Skip to main content

On-Prem Release Notes - 2026

v0.167.0 — June 1, 2026

Consolidates changes from v0.166.0 and v0.167.0 since the previous on-prem stable release (v0.165.0). Platform OSS version: v0.172.0.

New Features

  • AWS Bedrock Guardrails: The Amazon Bedrock LLM adapter now accepts a Guardrail identifier and version, applying the configured AWS Bedrock Guardrail to prompts and responses for content filtering and safety enforcement.
  • Full document text in API responses: API deployment responses can return the full extracted text of the input file alongside the structured output, removing the need for a separate call to fetch source text.
  • Frontend request ID propagation: The frontend now forwards a request ID through the request chain and surfaces it on error notifications, enabling end-to-end correlation of failures from UI to backend logs.

Fixes & Improvements

  • Adapter key persistence on tool instances: adapter_key is now stamped alongside adapter_id_key when a tool instance is PATCHed, fixing cases where an adapter change was not fully persisted on the tool instance.
  • Apostrophes in Platform API Key names: Platform API Key name and description fields now accept apostrophes, so values like Acme's key are no longer rejected at validation.
  • LLMWhisperer: portal/bridge image bumped to v0.26.0.

Helm Configuration Changes

  • helm-schema-gen plugin is now registered in the marketplace and an empty-anchor YAML issue in the chart values was fixed, so values.yaml schema generation works without manual anchor patching. No action required unless you maintain a fork of the chart values.

v0.165.0 — May 27, 2026

Consolidates changes from v0.164.0 and v0.165.0 since the previous on-prem stable release (v0.163.0).

New Features

  • Agentic Prompt Studio onboarding: A sample project, guided empty states on each step, and a dashboard CTA accelerate first-run discovery of Agentic Prompt Studio. Onboarding template assets are bundled with the release and the stepper is gated sequentially.
  • OpenAI-compatible LLM adapter: A dedicated adapter for any provider that speaks the OpenAI API (self-hosted gateways and OpenAI's own gpt-5 / o-series models), separate from the standard OpenAI adapter. Zero-cost tracking is wired in for free-tier endpoints.
  • Prompt Studio HITL feedback indicator: Prompt Studio surfaces a change indicator when a prompt's output has been edited via the HITL feedback loop. A new plugin slot lets enterprise plugins customize the indicator.

Fixes & Improvements

  • Org admin access to all organization resources: Org admins now have full access to every resource in their organization — Prompt Studio projects, adapters, and shared ProfileManager profiles — without each resource being explicitly shared with them. The Python SDK exposes equivalent service-account-level access for automated org-to-org migration flows.
  • Large file uploads in Prompt Studio: File uploads stream directly to remote storage instead of being buffered in backend memory, removing the backend-memory ceiling on document size.
  • Default triad adapters for invited users: Invited users now inherit the organization's default LLM, embedding, and vector DB adapters on first login, removing the manual adapter-selection step.
  • Table extraction — cross-page orphan rows: Subtable values placed by the LLM into the main values payload are now merged into the parent row across page boundaries, fixing orphaned rows on multi-page tables.

Helm Configuration Changes

  • ENABLE_HIGHLIGHT_API_DEPLOYMENT is now enabled by default in the on-prem chart values, surfacing source-document highlighting for API deployments. Override in your values.yaml if you previously kept it off.
  • bulk-download worker: pinned to a single replica with HPA disabled. If your values.yaml previously enabled autoscaling for this worker, the override is now ineffective — review and remove it.

v0.163.0 — May 18, 2026

New Features

  • Lookups V2 — post-extraction LLM enrichment for Prompt Studio: A new enrichment stage runs additional LLM lookups on already-extracted data, letting you cross-reference and normalize values without a second extraction pass. Includes lookup reference file upload and sharing-notification emails when a lookup is shared with another user. See Look-Ups for details.
  • AWS Bedrock bearer token authentication: Bedrock LLM and embedding adapters now support AWS_BEARER_TOKEN_BEDROCK authentication, an alternative to static keys and IRSA for environments that prefer a simpler, long-term API key over provisioning an IAM user. Note: short-lived/refreshing tokens are not supported.
  • Workflow execution log export: The workflow execution logs modal can now export logs as CSV or JSON for offline analysis and sharing.
  • full_access permission tier: A new full_access permission tier authorizes DELETE operations on the Platform API.

Fixes & Improvements

  • Lookups: fixed a 500 error on lookup reference file upload; the public share viewer now skips lookup probes and defaults to the Enriched view; restored Prompt Studio public sharing after the Lookups V2 wiring; fixed the empty Default tab in Prompt Studio Combined Output.
  • Tool-run logs: cloud plugin tool-run logs now stream to the workflow execution UI; log output was trimmed and clarified, and log_events_id is restored on tool-run dispatch so logs persist even without an active UI subscriber.
  • Adapters: deprecated sampling parameters are stripped for Claude Opus 4.7; fixed the Bedrock bearer token being lost on LLM.complete() re-validation.
  • Usage metrics: embedding usage records are flushed on the indexing path, line-item executor usage records propagate up the prompt chain, and single-pass lookup metrics are aggregated under a single lookup_llm list.
  • Observability: worker logs are now bound to request_id and trace context for end-to-end correlation.

