Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog.

[0.5.4] - 2026-03-23

Added

Collection CRUD via API — Create (POST /api/v1/collections/), update (PATCH /api/v1/collections/{uuid}/), and delete (DELETE /api/v1/collections/{uuid}/) collections programmatically. Update and delete are owner-only. Soft-delete cascades to all documents and removes search index entries immediately; blobs are retained for a 7-day grace period. SDKs: create_collection() / createCollection(), update_collection() / updateCollection(), delete_collection() / deleteCollection().
OpenAPI schema in production — GET /api/v1/schema/ is now available in all environments including production. Use it for SDK generation, ChatGPT Custom GPT Actions, Postman/Insomnia import, or any OpenAPI-compatible tool. Swagger UI and ReDoc remain debug-only.
Document download endpoint — GET /api/v1/documents/{uuid}/download/ returns a 302 redirect to a 1-hour signed URL for the original file. Download button on document detail page. SDKs: get_download_url() / getDownloadUrl().
Document replace endpoint — POST /api/v1/documents/{uuid}/replace/ for re-uploading an updated file to an existing document. UUID is preserved, old search index entries are removed, and the new file is processed asynchronously. Accepts optional title, tags, and source_type overrides. Returns the document object with status: "pending".
Web UI "Replace" button — Document detail page now shows a Replace button for document owners. The form pre-fills existing title and tags.
SDK replace methods — Python SDK: replace_document(uuid, path, ...). JavaScript SDK: replaceDocument(uuid, file, options).
Webhook notifications — Configure a webhook URL per organization to receive document.indexed and document.failed events. HMAC-SHA256 signed payloads with exponential backoff retries. API: GET/POST/DELETE /api/v1/webhooks/ + test endpoint (POST /api/v1/webhooks/test/).
Machine-readable error codes — Every API error response now includes a code field (e.g., INVALID_API_KEY, COLLECTION_NOT_FOUND, FILE_TOO_LARGE) alongside the human-readable error message. Switch on code for programmatic error handling; use error for display.
Bulk document delete — Select multiple documents on the collection detail page and delete them at once. Includes a select-all checkbox, a confirmation dialog before deletion, and soft-delete with immediate search entry removal.
Framework integrations — pip install 'aqoon[langchain]', 'aqoon[llamaindex]', 'aqoon[haystack]'. One-liner retriever wrappers that plug aqoon into any RAG pipeline. Each transforms search results into the framework's native document/node format.
RAG starter templates — Clone-and-run apps on GitHub (FastAPI, Flask). Uses the aqoon SDK + Claude for question answering with source citations.
ChatGPT integration — New guide at /docs/guide-chatgpt/ with step-by-step Custom GPT Actions setup. OpenAPI schema for ChatGPT Actions included. ChatGPT card added to the connect wizard. Landing page updated to "Works with Claude and ChatGPT."

[0.5.3] - 2026-03-22

Added

Document upload API — New endpoint POST /api/collections/{uuid}/documents/ for single and batch file uploads via API. Supports all file types (PDF, DOCX, images, CSV/XLSX, Markdown, text). Documents are processed asynchronously, same as web uploads.
Collection access permissions — API key grants now carry a permission level: read (search only, default) or write (search + upload). Full-access keys have implicit write on owned collections. Permission is preserved during key rotation.
SDK upload methods — Python SDK: upload_document(), upload_documents(). JavaScript SDK: uploadDocument(), uploadDocuments(). Both SDKs also support the permission parameter on grant_collection().
Connect wizard SDK tabs — REST API step now shows cURL, Python, and JavaScript tabs with install commands, code snippets, and API key pre-filled. Link to SDK docs included.

Changed

RAG tutorial updated for SDK — Python and JavaScript examples now use the aqoon SDKs instead of raw requests/fetch calls. Simpler code, fewer lines, same concepts.
API docs updated — API reference, authentication, KaaS, documents guide, collections guide, SDKs page, and quickstart all updated to document the upload endpoint and permission model.

