# v1.4.0

> Enterprise v1.4.0 changelog - 2026-05-06

<Update label="Bifrost Enterprise" description="v1.4.0">
  <Warning>
    **Breaking changes in v1.4.0.** See the [v1.4.0 Migration Guide](/enterprise/migration-guides/v1.4.0) for full before/after examples, automatic migration details, and a step-by-step checklist before upgrading.
  </Warning>

  ## Changelog

  This release unifies the API authentication path so password-mode admin and API-key auth share the OSS `AuthMiddleware`/RBAC pipeline, splits SCIM provider configuration into per-provider forms, keeps governance usage snapshots alive across idle periods, and pulls in OSS base `transports/v1.5.0-prerelease8` with `objectStorageExcludeFields`, MCP server/client URL split, and a stack of provider correctness fixes (Anthropic routing, Bedrock structured-output streaming, SGL extra-params passthrough).

  ## ✨ Features

  ### Authentication & API Surface

  * **Unified API Auth Pipeline** - Removed the enterprise `SessionMiddleware` in favor of the OSS `AuthMiddleware.APIMiddleware()` on API routes; password-mode admin sessions and API-key auth now flow through the same middleware chain and share `schemas.IsLocalAdminContextKey` / `schemas.IsAPIKeyAuthContextKey` from core, eliminating the previous duplicated context-key constants.
  * **RBAC Always Initialized** - RBAC controller and permission cache are now bootstrapped unconditionally (no longer gated on the SCIM controller being present), so API-key permission checks and local-admin RBAC bypass work in non-SSO deployments.
  * **Auth Middleware Context Keys (OSS)** - Core v1.5.7 adds `IsAPIKeyAuthContextKey` (short-circuit when API-key auth already passed) and `IsLocalAdminContextKey` (bypass RBAC when auth is disabled).

  ### SCIM & Identity

  * **Per-Provider SCIM Config Forms** - The single SCIM config form has been split into dedicated forms per provider (Entra, Google, Keycloak, Okta, SailPoint, Zitadel), each with its own validation and field set, replacing the shared switch-case form for better maintainability.
  * **Dedicated SCIM `config_hash` Migration** - Added `addSCIMProviderConfigHashColumn` (id `ent_add_scim_provider_config_hash_column`) so installations that already ran `ent_add_config_hash_columns` still receive the column on `enterprise_scim_providers`. Migration also reordered to run alongside other config-hash migrations, before access-profile migrations.

  ### Governance & Cluster

  * **Governance Snapshot Heartbeat** - Added a 10s heartbeat for unchanged governance usage snapshots, tracking `lastBroadcastAt` per node so peers don't expire idle nodes' usage state under the 30s stale-node TTL. Cluster-wide budget and rate-limit enforcement no longer falls back to a partial local view when a node's usage simply stops changing.
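
  The effect of the heartbeat on a peer's view, as an added Go simulation that is not Bifrost's own code. Only the 10s interval, the 30s TTL and the `lastBroadcastAt` name come from the entry above; the `sender` type, `peerView`, the one-second tick and the sample usage value are assumptions for illustration.

  ```go
  package main

  import (
  	"fmt"
  	"time"
  )

  const (
  	heartbeatInterval = 10 * time.Second // from the changelog entry
  	staleNodeTTL      = 30 * time.Second // from the changelog entry
  )

  // sender is a hypothetical node publishing its governance usage snapshot.
  type sender struct {
  	lastSent        int64
  	lastBroadcastAt time.Time
  	heartbeat       bool // false models the pre-v1.4.0 "send only on change" behaviour
  }

  // shouldBroadcast decides whether the node sends at time now, and records the send.
  func (s *sender) shouldBroadcast(usage int64, now time.Time) bool {
  	first := s.lastBroadcastAt.IsZero()
  	changed := usage != s.lastSent
  	due := s.heartbeat && now.Sub(s.lastBroadcastAt) >= heartbeatInterval
  	if first || changed || due {
  		s.lastSent, s.lastBroadcastAt = usage, now
  		return true
  	}
  	return false
  }

  // peerView replays an idle period (usage never changes) second by second and
  // returns what a peer still counts for the node; ok=false means the peer
  // expired the node under the stale-node TTL and is enforcing on a partial view.
  func peerView(heartbeat bool, usage int64, idle time.Duration) (seen int64, ok bool) {
  	start := time.Unix(1_700_000_000, 0) // constructed clock
  	s := &sender{heartbeat: heartbeat}
  	var lastSeen time.Time
  	for t := time.Duration(0); t <= idle; t += time.Second {
  		now := start.Add(t)
  		if s.shouldBroadcast(usage, now) {
  			seen, lastSeen = usage, now
  		}
  		if now.Sub(lastSeen) > staleNodeTTL {
  			return 0, false
  		}
  	}
  	return seen, true
  }

  func main() {
  	fmt.Println(peerView(false, 420, time.Minute)) // idle node without heartbeat
  	fmt.Println(peerView(true, 420, time.Minute))  // idle node with heartbeat
  }
  ```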

  ### OSS Base (transports/v1.5.0-prerelease8)

  * **`objectStorageExcludeFields`** - Configurable list of log payload fields that stay in the database instead of being offloaded to object storage.
  * **MCP External Base URL Split** - MCP external base URL split into separate server and client URL fields for clearer reverse-proxy configuration.
  * **Schema Normalizer** - New `NormalizeSchemaForAnthropicRaw` (gjson/sjson) avoids `map[string]interface{}` round-trips during Anthropic schema preparation.
  * **Bedrock Structured Output** - New `extractJSONSchemaObject` helper unifies composite and decomposed JSON schema fields for OpenAI-compat structured output on Bedrock.
  * **Provider Capability Matrix** - Re-enabled `ContextEditing` and `ContextManagementField` for Vertex; disabled `TaskBudgets` for Azure (not documented upstream); `claude-4.6-sonnet` mapped for the Bedrock test account.

  ### Infrastructure

  * **New Customer Envs** - Added `bluestaq` and `onbe` Terraform/Docker scaffolding (hub backend, perimeter, terraform.tfvars); refreshed `falconx` and `constructor` Dockerfiles.

  ## 🐞 Fixed

  * **API Middleware Wiring** - Auth middleware now runs before RBAC on API routes so `IsLocalAdminContextKey` is set before RBAC evaluates; cluster-message handler updated to use the unified `s.AuthMiddleware` reference.
  * **Prompts Plugin Missing Header** - Prompts plugin's deployment resolver no longer returns an error when `x-bf-prompt-id` is absent - missing header is treated as "plugin not needed for this request" instead of a failure.
  * **SCIM Teams Page Styling** - Fixed layout/style regressions on the SCIM teams pages (`usersView` and `usersTable`).
  * **Anthropic Integration Routing (OSS)** - Skip model catalog routing when loadbalancer or governance routing has already set the provider.
  * **SGL Extra Params Passthrough (OSS)** - SGL provider now sets `BifrostContextKeyPassthroughExtraParams`, so SGLang vLLM-style extra-body params (`chat_template_kwargs`, `guided_json`, `guided_regex`, `separate_reasoning`) are no longer dropped.
  * **Bedrock Structured-Output Streaming (OSS)** - Suppress non-tool content events (text deltas, reasoning, non-tool content-block starts) in structured-output mode so prose/preamble no longer corrupts the assembled JSON.
  * **MCP Tool Field Resolution (OSS)** - Resolve `tools_to_execute` and `tools_to_auto_execute` from existing config before validation on MCP client update.
  * **Auth Config Disabled Context (OSS)** - Update request context correctly when auth config is disabled.
  * **`BifrostError` String Output (OSS)** - Added `String()` method so logged errors render as JSON instead of decimal byte dumps.
  * **Streaming Latency Validation (OSS)** - Zero-millisecond latency values are now accepted (valid for sub-millisecond cache hits).
  * **`NewUnsupportedOperationError` Context (OSS)** - Now populates `Provider` and `RequestType` in `ExtraFields`.
  * **SCIM Page Layout (OSS)** - Added `no-scrollbar` utility class and applied `no-padding-parent` to the SCIM page.

  ## 📀 Base OSS version

  `transports/v1.5.0-prerelease8`

  ## 🔌 If you are compiling a plugin against this release, use the following deps

  ```
  module github.com/maximhq/bifrost-enterprise

  go 1.26.2

  require (
  	cloud.google.com/go/bigquery v1.74.0
  	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
  	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
  	github.com/DataDog/datadog-go/v5 v5.6.0
  	github.com/DataDog/dd-trace-go/v2 v2.4.0
  	github.com/aws/aws-sdk-go-v2 v1.41.5
  	github.com/aws/aws-sdk-go-v2/config v1.32.11
  	github.com/aws/aws-sdk-go-v2/credentials v1.19.14
  	github.com/aws/aws-sdk-go-v2/service/bedrockruntime v1.50.1
  	github.com/aws/aws-sdk-go-v2/service/sts v1.41.10
  	github.com/bytedance/sonic v1.15.0
  	github.com/coreos/go-oidc/v3 v3.12.0
  	github.com/fasthttp/router v1.5.4
  	github.com/golang-jwt/jwt/v5 v5.3.0
  	github.com/google/cel-go v0.26.1
  	github.com/google/uuid v1.6.0
  	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
  	github.com/grandcat/zeroconf v1.0.0
  	github.com/hashicorp/consul/api v1.22.0
  	github.com/hashicorp/memberlist v0.5.4
  	github.com/maximhq/bifrost/core v1.5.8-0.20260501201305-734f02d4cd7d
  	github.com/maximhq/bifrost/framework v1.3.8-0.20260501201305-734f02d4cd7d
  	github.com/maximhq/bifrost/plugins/governance v1.5.8-0.20260501201305-734f02d4cd7d
  	github.com/maximhq/bifrost/plugins/prompts v1.0.8-0.20260501201305-734f02d4cd7d
  	github.com/maximhq/bifrost/transports v1.5.0-prerelease8.0.20260501201305-734f02d4cd7d
  	github.com/nakabonne/tstorage v0.3.6
  	github.com/stretchr/testify v1.11.1
  	github.com/testcontainers/testcontainers-go v0.40.0
  	github.com/tetratelabs/wazero v1.11.0
  	github.com/valyala/fasthttp v1.68.0
  	go.etcd.io/etcd/client/v3 v3.6.6
  	golang.org/x/crypto v0.49.0
  	golang.org/x/oauth2 v0.36.0
  	google.golang.org/api v0.274.0
  	google.golang.org/grpc v1.80.0
  	google.golang.org/protobuf v1.36.11
  	gorm.io/driver/sqlite v1.6.0
  	gorm.io/gorm v1.31.1
  	k8s.io/api v0.34.1
  	k8s.io/apimachinery v0.34.1
  	k8s.io/client-go v0.34.1
  )
  ```
</Update>
