v0.241.007

v0.241.007

New Feature

• Improved Mobile UI Support

Bug Fixes

• Uploaded File Preview Body XSS Hardening

  • Fixed the uploaded-file preview modal so stored file bodies no longer reach the preview pane through raw HTML sinks.
  • Plain-text previews now render as inert preformatted text, CSV-backed previews are built with DOM text nodes, and legacy HTML-backed table payloads now fall back to inert text instead of live markup.
  • Added focused functional and UI regression coverage plus versioned fix documentation for the hardened preview path.
  • (Ref: chat-input-actions.js, test_uploaded_file_preview_xss_fix.py, test_uploaded_file_preview_escaping.py, UPLOADED_FILE_PREVIEW_XSS_FIX.md)

• Public Workspace Tag Color XSS Hardening

  • Fixed the public workspace tag surfaces so stored tag colors no longer reach folder-grid actions, tag badges, tag management rows, or selected-tag chips through inline handler or style interpolation.
  • Shared tag helper paths now normalize and validate tag colors on create and update across personal, group, and public routes, and previously stored invalid colors fall back to safe deterministic values on read.
  • Added focused functional and UI regression coverage plus versioned fix documentation for the hardened public tag rendering path.
  • (Ref: functions_documents.py, route_backend_documents.py, route_backend_group_documents.py, route_backend_public_documents.py, public_workspace.js, test_public_workspace_tag_color_xss_fix.py, test_public_workspace_tag_color_rendering.py, PUBLIC_WORKSPACE_TAG_COLOR_XSS_FIX.md)

• Agent Template Gallery Actions Escaping

  • Fixed the agent template gallery so stored actions_to_load values no longer reach the recommended-actions row through a raw HTML sink.
  • Agent template helper paths now normalize actions_to_load consistently on read, create, and update flows, and invalid write payload shapes are rejected before they can persist.
  • Added focused functional and UI regression coverage plus versioned fix documentation for the hardened gallery path.
  • (Ref: agent_templates_gallery.js, functions_agent_templates.py, test_agent_template_gallery_actions_to_load_xss_fix.py, test_agent_template_gallery_actions_escaping.py, AGENT_TEMPLATE_GALLERY_ACTIONS_TO_LOAD_XSS_FIX.md)

• Stored XSS Share, Activity, and Masking Hardening

  • Fixed the remaining stored-XSS share-modal flows so attacker-controlled user names, group names, descriptions, emails, and toast content no longer render through inline handlers or raw HTML sinks.
  • Hardened the group activity timeline and raw-activity modal so stored activity metadata and serialized activity JSON now render as inert text instead of executable markup.
  • Rebuilt masked-range rendering with DOM APIs and bound masking display names to the authenticated server-side user instead of trusting browser-supplied identity fields.
  • Added focused functional and UI regression coverage plus versioned fix documentation for the hardened sharing, activity, and masking paths.
  • (Ref: chat-toast.js, workspace-documents-sharing.js, group-documents-sharing.js, manage_group.js, chat-messages.js, route_backend_chats.py, test_stored_xss_share_activity_and_masking_fix.py, test_document_share_modal_escaping.py, STORED_XSS_SHARE_ACTIVITY_AND_MASKING_FIX.md)

• Chat Scope Picker and Conversation Details XSS Hardening

  • Fixed the chat scope-lock picker so stored group and public workspace names no longer reach the locked-workspaces modal through raw HTML interpolation.
  • Hardened the conversation-details modal so attacker-controlled titles, context names, participant labels, document labels, semantic tags, classifications, and scope-lock names render as inert text, and invalid web-source values no longer produce active javascript: links.
  • Added focused functional and UI regression coverage plus versioned fix documentation for the affected chat modal surfaces.
  • (Ref: chat-documents.js, chat-conversation-details.js, test_stored_xss_chat_scope_and_conversation_details_fix.py, test_chat_scope_lock_and_conversation_details_escaping.py, CHAT_SCOPE_LOCK_AND_CONVERSATION_DETAILS_XSS_FIX.md)

• Chat Citation and Uploaded File Modal Filename XSS Hardening

  • Fixed the first-render chat citation modal so attacker-controlled document filenames returned from citation APIs no longer reach the modal header as raw HTML on the first open.
  • The uploaded-file preview modal now uses the same safe title-population path, closing the adjacent filename sink before it can regress into the same stored-XSS family.
  • Added focused functional and UI regression coverage plus versioned fix documentation for both modal title flows.
  • (Ref: chat-citations.js, chat-input-actions.js, test_stored_xss_chat_modal_filename_fix.py, test_chat_modal_filename_escaping.py, CITATION_AND_FILE_MODAL_FILENAME_XSS_FIX.md)

• Stored XSS Agent and Member Rendering Hardening

  • Fixed the stored-XSS sink in chat message rendering so agent display names no longer reach the sender header, image header, or metadata drawer as raw HTML.
  • Public and group workspace member-management views now escape untrusted member display names and emails before rendering member rows, pending requests, ownership-transfer options, bulk-remove summaries, user-search results, and CSV validation previews, and the public member search no longer embeds untrusted values inside an inline onclick handler.
  • /api/userSearch now escapes Microsoft Graph OData filter literals before composing the $filter expression, so apostrophes in search input cannot break the backend Graph query.
  • Added focused functional and UI regression coverage plus versioned fix documentation for the hardened chat, workspace member-management, and Graph filter paths.
  • (Ref: chat-messages.js, manage_public_workspace.js, manage_group.js, route_backend_users.py, test_stored_xss_chat_workspace_rendering_fix.py, test_public_workspace_member_rendering_escaping.py, test_group_workspace_member_rendering_escaping.py, STORED_XSS_AGENT_AND_MEMBER_RENDERING_FIX.md)

