Changelog

Improved

• Extractor entity-type preferences — Extractor prompts now prefer specific entity_types (ai_agent, system_layer, orchestrator) over generic catch-alls (project_component). Improves cross-doc merge precision on technical-systems documentation (PR #80).

Improved

• Phase 1.5e — strong-embedding merge gate — The strong_embedding branch of cross-doc entity merge now requires shared_neighbor_count ≥ 2. Cuts false-positive auto-merges (e.g. Echo Brickell ↔ 830 Brickell as a building class) while preserving cross-doc fragmentation wins (PR #79).

Added

• Phase 1.5c — semantic embedding signal in cross-doc merge — Embedding-driven entity resolution (S2 cosine-similarity) now contributes to the cross-doc merge scorer. Resolves Watson / Dr. John Watson-style fragmentation that purely structural signals (S1/S3/S4) missed (PR #78).
• Operator consolidation-report endpoint — POST /v1/admin/maintenance/consolidate-entities/{tenant_id} — read-only preview of cross-doc merge candidates for operator review. No writes; safe to call against production.
• Backend Docker image ships scripts/ — Operator one-shots (backfill, diagnostics) are now runnable via az containerapp exec against the live image (PRs #75, #76).

Added

• Phase 1.5a/b — entity-embedding storage + writer — New entity_embedding table (Postgres pgvector, HNSW index) with extraction-time writer. Feature-flag-gated (CROSS_DOC_EMBEDDING_MERGE). Backfill script available for existing tenants (PRs #73, #74).

Added

• Stripe billing live in production — Credit-grant hardening complete; record_stripe_credit and record_operator_credit replace the legacy add_credits path. STRIPE_SUCCESS_URL / STRIPE_CANCEL_URL no longer fall back to dev defaults in production.
• rel_type_source_usage join table — search_relationships can now filter by source_ids[], returning only relationship types observed in the named sources (PR #57).

Fixed

• embed_compat.py SDK quirk — Multi-chunk files now produce one embedding per chunk; previously the SDK collapsed them to a single embedding (PR #55).
• Cast-list pre-pass — Rule 7 emits one entry per person with every surface form as an alias. Closes Watson-honorific fragmentation seen in literature corpora.

Added

• Phase 1 + 1.1 — cross-doc entity merge (structural signals) — S1/S3/S4 structural signals (name similarity, neighbor overlap, type compatibility) with safety floors: MIN_SHARED_NEIGHBORS_FOR_MERGE=3, MIN_NAME_SIM_FOR_MERGE=0.40, overlap-coefficient on S3. Produces same_as edges for operator review.

Fixed

• Retry-failures dispatch — The retry-failures route now dispatches trigger_sync_task when sync_state.files is empty, instead of silently completing (PR #66).
• MCP search_relationships field mapping — Backend returns name + score; MCP no longer expects rel_type + distance (PR #67).

Added

• API key rotation — Dashboard gains a “Rotate” button on every active key. One click mints a replacement with the same name and scopes, revokes the original. Closes the “revoke-then-create” window where integrations could land in a zero-valid-keys state.
• Emergency bulk-revoke — New “Revoke all” action on /dashboard/api-keys for incidents where you need to kill every active key immediately. Confirmation step required; tenant-isolated (cannot affect other tenants).
• Customer-visible extraction DLQ — The source files page now shows an amber banner whenever extraction produced unresolved failures. Click-through to see each failure (file, chunk, error class) with a one-click “Retry all” action. Retry is idempotent — the extraction pipeline dedups via content hash and MERGE.
• Per-credential rate limiting — Rate-limit buckets are now keyed on your Bearer token hash, not on IP. Two customers behind the same corporate NAT no longer compete for the same bucket.

Improved

• Dashboard readability on the team page — Removed a disabled “Invite Member” placeholder button that hinted at functionality not yet shipped.
• Onboarding flow — The “connect an AI agent” step now sends new users to API Keys (where actual setup happens) rather than a roadmap page.

Added

• Hosted MCP server at mcp.mantleai.dev/mcp — Public MCP endpoint serving streamable-HTTP transport. Any MCP-compatible client can connect with a Bearer token; no local install required.
• Ingestion resilience — Extraction failures are now durably recorded as DLQ rows in the sync-events table with file_id, chunk_index, error_class, error_message, and attempts metadata. Transient provider errors (timeouts, rate limits, network blips) auto-retry up to three times with exponential backoff + jitter before landing in the DLQ.
• Graph-scale hygiene — On hub entities with thousands of relationships, get_relationships auto-downgrades the “summary” shape (skipping expensive per-bucket examples) and marks the response completeness="severely_truncated" with a suggestion field telling the agent how to narrow. No more silent timeouts on well-connected entities.

Improved

• Relationship accuracy — get_relationships now returns an explicit completeness field so agents don't have to guess whether they have the full list. semantic_search carries an entity_suggestion when the query anchor resolves to an indexed entity, nudging agents to the graph path for enumeration questions.
• Tool-description parity with the Anthropic reference — Tool catalog overhead dropped from ~2,750 to ~1,050 tokens. Cheaper per-turn for agents with small context budgets.

Added

• Postgres PITR window extended — Point-in-time restore window extended from 7 to 35 days. Gives us a broader recovery surface.
• Daily Neo4j snapshots — Daily snapshots of the graph store. 14-day rolling retention with automatic prune. First-party operational infrastructure, not a third-party backup service.

Improved

• ACL enforcement on graph queries — Seed entity access now checked in Neo4j queries (previously only applied to the “other” side of a relationship).
• Per-credential metering — Pre-flight balance checks on search routes. Tenant runs out of credits → requests return 402 immediately rather than burning upstream provider tokens first.

Added

• Sentry integration — On backend + MCP — errors tagged with tenant_id + request_id for cross-service correlation.
• Readiness probe at /v1/ready — Exercises Postgres + Neo4j (+ Redis when configured). Replaces liveness-only /health for rolling-deploy cutover.

Improved

• Structured logging parity — Between backend and MCP servers. One request_id now traces a call from client → REST backend → MCP → Neo4j / Postgres.