Excalibur 0.4.2 removes heartbeat checking on the client to fix an annoying (but technically intended) bug.

Note that the server still has the heartbeat endpoint, but is now unused. The removal of this endpoint will come in Excalibur 0.5.

App​

🔧 Fixes​

• Fixed an issue on mobile where navigating to file selection and taking too long would kick the user back to the login screen
  • Related to heartbeat checking

🗑️ Removals​

• Removed heartbeat checking

Server​

No significant changes.

Excalibur 0.4.1 is a hotfix release fixing two big issues with the app.

App​

🔧 Fixes​

• Fixed issue where opening list of active jobs would trigger a refresh of the file list
• Fixed issue where a token refresh would not prompt the client to reconnect to the file listener

Server​

✏️ Changes​

• Made /api/auth/token also disconnect the user from the update manager

🔧 Fixes​

• Fixed minor issue where attempting to send messages to disconnected sockets would cause the entire file listener to fail

Excalibur 0.4 mainly brings performance improvements and bugfixes. Minor quality-of-life improvements to the application, such as the count of items uploaded en masse, have also been added.

There are no breaking changes made in Excalibur 0.4, but please still follow the 0.4 upgrade guide to upgrade your Excalibur instance to version 0.4.

Read all about the changes to Excalibur below. Enjoy!

App​

✨ Additions​

• Show skeleton items to directory list when waiting for directory to load
• Added check for update button to settings page
• Added a file count to the snackbar when uploading multiple files

✏️ Changes​

• Adjusted directory list height to accommodate floating action button
• Made refreshContents() call listdir() three times before giving up
• Changed sorting algorithm for names from lexicographical sorting to "natural" sorting (using natural-compare-lite)
• Slightly modified look of the sidebar menu
• Modified folder navigation to add a small delay before navigating to allow UI updates and show tap animations
• Modified check for update dialog slightly:
  • Title of dialog changed
  • Link to changelog page changed to Excalibur documentation website

🚄 Performance Improvements​

• Use new server info endpoint to reduce requests made to the server during server selection
• Use maximum upload size returned in server info query to check file sizes before upload (instead of querying server for each file)

🔧 Fixes​

• Fixed issue where the file list does not update when the current directory changes
  • This occurred especially when the server connection was unstable
• Fixed an issue where, when clicking into a subfolder, the current folder's file list would be requested in addition to the subfolder's file list
• Fixed listdir() failing badly when timeout occurs
• Fixed ugliness involved with Android edge-to-edge rendering
• Fixed inconsistency of URL path encoding, especially with ( and ), by following Python's urllib.quote() and urllib.quotePlus() implementations
• Fixed incorrect parent directory button row highlighting

📦 Dependencies​

• Updated ESLint dependencies:
  • eslint-plugin-cypress from 5.2.0 to 5.2.1
  • typescript-eslint from 8.51.0 to 8.52.0
• Updated Electron dependencies:
  • electron-builder from 26.3.1 to 26.4.0
  • electron-builder-squirrel-windows from 26.3.1 to 26.4.0
  • dmg-builder from 26.3.1 to 26.4.0
  • electron-updater from 6.6.2 to 6.7.3
• Updated @trivago/prettier-plugin-sort-imports from 6.0.1 to 6.0.2
• Updated cypress from 15.8.1 to 15.8.2
• Updated vite from 7.3.0 to 7.3.1
• Updated various type dependencies:
  • @types/node from 25.0.3 to 25.0.6
  • @types/react from 19.2.7 to 19.2.8

⚙️ Internal​

• Added more tests:
  • Added validateURL() tests to url.test.ts
• Fixed redundant console.log()/console.debug() calls
• Restructured workspace
• Split tests in files.cy.ts into multiple files for better organization and maintainability

Server​

✨ Additions​

• Added a new server info endpoint at /api/well-known/info which returns the following information:
  • version: SemVer of the server
  • max_upload_size: Maximum allowed file size in bytes
  • time: ISO 8601 string of the server's current time
• Added persistence to communications via a file-based communications cache, so that when the server restarts they will not be disconnected
  • This unfortunately does not apply to WebSocket sessions

