Version: 2.5.0

MaestroHub 2.5.0 Release Notes

MaestroHub 2.5.0 is a major release that lands four new connectors (LoRaWAN, AWS Lambda, NATS, SMB), ships the first full Sharing & Groups experience end-to-end, rewrites the dependency graph as a tiered, clustered, paginated surface, refactors the Import/Export wizard around async validate/export and per-entity selection, introduces multi-replica connector slots with a license-gated Scaling tab, adds a Switch node and a strict-priority scheduler with recovery-mode controls, upgrades the frontend platform to React 19 / Vite 8 / Tailwind 4 / TypeScript 6, and pushes a deep performance and high-availability correctness pass across the engine, scheduler, license, and cache subsystems.

Highlights

  • Four new connectors — LoRaWAN (with a pipeline trigger node), AWS Lambda, NATS, and a native SMB connector — all wired into the existing function-selection, scaling, and dependency surfaces.
  • Sharing & Groups GA — Groups (full CRUD + membership + group-inherited roles + effective-permissions preview) and resource sharing (ShareDialog wired into Pipelines and Topics; share-aware list filters across Connections / Functions / Models / Dashboards) become user-facing features. clone is promoted to a first-class verb, closing a previous privilege-escalation gap.
  • Mount points — A new admin surface for subtree ownership of the UNS, with atomic subtree relocation and a visibility filter on the topic explorer.
  • Dependencies Graph rewrite — Tiered, clustered, paginated navigation with function and topic supernodes; frontier "+N more" expansion; consolidated filters with a dynamic-edges toggle; default 100-node cap; "View dependencies" shortcuts on every entity page.
  • Import/Export wizard refactor — Async export and validate paths, per-entity selection with cascade rules, deferred-item tracking, and a cleaner step-by-step flow.
  • Multi-replica connectors — A single connection can now be spread across multiple replicas without duplicate publishes or dropped subscriptions, surfaced through a new Scaling tab in every connector form (license-gated by advanced_access_control).
  • Switch node — A new pipeline node with N configurable output ports and multi-fire semantics.
  • Strict-priority scheduler + Recovery mode — Cron / interval / webhook fires move through a strict-priority queue with a starvation backstop; recovery mode adds per-execution cancel and org-wide clear-queue / cancel-running.
  • Dead-letter queue controls — Operators can now list, peek depth, replay, and discard failed lifecycle events directly.
  • Phone-home admin opt-out — Privacy tab on System Management with category toggles and a full audit trail.
  • Frontend platform upgrade — Coordinated React 19 + Vite 8 + Tailwind 4 + TypeScript 6 jump, with a follow-up Tailwind 4 sanity sweep.
  • HA correctness sweep — Permission changes, PAT revocations, license updates, and SMTP config changes now propagate across all replicas without restarts.

New Connectors

LoRaWAN

End-to-end support for LoRaWAN gateways and a dedicated pipeline trigger node. Includes a stable-subset hash for uplinks so onChange dedup is robust to volatile uplink payload fields.
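The stable-subset hash deserves a concrete shape, because the failure mode it fixes is easy to reproduce: the same LoRaWAN transmission is heard by several gateways, each copy carries different RSSI / SNR / receive-time / gateway fields, and a naive onChange key over the whole payload fires once per gateway. The example below is added here to illustrate that technique (it also covers the connector fix listed later under Connectors); it is not the MaestroHub connector's code. The `Uplink` field names, the choice of which fields count as stable, and the `ChangeDetector` gate are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Uplink is a simplified decoded LoRaWAN uplink. The field names are this
// example's assumptions, not the MaestroHub connector's schema.
type Uplink struct {
	DevEUI  string         `json:"devEUI"`
	FPort   int            `json:"fPort"`
	FCnt    uint32         `json:"fCnt"`      // frame counter: changes every transmission
	Payload string         `json:"payload"`   // base64 application payload
	Decoded map[string]any `json:"decoded"`   // codec output
	RSSI    int            `json:"rssi"`      // radio metadata: differs per gateway
	SNR     float64        `json:"snr"`       // radio metadata: differs per gateway
	RxTime  string         `json:"rxTime"`    // differs per gateway and per copy
	Gateway string         `json:"gatewayID"` // differs under multi-gateway reception
}

// stableSubset is the only input to the dedup hash. Radio metadata, receive
// time, gateway id and the frame counter are deliberately left out: one
// transmission heard by two gateways, or an unchanged reading sent again,
// must map to the same key so onChange fires only on a real change.
type stableSubset struct {
	DevEUI  string         `json:"devEUI"`
	FPort   int            `json:"fPort"`
	Payload string         `json:"payload"`
	Decoded map[string]any `json:"decoded"`
}

// DedupKey returns a hex SHA-256 over the canonical JSON encoding of the
// stable subset. encoding/json writes map keys in sorted order, so the
// digest does not depend on the order the codec populated Decoded.
func DedupKey(u Uplink) (string, error) {
	canon, err := json.Marshal(stableSubset{
		DevEUI: u.DevEUI, FPort: u.FPort, Payload: u.Payload, Decoded: u.Decoded,
	})
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canon)
	return hex.EncodeToString(sum[:]), nil
}

// ChangeDetector is an onChange gate keyed per device.
type ChangeDetector struct {
	last map[string]string // devEUI -> dedup key of the last uplink that fired
}

func NewChangeDetector() *ChangeDetector {
	return &ChangeDetector{last: map[string]string{}}
}

// Changed reports whether the uplink should fire the trigger: true for the
// first uplink from a device and whenever the stable subset differs from the
// last one that fired. Differences confined to volatile fields return false.
func (c *ChangeDetector) Changed(u Uplink) (bool, error) {
	key, err := DedupKey(u)
	if err != nil {
		return false, err
	}
	if prev, ok := c.last[u.DevEUI]; ok && prev == key {
		return false, nil
	}
	c.last[u.DevEUI] = key
	return true, nil
}

func main() {
	d := NewChangeDetector()
	// Constructed sample: one transmission heard by two gateways, then a new reading.
	a := Uplink{DevEUI: "70B3D57ED0000001", FPort: 2, FCnt: 10, Payload: "AQID",
		Decoded: map[string]any{"temp": 21.5}, RSSI: -110, SNR: 7.5, RxTime: "t1", Gateway: "gw-a"}
	b := a
	b.RSSI, b.SNR, b.RxTime, b.Gateway = -98, 9.2, "t1+3ms", "gw-b"
	c := a
	c.FCnt, c.Payload, c.Decoded = 11, "AQIE", map[string]any{"temp": 22.0}
	for _, u := range []Uplink{a, b, c} {
		fired, _ := d.Changed(u)
		fmt.Printf("gw=%s fcnt=%d fired=%v\n", u.Gateway, u.FCnt, fired)
	}
}
```

The frame counter is excluded on purpose: keeping it would make a repeated identical reading look like a change, which is exactly what onChange is meant to suppress. Duplicate-transmission suppression (same FCnt, different gateway) falls out of the same key.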

AWS Lambda

Invoke AWS Lambda functions from pipelines as a first-class connector — no more bespoke REST workarounds.

NATS

Native NATS connector for subscribing to and publishing on NATS subjects, sitting alongside the existing MQTT and Kafka connectors.

SMB

Native SMB connector for file-share workflows, with the standard scaling, function-selection, and dependency wiring.

All four connectors plug into the existing function-selection dialog (now consolidated across connectors), the new Scaling tab, the dependency graph, and the MCP explore_protocols tool.


Sharing, Groups & Mount Points

The 2.4.0 authorization redesign exposed the core primitives; 2.5.0 turns them into a user-facing experience.

Groups

  • Full CRUD — Create, edit, delete groups; manage membership from a new Groups tab.
  • Assign roles to groups — Grant roles at the group level; every member inherits them.
  • Group-inherited roles — The user-roles dialog now shows inherited roles alongside direct assignments.
  • Member count + effective-permissions preview — Pick a group and see exactly what permissions members will have, including license-tier-aware filtering.
  • Custom roles actually enforce — The custom-role enforcement gap from 2.4.0 is closed: define a role, see it gate the right routes, audit the change.

Sharing

  • ShareDialog wired into the Pipelines and Topic context menus. Shareable subjects resolve to human-readable labels.
  • Share-aware list filters rolled out to Connections, Functions, Models, and Dashboards so list pages reflect what you can actually see.
  • Subtree-scoped grants honored: topic:create on a mount root now permits all descendant creations.
  • Audit trail: resource.shared / resource.unshared events emitted for every share/unshare.

Mount Points

  • New admin tab for managing UNS subtree ownership.
  • Atomic subtree relocation — Move a subtree without breaking grants, audit references, or dependencies.
  • Visibility filter on topic explorer — Operators see exactly the subtree their grants reach, with mount-point boundaries respected.

Authz hardening

  • clone is now a first-class verb — Closes a privilege-escalation gap where cloning bypassed create checks.
  • Route guards extended to Sharing / Group / Impersonation endpoints; the previous /authz/roles* privilege-escalation gap is closed.
  • Custom-role audit — Every custom and built-in role lifecycle event is now audited.
  • Authz expiry + retention workers run on cron schedules.
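Two of the items above (clone as a first-class verb, and subtree-scoped topic:create grants) are worth seeing as an authorization check rather than a sentence, because both bugs are of the kind a reviewer only catches in code. The example below is added here for illustration; it is not MaestroHub's authz implementation. The `Grant`/`Subject` types, the slash-separated path scope, and the rule that clone requires the clone verb on the source plus create at the destination are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant binds a verb to a scope. Scope is "*" (org-wide) or a slash-separated
// resource path; a grant on a path covers the path and all its descendants.
// The verbs and path model are this example's, not MaestroHub's.
type Grant struct {
	Verb  string // "read", "create", "clone", ...
	Scope string // "*" or e.g. "plant1/line2"
}

type Subject struct {
	Name   string
	Grants []Grant
}

// covers is boundary-aware: "plant1" covers "plant1/line2/temp" but not
// "plant10/line1", which a bare HasPrefix check would wrongly allow.
func covers(scope, target string) bool {
	if scope == "*" || scope == target {
		return true
	}
	return strings.HasPrefix(target, scope+"/")
}

// Allowed is the single authorization decision point.
func (s Subject) Allowed(verb, target string) bool {
	for _, g := range s.Grants {
		if g.Verb == verb && covers(g.Scope, target) {
			return true
		}
	}
	return false
}

// CloneWithoutVerb is the pre-hardening shape: the handler only checks that
// the caller can read the source, so anyone with read can manufacture new
// resources they were never granted create on.
func CloneWithoutVerb(s Subject, src, dst string) error {
	if !s.Allowed("read", src) {
		return fmt.Errorf("%s: read denied on %s", s.Name, src)
	}
	return nil // dst is created without any create check
}

// CloneChecked treats clone as its own verb and still requires create at the
// destination, so clone can never grant more than create would.
func CloneChecked(s Subject, src, dst string) error {
	if !s.Allowed("clone", src) {
		return fmt.Errorf("%s: clone denied on %s", s.Name, src)
	}
	if !s.Allowed("create", dst) {
		return fmt.Errorf("%s: create denied on %s", s.Name, dst)
	}
	return nil
}

func main() {
	viewer := Subject{Name: "viewer", Grants: []Grant{{"read", "pipelines"}}}
	operator := Subject{Name: "operator", Grants: []Grant{
		{"read", "pipelines"}, {"clone", "pipelines"}, {"create", "pipelines"},
		{"create", "plant1"}, // topic:create on a mount root
	}}
	fmt.Println("viewer, old path:  ", CloneWithoutVerb(viewer, "pipelines/p1", "pipelines/p1-copy"))
	fmt.Println("viewer, new path:  ", CloneChecked(viewer, "pipelines/p1", "pipelines/p1-copy"))
	fmt.Println("operator, new path:", CloneChecked(operator, "pipelines/p1", "pipelines/p1-copy"))
	for _, topic := range []string{"plant1/line2/temp", "plant10/line1", "plant2"} {
		fmt.Printf("operator create %-18s %v\n", topic, operator.Allowed("create", topic))
	}
}
```

The `plant10` case is the one to keep in a test suite: subtree scoping is a path-prefix match, and the separator must be part of the match or a mount root silently covers every sibling that shares its first characters.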

Dependencies Graph Rewrite

The dependency graph — previously a single fan-out endpoint that loaded the entire org — is rebuilt around a tiered, clustered, paginated model.

  • Tier state machine with a truncation banner and a mode switcher.
  • Container types only by default — Focused tier bypasses the filter so you always see what you asked about.
  • Supernode rendering — Function and topic supernodes collapse large clusters into a single navigable group.
  • Frontier +N more affordances so it's clear when there's more to expand.
  • Paginated expansion panel for topic-prefix clusters and paginated dependents / dependencies lists in the detail panel.
  • Default 100-node cap with the unhelpful Focus on: chips dropped.
  • Search-first empty state for the focused tier, plus consolidated filters with a dynamic-edges toggle.

Performance

  • Layer-batched neighborhood walk also drives the export-dependency analyzer.
  • Indexed edge cache keeps lookups fast even on dense graphs.
  • Batched second-degree edge lookups unblock the deletion planner's transitive-impact step on large fan-outs.

Entry points

  • "View dependencies" shortcuts appear on every entity page.
  • Async dependency analysis on export, with progress and cancel.

Import / Export Refactor

A multi-phase rebuild of the import/export wizard splits long-running work onto async paths and gives users true per-entity control.

Async pipeline

  • Async export download — Backend produces the export off the request thread; the ExportWizard polls progress and lets users cancel.
  • Async validate path — Validate runs progress and surfaces deferred-item tracking before the user commits to an import.
  • Schema migration registry — Handles cross-version export upgrades without breaking older bundles.
  • HA-safe import sweeper — Multi-replica deploys no longer double-sweep stuck sessions.

Per-entity selection

  • Wizard checkboxes drive per-entity selection on import sessions.
  • Cascade rules — Deselecting a connection cascade-deselects its functions; topic cascade walks the parent tree recursively.
  • Per-type select-all / deselect-all buttons.
  • "Deselect all conflicts" bulk action for fast conflict resolution.
  • Snapshot reuse on execute — The wizard doesn't re-fetch what it just resolved at validate time.

Bulk-create rollout

  • Connections, functions, pipelines, topics, dashboards, models, and users all import through bulk-create paths, so a single bundle with hundreds of entities completes in seconds instead of one-at-a-time.

Wizard component refactor

  • Wizard state centralized and step components extracted, each tested in isolation. The ExportWizard refactor lands alongside tests, validate progress, and deferred-item tracking.

Multi-Replica Connectors

A new ownership model lets a single connection spread across multiple replicas without double-publishing or dropped subscriptions.

  • Slot-based ownership — Each connection declares N slots; an ownership coordinator assigns slots to replicas and rebalances on replica change.
  • Per-slot status visibility — The UI shows which slot is healthy on which replica.
  • Scaling tab in every connector form — Cluster size and slot count are surfaced directly in the connection edit form, license-gated by advanced_access_control.
  • InfluxDB form parity — Scaling and Health tabs added so every connector form has the same shape.
  • Tab row wraps Health on desktop, doesn't scroll on mobile — UX polish across the Scaling/Health sweep.
  • Single-binary deploys behave identically — the ownership coordinator is transparent when only one replica is running.
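The ownership coordinator is the part of this feature that decides whether "no duplicate publishes and no dropped subscriptions" actually holds: every replica must compute the same slot table from the same membership, and a replica leaving should move only the slots it owned. The example below is added to show one way to get those properties with rendezvous hashing; it is not MaestroHub's coordinator, and the `Slot`/`Assign`/`Owns` names and the choice of hash are this example's assumptions.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"sort"
)

// Slot identifies one of the N slots a connection declares.
type Slot struct {
	Connection string
	Index      int
}

func (s Slot) String() string { return fmt.Sprintf("%s#%d", s.Connection, s.Index) }

// Assignment maps every slot to exactly one owning replica.
type Assignment map[Slot]string

// Assign uses rendezvous (highest-random-weight) hashing: every replica
// scores every slot and the highest score owns it. The table depends only on
// the membership set, so all replicas agree without a leader, and when a
// replica leaves only the slots it owned get a new owner. Illustrative
// coordinator, not MaestroHub's.
func Assign(connection string, slots int, replicas []string) Assignment {
	out := make(Assignment, slots)
	if len(replicas) == 0 {
		return out // nobody owns anything: nobody publishes
	}
	members := append([]string(nil), replicas...)
	sort.Strings(members) // membership order must not change the result
	for i := 0; i < slots; i++ {
		slot := Slot{Connection: connection, Index: i}
		var best string
		var bestScore uint64
		for _, r := range members {
			if sc := score(slot, r); best == "" || sc > bestScore {
				best, bestScore = r, sc
			}
		}
		out[slot] = best
	}
	return out
}

func score(s Slot, replica string) uint64 {
	h := fnv.New64a()
	h.Write([]byte(s.String()))
	h.Write([]byte{0})
	h.Write([]byte(replica))
	return h.Sum64()
}

// Moved lists the slots whose owner changed between two assignments.
func Moved(before, after Assignment) []Slot {
	var moved []Slot
	for slot, owner := range after {
		if before[slot] != owner {
			moved = append(moved, slot)
		}
	}
	sort.Slice(moved, func(i, j int) bool { return moved[i].Index < moved[j].Index })
	return moved
}

// Owns is what a replica checks before publishing or keeping a subscription
// alive for a slot; anything it does not own it must release.
func Owns(a Assignment, replica string, slot Slot) bool { return a[slot] == replica }

func main() {
	before := Assign("conn-1", 6, []string{"r1", "r2", "r3"})
	after := Assign("conn-1", 6, []string{"r1", "r3"}) // r2 left the cluster
	for i := 0; i < 6; i++ {
		s := Slot{Connection: "conn-1", Index: i}
		fmt.Printf("%s: %s -> %s\n", s, before[s], after[s])
	}
	fmt.Println("moved:", Moved(before, after))
}
```

Rendezvous hashing buys minimal movement at the cost of only approximate balance; a coordinator that wants strict balance (at most one slot difference between replicas) has to accept more slot movement on membership change. Either way the single-replica case degenerates to "one member owns every slot", which is why a Lite deployment sees no behavioural difference.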

Engine

Switch node

A new pipeline node with N configurable output ports. Each port has its own condition; multiple ports can fire from a single input ("multi-fire"). Replaces the older if-chain workaround.

Strict-priority scheduler

  • Strict-priority queue scheduler with a starvation backstop — high-priority cron / interval / webhook fires preempt low-priority work, but the backstop guarantees low-priority work eventually runs.
  • Per-lane pressure surface — Operators can see exactly which priority lane is backed up.
  • Per-org partitioning so a noisy org can't starve a quiet one.

Recovery mode

  • Per-execution cancel — Cancel a specific in-flight execution from the UI.
  • Org-wide clear-queue / cancel-running — Drain a wedged org without restarting the engine.
  • Queue-depth peek — See exactly how much is queued before draining.

Scheduler correctness

  • Cap cron / interval concurrency per-trigger + a skip-on-cap mode and UI throttling visibility — prevents a long-running pipeline from spawning a runaway pile of pending fires.
  • Deterministic execution IDs for cron / interval fires.
  • Webhook handler falls back to an authoritative lookup on cache miss instead of dropping the fire silently.
  • Throttling badge renders correctly: fires_skipped is now tenant-labeled and preserves the unsanitized trigger key.
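The scheduler items above (strict priority with a starvation backstop, per-org partitioning, and the per-trigger concurrency cap with skip-on-cap and a tenant-labeled fires_skipped counter) fit together in one small queue, and it is easier to reason about the interactions in code than in prose. The example below is added to illustrate that design; it is not MaestroHub's scheduler. The three-lane priority model, the meaning of `Backstop`, the `org|trigger` counter key and the `Scheduler` API are this example's assumptions.

```go
package main

import "fmt"

const (
	PrioHigh = iota
	PrioNormal
	PrioLow
	numLanes
)

// Fire is one firing of a cron / interval / webhook trigger.
type Fire struct {
	Org, Trigger string
	Priority     int
}

type orgQueue struct {
	lanes  [numLanes][]Fire
	streak int // picks in a row that bypassed waiting lower-priority work
}

func (q *orgQueue) highest() int { // highest-priority non-empty lane, -1 if none
	for p := 0; p < numLanes; p++ {
		if len(q.lanes[p]) > 0 {
			return p
		}
	}
	return -1
}

func (q *orgQueue) lowest() int { // lowest-priority non-empty lane, -1 if none
	for p := numLanes - 1; p >= 0; p-- {
		if len(q.lanes[p]) > 0 {
			return p
		}
	}
	return -1
}

// Scheduler: strict priority within an org, round-robin across orgs, a
// starvation backstop, and a per-trigger cap that skips (and counts) fires
// while a trigger already has Cap fires pending or running. Illustrative
// design, not MaestroHub's implementation.
type Scheduler struct {
	Backstop     int            // serve the lowest waiting lane after this many bypasses
	Cap          int            // max pending+running fires per org/trigger (0 = unlimited)
	FiresSkipped map[string]int // tenant-labeled counter, keyed "org|trigger"

	orgs     map[string]*orgQueue
	order    []string
	cursor   int
	occupied map[string]int // "org/trigger" -> pending + running
}

func NewScheduler(backstop, capPerTrigger int) *Scheduler {
	return &Scheduler{Backstop: backstop, Cap: capPerTrigger,
		FiresSkipped: map[string]int{}, orgs: map[string]*orgQueue{}, occupied: map[string]int{}}
}

// Enqueue returns false when the fire was skipped because its trigger is at cap.
func (s *Scheduler) Enqueue(f Fire) bool {
	key := f.Org + "/" + f.Trigger
	if s.Cap > 0 && s.occupied[key] >= s.Cap {
		s.FiresSkipped[f.Org+"|"+f.Trigger]++ // skip-on-cap: no runaway pile of pending fires
		return false
	}
	if f.Priority < PrioHigh || f.Priority >= numLanes {
		f.Priority = PrioNormal
	}
	q := s.orgs[f.Org]
	if q == nil {
		q = &orgQueue{}
		s.orgs[f.Org] = q
		s.order = append(s.order, f.Org)
	}
	q.lanes[f.Priority] = append(q.lanes[f.Priority], f)
	s.occupied[key]++
	return true
}

// Next pops the fire to run next; ok is false when nothing is queued.
func (s *Scheduler) Next() (f Fire, ok bool) {
	for n := 0; n < len(s.order); n++ {
		q := s.orgs[s.order[s.cursor%len(s.order)]]
		s.cursor++ // round-robin over orgs: a noisy org cannot monopolise the engine
		hi, lo := q.highest(), q.lowest()
		if hi < 0 {
			continue
		}
		lane := hi
		switch {
		case hi == lo:
			q.streak = 0 // nothing lower is waiting, nothing is being bypassed
		case q.streak >= s.Backstop:
			lane, q.streak = lo, 0 // backstop: the starving lane gets one turn
		default:
			q.streak++
		}
		f, q.lanes[lane] = q.lanes[lane][0], q.lanes[lane][1:]
		return f, true
	}
	return Fire{}, false
}

// Done releases the trigger's concurrency slot once the execution finishes.
func (s *Scheduler) Done(f Fire) { s.occupied[f.Org+"/"+f.Trigger]-- }

func main() {
	s := NewScheduler(2, 10)
	for i := 0; i < 4; i++ {
		s.Enqueue(Fire{"acme", fmt.Sprintf("hourly-%d", i), PrioHigh})
	}
	s.Enqueue(Fire{"acme", "nightly-report", PrioLow})
	s.Enqueue(Fire{"quiet-org", "heartbeat", PrioNormal})
	for f, ok := s.Next(); ok; f, ok = s.Next() {
		fmt.Printf("run %s/%s (prio %d)\n", f.Org, f.Trigger, f.Priority)
		s.Done(f)
	}
}
```

The counter is keyed by org as well as trigger on purpose: without the tenant label, two orgs with a trigger of the same name would share one fires_skipped series and the throttling badge could not tell them apart.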

Hot-path performance

A focused performance sweep landed:

  • License feature-check cache — ~17 % hot-path CPU recovered, kept fresh by lifecycle events.
  • Connector function cache — ~10 % hot-path CPU recovered, kept fresh by lifecycle events.
  • Node-output copy hot path — 3.1× faster on a 10 k-iteration workload, 78 % less memory.
  • ForEach hot-path series — −23–37 % wall time, −54 % allocations, −98 % mutex contention.
  • Pooled sub-executors and map reuse in the ForEach loop body path.
  • Batched loop-body iteration writes to avoid root-mutex serialization.
  • Compiled-expression cache — Per-Get LRU bookkeeping dropped for faster lookups.
  • OPC UA ReadGroup folded into a single multi-node read RPC.
  • OPC UA session pool with subscription / browse affinity (opt-in).
  • Kafka producer pool — Parallelizes response routing.
  • In-process RPC for single-binary deployments — Lite no longer pays a network hop cost between in-process modules.

Correctness fixes

  • Fan-in skipped when ancestor goes false — Regardless of BFS depth, fan-in now propagates correctly when an upstream node deactivates.
  • Executors fail-fast on expression errors instead of emitting raw template strings.
  • Bounded retention defaults on the dead-letter queue.
  • User pipeline failures don't ERROR-log or trigger broker retry — Application-level errors stay at the application layer.
  • Pipeline persistence level honored on debounced failures: none persistence no longer leaks DB writes on failure paths.
  • Cached pipeline executions are now attributed to the trigger that actually fired, not a sibling.
  • Node-action route gated per-action verb instead of a blanket pipeline:run.
  • Parallel ForEach iteration is now opt-in via a Concurrency setting on the node.

High-Availability Correctness

A focused sweep closed long-standing HA correctness gaps where each replica held its own stale view.

  • Permission changes propagate across replicas — A role grant on one replica now applies on the others without restart.
  • PAT revocations propagate across replicas — A revoked Personal Access Token can no longer keep working on a replica that didn't issue it.
  • License updates propagate across replicas — Feature flags and license changes apply everywhere without restart.
  • SMTP config hot-swap — Email server changes apply without restarting every replica.
  • Single fleet heartbeat — The license fleet heartbeat is now a leader-elected singleton instead of one per replica.
  • OAuth2 session codes persisted — Previously per-replica state was breaking ~67 % of HA logins.
  • Audit log integrity preserved under HA load — The hash chain stays linear regardless of how many subscribers are consuming.
  • Lite trial self-heal across host sleep — Trial expiry recovers correctly even when the host was suspended.
  • Operator dead-letter queue surface — List, peek depth, replay, or discard failed lifecycle events.

Edge-manager HA

  • Configurable NATS + fleet license-cache invalidation finalize production-grade HA for edge deploys.

Phone-Home & Audit

Admin opt-out

  • Privacy tab on the System Management page with category toggles and an audit trail.
  • Admins-only visibility — Telemetry is registered as an authz entity so only admins see the Privacy tab.
  • Single send under HA — Telemetry doesn't double-send across replicas; one leader-elected sender per cluster, plus an always-on coordinator in Lite.

Audit coverage

  • Coverage gaps closed — License, impersonation, oauth2, and fleet now produce audit records on their dedicated audit streams.
  • Sharing events audited: resource.shared / resource.unshared events emitted for every share/unshare.
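The audit-log integrity item under High-Availability Correctness ("the hash chain stays linear regardless of how many subscribers are consuming") rests on one rule: sequence assignment, reading the previous hash, and the write must be a single critical section, otherwise two concurrent writers fork the chain. The example below is added to show a hash-chained append-only log that keeps that rule under concurrent writers, plus the verifier that detects a forked or tampered chain; it is not MaestroHub's audit implementation. The `Entry` layout, the genesis value, the domain separator in `entryHash`, and the `Tamper` test hook are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
)

// Entry is one audit record. Hash commits to the sequence number, the
// previous entry's hash and the payload, so any edit, reorder or fork
// breaks verification at the first affected entry.
type Entry struct {
	Seq      uint64
	PrevHash string
	Payload  string
	Hash     string
}

var genesis = strings.Repeat("0", 64) // previous hash of the first entry

func entryHash(seq uint64, prev, payload string) string {
	h := sha256.New()
	var seqBytes [8]byte
	binary.BigEndian.PutUint64(seqBytes[:], seq)
	h.Write(seqBytes[:])
	h.Write([]byte(prev))
	h.Write([]byte{0}) // separator so prev||payload cannot be re-split
	h.Write([]byte(payload))
	return hex.EncodeToString(h.Sum(nil))
}

type AuditLog struct {
	mu      sync.Mutex
	entries []Entry
}

// Append serializes writers: seq assignment, the prev-hash read and the write
// all happen under one lock, so concurrent producers cannot fork the chain.
func (l *AuditLog) Append(payload string) Entry {
	l.mu.Lock()
	defer l.mu.Unlock()
	prev, seq := genesis, uint64(0)
	if n := len(l.entries); n > 0 {
		prev, seq = l.entries[n-1].Hash, l.entries[n-1].Seq+1
	}
	e := Entry{Seq: seq, PrevHash: prev, Payload: payload, Hash: entryHash(seq, prev, payload)}
	l.entries = append(l.entries, e)
	return e
}

func (l *AuditLog) Len() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.entries)
}

// Verify walks the chain and returns the index of the first bad entry, or -1.
func (l *AuditLog) Verify() (ok bool, badIndex int) {
	l.mu.Lock()
	defer l.mu.Unlock()
	prev := genesis
	for i, e := range l.entries {
		if e.Seq != uint64(i) || e.PrevHash != prev || e.Hash != entryHash(e.Seq, e.PrevHash, e.Payload) {
			return false, i
		}
		prev = e.Hash
	}
	return true, -1
}

// Tamper edits a stored payload in place; it exists only to show detection.
func (l *AuditLog) Tamper(i int, payload string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.entries[i].Payload = payload
}

// ConcurrentFill appends from several goroutines at once, as several
// subscribers or replicas would.
func ConcurrentFill(l *AuditLog, writers, perWriter int) {
	var wg sync.WaitGroup
	for w := 0; w < writers; w++ {
		wg.Add(1)
		go func(w int) {
			defer wg.Done()
			for i := 0; i < perWriter; i++ {
				l.Append(fmt.Sprintf("writer-%d event %d", w, i)) // constructed payloads
			}
		}(w)
	}
	wg.Wait()
}

func main() {
	log := &AuditLog{}
	ConcurrentFill(log, 8, 50)
	ok, bad := log.Verify()
	fmt.Printf("entries=%d verified=%v bad=%d\n", log.Len(), ok, bad)
	log.Tamper(3, "resource.unshared by someone else")
	ok, bad = log.Verify()
	fmt.Printf("after tamper: verified=%v bad=%d\n", ok, bad)
}
```

If the lock were dropped and two writers read the same tail concurrently, both would produce entries with the same Seq and PrevHash; the verifier reports the second one as the first bad index, which is exactly the "non-linear chain" symptom the release fixes.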

UNS

Topic explorer & sharing

  • Visibility filter on the topic explorer — Operators only see what their grants reach.
  • ShareDialog wired into the topic tree context menu.
  • topic:create respects subtree scope — Granting topic:create on a mount root permits all descendant creations.

MQTT 5 features

  • MQTT 5 shared subscriptions + cross-replica broker reload + settings audit.
  • MQTT-over-WebSocket discovery survives broker drops and reload.
  • MQTT discovery — Live Active Discoveries panel and a consistent camelCase HTTP wire format.
  • Member topic writes unblocked — The previous over-restrictive authz check is fixed.

Storage & resilience

  • Topic auto-create hot path hardened against racy publish floods — No more duplicate-row failures under burst.
  • Pebble storage — Production-safe replacement for the previous dependency, carrying a panic-safety patch.
  • Pebble ⇆ TimescaleDB switch now works in both directions; the previous TimescaleDB-to-Pebble switch silently no-op'd.
  • Metadata decoupled from historian — Plus a pool exhaustion fix; metadata writes no longer back up behind historian writes.
  • Case-insensitive topic search no longer ignores rows with missing search vectors.
  • Empty-results and broken-labels endpoint fixes shipped.

Frontend Platform

  • React 19 + Vite 8 + Tailwind 4 + TypeScript 6 — One coordinated upgrade across the application.
  • Tailwind 4 sanity sweep — Outline and opacity utilities reconciled with the new defaults.
  • Security + patch sweep across UI and shared package trees.
  • Sidebar rail + ⌘B replaces the floating sidebar toggle — Now matches the keyboard expectation set by every major IDE.
  • URL rehydration sweep — Log filters, sorts, pagination, and fleet pages all rehydrate state from the URL on cold load.
  • Filter state rehydration for logs, connections, and topic views.
  • "View on canvas" opens in a new tab to preserve filter options.

Output panels & previews

  • Bounded inline previews + virtualized output panel prevent freezes on large results.

Toast & error envelope

  • Stray toast call sites routed through the design-system toast.
  • HTTP error responses converged on a single envelope — the UI no longer has to special-case legacy error shapes.

Other UI fixes

  • Duplicate Identity & Access sidebar item removed.
  • Dashboard line-shape morph on refresh fixed.
  • Pipeline canvas right-click + shortcut bugs — Including a copy-shortcut fix that respects text selection.
  • Flexible node output handles — Focus and keyboard quirks fixed.
  • Execution History gates aligned with the backend read verb.
  • Global search returns results again.
  • Connection edit page — Functions list filters and pagination fixed.
  • Connections, functions, pipeline editor — A bundled set of UX fixes landed late in the cycle.

Debug & Observability Tools

  • /debug/pprof gated on System.Admin and an in-app speedscope viewer added — Profile sampling is one click, no external tooling required.
  • Quick-download row on /debug/profile — Stream a CPU / memory / goroutine profile directly from the UI.
  • Improved /debug/profile layout and alignment.
  • PAT list refreshes immediately on create, not on the Done click.

Monitoring

  • PromQL-style aggregation semantics in the Lite monitoring backend — Lite query results now match what Prometheus would have returned for the same expression.
  • Tenant-scoped Overview metrics + System tab restored.
  • Latency + trigger charts decay after pipelines stop — Previously held the last value indefinitely.

Connectors (additional fixes)

  • OPC UA / DA browsers now use NodeId-based function naming for stable, replay-safe identifiers.
  • Connection delete with many functions no longer crashes or times out — Function deletion is batched, and the deletion-planner fan-out is bounded.
  • First execute is no longer slow on a freshly created function — Compile cache populates on creation.
  • Reconnect is reliable — Per-connection routing is now registered only after reconnect succeeds.
  • Suspend / resume lifecycle — Routes, persistence, and error visibility fixed end-to-end.
  • REST connector — Raw body restored in the result for non-JSON responses.
  • Modbus Read Group coalescing is now safe for sparse register maps.
  • LoRaWAN uplink: onChange dedup keys on a stable subset of the uplink payload.
  • Function selection dialogs consolidated across every connector.

Deployment & Operations

  • Portainer App Template — Finalized template artifacts for upstream submission to portainer/templates@v3.
  • DFS Stack install tab added to the docs deployment guide.
  • Lite / GCP — UNS historian defaults to Pebble.
  • Third-party notices rendering bug fixed; notices file regenerated.
  • Security scanning — Trivy + Semgrep added as a fast PR-time gate.
  • Trivy + OSV remediations — Alpine OS, Go dependencies, and stdlib all moved to current.
  • All gosec HIGH / MEDIUM and reachable govulncheck findings cleared.

Documentation

  • Platform Tour docs page — A new guided overview based on the partner-onboarding material the delivery team prepared.
  • MaestroHub Loop diagram replaces the ISA-95 pyramid on the overview page.

Notable Bug Fixes

A non-exhaustive list of correctness fixes that landed in this release:

  • HA logins failed for ~67 % of attempts — OAuth2 session codes were per-replica; now persisted.
  • Audit log integrity under HA load — The hash chain stays linear regardless of subscriber count.
  • Permission changes didn't propagate across replicas — Now broadcast cluster-wide.
  • PAT revocations stayed valid on replicas that didn't issue the token — Now broadcast cluster-wide.
  • License trial didn't survive a host sleep — Now self-heals automatically.
  • Topic auto-create could fail on publish floods — Hot path hardened.
  • Topic search ignored rows with missing search vectors — Case-insensitive search now matches them.
  • Global search dropped every result — Fixed after the API client refactor.
  • Logs reader rejected INTEGER timestamp columns in SQLite.
  • Cached pipeline executions were attributed to the wrong trigger.
  • Connection delete with many functions crashed or timed out.
  • MQTT discovery didn't survive broker drops — Now reload-safe.
  • Pebble ⇆ TimescaleDB switch was a silent no-op in one direction.

Backward Compatibility

All existing role assignments, custom policies, pipeline configurations, and connector configs from 2.4.x continue to work without changes.

API endpoints, function signatures, config fields, and CLI flags from 2.4.x continue to work. New fields have sensible defaults so existing configs run unchanged. Database migrations are additive.

The new Scaling tab and multi-replica slot model are license-gated by advanced_access_control; Foundation deployments see the existing single-slot behavior unchanged.


Getting Started

Download a native binary or pull the Docker image and follow the Getting Started guide to have MaestroHub running in minutes.