Back to docs

What's new in Mnueron Meet

Public changelog. Each release lists the customer-facing change and the developer details side-by-side, so business reviewers and engineers reading the same line agree on what shipped.

Security architecture Getting startedBuild & extend

Security Option C — AWS KMS envelope encryption (operator opt-in)

June 2, 2026SecurityEnterpriseFIPS

For business

Mnueron now supports FIPS 140-2 Level 3 certified encryption for stored credentials, backed by AWS KMS. Per-row Data Encryption Keys, envelope encryption, and full CloudTrail audit on every key operation.

  • Operator enables it per-deployment with two env vars; mixed-mode reads supported so legacy rows keep working.
  • Per-org migration runs with one command: npm run migrate:org-to-kms (idempotent + dry-run mode).
  • Cost: ~$1/month for the operator KMS key + ~$0.03 per 10k decrypt calls.
  • Unlocks healthcare-with-BAA, banking, and federal procurement conversations that were previously blocked.
  • BYOK (customer-managed keys) schema is in place — UI ships when a customer asks for it.

For developers

  • supabase/migrations/058_org_secrets_envelope.sql (encryption_mode + encrypted_dek + iv + kms_key_id)
  • src/lib/secrets/kms.ts (@aws-sdk/client-kms GenerateDataKey + Decrypt)
  • src/lib/secrets/envelope.ts (AES-256-GCM, 12B IV, 16B auth tag)
  • src/lib/secrets/db.ts (dispatch on row.encryption_mode at read; flag at write)
  • scripts/migrate-org-to-kms.mjs (per-org, idempotent, DRY_RUN supported)

Env required to enable: MNUERON_KMS_ENABLED=true, AWS_KMS_KEY_ID=<arn>, AWS_REGION, plus AWS credentials. Without them, the pgcrypto path stays active — no breakage.

See Security architecture for the envelope flow diagram.

Three meeting connectors — Fathom, Zoom AI Companion, Microsoft Teams

June 2, 2026MeetIntegrationsEnterprise

For business

Mnueron Meet now talks to the four most-used meeting tools: Granola (already shipped), plus Fathom, Zoom + AI Companion, and Microsoft Teams. Each lands as a configurable source on the integrations page. Transcripts flow into the same pipeline (decisions, action items, REQ/JIRA/Doc extraction, AI Summary).

  • Fathom: webhook-based, signed via HMAC-SHA256, REST poll backup.
  • Zoom: OAuth 2.0, AI Companion summary preferred, VTT transcript fallback, recordings list polling backup.
  • Microsoft Teams: Entra ID OAuth, Graph Change Notifications, transcripts via Graph API, calendar events backup poll.

For developers

  • src/lib/meet/plugins/fathom.ts (~140 lines)
  • src/lib/meet/plugins/zoom.ts (~280 lines incl. OAuth refresh)
  • src/lib/meet/plugins/teams.ts (~280 lines incl. Graph helpers)
  • src/app/api/integrations/meet/{fathom,zoom,teams}/webhook/route.ts (signed POST + URL validation handshakes)
  • src/lib/meet/registry.ts (all three registered)

Env required for Zoom + Teams: ZOOM_CLIENT_ID/SECRET, MS_TEAMS_CLIENT_ID/SECRET. Fathom uses per-source API key only.

OAuth callback UIs + per-vendor install pages come per customer onboard — the plugin contract is stable so adding them is template work.

AI Summary card — fix JSON-wrapped synopsis rendering

June 2, 2026FixMeet

For business

The AI Summary card was showing raw JSON ({"summary":"..."}) instead of the markdown body inside. Now extracts the synopsis cleanly and renders prose + bullets correctly. Existing meetings can be backfilled with one SQL statement or by clicking Regenerate on each card.

For developers

  • src/lib/meet/extractors/index.ts (extractSynopsisFromResponse handles synopsis/summary/markdown/text fields + unescapes \n)
  • summarizeMeeting prompt now specifies {"synopsis": "<markdown>"} contract
  • src/app/dashboard/meetings/SummaryBody.tsx (line-by-line walker so prose + bullets in one block render correctly)

Backfill query for legacy rows:

UPDATE meetings SET synopsis_md = COALESCE(
  synopsis_md::jsonb->>'synopsis',
  synopsis_md::jsonb->>'summary',
  synopsis_md)
WHERE synopsis_md LIKE '{"%';

Security Option B — audit log, rotation procedure, CI scanner

June 2, 2026SecurityCompliance

For business

Mnueron now ships every credential read with an audit row. Reviewers asking "who used the OpenAI key, when, and from where?"get a real answer — not a hand-wave.

