Changelog

All notable changes for the Superblocks' On-Premise Agent will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

vNext

  • Upgrade vm2 to latest version (v3.10.5)
  • Add Snowflake Postgres support
  • Add plugin support for snowflakecortex integration

v1.35.0

  • Security patches

v1.34.0

  • Add atob and btoa polyfills to the WASM sandbox
  • Added option to route all control flow related resolution of bindings to the WASM sandbox
  • Python worker bug fixes

v1.33.1

  • Add superblocks.auditLogs.enabled helm value to allow disabling audit log ingestion (defaults to enabled)
  • Add Workforce Identity Federation support for BigQuery
  • Add Databricks Lakebase integration
  • Upgrade vm2 to latest version (3.10.4) with fix for CVE-2026-22709

v1.32.0

  • Add support for parameters array in SQL plugins for parameterized queries
  • Add support for file uploads in 2.0 apps
  • Require authorization header for inline definitions in /v2/execute, /v2/execute/stream, and /v2/execute/twoway endpoints to prevent anonymous code execution while still allowing public apps (fetch by ID) to work
  • Upgrade Go 1.25.1 → 1.25.5, golang.org/x/crypto v0.41.0 → v0.45.0, golang.org/x/sync v0.17.0 → v0.18.0, golang.org/x/text v0.28.0 → v0.31.0 and run apt-get upgrade -y in Dockerfiles to resolve CVEs.
  • Do not fail when primitive values are used as inputs to Python APIs, similar to JavaScript APIs
  • Validate view mode against profiles for API execution with provided definition
  • Restrict access to blocked packages in JavaScript steps via: dynamic import, eval, and Function constructors
  • Update JavaScript worker to execute language steps within vm2
  • Support generating presigned PUT URLs for s3
  • Add support for Kubernetes Gateway API as an alternative to Ingress for routing traffic to the agent
  • Update FilePicker download endpoint to ensure requested download paths are under the temp directory
  • Add WASM-based sandbox using QuickJS for more secure JavaScript binding resolution
  • Require authorization header for /v2/test endpoint to prevent unauthenticated environment variable access
  • Enforce WASM sandbox memory limit for host-side allocations
  • Pass a memory limit to the WASM sandbox
  • Control the WASM bindings sandbox rollout via LaunchDarkly
  • Add Date object marshalling support in WASM sandbox (Date objects are now preserved when passing between host and VM in both directions).
  • Add JavaScriptWASM plugin type for executing pure JS steps within the WASM sandbox.

v1.31.0

  • Add support for restricting imports and built in functions in Python language execution steps
  • Properly clear the environment of Python execution step sandboxes

v1.30.0

  • Add retry logic to Databricks metadata requests in case of rate-limiting
  • Update VM2 to patch vulnerability
  • Upgraded Python OTel libraries to v1.16.0
  • Add (plugin) support for openai_v2 based integrations

v1.29.1

  • Set a default password for the agent's internal redis instance

v1.29.0

  • Use Databricks Unity Catalog to fetch metadata via REST
  • Disable script and function execution in the agent's redis server
  • Add support for setting a password for the default user in the agent's redis server

v1.28.1

v1.28.0

  • Updated Databricks integration test to timeout after 5000ms

v1.27.0

  • Added support for header value prefix in auth injection flow
  • Added support for OAuth Token Federation auth for Databricks
  • Fixed new bindings syntax support for bindings that require legacy resolution and an expression in the template literal contains the token separator string (i.e. ", ")
    • e.g. ${JSON.stringify({ name: "test", enabled: true })}
  • Added support for "oauth on behalf of token exchange" in Salesforce integration

v1.26.0

  • Added support for the metadata endpoint in the GraphQL integration
  • Added support for custom SubjectTokenType on "oauth on behalf of token exchange" flows
  • Updated types for Salesforce integration to support "oauth on behalf of token exchange"
  • Added types support for new Confluence integration
  • Added support for custom object schemas in Salesforce
  • Added flag agent.plugins.auth.validate_subject_token_during_obo_flow.enabled to determine whether we should validate the subject token during "oauth on behalf of token exchange" flows