[0.5.2] - 2026-03-20

Added

Subscribe button on collection preview — Non-owners viewing a public collection can now subscribe directly from the detail page
"Cancels [date]" badge — Billing page shows pending cancellation date when subscription is scheduled to cancel at period end
Client-side file size validation — Files over 50 MB are rejected instantly in the browser before upload, preventing 90-second timeout
Bootstrap modal for collection revocation — Replaced browser confirm() with styled modal on API key detail page
Pagination styling — Pagination controls now match the app's indigo theme
Monitoring notes — Deployment guide updated with memory, response time, and Stripe webhook monitoring guidance

Fixed

Stripe webhook Django 5 fix — timezone.utc removed in Django 5, replaced with datetime.timezone.utc. Fixed customer.subscription.created webhook returning 500.
Billing usage bar — Monthly Usage counter now falls back to counting raw UsageLogs when daily aggregation hasn't run yet
Invoice creation from webhook — invoice.paid handler now creates Invoice records from Stripe event data instead of silently ignoring missing records
Duplicate Stripe subscriptions — Plan upgrades now modify the existing subscription instead of creating a new one
Azure SDK logging noise — Set to WARNING level, no more HTTP request/response flooding in logs
Heroku R14 memory — Documented WEB_CONCURRENCY=1 fix for 512 MB dyno limit
Mailtrap email backend — All production emails (including password reset) now use Mailtrap API instead of SMTP
French translations — Connect wizard, OAuth consent page, and Connectors setup instructions translated

Changed

Connect wizard simplified — Removed verify step (step 4). Wizard is now 3 steps: Choose tool → API key → Connect instructions
Code refactoring (Phase 1-3) — Extracted DocumentUploadService and AccountService, created SoftDeleteMixin, deduplicated Collection visibility logic, refactored models to use MetaAbstractModel, centralized constants, fixed ActiveManager API, added OwnerQuerySetMixin, consolidated slug generation
Pre-commit cleaned up — Removed incompatible flake8-django/flake8-isort/flake8-quotes, aligned CI flake8 plugins with pre-commit

[0.5.1] - 2026-03-18

Added

OAuth 2.0 for MCP — Claude Desktop Connectors now work natively. Click "Connect" in Claude Desktop to authenticate via OAuth without manual config files. Creates a full-access API key automatically.
OAuth consent page — Clean login/approve flow at /oauth/consent/ when connecting via OAuth
CSV and Excel (.xlsx) file support — New "Spreadsheet" source type. Rows are converted to searchable "Column: Value" text format. Multi-sheet Excel files supported.
Batch upload — Select multiple files at once from the file picker. Auto-detects source type per file, generates titles from filenames (or H1 headings for .md files).
Content-based file validation — Files are validated by magic bytes (PDF, PNG, JPG, DOCX, XLSX) or UTF-8 encoding (.md, .txt, .csv), not just extension. Prevents uploading renamed malicious files.
Usage dashboard fallback — Total Requests, Requests Over Time, and By API Key cards now show data immediately from raw logs, without waiting for the daily aggregation task.

Changed

MCP authentication — Token validation moved from manual ASGI handler to MCP SDK's built-in auth middleware. Both OAuth tokens and existing aqn_ Bearer keys continue to work.

[0.5.0] - 2026-03-17

Added

Markdown (.md) file support — Upload Markdown files directly. Content is read as plain text with heading-aware chunking that preserves section context (e.g. "## Deployment > ### Docker") for better search results
Text (.txt) file support — Upload plain text files alongside the existing paste option
CLAUDE.md integration guide — New docs page at /docs/guide-claude-md/ explaining how teams can add aqoon to their project's CLAUDE.md for automatic AI knowledge access
MCP usage logging — Search requests via MCP are now tracked in the usage dashboard and billing
JSON error middleware — API, MCP, and OAuth discovery paths now return JSON errors instead of HTML 404/500 pages
Auto-migrations on deploy — CI/CD pipeline now runs migrations automatically after each Heroku release
Celery Redis health check — Worker verifies Redis connectivity on startup and exits if unreachable

