Changelog

Recent product updates and release notes.

Beta 0.40.0

Current

Released

May 18, 2026

Hooks now live at the top of the schema as a named, BQL-shaped registry, not embedded inside each kind. The mutation pipeline routes per-unit with precise validate/transform/effect gating, the commit-event diff records exactly which keys moved, and Studio surfaces the registry as a first-class section. Pre-launch breaking change: legacy per-kind hooks blocks are no longer accepted on import.

Beta 0.40.0

May 18, 2026Current beta

Schema-level hooks

Features

definition_mutate knows about hooks. Create / update / delete / query via { "$type": "hook", "name": "..." }. Schema events emit $sid (hook name) for hook ops and $did for kinds/fields, so audit subscribers can distinguish the two without parsing the type.
Per-unit hook gating. The validate / transform / effect gates short-circuit at the unit level — a batch that mixes a hooked kind (e.g. Post) with an unhooked kind (e.g. User) only runs hooks against Post. Multi-subspace batches stay correct because the gate inspects each unit's subspace.
Hook dependency validation on schema deletes. Deleting a kind or field that a hook still targets fails with a clear error before any prefix is written. Renaming a field that a hook filter references in the same batch is allowed if the hook update lands first; otherwise the batch is rejected as dangling.
Transform conflict detection across hooks. When two top-level transform hooks write the same leaf path on the same unit during one pass, the batch errors out instead of silently picking the last writer.
Studio Hooks sidebar. Schema sidebar shows a Hooks section with a Zap icon, hook name, and type chip (unit.validate / unit.transform / unit.effect). Renders even when there are no kinds yet, so freshly-imported hook-only schemas are visible.

Improvements

Commit-event diff is precise for hook updates. Only the keys that actually changed appear in changed / details. Optional fields removed by the update (e.g. dropping when or timeoutMs) are recorded with a null sentinel so audit subscribers can tell "removed" apart from "unchanged".
Schema version stays consistent on dep-check rollback. Hook CRUD no longer inline-persists the schema version — the outer dispatcher does it after validate_hook_dependencies clears, so a rejected batch leaves the on-disk version exactly where it was.
Bulk hook load on schema open. set_hooks_bulk indexes the entire hook set once instead of rebuilding the index on every insert.
Duplicate-kind entries in $kinds.$any collapse to one index slot, so ["Post", "Post"] no longer fires the hook twice.

Fixes

Top-level effect snapshot path matches per-unit gating. A batch touching only unhooked kinds no longer pays the snapshot cost when the schema declares effect hooks elsewhere.
definition_import rejects the legacy per-kind hooks block with an explicit error instead of silently dropping it.

Breaking Changes

Hooks move to schema.hooks. The per-kind hooks block on KindDef is removed. Hooks now live in a top-level map keyed by hook name (schema.hooks["Post.audit"] = { type, target: { ops, $kinds, $filter }, $js }). Existing definitions must be rewritten — there is no transparent migration.
schema.hooks targets are BQL-shaped. A hook declares its target with { ops, $kinds, $filter }. ops accepts create | update | delete | query; link and unlink are rejected at parse time (use update on the role/link field for those). $filter rejects arc-field paths.
Hook arity per name is 1. Each hook is identified by name and replaces in place — update is full-replace semantics. Use distinct names to attach multiple hooks to the same kind.

Beta 0.39.0

May 17, 2026

Safer portals, smarter Studio, and ergonomic SDK

Portal save now catches broken hooks and undefined variables before they reach the browser. Components can be renamed with all import paths updated automatically. The React SDK drops the empty-input boilerplate for no-input operations.

Features

Portal hooks validated at save time. Unknown hooks, definition-domain hooks (schema/portals API), and cross-source hook usage are rejected when saving a page or component — with a did-you-mean suggestion — instead of failing silently at browser runtime.
Portal undefined variables caught at save time. Typos in variable names (e.g. useMutationn) are now detected by semantic analysis and rejected with the offending line number and a spelling suggestion.
Component rename rewrites all imports. Renaming a component in Pages Builder cascades @components/OldName → @components/NewName across every page, layout, and component that references it.
useQuery(ref) no longer requires {} for operations with no input fields. Pass the ref alone when the input schema is empty; ops with required fields still type-check as before.
$search gains $mode: "all" to run all search strategies simultaneously, returning the broadest match set.

Improvements

Studio: double-click a kind or field row to edit it directly. The kind edit modal opens on the matching tab with that field pre-selected.
BQL completions are mode-aware. $code and $js no longer appear at the query/mutation root (they are only valid inside field-value objects).
additionalProperties strict-mode errors include the reason. Validation rejections now say which field triggered the extra-property check.
Doc search finds concepts faster. Frontmatter aliases and stemmed boosting surface the right page with partial or alternate terms.

Fixes

Namespace-imported hooks (import { useQuery } from "@blitzgraph/client-react") are now validated the same as default imports — the bypass is closed.
Saving an app no longer silently drops pages or layouts included in the update payload; they are rejected explicitly.
FTS segment flush is now High priority so index updates are not starved by lower-priority background tasks.

Beta 0.38.0

May 14, 2026

Roundtrip-safe data import and export

BlitzGraph data exports now produce query-shaped units that can be imported with minimal drift, including cross-subspace references and stable arc wiring.

Improvements

Imports support multiple subspaces in one payload. Root and nested create items can carry $subspace, matching normal mutation defaults while keeping $id references scoped correctly.
Export output mirrors query output more closely. Link fields and role fields can both appear in exported units so the data shape stays familiar to query consumers.
Import errors are more precise. Duplicate $id, non-create $op, id conflicts, and missing kind context now return structured error codes for SDK and MCP callers.

Fixes

Roundtrip imports preserve exported relationships without requiring callers to hand-author $var aliases.
Import ignores exported $iid values instead of trying to preserve internal ULIDs.

Breaking Changes

Data import is create-only. /data/import accepts missing $op or $op: "create" and rejects update-style import items.
Export no longer emits mutation-only fields. Exported units omit $op, $var, and $iid; import treats $id as the roundtrip reference key for rebuilding arcs inside the imported payload.

Beta 0.37.1

May 14, 2026

Scan-aware FILE uploads

BlitzGraph FILE uploads now share stricter validation across Studio and portals, expose scan-aware readiness, and refresh expiring file links from the client.

Improvements

FILE uploads are harder to spoof. Browser uploads now share filename, MIME allowlist, magic-byte, size, and finalize checks across presign, inline mutation, and portal flows.
File links are scan-aware. Processing or blocked files no longer expose signed URLs, while ready files include URL expiry metadata so clients can refresh before links expire.
React FILE previews handle security states. Processing and blocked attachments render explicit states, while expiring signed links refresh before they become dead download links.

Fixes

Inline portal uploads now use the same FILE validation path as staged uploads, closing bypasses around declared MIME types and executable payloads.
Malicious attachment filenames render as plain text in React previews.

Beta 0.37.0

May 14, 2026

Canonical imports, safer portals, and hosted hardening

BlitzGraph now uses one canonical envelope for HTTP, SDK, and MCP imports/exports, validates portal apps before saving broken code, and tightens hosted security, uploads, feedback, and data protection.

Features

Schema and portals can be imported/exported independently. Use /schema/import|export for kinds only, /portals/import|export for apps/components only, and /definitions/import|export for the full bundle.
Subspace opts accept names or numeric IDs. HTTP, SDK, and generated types now share the same opts.subspace shape as per-item $subspace.
Public Bugs / feedback dialog. The marketing header can now send bug reports, feature requests, friction notes, or other feedback through a rate-limited marketing.feedback.send op.

Improvements

MCP import tools match the HTTP/SDK contracts. data.import now uses { units, opts }, preserves optional opts, and rejects unknown wrapper keys before execution.
Portal ops fail earlier and clearer. queryOps / mutationOps BQL, $input markers, declared inputSchema, and mutation invalidation targets are validated before an app is saved.
Hosted security is stricter. BlitzGraph now sends centralized CSP/security headers, hides the Next.js version header, and keeps required presigned S3 upload origins allowed for FILE uploads.
Hosted data protection is explicit. Server data lives on dedicated /data volumes with daily snapshots and environment-specific retention.

Fixes

Scoped imports now keep their opts.subspace target through SDK, MCP, seed, and HTTP paths, preventing schema/data imports from landing in the wrong subspace.
FILE uploads from Studio and portals are no longer blocked by the app CSP when using presigned S3 upload URLs.
Server-side PostHog exception reporting flushes in the background, so telemetry does not block user responses.

Breaking Changes

Definition endpoints are pluralized. Use /definitions/query, /definitions/mutate, /definitions/import, and /definitions/export. The old /definition/* paths are gone.
Import/export bodies use canonical envelopes. /data/import takes { units, opts? }; /data/export takes { selector?, opts? }; definition/schema/portal imports carry opts in the JSON body. Subspace defaults now live at opts.subspace.
Options are camelCase only. Use timeoutMs, failFast, returnMode, defaultMeta, maxErrors, onExprError, etc. Snake_case option keys and root-level request subspace fields are rejected.
Data import/export response keys are camelCase. Import progress/results expose inputItems, unitsCreated, and byKind; export chunks/results expose units instead of items.
Portal TSX must use generated refs from @app/ops. String op names, inline/local refs, tuple-destructured hooks, and broken TSX/server modules now reject at save time.

Beta 0.36.0

May 13, 2026

Granular subspace wipes: schema-only and portals-only

wipe_schema previously wiped both schema (kinds) and portals (apps + components) together. It now clears kinds only — portals survive. The previous combined behavior moved to wipe_definitions. A new wipe_portals clears apps and components without touching kinds or data.

Features

New admin op wipe_definitions — kinds + schema events + apps + components. Same KV scope as definition/import. Rejected when unit data exists.
New admin op wipe_portals — apps + components only. Kinds and unit data survive. No data-empty guard, since portals do not constrain unit data.
TS sub-accessors: subspace.data.wipe(), subspace.definitions.wipe(), subspace.schema.wipe(), subspace.portals.wipe() mirror the four admin ops. Top-level subspaceWipeData / wipeDefinitions / wipeSchema / wipePortals shorthands available on BlitzGraphClient and NamespaceClient.
Four MCP tools: data.wipe, definitions.wipe, schema.wipe, portals.wipe.

Fixes

Full-reset guidance in SCHEMA_ALREADY_EXISTS and SUBSPACE_HAS_DATA error messages now suggests wipe_definitions() instead of wipe_schema(), so portals are not left behind on a full reset (the subsequent additive definition_import() would have failed with portal overlap).

Breaking Changes

Admin op wipe_schema semantics changed. It was a full definitions wipe (kinds + apps + components); it is now kinds-only. Use wipe_definitions (admin op) / subspace.definitions.wipe() (TS) for the previous behavior.
TS SDK wipeSchema semantics changed identically. subspace.schema.wipe(), client.subspaceWipeSchema(), and NamespaceClient.wipeSchema() no longer touch portals. Migrate full-reset call sites to wipeDefinitions() / subspaceWipeDefinitions().
Studio "Wipe Schema" button relabeled to "Wipe Definitions" since the call wipes both branches.

Beta 0.35.0

May 12, 2026

Full-screen Studio, steadier dashboard loading, and larger portal uploads

Studio now opens as a focused full-screen workspace from owner-scoped space URLs, dashboard space lists recover cleanly from rapid navigation and first-login bootstrap races, and portal mutation uploads work past Axum's 2 MiB default up to BlitzStore's configured body limit.

Features

Owner-scoped Studio opens full screen. /u/<owner>/<space>/studio and /o/<owner>/<space>/studio skip the regular webapp chrome and pin the resolved server connection so users land directly in the workspace.
Larger portal mutation uploads. Portal operations that include files or images can now pass the server's configured BlitzStore request limit instead of failing at Axum's 2 MiB default.

