MUTX v1.4.0 — The Substrate Release#

192 commits · 8 days · April 2–9, 2026

v1.3.0 made MUTX behave like a real operator lane. v1.4.0 makes it survive production.

This release is about boring, high-leverage infrastructure: a self-hosted docs platform replacing GitBook, RBAC enforcement closing the last auth gaps, an OIDC token validation layer, a production-grade Kubernetes Helm chart, 20 SDK contract test modules, an autonomous development lane subsystem, and enough security hardening to matter.

The platform went from "has the features" to "you can actually run this in an enterprise."

Highlights#

1. Self-Hosted Documentation Platform (58 commits)#

Killed the GitBook dependency. Built a complete /docs system into the Next.js app with:

• Markdown rendering via remark→rehype pipeline with GitBook dark theme
• Sidebar navigation with auto-expand, depth-aware items, and chevron indicators
• Breadcrumbs with pathname-based ancestor matching
• Prev/next navigation wired from SUMMARY.md order
• Full-text search with Cmd+K modal and DOM-native indexing
• Right-rail Table of Contents
• GitBook {% hint %} blocks rendered as styled callouts
• data-view=card tables transformed into styled card grids
• Code copy buttons, light/dark theme switcher
• Mobile sidebar with toggle and close-on-nav
• WCAG contrast fixes, scroll-margin for anchor navigation
• 14 previously orphaned pages wired into SUMMARY.md

2. Autonomous Development Lane (25 commits)#

New always-on autonomy substrate that feeds tasks from GitHub issues, dispatches work across git worktrees, and reconciles PRs automatically:

• Issue-fed autonomy queue with malformed body rejection
• Worktree-based task dispatching
• Auto-reconciliation of safe PRs
• Auto-resume when usage limits reset
• Fleet task prioritization by signal strength
• Stale task recycling with evidence-change gating
• Guild-style run artifact schema and provenance capture
• OSS attribution ledger for external feature ports
• SDK error handling across 5 modules (agents, security, assistant, budgets, deployments)
• Daemon runtime and queue recovery hardening

3. Kubernetes / Helm Chart (NEW — 23 files, ~1,725 lines)#

Production-grade Helm chart at infrastructure/helm/mutx/:

• Component-specific templates: API, Web, OTel Collector, Redis, Postgres, Ingress, HPA, Secrets, ServiceAccount
• values.yaml with sensible dev defaults
• values.prod.yaml — HA replicas, topology spread, PDBs, managed DB disabled
• values.staging.yaml — middle ground overlay
• Ingress routes /v1/* + probes to API, /* to web, TLS per-host
• OTel Collector config fully templated with configOverride escape hatch
• Secrets auto-generate JWT_SECRET and SECRET_ENCRYPTION_KEY if unset
• Helm test pod for smoke validation
• helm lint clean, 14 resources rendered

4. RBAC Enforcement + OIDC Token Validation (9 commits)#

The council called these out as gaps. Both are now closed:

RBAC:

• Enforced require_role() on approvals (DEVELOPER/ADMIN), security (ADMIN), policies (ADMIN), and audit (ADMIN/AUDIT_ADMIN) routes
• Removed the permissive "allow any authenticated user through" bypass
• Admin-role gates applied at router level via FastAPI dependencies

OIDC:

• New src/api/auth/oidc.py — JWKS fetcher with 1-hour TTL cache, JWT signature validation, iss/aud/exp claim checks
• Configured via OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_JWKS_URI environment variables
• Ready for any OIDC-compliant IdP (Okta, Auth0, Azure AD, Keycloak)

5. SDK Contract Test Suite (30 commits)#

20 new pytest contract test modules covering every SDK surface:

agents · analytics · assistant · budgets · deployments · governance_credentials · governance_supervision · ingest · leads · newsletter · observability · onboarding · runtime · scheduler · security · sessions · swarm · templates · usage · approvals

Plus gap scanner signals and homepage smoke test stabilization (7 commits relaxing assertions, supporting both landing variants, reducing fold assumptions).

