Changelog

What's new

Every shipped change to the Growth.Talent agent platform — API endpoints, CLI commands, MCP server, security fixes. Most recent first.

2026-05-03

feat

Repo README + dedicated docs pages

  • GitHub README replaced — proper front door for /agents, the 3 packages, install path
  • /docs/cli, /docs/mcp, /docs/sdk pages with quickstart, commands, configs
  • Footer 'Developers' column linking docs / API / OpenAPI / changelog
  • Header 'Docs' link alongside 'Agents'
  • Welcome email after admin verification now includes the 60-second CLI quickstart
  • /.well-known/mcp.json discovery manifest
  • /changelog page (this one)

2026-05-02

v1.2.0
feat

OSS quartet — zod, generated OpenAPI, Scalar, MCP server, advisory-lock rate limit

  • zod schemas (api-schemas.ts) — single source of truth for write endpoints
  • OpenAPI 3.1 spec auto-generated from zod via @asteasolutions/zod-to-openapi
  • Scalar API reference at /docs/api replaces hand-coded card grid
  • Postgres advisory lock (pg_advisory_xact_lock) closes rate-limit race
  • @growthtalent/mcp Phase 4 MCP server with 6 tools (search_jobs, get_job, me, list_my_applications, apply_to_job, post_job)
  • @growthtalent/sdk auto-generated TypeScript client via @hey-api/openapi-ts (ESM + CJS + .d.ts)
  • Bruno collection in /bruno/ — 16 requests across Public/, Auth/, Authenticated/
feat

Agent discoverability

  • Custom OG image for /agents
  • FAQPage schema.org JSON-LD on /agents (6 common questions)
  • Sitemap.xml entries for /agents, /docs, /docs/api, /llms.txt, /api/v1, /api/v1/openapi.json
  • /api/v1 root manifest endpoint
  • Homepage hero ribbon, /profile/edit callout, /jobs API hint

2026-05-01

v1.1.0
feat

API polish — me PATCH, jobs PATCH, app detail, CORS, getJobs fix

  • GET /api/v1/me/applications/:id — single application detail
  • PATCH /api/v1/jobs/:slug — companies update or close own jobs
  • PATCH /api/v1/me — profile updates (me:write)
  • CORS Access-Control-Allow-Origin: * on every /api/v1/* route
  • X-RateLimit-Remaining-Minute and -Day headers on every authenticated success
  • OpenAPI: example payloads on /applications and /jobs POST
  • Fixed getJobs() count vs filter mismatch in search path
security

Cron auth hardening

  • /api/cron/cleanup-auth-tables and /api/apify/cron now refuse anonymous requests (require CRON_SECRET or INGEST_API_KEY)
  • Previous pattern silently allowed unauthenticated requests when CRON_SECRET was unset
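
The fail-open pattern described in this entry next to a fail-closed check, as an added example (not Growth.Talent's own code). The Authorization: Bearer header, the function names and the sample secrets in any call are assumptions; only the CRON_SECRET and INGEST_API_KEY variable names come from this page.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical shape for the environment; real code would read process.env.
type Env = Record<string, string | undefined>;

// Constant-time comparison. Hashing first yields equal-length buffers,
// which timingSafeEqual requires.
function safeEqual(a: string, b: string): boolean {
  const ha = createHash("sha256").update(a).digest();
  const hb = createHash("sha256").update(b).digest();
  return timingSafeEqual(ha, hb);
}

// BEFORE (fail-open, reconstructed for illustration): the comparison only
// runs when a secret is configured, so a deployment with CRON_SECRET unset
// accepts every caller, including anonymous ones.
function isAuthorizedFailOpen(authHeader: string | null, env: Env): boolean {
  const secret = env.CRON_SECRET;
  if (secret && authHeader !== `Bearer ${secret}`) return false;
  return true;
}

// AFTER (fail-closed): no configured secret means nobody is authorized.
// Empty-string secrets are treated as unset so "Bearer " can never match.
function isAuthorizedFailClosed(authHeader: string | null, env: Env): boolean {
  const secrets = [env.CRON_SECRET, env.INGEST_API_KEY].filter(
    (s): s is string => typeof s === "string" && s.length > 0,
  );
  if (secrets.length === 0 || authHeader === null) return false;
  if (!authHeader.startsWith("Bearer ")) return false;
  const presented = authHeader.slice("Bearer ".length);

  // Check every configured secret without short-circuiting on a match.
  let ok = false;
  for (const s of secrets) ok = safeEqual(presented, s) || ok;
  return ok;
}
```

A startup check that refuses to boot when neither secret is set catches the misconfiguration before the route is ever reachable.
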
fix

QA pass on Phases 1-3

  • Banned check moved before scope check (no scope info leak)
  • POST /api/v1/jobs returns clean 409 duplicate_slug instead of 500
  • Failed auth now emits api_auth_failed PostHog events with code/status/scope
  • Device-flow 'code not recognized' has actionable copy mentioning 15-min TTL
  • DeviceFlow.userCode duplicate index dropped
  • CLI parses RFC-8628 device-flow error shape via ApiError.oauthError
  • /api/v1/me returns private fields (email, salary, markets, resumeUrl, profileVisibility)
  • Scheduled cleanup cron at /api/cron/cleanup-auth-tables — nightly 04:00 UTC

2026-04-30

v1.0.0
feat

Agent platform Phase 3 — write API + LLM discoverability

  • POST /api/v1/applications (jobs:apply) — agent-driven apply
  • POST /api/v1/jobs (jobs:post) — companies post via API
  • /agents marketing landing with schema.org SoftwareApplication LD-JSON
  • /llms.txt pointer doc
  • robots.txt allows /api/v1/ + Content-Signal directive
  • OpenAPI 3.1 spec at /api/v1/openapi.json
  • CLI v0.2: gt jobs apply, gt jobs post --file, gt jobs post --stdin
feat

Phase 2 — read API + device flow + @growthtalent/cli

  • OAuth 2.0 device-code flow (RFC 8628) — POST /api/v1/auth/device + /poll, browser /auth/device page
  • GET /api/v1/me — whoami with private fields, key info, rate-limit
  • GET /api/v1/me/applications — paginated own applications
  • @growthtalent/cli v0.1: auth login, jobs list/view, me, applications list
feat

Phase 1 — API key foundation

  • ApiKey, ApiKeyUsage, DeviceFlow Prisma models
  • src/lib/api-auth.ts — Bearer + X-API-Key middleware with scope, ban, rate-limit checks
  • src/lib/rate-limit-key.ts — per-key per-scope rolling window via Postgres count()
  • Admin verification gate (Candidate.isVerified) reused as API-key gate
  • /admin/api-keys overview, /settings/api-keys self-serve UI
  • sendApiAccessGrantedEmail Resend template

Want a webhook for new releases? It's on the roadmap. Until then, watch this page or the GitHub commit feed.