Improvements

Lighter MCP tool discovery. Generic unknown response schemas no longer crowd the tool list, while concrete result schemas remain for exports, docs, Studio links, feedback, and portal URLs.
Dashboard spaces load more reliably after cold login and quick remounts. Personal-space bootstrap is coalesced per user, and the React query cache no longer leaves aborted requests stuck in a permanent pending state.
Sign-out clears cached space data before redirect. Switching accounts no longer risks showing stale spaces from the previous identity during client-side navigation.
Open in Studio is placement-aware. The overview action is disabled until the space has a server placement, avoiding a dead-end Studio launch while provisioning is still pending.
Cleaner Studio loading states. Studio connection and workspace loading now use a consistent Blitz loader instead of small text-only spinners.
Cleaner link previews. Shared BlitzGraph landing-page URLs now include an Open Graph image.
Better abuse protection for public entry points. Sign-in, agent device auth, and feedback submission now return bounded rate-limit responses under repeated requests.

Beta 0.34.1

May 12, 2026

Quality-of-life fixes for portals, Studio, and MCP

Catches a common React-hooks mistake in portals at compile time instead of in the browser, accepts more shapes of valid schema and definition input, and tightens a few rough edges in the Tasks API, MCP server, and Studio Pages Builder.

Features

Portal compile catches const [x] = useMutation(ref) / useQuery(ref). The hooks return objects, not tuples, so this used to compile and then crash at runtime with is not iterable. Saving the portal now fails with a clear error pointing at the offending line — including namespace imports and bracket-form calls.

Fixes

/tasks?subspace=<name> accepts the subspace name (was numeric id only — Studio requests were returning 400).
schema_import / portals_import / set_definitions accept the natural map-shape input where the slug lives in the map key (portals.apps.<slug>). Previously these typed setters rejected payloads that the JSON import path accepted.
Studio Pages Builder and portal image CSP allow https://host:443 and other explicit-default-port forms in the external-image allowlist.
MCP server: per-session context cache now has a bounded LRU so long-lived agents no longer leak memory. Structured BlitzGraphError instances are still recognized as such after JS minification, so error codes propagate to clients instead of collapsing to a generic message.

Beta 0.34.0

May 10, 2026

File values, native expressions, and portal hardening

FILE fields are now first-class everywhere — storage, HTTP API, TypeScript SDK, portals, Studio, and MCP. BQL gains typed literals under #…, interval containment and overlap operators, and a checked native fast lane for virtual fields. Portals validate their operation schemas and serve under stricter image CSP, and definition import / export use direct endpoint contracts.

Features

First-class FILE fields. Write files inline with a File / Blob from the browser or with a finalized blob marker; read back a FileValue with filename, mime, size, hash, signed url, and thumbnail_url for images.
Blob upload APIs. New /blob/presign and /blob/finalize endpoints plus SDK helpers blob.uploadFile, blob.uploadFiles, and mutateMultipart. Regular mutate() auto-detects File / Blob values and switches to multipart for you.
React and Studio file UX. @blitzgraph/client-react exports FilePreview, FileDownloadLink, FileUploadInput, and useFileObjectUrl. BlitzSheet can preview, download, replace, and clear FILE cells.
Native BQL expressions. Virtual fields can use { "$expr": { "@text.concat": [...] } } as a checked native fast lane. $js stays available for everything else.
Portal operation contracts. queryOps and mutationOps can declare inputSchema / outputSchema. Generated @app/ops refs carry typed input/output validation and mutation invalidation metadata.
Portal image allowlist. Apps can declare portalSecurity.externalImages.manualOrigins for dynamic hosts; literal TSX image origins and blob storage origins are merged into the served CSP automatically.
MCP file tools. Agents can presign, upload, and finalize blobs through MCP — including a batch blob.uploadMany.
Branch-shaped definitions accessors. New schema_import / portals_import and typed set_schema / set_portals / set_definitions setters in Rust and TS take { kinds } or { apps, components } directly without manual wrapping, and reject cross-branch keys at parse time.

Improvements

Portal pages run under stricter CSP. Framing is denied, component previews only allow the matching Studio origins, and CSP reports are accepted at /csp-report.
BlitzGraph UI polish. Sidebar navigation, version badge, and Studio namespace / subspace selectors received a pass; space URLs are now scoped per owner.

Fixes

Space slugs are per-owner. Two owners can use the same slug; duplicates under the same owner are still rejected.
dev:data:noauth binds to loopback only. No more accidentally exposing an unauthenticated dev server on a LAN address.
Multipart uploads are size-capped before parsing. Portal operations require a declared content-length under the op body cap, and JSON requests cannot spoof multipart files metadata.
FILE download links reject unsafe protocols. Studio previews and downloads sanitize URLs before binding to src / href.

Breaking Changes

Typed literals moved to #… keys. Use { "#datetime": "…" }, { "#decimal": "…" }, { "#intervals": [...] }, etc. The $… prefix is reserved for BQL selectors and operators. Migrate any { "$decimal": "…" } / { "$intervals": [...] } you have.
Interval filters. $covers is gone. Use $contains for point or interval containment, $intersects for overlap.
Subspace option renamed. Query and mutation options use default_subspace instead of subspace. The per-item BQL $subspace and request-envelope subspace are unchanged.
Definition export has no JSON body. POST /definition/export?subspace=main expects an empty request body. Definition import accepts the full definitions document directly.
Definition import only accepts the nested shape { schema: { kinds }, portals: { apps, components } }. For branch-only payloads use the new schema_import / portals_import accessors instead of wrapping by hand.
FILE markers use #file. Multipart placeholders are { "#file": "file_0" }; finalized write markers are sealed { "#file": { …, "capability": "…" } } objects. Old $file / $cap shapes are rejected.
Portal op schemas are strict. inputSchema / outputSchema only accept the supported JSON Schema subset; object inputs must explicitly declare additionalProperties.

Beta 0.33.0

May 9, 2026

Cross-kind numeric conversions

Changing a field's valueType between INTEGER, DECIMAL, FLOAT, and PERCENTAGE now succeeds. The schema commit returns immediately; a background task rewrites stored rows using the field's numericPolicy. CURRENCY is carved out — it needs an FX policy that the runtime does not have yet.

Features

All 12 cross-kind conversions between INTEGER, DECIMAL, FLOAT, and PERCENTAGE are supported. Per-field numericPolicy controls rounding: rejectOnLoss (default), round (banker's), truncate (toward zero), or allowPrecisionLoss. NaN / ±Infinity always reject.
Two new error codes exported from @blitzgraph/client-core: NUMERIC_PRECISION_LOSS (per-row precision drop with { field, from, to, value }) and INVALID_NUMERIC_CONVERSION (unsupported numeric pair).

Improvements

round and allowPrecisionLoss use banker's rounding (2.5 → 2, 3.5 → 4); pick truncate explicitly when toward-zero is required.
rejectOnLoss now catches scale-only precision drops too (DECIMAL(scale=4) → PERCENTAGE(scale=2) with non-zero trailing digits errors instead of silently rounding).
FLOAT → INTEGER rejects out-of-range floats instead of silently saturating to i64::MAX.

Breaking Changes

Numeric valueType changes used to be rejected synchronously with INVALID_TEMPORAL_CONVERSION. They now commit immediately and a background task rewrites the rows; per-row failures surface on the task. UIs that disabled the picker on the old rejection should switch to checking task completion.
Unsupported numeric transitions now emit INVALID_NUMERIC_CONVERSION (was INVALID_TEMPORAL_CONVERSION for everything). Both codes are exported.
numericPolicy is now validated upfront: it is rejected if there is no valueType change, on temporal transitions, or with a typo. Previously these were silently ignored.

Beta 0.32.0

May 8, 2026

HTTP 422 on rejected bodies, batch topo-sort, object-shaped mutation hooks

Rejected bodies now surface at the transport layer (422 instead of 200 with errors[]). definition_mutate batches sort themselves by intra-batch dependencies so you no longer hand-order delete batches. React mutation hooks return objects instead of tuples, so misnamed destructure becomes a type error instead of a runtime undefined.

Features

definition_mutate batches are topo-sorted by intra-batch dependencies. Creates/updates run dependencies-first, deletes run dependents-first, mixed batches do all deletes before all creates. Schema-aware enrichment also pulls in refs the JSON doesn't carry (e.g. a $did-only delete on a linkField now correctly removes it before the roleField it tunnels through). The response array still preserves input position.
canonicalize_path_strict for the authoring boundary — definition_mutate errors loudly on non-canonical paths, while the existing tolerant import path keeps normalizing.

Improvements

TS client handles 422 transparently: the parsed BlitzResponse still comes back. Void-returning paths (deleteDatabase, …) raise BlitzGraphError with errors[] populated.

Breaking Changes

BQL, schema, admin, blob, and task endpoints return 422 Unprocessable Entity when errors[] is non-empty (was 200 OK). Clients using fetch + res.ok or default axios will see the rejection at the transport layer. The body shape is unchanged, so code that already inspected errors[] keeps working.
React mutation hooks (useMutation, useRawMutation, useScopedMutate, usePortalsMutate, useSchemaMutate, …) return { mutate, ...state } instead of [mutate, state]. Migrate via object destructure: const { mutate, isLoading } = useMutation(ref) or rename with const { mutate: createUser } = useMutation(ref). The previous tuple silently bound undefined on misnamed positions — now it's a compile error.

Beta 0.31.4

May 8, 2026

Symmetric relations and self-relation enforcement

symmetric: true and allowSelfRelation: false are now enforced at write time. Symmetric roles collapse A↔B and B↔A into a single edge; the default allowSelfRelation: false rejects a player appearing in multiple roles of the same relation unit.

Features

Symmetric roles reject duplicate reverse-direction edges (SYMMETRIC_RELATION_EXISTS) both for new edges in the same batch and against already-committed relations.
allowSelfRelation: false (the default) rejects the same player appearing in two or more distinct roles of one relation unit (SELF_RELATION_FORBIDDEN). Per-kind scoped, so multi-kind composition stays unaffected. Validation respects child overrides on inherited roles.
Error payloads include kind name, role name, and the offending player ID list — enough to fix the mutation without exposing unrelated units.

Beta 0.30.3

May 8, 2026

Safer destructive actions and clearer credential UX

Subspace cards no longer surface Wipe Data, Wipe Schema, and Delete on hover — they live behind a kebab menu so a stray click can't nuke a subspace. The same menu adds quick-open shortcuts to BlitzSheet and Query Studio (double-clicking a card also opens BlitzSheet). The Access page tightens credential management: rotate and revoke now go through a confirmation dialog with a description that spells out the consequence, the misleading row-level "copy" button (which copied JSON metadata, never the secret) is gone, the Last Used column is hidden until the backend actually populates it, and expiry shows date plus time and switches to "Expired …" once past. The Studio connection modal defaults to https:// when you type a URL without a scheme, and IPv6 loopback (::1, [::1]:3011) is now correctly classified as local.

Improvements

Subspaces panel: destructive actions (Wipe Data, Wipe Schema, Delete) moved into a kebab menu so accidental clicks can no longer trigger them. Same menu adds Open in BlitzSheet and Open in Query Studio; double-click opens BlitzSheet.
Access page: rotate / revoke require a confirmation dialog; expiry shows date + time and switches to "Expired …" once past.
Studio connection modal auto-prefixes https:// for non-loopback URLs (was http://); loopback (localhost, 127.0.0.1, ::1, [::1], *.localhost) keeps http://.

Fixes

Removed the row-level "Copy" button on the Access page — it serialized JSON metadata, never the actual secret. Tokens are hashed at rest, so only the Token Created modal and the rotate banner can return one.
Hid the "Last Used" column until the backend populates lastUsedAt. Token status derives "Expired" client-side; rotate / revoke disable for expired tokens.
normalizeStudioUrl IPv6 parsing fixed: ::1 and [::1]:3011 were classified as remote and silently received https://. Bracketed authority and bare-IPv6 are now handled correctly.

