Version: 2.2

MaestroHub 2.2.0 Release Notes

MaestroHub 2.2.0 introduces an OAuth2/OIDC provider with personal access tokens, three new industrial and cloud connectors, a version history and revert system for pipelines and models, connection suspend/resume for planned maintenance, and expanded MCP tools for node introspection and dashboard management.

Highlights

  • OAuth2/OIDC provider — Full authorization code flow with PKCE, personal access tokens with 16 granular scopes, and license-gated client management.
  • 3 new connectors — BACnet, AWS IoT SiteWise, and Azure Blob Storage.
  • Version history & revert — Browse, compare, and revert pipeline and model versions with side-by-side diffs and canvas previews.
  • Connection suspend/resume — Explicitly suspend connections during planned maintenance to stop health checks, reconnection attempts, and log noise.
  • UNS dashboards phase 2 — Dual Y-axis bar charts, per-panel validation, stat panel text modes, and MCP dashboard tools.

OAuth2/OIDC Provider & Personal Access Tokens

  • Full OAuth2/OIDC provider — Authorization code flow with PKCE, JWK rotation, discovery endpoints, and a client management UI.
  • Personal Access Tokens (PATs) — Create revocable API tokens with usage tracking and a limit of 50 active tokens per user.
  • 16 granular scopes — Pipelines, models, connectors, UNS, dashboards, and organizations, each with read/write/execute levels. Users can only request scopes they actually have permissions for.
  • License-gated client management — OAuth2 client registration and management requires the oauth2_clients license feature; standard OAuth2 protocol endpoints remain available to all users.
  • MCP user attribution — Entities created via MCP tools are now attributed to the authenticated user instead of a generic identity.
  • Lite support — OAuth2 and MCP configuration included in Lite builds with SQLite storage.

New Connectors

BACnet

  • Communicate with BACnet/IP devices over UDP.
  • Multi-Read batches multiple objects and properties in a single request for reduced network overhead.
  • Object Browse discovers available objects on a device with property inspection.
  • Dedicated BACnet Read pipeline node under the Industrial category.

AWS IoT SiteWise

  • Write via BatchPutAssetPropertyValue, Read latest values by alias or asset ID, and Browse the asset hierarchy interactively.
  • Auto-modeling creates asset models and assets on first write — no manual SiteWise console setup required.
  • Store & forward buffers failed writes in memory and retries in the background with 7-day TTL eviction.
  • Supports static IAM credentials and the AWS default credential chain (env vars, instance roles, ECS task roles, EKS pod identity).

Azure Blob Storage

  • Three auth methods: connection string, shared key, and service principal OAuth2.
  • Eight function types covering full blob and container operations (list, read, write, delete for both blobs and containers).

Version History & Revert

  • Version history viewer — New History tab with a timeline of all past versions showing change summaries, user info, and timestamps.
  • Version detail view — Read-only snapshot at any version with inline change highlights (added, removed, modified).
  • Version comparison — Side-by-side diff of any two versions covering fields, labels, nodes, edges, and settings.
  • Pipeline canvas preview — Interactive read-only canvas with color-coded diff overlays for nodes and edges.
  • Revert — Revert to any past version via confirmation dialog; creates a new version with a "Reverted" change type.

Connection Suspend/Resume

  • Operators can explicitly suspend connections for planned maintenance.
  • Suspended connections stop health checks, reconnection attempts, and log noise.
  • Function execution returns a clear error with the connection name and suspend reason.
  • Optional suspend reason displayed as amber status text in the UI.
  • State persists across server restarts. Resume resets the circuit breaker and reconnects immediately.
  • Gated by the connection:update RBAC permission.

UNS Dashboard Enhancements

  • Dual Y-axis support for bar charts with automatic disabling in horizontal orientation.
  • Per-panel validation — Gauge min/max, line/bar Y-axis, candlestick field uniqueness, sankey field difference, and heatmap bucket/aggregation checks with inline warnings.
  • Stat panel text mode — Choose between displaying value, name, or both.
  • Threshold bands — Validation and a "Duplicate threshold" button for quick setup.
  • MCP dashboard tools — Dashboard CRUD and panel management are now available as MCP tools.

MCP Engine Improvements

  • engine_get_node_type — New tool to fetch detailed configuration and output schemas for a specific node type.
  • engine_list_node_types — Now supports category filtering and returns lightweight summaries.

Pipeline Engine Improvements

  • ForEach empty array fix — Nested ForEach with an empty source array no longer executes body nodes incorrectly.
  • Adjustable iteration index — Iteration number is now directly editable (click to type, Enter to jump) in both the Node Test Panel and Execution Replay, eliminating tedious clicking through long loops.
  • Parallel executor stability — Resolved a crash during ForEach loop shutdown.
  • Name reuse after delete — Pipeline and model names can now be correctly reused after deletion.

Operations & Reliability

  • Connection credential updates — Credential changes during an in-flight restart are now applied immediately instead of being silently dropped.
  • Connection status history — Fixed status history not recording in memory mode.
  • License resource limits — Licenses can now enforce maximum pipelines, connections, and users, displayed on the license page.
  • Dependency graph visual overhaul — New color palette, gradient fills, entity type icons, curved edges with animated particles, level-of-detail rendering across zoom levels, and performance optimizations.

Security

  • PAT scope validation — The server validates that users have permissions for the scopes they request, preventing privilege escalation.
  • OAuth2 secret enforcement — Empty or short secrets are rejected.
  • JWT issuer validation — Token validator checks the iss claim to prevent cross-tenant token reuse.
  • Org-scoped client listing — OAuth2 clients are scoped to the user's organization.
  • Dependency updates — Pinned Alpine postgresql16-client to >=16.13-r0, upgraded expr-lang/expr to v1.17.7, and patched HIGH severity vulnerabilities in frontend dependencies.

Bug Fixes

  • Fixed soft-deleted UNS topics preventing recreation; added cascade delete in UI and parent hierarchy restoration.
  • Fixed dashboard folders not loading when a dashboard was assigned to one.
  • Fixed batch delete buttons submitting the parent form instead of performing the delete action.
  • Fixed PAT table date formatting and column alignment issues.

Getting Started

Pull the Docker image or download a native binary and follow the Getting Started guide to have MaestroHub running in minutes.