• Chat Selected Document Metadata Authorization Fix

  • Fixed chat selected-document metadata resolution so /api/chat, /api/chat/stream, and the selected tabular document helper no longer trust caller-supplied document ids after authentication.
  • Personal selected documents now resolve only for the owner or a legitimately shared user, group selected documents now honor authorized owner and shared-group access, and public selected documents now resolve only inside the caller's visible public workspaces.
  • Added focused regression coverage for the shared selected-document resolver and updated the existing all-scope tabular regression so the hardened lookup path stays covered.
  • (Ref: route_backend_chats.py, test_chat_selected_document_metadata_authorization.py, test_tabular_all_scope_group_source_context.py, CHAT_SELECTED_DOCUMENT_METADATA_AUTHORIZATION_FIX.md)

• Control Center Public Workspace Members XSS Fix

  • Fixed a stored XSS in the Control Center public workspace members modal where stored member displayName and email values were rendered into an admin-facing HTML sink.
  • The members modal now builds the member row with DOM text nodes instead of injecting those fields through innerHTML, so malicious stored markup renders as inert text while the existing role badge styling remains unchanged.
  • Added focused regression coverage for the affected modal and documented the hardened sink under the current version line.
  • (Ref: workspace-manager.js, test_control_center_public_workspace_members_escaping.py, test_stored_xss_admin_rendering_fix.py, CONTROL_CENTER_PUBLIC_WORKSPACE_MEMBERS_XSS_FIX.md)

• Plugin Log Recent Feed Admin Authorization Follow-Up

  • Fixed the adjacent plugin logging route so /api/plugins/invocations/recent now enforces the Admin role instead of exposing the cross-user recent invocation feed to any authenticated user.
  • Unauthenticated requests still return 401 Unauthorized, non-admin users now receive 403 Forbidden, and the admin response payload remains unchanged for legitimate troubleshooting flows.
  • Extended the focused plugin logging regression coverage so both admin-only plugin logging endpoints are exercised under unauthenticated, non-admin, and admin conditions.
  • (Ref: route_plugin_logging.py, test_plugin_logging_clear_logs_authorization.py, PLUGIN_LOG_RECENT_INVOCATIONS_ADMIN_FIX.md)

• Public Workspace Details Projection Hardening

  • Fixed GET /api/public_workspaces/<workspace_id> so authenticated non-members no longer receive the full public workspace Cosmos document.
  • The route now returns a minimal public summary for non-members and a member-aware payload with explicit userRole and isMember fields for authorized workspace members, which preserves the manage-page UX without exposing manager lists, pending requests, or other member-only metadata.
  • Added focused functional and UI regression coverage to lock down the new payload contract and verify the public directory and non-member workspace page continue to behave correctly.
  • (Ref: route_backend_public_workspaces.py, functions_public_workspaces.py, manage_public_workspace.js, public_directory.js, test_security_authorization_hardening.py, test_public_workspace_projection_non_member_ui.py, PUBLIC_WORKSPACE_DETAILS_DISCLOSURE_FIX.md)

• Approval Route Authorization Guard Consolidation

  • Hardened the approval detail, approve, and de...

v0.241.006

Bug Fixes

• Speech and Video Indexer Setup Guidance Alignment

  • Fixed stale admin guidance around Azure AI Video Indexer and shared Azure Speech configuration so managed-identity setup no longer points admins toward legacy Video Indexer API keys or incomplete Speech instructions.
  • The admin experience now reflects the shared Speech resource model, adds Speech Resource ID helper fields, and keeps managed-identity voice-response requirements aligned with runtime behavior.
  • (Ref: admin_settings.html, admin_settings.js, route_backend_tts.py, functions_documents.py, shared Speech and Video Indexer guidance)

• Agent Output Token Defaults and Foundry Limit Enforcement

  • Fixed stale agent output-token defaults so new and normalized agents now use -1 to defer to the provider or model default instead of silently reintroducing older fixed caps.
  • Azure AI Foundry agent execution now also honors saved output-token settings in both classic Foundry agent runs and new Foundry Responses-based runs, so configured limits are enforced consistently instead of only being stored in agent configuration.
  • (Ref: functions_global_agents.py, agent.schema.json, foundry_agent_runtime.py, test_foundry_token_limit_defaults.py)

• Tabular Exhaustive Result Synthesis Retry

  • Fixed exhaustive tabular questions such as "list all" requests so the workflow no longer stops at an answer that claims only sample rows or workbook metadata are available after analytical tool calls already returned the full matching result set.
  • General tabular analysis now detects full versus partial result coverage from tool metadata, retries incomplete synthesis when necessary, and adds stronger prompt guidance so the final answer uses the returned analytical results directly.
  • (Ref: route_backend_chats.py, test_tabular_exhaustive_result_synthesis_fix.py, TABULAR_EXHAUSTIVE_RESULT_SYNTHESIS_FIX.md)

• Group Workspace Documents and Prompts Load Recovery

  • Fixed a Group Workspace page-load regression where active-group initialization could fail on a missing prompt-role UI container and stop the rest of the page from rendering correctly.
  • Group document and prompt content now continue loading even if the prompt permission banner or create-button container is unavailable during startup, preventing blank content areas caused by a JavaScript null-reference error.
  • Added functional and UI regression coverage for the guarded prompt-role path so future changes do not reintroduce the same startup failure.
  • (Ref: group_workspaces.html, test_group_workspace_prompt_role_ui_guard.py, test_group_workspace_prompt_role_containers_ui.py)

• Audio and Video Enhanced Citation Badge Consistency

  • Fixed blob-backed audio and video documents showing Standard citations in workspace details even when Enhanced Citations was enabled and the same files already opened through the enhanced citation experience on the chat page.
  • Document metadata now persists and normalizes the enhanced_citations flag from blob-backed storage state so existing media uploads and new uploads both render the correct Enhanced badge across workspace and chat flows.
  • Added regression coverage and fix documentation for the metadata normalization path.
  • (Ref: functions_documents.py, route_enhanced_citations.py, test_media_enhanced_citations_metadata_flag.py, MEDIA_ENHANCED_CITATION_BADGE_FIX.md)

