
Release 2026.5.0

meshcloud

Release period: 2026-01-28 to 2026-02-04

This release includes the following issues:

  • Disabled Users Are Now Excluded from Building Block Permission Input
  • Workspace-Scoped API Keys for Building Block Runs
  • Default Values No Longer Supported for Encrypted User/Operator Inputs
  • Fixed Building Block Runner Not Being Updated When Changing Implementation Type
  • Ephemeral API Keys Automatically Deleted After Building Block Run Completes
  • File Type Input Keys Can Contain Dots and Special Characters
  • Improved Azure Cost Collection Accuracy
  • Markdown Lists Now Render with Proper Formatting
  • Simplified Project Deletion Dialog for Projects Without Tenants
  • meshObject API for Building Block Definition Version
  • Improved OpenTofu Variable Handling in Building Block Runner
  • meshPlatformType API Now Supports Workspace-Scoped Access Control
  • Fix Duplicate Azure User Groups During AKS Replication
  • Improved Login Reliability for Workspace Switching

Ticket Details

Disabled Users Are Now Excluded from Building Block Permission Input

Audience: User

Description

We fixed an issue where disabled users were incorrectly included in the building block permission input. When you disable a user via SCIM, the system now correctly excludes them from the building block user permission list. This ensures that building blocks no longer receive permission updates for users who should not have access to workspace resources.

Workspace-Scoped API Keys for Building Block Runs

Audience: User

Description

Building blocks can now automatically receive an ephemeral API key to interact with the meshStack API during their execution. This enables self-service automation patterns where building blocks can create additional resources like other building blocks, tenants, or meshObjects within the consuming workspace - without requiring admin permissions.

When you define permissions on a building block definition, the system automatically provides authentication via the MESHSTACK_API_TOKEN input. The ephemeral API key is scoped to the workspace where the building block runs and has only the permissions you explicitly configured. Application teams see the required permissions in the marketplace before adding the building block.

Note: Ephemeral API keys are not yet fully supported for GitHub Actions and Azure DevOps building blocks. We plan to provide support for this soon.

How to use

To enable this feature, configure permissions under the "Implementation" tab in your building block definition. The ephemeral API key is automatically deleted when the building block run reaches a terminal state, or after a maximum of 6 hours - whichever comes first.

For OpenTofu building blocks, the meshStack Terraform provider automatically picks up the MESHSTACK_API_TOKEN (and MESHSTACK_ENDPOINT) environment variables - no additional provider configuration needed.

The API key permissions follow the principle of least privilege. If your building block creates a nested building block that also requires permissions, meshStack prevents privilege escalation: the nested building block creation fails if it requires more permissions than the parent building block has.

Default Values No Longer Supported for Encrypted User/Operator Inputs

Audience: User

Description

Previously, setting a default value for encrypted (sensitive) inputs with "User Input" or "Platform Operator Manual Input" assignment types would result in the placeholder value "" being used as the actual input value when creating building blocks, causing them to fail or receive invalid encrypted input. This happened because encrypted values cannot be decrypted to display as default values in forms.

To prevent this issue, you can no longer set default values for these input types. Users and operators must now explicitly provide values for sensitive inputs with these assignment types when creating building blocks.

Fixed Building Block Runner Not Being Updated When Changing Implementation Type

Audience: User

Description

Fixed a bug where changing a building block definition's implementation type (e.g., from Manual to Terraform or vice versa) would fail with an error about the building block runner not matching the new implementation type. The issue occurred because the automatically preselected runner was not being properly included in the update request.

Ephemeral API Keys Automatically Deleted After Building Block Run Completes

Audience: User

Description

Ephemeral API keys created for building block runs are now automatically deleted when the run reaches a terminal state (succeeded or failed). Previously, these keys remained valid for up to 6 hours, which was unnecessarily long for most use cases.

With this change, the effective lifetime of ephemeral API keys is reduced to the actual duration of the building block run, improving security by minimizing the window during which these credentials remain active.

Note: While the JWT bearer tokens themselves remain technically valid after deletion, they will no longer work for API calls.
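The note above distinguishes a token that is still valid from one that still works. The following added example sketches that difference; it is not meshStack code, and the `KeyStore` class, HS256 signing, claim names, run state names and the assumption that token expiry equals the 6-hour cap are all hypothetical.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-secret"   # constructed value, not a real key
MAX_LIFETIME_S = 6 * 3600                  # 6-hour cap stated in the release notes
TERMINAL_STATES = {"SUCCEEDED", "FAILED"}  # state names are assumptions

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest())

class KeyStore:
    """Hypothetical server-side registry of ephemeral API keys."""
    def __init__(self):
        self.active = {}  # key id -> id of the run the key was issued for

    def issue(self, key_id, run_id, now):
        self.active[key_id] = run_id
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = _b64(json.dumps({"kid": key_id, "exp": now + MAX_LIFETIME_S}).encode())
        return f"{header}.{claims}.{_sign(header + '.' + claims)}"

    def on_run_state(self, run_id, state):
        # Delete every key bound to a run once that run reaches a terminal state.
        if state in TERMINAL_STATES:
            self.active = {k: r for k, r in self.active.items() if r != run_id}

    def token_is_valid(self, token, now):
        """Stateless check: signature and expiry only."""
        try:
            header, claims, sig = token.split(".")
            ok = hmac.compare_digest(sig, _sign(header + "." + claims))
            return ok and json.loads(_unb64(claims))["exp"] > now
        except (ValueError, KeyError, TypeError):
            return False

    def authorize(self, token, now):
        """API check: the token verifies AND its key record still exists."""
        if not self.token_is_valid(token, now):
            return False
        kid = json.loads(_unb64(token.split(".")[1]))["kid"]
        return kid in self.active
```

A service that verifies these tokens without consulting the key record would keep accepting them until `exp`, which is why the lookup in `authorize` is the step that enforces deletion.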

File Type Input Keys Can Contain Dots and Special Characters

Audience: User

Description

Fixed a regression where building block input keys of type file were incorrectly restricted to the same naming rules as other input types. File type inputs can now contain dots and special characters again, making it possible to use filenames like "config.json" or "script.sh" as input keys. Non-FILE input types continue to follow the standard naming rules (must start with a letter, contain only letters, numbers, hyphens, and underscores).

Improved Azure Cost Collection Accuracy

Audience: User

Description

We improved the accuracy of Azure cost data collection by preventing rare duplicate cost items during collection runs (which can happen when Azure renames its products).

Markdown Lists Now Render with Proper Formatting

Audience: User

Description

Fixed an issue introduced by a recent library upgrade where markdown formatting (bold text, links, italic text, and inline code) was not rendering properly inside lists when writing building block definition README files. Previously, bold text and links would display as raw markdown syntax instead of being formatted correctly.

Simplified Project Deletion Dialog for Projects Without Tenants

Audience: User

Description

The project deletion dialog in the admin area has been simplified for projects that do not have any tenants. When you delete a project without tenants, the dialog no longer shows unnecessary information about tenant deletion and building block removal, making the deletion process clearer and more straightforward.

meshObject API for Building Block Definition Version

Audience: User

Description

A new meshObject API is now available for programmatic creation and modification of building block definition versions. This enables you to automate the management of building block definitions in meshStack, including support for all implementation types. The endpoints remain in preview mode for now. Future changes might still occur.

How to use

The API provides access to building block definition versions for API keys with the appropriate permissions. You can use the API to create new draft versions, update existing draft versions of building block definitions, and release draft versions. For detailed information about available endpoints, request formats, and authentication requirements, please refer to the meshStack API documentation.

Improved OpenTofu Variable Handling in Building Block Runner

Audience: User

Description

We improved how building block inputs are passed to OpenTofu runs as input variables, making them more reliable to configure. The OpenTofu building block runner now properly encodes variables from building block inputs, ensuring better compatibility with different input types like CODE, MULTI_SELECT, and FILE.

Building block inputs with type CODE are now expected to contain HCL expressions. If parsing a CODE input fails, the provided input is passed as-is as a string value. When an OpenTofu variable is declared with type string and the building block input type doesn't match this, the value is provided as a JSON-encoded string, which you can recover in a type-safe manner using jsondecode within OpenTofu.

See further documentation in https://docs.meshcloud.io/concepts/building-block/#code-input

meshPlatformType API Now Supports Workspace-Scoped Access Control

Audience: User

Description

The meshPlatformType API has been enhanced to support workspace-scoped ownership. Platform types can now be owned by specific workspaces, allowing platform teams to manage their own platform types. The API now includes a new ownedByWorkspace field in the metadata section that identifies which workspace owns the platform type. All API keys can still read all platform types regardless of ownership.

Fix Duplicate Azure User Groups During AKS Replication

Audience: User

Description

Fixed an issue where Azure's eventual consistency could cause duplicate user groups to appear during AKS platform replication. These duplicates previously caused problems during the replication process. meshStack now automatically detects and removes duplicate user groups, ensuring smooth replication operations.

Improved Login Reliability for Workspace Switching

Audience: User

Description

Improved the reliability of workspace switching and the login process. In rare cases, users could experience repeated login redirects (login loop). The system now automatically detects and tries to recover from this condition.