0.6.0

Welcome to Excalibur 0.6.0! This release brings significant security improvements, numerous bug fixes, and performance improvements. Here are some of the highlights:

• New Authentication Protocol: Excalibur now uses the state-of-the-art Augmented Password-based Authenticated Key Exchange (aPAKE) protocol OPAQUE-3DH as the default authentication protocol instead of the legacy Secure Remote Password (SRP) protocol.
• Database-Backed Filesystem: Excalibur moved away from relying on operating-system file management to a database-backed filesystem for a more "logical" organization of files and folders.
• File Name Obfuscation: File and folder names can now be obfuscated to the server and other users for enhanced privacy.
• More Sorting Options: Added more sorting options for the file explorer page, including file size, file type, and creation time.

The Excalibur documentation website was also updated in this release.

Do note that there are several breaking changes to Excalibur in this version. Please follow the 0.6 upgrade guide to upgrade your Excalibur instance to version 0.6. Do also take note of all the breaking changes made to the server API if you are using it.

Read all about the changes to Excalibur below. Enjoy!

App

🔒️ Security

• 🔒️ Overridden version minima of dependencies in pnpm-workspace.yaml to address security vulnerabilities:
  • CVE-2026-34601, CVE-2026-41674, CVE-2026-41675, CVE-2026-41672, CVE-2026-41673: @xmldom/xmldom to 0.8.13

✨ New Features

• ✨ Implemented the OPAQUE-3DH protocol to replace the Secure Remote Password (SRP) protocol for increased security

• ✨ Implemented obfuscation of file and folder names

  • That is, file and folder names would appear to be obfuscated to the server and to other users
  • Names are obfuscated using a key derived from the vault key
  • New users can toggle this feature while signing up
  • This feature is disabled by default for existing users, but can be enabled in the "server settings" submenu

• ✨ Added more sorting options for the file explorer page:

  • File size
  • File type
  • Creation time

• ✨ Added creation times to file and folder listings

• 💄 Added a new server settings submenu that contains the server vault key

🔄 Changes

• 🔄 Changed default login protocol from Secure Remote Password (SRP) to OPAQUE-3DH

  • Old accounts can still log in using SRP
  • An option to upgrade to OPAQUE-3DH will be shown when logging in with SRP

• 🔄 Changed default registration protocol from Secure Remote Password (SRP) to OPAQUE-3DH

• 🚸 Updated registration flow so that users are automatically logged in after registration

• 🚸 Made the file change listener attempt to reconnect to the server upon initial disconnect

• 💄 Split up settings page's contents into multiple subpages for cleaner navigation

• 💄 Made the scrollbar for the file explorer breadcrumbs look nicer

• 💄 Updated file explorer interface to display the file listener status (i.e., connected or disconnected)

• 💄 Added current running Excalibur version to update dialog (to allow comparing with the latest release version)

• ⚰️ Removed vault key dialog

  • The vault key is now shown in the server settings submenu

🐛 Bug Fixes

• 🐛 Fixed an issue where the login page still shows the user being logged in even though they are not

🗑️ Deprecations

• 🗑️ Deprecated Secure Remote Password (SRP) related code
  • Code will be removed in a future update

♻️ Code Refactoring

• 🚚 Renamed lib/security to lib/auth in the main package

⬆️ Dependencies

• 🔒️ Added minimum age that dependencies need to be released before accepting updates

• ➕ Added mime dependency

• ➕ Added seedrandom dependency (and @types/seedrandom as a development dependency)

• ➖ Removed @vitejs/plugin-legacy dependency

• ⬆️ Updated Ionic dependencies:

  • @ionic/core from 8.8.2 to 8.8.6
  • @ionic/react from 8.8.2 to 8.8.6
  • @ionic/react-router from 8.8.2 to 8.8.6

• ⬆️ Updated Vite dependencies:

  • vite from 7.3.1 to 8.0.12
  • vite-plugin-node-polyfills from 0.25.0 to 0.26.0
  • vitest from 4.1.2 to 4.1.5
  • @vitejs/plugin-react from 5.1.4 to 6.0.1

• ⬆️ Updated Capacitor dependencies:

  • @capacitor/android from 8.2.0 to 8.3.3
  • @capacitor/app from 8.0.1 to 8.1.0
  • @capacitor/core from 8.2.0 to 8.3.3
  • @capacitor/cli from 8.2.0 to 8.3.3
  • @capacitor/keyboard from 8.0.2 to 8.0.3

• ⬆️ Updated Electron dependencies:

  • electron from 39.2.7 to 41.5.1
  • electron-vite from 5.0.0 to 6.0.0-beta.1

• ⬆️ Updated TailwindCSS dependencies:

  • tailwindcss from 4.2.1 to 4.3.0
  • @tailwindcss/vite from 4.2.1 to 4.3.0

• ⬆️ Updated React dependencies:

  • react from 19.2.4 to 19.2.5
  • react-dom from 19.2.4 to 19.2.5

• ⬆️ Updated immer from 11.1.4 to 11.1.8

• ⬆️ Updated baseline-browser-mapping from 2.10.7 to 2.10.29

• 📌 Pinned typescript development dependency version to 5.x.x (currently 5.9.3)

• ⬆️ Updated ESLint development dependencies:

  • eslint from 9.39.3 to 9.39.4
  • @eslint/js from 9.39.2 to 9.39.4
  • eslint-plugin-chai-friendly from 1.1.0 to 1.2.0
  • eslint-plugin-cypress from 6.1.0 to 6.4.1
  • eslint-plugin-react-hooks from 7.0.1 to 7.1.1
  • typescript-eslint from 8.56.1 to 8.59.2

• ⬆️ Updated Prettier development dependencies:

  • prettier from 3.8.1 to 3.8.3
  • prettier-plugin-tailwindcss from 0.7.2 to 0.8.0

• ⬆️ Updated globals development dependency from 17.4.0 to 17.6.0

• ⬆️ Updated lint-staged development dependency from 16.3.3 to 16.4.0

• ⬆️ Updated start-server-and-test development dependency from 2.1.5 to 3.0.4

• ⬆️ Updated cypress development dependency from 15.11.0 to 15.14.2

• ⬆️ Updated @types/node development dependency from 25.5.0 to 25.6.2

🧹 Miscellaneous

• 🔨 Added a new update_deps.py script to automate the generation of dependency updates' news fragments
• 🧹 Moved MIME type determination into client (instead of being on the server)
• 🧹 Configured some E2E tests to not run other tests in the suite if any one of the tests fails
• 🧹 Added more Cypress end-to-end tests:
  • Item renaming
  • Item deletion
• 🧹 Split the tests that were originally in crud.cy.ts into multiple files for more modular testing
• 🧹 Migrated the android FolderOpenerPlugin to Kotlin
• 🧹 Updated .browserslistrc to Ionic v8 versions
• 🧹 Updated GitHub action android-actions/setup-android to v4
• 🧹 Updated GitHub action pnpm/action-setup to v5

Server

💥 Breaking Changes

• 💥 Changed CLI options for the start command:

  • Renamed --enable-cors/--disable-cors to --enable-cors-validation/--no-cors-validation (since --disable-cors was misleading)

• 💥 Added a new option --auth-protocol to the excalibur user add command

  • It defaults to the new OPAQUE authentication mechanism (OPAQUE-3DH)
  • For SRP compatibility, use --auth-protocol=SRP

• 💥 The File type no longer returns a mimetype value; it is up to the client to derive the MIME type of the file. This affects the following endpoints:

  • /api/files/search (which returns a list of file-score pairs)
  • /api/files/list/{path} (which returns a list of files or directories)

• 💥 Certain endpoints' response content have been removed as their response codes sufficiently indicate the success/failure of the operation. In particular, these endpoints now no longer return any content for the 200 OK status code:

  • /api/files/move (previously returned Item Moved)
  • /api/files/mkdir/{path} (previously returned Directory created)
  • /api/files/rename/{path} (previously returned Item renamed)
  • /api/files/upload/{path} (previously returned File uploaded)

• 💥 We will now use uv's 0.10.x series to build and install the server package, updating the minimum version from 0.9.30 in pyproject.toml and GitHub actions to 0.10.9

✨ New Features

• ✨ Implemented the OPAQUE-3DH protocol to replace the Secure Remote Password (SRP) protocol

  • Added a new registration endpoint (/api/auth/opaque/register) to handle OPAQUE registration flows
    • This endpoint also allows existing users using SRP to upgrade to OPAQUE
  • Added a new login endpoint (/api/auth/opaque) to handle OPAQUE login flows

• ✨ Implemented a new database-backed file management system, moving away from relying on operating-system file management

  • Folders are now "logical" and not tied to actual directories on the filesystem
  • Files' names are now stored in the database instead of on the filesystem
  • Files are now stored in a single directory on the filesystem, with their database ID as the filename

• ✨ Added new endpoints to get and edit additional user info (/api/users/info/{username} and /api/users/edit-info/{username} respectively)

  • These additional user info are used solely by the client; the server does not use them

• ✨ Added a new endpoint (/api/files/all) to get all files and folders in the user's file system

• ✨ Added a new backup command to the CLI (excalibur backup)

• ✨ Made responses return X-Content-Type-Options and X-Frame-Options headers

  • The values are X-Content-Type-Options: nosniff and X-Frame-Options: DENY

🔄 Changes

• 🗃️ Modified the Excalibur database:

  • Modified the User table:
    • Added auth_protocol, additional_info, and registration_record fields
    • Made srp_group, srp_salt, and srp_verifier fields optional (since they are not used for the OPAQUE-3DH protocol)
  • Added the FSItem table

