⚠️ 注意事项：本次更新引入了全新的令牌架构，会导致旧版所有授权失效。升级后您需要对所有客户端设备进行重新授权。
⚠️ Note: This update introduces a new token structure, which will cause all authorizations in the old version to become invalid. You will need to reauthorize all client devices after the upgrade.

🔐 核心更新：全新有状态令牌权限系统

🔐 Core update: New stateful token permission system

本次版本重构了底层的安全架构，从单一 无状态令牌 升级为 有状态多维度（协议、客户端、功能） 效验令牌：
This version reconstructs the underlying security architecture, upgrading from a single stateless token to a stateful multi-dimensional (protocol, client, function) validation token:

• 多维度校验：
• Multi-dimensional verification:
  • 协议控制：支持对 REST API、WebSocket、MCP 等不同访问协议及场景进行独立授权与限制。
  • Protocol Control: Supports independent authorization and restrictions on different access protocols and scenarios such as REST API, WebSocket, MCP, etc.
  • 客户端限制：支持通过通配符绑定特定设备（如 obsidian*），实现“一机一令”。
  • Client restrictions: Support binding specific devices (such as obsidian*) through wildcards to achieve "one machine, one command".
  • 内容控制：细化至笔记读写 (note_r/w)、附件管理 (file_r/w)、系统配置 (config_r/w) 等原子级权限。
  • Content Control: Refined to atomic-level permissions such as note reading and writing (note_r/w), attachment management (file_r/w), system configuration (config_r/w), etc.
• 世代校验与令牌轮转 (Rotation)：
• Generation Verification and Token Rotation:
  • 引入 Nonce 世代机制。令牌在泄露风险时可以进行轮转操作，旧世代令牌将立即失效，有效防范令牌被盗用的风险。
  • Introduced Nonce generation mechanism. Tokens can be rotated when there is a risk of leakage, and old generation tokens will immediately become invalid, effectively preventing the risk of token theft.
• 动态环境绑定：
• Dynamic Environment Binding:
  • 支持对令牌进行 IP 地址 和 User-Agent 的静态或通配符绑定，用于在非安全环境下限制令牌使用行为。
  • Supports static or wildcard binding of IP address and User-Agent to tokens to limit token usage in non-secure environments.
• 令牌访问统计：
• Token Access Statistics:
  • 服务端将会记录所有令牌的访问行为，支持实时监控各令牌的调用协议、来源 IP 及客户端版本。
  • The server will record the access behavior of all tokens and support real-time monitoring of the calling protocol, source IP and client version of each token.

✨ 其他新功能

✨ Other new features

• 备份任务密码设置：全量与增量备份任务新增灵活的备份包加密策略，支持“不设密码、手动固定密码、系统随机密码”三种配置模式，显着提升备份数据的存储安全性。
• Backup task password setting: A new flexible backup package encryption strategy is added for full and incremental backup tasks, supporting three configuration modes of "no password, manual fixed password, and system random password", significantly improving the storage security of backup data.

🛠 修复

🛠 Fix

• 云存储适配：升级阿里云 OSS v2 驱动，修复存储配置连接测试失败及区域识别问题。
• Cloud Storage Adaptation: Upgrade Alibaba Cloud OSS v2 driver to fix storage configuration connection test failure and region identification issues.

⚡️ 优化与性能

⚡️ Optimization and performance

• 文件处理优化：调整哈希计算阈值为 10MB；通过延迟创建目录减少文件系统 I/O 开销。
• File processing optimization: Adjust hash calculation threshold to 10MB; reduce file system I/O overhead by delaying directory creation.

💄 其他/体验

💄 Other/Experience

• 协议标准化：所有 WebSocket 返回消息强制包含 vault 字段，确保多库同步状态的一致性。
• Protocol Standardization: All WebSocket return messages are forced to contain the vault field to ensure the consistency of multi-database synchronization status.
• 安全加固：备份历史记录中的敏感密码字段默认开启掩码处理，支持手动解密查看。
• Security hardening: Sensitive password fields in backup history are masked by default and support manual decryption and viewing.