User Interface Enhancements

• AI Voice Conversations Setup Guide
  • Added an in-app Setup Guide modal to the AI Voice Conversations admin card so admins can configure Azure Speech without leaving Admin Settings.
  • The guide includes a live snapshot of the current Speech configuration, explains key versus managed-identity authentication, and now walks admins through enabling the required custom domain in Azure portal before verifying the endpoint on Keys and Endpoint.
  • (Ref: admin_settings.html, _speech_service_info.html, azure_speech_managed_identity_manul_setup.md, test_admin_multimedia_guidance.py)

v0.241.002

Bug Fixes

• Support Pages Respect Custom Application Titles

  • Fixed user-facing Support copy so Latest Features, Previous Release Features, and Send Feedback no longer fall back to the default SimpleChat name in customized deployments.
  • Support feedback email drafts now also use the configured application title, keeping the user-facing support flow consistent with branded environments.
  • (Ref: support_menu_config.py, support_send_feedback.html, route_backend_settings.py, support application-title personalization)

• Streaming Retry and Edit Thought Tracking

  • Fixed retry and edit requests in streaming chat when they fall back to the compatibility bridge and continue through the legacy /api/chat path.
  • Assistant response tracking is now initialized for both new-message and retry/edit flows before content safety runs, preventing compatibility-mode failures caused by an uninitialized ThoughtTracker.
  • (Ref: route_backend_chats.py, ThoughtTracker, /api/chat/stream, /api/chat, retry/edit compatibility bridge)

• Streaming Retry and Edit Multi-Endpoint Model Resolution

  • Fixed streaming retry and edit requests that route through the compatibility bridge so they no longer fail during AI model initialization in multi-endpoint environments.
  • The compatibility path now reuses the in-app multi-endpoint GPT resolver and Foundry fallback helpers instead of depending on script-only helper functions that were not available inside the Flask runtime.
  • (Ref: route_backend_chats.py, /api/chat/stream, /api/chat, multi-endpoint model resolution, Foundry fallback helpers)

• Profile Fact Memory Script Deduplication

  • Fixed a profile-page load failure where duplicate inline Fact Memory and tutorial script blocks could trigger browser parse errors such as Identifier 'factMemorySearchInput' has already been declared.
  • Removed duplicated profile sections, modal markup, and shadowing helper definitions so Fact Memory, tutorial preferences, and retention settings now initialize from one canonical script path.
  • Added source-level and UI regression coverage so duplicate profile blocks and page-load JavaScript errors are caught earlier.
  • (Ref: profile.html, test_profile_fact_memory_script_dedup.py, test_profile_fact_memory_editor.py, profile page script initialization)

v0.241.001

New Features

• Fact Memory Instructions and Facts

  • Added a clearer Fact Memory experience that distinguishes always-on Instructions from relevance-based Facts on the profile page and in chat-time recall.
  • Chat responses now surface saved-memory usage more clearly through separate Instruction Memory and Fact Memory Recall thoughts and citations.
  • Admin Settings Latest Features and the user-facing Support > Latest Features page now include Fact Memory guidance and screenshots, and admins can show or hide that announcement from General > User-Facing Latest Features.
  • (Ref: semantic_kernel_fact_memory_store.py, route_backend_chats.py, route_frontend_profile.py, profile.html, support_menu_config.py, admin_settings.html, latest_features.html, fact memory guidance and latest-features coverage)

• Support Menu and User-Facing Latest Features

  • Added a configurable Support menu for signed-in app users so teams can expose Latest Features and Send Feedback directly in everyday navigation.
  • Admins can rename the Support menu, control the internal feedback-recipient email address, and choose exactly which latest-feature cards are shared with end users from the General tab.
  • The user-facing Latest Features page now mirrors the available admin screenshots more closely, includes clearer guidance about why each feature matters, and adds direct links into Chat, Personal Workspace, or Support destinations where users can try the feature.
  • The Admin Settings Latest Features tab now also calls out the General-tab User-Facing Latest Features checklist so admins can see where feature sharing is configured.
  • (Ref: support_menu_config.py, route_frontend_support.py, latest_features.html, support_send_feedback.html, admin_settings.html, test_support_menu_user_feature.py, support menu configuration and user-facing latest features)

• MultiGPT Endpoint Management

  • Added multi-endpoint model management so admins can define multiple global model endpoints and users can add personal or group-scoped endpoints when those workspace features are enabled.
  • Personal Workspace and Group Workspace now surface dedicated model endpoint management cards, and agent/model selection can use combined global plus workspace endpoint lists instead of relying on a single shared deployment.
  • The endpoint workflow supports Azure OpenAI and Azure AI Foundry discovery flows, including model fetch/test operations and endpoint-based Foundry agent import.
  • (Ref: route_backend_models.py, route_frontend_admin_settings.py, workspace_model_endpoints.js, admin_model_endpoints.js, workspace.html, group_workspaces.html, test_workspace_multi_endpoints.py)

• Guided Chat Tutorial

  • Expanded the in-app chat tutorial into a fuller guided walkthrough of the current chat experience so new users can learn the live interface in context.
  • The tutorial now walks through the main chat toolbar, workspace and scope controls, conversation search, advanced search, selection mode, bulk actions, export-related flows, and message-level actions such as retry, edit, feedback, thoughts, and citations.
  • The walkthrough also includes reliability improvements for dynamic chat UI elements, including sidebar expansion, popup alignment, and tutorial-owned surfaces for steps that depend on transient menus.
  • (Ref: chat-tutorial.js, chats.html, chat-sidebar-conversations.js, test_chat_tutorial_selector_coverage.py, chat tutorial walkthrough)

