Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.2.0] - 2026-05-26

Added

  • Generalized Configuration Pattern: Unified configuration system for all client settings

    • Config dataclass with auto-discovery from multiple sources

    • Resolution order: explicit config → config_path → prefixed env vars → unprefixed env vars → ./roomz.toml → ~/.roomz.toml

    • Environment variable prefix system: ROOMZ_PREFIX=DEVDEV_ROOMZ_SERVER_URL

    • TOML config file support with [client] section

    • Config.auto_discover() returns discovered path for debugging

    • Structured logging for config discovery

    • ConfigurationError exception for clear error messages

Changed

  • Breaking: AsyncClient and SyncClient constructors now accept config: Config instead of individual server_url and display_name parameters

    • Old: AsyncClient(server_url="http://localhost:5000", display_name="Alice")

    • New: AsyncClient(config=Config(server_url="http://localhost:5000", display_name="Alice"))

    • Or use auto-discovery: AsyncClient() with ROOMZ_SERVER_URL env var or ~/.roomz.toml

Fixed

  • Session cache security: Session files now created with 0600 permissions (atomic creation with os.open() + O_EXCL)

  • Server URL validation: URLs validated to be http/https only, no credentials allowed

  • Email sender: ResendEmailSender now correctly handles quoted EMAIL_FROM values

Security

  • Session cache files created with 0600 permissions (JWT tokens protected)

  • Config files loaded with explicit error handling (raises ConfigurationError on invalid files)

  • Server URL validation prevents credential injection

[0.1.2] - 2026-05-18

Added

  • Per-device display names: Users can set custom display names per device/session

    • /name <name> command to set display name in chat

    • /name (no argument) to clear display name

    • Display format: "{name} ({email})" or just email

    • Web client: persisted in localStorage

    • Python client: ROOMZ_DISPLAY_NAME env var or ~/.roomz/config.toml

    • Stateless server-side storage (per-connection in memory)

    • Input validation: max 50 chars, no newlines/control chars, XSS prevention

Fixed

  • System message visibility: Presence messages (user joined/left) now visible on dark themes

    • Changed from text-medium-emphasis to text-primary class

    • Subtle primary background for better contrast

  • Mobile title truncation: Title “Roomz” no longer truncates on narrow screens

    • User dropdown shows icon-only on mobile (< 600px)

    • Full text visible on tablet/desktop

Changed

  • Presence events now include display_name field

  • New display_name_changed WebSocket event for multi-device awareness

[0.1.0] - 2024-05-15

Added

  • Initial release

  • Magic link authentication with email delivery

  • JWT-based session management with httpOnly cookies

  • Real-time WebSocket chat using Socket.IO

  • User-owned private channels for isolated messaging

  • Python client library (AsyncClient and SyncClient)

  • CLI interface (roomz-cli) with Textual TUI

  • Session caching for automatic reconnection

  • Rate limiting for magic link requests

  • ALLOWED_EMAILS access control

  • Resend email integration

  • Comprehensive test suite

Security

  • HS256 JWT signing (algorithm hardcoded)

  • Single-use magic links with 15-minute expiration

  • Rate limiting (5 requests per email per hour)

  • httpOnly, SameSite=Strict cookies

  • Server-side ALLOWED_EMAILS validation on every request

  • XSS prevention through message sanitization

Version History

Version

Date

Description

0.2.0

2026-05-26

Configuration pattern, session security fixes

0.1.2

2026-05-18

Display names, mobile UX fixes

0.1.1

2026-05-15

Package restructuring

0.1.0

2024-05-15

Initial release