Beta 0.30.2

May 8, 2026

React SDK: stricter, safer types

@blitzgraph/client-react tightens its hook types so misuse fails to compile instead of crashing at runtime, and the cached query data is frozen so accidental in-place mutation is caught immediately.

Breaking Changes

useRawResource.data is now readonly T[], and the response array is frozen. Mutating helpers (push, in-place sort, …) stop type-checking and throw at runtime. Clone with [...result.data] if you need a mutable copy.
useInfiniteQuery(ref, …) requires a ref whose output is { items, nextCursor? }. Refs returning a plain array no longer compile.
useQuery / useRawQuery / useRawDefinitionQuery only accept a <TSelected> type parameter when you also pass a matching select projection. Omit the type argument for the identity case.

Beta 0.30.1

May 7, 2026

Structured envelope errors and better mutation error visibility

Envelope-level rejections now carry structured error codes, every content type ships its own prose docs through the SDK and JSON Schema, and mutation errors no longer disappear silently when batching against maxErrors.

Features

Envelope rejections now carry three structured codes — UNKNOWN_ENVELOPE_KEY, UNKNOWN_MULTIPART_FIELD, INVALID_ENVELOPE — with data: { unknown, allowed } so clients can branch on code instead of parsing prose.
Every content type now ships a docs: { summary, description, related } block. Generated TS, JSON Schema, and the marketing docs glossary all read from the same source.
useRawMutation accepts a mutationOpts field for forwarding execution options to the wire.
Browser-friendly 404 page for unknown portals (JSON clients still receive a JSON body). All portal 404s set Cache-Control: no-store so a stale 404 cannot shadow-ban a freshly created portal.

Improvements

Parse-time mutation validation now surfaces every per-item error in one response, even with failFast: true. Runtime fail-fast still applies to execution errors.
When the error list is truncated by maxErrors, MutateResult.info includes "N additional error(s) elided due to maxErrors" so truncation is no longer silent.
Portal 404 body no longer echoes the requested portal id — removes a trivial enumeration vector.

Beta 0.30.0

May 6, 2026

Numeric types split, typed error codes, and MCP tooling

NUMBER splits into INTEGER, DECIMAL, and FLOAT so indexes, aggregates, and sort orders are exact where it matters and lossy where it has to be. Server error codes are exposed as a typed TypeScript surface so clients can branch on stable strings. The MCP server gains tools for opening Studio, resolving portal URLs, and sending feedback.

Features

NUMBER splits into three explicit value types: INTEGER (exact i64), DECIMAL (arbitrary-precision base-10, max scale 28), and FLOAT (IEEE 754 f64). Pick INTEGER for counts/ids, DECIMAL for money and fractional measurements, FLOAT for ML / scientific values.
DECIMAL fields support optional fixed scale: 0..=28 and round-trip exactly through storage, indexes, aggregates, $js, and computed fields as { "#decimal": "<canonical-string>" }.
BlitzStudio sheet cells get dedicated INTEGER, DECIMAL, and FLOAT editors. The DECIMAL cell is precision-safe (no JS Number round-trip) and respects the field's scale.
Typed error-code surface in @blitzgraph/client-core: SERVER_ERROR_CODES, TRANSPORT_ERROR_CODES, ERROR_CODES, KnownErrorCode, isKnownErrorCode(). Regenerated from the Rust source so clients can branch on stable strings.
New numeric error codes: DECIMAL_SCALE_EXCEEDED, FLOAT_NOT_FINITE, INTEGER_OVERFLOW, DECIMAL_OVERFLOW.
MCP server gains three tools: studio.open (absolute Studio URL for the caller), portals.url (resolve app slug to public portal URL), feedback.send (post agent-authored reports to the control plane). The same feedback flow is also exposed via POST /agents/feedback.
MCP initialize ships an instructions string, per-tool annotations (readOnlyHint, destructiveHint, title), and docs URLs — ready for connector-store submission.
Pages Builder can rename pages and layouts directly from the tree, with path canonicalization and duplicate detection.

Improvements

PERCENTAGE is now backed by DECIMAL (was FLOAT), so percentages round-trip exactly through storage, indexes, and aggregates.
FLOAT is rejected as unique, indexed, idField, or interval-bounds value type at schema import — index keys would not be exact and unique would not survive NaN semantics.
MCP tools/call no longer races into duplicate token rotations on a cold cache: concurrent calls per access token now share one issuance.
Agent feedback writes are rate-limited per (IP, space) (30/hour). REST and MCP paths share one budget.

Fixes

Number JS built-in is no longer blocklisted inside $js bodies (broke expressions like Number(x)).
Switching a field out of CURRENCY no longer leaves stale currency metadata behind.
portals.url only treats HTTP 404 as "portal not found" — transient 5xx and network errors no longer mask a misconfigured portal as missing.

Breaking Changes

valueType: "NUMBER" is no longer accepted. Migrate each field to INTEGER, DECIMAL, or FLOAT. Schema import and definition_mutate reject NUMBER with a migration hint.
Cross-numeric valueType transitions are rejected with UnsupportedTransition in this release. They land properly in 0.33.0.
DECIMAL aggregate results (SUM, AVG, MIN, MAX, MEDIAN) are now canonical decimal strings rather than JSON numbers. Read them via { "#decimal": "..." } or parse the string directly. STDDEV continues to return f64.
$js and computed-field code emitting decimals must use { "#decimal": "<string>" } for DECIMAL fields. Returning a JS number may lose precision and is rejected for non-finite values.
NaN and ±Infinity are rejected at every DECIMAL coercion boundary with FLOAT_NOT_FINITE (previously silently produced corrupted index keys).
Pre-launch policy: existing dev databases were wiped as part of the numeric split. Re-import schemas and data on upgrade.

Beta 0.29.0

May 2, 2026

Native Currency, definition_query projection, and path-keyed portals

CURRENCY becomes a first-class value type with fixed-currency or multi-currency declarations at the schema level. definition_query adopts the BQL projection model with identity-only defaults. Portals replace routeTree with path-keyed layouts and per-page overrides. BQL contracts get tighter: $ids is gone, valueType replaces type, and definition payloads reject unknown keys.

Features

Native CURRENCY value type with fixed (currency: "USD") or multi-currency (currency: "*") declarations. Wire shape: { amount: DecimalString, currency: ISO4217Alpha3 }, validated end-to-end.
Fixed-currency fields DX-expand bare scalar writes and filters (19.99, { "$gt": 100 }) into canonical money objects. Multi-currency fields require the explicit { amount, currency } shape.
BlitzStudio renders CURRENCY values as amount currency, accepts paste coercion ("24500 USD" → canonical object), and exposes a currency picker on field editing.
New endpoint POST /docs/batch and TS helper client.docs.batch(req) for ordered multi-doc lookup with duplicate preservation and result: null for misses.
definition_query supports $as aliases on identity fields and $expand children.
Per-page layoutChainOverride: string[] | null on portal pages with tri-state semantics: absent inherits, [] opts out, [...] is an explicit override.
New TS surface subspace.definitions.{query,mutate}() (raw passthrough, no family validation) for mixed schema+portal batches, backed by matching MCP tools.
New layout.delete mutation in the portals client-ops surface.

Improvements

CURRENCY parse errors pinpoint the exact failure (bad ISO code, missing keys, lossy JSON float, malformed decimal) instead of a generic type mismatch.
BQL comparison operators on CURRENCY use schema-aware coercion and exact decimal comparison within the same currency.
Aborted batch mutations return commit-truthful responses: phantom IDs from never-persisted units are stripped, surviving IDs are rewritten to their public idField value.
Portal page and layout paths are canonicalized on bulk import (collapsing repeated slashes, stripping trailing slashes), and duplicate canonical paths fail with an explicit error.
Batch errors include per-item context: batch item [N]: ….
React SDK cache invalidation now correctly handles $id in scalar, array, and $in shapes, and invalidates on unlink (was missed).

Fixes

Failed batch creates no longer leak phantom $id values when errorMode: "collect" is in effect (including nested inline creates).
Failed batches under returnMode: "normalized" no longer synthesize fake $op commit operations for items that never committed.
Transient updated / created / deleted flags are stripped only at the top level — user-defined fields by those names are preserved.
Switching a field away from CURRENCY clears stale currency metadata so export / import round-trips do not fail later.

Breaking Changes

$ids is removed end-to-end. Use $id: [a, b] (sugar) or $id: { "$in": [...] } (canonical). Bulk-delete responses also use $id instead of $ids.
Data fields must use valueType instead of type, and kinds must use dataFields (object) instead of fields (array). No alias, no shim.
Definition payloads reject unknown keys (additionalProperties: false everywhere).
Root update mutations require an explicit selector ($id, $iid, $kinds, $filter, $search, or $var). Tunnel and arc-scoped update no longer accept $setKinds (set kinds at the root level only).
definition_query defaults to identity-only payloads. Omitting $fields returns only $type, $did, and the type-specific identity (slug / name / path). Heavy fields like tsxSource, clientJs, and compile artifacts require $fields: "*" or explicit projection.
$expand is only valid inside $fields and is restricted per definition type: app → pages / layouts / $history, page → layouts / $history, layout / component → $history only. Unsupported $expand options now error instead of being silently ignored.
definition_query $filter accepts equality and $in only (not the full BQL DSL); filtering on pages or layouts requires a map shape or null.
CURRENCY fields must declare currency (ISO 4217 alpha-3 or "*"). Multi-currency fields reject bare scalar writes and filter probes with CURRENCY_AMBIGUOUS; fixed-currency rejects mismatched currency with CURRENCY_MISMATCH. Cross-currency comparisons on multi-currency fields currently match nothing silently; convert to a canonical currency via a computed field for now.
Portals: routeTree is removed; DefinitionApp.layouts is keyed by path, not by name. Rename layout keys from labels ("root", "dashboard") to paths ("/", "/dashboard"). Layout chains are derived from page-path ancestors.
@blitzgraph/client-core renames OperatorDoc / OperatorDocSchema to DocOperator / DocOperatorSchema and removes the route-tree types (DefinitionRouteNode, DefinitionRouteGroup, DefinitionRoutePage).

Beta 0.28.0

April 27, 2026

Temporal types, stricter BQL, and schema integrity

Native DATE, DATETIME, TIME, and interval values land across the runtime, Studio, and client helpers. BQL validates malformed queries and mutations at the boundary instead of executing partially, and schema mutations refuse to leave dangling linkFields or role references behind.

Features

Native DATE (YYYY-MM-DD), DATETIME (YYYY-MM-DDTHH:MM:SS.SSSZ), and TIME (HH:MM:SS.SSS) value types with canonical wire formats.
Native interval values via { "#intervals": [...] }; queried with $contains (point or set containment) and $intersects (set overlap).
@blitzgraph/client-core exports temporal helpers (formatDate, formatDateTime, formatTime, isCanonical*, wrapTemporalCast).
Mutation roots and arc operations support multi-target selectors and narrowing with $id.$in, $iid, $iid.$in, $filter, $search, $kinds, $sort, $limit, and $offset.
Responses include a detailed meta.timings breakdown; @blitzgraph/client-core exposes getResponseClientTimings() for client-side response + JSON parse timing, and Studio shows the breakdown.
@blitzgraph/client-react/raw entrypoint with isolated cache keys for raw definition hooks, accepting BqlBatchQuery / BqlBatchMutation.
Background TaskManager gains a real three-phase IndexRebuild handler; schema type-change dispatch (FTS reindex + field conversion) is wired end-to-end.

