CHEMAZENER
648f6d7808
feat(i18n): add Spanish (es-ES) locale ( #757 )
...
* feat(i18n): add Spanish (es-ES) locale
Add complete Spanish translation covering all 930+ keys across
all UI sections: navigation, notebooks, sources, chat, search,
podcasts, transformations, settings, models, API keys, and error messages.
- Create es-ES locale file with full translation
- Register es-ES in locale index with LanguageCode type
- Add Spanish entry to LanguageToggle dropdown
- Add `spanish` key to common section in all existing locales
- Add date-fns Spanish locale for date formatting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix(i18n): use t() function accessor for Spanish dropdown item
Rebased onto main, which migrated i18n from the custom Proxy pattern to
react-i18next's t() function. Updates the new es-ES entry in
LanguageToggle to match the current accessor style so it renders the
translated label at runtime instead of undefined.
---------
Co-authored-by: chemazener <chemazener@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Luis Novo <lfnovo@gmail.com>
2026-04-19 11:32:12 -03:00
Luis Novo
66a10996da
Merge pull request #734 from vincentrou/fix-docs-quick-start-local
...
Update docs quick start local
2026-04-17 09:01:34 -03:00
Luis Novo
c0010a189c
Merge pull request #762 from lfnovo/dependabot/uv/langchain-openai-1.1.14
...
chore(deps): bump langchain-openai from 1.1.7 to 1.1.14
2026-04-17 08:59:00 -03:00
Luis Novo
7fb2341bf1
Merge pull request #761 from lfnovo/dependabot/uv/langchain-text-splitters-1.1.2
...
chore(deps): bump langchain-text-splitters from 1.1.0 to 1.1.2
2026-04-17 08:58:56 -03:00
Luis Novo
63784c42b2
Merge pull request #760 from lfnovo/dependabot/uv/authlib-1.6.11
...
chore(deps): bump authlib from 1.6.9 to 1.6.11
2026-04-17 08:58:52 -03:00
Luis Novo
6c3bc6ae51
Merge pull request #759 from lfnovo/dependabot/uv/langsmith-0.7.31
...
chore(deps): bump langsmith from 0.6.4 to 0.7.31
2026-04-17 08:58:48 -03:00
Luis Novo
f0207687f6
Merge pull request #758 from lfnovo/dependabot/uv/python-multipart-0.0.26
...
chore(deps): bump python-multipart from 0.0.22 to 0.0.26
2026-04-17 08:58:44 -03:00
Luis Novo
ca211721bc
Merge pull request #754 from lfnovo/dependabot/npm_and_yarn/frontend/follow-redirects-1.16.0
...
chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /frontend
2026-04-17 08:58:41 -03:00
Luis Novo
ee6f27e5a2
Merge pull request #752 from lfnovo/dependabot/uv/pytest-9.0.3
...
chore(deps): bump pytest from 9.0.2 to 9.0.3
2026-04-17 08:58:37 -03:00
Luis Novo
2cdbd8b3c0
Merge pull request #748 from lfnovo/dependabot/npm_and_yarn/frontend/axios-1.15.0
...
chore(deps): bump axios from 1.13.5 to 1.15.0 in /frontend
2026-04-17 08:58:34 -03:00
Luis Novo
8653c18c27
Merge pull request #744 from lfnovo/dependabot/npm_and_yarn/frontend/next-16.2.3
...
chore(deps): bump next from 16.1.7 to 16.2.3 in /frontend
2026-04-17 08:58:30 -03:00
Luis Novo
1d0a60f9c7
Merge pull request #728 from lfnovo/dependabot/npm_and_yarn/frontend/vite-7.3.2
...
chore(deps-dev): bump vite from 7.3.1 to 7.3.2 in /frontend
2026-04-17 08:58:26 -03:00
dependabot[bot]
61684ba660
chore(deps): bump langchain-openai from 1.1.7 to 1.1.14
...
Bumps [langchain-openai](https://github.com/langchain-ai/langchain ) from 1.1.7 to 1.1.14.
- [Release notes](https://github.com/langchain-ai/langchain/releases )
- [Commits](https://github.com/langchain-ai/langchain/compare/langchain-openai==1.1.7...langchain-openai==1.1.14 )
---
updated-dependencies:
- dependency-name: langchain-openai
dependency-version: 1.1.14
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-17 01:11:11 +00:00
dependabot[bot]
54e626cd9e
chore(deps): bump langchain-text-splitters from 1.1.0 to 1.1.2
...
Bumps [langchain-text-splitters](https://github.com/langchain-ai/langchain ) from 1.1.0 to 1.1.2.
