Sencho

0.87.0 (2026-06-01)

Added

• auto-heal: restart crashed containers and harden the heal loop (#1258) (dbb7fe8)
• dashboard: surface metrics-stale indicator after sustained poll failure (#1213) (7c3ba3f)
• deploy-panel: tell Community operators deploys lack auto-rollback (#1193) (27b8954)
• fleet-sync: gate sync-status polling on admin role (#1271) (7d7e0a6)
• fleet: show stack-label filtering in Fleet View on every tier (#1268) (d8f73f8)
• labels: harden Stack Labels (gate parity, abort, dry-run, cap) (#1232) (2a29fed)
• security: make CVE suppressions optionally honored by deploy-block policies (#1269) (085267b)
• security: per-image scroll + retention cap in scan history (#1231) (42e8d3a)
• sidebar: surface unreachable nodes in cross-node stack search (#1195) (5196f04)
• stack-activity: in-process metrics, structured diagnostic logs, docs (#1229) (80499ee)
• stack-files: cap directory listings at 1000 + add file-tree filter (#1208) (fcf2222)
• stack-files: drag-and-drop upload zone (#1207) (ea002cd)
• stack-files: force-text override for misidentified binary files (#1215) (d8b6f8c)
• stack-files: in-process metrics and structured mutation logs (#1216) (9f2f13f)
• stack-logs: WebSocket reconnect with backoff and gap sentinel (#1197) (07a2e8f)
• stacks: in-process per-(nodeId, action) metrics + admin endpoint (#1196) (7ec6fe0)
• stacks: optimistic concurrency on compose and env file writes (#1183) (fbd13ac)
• stacks: server-side POST /api/stacks/bulk endpoint (#1185) (5aedc52)
• stacks: structured 503 docker_unavailable envelope + disconnect tests (#1191) (009ec43)
• stacks: surface post-deploy scan attempt status (#1198) (d727a55)

Fixed

• app-store: harden template deploy, registry fetch, and catalogue refresh (#1250) (96c5f05)
• atomic-deploy: harden rollback locking, restore fidelity, and tier gating (#1247) (45844b9)
• audit-log: neutralize CSV export injection, clamp pagination, bound anomaly history (#1259) (5e66b54)
• auto-heal: gate panel write controls on admin role (#1245) (b034de5)
• auto-update: paid-gate execute route and harden image-check watchdog (#1257) (ca34691)
• blueprints: gate Federation pin control on admin role (#1252) (d41282e)
• dashboard: debounce state-invalidate refetches (#1209) (03a5826)
• dashboard: decouple FleetHeartbeat refresh from the active local node (#1210) (0db0d29)
• dashboard: slow HealthStatusBar sync-label tick to 5s (#1211) (6d995b9)
• deploy-enforcement: surface scan-policy blocks on update and sidebar deploys (#1248) (b33a0e8)
• deploy-progress: decouple deploys from the live progress stream (#1246) (5dea040)
• editor: harden save-deploy, node-switch, delete, and stats reactivity (#1188) (7c84969)
• fleet-actions: stop-by-label works on Community remote nodes (#1270) (7e0cffa)
• fleet-snapshots: gate reads on admin role and encrypt content at rest (#1273) (c11a550)
• fleet: gate node update actions to admins and harden update tracking (#1272) (0953025)
• git-sources: harden webhook delivery, transport errors, and clone limits (#1249) (2844f60)
• global-search: close the command palette on Escape deterministically (#1256) (a5bfd48)
• global-search: surface unreachable nodes and harden the command palette (#1253) (98049e3)
• host-console: audit session lifecycle and harden path, resize, and route gating (#1263) (d4fa4a4)
• mesh: re-evaluate data plane every 10s and add opt-in auto-recreate (#1184) (aa3d99a)
• mfa: enforce single-use backup codes under concurrent verification (#1262) (7e65a2a)
• nodes: close capability-gating gaps in node compatibility (#1261) (d03d97d)
• notifications: harden alert dispatch crash-safety and redact webhook secrets in logs (#1255) (7d4e616)
• notifications: prevent self-container stack routing (#1242) (265fece)
• observability: gate global logs to admins, scope to managed containers, harden SSE (#1254) (69edb0d)
• rbac: enforce admin seat cap on promotion and harden last-admin and audit paths (#1266) (b61388c)
• registries: keep registry endpoints local to each instance (#1267) (18762fa)
• resources: harden Resources Hub data race, prune errors, and scan lifecycle (#1251) (eed7e04)
• scheduled-ops: run stack lifecycle schedules on remote nodes and harden run visibility (#1260) (6fc7f20)
• security: gate admin-only scan affordances on isAdmin (#1230) (117f590)
• sidebar: cancel pending debounce emit on external value reset (#1244) (0a8e6a7)
• sidebar: require admin role for Schedule task and debounce search input (#1243) (9791818)
• sso: surface config load, test, and removal errors in the SSO settings UI (#1265) (4248ac0)
• stack-activity: per-stack history integrity, attribution, sanitization (#1228) (2d56ea9)
• stack-files: atomic write via tmp+rename with optional exclusive mode (#1205) (668eda6)
• stack-files: avoid false failed download metrics (#1236) (92355d5)
• stack-files: confirm before overwriting an existing upload target (#1204) (c8b095b)
• stack-files: guard download stream destroy against the supertest in-process close race (#1227) (a4a8abb)
• stack-files: optimistic concurrency on file-tab writes via mtime ETag (#1206) (4964320)
• stack-files: prompt before discarding unsaved edits on file switch (#1203) (3e56696)
• stack-files: symlink-aware delete and chmod (#1214) (c2357ec)
• stack-files: track download metric off the file stream, not the response (#1220) (f86042b)
• stacks: default Empty template ships ports block commented out (#1189) (8ba8875)
• stacks: refuse file-explorer delete/rename/chmod on protected stack files (#1202) (37b1237)
• stacks: require stack:read on file explorer GET routes (#1200) (4c28b37)
• stacks: serialize concurrent lifecycle operations per stack (#1182) (60ecd57)