Improvements

BQL query preparation is unified before execution, so root keys, selectors, filters, $fields, nested $expand, $expandArc, $groupBy, $sort, and $score are checked consistently.
Definition import / mutate validates linkField ownership against role playedBy (including inherited kinds) and rejects invalid target / targetRoles.
Role renames propagate to dependent link.plays and tunnel targetRoles. Role deletes, playedBy narrowing, and kind deletes are blocked when they would leave dangling links.
Schema mutation rejects unsupported value_type transitions at commit time instead of corrupting stored values.
update_kind_in with parent: null now actually clears the parent (was a silent no-op).
Auth/context HTTP failures return canonical errors: [{ code, message }] responses; MCP tool failures preserve structured error identity in structuredContent.error.
Bearer auth strictly accepts only bzt_* and bzi_* token prefixes.
BlitzGraph Studio renders and validates DATE, DATETIME, and TIME as distinct types; control / auth timestamp fields use DATETIME.

Fixes

Nested $fields, $expand, and $expandArc projections are recursively validated against the resolved target kinds.
Definition exports emit wildcard role playedBy as ["*"] instead of an empty array.
Role rename keeps local linkFields on descendant kinds intact instead of overwriting them.
Scoped arc mutations targeted by $id resolve through the engine, so custom-idField lookups work inside parent-scoped contexts.
BQL topo sort skips line / block comments and regex literals when walking arrow bodies, so JS defaults containing these tokens no longer corrupt dependency analysis.
Portal asset bodies scrub raw engine internals outside dev mode.

Breaking Changes

DATE no longer accepts timestamp strings. Use DATETIME for instants.
Interval values must use { "#intervals": [...] }; replace $includes / $overlaps filters with $contains / $intersects.
The untagged { "min": n, "max": n } cardinality shortcut is removed — use "MANY" (with optional min / max siblings) or { "MANY": { "min": n, "max": n } }.
BQL validation is stricter: malformed $and / $or / $not, unknown $... filter operators, unknown multi-kind fields, scalar $expand, and ambiguous JSON-vs-arc paths now fail instead of being silently ignored.
$meta is no longer accepted as a root query key — use it only inside $fields.
Query-backed mutation selectors ($filter, $search) resolve against the mutation-start snapshot. To target units created earlier in the same batch, capture them with $var.
Upsert requires exactly one scalar identity selector ($id, $iid, or $filter); $id.$in, $iid.$in, $sort, $limit, and $offset are rejected.
Schema mutation is stricter: creating a role without playedBy errors, invalid linkField owners error, inherited role / link clones cannot be edited through descendants, role deletes are rejected while dependent linkFields exist.
@blitzgraph/client-react split into a root surface (typed safe operations) and a /raw surface (raw definition / resource hooks). useResource is renamed to useRawResource and moved to /raw.
@blitzgraph/client-core renamed the public auth surface to token. The previous auth* exports were removed.
KindDef is no longer exported from generated/schema; source kind definitions from the dedicated defs entry point.
Portals: layouts use name as the authoritative key (no more path); pages and layouts must be sent as a map, not an array. The dead segment, isGroup, hasLayout, and synthetic /_layout/{index} slots are removed.

Beta 0.26.0

April 18, 2026

Agent tooling, safe operations, and a full storage reset

AI coding agents talk to BlitzGraph over MCP, client packages move to @blitzgraph/, contract-backed docs are served at /docs/, the web app moves to typed safe operations with a unified cache, HTTP auth unifies on Authorization: Bearer, and the storage layout is reset to widen subspaces to 65,535 per namespace.

Features

Google OAuth sign-in alongside GitHub and magic link.
Public MCP server at /mcp. Claude Code and Codex connect as remote MCP hosts with device-flow OAuth.
Typed MCP tool surface: schema and portal export/import/query/mutate, BQL data query/mutate, and docs.* (overview/concept/operator/example/list/search).
Dynamic MCP resources: blitzgraph://schema/current, blitzgraph://docs/overview, and one per concept, enumerated live from the contract at resources/list time (no codegen drift).
/docs/* HTTP surface (overview, concept, operator, example, list, search) served from the Rust contract as the single source of truth.
Safe operations layer: typed client-ops refs, same-origin CSRF check, streamed body size limit, RFC 7239 Forwarded parsing, per-user sliding-window rate limit, and default-deny authorization per ref.
Unified operation cache with normalized units, descriptor-based family invalidation, optimistic updates, prefetch for RSC, Suspense-first queries, and infinite-query support.
Subspace capacity widened to 65,535 per namespace (up from 255).
Task routing is now target-aware with stable ID-based targets for database, namespace, subspace, kind, and field work.
Namespace-scoped principals can now list and operate on tasks within their own namespace.

Improvements

Definitions reshape: on the wire every bundle is { $bzv, schema, portals }. The TS client exposes client.schema, client.portals, and client.definitions accessors over the same HTTP endpoints.
definition_import is strictly additive (rejects overlapping kinds, apps, or components). Mixed nested + flat DX payloads are hoisted into the canonical nested shape before the overlap check, so no branch can slip past.
Admin namespace and subspace responses expose stable numeric $rid values (ns:1, ss:2) that survive renames.
Blob cleanup, usage metering, and task routing all handle subspace IDs above 255 correctly.
Storage internals now use explicit system namespace and system subspace planes instead of overloaded auth-style metadata slots.
Agent device verification page redesigned with branded UI.
Billing upgrade flow simplified to a "book a call" modal.
Space overview replaces connection bundle reveal with retry provisioning.
Marketing hero and background paint is smoother under animation thanks to explicit stacking-context isolation and will-change transform hints.
Feedback widget loads its Slack thread only after the launcher is opened, so marketing pages start with one less network round-trip.

Fixes

Namespace-scoped task APIs no longer leak foreign-namespace tasks or database-level tasks.
FTS reindex tasks now trigger correctly for field-level schema mutations.
Blob orphan cleanup now scans all known subspaces before deleting objects, including high-numbered ones.
Subspace and namespace drop paths clean up routed task state more safely; drop(unknown_namespace) returns UnknownNamespace instead of panicking.
CSRF: honor the rightmost element of the RFC 7239 Forwarded header (appended by the proxy closest to us). A forged leftmost value can no longer forge same-origin.
Rate limit IP derivation no longer trusts X-Forwarded-For or X-Real-IP. A value is only used when TRUST_PROXY_HEADERS=true and parsed from the rightmost for= entry. Otherwise rate limiting falls back to the userId (or a shared anonymous bucket).
Body-size cap on /api/ops/* is enforced while streaming chunks; oversized payloads no longer allocate before rejection.
Handler errors on /api/ops/* log full server-side and surface an opaque fallback to the client, so driver messages can't leak.
useQuery cleanup only aborts the in-flight fetch when the LAST observer for that key unmounts. Sibling components sharing a deduped request no longer get stuck on pending.
Operation descriptor context tracks the effective scope from input (caller overrides provider), so family invalidation tags records under the namespace they actually queried.
Social sign-in buttons stay disabled during OAuth redirect to prevent double-click.
MCP OAuth metadata consistently includes the mcp scope across all discovery endpoints.
transport.parseError guards the JSON body parse, so malformed 5xx bodies surface with the HTTP status instead of a SyntaxError.
BlitzStudio schema view keeps the last good schema on a refresh failure instead of wiping the cache to { kinds: {} }.
controlSpaces{Create,Update}Ref reject whitespace-only names at the schema boundary.
Marketing background noise layer is correctly scoped via isolation: isolate so mix-blend-overlay no longer flickers or bleeds into page chrome.
Marketing header anchors (#playground, #features, #compare) use absolute paths so they work from /docs and other non-home pages.
Feedback widget only surfaces an error after two consecutive poll failures and polls less aggressively, so transient outages no longer show a red flash.

Breaking Changes

Persisted storage from before this release is not compatible with the new key layout (5-byte header, u16 subspace). Reset or reimport existing data.
Public client packages renamed: @blitzstore/client-core → @blitzgraph/client-core, @blitzstore/client-react → @blitzgraph/client-react. Update your imports; the API surface is unchanged.
definition_import / definition_export now speak the nested { schema, portals } shape on the wire. The flat { kinds, apps, components } root is still accepted as DX input but is hoisted before processing. Custom consumers of the raw definitionExport payload must read from .schema.kinds and .portals.{apps,components}.
Removed the TS mirror consts CONCEPTS_MANIFEST and OPERATOR_DOCS from @blitzgraph/client-core. Call client.docs.list("concept"), client.docs.list("operator"), or the dedicated per-name endpoints instead. The contract is the only registry.
HTTP BQL routes now require the request envelope shape with body instead of accepting direct top-level BQL payloads.
Task payloads now return target instead of namespace, subspace_id, and scope; published TaskScope schemas and SDK exports were replaced by TaskTarget.
GET /tasks?namespace=... now returns 400 Bad Request when the namespace cannot be resolved instead of an empty success response.
Namespace admin updates now expect defaultSubspace as a subspace RID like ss:2, not a raw name or bare numeric value.
Public namespace and subspace resolution rejects the reserved system ID 0 instead of treating it like a normal selector.
HTTP auth is now Authorization: Bearer <token> for both scoped grant tokens (bzt_*) and internal keys (bzi_*). The blitz-internal-key header and its rate-limit bypass were removed.

Beta 0.25.1

April 16, 2026

Google sign-in, MCP transport, and agent tooling (rolled into 0.26.0)

Early cut of Google OAuth and the MCP transport that shipped on main while the @blitzgraph rename and safe-ops work were stabilizing in parallel. Consolidated into 0.26.0; this entry is kept for historical reference.

Features

Google OAuth sign-in alongside GitHub and magic link.
Public MCP server at /mcp. Claude Code and Codex can connect as remote MCP hosts.
10 MCP tools: schema and portal export/import/query/mutate, plus BQL data query and mutate.
Live schema resource (blitzgraph://schema/current) for agent context.
Standard OAuth discovery metadata at /.well-known/oauth-authorization-server and /.well-known/oauth-protected-resource.

Improvements

Agent device verification page redesigned with branded UI.
Billing upgrade flow simplified to a "book a call" modal.
Space overview replaces connection bundle reveal with retry provisioning.

Fixes

Social sign-in buttons stay disabled during OAuth redirect to prevent double-click.
MCP OAuth metadata now consistently includes the mcp scope across all discovery endpoints.

Beta 0.25.0

April 11, 2026

Tunnel mutations, root aggregates, and stricter API contracts

New graph write capabilities, root-level aggregate queries, and clearer transport rules across admin and import APIs.

Features

Root aggregate BQL queries no longer require $groupBy for a single summary row.
Tunnel query and projected update support for linkField target:"role".
Relation-tree create support for tunnel writes through role-target links.

Improvements

Blob upload contracts are now typed around presign and finalize flows.
Blob finalization is stricter about subspace, principal, and finalize race handling.

Fixes

Target-scope validation fails more safely on tampered or invalid access payloads.
JS HTTP redirect handling is stricter against unsafe redirect chains.
Tunnel selector narrowing is more robust for $id filtering and deduplicated endpoint frontiers.

Breaking Changes

POST /admin expects the raw admin payload directly, not a { body, opts } envelope.
POST /data/import supports SSE progress with Accept: text/event-stream and one-shot JSON otherwise.
Endpoint-shaped tunnel writes on linkField target:"role" now reject; use projected updates or explicit relation-tree create.

Beta 0.24.0

April 9, 2026

Magic link sign-in, UI polish, and feedback fixes

Email sign-in, cleaner product chrome, and a more stable feedback flow.

Features

Email magic-link sign-in.

Improvements

Updated navbar and feedback widget styling.

Fixes

Feedback conversations behave more reliably during longer sessions.
Magic-link sign-in states and messages are less error-prone.

Beta 0.23.0

April 7, 2026

Docs, legal pages, and cleaner control-backed flows

Public docs, legal pages, and cleaner product flows across the marketing site and app.