v1.25.0

  • Fixed workflow steps in path based apis to execute the desired workflow as expected (previously failed with NotFoundError)
  • Added support for new JavaScript template literals bindings syntax in arguments for workflows
  • Fixed return, send and wait blocks functionality when using new bindings syntax (JavaScript template literal or IIFE)
  • Added preview scoped token type
  • Updated scoped token claims to match the claims provided by the server (where the JWTs are generated)

v1.24.0

  • Updated binding resolution to treat entire fields in APIs as bindings for APIs fetched by path
  • Fix binding resolution of template literals for plugins requiring legacy binding resolution (i.e. JavaScript worker performs binding resolution)
  • Fix an issue where workflow parameters could be referenced unsafely causing a panic

v1.23.0

  • Fail silently when trying to delete a GSheets integration that has already been revoked
  • Switch to using pointers for custom JWT claims in JWT middleware and scoped token permissions JWTs
  • Add raw JWT to Go context when using the scoped permissions JWT validators
  • Updated the flow for detecting if JWT middleware should be used
  • Updated execution inputs to use Global.user derived from Superblocks JWT
  • Updated claims required to be present in a JWT for agent authorization
  • Updated the "oauth on behalf of token exchange" flow to use the identity provider access token from the Superblocks JWT instead of from the Auth0 JWT
  • Changed token scopes to match existing RBAC permissions
  • Added support for scoped (JWT) tokens with multiple scopes
  • Added support for API-level authorization
  • Added support for resolving integration configurations using the new (JavaScript template literals) bindings syntax

v1.22.0

  • Included azure blob storage and azure identities libraries to python worker
  • Generalized JWT middleware to allow for better reusability across repositories (moved agent specific validation to internal package)
  • Overwrite the default requirements.txt file with the contents of the desired requirements file (only affects slim variant and custom image builds)
  • Added scoped permission JWT types and validators to orchestrator
  • Updated Auth Code/Password Grant flows to enable bindings in certain fields

v1.21.0

  • Updated slim image builds to support package-slim.json files in any worker.js subdirectory
  • Added slim variant to packages/plugins/javascript package (i.e. package-slim.json) which keeps only dependencies required for binding resolution
  • Added SUPERBLOCKS_AGENT_REDIS_SOCKET_TIMEOUT_SECONDS to configure socket timeout for Redis client in Python worker
  • Update OPA Dockerfile's WORKER_JS_PREPARE_FS_ARGS argument's default value to match value for building slim variant
  • Update OPA variants doc with new arguments for building standard/slim variants
  • Fix the agent Helm Chart to support gRPC routes
  • Fix OOM from reusing Javascript context within an API's binding resolutions

v1.20.0

  • Added support for fetching (and executing) APIs referenced by application ID and path, rather than by api ID
  • Fixed bug in building query parameters list for DB plugins leveraging '?' placeholder syntax (repeated bindings fix)
  • Bump golang version to 1.23.7
  • Added support for referencing dynamic workflow response as {{credentials.response}}

v1.19.0

  • Updated Snowflake integration to not include INFORMATION_SCHEMA data in metadata
  • Updated Snowflake integration to pipe through database, schema, warehouse, and role for key-pair and sso auth types
  • Updated slim image to only include JavaScript packages required to run the JavaScript worker
  • Added support for performing new "oauth on behalf of token exchange" auth type
  • Added support for static subject token sources in "oauth2 on-behalf-of token exchange" auth type
  • Updated token forwarding auth type with IDP subject tokens to explicitly fail for workflows and scheduled jobs
  • Added support for "authTypeField" in integration OAuth flow
  • Updated Snowflake integration to support "oauth2 on-behalf-of token exchange" auth type
  • Explicitly shutdown prometheus metrics server when Python worker terminates
  • Update CheckAuth to support integration configurations using the OAuth on-behalf-of token exchange auth type
  • Updated Snowflake node sdk to v1.15.0 and disabled OCSP checking when connecting to Snowflake