Fixed

Redis SSL on Heroku — Fixed [SSL: CERTIFICATE_VERIFY_FAILED] for rediss:// URLs (Django cache + Celery)
MCP transport security — Added aqoon.ai to FastMCP allowed hosts (was rejecting production requests with 421)
CSP on /connect/ page — Fixed "Create Key" button blocked by Content Security Policy
CSRF on /connect/ page — Fixed 403 error when creating API keys (CSRF_COOKIE_HTTPONLY prevented JS access)
Landing page mobile nav — Nav collapse, solid background on open, CSS specificity fixes
Language switcher on legal pages — Added missing Bootstrap CSS/JS to Terms and Privacy pages
collectstatic S3 error — Added --clear flag to avoid HeadObject 404 on deleted remote files

[0.4.2] - 2026-03-13

Added

Pagination — Collection list, collection detail (documents table), and explore catalog now paginated with shared Bootstrap 5 pagination partial
Terms of Service — 15-section legal page at /terms/ (French + English), Guinea governing law
Privacy Policy — 13-section privacy page at /privacy/ (French + English), covers data collection, retention, cookies, and user rights
Dashboard onboarding — 3-step "Getting Started" card for new users with zero collections/documents
Collection preview — Public collections can be previewed (document list) from the explore catalog before subscribing
Post-upload guidance — Success message now explains the processing pipeline (extraction → chunking → indexing)
Post-indexing nudge — Document detail shows success alert when indexing completes, prompting users to search or connect AI
Collection help text — Form explains what a collection is with examples
Source type auto-detection — File extension automatically sets the source type dropdown on upload
AI connection wizard — Guided 3-step setup at /connect/ for Claude Desktop, Claude Code, and REST API with inline key creation, pre-filled configs, and copy-to-clipboard

Changed

Web search switched to GET — Search form uses GET for bookmarkable, refreshable URLs
Search limit field hidden — Defaults to 10, no longer exposed to users
Search scores — Raw decimal scores replaced with "Relevant" badge for clarity
Rate limiting — Switched from per-key to per-user counters to prevent bypass via multiple keys; MCP endpoint now rate-limited
API error format — All errors normalized to {"error": "..."} envelope via custom DRF exception handler
Scoped key creation — Collection picker shown at key creation time (hidden for full-access keys)
CSP — Removed unsafe-inline from script-src; all inline JS extracted to external files
MCP config format — Claude Desktop config now uses npx mcp-remote bridge (Claude Desktop doesn't support remote HTTP natively); docs and wizard updated
Settings page — Raw terminal commands replaced with link to the Connect AI wizard

[0.4.1] - 2026-03-13

Added

Login error differentiation — Specific error messages for wrong password, unactivated account, deleted account, and unknown email
Resend activation email — Link in login error message to resend activation email for unactivated accounts
Organization model — Organizations collected at registration, with editable name and logo on settings page
Mobile sidebar — Hamburger menu toggle with overlay for responsive navigation
Dashboard empty states — Call-to-action buttons when no collections or documents exist
Open Graph & Twitter Card — Social meta tags on landing page
Inline SVG favicon — Layers icon favicon on all pages
Password requirements — Shown on registration form

Changed

CSS extraction — Inline styles moved to CSS classes across 26 templates
JS extraction — Inline scripts moved to 6 external JS files for CSP compliance
Data minimization — Removed gender, dob, and bio fields from User model
User photo replaced — Replaced user photo with organization logo throughout the UI
WCAG contrast — Fixed --text-muted to 5.3:1 contrast ratio
Collection cards — Replaced onclick divs with semantic <a> tags
Delete account copy — Updated to reflect 7-day soft delete grace period
Docs navigation — Prev/next links now span across section boundaries
Upload button — Shows loading spinner on form submit
French translations — Updated for new features and registration flow

Fixed

document_count now refreshed on upload (not just delete)
Collection form cancel returns to detail page when editing
Sidebar no longer highlights Collections on Explore page
Full-access badge shown on API key detail instead of scoped-key UI
Usage chart colors fixed for light theme
Password fields no longer repopulated on validation error
register_done page now renders Django messages

[0.4.0] - 2026-03-12

Changed

Unified auth — All programmatic API access now uses aqn_ API keys with Bearer auth. DRF Token authentication removed from global defaults.
Full-access vs scoped keys — New is_full_access flag on API keys. Full-access keys see all user collections (for MCP/owner use). Scoped keys see only granted collections (for developers).
Scope-aware API views — /api/search/, /api/collections/, /api/documents/ now respect API key scope. Scoped keys cannot manage subscriptions (403).
MCP scoping — MCP tools (search_documents, list_collections, get_document_info, search_by_tag) now scope results based on API key type.
Settings page — Replaced API Token card with API Keys card linking to /keys/.