🔧 Fixes​

• Fixed issue with file listener communications failing to be encrypted/decrypted correctly, causing issues with folder updates
• Fixed incorrect check for configuration values that needed to be positive
  • The check used to check if they were negative only. Now it checks if they are less than or equal to 0

🗑️ Removals​

• Removed /api/files/check/size endpoint in favour of the new server info endpoint
• Removed /api/well-known/clock endpoint in favour of the new server info endpoint
• Removed debug endpoint for listening to file updates (i.e., /api/files/listen/debug was removed)

📦 Dependencies​

• Removed cachetools dependency
• Updated alembic from 1.17.2 to 1.18.0
• Updated typer from 0.21.0 to 0.21.1
• Updated websockets from 15.0.1 to 16.0
• Updated ruff development dependency from 0.14.10 to 0.14.11
• Added pytest-timeout development dependency as a last-resort method to catch any tests that are hanging

⚙️ Internal​

• Created own implementation of TTLCache to replace cachetools dependency
• Added new internal _add_new_field() to config updater CLI to promote code reuse
• Removed old static folder

Excalibur 0.3.1 brings about several bugfixes to the project.

One pressing issue is with the rate limiting of file uploads. This is caused by the default token capacity and refill limit being too small for mass file uploads. As a temporary fix, modify your server's config.toml file as follows:

[server.rate_limit]
# The capacity of the rate limiter (e.g., number of allowed bursts)
-capacity = 20
+capacity = 250

# The refill rate of the rate limiter, in tokens per second
-refill_rate = 1
+refill_rate = 25

This will increase the rate limit for requests made to the server.

App​

🔒 Security​

• Updated qs transitive dependency from 6.14.0 to 6.14.1 to address CVE-2025-15284

✏️ Changes​

• Changed drag-and-drop overlay to be blurred instead of darkened

🔧 Fixes​

• Fixed an issue with uploading a folder
• Fixed an issue where uploading a folder within a subfolder fails
• Fixed flickering drag and drop overlay on Electron app on Windows
• Fixed an issue where updating jobs on the file explorer would constantly send requests for the current file list
• Fixed janky file refresh behaviour (especially when pulling down to refresh)
• Fixed an issue where attempting to create a new user when the server is unreachable would cause the application to hang

📦 Dependencies​

• Updated Ionic dependencies:

  • @ionic/core from 8.7.15 to 8.17.6
  • @ionic/react from 8.7.15 to 8.17.6
  • @ionic/react-router from 8.7.15 to 8.17.6

• Updated @trivago/prettier-plugin-sort-imports development dependency from 6.0.0 to 6.0.1

• Updated immer from 11.1.0 to 11.1.3

• Updated typescript-eslint development dependency from 8.50.1 to 8.51.0

⚙️ Internal​

• Cleaned up internal uses of useDirectory() to use useExplorerContext()
• Cleaned up internal uses of useUploadFile() to use useExplorerContext()
• Created new jobs-related context
• Moved .vscode folder to app's main directory (app/packages/main)
• Moved Jobs-related things into components/explorer/jobs

Server​

✏️ Changes​

• Changed default rate limit to from 20 requests total with 1 refill per second to 250 requests total with 25 refills per second
  • This is to allow for more simultaneous uploads at once
  • Running excalibur config update will also update the rate limit in the config file during the config update process

🚄 Performance Improvements​

• Made folder updates be queued so that the client does not get spammed with too many folder update notifications

📦 Dependencies​

• Updated fastapi from 0.127.0 to 0.128.0
• Updated gitpython from 3.1.45 to 3.1.46
• Updated sqlmodel from 0.0.29 to 0.0.31
• Updated typer from 0.20.1 to 0.21.0
• Updated ipython development dependency from 9.8.0 to 9.9.0

⚙️ Internal​

• Changed rate limit source code to use the HTTP_429_TOO_MANY_REQUESTS constant instead of using the status code directly

Excalibur 0.3 brings about huge changes to the project. Here are some of the highlights:

• Desktop Support: Excalibur now runs as a standalone desktop application on Windows, macOS, and Ubuntu!
• Multiple Concurrent Jobs: Support for multiple current uploads/downloads is here! Folder uploads are now also possible.
• Auto Token Refreshing: There's no more token expiry countdown! The authentication token now refreshes automatically.
• Item Moving: You can now move items between folders.
  • The user interface for moving items is a bit clunky. This will be worked on in the next update.