• 🗃️ Added authentication protocol information (auth_protocol) to be returned by the security details endpoint (/api/users/security/{username})

• 🗃️ The File and Directory types now return a creation_time field representing the creation timestamp of the item. This affects the following endpoints:

  • /api/files/search (which returns a list of file-score pairs)
  • /api/files/list/{path} (which returns a list of files or directories)

• 🗑️ The following endpoints no longer return the corresponding response codes:

  • /api/files/download/{path}: Removed 406 Not Acceptable, corresponding to an "Illegal or invalid path"
  • /api/files/upload/{path}: Removed
    • 406 Not Acceptable, corresponding to an "Illegal or invalid path"
    • 414 URI Too Long, corresponding to a file path that is too long
  • /api/files/mkdir/{path}: Removed
    • 406 Not Acceptable, corresponding to an "Illegal or invalid path"
    • 414 URI Too Long, corresponding to a directory path that is too long
  • /api/files/list/{path}: Removed 406 Not Acceptable, corresponding to an "Illegal or invalid path"
  • /api/files/check/path/{path}: Removed
    • 406 Not Acceptable, corresponding to an "Illegal or invalid path"
    • 414 URI Too Long, corresponding to a directory path that is too long
  • /api/files/check/dir/{path}: Removed 406 Not Acceptable, corresponding to an "Illegal or invalid path"
  • /api/files/delete/{path}: Removed 406 Not Acceptable, corresponding to an "Illegal or invalid path"
  • /api/files/move/{path}: Removed
    • 406 Not Acceptable, corresponding to an "Illegal or invalid path"
    • 414 URI Too Long, corresponding to a path that is too long
  • /api/files/rename/{path}: Removed
    • 406 Not Acceptable, corresponding to an "Illegal or invalid path", replacing it with 400 Bad Request corresponding to an "Illegal or invalid name"
    • 414 URI Too Long, corresponding to a path that is too long

  The documentation has been updated to reflect these changes.

• 🧹 Subdirectories returned by /api/files/list/{path} will no longer have items returned

  • Previously, any subdirectories' items field would be set to null. Now the field is omitted entirely

🐛 Bug Fixes

• 🐛 Fixed a bug where unbounded timestamps in the future were allowed as timestamps during the Proof-of-Possession (PoP) validation process

  • Now only timestamps within the configured tolerance are allowed

• 🐛 Fixed wrong exception being returned if the WebSocket credentials are incorrect

• 🐛 Fixed certain CLI commands (i.e., excalibur db ui and excalibur test) returning incorrect error codes

• 🐛 Fixed an issue where multiple file listener connections with the same communications UUID from the authentication token would override each other, causing all non-latest connections to not receive any updates from the server

• 🐛 Fixed a bug where returning nothing in some endpoints gives "Response content shorter than Content-Length" internal server errors

• ✏️ Fixed typo in the add user endpoint documentation.

🗑️ Deprecations

• 🔥 Removed old operating-system file management code

  • Please migrate to the new system using the excalibur db migrate-files command

• 🗑️ Deprecated Secure Remote Password (SRP) related code

  • Users can still register and log in with SRP, but it is recommended to use OPAQUE-3DH instead
  • Endpoints and code relating to SRP will be removed in a future update

⬆️ Dependencies

• 🔒️ Added minimum age that dependencies need to be released before accepting updates

• ➖ Removed watchdog dependency

• ⬆️ Updated fastapi from 0.135.2 to 0.136.1

• ⬆️ Updated gitpython from 3.1.46 to 3.1.50

• ⬆️ Updated packaging from 26.0 to 26.2

• ⬆️ Updated pydantic from 2.12.5 to 2.13.4

• ⬆️ Updated pydantic-settings from 2.13.1 to 2.14.1

• ⬆️ Updated tomlkit from 0.14.0 to 0.15.0

• ⬆️ Updated typer from 0.24.1 to 0.25.1

• ⬆️ Updated uvicorn from 0.41.0 to 0.46.0

• ⬆️ Updated ipython development dependency from 9.10.0 to 9.10.1

• ⬆️ Updated pytest development dependency from 9.0.2 to 9.0.3

• ⬆️ Updated rapidfuzz dependency from 3.14.3 to 3.14.5

• ⬆️ Updated ruff development dependency from 0.15.6 to 0.15.12

• ⬆️ Updated sqlmodel dependency from 0.0.37 to 0.0.38

🧹 Miscellaneous

• 🧹 Changed the scheme name of the HTTPBearer instance from "SRP-Identity" to "Auth-Identity".
• 🧑‍💻 Added an option to return the ACK as a string for the debug /api/auth/ack endpoint (as_string=true)
• 🔨 Added a new update_deps.py script to automate the generation of dependency updates' news fragments
• 🧹 Fixed bug in the internal _add_new_field() function present in the excalibur config update command