v1.18.0

  • Added support for creating a worksheet in GSheets integration
  • Refactor launchdarkly client to separate wrapper around LaunchDarkly SDK into its own package separate from the interface for agent specific flags
  • Fixed bug in Redis integration that caused some raw Redis queries to error unexpectedly
  • Added support for exposing claims as part of OAuth payloads in the OAuth Code authorization flows

v1.17.0

  • Upgrade Google Cloud Secret Manager Go package to v1.14.2 (fixes "certificate_config.json: permission denied" error connecting to GCP secret manager)
  • Added support for key-pair authentication in Snowflake Plugin
  • Add support for machine-to-machine (M2M) authentication for Databricks plugin
  • Update WaitGroup runnable to block Close method on the WaitGroup completing (addresses redis: client is closed errors)
  • Allow branch name to be given in workflow HTTP requests as a header: X-Superblocks-Branch
  • Add last_updated field to the Resource proto, and set last updated time in update signature requests to server
  • Fixed projection for findOne action in MongoDB integration

v1.16.0

  • Update signing rotation endpoint for APIs
  • 403 status codes from the server now return as 403 instead of 500
  • Added Superblocks partner ID to the Databricks integration
  • Fix scheduled job execution for signed jobs (when signature verification is enabled)
  • Now return Kinesis Plugin Metadata
  • Add signing key's corresponding public key and algorithm to the Signature proto message
  • Fixes to Couchbase Plugin
  • Add "signature rotation errors" field to UpdateApiSignature and UpdateApplicationSignature proto messages (move existing Signature into result oneof field)
  • Added prefix and delimiter support to S3 Plugin
  • Added moment-timezone package to JavaScript worker
  • Bump superblocksteam/run dep to v0.0.6
  • Include signing algorithms with verification keys when registering agent
  • Include signing algorithm and public key in response from Sign endpoint (/v1/signature/sign)
  • Set errors on responses for all resources that fail to get re-signed during a signature rotation job
  • Improved error messages in Email Plugin

v1.15.1

  • Updated debian packages to address a few vulnerabilities

v1.15.0

  • Added support for Okta SSO in the Snowflake plugin
  • Fix connection string support for RedShift, MySQL, MariaDB, Postgres, CockroachDB
  • Added connection string support for RedShift, MySQL, MariaDB, Postgres, CockroachDB
  • Fix Snowflake template version
  • Fix connection for Snowflake integration so we do not hang for 90 seconds on an invalid configuration
  • Added AWS Kinesis plugin
  • Fix worker/js helm limits.memory
  • Update shutdown ordering so critical processes are not terminated prior to the webserver
  • Update dependencies to remove critical vulnerabilities in wget and libexpat1
  • Added support for enabling restapi, restapiintegration, openapi, graphql and graphqlintegration plugins to return more verbose HTTP response data in result (e.g. response status text, status code, etc.)
  • Added support for configuring whether or not a step using a restapi, restapiintegration or openapi plugin fails if the underlying web request fails
  • Added support for configuring whether or not a step using a graphql or graphqlintegration plugin fails if the GraphQL query returns with errors

v1.14.1

  • Change v1.security.Resource.config.api type from v1.Api to google.protobuf.Value well known type

v1.14.0

  • Added support of action config to test method

v1.13.0

  • Added ViewMode to API start/end logs
  • Added ViewMode to Block start/end logs
  • Add comprehensive logger fields to oauth code
  • Change: Support signing and verifying APIs at different versions than the agent

v1.12.0

  • Added support for new Akeyless Secrets Manager

v1.11.0

  • Set component field for remote logs from worker.go and worker.js
  • Update worker request baggage to include additional metadata to be included in remote logs
    • e.g. agent-id, agent-version, application-id, etc.
  • Update python worker idle milliseconds metric to be active seconds metric
  • Change: signature.enabled is renamed signature.verification.enabled to more accurately represent what it does (disable/enable verification only; signature.signing_key_id controls signing)
  • Change: all signature.keys are sent during agent registration to server regardless of the value of signature.verification.enabled (v1.10.2 introduced an awkward state where verification keys were not advertised during registration)
  • Change: when signature.signing_key_id is enabled, start watching superblocks server for rotation events
  • Add: new signature.batch.size which configures the batch size of resources to claim from server
  • Add 8 new LLM integrations.
  • Support streaming for the REST integration.