Features

Full public docs page.
Terms, Privacy, Acceptable Use, and Report Abuse pages.

Improvements

Landing page refresh with updated branding, header, and comparisons.
Dashboard, spaces, and settings moved onto cleaner control-backed flows.

Fixes

Custom-ID and not-found errors fail more clearly across the app and client flows.

Beta 0.22.0

April 5, 2026

Storage reset and stricter server URL config

This release was mainly about a storage reset and stricter runtime config validation.

Breaking Changes

Storage revisions were reset, so existing stored data needed a reset or reimport.
Server URL config became stricter around valid baseUrl and publicUrl values.

Beta 0.21.2

April 4, 2026

More automatic Studio and Playground connections

Studio and Playground became easier to connect to and more reliable in scoped setups.

Improvements

Studio and Playground connection flow became more automatic and scope-aware.

Fixes

Studio reconnect flow was cleaned up.
Ambiguous space resolution in Studio bootstrap was fixed.
Playground autoconnect became more reliable.

Beta 0.21.0

April 1, 2026

Same-origin Studio bootstrap and better navigation

Studio setup got simpler, the landing gained a new background, and several navigation issues were fixed.

Features

Same-origin Studio session bootstrap from a Space.
New constellation landing background.

Improvements

Studio can resolve connections from scope with less manual setup.

Fixes

Space to Studio navigation now lands on the correct server.
Docs and changelog footer links now point to the correct localized or external destinations.

Beta 0.20.0

March 31, 2026

Real control-plane flows and managed space provisioning

The app moved from placeholders to real provisioning, real tokens, and real billing reads.

Features

Real control-plane integration in the web app.
Real space tokens and billing reads.
End-to-end space provisioning with a one-time builder token reveal after creation.

Improvements

Space creation now returns a real connection bundle instead of mock placeholders.

Fixes

Unauthenticated users are redirected home instead of hitting a dead end.
Space creation and post-create redirect flow were made more reliable.

Beta 0.19.0

March 24, 2026

GitHub sign-in, onboarding, and custom public IDs

This release added the first full auth and onboarding flows plus better support for custom public IDs.

Features

GitHub OAuth sign-in and protected routes.
Sign-in onboarding modal flow.
Webapp onboarding routes.
URL value type support.
Arc responses and link operations can use custom public IDs.

Improvements

Studio and onboarding flows were cleaned up.

Fixes

Custom ID resolution works more reliably across linked records and batch writes.

Changelog

Recent product updates and release notes.

Beta 0.40.0

Current

Released

May 18, 2026

Beta 0.40.0

May 18, 2026Current beta

Schema-level hooks

Features

definition_mutate knows about hooks. Create / update / delete / query via { "$type": "hook", "name": "..." }. Schema events emit $sid (hook name) for hook ops and $did for kinds/fields, so audit subscribers can distinguish the two without parsing the type.
Per-unit hook gating. The validate / transform / effect gates short-circuit at the unit level — a batch that mixes a hooked kind (e.g. Post) with an unhooked kind (e.g. User) only runs hooks against Post. Multi-subspace batches stay correct because the gate inspects each unit's subspace.
Hook dependency validation on schema deletes. Deleting a kind or field that a hook still targets fails with a clear error before any prefix is written. Renaming a field that a hook filter references in the same batch is allowed if the hook update lands first; otherwise the batch is rejected as dangling.
Transform conflict detection across hooks. When two top-level transform hooks write the same leaf path on the same unit during one pass, the batch errors out instead of silently picking the last writer.
Studio Hooks sidebar. Schema sidebar shows a Hooks section with a Zap icon, hook name, and type chip (unit.validate / unit.transform / unit.effect). Renders even when there are no kinds yet, so freshly-imported hook-only schemas are visible.

Improvements

Commit-event diff is precise for hook updates. Only the keys that actually changed appear in changed / details. Optional fields removed by the update (e.g. dropping when or timeoutMs) are recorded with a null sentinel so audit subscribers can tell "removed" apart from "unchanged".
Schema version stays consistent on dep-check rollback. Hook CRUD no longer inline-persists the schema version — the outer dispatcher does it after validate_hook_dependencies clears, so a rejected batch leaves the on-disk version exactly where it was.
Bulk hook load on schema open. set_hooks_bulk indexes the entire hook set once instead of rebuilding the index on every insert.
Duplicate-kind entries in $kinds.$any collapse to one index slot, so ["Post", "Post"] no longer fires the hook twice.

Fixes

Top-level effect snapshot path matches per-unit gating. A batch touching only unhooked kinds no longer pays the snapshot cost when the schema declares effect hooks elsewhere.
definition_import rejects the legacy per-kind hooks block with an explicit error instead of silently dropping it.

Breaking Changes

Hooks move to schema.hooks. The per-kind hooks block on KindDef is removed. Hooks now live in a top-level map keyed by hook name (schema.hooks["Post.audit"] = { type, target: { ops, $kinds, $filter }, $js }). Existing definitions must be rewritten — there is no transparent migration.
schema.hooks targets are BQL-shaped. A hook declares its target with { ops, $kinds, $filter }. ops accepts create | update | delete | query; link and unlink are rejected at parse time (use update on the role/link field for those). $filter rejects arc-field paths.
Hook arity per name is 1. Each hook is identified by name and replaces in place — update is full-replace semantics. Use distinct names to attach multiple hooks to the same kind.

Beta 0.39.0

May 17, 2026

Safer portals, smarter Studio, and ergonomic SDK

Features

Portal hooks validated at save time. Unknown hooks, definition-domain hooks (schema/portals API), and cross-source hook usage are rejected when saving a page or component — with a did-you-mean suggestion — instead of failing silently at browser runtime.
Portal undefined variables caught at save time. Typos in variable names (e.g. useMutationn) are now detected by semantic analysis and rejected with the offending line number and a spelling suggestion.
Component rename rewrites all imports. Renaming a component in Pages Builder cascades @components/OldName → @components/NewName across every page, layout, and component that references it.
useQuery(ref) no longer requires {} for operations with no input fields. Pass the ref alone when the input schema is empty; ops with required fields still type-check as before.
$search gains $mode: "all" to run all search strategies simultaneously, returning the broadest match set.

Improvements

Studio: double-click a kind or field row to edit it directly. The kind edit modal opens on the matching tab with that field pre-selected.
BQL completions are mode-aware. $code and $js no longer appear at the query/mutation root (they are only valid inside field-value objects).
additionalProperties strict-mode errors include the reason. Validation rejections now say which field triggered the extra-property check.
Doc search finds concepts faster. Frontmatter aliases and stemmed boosting surface the right page with partial or alternate terms.

Fixes

Namespace-imported hooks (import { useQuery } from "@blitzgraph/client-react") are now validated the same as default imports — the bypass is closed.
Saving an app no longer silently drops pages or layouts included in the update payload; they are rejected explicitly.
FTS segment flush is now High priority so index updates are not starved by lower-priority background tasks.

Beta 0.38.0

May 14, 2026

Roundtrip-safe data import and export

BlitzGraph data exports now produce query-shaped units that can be imported with minimal drift, including cross-subspace references and stable arc wiring.

Improvements

Imports support multiple subspaces in one payload. Root and nested create items can carry $subspace, matching normal mutation defaults while keeping $id references scoped correctly.
Export output mirrors query output more closely. Link fields and role fields can both appear in exported units so the data shape stays familiar to query consumers.
Import errors are more precise. Duplicate $id, non-create $op, id conflicts, and missing kind context now return structured error codes for SDK and MCP callers.

Fixes

Roundtrip imports preserve exported relationships without requiring callers to hand-author $var aliases.
Import ignores exported $iid values instead of trying to preserve internal ULIDs.

Breaking Changes

Data import is create-only. /data/import accepts missing $op or $op: "create" and rejects update-style import items.
Export no longer emits mutation-only fields. Exported units omit $op, $var, and $iid; import treats $id as the roundtrip reference key for rebuilding arcs inside the imported payload.

Beta 0.37.1

May 14, 2026

Scan-aware FILE uploads

BlitzGraph FILE uploads now share stricter validation across Studio and portals, expose scan-aware readiness, and refresh expiring file links from the client.

Improvements

FILE uploads are harder to spoof. Browser uploads now share filename, MIME allowlist, magic-byte, size, and finalize checks across presign, inline mutation, and portal flows.
File links are scan-aware. Processing or blocked files no longer expose signed URLs, while ready files include URL expiry metadata so clients can refresh before links expire.
React FILE previews handle security states. Processing and blocked attachments render explicit states, while expiring signed links refresh before they become dead download links.

Fixes

Inline portal uploads now use the same FILE validation path as staged uploads, closing bypasses around declared MIME types and executable payloads.
Malicious attachment filenames render as plain text in React previews.

Beta 0.37.0

May 14, 2026

Canonical imports, safer portals, and hosted hardening

Features

Schema and portals can be imported/exported independently. Use /schema/import|export for kinds only, /portals/import|export for apps/components only, and /definitions/import|export for the full bundle.
Subspace opts accept names or numeric IDs. HTTP, SDK, and generated types now share the same opts.subspace shape as per-item $subspace.
Public Bugs / feedback dialog. The marketing header can now send bug reports, feature requests, friction notes, or other feedback through a rate-limited marketing.feedback.send op.

Improvements

MCP import tools match the HTTP/SDK contracts. data.import now uses { units, opts }, preserves optional opts, and rejects unknown wrapper keys before execution.
Portal ops fail earlier and clearer. queryOps / mutationOps BQL, $input markers, declared inputSchema, and mutation invalidation targets are validated before an app is saved.
Hosted security is stricter. BlitzGraph now sends centralized CSP/security headers, hides the Next.js version header, and keeps required presigned S3 upload origins allowed for FILE uploads.
Hosted data protection is explicit. Server data lives on dedicated /data volumes with daily snapshots and environment-specific retention.

Fixes

Scoped imports now keep their opts.subspace target through SDK, MCP, seed, and HTTP paths, preventing schema/data imports from landing in the wrong subspace.
FILE uploads from Studio and portals are no longer blocked by the app CSP when using presigned S3 upload URLs.
Server-side PostHog exception reporting flushes in the background, so telemetry does not block user responses.

Breaking Changes

Definition endpoints are pluralized. Use /definitions/query, /definitions/mutate, /definitions/import, and /definitions/export. The old /definition/* paths are gone.
Import/export bodies use canonical envelopes. /data/import takes { units, opts? }; /data/export takes { selector?, opts? }; definition/schema/portal imports carry opts in the JSON body. Subspace defaults now live at opts.subspace.
Options are camelCase only. Use timeoutMs, failFast, returnMode, defaultMeta, maxErrors, onExprError, etc. Snake_case option keys and root-level request subspace fields are rejected.
Data import/export response keys are camelCase. Import progress/results expose inputItems, unitsCreated, and byKind; export chunks/results expose units instead of items.
Portal TSX must use generated refs from @app/ops. String op names, inline/local refs, tuple-destructured hooks, and broken TSX/server modules now reject at save time.

Beta 0.36.0

May 13, 2026

Granular subspace wipes: schema-only and portals-only

Features

New admin op wipe_definitions — kinds + schema events + apps + components. Same KV scope as definition/import. Rejected when unit data exists.
New admin op wipe_portals — apps + components only. Kinds and unit data survive. No data-empty guard, since portals do not constrain unit data.
TS sub-accessors: subspace.data.wipe(), subspace.definitions.wipe(), subspace.schema.wipe(), subspace.portals.wipe() mirror the four admin ops. Top-level subspaceWipeData / wipeDefinitions / wipeSchema / wipePortals shorthands available on BlitzGraphClient and NamespaceClient.
Four MCP tools: data.wipe, definitions.wipe, schema.wipe, portals.wipe.

