Warlock.js v4.2.5

Change Log

Shipped releases across the @warlock.js/* packages — one shared version line, newest first.

4.2.5
June 15, 2026

Patch release: warlock add notifications now scaffolds the in-app read/dismiss HTTP surface — routes.ts + a notifications controller (list / unread-count / mark-read / mark-all-read / clear / delete), gated by authMiddleware and recipient-scoped via inApp. The family is re-published in lockstep; no other functional changes.

@warlock.js/core Added 1
  • Added warlock add notifications now scaffolds the in-app read/dismiss HTTP surface — routes.ts + a notifications.controller.ts (list / unread-count / mark-read / mark-all-read / clear / delete), gated by authMiddleware and recipient-scoped via inApp. Pulls @warlock.js/auth.
4.2.4
June 15, 2026

Patch release: corrects the worker-loader path in @warlock.js/core's build entry points — a wrong path in 4.2.3 left the worker entry broken. The family is re-published in lockstep; no other functional changes.

@warlock.js/core Fixed 1
  • Fixed Fix the worker-loader path in the build entry points — a wrong path in 4.2.3 left the worker entry broken (and blocked the 4.2.3 publish for some packages).
4.2.3
June 15, 2026

Patch release: adds the worker scripts as @warlock.js/core build entry points so they ship in the published package. A wrong entry-point path in this build blocked the npm publish for some packages — corrected in 4.2.4.

@warlock.js/core Fixed 1
  • Fixed Add the worker scripts as build entry points so they ship in the published package.
4.2.2
June 15, 2026

Patch release: adds cli/start to @warlock.js/core's build entry points so the warlock CLI entry ships in the published package. The family is re-published in lockstep; no other functional changes.

@warlock.js/core Fixed 1
  • Fixed Add cli/start to the build entry points so the warlock CLI entry ships in the published package.
4.2.1
June 15, 2026

Patch release: @warlock.js/core and @warlock.js/cascade now ship their bin folder, so the warlock and cascade CLIs work from the published package — they were omitted from the 4.2.0 build. The rest of the family is re-published at 4.2.1 to keep the lockstep version line; no other functional changes.

@warlock.js/core Fixed 1
  • Fixed Ship the bin folder so the warlock CLI works from the published package — it was omitted from the 4.2.0 build.
@warlock.js/cascade Fixed 1
  • Fixed Ship the bin folder so the cascade CLI works from the published package — it was omitted from the 4.2.0 build.
4.2.0
June 15, 2026

A security and correctness overhaul of @warlock.js/auth — brute-force login throttling, atomic refresh-token rotation with replay detection, CSPRNG signing secrets, a corrected default token lifetime, and overridable token storage for multi-tenant schemas. The jwt config block is superseded by accessToken / refreshToken. Also introduces @warlock.js/notifications — multi-channel notifications (mail, in-app, custom channels) with preferences, rate limits, idempotency, and a herald-backed async queue. Plus @warlock.js/access — authorization (RBAC + ABAC): permission checks, attribute-based policies, role management, and a pluggable resolver.

@warlock.js/notifications New 1
  • New Shipped Warlock.js Notifications Package.
@warlock.js/access New 1
  • New Shipped Warlock.js Access Package.
@warlock.js/auth Added 5 Fixed 6 Deprecated 1 Removed 2 Security 2
  • Added loginThrottleMiddleware — failure-aware brute-force / credential-stuffing protection that counts only failed logins, resets on a successful one, locks per-account and per-IP, and rejects pre-controller with 429 (cache-backed, fails open on a cache outage). Adds AuthErrorCodes.TooManyAttempts (EC004).
  • Added accessToken / refreshToken configuration blocks, making a separate refresh-token secret first-class.
  • Added Overridable token storage — register a custom model under config.auth.accessToken.model / config.auth.refreshToken.model and .extend() the exported accessTokenSchema / refreshTokenSchema to add columns (e.g. a multi-tenant organization_id). Models own issuance through issue() and expose named statics, so the service hard-codes no column names.
  • Added tokenType (access | refresh) claim, stamped on issue and verified on read, so an access token can no longer be presented as a refresh token.
  • Added expires_at on access tokens; warlock auth.cleanup now purges expired access tokens as well as refresh tokens.
  • Fixed Default access-token lifetime was ~3.6 seconds (a numeric expiresIn interpreted as milliseconds) and is now 1 hour.
  • Fixed Targeted revocation queried userId instead of the user_id column, so logout and refresh-token removal threw on Postgres and silently no-oped on MongoDB. The service now routes every token query through named model statics, so no column name is hard-coded.
  • Fixed Token deletions were fire-and-forget inside Promise<void> methods (false success for callers, uncatchable rejections) and are now awaited.
  • Fixed The route middleware matched on userType instead of the user_type column.
  • Fixed revokeAllTokens / revokeTokenFamily reported an empty set — a re-query on revoked_at: null after the update matched nothing — so the token.revoked / token.familyRevoked events never fired. The revoked rows are now captured before revocation.
  • Fixed A throwing synchronous auth-event listener no longer turns a completed login into a 500.
  • Deprecated The auth.jwt.* configuration block (jwt: { secret, expiresIn, refresh }). Use accessToken / refreshToken instead — the legacy shape is still read and mapped forward with a one-time deprecation warning.
  • Removed Unread access_tokens columns is_active and last_access.
  • Removed The unused auth.password.salt configuration key.
  • Security warlock jwt.generate now derives JWT_SECRET / JWT_REFRESH_SECRET from a CSPRNG (Random.token) instead of Math.random()-backed Random.string.
  • Security Refresh-token rotation is atomic: a guarded conditional UPDATE means two concurrent rotations of the same token can never both succeed, and a replayed token revokes its entire family.
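
The guarded conditional UPDATE and family revocation described in the last Security entry, as an added JavaScript sketch (not code from @warlock.js/auth). The in-memory TokenTable, the refresh_tokens table name, and the rotate / naiveRace functions are assumptions made for illustration; treating the loser of a race as a replay is also an assumption of this sketch.

```javascript
const crypto = require("node:crypto");

// Constructed in-memory stand-in for a refresh_tokens table (not Warlock's model).
class TokenTable {
  constructor() { this.rows = new Map(); }
  issue(familyId) {
    const id = crypto.randomBytes(16).toString("hex");
    this.rows.set(id, { familyId, revokedAt: null });
    return id;
  }
  // Models: UPDATE refresh_tokens SET revoked_at = now()
  //         WHERE id = $1 AND revoked_at IS NULL   -> affected row count
  // The check and the write are one statement, so only one caller gets 1.
  revokeIfActive(id) {
    const row = this.rows.get(id);
    if (!row || row.revokedAt !== null) return 0;
    row.revokedAt = Date.now();
    return 1;
  }
  revokeFamily(familyId) {
    for (const row of this.rows.values()) {
      if (row.familyId === familyId && row.revokedAt === null) row.revokedAt = Date.now();
    }
  }
  activeCount(familyId) {
    return [...this.rows.values()]
      .filter((r) => r.familyId === familyId && r.revokedAt === null).length;
  }
}

function rotate(table, presentedId) {
  const row = table.rows.get(presentedId);
  if (!row) return { ok: false, reason: "unknown" };
  if (table.revokeIfActive(presentedId) === 1) {
    return { ok: true, token: table.issue(row.familyId) };
  }
  // Already consumed: treat as a replay and revoke every token in the family.
  table.revokeFamily(row.familyId);
  return { ok: false, reason: "replay" };
}

// Contrast: SELECT then unconditional UPDATE as two steps. Two interleaved
// requests both pass the check, so one refresh token mints two successors.
function naiveRace(table, presentedId) {
  const row = table.rows.get(presentedId);
  const sawActive = [row.revokedAt === null, row.revokedAt === null]; // A, B SELECT
  row.revokedAt = Date.now(); // A and B both UPDATE without a guard
  return sawActive.filter(Boolean).map(() => table.issue(row.familyId));
}
```

With the guard, the second presentation of the same token fails and leaves the family with no active tokens, so the holder of the successor token has to log in again.
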
@warlock.js/logger Added 4 Changed 3 Fixed 1
  • Added log.flush() — awaitable async counterpart to flushSync(). Drains every channel that implements flush() via Promise.allSettled with per-channel isolation, so one channel's failure can't break shutdown. FileLog / JSONFileLog implement it; ConsoleLog writes synchronously and doesn't need it.
  • Added SentryLog channel — forwards entries to Sentry. eventLevels (fatal / error / warn by default) become events (captureException for Error messages, captureMessage otherwise); every other level becomes a breadcrumb. module / action are tags, context is a structured Sentry context. @sentry/node is an optional peer, lazily imported — pass an existing client or options.
  • Added log.fatal() + fatal log level — ranked strictly above error for unrecoverable failures (failed bootstrap, uncaughtException). Does not auto-flush or exit; caller decides.
  • Added ConsoleLog renders fatal with a icon on a bright-red background and bold red-bright message, distinct from error's .
  • Changed captureAnyUnhandledRejection() now escalates uncaughtException to log.fatal (was log.error). Node terminates the process by default, so it's semantically fatal — makes "page only on fatal" alerting clean. unhandledRejection stays at error.
  • Changed LoggingData.type is now typed as LogLevel (was a duplicated inline union — code-standards cleanup).
  • Changed LogContract and the LogChannel base now expose an optional flush?() alongside the existing flushSync?().
  • Fixed @sentry/node is now referenced only via local minimal types + an indirect dynamic import, so source-served consumers (the package's main is ./src/index.ts) no longer get a TS2307: Cannot find module '@sentry/node' when they (correctly) don't install the optional peer. Proven by pruning the SDK and running the full suite + tsc --noEmit clean.
@warlock.js/cascade Changed 1 Fixed 1
  • Changed MongoDB and PostgreSQL drivers now log a failed initial connect() at log.fatal (was log.error). Boot-time database connection failures are unrecoverable in every realistic Warlock use case (app boot, CLI migrations, workers) — fatal makes "page on fatal only" alerting clean. Per-query failures, createDatabase/dropDatabase lifecycle errors, and disconnect failures stay at error.
  • Fixed PostgreSQL increment / decrement (and the *Many variants) bound the amount parameter as $1, which collided with the first filter placeholder (SET n = n + $1 WHERE id = $1) — the filter value bound into the amount slot, so every filtered counter update wrote the wrong number. The amount now binds after the filter params.
@warlock.js/ai Fixed 1
  • Fixed No-argument tools (declared without an input schema) no longer crash on invocation. A schemaless tool threw Cannot read properties of undefined (reading '~standard'); tool.invoke now skips validation when no schema is present and passes the raw input straight to the handler.
@warlock.js/ai-anthropic Added 1
  • Added Opt-in promptCaching flag on the model config. When enabled, the tool definitions are marked with cache_control: { type: "ephemeral" }, so multi-trip agents reuse the static tool schemas at Anthropic's cache-read rate instead of re-sending them at full price every trip. Off by default — a cache write costs more, so it only pays off across repeated trips; the system prompt is left uncached because it carries per-turn content.
@warlock.js/cache Changed 1
  • Changed Redis driver now logs a failed initial connect() at log.fatal (was log.error). Boot-time cache connection failures are unrecoverable in practice — fatal makes "page on fatal only" alerting clean, aligned with the cascade drivers and the herald connector.
@warlock.js/core Changed 1
  • Changed herald-connector and http-connector now log a failed boot-time connection at log.fatal (was log.error / a dev-only console write). A broker connection failure or an HTTP port-bind failure at boot is unrecoverable — fatal makes "page on fatal only" alerting clean, aligned with the cascade and cache drivers. The HTTP connector additionally awaits log.flush() before process.exit(1) so the fatal entry reaches Sentry/file before the process dies. Disconnect/shutdown failures stay at error.
4.1.15
June 4, 2026

Initial public baseline of the Warlock.js framework — 17 packages published in lockstep at 4.1.15. From this release on, every change is recorded in its package's CHANGELOG.md and aggregated here by version.