PlugStream Release Notes

PlugStream is continuously updated to improve reliability, security, and user experience. This page provides a transparent record of every software and firmware release, including what changed and why it matters.

Latest

Firmware API 1.0.0

Tests: passed (151/151)
Coverage: 0.0%
Service
December 9, 2025
Tags: #firmware-api

1.0.0 (2025-12-09)

Bug Fixes

  • Add debug logging (4330cf0)
  • Add reconnection loop to AMQP consumer (4ffd536)
  • Added additional node_modules (3cf11bb)
  • Added duplicate rollout detection and reporting (f4e9e49)
  • Added Prisma Client copy in Docker stage (ec77acf)
  • Auto-create devices when assigning to cohorts (f58cd5b)
  • build: Correct relative imports in version lifecycle routes to resolve module-not-found during Next build (21b9a0d)
  • ci: Corrected typo in lint stage of Staging Pipeline (a2fda2a)
  • ci: Removed tsx from Dockerfile (88e78d8)
  • Cleaned up prisma Migrations (15fec12)
  • Corrected CI Pipeline template (5209d7e)
  • Corrected Migration (6e49672)
  • improve S3 presigned URL generation and upload error handling (89acc6d)
  • platform-owner: Finalise auth/rbac updates and ensure group listing aligns with new guards (a3284fe)
  • prisma: Add Device.groupMemberships back-relation to satisfy FirmwareGroupDevice.device relation validation (30da89d)
  • Remove minHwRev requirement so it is optional (42c2d91)
  • Remove public from Dockerfile copy block (f17c261)
  • Removed Copying files from prod stage (a558e2a)
  • Resolve build issue in withdraw route (a5dfcdc)
  • Resolve Next.js 15 build issues and type errors (03b3b8c)
  • Resolve Prisma DeviceRolloutStatus enum issues and add device counts to cohorts (404f788)
  • Resolve tenant-auth route imports (d6087ae)

Documentation

  • Establish consistent tenant scoping requirements for all API endpoints (b34d8bb)

Features

  • Add enhanced debug logging for tenant resolution in cohorts API (f727081)
      - Add detailed logging to trace as_tenant parameter handling
      - Log auth mode, path tenant, and query parameters at each step
      - Track data being created in POST requests
      - Count items returned in GET requests
      - Enhanced requireTargetTenant logging to debug parameter extraction
  • Add proper tenant validation to firmware version lifecycle endpoints (94f6b2e)
  • Add tenant-scoped firmware version lifecycle endpoints (de2a523)
  • Added DB Migration (be60e46)
  • Added health endpoints (ad5d715)
  • Added SSE Endpoints for rollout stats (13eb595)
  • Allow api-key callers through platform RBAC checks (fd54680)
  • api: Add firmware versions list endpoint (64ad495)
  • api: Enhance versions endpoint with product display names (c72e2b6)
  • api: Rollout detail/devices endpoints + operator intents (pause/resume/cancel/promote) with RBAC & AMQP publish (7814799)
      - Detail endpoint with KPIs and policy
      - Devices listing with filters and pagination
      - Intent routes publishing to AMQP and updating status
      - RolloutStatus enum: add 'cancelled' + migration
      - Tests added; docs updated
  • auth-mapping: Add FirmwareAuthMapping model, admin CRUD endpoints, and internal FusionAuth access-token exchange with in-memory cache + tests (92c1f4b)
      - Prisma model + migration
      - Admin routes guarded by AUTH_MAPPING_ADMIN with redacted secrets
      - Internal service token exchange guarded by SERVICE_ORCHESTRATOR with rate limiting
      - getFaAccessToken helper using Map+TTL cache and FA token POST
      - Tests for CRUD and token exchange behaviors
      Docs: implements docs/codex_prompt_firmware_api_fa_mapping.md
  • auth: Add TenantAuthMap model + admin CRUD; update JWT verification to use DB map for JWKS selection; document endpoints (596d303)
      - Prisma model + migration
      - lib/auth: resolve faTenantId via prisma.tenantAuthMap
      - Admin routes for tenant-auth mapping
      - Tests for admin list/upsert
      - Update API docs
  • cohorts: Drop groups compatibility; rename DB to Cohort/CohortDevice; implement /cohorts API and update rollouts + tests (18d5954)
      - Prisma: Cohort/CohortDevice models, migration renaming tables and groupId->cohortId
      - API: cohorts handlers for list/create/get/update/delete + membership and device-cohorts
      - Rollouts: accept cohorts_any with groups_any fallback, resolve via cohorts
      - Build: fix import paths in new routes
      - Tests: updated mocks and expectations
  • Enable tenant-based firmware isolation (a46776a)
  • groups+policy+audit: add FirmwareGroup, membership, and download audit; enforce policy gates; expand rollout cohorts; enrich approval event (b516c96)
  • groups: Membership read APIs + serial resolver (6e53993)
      - GET groups/{groupId}/devices with pagination and search
      - GET devices/{deviceId}/groups list memberships
      - Add lib/devices resolver for serial→deviceId
      - Prisma relation for FirmwareGroupDevice.device
      - Tests added; docs updated
  • groups: Tenant group CRUD + membership endpoints; OpenAPI docs; seed script (1213098)
      - Routes: list/create, get/update/delete, replace membership
      - Validation schemas for group payloads
      - OpenAPI paths and schemas
      - Seed script and npm script
      - Tests for group flows
  • implement tenant-scoped release endpoint and update documentation (6d15479)
  • lifecycle: Add submit/approve/withdraw/release endpoints; require tenant releases in manifest (3b95c62)
      - Prisma: FirmwareRelease model present; FirmwareVersion state fields used
      - Routes: versions submit/approve/withdraw, releases create
      - Manifest: filters by FirmwareRelease for target tenant + state=released
      - Tests: add lifecycle tests; update manifest tests for new RBAC and release gating
  • Migrate uploads endpoint to tenant-aware architecture (48f294c)
  • orchestrator-schema: Add IntentDedupe table (+ TTL index), Device.siteId and tenant/site index, and rollout tenant index (2b2398e)
      - Prisma schema updates
      - Migration for IntentDedupe, Device.siteId, and indexes
      - Lint clean; tests passing
  • platform-owner: Add platform owner mode with as_tenant support (809dea8)
      - Env vars: PLATFORM_TENANT_SLUG, PLATFORM_FA_TENANT_ID, PLATFORM_SCOPE
      - lib/auth: verifyForPathTenant for dual-mode verification
      - lib/rbac: requireTenantScopeOrPlatform + requireTargetTenant
      - Rollout detail + intents honor platform mode and as_tenant; queries filter by target tenant
      - Update K8s configmap/secret for platform vars
      - Tests updated to reflect new guards
  • Removed Next.js version (fbc48b3)
  • service-token: Add service token auth and internal download-url endpoint (49e524e)
      - Env: SERVICE_ORCHESTRATOR_TOKENS in .env and K8s Secret
      - lib/service-auth.ts guard for internal routes
      - POST tenants/{tenantId}/internal/download-url for orchestrator with audit and policy checks
      - Protect internal FA token exchange with service-token fallback
      - Tests for internal route
  • Trust api-auth headers for firmware-api auth (f289e97)
  • Updated migrations to include firmware approvals (d321b04)
  • Updated to more closely match the API Firmware contract following refactor to Rust (e64558f)
  • Use JWT tid claim for tenant validation instead of hardcoded mappings (acdce4b)

BREAKING CHANGES

  • All firmware API endpoints now MUST follow tenant-scoped URL patterns
  • Update firmware_api_endpoint_contract_v2.md with mandatory tenant scoping
  • Add comprehensive tenant scoping rules and security guidelines
  • Create portal_integration_guidelines.md with frontend integration patterns
  • Add tenant_scoping_migration_checklist.md for implementation guidance
  • Mark all non-tenant-scoped endpoints as deprecated

This prevents future security issues by ensuring consistent tenant isolation,
platform admin support, and clear audit trails across all API endpoints.

Key Changes:

  • /versions/{id}/submit → /tenants/{tenantId}/versions/{id}/submit
  • /uploads → /tenants/{tenantId}/uploads
  • /releases → /tenants/{tenantId}/releases
  • All endpoints require tenant validation and as_tenant support
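
The tenant-scoping rule behind these path changes, sketched as an added TypeScript example; it is not PlugStream's code. The route patterns, the JWT `tid` claim and `as_tenant` come from the notes above; the `Caller` shape, the function names, the tenant-id character set and the platform-mode handling of `as_tenant` are assumptions.

```typescript
// Added illustration of tenant-scoped routing checks; not PlugStream source code.
// Hypothetical: Caller, Decision, toScopedPath, resolveTargetTenant, TENANT_ID.
type Caller = { mode: "tenant" | "platform"; tid: string }; // tid: verified JWT `tid` claim
type Decision =
  | { allow: true; targetTenant: string }
  | { allow: false; status: number; reason: string };

// Assumed tenant-id alphabet; keeps "/" and "%" out of path segments.
const TENANT_ID = /^[A-Za-z0-9_-]+$/;
// Route shapes from the "Key Changes" list.
const LEGACY = /^\/(versions\/[^/]+\/submit|uploads|releases)$/;
const SCOPED = /^\/tenants\/([A-Za-z0-9_-]+)\/(?:versions\/[^/]+\/submit|uploads|releases)$/;

// Migration helper: rewrite a deprecated path to its tenant-scoped form.
function toScopedPath(legacyPath: string, tenantId: string): string | null {
  const m = LEGACY.exec(legacyPath);
  if (!m || !TENANT_ID.test(tenantId)) return null;
  return `/tenants/${tenantId}/${m[1]}`;
}

// Decide which tenant a request may act on, or refuse it.
function resolveTargetTenant(caller: Caller, path: string, asTenant?: string): Decision {
  const m = SCOPED.exec(path);
  if (!m) return { allow: false, status: 404, reason: "not a tenant-scoped route" };
  const pathTenant = m[1] ?? "";
  if (asTenant !== undefined && !TENANT_ID.test(asTenant)) {
    return { allow: false, status: 400, reason: "malformed as_tenant" };
  }
  if (caller.mode === "tenant") {
    // Tenant callers never impersonate, and the token must match the URL.
    if (asTenant !== undefined) {
      return { allow: false, status: 403, reason: "as_tenant requires platform mode" };
    }
    if (caller.tid !== pathTenant) {
      return { allow: false, status: 403, reason: "tid does not match path tenant" };
    }
    return { allow: true, targetTenant: pathTenant };
  }
  // Platform mode (assumed semantics): as_tenant, when given, names the target.
  return { allow: true, targetTenant: asTenant ?? pathTenant };
}
```

Returning the resolved target tenant, rather than a bare yes/no, lets every downstream query and audit record filter on the same value.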