Fixes

Full-reset guidance in SCHEMA_ALREADY_EXISTS and SUBSPACE_HAS_DATA error messages now suggests wipe_definitions() instead of wipe_schema(), so portals are not left behind on a full reset (the subsequent additive definition_import() would have failed with portal overlap).

Breaking Changes

Admin op wipe_schema semantics changed. It was a full definitions wipe (kinds + apps + components); it is now kinds-only. Use wipe_definitions (admin op) / subspace.definitions.wipe() (TS) for the previous behavior.
TS SDK wipeSchema semantics changed identically. subspace.schema.wipe(), client.subspaceWipeSchema(), and NamespaceClient.wipeSchema() no longer touch portals. Migrate full-reset call sites to wipeDefinitions() / subspaceWipeDefinitions().
Studio "Wipe Schema" button relabeled to "Wipe Definitions" since the call wipes both branches.

Beta 0.35.0

May 12, 2026

Full-screen Studio, steadier dashboard loading, and larger portal uploads

Features

Owner-scoped Studio opens full screen. /u/<owner>/<space>/studio and /o/<owner>/<space>/studio skip the regular webapp chrome and pin the resolved server connection so users land directly in the workspace.
Larger portal mutation uploads. Portal operations that include files or images can now pass the server's configured BlitzStore request limit instead of failing at Axum's 2 MiB default.

Improvements

Lighter MCP tool discovery. Generic unknown response schemas no longer crowd the tool list, while concrete result schemas remain for exports, docs, Studio links, feedback, and portal URLs.
Dashboard spaces load more reliably after cold login and quick remounts. Personal-space bootstrap is coalesced per user, and the React query cache no longer leaves aborted requests stuck in a permanent pending state.
Sign-out clears cached space data before redirect. Switching accounts no longer risks showing stale spaces from the previous identity during client-side navigation.
Open in Studio is placement-aware. The overview action is disabled until the space has a server placement, avoiding a dead-end Studio launch while provisioning is still pending.
Cleaner Studio loading states. Studio connection and workspace loading now use a consistent Blitz loader instead of small text-only spinners.
Cleaner link previews. Shared BlitzGraph landing-page URLs now include an Open Graph image.
Better abuse protection for public entry points. Sign-in, agent device auth, and feedback submission now return bounded rate-limit responses under repeated requests.

Beta 0.34.1

May 12, 2026

Quality-of-life fixes for portals, Studio, and MCP

Features

Portal compile catches const [x] = useMutation(ref) / useQuery(ref). The hooks return objects, not tuples, so this used to compile and then crash at runtime with is not iterable. Saving the portal now fails with a clear error pointing at the offending line — including namespace imports and bracket-form calls.

Fixes

/tasks?subspace=<name> accepts the subspace name (was numeric id only — Studio requests were returning 400).
schema_import / portals_import / set_definitions accept the natural map-shape input where the slug lives in the map key (portals.apps.<slug>). Previously these typed setters rejected payloads that the JSON import path accepted.
Studio Pages Builder and portal image CSP allow https://host:443 and other explicit-default-port forms in the external-image allowlist.
MCP server: per-session context cache now has a bounded LRU so long-lived agents no longer leak memory. Structured BlitzGraphError instances are still recognized as such after JS minification, so error codes propagate to clients instead of collapsing to a generic message.

Beta 0.34.0

May 10, 2026

File values, native expressions, and portal hardening

Features

First-class FILE fields. Write files inline with a File / Blob from the browser or with a finalized blob marker; read back a FileValue with filename, mime, size, hash, signed url, and thumbnail_url for images.
Blob upload APIs. New /blob/presign and /blob/finalize endpoints plus SDK helpers blob.uploadFile, blob.uploadFiles, and mutateMultipart. Regular mutate() auto-detects File / Blob values and switches to multipart for you.
React and Studio file UX. @blitzgraph/client-react exports FilePreview, FileDownloadLink, FileUploadInput, and useFileObjectUrl. BlitzSheet can preview, download, replace, and clear FILE cells.
Native BQL expressions. Virtual fields can use { "$expr": { "@text.concat": [...] } } as a checked native fast lane. $js stays available for everything else.
Portal operation contracts. queryOps and mutationOps can declare inputSchema / outputSchema. Generated @app/ops refs carry typed input/output validation and mutation invalidation metadata.
Portal image allowlist. Apps can declare portalSecurity.externalImages.manualOrigins for dynamic hosts; literal TSX image origins and blob storage origins are merged into the served CSP automatically.
MCP file tools. Agents can presign, upload, and finalize blobs through MCP — including a batch blob.uploadMany.
Branch-shaped definitions accessors. New schema_import / portals_import and typed set_schema / set_portals / set_definitions setters in Rust and TS take { kinds } or { apps, components } directly without manual wrapping, and reject cross-branch keys at parse time.

Improvements

Portal pages run under stricter CSP. Framing is denied, component previews only allow the matching Studio origins, and CSP reports are accepted at /csp-report.
BlitzGraph UI polish. Sidebar navigation, version badge, and Studio namespace / subspace selectors received a pass; space URLs are now scoped per owner.

Fixes

Space slugs are per-owner. Two owners can use the same slug; duplicates under the same owner are still rejected.
dev:data:noauth binds to loopback only. No more accidentally exposing an unauthenticated dev server on a LAN address.
Multipart uploads are size-capped before parsing. Portal operations require a declared content-length under the op body cap, and JSON requests cannot spoof multipart files metadata.
FILE download links reject unsafe protocols. Studio previews and downloads sanitize URLs before binding to src / href.

Breaking Changes

Typed literals moved to #… keys. Use { "#datetime": "…" }, { "#decimal": "…" }, { "#intervals": [...] }, etc. The $… prefix is reserved for BQL selectors and operators. Migrate any { "$decimal": "…" } / { "$intervals": [...] } you have.
Interval filters. $covers is gone. Use $contains for point or interval containment, $intersects for overlap.
Subspace option renamed. Query and mutation options use default_subspace instead of subspace. The per-item BQL $subspace and request-envelope subspace are unchanged.
Definition export has no JSON body. POST /definition/export?subspace=main expects an empty request body. Definition import accepts the full definitions document directly.
Definition import only accepts the nested shape { schema: { kinds }, portals: { apps, components } }. For branch-only payloads use the new schema_import / portals_import accessors instead of wrapping by hand.
FILE markers use #file. Multipart placeholders are { "#file": "file_0" }; finalized write markers are sealed { "#file": { …, "capability": "…" } } objects. Old $file / $cap shapes are rejected.
Portal op schemas are strict. inputSchema / outputSchema only accept the supported JSON Schema subset; object inputs must explicitly declare additionalProperties.

Beta 0.33.0

May 9, 2026

Cross-kind numeric conversions

Features

All 12 cross-kind conversions between INTEGER, DECIMAL, FLOAT, and PERCENTAGE are supported. Per-field numericPolicy controls rounding: rejectOnLoss (default), round (banker's), truncate (toward zero), or allowPrecisionLoss. NaN / ±Infinity always reject.
Two new error codes exported from @blitzgraph/client-core: NUMERIC_PRECISION_LOSS (per-row precision drop with { field, from, to, value }) and INVALID_NUMERIC_CONVERSION (unsupported numeric pair).

Improvements

round and allowPrecisionLoss use banker's rounding (2.5 → 2, 3.5 → 4); pick truncate explicitly when toward-zero is required.
rejectOnLoss now catches scale-only precision drops too (DECIMAL(scale=4) → PERCENTAGE(scale=2) with non-zero trailing digits errors instead of silently rounding).
FLOAT → INTEGER rejects out-of-range floats instead of silently saturating to i64::MAX.

Breaking Changes

Numeric valueType changes used to be rejected synchronously with INVALID_TEMPORAL_CONVERSION. They now commit immediately and a background task rewrites the rows; per-row failures surface on the task. UIs that disabled the picker on the old rejection should switch to checking task completion.
Unsupported numeric transitions now emit INVALID_NUMERIC_CONVERSION (was INVALID_TEMPORAL_CONVERSION for everything). Both codes are exported.
numericPolicy is now validated upfront: it is rejected if there is no valueType change, on temporal transitions, or with a typo. Previously these were silently ignored.

Beta 0.32.0

May 8, 2026

HTTP 422 on rejected bodies, batch topo-sort, object-shaped mutation hooks

Features

definition_mutate batches are topo-sorted by intra-batch dependencies. Creates/updates run dependencies-first, deletes run dependents-first, mixed batches do all deletes before all creates. Schema-aware enrichment also pulls in refs the JSON doesn't carry (e.g. a $did-only delete on a linkField now correctly removes it before the roleField it tunnels through). The response array still preserves input position.
canonicalize_path_strict for the authoring boundary — definition_mutate errors loudly on non-canonical paths, while the existing tolerant import path keeps normalizing.

Improvements

TS client handles 422 transparently: the parsed BlitzResponse still comes back. Void-returning paths (deleteDatabase, …) raise BlitzGraphError with errors[] populated.

Breaking Changes

BQL, schema, admin, blob, and task endpoints return 422 Unprocessable Entity when errors[] is non-empty (was 200 OK). Clients using fetch + res.ok or default axios will see the rejection at the transport layer. The body shape is unchanged, so code that already inspected errors[] keeps working.
React mutation hooks (useMutation, useRawMutation, useScopedMutate, usePortalsMutate, useSchemaMutate, …) return { mutate, ...state } instead of [mutate, state]. Migrate via object destructure: const { mutate, isLoading } = useMutation(ref) or rename with const { mutate: createUser } = useMutation(ref). The previous tuple silently bound undefined on misnamed positions — now it's a compile error.

Beta 0.31.4

May 8, 2026

Symmetric relations and self-relation enforcement

Features

Symmetric roles reject duplicate reverse-direction edges (SYMMETRIC_RELATION_EXISTS) both for new edges in the same batch and against already-committed relations.
allowSelfRelation: false (the default) rejects the same player appearing in two or more distinct roles of one relation unit (SELF_RELATION_FORBIDDEN). Per-kind scoped, so multi-kind composition stays unaffected. Validation respects child overrides on inherited roles.
Error payloads include kind name, role name, and the offending player ID list — enough to fix the mutation without exposing unrelated units.

Beta 0.30.3

May 8, 2026

Safer destructive actions and clearer credential UX

Improvements

Subspaces panel: destructive actions (Wipe Data, Wipe Schema, Delete) moved into a kebab menu so accidental clicks can no longer trigger them. Same menu adds Open in BlitzSheet and Open in Query Studio; double-click opens BlitzSheet.
Access page: rotate / revoke require a confirmation dialog; expiry shows date + time and switches to "Expired …" once past.
Studio connection modal auto-prefixes https:// for non-loopback URLs (was http://); loopback (localhost, 127.0.0.1, ::1, [::1], *.localhost) keeps http://.

Fixes

Removed the row-level "Copy" button on the Access page — it serialized JSON metadata, never the actual secret. Tokens are hashed at rest, so only the Token Created modal and the rotate banner can return one.
Hid the "Last Used" column until the backend populates lastUsedAt. Token status derives "Expired" client-side; rotate / revoke disable for expired tokens.
normalizeStudioUrl IPv6 parsing fixed: ::1 and [::1]:3011 were classified as remote and silently received https://. Bracketed authority and bare-IPv6 are now handled correctly.

Beta 0.30.2

May 8, 2026

React SDK: stricter, safer types

Breaking Changes

useRawResource.data is now readonly T[], and the response array is frozen. Mutating helpers (push, in-place sort, …) stop type-checking and throw at runtime. Clone with [...result.data] if you need a mutable copy.
useInfiniteQuery(ref, …) requires a ref whose output is { items, nextCursor? }. Refs returning a plain array no longer compile.
useQuery / useRawQuery / useRawDefinitionQuery only accept a <TSelected> type parameter when you also pass a matching select projection. Omit the type argument for the identity case.

