DeepTutor v1.3.8 Release Notes

Release Date: 2026.05.08

v1.3.8 brings DeepTutor's optional multi-user mode into the main release line.
It keeps local single-user installs unchanged while adding authenticated shared
deployments with isolated user workspaces, admin-managed access, and clearer
deployment guidance.

Highlights

Multi-User Workspaces

• Authentication can gate shared deployments - enabling AUTH_ENABLED
  adds login, registration, JWT sessions, and a first-user admin flow.
• Each user gets isolated data - ordinary users work under
  multi-user/<uid>/ with separate chat history, memory, notebooks, and
  knowledge bases, while admins keep the main workspace.
• Admin grants control access - /admin/users lets admins create users and
  assign allowed model profiles, knowledge bases, skills, and copied spaces
  without exposing API keys.

Safer Runtime Boundaries

• Knowledge and RAG stay scoped - assigned knowledge bases are visible with
  badges, and non-admin RAG calls no longer fall back silently to admin data.
• Model routing honors grants - non-admin chat turns use an assigned model
  profile and fail early if no LLM is available.
• Settings are redacted for users - non-admin settings show theme, language,
  and model summaries, while provider secrets and endpoints remain admin-only.

Deployment and UI

• Frontend auth routes are included - /login, /register, auth-aware
  middleware, logout controls, and admin navigation are wired into the web app.
• Multi-user docs are now first-class - README and translated READMEs
  document setup, workspace layout, audit logs, env vars, and production
  caveats.
• Optional PocketBase remains documented - PocketBase can still be used as a
  sidecar path, but true multi-user deployments should leave POCKETBASE_URL
  unset and use the built-in JSON/SQLite backend.

Tests

• Added multi-user tests for identity migration, first-admin registration,
  grants, settings restrictions, scoped interface preferences, skill access, and
  RAG fallback prevention.
• Added status-redaction coverage so non-admin users do not receive provider
  model or search endpoint details.

Upgrade Notes

• Existing local installs stay in single-user mode unless AUTH_ENABLED=true.
• For real multi-user deployments, set AUTH_ENABLED=true, keep
  POCKETBASE_URL blank, create the first admin through /register, and assign
  models before ordinary users start chat turns.
• New deployment state is stored under multi-user/; back up both data/ and
  multi-user/ before upgrading shared instances.
• Multi-worker deployments should bootstrap the first admin carefully because
  first-user promotion is protected by an in-process lock.

Full Changelog: https://github.com/HKUDS/DeepTutor/compare/v1.3.7...v1.3.8