chore: Add v8.5.3 release notes to CHANGELOG

Josh Bendson · Josh Bendson · commit 9171e018abb8 · 2026-01-19T10:41:12.000-06:00
Documents changes since v8.5.2: - Hybrid authentication for web UI endpoints (PR #730) - CSRF token handling fixes (PR #729) - Callback-based delegation job completion (Story #720) - Server stability improvements (Epic #733) This commit prepares for creating the v8.5.3 git tag, which will enable pipx installation at this version.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,68 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [8.5.3] - 2026-01-19
+
+### Fixed
+
+#### Hybrid Authentication for Web UI Endpoints
+
+**Issue**: The golden repo index management endpoint (`/api/admin/golden-repos/{alias}/indexes`) only supported token-based authentication (JWT/API keys). Web UI uses session-based authentication (cookies + CSRF tokens), causing "Missing authentication credentials" errors when attempting to add indexes via the web interface.
+
+**Root Cause**: Authentication dependency checked for Bearer tokens only, not session cookies.
+
+**Solution**: Implemented hybrid authentication that tries both methods:
+1. Session-based auth first (for web UI users)
+2. Token-based auth as fallback (for API clients)
+
+**Changes**:
+- Added `get_current_admin_user_hybrid()` and `get_current_user_hybrid()` to dependencies.py
+- Fixed session attribute check (`session.role` instead of `session.is_admin`)
+- Fixed session cookie name (use `SESSION_COOKIE_NAME` constant)
+- Applied hybrid auth to golden repo index endpoint and job status endpoint
+- Added comprehensive Playwright-based testing
+
+**Impact**: Web UI can now successfully call admin endpoints using session authentication while maintaining full API client compatibility.
+
+**Related Commits**: 8a46162, e6fc9f6, 0b33e36, 94fe373, d38332c, 11bbff9
+
+#### CSRF Token Handling in HTMX Partials
+
+**Issue**: Auto-discovery HTMX partial responses weren't properly passing CSRF tokens, causing validation failures.
+
+**Solution**:
+- Fixed CSRF token extraction from cookies in detail endpoints
+- Set CSRF cookie in partial response builders
+- Pass CSRF token to auto-discovery HTMX partials
+
+**Related Commits**: e354533, 2fd98c6, 202f912
+
+### Added
+
+#### Callback-Based Delegation Job Completion
+
+**Feature**: Delegation functions can now use callback URLs for asynchronous job completion instead of polling.
+
+**Implementation**:
+- Poll handler extracts results from conversation API
+- Enhanced delegation job tracking
+- Comprehensive delegation functions documentation
+
+**Related Commits**: ccaed58, 92a94b5
+
+### Changed
+
+#### Server Stability and Technical Debt Cleanup
+
+**Epic #733**: General server stability improvements and technical debt reduction.
+
+**Improvements**:
+- Fixed missing server config module (was excluded by gitignore)
+- Fixed missing mocks in temporal indexer tests
+- Linting and formatting fixes
+
+**Related Commits**: 642c182, a81e0b1, de5eb22, 711f501
+
 ## [8.4.46] - 2025-12-28
 
 ### Enhanced