Helm Configuration Changes

  • New REMOTE_LOOKUP_FILE_PATH backend config (# <REQUIRED>) — remote storage path for Lookups V2 data (e.g. <bucket-name>/lookups). Set this before upgrading.
  • Redis and MinIO now create dedicated ServiceAccounts by default (serviceAccount.create: true, automountServiceAccountToken: false), so the chart works out of the box on clusters whose admission policies prohibit the default service account.
  • The worker-executor-v2 baseline is now part of the chart defaults, with db-proxy PodDisruptionBudget alignment.
  • IRSA service accounts are now attached to S3-touching worker deployments.

v0.162.0 — May 11, 2026

New Features

  • HITL audit logging, change tracking, and statistics: Comprehensive audit trail for Human-in-the-Loop reviews — captures per-leaf JSON diffs, classifies row add/delete operations on list-valued fields, and surfaces edit markers in the audit UI.
  • Agentic table extractor plugin: New multi-agent, LLM-powered table extraction plugin (agentic_table_settings_v2) for complex tabular documents.
  • Gemini embedding adapter for Google AI Studio: New embedding adapter with gemini-embedding-001 as the default model. See Gemini embedding adapter for details.
  • DISABLE_SSO_IDP_AUTHORIZATION flag: New configuration flag to control SSO IdP authorization behavior for user management. See Enterprise SSO — On-Prem for details.
  • Live tool-run log streaming: Tool-run logs now stream into the workflow execution UI with markdown rendering.
  • MinIO ILM lifecycle rules codified in Helm: Object lifecycle (ILM) rules for MinIO are now part of the Helm chart, enabling automated cleanup without manual mc commands.

Fixes & Improvements

  • HITL: workflow deletion is no longer blocked when audit logs exist; restored the change history drawer; fixed audit plugin CSS that broke the adapter modal layout.
  • S3 connector: lists only buckets the configured credentials can actually browse and drops cross-region buckets from the picker.
  • SharePoint connector: more reliable site_url/drive_id persistence and safer OAuth token refresh — fewer re-auth prompts on long-running pipelines.
  • LLM & embedding reliability: unified retry logic across LLM and embedding providers reduces transient failures during prompt runs and indexing.
  • CORS: SocketIO and Django now accept wildcard subdomain origins, making multi-tenant subdomain deployments work out of the box.
  • Observability: workerExecutorV2 is now wrapped with OpenTelemetry auto-instrumentation, so worker spans show up alongside backend traces.

Helm Configuration Changes

  • New plugin config agentic_table_settings_v2 added to on-prem configuration and Docker build (required to enable the agentic table extractor).
  • New DISABLE_SSO_IDP_AUTHORIZATION environment flag for SSO user management.
  • MinIO ILM lifecycle rules are now codified in the Helm chart — review existing manual ILM policies before upgrading to avoid conflicts.
  • Removed unused MODEL_PRICES environment variables from platform-service charts.

v0.159.4 — May 20, 2026

Hotfix on the v0.159.3 line. Does not pull in features from v0.160.x–v0.163.x.

Security

  • litellm CVE-2026-42208 (UN — OSS HOTFIX): Bumps litellm from the Zipstack GitHub fork (1.82.3) to 1.83.10 from PyPI, clearing the SQL injection in litellm.proxy auth (affects 1.81.16–1.83.6). Unstract does not use litellm.proxy, but third-party scanners flag the installed package regardless.

Helm Configuration Changes

  • No new variables or required secrets.

v0.159.3 — May 7, 2026

New Features

  • AWS Bedrock IAM Role / Instance Profile authentication: New Authentication Type selector on the Bedrock LLM and embedding adapters lets EKS-hosted deployments authenticate via IRSA, instance profile, or task role — no static AWS access keys required. When the IAM Role mode is selected, boto3's default credential chain takes over, picking up the pod's ambient identity. See the AWS IRSA Setup for EKS Deployments guide for end-to-end setup including OIDC provider association, IAM role + trust policy creation, and verification.

v0.158.4 — March 27, 2026

New Features

  • AWS S3 IRSA authentication: Support for IAM Roles for Service Accounts (IRSA) on both S3 storage and S3 connectors, eliminating the need for static credentials in EKS deployments
  • HTTP session lifecycle management: Managed HTTP session pooling for workers API clients, improving connection reuse and reliability