• Personal Workspace Guided Tutorial

  • Added a dedicated in-app tutorial for Personal Workspace so users can learn document, prompt, agent, action, and tag workflows directly inside the workspace page.
  • The walkthrough covers uploads, search and filters, list and grid views, document details, row actions, bulk selection flows, tag management, prompt management, agent management, and action management.
  • It also includes layout-aware positioning and state-restoration behavior so the overlay remains aligned while tabs, filters, menus, and collapsible sections change during the walkthrough.
  • (Ref: workspace.html, workspace-tutorial.js, test_personal_workspace_tutorial_selector_coverage.py, test_personal_workspace_tutorial_document_flow.py, test_workspace_tutorial_reposition_fix.py, test_workspace_tutorial_layer_order_fix.py)

• Conversation Completion Notifications

  • Added personal chat completion notifications so users who leave a conversation before the assistant finishes can still see that a response is ready.
  • Notification clicks deep-link back into the completed conversation, and personal conversations now show a green unread dot until the assistant response is opened.
  • The unread state and notification lifecycle are wired into the chat conversation list, sidebar list, and mark-read flow so the indicator clears once the conversation is actually viewed.
  • (Ref: conversation notifications, unread assistant responses, route_backend_chats.py, route_backend_conversations.py, functions_notifications.py, functions_conversation_unread.py, chat-conversations.js, chat-sidebar-conversations.js)

• Background Chat Completion Away From Chat Page

  • Updated streaming chat execution so assistant responses can continue running after the user leaves the chat page instead of stopping when the browser disconnects from the stream.
  • This keeps final assistant persistence, unread markers, and completion notifications reachable even when users navigate into Personal, Group, or other pages while a reply is still generating.
  • (Ref: background stream execution, BackgroundStreamBridge, route_backend_chats.py, test_chat_stream_background_execution.py, test_streaming_only_chat_path.py)

• SimpleChat Startup and Scheduler Separation

  • Added deployment guidance for local development, Azure App Service native Python startup, and container runtimes so administrators can choose between direct Gunicorn startup and optional python app.py handoff behavior with clear environment-variable guidance.
  • Extracted the scheduler-style logging timer, approval expiration, and retention loops into a shared background task module and added a dedicated simplechat_scheduler.py entrypoint so scheduled work can run in a separate process or job.
  • This allows the web app to use Gunicorn with workers=2 without duplicating scheduler loops inside every worker process, while keeping a legacy override available for single-process environments.
  • (Ref: app.py, background_tasks.py, simplechat_scheduler.py, SIMPLECHAT_STARTUP.md, test_startup_scheduler_support.py)

• Deployment, Setup, and Upgrade Documentation Refresh

  • Expanded the deployment guidance so teams can more quickly choose between manual deployment, Azure CLI, Bicep, Terraform, and special-environment setup paths from the main setup documentation.
  • Added a dedicated upgrade guide for existing deployments that separates native Python App Service upgrades from container-based App Service upgrades, including when to use VS Code deployment, ZIP deploy, deployment slots, azd deploy, azd provision, or azd up.
  • Clarified developer and production runtime documentation with explicit local-development guidance, Azure production startup expectations, Gunicorn startup rules, container entrypoint behavior, and scheduler-separation recommendations.
  • (Ref: setup_instructions.md, setup_instructions_manual.md, how-to/upgrade_paths.md, running_simplechat_azure_production.md, running_simplechat_locally.md, SIMPLECHAT_STARTUP.md, deployment and developer documentation)

• Chat Completion Notifications

  • Added personal chat completion notifications so users who leave a streaming conversation before the assistant finishes now receive a notification when the AI response is ready.
  • Notification clicks deep-link directly back to the completed conversation, and personal conversations now show a green unread dot in both chat conversation lists until that response is opened.
  • The unread state is cleared automatically when the conversation is opened or when the user stays on the chat page through stream completion, keeping the active-view experience clean without adding heartbeat tracking.
  • (Ref: route_backend_chats.py, route_backend_conversations.py, functions_notifications.py, functions_conversation_unread.py, chat-conversations.js, chat-sidebar-conversations.js, chat-streaming.js, test_chat_completion_notifications.py)

• Configurable Tabular Preview Blob Size Limit

  • Added an admin-configurable maximum blob size for tabular file previews, replacing the previous hardcoded limit. Default is 200 MB.
  • New Tabular Preview Limits card in the Enhanced Citations section of Admin Settings (Citations tab) lets admins increase or decrease the limit based on their compute resources and user population.
  • Setting is stored as tabular_preview_max_blob_size_mb and accepts values from 1 to 1024 MB.
  • (Ref: route_enhanced_citations.py, functions_settings.py, admin_settings.html)

• Tabular Preview Memory Optimization

  • The /api/enhanced_citations/tabular_preview endpoint no longer loads entire files into a DataFrame. It now uses nrows limits in pandas.read_csv/read_excel to read only the rows needed for the preview, and checks blob size before downloading to reject oversized files early.
  • (Ref: route_enhanced_citations.py)

• Persistent Conversation Summaries

  • Summaries generated during conversation export are now saved to the conversation document in Cosmos DB for future reuse.
  • C...

v0.239.002

View the features with screenshots and descriptions
https://microsoft.github.io/simplechat/latest-release/

Bug Fixes

• Workspace Scope Lock Unlock Fix

  • Fixed bug where unlocking workspace scope in chat conversations was not working correctly.
  • (Ref: chat-conversations.js, selectConversation(), workspace scope lock state)

• Public Workspace Documents Loading Fix

  • Fixed JavaScript error preventing public workspace documents from loading. Removed incorrect import statement that caused a module resolution failure.
  • (Ref: public_workspace.js, JS import fix, public workspace document list)

v0.239.001

New Features

View the features with screenshots and descriptions
https://microsoft.github.io/simplechat/latest-release/

• Conversation Export

  • Export one or multiple conversations from the Chat page in JSON or Markdown format.
  • Single Export: Use the ellipsis menu on any conversation to quickly export it.
  • Multi-Export: Enter selection mode, check the conversations you want, and click the export button.
  • A guided 4-step wizard walks you through selection review, format choice, packaging options (single file or ZIP archive), and download.
  • Sensitive internal metadata is automatically stripped from exported data for security.