- [Release notes](https://github.com/langchain-ai/langchain/releases )
- [Commits](https://github.com/langchain-ai/langchain/compare/langchain-text-splitters==1.1.0...langchain-text-splitters==1.1.2 )
---
updated-dependencies:
- dependency-name: langchain-text-splitters
dependency-version: 1.1.2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-17 01:07:27 +00:00
dependabot[bot]
45c16e1fa1
chore(deps): bump authlib from 1.6.9 to 1.6.11
...
Bumps [authlib](https://github.com/authlib/authlib ) from 1.6.9 to 1.6.11.
- [Release notes](https://github.com/authlib/authlib/releases )
- [Changelog](https://github.com/authlib/authlib/blob/v1.6.11/docs/changelog.rst )
- [Commits](https://github.com/authlib/authlib/compare/v1.6.9...v1.6.11 )
---
updated-dependencies:
- dependency-name: authlib
dependency-version: 1.6.11
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-16 23:59:26 +00:00
dependabot[bot]
869604f824
chore(deps): bump langsmith from 0.6.4 to 0.7.31
...
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk ) from 0.6.4 to 0.7.31.
- [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases )
- [Commits](https://github.com/langchain-ai/langsmith-sdk/compare/v0.6.4...v0.7.31 )
---
updated-dependencies:
- dependency-name: langsmith
dependency-version: 0.7.31
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-16 02:36:34 +00:00
Luis Novo
d7967a0fcf
Merge pull request #755 from lfnovo/refactor/migrate-i18n-to-standard-t-function
...
refactor: migrate i18n from Proxy pattern to standard t() function
2026-04-15 21:56:01 -03:00
dependabot[bot]
2b4535413b
chore(deps): bump python-multipart from 0.0.22 to 0.0.26
...
Bumps [python-multipart](https://github.com/Kludex/python-multipart ) from 0.0.22 to 0.0.26.
- [Release notes](https://github.com/Kludex/python-multipart/releases )
- [Changelog](https://github.com/Kludex/python-multipart/blob/master/CHANGELOG.md )
- [Commits](https://github.com/Kludex/python-multipart/compare/0.0.22...0.0.26 )
---
updated-dependencies:
- dependency-name: python-multipart
dependency-version: 0.0.26
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-15 20:59:54 +00:00
Rousseau Vincent
b3452582c9
Remove reference to OLLAMA_NUM_GPU
2026-04-15 16:26:14 +02:00
Luis Novo
e2cf35060b
fix: use getApiErrorMessage in use-settings and update CLAUDE.md docs
...
- Replace getApiErrorKey with getApiErrorMessage in use-settings.ts
so error toasts show translated messages instead of raw i18n keys
- Update CLAUDE.md files to reflect the new t('section.key') pattern
and remove outdated Proxy-related gotchas
2026-04-14 18:31:18 -03:00
Luis Novo
98a528158a
refactor: migrate i18n from custom Proxy pattern to standard react-i18next t() function
...
- Replace Proxy-based useTranslation hook with thin react-i18next wrapper
- Convert all t.section.key property access to t('section.key') function calls across 84 files
- Migrate TranslationKeys type parameters to TFunction from i18next
- Update test setup mock and test assertions for new pattern
- Preserve setLanguage with language change events for loading overlay
Closes #579
2026-04-14 14:42:58 -03:00
dependabot[bot]
edf323fbc9
chore(deps): bump follow-redirects from 1.15.11 to 1.16.0 in /frontend
...
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects ) from 1.15.11 to 1.16.0.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases )
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0 )
---
updated-dependencies:
- dependency-name: follow-redirects
dependency-version: 1.16.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-14 17:38:52 +00:00
Luis Novo
1e090b04a5
Merge pull request #753 from lfnovo/fix/graceful-credential-decryption-errors
...
fix: handle credential decryption errors gracefully
2026-04-14 14:37:19 -03:00
Luis Novo
621dd6c42a
chore: bump version to 1.8.5 and update changelog
2026-04-14 14:03:48 -03:00
Luis Novo
0c2522074d
fix: narrow exception handling and support migrate_to for broken credentials
...
- Catch only ValueError (decryption errors) instead of broad Exception
so NotFoundError and other failures propagate correctly
- Support migrate_to parameter in the fallback delete path so linked
models can be reassigned instead of always cascade-deleted
- Sanitize decryption_error message to not expose raw exception details
2026-04-14 10:34:32 -03:00
dependabot[bot]
171e9d3bd3
chore(deps): bump pytest from 9.0.2 to 9.0.3
...