Deprecated

AQOON_TOKEN env var in aqoon-mcp package — Use AQOON_API_KEY (fallback still works).

Removed

POST /api/v1/search/ — Removed entirely. Use /api/search/ which supports both full-access and scoped API keys.
POST /api/token/ — Returns 410 Gone. Use API keys from /keys/ instead.
DRF TokenAuthentication from global REST Framework defaults.
Token generate/revoke/regenerate from Settings page.
DRF token support in MCP /mcp endpoint — Only aqn_ keys accepted.

[0.3.0] - 2026-03-08

Added

Public collections — is_public flag on Collection model, admin-managed
Collection subscriptions — CollectionSubscription model for users to subscribe to public collections
Explore catalog page — Browse and subscribe to unsubscribed public collections (/explore/)
Subscribe/Unsubscribe views — Web views and API endpoint (POST/DELETE /api/collections/<slug>/subscribe/)
Centralized visibility helpers — Collection.visible_for(), visible_docs_q(), and user_id variants used across all 19 query locations
Owner-only guards on mutation views (upload, edit, delete) — buttons hidden in templates for non-owners
Unsubscribe button on collection detail page for subscribed non-owners
Public badge on collection cards and detail page; "Subscribed" badge on non-owned collections in list
"Explore public collections" link on collections list page
is_subscribed field in Collection API serializer
CollectionSubscriptionAdmin in Django admin
Slug collision resolution (owned collection prioritized over subscribed)

[0.2.0] - 2026-03-08

Added

REST API — Token-authenticated endpoints for collections, documents, and search
Remote MCP endpoint — Hosted /mcp with Streamable HTTP transport, per-user scoping via token auth
Local MCP package — Pip-installable aqoon-mcp package with stdio transport
API token management — Generate/regenerate/revoke tokens in user settings page
KaaS Phase 1: API Key Management — aqn_-prefixed keys with SHA256 hashing, collection-scoped access grants, search via POST /api/search/
KaaS Phase 2: Rate Limiting — RateTier model with 3 tiers (Free/Basic/Pro), Redis-based counters (minute/day/month windows), X-RateLimit-* headers
KaaS Phase 3: Usage Tracking — UsageLog and UsageSummary models, async logging via Celery, daily aggregation, 90-day retention, Chart.js usage dashboard
KaaS Phase 4: Developer Dashboard — Public API docs page (/developers/), interactive search playground (/developers/playground/)
KaaS Phase 5: Billing Integration — BillingPlan, Subscription, Invoice models, Stripe webhook handler, monthly invoice generation via Celery Beat, billing dashboard
ASGI routing (uvicorn) with dual auth support (DRF tokens + KaaS keys)
Django admin for rate tiers, API keys, usage logs, billing plans, subscriptions, invoices
Bootstrap modals for destructive actions (replacing browser confirm dialogs)
Sidebar navigation for API Keys, API Usage, and Billing

[0.1.0] - 2026-03-08

Added

Project scaffolding with 54 Startups standards
User authentication (register, login, password reset, account management)
Collection model for organizing documents
Document model with PDF/DOCX/image/text/URL source types
DocumentChunk model for vectorized content
Azure Document Intelligence integration for text extraction
Azure OpenAI embedding generation (text-embedding-3-small)
Azure AI Search hybrid search (text + vector, HNSW)
Azure Blob Storage for file uploads
Celery task for async document processing pipeline
Django web UI with Bootstrap 5.3 sidebar layout
Dashboard with stats and recent activity
Collection CRUD with card grid view
Document upload with drag-and-drop
Full-text + semantic search across collections
Document status polling (AJAX)
Standalone MCP server with 4 tools (search_documents, list_collections, get_document_info, search_by_tag)
Health check endpoint with database + Redis checks
Docker Compose setup (Django + PostgreSQL + Redis + Celery)