The Excalibur documentation website was also updated in this release.

Unfortunately, this release does bring about some breaking changes. Please follow the 0.3 upgrade guide to upgrade your Excalibur instance to version 0.3.

Read all about the changes to Excalibur below. Enjoy!

App​

🔒 Security​

• Updated the Excalibur Encryption Format (ExEF) to version 3, which includes the following changes:
  • Reduced size of the Version field from 2 bytes to 1 byte
  • Replaced Key Size field with Cipher ID field for greater flexibility of choice of encryption algorithm, and reduced its size from 2 bytes to 1 byte
  • Added Header MAC field for quick verification of the decryption key (solving the issue of 'decrypting' the entire file before seeing that the AES-GCM tag does not match)
• Use proof-of-possession token along any heartbeat request that asks for authentication validity

✨ Additions​

• Added auto token refreshing, eliminating the need for a countdown before logout
• Added support for multiple in-progress upload/download tasks
• Added ability to cancel in-progress upload/download tasks
• Added support for full-folder uploads
• Added ability for the app to listen for any folder changes from the server
• Added support for Electron desktop builds
• Added ability to move items between folders
  • The current UI for moving items is a bit clunky; this will be improved upon in a future release
• Added support for drag-and-drop uploads for non-mobile builds
• Created a new user sign up page
  • New users will now need to provide the Account Creation Key (ACK) mnemonic to create an account
  • In particular, we now use BIP39 to generate a mnemonic from ACK
• Added a "parent directory" option to subfolders to allow you to navigate back to the parent directory
• Made right-clicking bring up the context menu
• Added a new setting to allow users to change files'/folders' icon types:
  • Default: files' icons are outlined, folders' icons are solid
  • Reversed: files' icons are solid, folders' icons are outlined
  • All Outlined: all icons are outlined
  • All Solid: all icons are solid
• Added automatic checking for updates

✏️ Changes​

• Changed vault key dialog to show a mnemonic of the vault key instead of the raw hex
  • The mnemonic is generated using BIP39
• Changed the default crypto chunk size from 512 KiB to 256 KiB

🚄 Performance Improvements​

• Moved most encryption/decryption operations to crypto workers
• Refactored code that handles encryption/decryption of requests. This should improve the speed and responsiveness of the cryptographic operations in the file explorer
• Use chunked file reads on native systems to improve the efficiency of the app
• Included local font files in the app to make loading faster
• Made the server URL check in the server choice page run in parallel, reducing the total time needed to check all possible API URLs

🔧 Fixes​

• Fixed an issue where scrolling the file list does not keep the breadcrumbs and file header at the top of the page
• Fixed an issue where the server version does not refresh even after the server gets updated
• Fixed a bug where kicking back to the login screen did not log out the user, still displaying the username on the side menu on the login page
• Fixed several dark/light mode inconsistencies

⚠️ Deprecations​

• Deprecated ExEF version 2 in favour of ExEF version 3

🗑️ Removals​

• Removed credits from app; moved credits to the website instead
• Removed support for PWA-on-server builds