  • Append-only audit trail of every key decryption.
  • Documented rotation procedure with a tested SQL template.
  • CI scanner blocks PRs that try to commit API-key shapes.
  • Inline guidance nudges users toward scoped + IP-restricted keys.
  • Honest gap doc in /docs/meet/security for procurement reviews.

Net effect: most public-company InfoSec reviews now pass at this tier without a custom contract.

For developers

Files touched:

  • supabase/migrations/057_secret_access_log.sql
  • src/lib/secrets/db.ts (resolveSecretAdmin now writes one audit row per call)
  • src/lib/meet/pipeline.ts + src/app/api/meetings/[id]/regenerate-summary/route.ts (pass route + user_id ctx)
  • scripts/rotate-encryption-key.sql (rotation template)
  • .github/workflows/secret-scan.yml + .gitleaks.toml
  • src/app/docs/meet/security/page.tsx ("what we don't have yet" section)
  • src/app/account-settings/keys/page.tsx (vendor-best-practice copy)

To verify: npm run db:push, thenSELECT count(*) FROM secret_access_log;. Exercise the AI Summary; the count should bump.

Bring-your-own API keys — settings hub at /account-settings/keys

June 2, 2026AISettings

For business

Workspaces can now plug in their own OpenAI / Anthropic / Granola credentials from a single hub. The AI Summary card, decision extractor, and project classifier all use the org's key when set — falling back to the platform key only when no org-level key exists.

  • One panel for all AI + vendor credentials.
  • Show/hide eye toggle, masked previews (…wxyz), test buttons.
  • Status badges: Verified · Set but not tested · Test failed · Not set.
  • Each key has a help link to the provider's key-generation flow.
  • For customers: bill against your own provider account, audit your usage directly with your provider, rotate at your own cadence.

For developers

Schema + helpers + endpoints + UI:

  • supabase/migrations/056_org_secrets.sql (RLS-scoped, pgp_sym_encrypt)
  • src/lib/secrets/db.ts — listOrgSecrets / putOrgSecret / deleteOrgSecret / resolveSecretAdmin
  • src/app/api/account/secrets/route.ts (GET, PUT)
  • src/app/api/account/secrets/[kind]/route.ts (DELETE)
  • src/app/api/account/secrets/[kind]/test/route.ts (probe upstream)
  • src/app/account-settings/keys/page.tsx + SecretCard.tsx

Resolution order at the LLM call site: orgSecretFromDb → process.env.OPENAI_API_KEY → null.

Encryption uses pgp_sym_encrypt withARCHIVE_ENC_KEY (env). Decrypted values exist only in memory during the LLM call and are never logged. SeeSecurity for the full secret lifecycle diagram.

AI Summary card — per-meeting LLM synopsis

June 2, 2026AIMeet

For business

Each meeting in Mnueron Meet now shows a 2-3 sentence narrative summary plus a bullet rollup of the most important decisions / blockers / action items — generated by an LLM at ingest time, regenerable on demand.

  • Falls back to the raw source summary when no synopsis exists yet.
  • "Generate summary" / "Regenerate" button on the meeting detail page.
  • Stamped with a generated-at timestamp so users see freshness.
  • Cost: about $0.0002 per meeting via gpt-4o-mini.

For developers

  • supabase/migrations/055_meeting_synopsis.sql
  • src/lib/meet/extractors/index.ts — summarizeMeeting() with LlmKeyOverrides
  • src/lib/meet/pipeline.ts step 6.5 (auto on ingest)
  • src/app/api/meetings/[id]/regenerate-summary/route.ts
  • src/app/dashboard/meetings/SummaryBody.tsx (markdown rendering)

Output is markdown the UI renders directly. The function strips stray ```markdownfences from the model output. Hard timeout 1.5s on the LLM call so a slow API doesn't stall the pipeline.