• Retention Policy UI for Groups and Public Workspaces

  • Can now configure conversation and document retention periods directly from the workspace and group management page.
  • Choose from preset retention periods ranging from 7 days to 10 years, use the organization default, or disable automatic deletion entirely.

• Owner-Only Group Agent and Action Management

  • New admin setting to restrict group agent and group action management (create, edit, delete) to only the group Owner role.
  • Admin Toggle: "Require Owner to Manage Group Agents and Actions" located in Admin Settings > My Groups section, under the existing group creation membership setting.
  • Default Off: When disabled, both Owner and Admin roles can manage group agents and actions (preserving existing behavior).
  • When Enabled: Only the group Owner can create, edit, and delete group agents and group actions. Group Admins and other roles are restricted to read-only access.
  • Backend Enforcement: Server-side validation returns 403 for non-Owner users attempting create, update, or delete operations on group agents and actions.
  • Frontend Enforcement: "New Agent" and "New Action" buttons are hidden, edit/delete controls are removed, and a permission warning is displayed for non-Owner users.
  • Files Modified: functions_settings.py, admin_settings.html, route_frontend_admin_settings.py, route_backend_agents.py, route_backend_plugins.py, group_workspaces.html, group_agents.js, group_plugins.js.
  • (Ref: require_owner_for_group_agent_management setting, assert_group_role permission check)

• Enforce Workspace Scope Lock

  • Adds an admin-controlled safeguard that automatically locks workspace scope after the first AI search to prevent unintended cross-workspace data access.
  • Enabled by Default: When enabled, workspace scope automatically locks after the first AI search and users cannot unlock it, preventing accidental cross-contamination between data sources.
  • Informational Modal: Users can still click the lock icon to view which workspaces are locked, but the "Unlock Scope" button is hidden and replaced with an informational message.
  • Backend Enforcement: Server-side validation rejects unlock API requests when the setting is enabled, providing defense-in-depth security.
  • Admin Toggle: Located in Admin Settings > Workspace tab in the new "Workspace Scope Lock" section.
  • Files Modified: config.py, functions_settings.py, route_frontend_admin_settings.py, admin_settings.html, chats.html, chat-documents.js, route_backend_conversations.py.
  • (Ref: ENFORCE_WORKSPACE_SCOPE_LOCK.md)

• Blob Metadata Tag Propagation

  • Document tags now propagate to Azure Blob Storage metadata when enhanced citations is enabled.
  • Automatic Sync: When tags are added, removed, or updated on a document, the corresponding blob's metadata is updated with a document_tags field containing a comma-separated list of tags.
  • Conditional: Only active when enable_enhanced_citations is enabled in admin settings; no blob metadata changes occur otherwise.
  • Cross-Workspace: Works for personal, group, and public workspace documents.
  • Non-Blocking: Blob metadata update failures are logged but do not prevent the primary tag propagation to AI Search chunks.
  • Files Modified: functions_documents.py.
  • (Ref: BLOB_METADATA_TAG_PROPAGATION.md)

• Document Tag System

  • Comprehensive tag management system for organizing documents across personal, group, and public workspaces.
  • Tag Definitions: Tags with custom colors from a 10-color default palette (blue, green, amber, red, purple, pink, cyan, lime, orange, indigo) or user-specified hex codes. Colors assigned deterministically via character-sum hash.
  • Full CRUD API: 15 endpoints (5 per workspace type) for listing, creating, bulk tagging, renaming/recoloring, and deleting tags. Consistent API pattern across /api/documents/tags, /api/group_documents/<id>/tags, and /api/public_workspace_documents/<id>/tags.
  • Bulk Tag Operations: Apply, remove, or replace tags on multiple documents in a single operation with per-document success/error reporting.
  • AI Search Integration: Tags propagate to all document chunks via propagate_tags_to_chunks(), enabling OData tag filtering during hybrid search with AND logic (document_tags/any(t: t eq 'tag')).
  • Tag Validation: Max 50 characters, alphanumeric plus hyphens/underscores only, normalized to lowercase, duplicates silently deduplicated.
  • Tag Storage: Personal tags in user settings, group tags on group Cosmos document, public workspace tags on workspace Cosmos document.
  • Files Modified: functions_documents.py, functions_search.py, route_backend_documents.py, route_backend_group_documents.py, route_backend_public_documents.py.
  • Files Added: static/json/ai_search-index-user.json, static/json/ai_search-index-group.json, static/json/ai_search-index-public.json.
  • (Ref: Document Tag System, AI Search OData filtering, cross-workspace tags, DOCUMENT_TAG_SYSTEM.md)

• Workspace Folder View (Grid View)

  • Toggle between traditional list view and folder-based grid view for workspace documents via radio buttons.
  • Tag Folders: Color-coded folder cards displaying tag name, document count, folder icon, and context menu (rename, recolor, delete).
  • Special Folders: "Untagged" folder for documents with no tags and "Unclassified" folder for documents without classification (when classification is enabled).
  • Folder Drill-Down: Click a folder to view its contents with breadcrumb navigation, in-folder search, configurable page sizes (10, 20, 50), and sort by filename or title.
  • Grid Sort Controls: Sort folder overview by name or file count with ascending/descending toggle.
  • View Persistence: Selected view preference saved to localStorage and restored on page load.
  • Tag Management Modal: Step-through workflow for creating, editing, renaming, recoloring, and deleting tags with color picker.
  • Cross-Workspace Support: Equivalent grid view and tag management available in group workspaces (inline JS) and public workspaces.
  • Files Added: workspace-tags.js (1257 lines), workspace-tag-management.js (732 lines).
  • Files Modified: workspace.html, group_workspaces.html, public_workspaces.html, public_workspace.js.
  • (Ref: Folder view, tag management modal, grid rendering, WORKSPACE_FOLDER_VIEW.md)

