v0.0.38 — Dashboards overhaul, org-isolation, CircleCI

Released: 2026-05-02

The largest release since v0.0.31. Three big themes:

1. Dashboards — full set of new card types, conditional formatting, AI-generator polish, unified filter bar.
2. Org-isolation — opt-in RLS scaffolding; closes 17 cross-tenant leaks across data_connectors and pipelines; per-org plugin and license entitlements.
3. CircleCI is now the sole release builder, replacing Jenkins (which OOM'd on the Nuitka link phase) and the GitHub Actions release workflow (disabled in this release).

Features

Dashboards

• New card types: sparkline, big_number, treemap, bullet (actual vs target with bands), calendar_heatmap, metric_grid (many KPIs in one card), pie_3d, geo_scatter (pins with size/color encoding), section_divider (first-class text card).
• Conditional formatting for KPI cards and pivot heatmap shading.
• Dashboard-wide color theme override — pin a palette per dashboard.
• Time-range presets plus URL-persisted filters — share a dashboard URL with the active range and filters baked in.
• Unified active-filters bar plus a UI to manage global filter widgets.
• Per-card live auto-refresh with a Live badge.
• Reorder pages with a neighbor-swap endpoint.
• AI generator honors the 24-col grid, picks from the new card types, and the prompt is value-aware (samples real values, not just schema).
• Editor: card_config knobs exposed in the UI; chart shape, drill-down, and KPI format knobs added.

Datasets and Flow

• Dataiku-style Settings tab — Source & Connection panel, Storage row, project-scoped routes, sub-tabs.
• Parent Recipe button plus a dedicated Data Quality tab.
• Live dbt-test execution plus a History tab for non-lakehouse datasets.
• Multi-sheet xlsx upload with tenant-aware LLM schema context.
• Split recipe (1 input → N outputs) and LLM connector for chat-SQL on the flow.
• Run button on bare-model dbt recipes.

Plugin host

• Per-org enable/disable — API plus UI toggle, audit log entries on enable/disable.
• Per-tenant plugin enablement.
• Plugin-declared dbt workspaces auto-register on enable.
• Build-time frontend override aggregator plus a useOverride React hook for plugin UI overrides.

Security and licensing

• Per-org entitlements resolver — organizations refactored to carry license tier and feature flags.
• Org-access helper plus opt-in RLS scaffolding.
• RBAC: project visibility defaults to allow; auto-stitches on user/project create.
• Org Setup Wizard for super-admin onboarding.

Scheduler (Phase 1–3 unwind)

• send_email_report step type — reports folded into scenarios (Phase 3).
• scenario_templates plus per-project enable matrix (Phase 2).
• Retired pipeline_schedules (Phase 1) — single scheduling surface now.

Onboarding

• Idempotent /seed endpoint for tenant provisioning — tenant seed scripts now use the shared onboarding service.
• API-driven default project on install (replaces the dead tenants.py path).

Fixes

Cross-tenant leaks (the headline security work)

• Closed 17 data_connectors and 2 pipeline cross-tenant leaks.
• Cleared org-isolation baselines across agent_tools, knowledge_bases, sync_recipes, notebooks, scheduled_reports, jobs, flow_ai, flow_codegen, lineage, pipeline.py, and 8 small routers.
• Corrected RLS table categorization in the org-isolation migration.
• Closed out the remaining TODO(org-isolation) markers.

Dashboards

• Drop dashboard_cards.card_type CHECK constraint that blocked new card types.
• Single source of truth for grid resolution.
• Auto-fit choropleth viewport to its features; province name normalized across upstream GeoJSON sources.
• Text cards render as clean section dividers (chrome stripped in view mode); card_config fallback when SQL is empty; canonical text-card content storage at the API boundary.
• Widen dashboard view pages on large displays.
• KPI cards honor value/label row convention.
• AI generator: escape braces in the metric_grid example prompt.
• Silence ResponsiveContainer width(-1)/height(-1) on first paint.

Datasets, lineage, scheduler

• /runs endpoint queries job_runs only — pipeline_runs lacks log_output on prod.
• Hide Connection row for internal dbt-managed datasets.
• Lineage: materialized file uploads emit as resource_type=source.
• materialize: correct resolve_dataset arg order; sweep upload mirrors.
• Scheduler: heartbeat liveness plus trigger_config 500 fixed; silent FE catch removed; schema drift check at startup.
• schema_loader: bump value-sampling default from 10 to 30.

Auth / SSO

• Google SSO now clears the must_reset_password gate (was blocking SSO-only users behind a forced reset).

Build and CI

CircleCI is now the sole release builder. Jenkins is retired (OOM on Nuitka link); the GitHub Actions release workflow was disabled in the same release.

• git tag v0.0.X && git push hubstudio v0.0.X triggers the build.
• Nuitka now compiles inside manylinux_2_28_x86_64 (glibc 2.28) — fixes the v0.0.37 GLIBC_2.38 crashloop on prod ECS Ubuntu 22.04.
• no_output_timeout: 6h, NUITKA_JOBS=1, ccache restored across runs.
• Verify-tarball step asserts paas/backend/dist/run.bin is present (v0.0.36 silently shipped without it).

Upgrade notes

This is a schema-migrating release. The following migrations run on first boot:

• Drop dashboard_cards.card_type CHECK constraint.
• Org-isolation RLS scaffolding (opt-in — RLS is not enabled by default; flip per-org via the entitlements resolver).
• Pre-drop cleanup for pipeline_schedules and report_schedules; final DROP migrations for the scheduler unwind.

Standard upgrade path:

honeyframe update /tmp/hub-platform-v0.0.38-linux-x86_64-compiled.tar.gz

Rollback (snapshots taken pre-upgrade):

honeyframe update --rollback

Known issues and deferred

• RLS is opt-in — the migration adds the scaffolding and helper, but no org has it on by default. Enabling it for a tenant requires the entitlements resolver flag flip; document the steps before enabling on a customer.