Patch release. Adds Service accounts — non-login principals you can add to teams and issue scoped API tokens for. Every token now carries an explicit scope list (e.g. logs:read, alerts:write) enforced by middleware, with presets and an active-preset highlight in the picker. The team member dialog distinguishes humans from service accounts, and service principals get a clear badge in team rosters. Also surfaces ClickHouse column comments through the schema API for the new LogChef CLI v0.1.6 to consume.
- Service accounts — Non-login principals managed at Administration → Service Tokens. Cannot authenticate via OIDC or CLI exchange; exist only to own tokens and team memberships.
- Scoped API tokens — Tokens now carry an explicit list of scopes (logs:read, alerts:write, …). Presets in the picker: Read-only, Logs viewer, Logs analyst, Alerts manager, Source admin, Full access. The active preset stays highlighted while the selection matches.
- Account-type toggle in Add Team Member — Pick Human user or Service account; the dropdown filters to that type and shows the principal's name with email as a subtitle instead of the raw service-account email.
- Service account badge in team member tables — bot icon + "Service account" pill so automation principals are visually distinct from humans.
- Manage teams on each service account card — team chips, a destructive warning when an account is in zero teams (its tokens won't reach any source), and an in-place add/remove dialog.
- Schema column descriptions — The schema API now surfaces ClickHouse column comments. Consumed by LogChef CLI v0.1.6's schema command.
- "Create API Token" defaults to the Read-only preset. Previously defaulted to Full access, which made the scope picker look entirely disabled out of the box.
- Read-only preset is now every :read scope. Adds tokens:read, users:read, settings:read. Admin-gated routes still enforce admin role separately.
- /admin/users/* routes 404 on service accounts. Service principals are managed via the dedicated /admin/service-accounts/* path so they can't be promoted through the human-user CRUD path.
- Scope picker checkboxes are interactive again. The component was bound to :checked; the underlying primitive uses model-value. The bug was hidden behind the old Full-access default.
- Token creation rejects empty scopes (HTTP 400). Requests with no scopes used to silently mint a full-access token.
- Corrupt or empty stored scopes fail closed. A token row with malformed scope JSON now grants no access instead of full access.
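
The two fail-closed fixes above (empty scope lists rejected at creation, malformed stored scopes granting nothing) can be sketched as follows. This is an added Go example, not Logchef's own code; the function names, the constructed scope registry, the rejection of unknown scope names and the 201 success status are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// known is a constructed registry using the scope names the notes mention.
var known = map[string]bool{"logs:read": true, "alerts:write": true,
	"tokens:read": true, "users:read": true, "settings:read": true}

// CreateStatus validates a token-creation request: an empty scope list is a
// 400, never an implicit "all scopes". Unknown-name rejection and 201 are assumed.
func CreateStatus(requested []string) int {
	if len(requested) == 0 {
		return http.StatusBadRequest
	}
	for _, s := range requested {
		if !known[s] {
			return http.StatusBadRequest
		}
	}
	return http.StatusCreated
}

// ParseStored decodes a token row's scope JSON. A decode error, null, or an
// empty array all yield the empty set, so a damaged row grants nothing.
func ParseStored(raw string) map[string]bool {
	granted := map[string]bool{}
	var list []string
	if json.Unmarshal([]byte(raw), &list) != nil {
		return granted // discard partial results too
	}
	for _, s := range list {
		granted[s] = known[s] // unknown names stay false
	}
	return granted
}

// Authorized is the per-request check a scope middleware would make.
func Authorized(raw, required string) bool { return ParseStored(raw)[required] }

func main() {
	for _, raw := range []string{`["logs:read"]`, ``, `null`, `[]`, `{"logs":`} {
		fmt.Printf("%-15q logs:read allowed: %v\n", raw, Authorized(raw, "logs:read"))
	}
	fmt.Println(CreateStatus(nil), CreateStatus([]string{"logs:read"}))
}
```

The point to check in any real implementation is the error branch of the parser: the pre-fix behaviour corresponds to treating "no scopes decoded" as "no restrictions".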
Major CLI release. Adds four new subcommands (saved-queries, find, tail, whoami, auth current), full time-range injection on raw SQL, agent-friendly output formats (msg, json-flat), a symmetric --explain / --dry-run split across query and sql, and TTY-aware highlighting so pipes don't need --no-highlight. Requires Logchef server v1.6.1+ for the saved-queries resolve endpoint and ClickHouse column descriptions.
- saved-queries — List and run saved queries by name, numeric ID, or a pasted explorer URL. --var, --limit, --show-sql, and all output-format overrides supported.
- find <pattern> — Discover sources with recent matches for a service, job, host, or message pattern. Each match line is followed by per-column samples: label-shaped columns (service/host/job_name) get the top 3 values with counts; free-form text columns (msg) get one truncated sample row. Suppress with --no-samples. Per-source timeout defaults to 30s.
- tail <query> — Follow matching LogChefQL rows by polling. text, jsonl, or msg output; stable dedup across column-order changes; one-shot stderr warning when a poll returns at --limit.
- whoami — Print the authenticated user and accessible teams.
- auth current — Offline subcommand that prints the active context, server URL, and token source (config vs env), plus the token expiry when it came from saved config. No network call. Useful for "is my LOGCHEF_AUTH_TOKEN even set?" diagnostics.
- SQL time flags on sql — --since / --from / --to inject a timestamp predicate before the first top-level GROUP BY / ORDER BY / LIMIT / HAVING / SETTINGS / FORMAT. The scanner skips string literals, quoted identifiers, comments, and parenthesized subqueries; use __START__ / __END__ placeholders for full control (e.g. CTEs).
- --explain / --show-sql on query and sql — Print Generated SQL: <sql> to stderr, then continue executing. Plays cleanly with --output jsonl | jq pipes.
- --dry-run on query and sql — Print the resolved SQL to stdout (no prefix) and exit without keeping results. sql --dry-run is fully offline; query --dry-run calls the server once for LogChefQL translation.
- --output msg — Print only the message column (one row per line) on query, sql, collections, and saved-queries. Falls back to the first selected column when msg isn't projected.
- --output json-flat — Hoist JSON-shaped msg fields to top-level JSON rows on query, sql, collections, and saved-queries.
- LOGCHEF_DEFAULT_TEAM / LOGCHEF_DEFAULT_SOURCE — Env defaults when --team / --source are omitted. Precedence: flag → env → saved config.
- Schema column descriptions — schema --output text shows a new DESCRIPTION column when the source's ClickHouse columns carry comments; schema --output json includes them inline.
- Highlighting auto-disables on non-TTY output. All five subcommands (query, sql, collections, saved-queries, tail) skip ANSI escapes when stdout is piped, so ... | jq and ... > file produce clean output without --no-highlight. The flag still works as an explicit override.
Logchef 1.6 reorganizes saved queries around Collections — cross-team curation lists you can share with teammates. Teams now exist purely for access control. A new Editor team role sits between Member and Admin: editors can save queries and manage collections without getting full admin rights.
- Collections — Group saved queries into shareable lists. Everyone gets a personal collection automatically. Shared collections are invite-only; queries you can't run show with a lock icon.
- Unified Saved Queries page — One place to browse, search, and pin queries. Pick "All Queries", your personal collection, or any shared collection from a dropdown at the top.
- "Add to Collection" drawer — Open the menu on any saved query and tick the collections you want it pinned to. Create new collections inline.
- Editor team role — A new role for teammates who curate queries and collections. Editors can save queries, create collections, and invite collection members. They can't invite team members or link sources — those stay admin-only.
- Share a saved query with a link — /logs/saved/:queryId resolves the right team and source automatically, so the recipient lands directly on the query.
- CSV / JSON downloads stream from the backend with admission control, so very large exports don't tip the server over.
- Calendar month/year drill-down in the date picker.
- OIDC skip_email_verified_check — Skip the email-verified claim on providers that don't pass it through (e.g. Cloudflare Access in front of an upstream IdP). (#86)
- Native ClickHouse TLS — Configure TLS directly in the source connection instead of relying on stunnel/sidecars. (#88)
- Save your own queries. The Save button is now visible to every team member (it was hidden from non-admins by mistake). Editing or deleting a saved query still requires the original creator or a global admin.
- Distinct icons for LogchefQL and SQL in the saved queries list, so you can tell them apart at a glance.
- Cleaner admin and settings pages — consistent header, sections, and empty-state styling across Users, Teams, Sources, System Settings, Profile, and Preferences.
- Saved queries belong to a source, not a team. Anyone with source access can see and run them. The team you saved from is just a hint used to pick the right access path.
- Explore UI polish — quieter top bar, concrete query placeholders, Local|UTC timezone toggle.
- Query Folders — replaced by Collections.
- Bookmarks — your starred queries automatically move to your personal collection.
- Very large query results are now capped ([query] max_limit, default 100k rows) so the browser doesn't run out of memory.
- Long raw SQL in the URL no longer trips the server's HTTP header size limit.
- Switching sources is race-free — the explorer waits for the new source's schema before running a query, and a slower in-flight response can't overwrite a faster one.
- Saved queries open against the right source — the query's source overrides any stale source param in the URL.
- Export job pruner is crash-safe — interrupted prunes no longer leave orphaned download files.
- Translate API errors are surfaced to the editor instead of failing silently.
- Export download URLs are relative, so downloads work behind reverse proxies that rewrite hostnames.
Contributors: @m0nikasingh — OIDC email verification skip (#86), native ClickHouse TLS (#88), AI SQL insert mode fix (#89)