Bumps [pytest](https://github.com/pytest-dev/pytest ) from 9.0.2 to 9.0.3.
- [Release notes](https://github.com/pytest-dev/pytest/releases )
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pytest-dev/pytest/compare/9.0.2...9.0.3 )
---
updated-dependencies:
- dependency-name: pytest
dependency-version: 9.0.3
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-14 02:21:10 +00:00
Luis Novo
ba01f7df4e
fix: handle credential decryption errors gracefully ( #740 )
...
- Credential.get_all() now uses per-row error handling instead of failing on first bad row
- Broken credentials include decryption_error field with descriptive message
- DELETE endpoint falls back to direct DB delete when credential can't be decrypted
- Frontend shows amber warning alert for broken credentials with disabled test/edit/discover
- Added i18n translation keys for decryption error warning in all 9 locales
2026-04-12 21:22:37 -03:00
dependabot[bot]
6b23e7cee8
chore(deps): bump axios from 1.13.5 to 1.15.0 in /frontend
...
Bumps [axios](https://github.com/axios/axios ) from 1.13.5 to 1.15.0.
- [Release notes](https://github.com/axios/axios/releases )
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md )
- [Commits](https://github.com/axios/axios/compare/v1.13.5...v1.15.0 )
---
updated-dependencies:
- dependency-name: axios
dependency-version: 1.15.0
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-12 10:40:02 +00:00
dependabot[bot]
9c73299da0
chore(deps): bump next from 16.1.7 to 16.2.3 in /frontend
...
Bumps [next](https://github.com/vercel/next.js ) from 16.1.7 to 16.2.3.
- [Release notes](https://github.com/vercel/next.js/releases )
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js )
- [Commits](https://github.com/vercel/next.js/compare/v16.1.7...v16.2.3 )
---
updated-dependencies:
- dependency-name: next
dependency-version: 16.2.3
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-11 04:20:11 +00:00
dependabot[bot]
b7788ec05a
chore(deps): bump tornado from 6.5.4 to 6.5.5 ( #668 )
...
Bumps [tornado](https://github.com/tornadoweb/tornado ) from 6.5.4 to 6.5.5.
- [Changelog](https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst )
- [Commits](https://github.com/tornadoweb/tornado/compare/v6.5.4...v6.5.5 )
---
updated-dependencies:
- dependency-name: tornado
dependency-version: 6.5.5
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-09 13:23:46 -03:00
Luis Novo
4222329451
fix: map base_url to endpoint for Azure credentials ( #741 )
...
* fix: map base_url to endpoint for Azure credentials
The Azure credential form only exposes a base_url field, but the
connection tester, key provisioner, and Esperanto config all expect
an endpoint field. This maps base_url to endpoint for Azure providers
so credentials work without requiring a dedicated endpoint form field.
Closes #727
* docs: update Azure credential docs to reflect base_url mapping
2026-04-09 13:22:00 -03:00
Luis Novo
ade4adc0b2
Merge pull request #736 from lfnovo/dependabot/uv/cryptography-46.0.7
...
chore(deps): bump cryptography from 46.0.6 to 46.0.7
2026-04-09 12:53:39 -03:00
Luis Novo
51bdc09965
Merge pull request #737 from lfnovo/dependabot/uv/langchain-core-1.2.28
...
chore(deps): bump langchain-core from 1.2.22 to 1.2.28
2026-04-09 12:53:26 -03:00
Luis Novo
4ae459ca5e
Merge pull request #739 from lfnovo/docs/security-guidelines
...
docs: add security guidelines for contributors
2026-04-09 12:19:43 -03:00
Luis Novo
8ee18d1fb7
docs: add security guidelines for contributors
...
Add security.md covering database query safety, template rendering,
file handling, secrets management, and a code review checklist.
Informed by CERT-EU coordinated vulnerability disclosures.
2026-04-09 12:16:09 -03:00
Luis Novo
1a35240e15
Merge pull request #738 from lfnovo/fix/security-vulnerabilities-round2
...
fix: prevent RCE, path traversal, and LFI vulnerabilities
2026-04-09 12:08:18 -03:00
Luis Novo
2f75c5978c
fix: harden path validation to prevent sibling directory bypass
...
Append os.sep to the directory path before startswith() check so that
paths like /app/data/uploads_evil/ cannot bypass the uploads directory
validation.
2026-04-09 12:05:38 -03:00
Luis Novo
70a466a640
fix: prevent RCE via SSTI, path traversal file write, and LFI file read
...