v1.10.2

  • Change: default example signing key and verification keys are removed.
  • OPAs now skip ratelimiting logic as it's extra network calls for no benefit
  • Fix: python file descriptor leak resulting in Too many open files
  • Couchbase integration now accepts connection strings

v1.10.1

  • Switch to using W3C trace propagator
  • Fix: Include verification key IDs in agent registration request

v1.10.0

  • Fix: Integrations with Dynamic Workflow Configuration now pass Profile during "Test Connection"
  • Change: Bumped Microsoft SQL integration to support URI connection strings
  • Switch to using asymmetric keys (ED25519) for resource signing/verification

v1.9.3

  • OPAs now skip ratelimiting logic as it's extra network calls for no benefit

v1.9.2

  • ?

v1.9.1

  • Support web3 module in Javascript steps.

v1.9.0

  • Breaking: Defaults for events.cloud.enabled set to false, as this was producing large amounts of error logs for EU customers. This flag is only used for signing and signing has not been enabled for EU customers yet.
    • For customers that have signing enabled, we must ask them to enable SUPERBLOCKS_ORCHESTRATOR_EVENTS_CLOUD_ENABLED=true
  • Fix bug that prevented observability events to be authenticated correctly.

v1.8.1

  • Ensure redis is shutdown after all executions have been drained.
  • Fix bug preventing OpenAPI integrations from honoring delegated binding resolution.
  • Auto refresh renewable access tokens for HashiCorp Vault secret integrations.

v1.8.0

  • Fix the os environment bindings for plugin tests and metadata calls.

v1.7.4

  • Propagating X-Superblocks-Authorization header when talking to the new Global Edge Network.
  • Add more descriptive User-Agent header when talking to Superblocks.
  • When an API is cancelled, show "context cancelled" instead of Internal Error in the audit logs.
  • Add application-id and page-id to observability logs.

v1.7.3

  • Fixed plugin ID in OpenAPI integration step execution logs
  • Enable the process pool worker
  • Fixed issue in the python worker that resulted in synchronous execution of steps
  • Fixed issue in the python worker where steps would potentially block against concurrently running steps
  • Fixed issue in the python worker where setting log level in non-uppercase would crash the worker

v1.7.2

  • Fixed observability logging of worker.go to propagate to downstream systems
  • Added support for the Elasticsearch integration
  • Expose AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable in Python sandbox (for use in Python language steps)

v1.7.1

  • Release slim OPA
  • Fixed missing deasync dependency in arm OPA image. Moved to building deasync from source since maintainer does not build the module for all node versions and architectures.

v1.7.0

  • Deprecated internal gRPC transport and all configuration parameters in favor of adding redis to the all-in-one container
  • Fixed memory leak with the v8 plugin
  • Fixed hanging apis when running with high parallelism
  • Fixed agent panics when running with high parallelism
  • Fixed loops timing out when running the REST plugin with basic auth
  • Exposed configuration for API timeout
  • Enable new integrations for OPA: Confluent, Redpanda, Couchbase, Databricks, Oracle Database
  • Reduced baseline memory by 100Mb

v1.6.1

  • Introduce a shorter version for some of our agent environment variables. For example, you can use SB_AGENT_KEY instead of specifying both SUPERBLOCKS_AGENT_KEY and SUPERBLOCKS_ORCHESTRATOR_SUPERBLOCKS_KEY.
  • Bump a lot of dependencies.
  • Start sending JavaScript code that can be run in V8 to the new Go worker.

v1.6.0

  • Added the EXPOSE directive to the OPA's Dockerfile so that it can be inspected by vendors like Aptible.

  • Introduced support for an RSA JWT to be utilized later.

  • Bump a lot of dependencies.

  • Utilized the new superblocksteam/run project.

