7.5 KiB
Changelog
All notable changes to ScadaBridge are documented in this file.
The format is based on Keep a Changelog.
Detailed per-change history lives in git log,
archreview/plans/00-MASTER-TRACKER.md, and docs/plans/ — this file records
operator-facing and breaking changes only.
[Unreleased]
Changed — Architecture-review hardening initiative (PLAN-01…PLAN-08, 2026-07-08 → 2026-07-10)
Eight architecture reviews produced eight fix plans; 191 of 192 tasks landed. The
initiative added eager startup options-validation across 12+ components, ClusterClient
message-contract lock tests, secured-write pending-TTL, a login throttle, transport
import single-flight, store-and-forward sweep bounding, and a deploy-readiness
handshake; it excised the vestigial site-notification delivery surface and established
a canonical deferred-work register. Authoritative record:
archreview/plans/00-MASTER-TRACKER.md plus the per-plan docs.
Added — M8 Transport
Encrypted bundle export/import extended from central-only config to site/instance-scoped
config (Sites, site DataConnections, Instances + Area by name), reconciled across
environments by the BundleNameMap name-mapping subsystem, with a per-line Myers diff and
the script trust gate enforced at import review. Post-initiative additions (both 2026-07-10):
an aggregated live alarm stream feeding the Alarm Summary page, and hourly KPI rollups
unblocking 30d/90d trend windows.
Added — M7 Native alarms + operational UX
Read-only native-alarm mirroring (OPC UA Alarms & Conditions + MxAccess Gateway) onto a
unified condition model; an operator Alarm Summary page; OPC UA node browse/search/type-info
and site-local certificate trust; two-person secured writes, introducing the Operator
and Verifier roles; and an SMS (Twilio) notification delivery adapter.
Changed — BREAKING: canonical role names + audit separation-of-duties collapse (Task 1.7)
Role string VALUES are standardized onto the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Engineer remains unused by
ScadaBridge; Operator has since been adopted by the M7 two-person secured-write
flow, together with the new Verifier role — see the M7 entry above). The legacy
ScadaBridge role names were renamed and two were
collapsed:
| Legacy role | Canonical role | Notes |
|---|---|---|
Admin |
Administrator |
rename |
Design |
Designer |
rename |
Deployment |
Deployer |
rename |
Audit |
Administrator |
COLLAPSE |
AuditReadOnly |
Viewer |
COLLAPSE |
- SECURITY — privilege escalation (accepted). The former
Auditrole collapses intoAdministrator. This is a real escalation: a former audit-only user now holds the entire admin surface (create/update/delete sites, manage LDAP group→role mappings and API keys, preview/import transport bundles), not just audit read+export. This loss of auditor/admin separation-of-duties is a deliberate, accepted trade-off of the canonicalization. - SECURITY — half-SoD preserved. The former
AuditReadOnlyrole collapses intoViewer, which keeps audit READ (Audit Log page, Configuration Audit Log page, audit nav group) but cannot bulk-export. The audit policy sets are nowOperationalAuditRoles = { Administrator, Viewer }andAuditExportRoles = { Administrator }, so aViewerreads the audit log but the Export-CSV button //api/audit/exportendpoint correctly refuses it. - Enforcement. Every enforcement site moved together: the role-claim values,
the authorization policies (
RequireAdmin/RequireDesign/RequireDeploymentpolicy names are unchanged; only the role values inside them changed), theManagementActor.GetRequiredRoleswitch, the hard-coded site-scope admin-bypass (Roles.Administratoreverywhere), theDebugStreamHubAdministrator/Deployer gates, and the CentralUIBrowseService/BindingTesterDesigner guards. Site-scoping logic is otherwise unchanged — only the admin-bypass value moved from"Admin"toRoles.Administrator. - Config-DB migration
CanonicalizeRoles. Updates the four seededLdapGroupMappingsrows (Id 1-4) to the canonical role values and adds raw idempotent catch-allUPDATEs for operator-added rows (Admin/Audit→Administrator,Design→Designer,Deployment→Deployer,AuditReadOnly→Viewer). The Down migration is lossy for the collapse: it best-effort mapsAdministrator→AdminandViewer→AuditReadOnlybut cannot recover the originalAudit/AdminorViewer/AuditReadOnlydistinction. - Operator action. Any LDAP group→role mappings created with the legacy role
strings are migrated automatically by
CanonicalizeRoles. New mappings created via the CentralUI LDAP-mappings form now offer the canonical role values (including aVieweroption for audit-read-only delegation).
Changed — BREAKING: inbound API authentication
Inbound API authentication has migrated off the SQL Server X-API-Key scheme and
onto the shared ZB.MOM.WW.Auth.ApiKeys library.
- Credential format. The inbound
POST /api/{methodName}endpoint now authenticates anAuthorization: Bearer sbk_<keyId>_<secret>token instead of the rawX-API-Key: <key>header. The secret is verified with a peppered, constant-time HMAC compare inside the shared library verifier. - Storage. Inbound API keys now live in the shared
ZB.MOM.WW.Auth.ApiKeysSQLite store, not the SQL Server configuration database. The deterministic-HMACApiKeytable is gone. - Authorization model. A key's allowed methods are now its per-key scopes
(scope string == method name, ordinal/case-sensitive). The previous
ApiMethod.ApprovedApiKeyIdsCSV that linked methods to key IDs has been removed. - Peppering. Keys are peppered per environment via
ScadaBridge:InboundApi:ApiKeyPepper(≥ 16 characters, different per environment, kept secret). The same configuration key now backs the library verifier's pepper secret.
BREAKING — all existing inbound API keys are INVALIDATED and must be re-issued. Old
X-API-Keycredentials and their stored HMAC hashes are not migrated and are not recoverable; theApiKeystable is dropped. Operators must re-issue every inbound key as ansbk_…token and update every API client. See the runbook:docs/operations/inbound-api-key-reissue.md.
Removed
- The SQL Server
ApiKeyentity (ZB.MOM.WW.ScadaBridge.Commons.Entities.InboundApi.ApiKey), its EF Core mapping, and itsIInboundApiRepositorykey methods (GetApiKeyByIdAsync,GetAllApiKeysAsync,GetApiKeyByValueAsync,AddApiKeyAsync,UpdateApiKeyAsync,DeleteApiKeyAsync,GetApprovedKeysForMethodAsync). - The
ApiMethod.ApprovedApiKeyIdsproperty, its EF mapping, and the CSV parse/serialize helpers. - The legacy hashing code:
ApiKeyHasher/IApiKeyHasherand the in-repo inboundApiKeyValidator(superseded by the sharedIApiKeyVerifier), plus their DI registrations and tests.
Migrations
RetireInboundApiKeyStore— drops theApiKeystable and theApiMethods.ApprovedApiKeyIdscolumn.Downrecreates both, but dropped keys are not recoverable: rolling the migration back does not restore credentials. Rollback means reverting the deployment, then re-issuing keys.