• Multi-Workspace Scope Management

  • Select from Personal, multiple Group, and multiple Public workspaces simultaneously in the chat interface.
  • Hierarchical Scope Dropdown: Organized sections with checkbox multi-selection and "Select All / Clear All" toggle with indeterminate state support.
  • Scope Locking: Per-conversation lock that freezes workspace selection after the first AI Search. Three-state machine: null (auto-lockable) → true (locked) → false (user-unlocked) → true (re-lockable).
  • Lock Indicator: Visual lock icon with tooltip showing locked workspace names. Locked workspaces appear grayed out in the dropdown.
  • Lock/Unlock Modal: Dialog for manually toggling scope lock per conversation.
  • Lock Persistence: Lock state stored in conversation metadata via PATCH /api/conversations/<id>/scope_lock.
  • Workspace Search Container: Multi-column flex layout (Scope → Tags → Documents) with connected card UI and viewport boundary detection.
  • Files Modified: chat-documents.js, chat-messages.js, chats.html, route_backend_chats.py, route_backend_conversations.py.
  • (Ref: Multi-workspace selection, scope locking, search container layout, MULTI_WORKSPACE_SCOPE_MANAGEMENT.md)

• Chat Document and Tag Filtering

  • Checkbox-based multi-document selection replacing the legacy single-document dropdown in the chat interface.
  • Custom Document Dropdown: Checkboxes for each document with real-time search, "All Documents" option, and selected count display ("3 Documents").
  • Scope Indicators: Each document labeled with its source workspace: [Personal], [Group: Name], or [Public: Name].
  • Multi-Tag Filtering: Checkbox dropdown for selecting tags to filter the document list. Classification categories shown with color coding when enabled.
  • Dynamic Tag Loading: Tags load and merge across all selected scope workspaces with aggregated counts.
  • DOM-Based Filtering: Non-matching documents removed from the DOM (not hidden via CSS), following project conventions. Removed items stored for restoration when filters change.
  • Backend Integration: Selected document IDs and tags sent in chat request body. Backend constructs OData AND filter: `document...

v0.237.011

(v0.237.011)

Bug Fixes

• Chat File Upload "Unsupported File Type" Fix

  • Fixed issue where uploading xlsx, png, jpg, csv, and other image/tabular files in the chat interface returned a 400 "Unsupported file type" error.
  • Root Cause: os.path.splitext() returns extensions with a leading dot (e.g., .png), but the IMAGE_EXTENSIONS and TABULAR_EXTENSIONS sets in config.py store extensions without dots (e.g., png). The comparison '.png' in {'png', ...} was always False, causing all image and tabular uploads to fall through to the unsupported file type error.
  • Solution: Added file_ext_nodot = file_ext.lstrip('.') and used the dot-stripped extension for set comparisons against IMAGE_EXTENSIONS and TABULAR_EXTENSIONS, matching the pattern already used in functions_documents.py.
  • (Ref: route_frontend_chats.py, file extension comparison, IMAGE_EXTENSIONS, TABULAR_EXTENSIONS)

• Manage Group Page Duplicate Code and Error Handling Fix

  • Fixed multiple code quality and user experience issues in the Manage Group page JavaScript.
  • Duplicate Event Handlers: Removed duplicate event handler registrations (lines 96-127) for .select-user-btn, .remove-member-btn, .change-role-btn, .approve-request-btn, and .reject-request-btn that were causing multiple event firings.
  • Duplicate HTML in Actions Column: Fixed member action buttons rendering duplicate attributes as visible text instead of functional buttons, causing raw HTML/CSS class names to display in the Actions column.
  • Duplicate Pending Request Buttons: Removed duplicate Approve and Reject buttons in pending requests table that were appearing twice per request.
  • Enhanced Error Handling: Improved setRole() and removeMember() functions with specific error messages for 404 (member not found) and 403 (permission denied) errors, automatic member list refresh on 404, and user-friendly toast notifications instead of generic alerts.
  • Removed Duplicate Comment: Cleaned up duplicate "Render user-search results" comment.
  • Impact: Member management buttons now render and function correctly, provide better error feedback, and auto-recover from stale member data.
  • (Ref: manage_group.js, event handler deduplication, error handling improvements, toast notifications)

v0.237.009

New Features

• ServiceNow Integration Documentation
  • Comprehensive documentation for integrating ServiceNow with Simple Chat, including step-by-step guides for both Basic Authentication and OAuth 2.0.
  • OAuth 2.0 Setup: Detailed guide for Resource Owner Password Credential grant type with production security considerations.
  • OpenAPI Specifications: 7 OpenAPI YAML files for ServiceNow Incident Management and Knowledge Base APIs (both bearer token and basic auth versions).
  • Agent Instructions: Behavioral instructions optimized for ServiceNow operations (263 lines).
  • Key Features: Integration user creation, role assignment guidance, token management strategies, troubleshooting guide, and production deployment considerations.
  • Documentation Files: SERVICENOW_INTEGRATION.md (760 lines), SERVICENOW_OAUTH_SETUP.md (480+ lines), servicenow_agent_instructions.txt, and 7 OpenAPI specs in docs/how-to/agents/ServiceNow/.
  • (Ref: ServiceNow integration, OAuth 2.0, OpenAPI specifications, enterprise integrations)