  • Fix a few flaky tests.

  • Fix a few graceful shutdown issues.

  • Introduced s6 as our process manager for the container. This will ensure that all processes within the container receive the proper signals and are given the opportunity to shut down gracefully.

  • Bump a lot of dependencies.

v1.4.4

  • Introduced s6 as our process manager for the container. This will ensure that all processes within the container receive the proper signals and are given the opportunity to shut down gracefully.
  • Bump a lot of dependencies.

v1.4.3

  • Added date-fns==3.3.1 to the list of JavaScript dependencies

v1.3.3

  • Fixes an issue where OAuth tokens used in the Authentication Code flow would be too aggressively cached

v1.3.2

  • Fixes an issue where non-lang plugins could not access the Filepicker

v1.3.1

  • Log a warning if invalid mode is used in Filepicker
  • Separate Kafka Consumer and Producer
  • Update multiple Go dependencies
  • Pass duration in seconds to quota error
  • Use Kafka transactions for 2 and more messages
  • Do not default access token's expiration to 1 day if expires_in = 0 or missing in exchange code response

v1.2.1

  • Fixes an issue with Google Sheets where sheet names dropdown is not loading

v1.2.0

  • Update multiple Go dependencies.
  • Ensure that all operations executed against a v8 isolate occur in the same go routine it was created in.
  • Add gRPC middleware to catch client cancellations to provide a better error message.
  • Fixes segfault when logging error detail
  • Logs internal error, returned by clients.Check
  • Updates orchestrator to parse imports for javascript steps
  • Adds support for id_token in OAuth Code flow
  • Ensure a step can run for as long as the API has left.
  • Add JavaScript polyfill for "console".
  • Stops passing the test workflow body values to deployed runs

v1.1.2

  • Fixes an issue with the observability pipeline where plugin errors and logging were not piped to customer telemetry sinks

v1.1.1

  • Fixes an issue regarding large nested objects causing Python performance issues

v1.1.0

v1.0.15

  • Allows users to configure size limits in their OPAs, this currently defaults to 30MB. For the OPA these will need to be raised in tandem.
    • SUPERBLOCKS_ORCHESTRATOR_GRPC_MSG_REQ_MAX
    • SUPERBLOCKS_ORCHESTRATOR_GRPC_MSG_RES_MAX

v1.0.14

  • Removes the logging of the request values in the orchestrator

v1.0.13

  • Fixes an issue with the OPA where the healthchecks will return 500 after 30 minutes of the agent being idle

v1.0.12

  • Fixes an issue with Google Sheets integration metadata call
  • Gracefully handle nil pointer dereference when a workflow returns an unexpected nil output

v1.0.11

  • [SECURITY] Prevents logs from printing out API action configs in the worker logs

v1.0.10

  • Disables the signing feature in the OPA by default as it's currently still unreleased.

v1.0.9

  • Fixes issue with subject not being correctly set in emails sent via Email plugin steps

v1.0.8

  • Adds use of Superblocks-controlled template for emails sent using the Email plugin

v1.0.7

  • Fixes issues with reading the 2nd file from the Filepicker
  • Fixes issues with plugin metadata responses being rejected due to validation error
  • Fix panic when a workflow response is null and adds debug logging to surface those issues

v1.0.6

  • Fixes issue with Python steps being unable to read files due to BlockingIO
  • Fixes issue with MongoDB steps failing due to "Unexpected struct type" error

v1.0.5

  • Adds support for fetching branch-specific API definitions

v1.0.4

  • Fixes visibility of new REST authentication methods (API tokens forms for integrations like Datadog, CircleCI, etc.)
  • Adds support for SMTP integration

v1.0.3

  • Fixes issue with executing API steps that use OpenAPI integrations

v1.0.2

  • Introduce ARM image for local testing and deployment

v1.0.1

  • Addresses python plugin bugs:
    • Issue where python plugin is no longer able to use attribute notation to access dictionary keys
    • Issue where python was unable to read file contents via the FilePicker component

v1.0.0

  • Orchestrator based OPA released
  • Supports control-flow execution