📦 Dependencies​

• Switched to pnpm for dependency management
• Updated js-yaml transitive dependency version from 4.1.0 to 4.1.1 to address CVE-2025-64718
• Updated glob transitive dependency version from 11.0.3 to 11.1.0 to address CVE-2025-64756
• Updated Capacitor to Version 8. This required updates to a few dependencies:
  • @capacitor/android from 7.4.3 to 8.0.0
  • @capacitor/app from 7.1.0 to 8.0.0
  • @capacitor/core from 7.4.3 to 8.0.0
  • @capacitor/cli from 7.4.3 to 8.0.0
  • @capacitor/filesystem from 7.1.4 to 8.0.0
  • @capacitor/keyboard from 7.0.3 to 8.0.0
  • @capacitor/preferences from 7.0.2 to 8.0.0
  • @capacitor/privacy-screen from 1.1.1 to 2.0.0
  • @capacitor/screen-orientation from 7.0.2 to 8.0.0
  • @capawesome/capacitor-file-picker from 7.2.0 to 8.0.0
• Updated android dependencies:
  • AGP from 8.13.0 to 8.13.2
  • AndroidX activity from 1.9.2 to 1.11.0
  • AndroidX core from 1.15.0 to 1.17.0
  • AndroidX Espresso Core from 3.6.1 to 3.7.0
  • AndroidX fragment from 1.8.4 to 1.8.9
  • AndroidX JUnit from 1.2.1 to 1.3.0
  • AndroidX WebKit from 1.12.1 to 1.14.0
  • Core splash screen from 1.0.1 to 1.2.0
  • Cordova Android from 10.1.1 to 14.0.1
• Updated Cypress from 15.3.0 to 15.8.1
• Updated ESLint dependencies:
  • eslint from 9.37.0 to 9.39.2
  • @eslint/js from 9.37.0 to 9.39.2
  • eslint-plugin-react-hooks from 7.0.0 to 7.0.1
  • eslint-plugin-react-refresh from 0.4.23 to 0.4.26
  • typescript-eslint from 8.46.1 to 8.50.1
• Updated Ionic dependencies:
  • @ionic/core from 8.7.5 to 8.7.15
  • @ionic/react from 8.7.5 to 8.7.15
  • @ionic/react-router from 8.7.5 to 8.7.15
• Updated Prettier dependencies:
  • prettier from 3.6.2 to 3.7.4
  • prettier-plugin-tailwindcss from 0.6.14 to 0.7.2
  • @trivago/prettier-plugin-sort-imports from 5.2.2 to 6.0.0
• Updated React dependencies:
  • react from 19.2.0 to 19.2.3
  • react-dom from 19.2.0 to 19.2.3
• Updated TailwindCSS dependencies:
  • tailwindcss from 4.1.14 to 4.1.18
  • @tailwindcss/vite from 4.1.14 to 4.1.18
• Updated Vite dependencies:
  • vite from 7.1.11 to 7.3.0
  • @vitejs/plugin-react from 5.0.4 to 5.1.2
• Updated globals from 16.4.0 to 16.5.0
• Updated jsonwebtoken from 9.0.3 to 9.0.4
• Updated lint-staged from 16.2.3 to 16.2.4
• Updated lint-staged from 16.2.4 to 16.2.6
• Updated vitest from 3.2.4 to 4.0.16
• Updated various type dependencies:
  • @types/node from 24.10.1 to 25.0.3
  • @types/react from 19.2.0 to 19.2.7
  • @types/react-dom from 19.2.0 to 19.2.3

⚙️ Internal​

• Made end-to-end Cypress tests more reliable
• Added more Cypress end-to-end tests
• Added tests for invalid ExEF file handling
• Bump GitHub actions' actions versions
  • actions/checkout from v5 to v6
  • actions/setup-node from v5 to v6
  • actions/setup-python from v5 to v6
  • actions/upload-artifact from v5 to v6
  • astral-sh/setup-uv from v6.5.0 to v7 (with corresponding uv version bumped from 0.8.17 to 0.9.18)
• Fixed incorrect attestation path for the PWA in the release-builds.yml workflow
• Refactored the structure of the FileExplorer page to be less complex and more maintainable
• Slightly modified TailwindCSS class specification to be aligned to the "canonical form" and also reduce spurious styling

