v0.0.55 — Connector permission split
Released: 2026-05-06.
connector.read / connector.edit permissions
Connector access splits off org.admin into two scoped permissions so designers can manage data sources without full org-admin — the Dataiku model where builders own their flows.
| Endpoint group | Permission |
|---|---|
| Catalog, scripts, list, get, models (read paths) | connector.read |
| POST, PATCH, DELETE, test, bootstrap, send-message | connector.edit |
Per-role implicit grants (mirrors the seed migration):
| Role | Connector access |
|---|---|
| admin | all (via the role == 'admin' shortcut) |
| designer | connector.{read,edit} |
| analyst | connector.read |
| viewer | none |
A new idempotent seed_connector_permissions.sql runs on every honeyframe update. The _ROLE_IMPLICIT_PERMS resolver shim short-circuits without a DB roundtrip even before the seed has applied on a tenant.
Connectors moved to the Data sidebar
The Connectors page used to live under Administration with roles: ['admin'] — hiding it from the very users the backend now supports. It now sits next to Datasets in the Data section with roles: ['admin', 'editor', 'designer', 'analyst'] so it shows for both project-level and org-level callers. Connectors are a data construct, not pure admin — see Connectors.
Matrix permission-type autocomplete
The Authorization Matrix + Add permission field was free-text — typing feature.chatt would have permanently dead-columned the matrix until an admin revoked it. New GET /api/groups/permission-types endpoint merges:
- DISTINCT permission_type from this org's group_permissions
- A small curated catalog (org.admin, project.{admin,edit,view}, dashboard.{edit,view}, dataset.{read,readwrite}, feature.{chat,agent_builder})
Frontend filters client-side as the admin types. Same route-ordering guard as /matrix — must be declared before /{group_id}.
Migration fixes
- users.tenant_id ALTER before init_schema — pilot installs predating multi-tenant rollout were missing tenant_id; later FK + INDEX statements failed with "column tenant_id does not exist", poisoning the migrate.py transaction. A one-statement ALTER TABLE … ADD COLUMN IF NOT EXISTS registered before init_schema makes init clean on pilot-style installs and is a no-op everywhere else.
- Sidebar role normalization — designers landing on an org-level page (where project_role isn't set, so effectiveRole falls back to user.role) saw an empty sidebar because every item's roles was ['admin', 'editor', 'viewer']. New navRole() helper maps designer / analyst → editor for nav purposes.
CI fix — sidecar matches downloaded artifact
The release job signed the tarball before re-packing it with the run.bin signature, leaving the sidecar referencing the old bytes. v0.0.49–v0.0.54 all shipped this way and we papered over it with --no-require-signature. v0.0.55 re-packs first, then signs — so the published .tar.gz.sha256 describes the bytes operators actually download.
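The ordering bug described above, reproduced on constructed data. This is an added example, not the project's release job: the artifact name, the run.bin.sig member, and the sha256sum-style sidecar layout are assumptions made for illustration.

```python
import gzip, hashlib, hmac, io, re, tarfile

def pack(members: dict) -> bytes:
    """Build a deterministic .tar.gz from {name: content} (constructed sample data)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in sorted(members):
                info = tarfile.TarInfo(name)
                info.size = len(members[name])
                tar.addfile(info, io.BytesIO(members[name]))
    return buf.getvalue()

def sidecar(tarball: bytes, filename: str) -> str:
    """Assumed sidecar layout: '<sha256 hex>  <filename>'."""
    return f"{hashlib.sha256(tarball).hexdigest()}  {filename}\n"

def verify(downloaded: bytes, sidecar_text: str) -> bool:
    """Operator-side check: hash the bytes actually downloaded, compare to the sidecar."""
    parts = sidecar_text.split()
    if not parts or not re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
        return False  # malformed sidecar is a failure, never a pass
    actual = hashlib.sha256(downloaded).hexdigest()
    return hmac.compare_digest(actual, parts[0].lower())

def release(sign_after_repack: bool):
    """Return (published tarball, published sidecar) for either job ordering."""
    name = "honeyframe-example.tar.gz"                      # hypothetical artifact name
    files = {"run.bin": b"constructed binary payload"}
    sig = {"run.bin.sig": b"constructed detached signature"}  # hypothetical member
    first = pack(files)                  # tarball before the signature is added
    repacked = pack({**files, **sig})    # the bytes operators actually download
    if sign_after_repack:
        return repacked, sidecar(repacked, name)  # v0.0.55: re-pack, then sign
    return repacked, sidecar(first, name)         # v0.0.49-v0.0.54: sign, then re-pack

if __name__ == "__main__":
    for fixed in (False, True):
        tarball, sc = release(fixed)
        print("re-pack then sign" if fixed else "sign then re-pack", "->", verify(tarball, sc))
```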