- Bump ai-prompter to >=0.4.0 which uses Jinja2 SandboxedEnvironment,
preventing arbitrary code execution via user-provided transformation prompts
- Sanitize uploaded filenames with os.path.basename() and validate resolved
path stays within upload directory to prevent path traversal
- Validate file_path in source creation is within UPLOADS_FOLDER to prevent
arbitrary file read via Local File Inclusion
2026-04-09 11:58:16 -03:00
dependabot[bot]
58e9998bb8
chore(deps): bump langchain-core from 1.2.22 to 1.2.28
...
Bumps [langchain-core](https://github.com/langchain-ai/langchain ) from 1.2.22 to 1.2.28.
- [Release notes](https://github.com/langchain-ai/langchain/releases )
- [Commits](https://github.com/langchain-ai/langchain/compare/langchain-core==1.2.22...langchain-core==1.2.28 )
---
updated-dependencies:
- dependency-name: langchain-core
dependency-version: 1.2.28
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-08 22:28:22 +00:00
dependabot[bot]
3755b1f2d4
chore(deps): bump cryptography from 46.0.6 to 46.0.7
...
Bumps [cryptography](https://github.com/pyca/cryptography ) from 46.0.6 to 46.0.7.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst )
- [Commits](https://github.com/pyca/cryptography/compare/46.0.6...46.0.7 )
---
updated-dependencies:
- dependency-name: cryptography
dependency-version: 46.0.7
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-08 21:55:21 +00:00
Rousseau Vincent
ff3525e46b
Update surrealdb user and add gpu for ollama
...
Added user root for surrealdb service and nvidia GPU support in ollama service.
2026-04-08 10:22:33 +02:00
Luis Novo
89eac04c63
Merge pull request #731 from lfnovo/fix/surrealdb-injection
...
fix: prevent SurrealDB injection via unsanitized query parameters
2026-04-07 14:52:22 -03:00
Luis Novo
3d560b4248
chore: bump version to 1.8.3 and update changelog
...
Add 1.8.2 and 1.8.3 entries to CHANGELOG.md.
1.8.3 documents the SurrealDB injection security fix.
2026-04-07 07:59:16 -03:00
Luis Novo
e5b253b11d
fix: prevent SurrealDB injection via order_by and unparameterized queries
...
- Add allowlist validation for order_by param in notebooks endpoint
- Parameterize session_id query in source_chat router
- Add regex validation in base.py get_all() order_by parameter
- Convert async_migrate bump/lower_version to parameterized queries
2026-04-07 07:58:54 -03:00
dependabot[bot]
19b82b24ed
chore(deps-dev): bump vite from 7.3.1 to 7.3.2 in /frontend
...
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite ) from 7.3.1 to 7.3.2.
- [Release notes](https://github.com/vitejs/vite/releases )
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.2/packages/vite/CHANGELOG.md )
- [Commits](https://github.com/vitejs/vite/commits/v7.3.2/packages/vite )
---
updated-dependencies:
- dependency-name: vite
dependency-version: 7.3.2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-04-06 22:12:45 +00:00
Luis Novo
6274358b21
Merge pull request #725 from lfnovo/feat/dashscope-minimax-providers
...
feat: add DashScope (Qwen) and MiniMax provider support
2026-04-06 13:42:45 -03:00
Luis Novo
3934fe7e5e
chore: bump version to 1.8.2 and update changelog and provider docs
...
- Bump version from 1.8.1 to 1.8.2
- Add changelog entry for DashScope and MiniMax provider support
- Update provider counts across README and docs (16+ → 18+, 15+ → 17+)
- Add DashScope and MiniMax to README provider support matrix
2026-04-06 10:59:47 -03:00
Luis Novo
adc03e56bb
feat: add DashScope (Qwen) and MiniMax provider support
...
- Bump esperanto dependency to >=2.20.0 for new provider profiles
- Register both providers in credentials, key provider, connection tester, model discovery, and models router
- Add frontend provider entries (display names, modalities, docs links)
- Add documentation sections for both providers in ai-providers.md, environment-reference.md, and provider comparison
2026-04-06 10:54:37 -03:00
Luis Novo
c42dc10d2b
Merge pull request #723 from lfnovo/docs/deprecate-single-container
...
docs: deprecate single-container image
2026-04-06 08:21:06 -03:00
Luis Novo
746218248c
docs: add surrealdb service notes to docker-compose snippets
...
The v1-latest image requires a separate surrealdb service unlike the
deprecated single-container image. Add comments pointing to the full
base docker-compose.yml in all partial code examples.
2026-04-06 08:15:33 -03:00