Server​

🔒 Security​

• Updated the Excalibur Encryption Format (ExEF) to version 3, which includes the following changes:
  • Reduced size of the Version field from 2 bytes to 1 byte
  • Replaced Key Size field with Cipher ID field for greater flexibility of choice of encryption algorithm, and reduced its size from 2 bytes to 1 byte
  • Added Header MAC field for quick verification of the decryption key (solving the issue of 'decrypting' the entire file before seeing that the AES-GCM tag does not match)
• Added a requirement for a proof-of-possession (PoP) token to be sent along any heartbeat request that asks for authentication validity

✨ Additions​

• Added SRP proof-of-possession checking for some WebSocket endpoints
• Added config subcommands to the CLI:
  • config validate: Validates the config file
  • config update: Updates the config file to the latest version
• Added a WebSocket endpoint (/api/files/listen) that allows clients to listen for directory changes
• Added an endpoint for token refreshing
• Added an endpoint that allows moving of items
• Added an option (--log/--no-log or -l/-L) that enables/disables logging to console
• Added a new configuration field to automatically delete old logs

✏️ Changes​

• Changed account creation key to be a 32-byte random key
  • Using excalibur user ack will now print the mnemonic for the key instead of the key itself
• Changed delay parameter in the CLI to accept both an incoming and outgoing delay (both in milliseconds)
• Changed option that enables/disables logging to file from --logging/--no-logging (-l/-L) to --log-to-file/--no-log-to-file (-f/-F)
• Changed the WebSocket ping interval from the Uvicorn default 20 seconds to 30 seconds
• Disabled WebSocket logs
• Edited some API endpoints' descriptions to be more descriptive
• Tags that are not relevant to the current running of the server (e.g., non-debug mode, non-PWA) are now hidden

🔧 Fixes​

• Fixed issue with server not correctly handling delay for WebSockets' requests

⚠️ Deprecations​

• Deprecated ExEF version 2 in favour of ExEF version 3

🗑️ Removals​

• Removed support for PWA server builds

📦 Dependencies​

• Updated aiofiles from 24.1.0 to 25.1.0
• Updated alembic from 1.16.5 to 1.17.2
• Updated cachetools from 6.2.0 to 6.2.4
• Updated fastapi from 0.118.0 to 0.127.0
• Updated Pydantic dependencies:
  • pydantic from 2.11.9 to 2.12.5
  • pydantic-core from 2.33.2 to 2.41.5
  • pydantic-settings from 2.11.0 to 2.12.0
• Updated sqlalchemy from 2.0.43 to 2.0.45
• Updated sqlmodel from 0.0.25 to 0.0.29
• Updated typer from 0.19.2 to 0.20.1
• Updated uvicorn from 0.37.0 to 0.40.0
• Updated ipython development dependency from 9.6.0 to 9.8.0
• Updated pytest development dependency from 8.4.2 to 9.0.2
• Updated ruff development dependency from 0.13.3 to 0.14.10

⚙️ Internal​

• Updated minimum supported uv package manager version from 0.8.17 to 0.9.3
• Added an internal debugging endpoint that generates a PoP header
• Changed internal PoP check flag from EXCALIBUR_SERVER_HMAC_ENABLED to EXCALIBUR_SERVER_POP_ENABLED
• Changed references to RFC7231 status codes to the latest RFC9110 names (see Starlette #2939):
  • HTTP_413_REQUEST_ENTITY_TOO_LARGE to HTTP_413_CONTENT_TOO_LARGE
  • HTTP_414_REQUEST_URI_TOO_LONG to HTTP_414_URI_TOO_LONG
  • HTTP_416_REQUESTED_RANGE_NOT_SATISFIABLE to HTTP_416_RANGE_NOT_SATISFIABLE
  • HTTP_422_UNPROCESSABLE_ENTITY to HTTP_422_UNPROCESSABLE_CONTENT
• Edited the excalibur test command to allow running specific tests
• Refactored the code in the files subdirectory of the API
• Removed reference to license-files in pyproject.toml