Skip to content
← Back to release notes
v0.64.0 stable

Release v0.64.0

Apr 30, 2026

Refreshed auth experience, optional error tracking, accurate audit logs, and a clutch fix for MFA setup.

Added

  • Unified sign-in / create-account page at /auth so users coming back from an OAuth flow with no session land on a clear next step instead of a dead end.
  • Shared password input with a show/hide toggle and a four-segment strength meter, used across reset password, accept invite, and partner registration.
  • Optional error tracking — opt in by setting a DSN, get unhandled errors plus on-error session replay with aggressive masking of text, inputs, URLs, IDs, cookies, headers, and request bodies. Self-hosters get zero telemetry by default.
  • MCP activation flow that flips a partner to active once payment is attached, with a polished landing page that recognizes the agent flow and points users back to their AI agent when they finish.

Improved

  • Email templates (activation, invite, transactional) now share a single branded layout so every message Breeze sends has consistent typography, spacing, and buttons.

Fixed

  • Adding multi-factor authentication was completely broken — every attempt errored out with a generic message. The web client now sends the current password the server has been requiring, so MFA setup, enable, and disable all work again.
  • Audit logs were recording the internal proxy IP for every action instead of the real client IP, breaking abuse investigation and login anomaly review. The platform now reads the trusted Cloudflare-provided client IP across all 22 audit and security call sites.
  • Reset password and accept invite were silently succeeding without actually changing anything — a database access context bug caused the underlying update to match zero rows while the API returned success.

A meaningful auth release. The unified /auth page closes a long-standing dead-end where users coming back from OAuth with no session had nowhere to go, and the shared password components give every account flow the same polished feel. The MFA fix is the most urgent piece — production users have been unable to enable MFA since the security audit hardened the API, and that’s now resolved.

On the operations side, audit logs now show the real source IP for every event instead of the proxy address, which makes login anomaly review and abuse investigation actually useful. And if you want browser-side error tracking, a single environment variable turns it on with privacy defaults that scrub everything tenant-specific before anything leaves the browser.