Fixes & Improvements

  • Added TTL to API HITL settings and fixed NaN TTL display
  • Security hardening: cookie security attributes and XSS prevention headers
  • Added input validation and Content Security Policy (CSP) headers across backend and frontend
  • Frontend CSP adjustments for RJSF form rendering (unsafe-eval) and PDF viewer (blob:)
  • Switched litellm to Zipstack fork after PyPI quarantine
  • Upgraded litellm to 1.82.3 to fix Azure OpenAI connection errors
  • Monkey-patched litellm Cohere embed timeout for Bedrock embeddings
  • Added LLMCompat bridge class to fix retriever LLM compatibility with llama-index
  • Handle LLM refusal responses to prevent NoneType errors
  • Include adapter name in error messages for easier debugging

Helm Configuration Changes

  • Hardcoded image references now configurable via values.yaml — previously hardcoded container image paths can be overridden for air-gapped or custom registry deployments

v0.158.0 — March 19, 2026

New Features

  • Platform API keys for programmatic access to the Unstract Platform API. Organization admins can create, list, update, rotate, and delete API keys via the UI under Platform > Platform API Keys. Keys provide Bearer token authentication for all Platform API endpoints. See Platform API Keys documentation for details.
  • Service account access bypass for pluggable apps, enabling automated integrations without manual permission grants
  • Agentic Prompt Studio (beta): new backend and frontend for agentic document extraction workflows. See Agentic Prompt Studio for details.
  • HITL enhancements: sidebar navigation, queue deletion, nested table support, fetch-specific for targeted document review, reviewer name display on in-review documents, and default TTL changed from unlimited to 90 days. See HITL documentation for details.
  • CSV, TXT, and Excel file support in Prompt Studio file converter
  • Dashboard metrics system with plan banner, welcome card, and subscription usage tab
  • Card-based layout for Pipelines and API Deployments listing pages
  • Profile page now displays role and organization info
  • 1M context support for Anthropic LLM adapters
  • Vertex AI vertex_location support for regional endpoint configuration. See Gemini Pro adapter for details.
  • total_pages_processed exposed in execution API response and worker destination metadata
  • SharePoint/OneDrive connector for filesystem integration. See Connectors for details.
  • Azure AI Foundry adapter for LLM access
  • Redis Sentinel HA support with dual-mode configuration for backend, Celery, cache, tool containers, sidecars, and manual review queue. See HA Deployment for details.
  • RabbitMQ HA with configurable quorum queues. See HA Deployment for details.
  • MinIO HA support via optional MinIO Operator. See HA Deployment for details.
  • OAuth product scope added to login/signup authorization requests
  • Dynamic plugin loading infrastructure for enterprise components, migrations, and rule engine
  • Sidebar expand-on-hover UX improvement
  • Documentation link popover for connectors in the UI
  • Workflow deletion errors now show specific pipeline/API deployment names

Fixes & Improvements

  • HITL reliability: PostgreSQL count mismatch and slow query optimizations, bulk queries with lrange, soft-delete for DB-synced records, TTL display in days, rule engine nested array flattening fix, API rules evaluation fix after removal, add-row race condition fix, and queue metadata backfill migration
  • Custom data support added to single pass extraction; fixed string values being wrapped in extra quotes. See Custom Data for details.
  • PostgreSQL race condition in concurrent table creation handled
  • Memory and resource leak fixes: database cursor closure in subscription usage handler, platform-service resource leaks
  • Ollama adapters fixed post LiteLLM migration. See Ollama adapter for details.
  • Packet processing final fetch response API fix
  • Role update failures for existing users resolved
  • LLMWhisperer API key lookup database fallback added; client retry backoff configuration added
  • SIGTERM trap handlers for graceful container shutdown
  • Worker API timeout increased to prevent stuck executions during cron storms
  • Vertex AI thinking config skip for pro models when disabled
  • Azure OpenAI cost tracking now uses actual model name
  • Worker query optimization and retry configuration improvements
  • fsspec directory listing cache fix on connectors (including Azure listings expiry regression)
  • SharePoint walk() now supports detail=True
  • Secure cookie settings and CSRF cookie secure attribute enabled
  • Forbidden email handling in Auth0 OAuth callback
  • PDF viewer error fallback when document fails to load
  • Frontend migrated from Create React App to Vite
  • Export reminder state persists across page reloads
  • HTTP 409 returned when tool image not found in container registry
  • Legacy Celery file processing workers and dead code removed

Helm Configuration Changes

  • Redis Sentinel HA: new REDIS_SENTINEL_MODE env var added to prompt, runner, and multi-az values for dual-mode (standalone/sentinel) support
  • RabbitMQ HA: configurable quorum queues support added
  • MinIO HA: optional MinIO Operator support (operator deployed separately)
  • HITL worker secrets added to on-prem secret template
  • Agentic Studio apps and URLs added to on-prem configuration
  • Backfill metrics enabled by default for on-prem deployments
  • MODEL_PRICES_TTL_IN_DAYS changed from 7 to 1
  • Legacy worker templates removed: useUnifiedWorkers toggle and workerLogging config no longer needed