Beta 0.30.1

May 7, 2026

Structured envelope errors and better mutation error visibility

Features

Envelope rejections now carry three structured codes — UNKNOWN_ENVELOPE_KEY, UNKNOWN_MULTIPART_FIELD, INVALID_ENVELOPE — with data: { unknown, allowed } so clients can branch on code instead of parsing prose.
Every content type now ships a docs: { summary, description, related } block. Generated TS, JSON Schema, and the marketing docs glossary all read from the same source.
useRawMutation accepts a mutationOpts field for forwarding execution options to the wire.
Browser-friendly 404 page for unknown portals (JSON clients still receive a JSON body). All portal 404s set Cache-Control: no-store so a stale 404 cannot shadow-ban a freshly created portal.

Improvements

Parse-time mutation validation now surfaces every per-item error in one response, even with failFast: true. Runtime fail-fast still applies to execution errors.
When the error list is truncated by maxErrors, MutateResult.info includes "N additional error(s) elided due to maxErrors" so truncation is no longer silent.
Portal 404 body no longer echoes the requested portal id — removes a trivial enumeration vector.

Beta 0.30.0

May 6, 2026

Numeric types split, typed error codes, and MCP tooling

Features

NUMBER splits into three explicit value types: INTEGER (exact i64), DECIMAL (arbitrary-precision base-10, max scale 28), and FLOAT (IEEE 754 f64). Pick INTEGER for counts/ids, DECIMAL for money and fractional measurements, FLOAT for ML / scientific values.
DECIMAL fields support optional fixed scale: 0..=28 and round-trip exactly through storage, indexes, aggregates, $js, and computed fields as { "#decimal": "<canonical-string>" }.
BlitzStudio sheet cells get dedicated INTEGER, DECIMAL, and FLOAT editors. The DECIMAL cell is precision-safe (no JS Number round-trip) and respects the field's scale.
Typed error-code surface in @blitzgraph/client-core: SERVER_ERROR_CODES, TRANSPORT_ERROR_CODES, ERROR_CODES, KnownErrorCode, isKnownErrorCode(). Regenerated from the Rust source so clients can branch on stable strings.
New numeric error codes: DECIMAL_SCALE_EXCEEDED, FLOAT_NOT_FINITE, INTEGER_OVERFLOW, DECIMAL_OVERFLOW.
MCP server gains three tools: studio.open (absolute Studio URL for the caller), portals.url (resolve app slug to public portal URL), feedback.send (post agent-authored reports to the control plane). The same feedback flow is also exposed via POST /agents/feedback.
MCP initialize ships an instructions string, per-tool annotations (readOnlyHint, destructiveHint, title), and docs URLs — ready for connector-store submission.
Pages Builder can rename pages and layouts directly from the tree, with path canonicalization and duplicate detection.

Improvements

PERCENTAGE is now backed by DECIMAL (was FLOAT), so percentages round-trip exactly through storage, indexes, and aggregates.
FLOAT is rejected as unique, indexed, idField, or interval-bounds value type at schema import — index keys would not be exact and unique would not survive NaN semantics.
MCP tools/call no longer races into duplicate token rotations on a cold cache: concurrent calls per access token now share one issuance.
Agent feedback writes are rate-limited per (IP, space) (30/hour). REST and MCP paths share one budget.

Fixes

Number JS built-in is no longer blocklisted inside $js bodies (broke expressions like Number(x)).
Switching a field out of CURRENCY no longer leaves stale currency metadata behind.
portals.url only treats HTTP 404 as "portal not found" — transient 5xx and network errors no longer mask a misconfigured portal as missing.

Breaking Changes

valueType: "NUMBER" is no longer accepted. Migrate each field to INTEGER, DECIMAL, or FLOAT. Schema import and definition_mutate reject NUMBER with a migration hint.
Cross-numeric valueType transitions are rejected with UnsupportedTransition in this release. They land properly in 0.33.0.
DECIMAL aggregate results (SUM, AVG, MIN, MAX, MEDIAN) are now canonical decimal strings rather than JSON numbers. Read them via { "#decimal": "..." } or parse the string directly. STDDEV continues to return f64.
$js and computed-field code emitting decimals must use { "#decimal": "<string>" } for DECIMAL fields. Returning a JS number may lose precision and is rejected for non-finite values.
NaN and ±Infinity are rejected at every DECIMAL coercion boundary with FLOAT_NOT_FINITE (previously silently produced corrupted index keys).
Pre-launch policy: existing dev databases were wiped as part of the numeric split. Re-import schemas and data on upgrade.

Beta 0.29.0

May 2, 2026

Native Currency, definition_query projection, and path-keyed portals

Features

Native CURRENCY value type with fixed (currency: "USD") or multi-currency (currency: "*") declarations. Wire shape: { amount: DecimalString, currency: ISO4217Alpha3 }, validated end-to-end.
Fixed-currency fields DX-expand bare scalar writes and filters (19.99, { "$gt": 100 }) into canonical money objects. Multi-currency fields require the explicit { amount, currency } shape.
BlitzStudio renders CURRENCY values as amount currency, accepts paste coercion ("24500 USD" → canonical object), and exposes a currency picker on field editing.
New endpoint POST /docs/batch and TS helper client.docs.batch(req) for ordered multi-doc lookup with duplicate preservation and result: null for misses.
definition_query supports $as aliases on identity fields and $expand children.
Per-page layoutChainOverride: string[] | null on portal pages with tri-state semantics: absent inherits, [] opts out, [...] is an explicit override.
New TS surface subspace.definitions.{query,mutate}() (raw passthrough, no family validation) for mixed schema+portal batches, backed by matching MCP tools.
New layout.delete mutation in the portals client-ops surface.

Improvements

CURRENCY parse errors pinpoint the exact failure (bad ISO code, missing keys, lossy JSON float, malformed decimal) instead of a generic type mismatch.
BQL comparison operators on CURRENCY use schema-aware coercion and exact decimal comparison within the same currency.
Aborted batch mutations return commit-truthful responses: phantom IDs from never-persisted units are stripped, surviving IDs are rewritten to their public idField value.
Portal page and layout paths are canonicalized on bulk import (collapsing repeated slashes, stripping trailing slashes), and duplicate canonical paths fail with an explicit error.
Batch errors include per-item context: batch item [N]: ….
React SDK cache invalidation now correctly handles $id in scalar, array, and $in shapes, and invalidates on unlink (was missed).

Fixes

Failed batch creates no longer leak phantom $id values when errorMode: "collect" is in effect (including nested inline creates).
Failed batches under returnMode: "normalized" no longer synthesize fake $op commit operations for items that never committed.
Transient updated / created / deleted flags are stripped only at the top level — user-defined fields by those names are preserved.
Switching a field away from CURRENCY clears stale currency metadata so export / import round-trips do not fail later.

Breaking Changes

$ids is removed end-to-end. Use $id: [a, b] (sugar) or $id: { "$in": [...] } (canonical). Bulk-delete responses also use $id instead of $ids.
Data fields must use valueType instead of type, and kinds must use dataFields (object) instead of fields (array). No alias, no shim.
Definition payloads reject unknown keys (additionalProperties: false everywhere).
Root update mutations require an explicit selector ($id, $iid, $kinds, $filter, $search, or $var). Tunnel and arc-scoped update no longer accept $setKinds (set kinds at the root level only).
definition_query defaults to identity-only payloads. Omitting $fields returns only $type, $did, and the type-specific identity (slug / name / path). Heavy fields like tsxSource, clientJs, and compile artifacts require $fields: "*" or explicit projection.
$expand is only valid inside $fields and is restricted per definition type: app → pages / layouts / $history, page → layouts / $history, layout / component → $history only. Unsupported $expand options now error instead of being silently ignored.
definition_query $filter accepts equality and $in only (not the full BQL DSL); filtering on pages or layouts requires a map shape or null.
CURRENCY fields must declare currency (ISO 4217 alpha-3 or "*"). Multi-currency fields reject bare scalar writes and filter probes with CURRENCY_AMBIGUOUS; fixed-currency rejects mismatched currency with CURRENCY_MISMATCH. Cross-currency comparisons on multi-currency fields currently match nothing silently; convert to a canonical currency via a computed field for now.
Portals: routeTree is removed; DefinitionApp.layouts is keyed by path, not by name. Rename layout keys from labels ("root", "dashboard") to paths ("/", "/dashboard"). Layout chains are derived from page-path ancestors.
@blitzgraph/client-core renames OperatorDoc / OperatorDocSchema to DocOperator / DocOperatorSchema and removes the route-tree types (DefinitionRouteNode, DefinitionRouteGroup, DefinitionRoutePage).

Beta 0.28.0

April 27, 2026

Temporal types, stricter BQL, and schema integrity

Features

Native DATE (YYYY-MM-DD), DATETIME (YYYY-MM-DDTHH:MM:SS.SSSZ), and TIME (HH:MM:SS.SSS) value types with canonical wire formats.
Native interval values via { "#intervals": [...] }; queried with $contains (point or set containment) and $intersects (set overlap).
@blitzgraph/client-core exports temporal helpers (formatDate, formatDateTime, formatTime, isCanonical*, wrapTemporalCast).
Mutation roots and arc operations support multi-target selectors and narrowing with $id.$in, $iid, $iid.$in, $filter, $search, $kinds, $sort, $limit, and $offset.
Responses include a detailed meta.timings breakdown; @blitzgraph/client-core exposes getResponseClientTimings() for client-side response + JSON parse timing, and Studio shows the breakdown.
@blitzgraph/client-react/raw entrypoint with isolated cache keys for raw definition hooks, accepting BqlBatchQuery / BqlBatchMutation.
Background TaskManager gains a real three-phase IndexRebuild handler; schema type-change dispatch (FTS reindex + field conversion) is wired end-to-end.

Improvements

BQL query preparation is unified before execution, so root keys, selectors, filters, $fields, nested $expand, $expandArc, $groupBy, $sort, and $score are checked consistently.
Definition import / mutate validates linkField ownership against role playedBy (including inherited kinds) and rejects invalid target / targetRoles.
Role renames propagate to dependent link.plays and tunnel targetRoles. Role deletes, playedBy narrowing, and kind deletes are blocked when they would leave dangling links.
Schema mutation rejects unsupported value_type transitions at commit time instead of corrupting stored values.
update_kind_in with parent: null now actually clears the parent (was a silent no-op).
Auth/context HTTP failures return canonical errors: [{ code, message }] responses; MCP tool failures preserve structured error identity in structuredContent.error.
Bearer auth strictly accepts only bzt_* and bzi_* token prefixes.
BlitzGraph Studio renders and validates DATE, DATETIME, and TIME as distinct types; control / auth timestamp fields use DATETIME.

Fixes

Nested $fields, $expand, and $expandArc projections are recursively validated against the resolved target kinds.
Definition exports emit wildcard role playedBy as ["*"] instead of an empty array.
Role rename keeps local linkFields on descendant kinds intact instead of overwriting them.
Scoped arc mutations targeted by $id resolve through the engine, so custom-idField lookups work inside parent-scoped contexts.
BQL topo sort skips line / block comments and regex literals when walking arrow bodies, so JS defaults containing these tokens no longer corrupt dependency analysis.
Portal asset bodies scrub raw engine internals outside dev mode.