Bug Fixes

• Workspace Search Deselection KeyError Fix

  • Fixed HTTP 500 error when deselecting the workspace search button after having a document selected. Users would get "Could not get a response. HTTP error! status: 500" in the chat interface.
  • Root Cause: When workspace search was deselected (hybrid_search_enabled = False), the user_metadata['workspace_search'] dictionary was never initialized. However, subsequent code for handling group scope or public workspace context attempted to access user_metadata['workspace_search']['group_name'] or other properties, causing a KeyError.
  • Error: KeyError: 'workspace_search' at lines 468, 479 in route_backend_chats.py when trying to set group_name or active_public_workspace_id.
  • Solution: Added defensive checks before accessing user_metadata['workspace_search']. If the key doesn't exist, initialize it with {'search_enabled': False} before attempting to set additional properties like group_name or workspace IDs.
  • Workaround: Clicking Home and then back to Chat worked because it triggered a page reload that reset the state properly.
  • (Ref: route_backend_chats.py, workspace search, metadata initialization, KeyError handling)

• OpenAPI Basic Authentication Fix

  • Fixed "session not authenticated" errors when using Basic Authentication with OpenAPI actions, even when credentials were correct.
  • Root Cause: Mismatch between how the UI stored Basic Auth credentials (as username:password string in auth.key) and how the OpenAPI plugin factory expected them (as separate username and password properties in additionalFields).
  • Solution: Modified OpenApiPluginFactory to detect and parse username:password format from auth.key, splitting credentials into separate properties that the authentication middleware expects.
  • Files Modified: semantic_kernel_plugins/openapi_plugin_factory.py.
  • (Ref: OpenAPI actions, Basic Authentication, credential parsing, OPENAPI_BASIC_AUTH_FIX.md)

• Group Action OAuth Schema Merging Fix

  • Fixed HTTP 401 Unauthorized errors when using OAuth bearer token authentication with group actions. When editing group actions, additionalFields was empty, missing all authentication configuration.
  • Root Cause: Group action backend routes did not call get_merged_plugin_settings() to merge UI form data with OpenAPI schema defaults, while global action routes did. This caused group actions to be saved without authentication configuration fields like auth_method, base_url, and authentication credentials.
  • Solution: Updated group action save/update routes in route_backend_plugins.py to call get_merged_plugin_settings(), ensuring authentication configuration is properly merged and persisted.
  • Files Modified: route_backend_plugins.py.
  • (Ref: Group actions, OAuth authentication, schema merging, GROUP_ACTION_OAUTH_SCHEMA_MERGING_FIX.md)

• Group Agent Loading Fix

  • Fixed issue where group agents were not appearing in the agent list when per-user semantic kernel mode was enabled. Users selecting group agents would fall back to the global "researcher" agent with zero plugins/actions available.
  • Root Cause: The load_user_semantic_kernel() function only loaded personal agents and global agents (when merge enabled), but completely omitted group agents from groups the user is a member of.
  • Solution: Updated load_user_semantic_kernel() to fetch and load group agents for all groups the user is a member of, ensuring proper agent availability in per-user kernel mode.
  • Files Modified: semantic_kernel_loader.py.
  • (Ref: Group agents, per-user semantic kernel, agent loading, GROUP_AGENT_LOADING_FIX.md)

• Manage Group Page Syntax Error Fix

  • Fixed critical JavaScript syntax error preventing the manage group page from loading. Removed duplicate code blocks including duplicate conditional checks, forEach loops, button tags, and function definitions.
  • The page was stuck on "Loading..." indefinitely with console error "Uncaught SyntaxError: missing ) after argument list" at line 673.
  • (Ref: manage_group.js, duplicate code removal, syntax error resolution)

• File Extension Handling Improvements

  • Fixed multiple issues related to file extension handling and audio transcription across the application.
  • Missing MP3 Extension: Fixed issue where .mp3 files were missing from the list of allowed extensions. Users attempting to upload mp3 files to workspaces saw "Uploaded 0/1, Failed: 1" with no error logging to activity_logs or documents containers.
  • Centralized Extension Definitions: Resolved file extension variable duplications throughout codebase by centralizing all allowed file extension definitions in config.py and importing them in downstream function and route files. This prevents extension lists from going out of sync during updates.
  • Additional Supported Extensions: Added missing file types supported by Document Intelligence and Video Indexer services: .heic (image), .mpg, .mpeg, .webm (video).
  • Browser-Compatible Extensions: Adjusted file extensions in chat-enhanced-citations.js for proper browser rendering. Removed incompatible formats like .heif and added compatible formats like .3gp after thorough testing.
  • (Ref: config.py, file extension centralization, enhanced citations rendering)

• Audio Transcription Continuous Recognition Fix (MAG)

  • Fixed incomplete audio transcriptions in Azure Government (MAG) environments where transcription stopped at first silence or after 30 seconds of audio.
  • Root Cause: Previous implementation used recognize_once() method which stops transcription at the first silence (end of sentence, speaker pauses) and has a maximum 30-second transcription limit.
  • Solution: Implemented continuous recognition using start_continuous_recognition() method instead of recognize_once(), enabling full-length audio file transcription without interruption at natural speech pauses.
  • Impact: Audio files now transcribe completely regardless of length or natural pauses in speech, improving transcription quality and completeness in MAG regions where Fast Transcription API is unavailable.
  • (Ref: Azure Speech Service, continuous recognition, MAG support, audio transcription)

• Workspace File Metadata Edit Error Fix

  • Fixed "'tuple' object has no attribute 'get'" error when clicking Save after editing workspace file metadata in personal, group, or public workspaces.
  • Root Cause: Missing checks and error handling in route backend documents code when processing metadata updates.
  • Solution: Added additional validation checks and proper handling to route_backend_documents.py for all workspace types (personal, group, public).
  • Impact: Users can now successfully edit and save file metadata without encountering errors.
  • (Ref: route_backend_documents.py, metadata updates, error handling)

v0.237.007

(v0.237.007)