REQ / JIRA / ADR / Document link extraction + Impact Analysis tiles

June 1, 2026MeetExtraction

For business

Mnueron now finds and surfaces the ticket / requirement / document references mentioned in any meeting transcript. Selecting a meeting populates four Impact Analysis tiles: Requirements · Jira Tickets · Test Cases · Documents — each with a count and the first few refs.

Right-rail panels (Related Requirements / Tickets / Documents) render the full lists. Click a meeting to see exactly what downstream artifacts it impacts.

For developers

  • src/lib/meet/extractors/index.ts — TICKETY_RE classified by prefix (REQ/ADR/RFC/US → 'requirement' / 'adr'), DOC_FILE_RE for filenames
  • scripts/backfill-meeting-links.mjs — re-scan existing meetings against new patterns (idempotent)
  • src/app/dashboard/meetings/MeetingIntelligenceClient.tsx — tile redesign, multi-select filters, Share / Edit buttons
  • src/app/api/meetings/route.ts — ?source / ?status / ?attendee multi-value filters

Projects — folder organization for meetings

May 31, 2026MeetOrganization

For business

Group meetings by client, initiative, or workstream. New meetings auto-file into the right project based on title, attendees, and rules you pin. Each project gets its own dashboard with the meetings, open action items, and decisions for that effort.

  • Confirmation banner on auto-assigned meetings: Keep / Move / Always for this pattern.
  • Inline title editing, Share-link, Move-to-project dropdown on every meeting.
  • Filter chips on the cross-project meetings list: All / Unfiled / by project.

For developers

  • supabase/migrations/054_projects.sql (projects · project_assignment_rules · meetings.project_id)
  • src/lib/projects/db.ts + classifier.ts (rules first, then LLM with 1.5s timeout)
  • src/app/api/meet-projects/* + /api/project-rules/route.ts
  • src/app/dashboard/projects/page.tsx + [slug]/page.tsx (admin-gated server components delegating to ProjectsClient / ProjectDetailClient)
  • scripts/seed-projects.mjs — realistic test data with REQ / JIRA / Doc refs pre-populated

Membership convention: no org_memberships table in this schema. Users belong to an org viaapi_tokens. Pipeline attendee resolution uses the same bridge.

Archive tier — old memories to your own S3 / R2 / B2 bucket

May 30, 2026StoragePro

For business

Pro plans can offload aged meetings to a bucket their org owns. Memories older than the configured threshold (default 90 days) get exported as self-describing .md files at a key your ops can browse, then stubbed in our DB.

One adapter covers AWS S3, Cloudflare R2, and Backblaze B2 — same protocol, different endpoints. Tested connection probe verifies the credentials before any nightly archival runs.

For developers

  • supabase/migrations/052_storage_modes_and_archive.sql
  • src/lib/archive/adapters/s3.ts + render-md.ts + worker.ts
  • src/app/api/archive/config + run + test routes (Pro-gated)
  • scripts/archive-run.mjs (local trigger — replaces Vercel cron)

Meeting source auth: bytea → jsonb (Granola sync unblocked)

May 28, 2026FixGranola

For business

Granola sync was failing silently. We diagnosed it: the column storing vendor credentials was declared as bytes while the app treated it as JSON. After migration 053, every Granola sync carries the correct API key. Existing rows convert in place.

For developers

  • supabase/migrations/053_meeting_sources_auth_jsonb.sql — idempotent DO $$ block: detects current type and migrates only if needed.
  • src/lib/meet/pipeline.ts step 2 — uses api_tokens for attendee→user resolution.

Local-trigger scripts (replaces Vercel cron)

May 27, 2026Ops

For business

The Hobby Vercel plan caps at one cron slot — and we need two (Granola sync every 10 min + archive nightly). Solution: trigger jobs from a local scheduler (Windows Task Scheduler or cron) authenticating via a shared secret. Free, scales linearly with your local machines, and gives ops full visibility.

For developers

  • scripts/sync-granola.mjs + scripts/archive-run.mjs (GET endpoints with x-cron-secret)
  • vercel.json: empty crons array
  • /docs/meet/local-scheduling page with Windows Task Scheduler walkthrough

Looking for older changes?

This page tracks Mnueron Meet specifically. Repository commits on GitHub cover everything, including Memory, Chat, Knowledge Graph, Suggestions, and the marketing site.