From e57bd79b7f9e0a63ad44a38449a59c697259643d Mon Sep 17 00:00:00 2001 From: Alexei Mochalov Date: Tue, 28 Apr 2026 19:43:25 +0200 Subject: [PATCH] Release notes 1.69 --- release-notes/1-69-0-release-notes.md | 45 +++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 release-notes/1-69-0-release-notes.md diff --git a/release-notes/1-69-0-release-notes.md b/release-notes/1-69-0-release-notes.md new file mode 100644 index 0000000..1a9dea1 --- /dev/null +++ b/release-notes/1-69-0-release-notes.md 
@@ -0,0 +1,45 @@ +# Platform Update 1.69 + +This release introduces **Union Role Mapping** for SSO, scopes bucket listings to a user's actual access (including admins), and improves the Benchling integration with auto-refreshing canvases and review-record export. Several stack-admin and variant changes round out the release. + +## New Quilt Platform Features + +### Union Role Mapping for SSO + +SSO configurations can now opt into a `union_roles: true` flag that assigns users the **union of all matching mapping roles** at login, instead of stopping at the first match. Users switch between assigned roles via the existing role switcher, and roles that are no longer matched on a subsequent login are automatically revoked. + +Key behavior under `union_roles: true`: + +- **Union assignment**: Every mapping rule whose match condition fires contributes its role to the user +- **Auto-revocation**: Roles no longer in the matched set are removed on next login +- **Tri-state admin**: The `admin` field becomes three-valued — omitted (no vote), `true` (grant), `false` (veto). An explicit `admin: false` blocks admin even if another matching mapping grants it +- **Backward compatible**: Default remains first-match-wins. Existing SSO configs see no behavior change + +This is opt-in; existing customers do not need to take action. + +### Role-Scoped Bucket Listings (including Admins) + +User-facing bucket listings — the catalog navbar, the landing-page grid, the bucket-search filter, and the MCP `bucket_list` tool — now respect a user's role scope. Previously, admins always saw the full bucket inventory regardless of role; admins now see the same scoped list as other users with the same roles. + +Administrators who need access to additional buckets can still manage them through the Admin → Buckets interface. 
+ +### Benchling Integration Improvements + +The Benchling integration adds two notable behaviors in this release: + +- **Auto-refreshing canvas**: After a Quilt package revision is exported, the Benchling canvas refreshes automatically — the "pending → complete" transition is now seamless, and the canvas remains reachable for browsing while a re-export is in flight +- **Review-record export trigger**: `reviewRecord` entry events from Benchling now trigger the standard package export workflow, so reviewed entries flow through the same path as primary entries + +## Other Improvements + +- The Admin Buckets editor no longer surfaces the **Overview URL** and **Structured data (JSON-LD)** fields. Both supported features that were specific to the obsolete OPEN stack +- Fixed an "Error resolving revision" flash that briefly appeared when navigating to a just-created package +- `ConnectAllowedHosts` now supports leading-dot domain suffixes (e.g. `.benchling.com`) to allow any subdomain over HTTPS, simplifying configuration for SaaS integrations with sub-domain rotation +- Deny manual bucket management via bucket policies — all bucket configuration changes must now go through CloudFormation, eliminating drift between deployed and declared state +- Fixed Okta `ClientId` and `BaseUrl` resolution in Terraform configurations +- The `s3-proxy` container image is rebased on an updated Amazon Linux 2023 base for routine security maintenance + +## Variants + +- **open-quilt-bio**: Replaced specific Benchling hostnames with domain-suffix wildcards (`.benchling.com`, `.bnchdev.org`, `.bnch.us`); added HubSpot marketing analytics tracking +- **nightly**: Adopted the same Benchling suffix wildcards; dropped Google and OneLogin SSO providers (Okta, Microsoft/Entra, and password remain)
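Review bot: In the "Union Role Mapping for SSO" section, the "Tri-state admin" bullet defines `true` (grant) and `false` (veto) but never states the outcome when every matching mapping omits `admin`, nor whether an admin grant from an earlier login is removed in that case the way roles are under "Auto-revocation". Because this rule decides who holds admin after login, spell out the resolution in one sentence covering the three cases: no votes, at least one `true` with no `false`, and any `false`. The same section should also say which role becomes active when the user's currently selected role is auto-revoked. Two smaller points under "Other Improvements": the `ConnectAllowedHosts` bullet should say whether a leading-dot entry such as `.benchling.com` also matches the bare domain or only subdomains, and the "Deny manual bucket management via bucket policies" bullet describes a change that stops existing manual workflows ("all bucket configuration changes must now go through CloudFormation") without telling operators who edit buckets by hand what they need to do; consider moving it to its own heading with the required action. That bullet is also the only one written in the imperative; "Manual bucket management is now denied via bucket policies" would match the others.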