Bug Fixes

• Sidebar Conversations Race Condition and DOM Manipulation Fix
  • Fixed two critical issues preventing sidebar conversations from displaying correctly for users.
  • Issue #1 - DOM Manipulation Error: Fixed JavaScript error NotFoundError: Failed to execute 'insertBefore' on 'Node' that caused sidebar conversation list to fail to render. Root cause was incorrect order of DOM element manipulation where insertBefore() was called with an invalid reference node after elements had been moved/removed.
  • Issue #2 - Race Condition with Empty Conversations: Fixed race condition where users with no existing conversations who created their first conversation would not see it appear in the sidebar. Root cause was the loading flag never being reset when API returned empty conversations array, causing all subsequent reload attempts to be blocked indefinitely.
  • Solution Part 1: Enhanced DOM manipulation with stricter parent node validation (dropdownElement.parentNode === headerRow), wrapped operations in try-catch for graceful fallback to appendChild(), and added comprehensive error logging. Ensures sidebar always renders even if timing issues occur.
  • Solution Part 2: Implemented pending reload queue system. Instead of blocking concurrent loads, the code now marks pendingSidebarReload = true when a reload is requested during active loading. All code paths (success, empty array, error) now reset the loading flag and check for pending reloads, automatically triggering queued reload after 100ms delay.
  • Impact: Before fix, ~10-15% of page loads had DOM errors and 100% of new users couldn't see their first conversation without manual page refresh. After fix, 0% failures with seamless user experience and no manual refresh needed.
  • (Ref: chat-sidebar-conversations.js, DOM manipulation order, race condition handling, loading flag management, pending reload queue, lines 12-40, 93-115, 169-183)

v0.237.006

(v0.237.006)

Bug Fixes

• Sidebar Conversations DOM Manipulation Fix

  • Fixed JavaScript error "Failed to execute 'insertBefore' on 'Node': The node before which the new node is to be inserted is not a child of this node" that prevented sidebar conversations from loading.
  • Root Cause: In createSidebarConversationItem(), the code was attempting DOM manipulation in the wrong order. When originalTitleElement was appended to titleWrapper, it was removed from headerRow, making the subsequent insertBefore(titleWrapper, dropdownElement) fail because dropdownElement was no longer a valid child reference in the expected DOM position.
  • Impact: Users experienced a complete failure loading the sidebar conversation list, with the error appearing in browser console and preventing any conversations from displaying in the sidebar. This affected all users attempting to view their conversation history.
  • Solution: Reordered DOM manipulation to remove originalTitleElement from DOM first, style it, add it to titleWrapper, then insert the complete titleWrapper before dropdownElement. Added validation to check if dropdownElement is a valid child before attempting insertion.
  • (Ref: chat-sidebar-conversations.js, createSidebarConversationItem(), DOM manipulation order, line 150)

• Windows Unicode Encoding Issue Fix

  • Fixed critical cross-platform compatibility issue where the application crashes on Windows when processing or displaying Unicode characters beyond the Western European character set.
  • Root Cause: Python on Windows uses cp1252 encoding for stdout/stderr (limited to 256 Western European characters), while Azure services and web applications use UTF-8 encoding universally (1.1M+ characters). This mismatch caused UnicodeEncodeError: 'charmap' codec can't encode character '\uXXXX' when logging or displaying emojis, international characters, IPA symbols, or special formatting.
  • Impact: Application crashes affecting:
    • Video transcripts with phonetic symbols
    • Chat messages containing emojis or international text
    • Agent responses with Unicode formatting
    • Debug logging across the entire application
    • Error messages and stack traces
  • Solution: Configured UTF-8 encoding globally at application startup for Windows platforms by reconfiguring sys.stdout and sys.stderr to UTF-8 at the top of app.py before any imports or print statements. Includes fallback for older Python versions (<3.7). Platform-specific fix only applies on Windows.
  • Testing: Verified with video processing (IPA phonetic symbols), chat messages (emojis/international characters), debug logging (Unicode content), and confirmed no impact on Linux/macOS deployments.
  • Issue: Fixes #644
  • (Ref: app.py, UTF-8 encoding configuration, cross-platform compatibility)

• Azure Speech Service Managed Identity Authentication Fix

  • Fixed Azure Speech Service managed identity authentication requiring resource-specific endpoints with custom subdomains instead of regional endpoints.
  • Root Cause: Managed identity (AAD token) authentication fails with regional endpoints (e.g., https://eastus2.api.cognitive.microsoft.com) because the Bearer token doesn't specify which Speech resource to access. The regional gateway cannot determine resource authorization, resulting in 400 BadRequest errors. Key-based authentication works with regional endpoints because the subscription key identifies the specific resource.
  • Impact: Users could not use managed identity authentication with Speech Service for audio transcription. Setup appeared successful but failed at runtime with authentication errors.
  • Solution: Comprehensive setup guide for managed identity requiring:
    • Custom Subdomain: Enable custom subdomain on Speech resource using az cognitiveservices account update --custom-domain <resource-name>
    • Resource-Specific Endpoint: Configure endpoint as https://<resource-name>.cognitiveservices.azure.com (not regional endpoint)
    • RBAC Roles: Assign Cognitive Services Speech User and Cognitive Services Speech Contributor roles to App Service managed identity
    • Admin Settings: Update Speech Service Endpoint to resource-specific URL, set Authentication Type to "Managed Identity", leave Speech Service Key empty
  • Key Differences:
    • Key auth ✅ works with both regional and resource-specific endpoints
    • Managed Identity ❌ fails with regional endpoints (400 BadRequest)
    • Managed Identity ✅ works with resource-specific endpoints (requires custom subdomain)
  • Troubleshooting Guide: Added comprehensive troubleshooting for NameResolutionError (custom subdomain not enabled), 400 BadRequest (wrong endpoint type), 401 Authentication errors (missing RBAC roles).
  • (Ref: Azure Speech Service, managed identity authentication, custom subdomain, RBAC configuration, endpoint types)