6. Landing Page + Contact Page Redesign (24 commits)#

Landing page: Below-hero redesign with refined motion and handoff animations, recomposed example cards, terminal failure scenes, replaced copied media with MUTX-native art, responsive audit polish, removed dead state and unused components.

Contact page: Dedicated hero layout with 2-col desktop grid, mobile-first stacking, new call-me hero image, full-width CTAs.

7. Security Hardening (9 commits)#

• Enforced verified email on authenticated token access
• Okta JWKS keys endpoint for token verification
• Restored legacy pbkdf2 password verification
• Honored env-file JWT secret in startup validation
• Removed fixed JWT secret defaults from demo config
• Hardened local bootstrap against forwarded header spoofing
• Required auth for self-heal webhook
• Prevented rate limit bypass via spoofed API key headers
• Removed third-party Calendly widget injection
• Enforced TLS for PostgreSQL connections
• Frontend container runs as non-root user

8. Adapter Hardening#

• CrewAI: Replaced hardcoded api_key="" with MUTX_API_KEY env var fallback + ValueError guard
• LangChain: Replaced stub stream_events() with real async generator — deque buffer, callback monkey-patching, background asyncio task, emitting llm_start/end, tool_start/end, agent_action/finish events

By the Numbers#

Contributors#

Fortune (111) · Proactive Coder (58) · CIPHER (22) · dependabot (1)

Upgrade Notes#

New Environment Variables#

# OIDC Token Validation (optional — enable when connecting an external IdP)
OIDC_ISSUER=
OIDC_CLIENT_ID=
OIDC_JWKS_URI=

# CrewAI Adapter (required if using run_crew())
MUTX_API_KEY=***
# Kubernetes / Helm
# See infrastructure/helm/mutx/values.yaml for full reference

Breaking Changes#

• RBAC is now enforced. Routes under /audit/*, /security/*, /policies/*, and /approvals/* now require specific roles. If you have test fixtures or service accounts that relied on open access, update them with appropriate roles.
• CrewAI run_crew() no longer accepts an empty API key silently. Set MUTX_API_KEY or pass api_key explicitly.

Helm Deployment#

# Dev (single replica, minimal resources)
helm install mutx infrastructure/helm/mutx/

# Production (HA, HPA, managed DB)
helm install mutx infrastructure/helm/mutx/ -f infrastructure/helm/mutx/values.prod.yaml

# Staging
helm install mutx infrastructure/helm/mutx/ -f infrastructure/helm/mutx/values.staging.yaml

Full Commit History#

192 commits since v1.3.0. See the compare view for the complete diff.

What's Next#

The substrate is real. What comes after:

• PVC templates for Helm chart persistence (Redis/Postgres)
• Dynamic role management (currently hardcoded ADMIN, AUDIT_ADMIN, DEVELOPER)
• Full OAuth2 authorization code flow (OIDC is token-validation only right now)
• Adapter integration tests with live framework instances
• Approval escalation routing with notification channels

Supported in v1.4.0#

These are the surfaces we consider part of the shipped release:

• mutx.dev
• mutx.dev/download
• mutx.dev/releases
• docs.mutx.dev (now self-hosted)
• the signed macOS app downloaded from the public release lane
• app.mutx.dev/dashboard for stable browser operator routes
• the CLI install path via curl -fsSL https://mutx.dev/install.sh | bash
• Kubernetes/Helm deployment via infrastructure/helm/mutx/

Still preview#

These surfaces are still not presented as fully stable in v1.4.0:

• app.mutx.dev/control/*
• preview-labeled dashboard areas that are intentionally outside the stable operator lane
• backend capabilities whose live runtime contract is still gated or incomplete

Artifact and release sources#

• Download: https://mutx.dev/download
• Release summary: https://mutx.dev/releases
• Docs release note: https://docs.mutx.dev/docs/v1.4
• GitHub release: https://github.com/mutx-dev/mutx-dev/releases/tag/v1.4.0
• Stable dashboard entry: https://app.mutx.dev/dashboard

Previous release: v1.3.0 Release Notes