Breaking Changes

DATE no longer accepts timestamp strings. Use DATETIME for instants.
Interval values must use { "#intervals": [...] }; replace $includes / $overlaps filters with $contains / $intersects.
The untagged { "min": n, "max": n } cardinality shortcut is removed — use "MANY" (with optional min / max siblings) or { "MANY": { "min": n, "max": n } }.
BQL validation is stricter: malformed $and / $or / $not, unknown $... filter operators, unknown multi-kind fields, scalar $expand, and ambiguous JSON-vs-arc paths now fail instead of being silently ignored.
$meta is no longer accepted as a root query key — use it only inside $fields.
Query-backed mutation selectors ($filter, $search) resolve against the mutation-start snapshot. To target units created earlier in the same batch, capture them with $var.
Upsert requires exactly one scalar identity selector ($id, $iid, or $filter); $id.$in, $iid.$in, $sort, $limit, and $offset are rejected.
Schema mutation is stricter: creating a role without playedBy errors, invalid linkField owners error, inherited role / link clones cannot be edited through descendants, role deletes are rejected while dependent linkFields exist.
@blitzgraph/client-react split into a root surface (typed safe operations) and a /raw surface (raw definition / resource hooks). useResource is renamed to useRawResource and moved to /raw.
@blitzgraph/client-core renamed the public auth surface to token. The previous auth* exports were removed.
KindDef is no longer exported from generated/schema; source kind definitions from the dedicated defs entry point.
Portals: layouts use name as the authoritative key (no more path); pages and layouts must be sent as a map, not an array. The dead segment, isGroup, hasLayout, and synthetic /_layout/{index} slots are removed.

Beta 0.26.0

April 18, 2026

Agent tooling, safe operations, and a full storage reset

Features

Google OAuth sign-in alongside GitHub and magic link.
Public MCP server at /mcp. Claude Code and Codex connect as remote MCP hosts with device-flow OAuth.
Typed MCP tool surface: schema and portal export/import/query/mutate, BQL data query/mutate, and docs.* (overview/concept/operator/example/list/search).
Dynamic MCP resources: blitzgraph://schema/current, blitzgraph://docs/overview, and one per concept, enumerated live from the contract at resources/list time (no codegen drift).
/docs/* HTTP surface (overview, concept, operator, example, list, search) served from the Rust contract as the single source of truth.
Safe operations layer: typed client-ops refs, same-origin CSRF check, streamed body size limit, RFC 7239 Forwarded parsing, per-user sliding-window rate limit, and default-deny authorization per ref.
Unified operation cache with normalized units, descriptor-based family invalidation, optimistic updates, prefetch for RSC, Suspense-first queries, and infinite-query support.
Subspace capacity widened to 65,535 per namespace (up from 255).
Task routing is now target-aware with stable ID-based targets for database, namespace, subspace, kind, and field work.
Namespace-scoped principals can now list and operate on tasks within their own namespace.

Improvements

Definitions reshape: on the wire every bundle is { $bzv, schema, portals }. The TS client exposes client.schema, client.portals, and client.definitions accessors over the same HTTP endpoints.
definition_import is strictly additive (rejects overlapping kinds, apps, or components). Mixed nested + flat DX payloads are hoisted into the canonical nested shape before the overlap check, so no branch can slip past.
Admin namespace and subspace responses expose stable numeric $rid values (ns:1, ss:2) that survive renames.
Blob cleanup, usage metering, and task routing all handle subspace IDs above 255 correctly.
Storage internals now use explicit system namespace and system subspace planes instead of overloaded auth-style metadata slots.
Agent device verification page redesigned with branded UI.
Billing upgrade flow simplified to a "book a call" modal.
Space overview replaces connection bundle reveal with retry provisioning.
Marketing hero and background paint is smoother under animation thanks to explicit stacking-context isolation and will-change transform hints.
Feedback widget loads its Slack thread only after the launcher is opened, so marketing pages start with one less network round-trip.

Fixes

Namespace-scoped task APIs no longer leak foreign-namespace tasks or database-level tasks.
FTS reindex tasks now trigger correctly for field-level schema mutations.
Blob orphan cleanup now scans all known subspaces before deleting objects, including high-numbered ones.
Subspace and namespace drop paths clean up routed task state more safely; drop(unknown_namespace) returns UnknownNamespace instead of panicking.
CSRF: honor the rightmost element of the RFC 7239 Forwarded header (appended by the proxy closest to us). A forged leftmost value can no longer forge same-origin.
Rate limit IP derivation no longer trusts X-Forwarded-For or X-Real-IP. A value is only used when TRUST_PROXY_HEADERS=true and parsed from the rightmost for= entry. Otherwise rate limiting falls back to the userId (or a shared anonymous bucket).
Body-size cap on /api/ops/* is enforced while streaming chunks; oversized payloads no longer allocate before rejection.
Handler errors on /api/ops/* log full server-side and surface an opaque fallback to the client, so driver messages can't leak.
useQuery cleanup only aborts the in-flight fetch when the LAST observer for that key unmounts. Sibling components sharing a deduped request no longer get stuck on pending.
Operation descriptor context tracks the effective scope from input (caller overrides provider), so family invalidation tags records under the namespace they actually queried.
Social sign-in buttons stay disabled during OAuth redirect to prevent double-click.
MCP OAuth metadata consistently includes the mcp scope across all discovery endpoints.
transport.parseError guards the JSON body parse, so malformed 5xx bodies surface with the HTTP status instead of a SyntaxError.
BlitzStudio schema view keeps the last good schema on a refresh failure instead of wiping the cache to { kinds: {} }.
controlSpaces{Create,Update}Ref reject whitespace-only names at the schema boundary.
Marketing background noise layer is correctly scoped via isolation: isolate so mix-blend-overlay no longer flickers or bleeds into page chrome.
Marketing header anchors (#playground, #features, #compare) use absolute paths so they work from /docs and other non-home pages.
Feedback widget only surfaces an error after two consecutive poll failures and polls less aggressively, so transient outages no longer show a red flash.

Breaking Changes

Persisted storage from before this release is not compatible with the new key layout (5-byte header, u16 subspace). Reset or reimport existing data.
Public client packages renamed: @blitzstore/client-core → @blitzgraph/client-core, @blitzstore/client-react → @blitzgraph/client-react. Update your imports; the API surface is unchanged.
definition_import / definition_export now speak the nested { schema, portals } shape on the wire. The flat { kinds, apps, components } root is still accepted as DX input but is hoisted before processing. Custom consumers of the raw definitionExport payload must read from .schema.kinds and .portals.{apps,components}.
Removed the TS mirror consts CONCEPTS_MANIFEST and OPERATOR_DOCS from @blitzgraph/client-core. Call client.docs.list("concept"), client.docs.list("operator"), or the dedicated per-name endpoints instead. The contract is the only registry.
HTTP BQL routes now require the request envelope shape with body instead of accepting direct top-level BQL payloads.
Task payloads now return target instead of namespace, subspace_id, and scope; published TaskScope schemas and SDK exports were replaced by TaskTarget.
GET /tasks?namespace=... now returns 400 Bad Request when the namespace cannot be resolved instead of an empty success response.
Namespace admin updates now expect defaultSubspace as a subspace RID like ss:2, not a raw name or bare numeric value.
Public namespace and subspace resolution rejects the reserved system ID 0 instead of treating it like a normal selector.
HTTP auth is now Authorization: Bearer <token> for both scoped grant tokens (bzt_*) and internal keys (bzi_*). The blitz-internal-key header and its rate-limit bypass were removed.

Beta 0.25.1

April 16, 2026

Google sign-in, MCP transport, and agent tooling (rolled into 0.26.0)

Features

Google OAuth sign-in alongside GitHub and magic link.
Public MCP server at /mcp. Claude Code and Codex can connect as remote MCP hosts.
10 MCP tools: schema and portal export/import/query/mutate, plus BQL data query and mutate.
Live schema resource (blitzgraph://schema/current) for agent context.
Standard OAuth discovery metadata at /.well-known/oauth-authorization-server and /.well-known/oauth-protected-resource.

Improvements

Agent device verification page redesigned with branded UI.
Billing upgrade flow simplified to a "book a call" modal.
Space overview replaces connection bundle reveal with retry provisioning.

Fixes

Social sign-in buttons stay disabled during OAuth redirect to prevent double-click.
MCP OAuth metadata now consistently includes the mcp scope across all discovery endpoints.

Beta 0.25.0

April 11, 2026

Tunnel mutations, root aggregates, and stricter API contracts

New graph write capabilities, root-level aggregate queries, and clearer transport rules across admin and import APIs.

Features

Root aggregate BQL queries no longer require $groupBy for a single summary row.
Tunnel query and projected update support for linkField target:"role".
Relation-tree create support for tunnel writes through role-target links.

Improvements

Blob upload contracts are now typed around presign and finalize flows.
Blob finalization is stricter about subspace, principal, and finalize race handling.

Fixes

Target-scope validation fails more safely on tampered or invalid access payloads.
JS HTTP redirect handling is stricter against unsafe redirect chains.
Tunnel selector narrowing is more robust for $id filtering and deduplicated endpoint frontiers.

Breaking Changes

POST /admin expects the raw admin payload directly, not a { body, opts } envelope.
POST /data/import supports SSE progress with Accept: text/event-stream and one-shot JSON otherwise.
Endpoint-shaped tunnel writes on linkField target:"role" now reject; use projected updates or explicit relation-tree create.

Beta 0.24.0

April 9, 2026

Magic link sign-in, UI polish, and feedback fixes

Email sign-in, cleaner product chrome, and a more stable feedback flow.

Features

Email magic-link sign-in.

Improvements

Updated navbar and feedback widget styling.

Fixes

Feedback conversations behave more reliably during longer sessions.
Magic-link sign-in states and messages are less error-prone.

Beta 0.23.0

April 7, 2026

Docs, legal pages, and cleaner control-backed flows

Public docs, legal pages, and cleaner product flows across the marketing site and app.

Features

Full public docs page.
Terms, Privacy, Acceptable Use, and Report Abuse pages.

Improvements

Landing page refresh with updated branding, header, and comparisons.
Dashboard, spaces, and settings moved onto cleaner control-backed flows.

Fixes

Custom-ID and not-found errors fail more clearly across the app and client flows.

Beta 0.22.0

April 5, 2026

Storage reset and stricter server URL config

This release was mainly about a storage reset and stricter runtime config validation.

Breaking Changes

Storage revisions were reset, so existing stored data needed a reset or reimport.
Server URL config became stricter around valid baseUrl and publicUrl values.

Beta 0.21.2

April 4, 2026

More automatic Studio and Playground connections

Studio and Playground became easier to connect to and more reliable in scoped setups.

Improvements

Studio and Playground connection flow became more automatic and scope-aware.

Fixes

Studio reconnect flow was cleaned up.
Ambiguous space resolution in Studio bootstrap was fixed.
Playground autoconnect became more reliable.

Beta 0.21.0

April 1, 2026

Same-origin Studio bootstrap and better navigation

Studio setup got simpler, the landing gained a new background, and several navigation issues were fixed.

Features

Same-origin Studio session bootstrap from a Space.
New constellation landing background.

Improvements

Studio can resolve connections from scope with less manual setup.

Fixes

Space to Studio navigation now lands on the correct server.
Docs and changelog footer links now point to the correct localized or external destinations.

Beta 0.20.0

March 31, 2026

Real control-plane flows and managed space provisioning

The app moved from placeholders to real provisioning, real tokens, and real billing reads.

Features

Real control-plane integration in the web app.
Real space tokens and billing reads.
End-to-end space provisioning with a one-time builder token reveal after creation.

Improvements

Space creation now returns a real connection bundle instead of mock placeholders.

Fixes

Unauthenticated users are redirected home instead of hitting a dead end.
Space creation and post-create redirect flow were made more reliable.

Beta 0.19.0

March 24, 2026

GitHub sign-in, onboarding, and custom public IDs

This release added the first full auth and onboarding flows plus better support for custom public IDs.

Features

GitHub OAuth sign-in and protected routes.
Sign-in onboarding modal flow.
Webapp onboarding routes.
URL value type support.
Arc responses and link operations can use custom public IDs.

Improvements

Studio and onboarding flows were cleaned up.

Fixes

Custom ID resolution works more reliably across linked records and batch writes.