Releases: information-sharing-networks/signalsd
v0.31.4
Changes
- Upgraded to templ v0.3.1020
- Removed Chroma (JSON highlighter) — a JS alternative can be added if needed
- Replaced unmaintained env config package with github.com/caarlos0/env
- Removed Cobra CLI dependency
- Removed redundant swag import
- Fixed Air config to use go tool for the initial swag command
- Dependency bumps (golang-x group and others)
- Updated license copyright statement
Bug Fixes
- Fixed FetchFileContentFromGithub to remove need for G107 nosec caveat
Developer Action Required
Docker volume reset needed. The Postgres volume mount path has been updated for postgres:18-alpine compatibility.
Run the following before starting the stack:
docker volume rm signalsd_db-data-dev
make docker-up
Migrations run automatically — no further steps needed.
v0.31.3
What's Changed
- refactor error handling and logging
- fix handling of client disconnects and timeouts
Full Changelog: v0.31.2...v0.31.3
v0.31.2
What's New
- update: bump Go to 1.26.3 for govuln findings
- update: bump github.com/gohugoio/hugo 0.159.2 to 0.161.0 (dev dependency)
- fix: show the correct version on staging /version endpoint
Note for local dev envs: use make docker-build to update the container with the latest dependencies
v0.31.1
What's Changed
New
- github workflows for deploying staging and production envs to AWS. Note the GCP environment has been removed.
- deepwiki link - AI generated technical documentation (worth a look - the content is easier to navigate than fishing through comments and API doc, and it links back to the code if you want to check accuracy)
Fixes
- fix: log durations as strings (ms/s/min) rather than nanoseconds
- fix: Info() now overrides ldflags version if VERSION is set in the env. This corrects the bug where prod showed the previous version number (the bug occurred because the new prod workflow uses the binary from staging, and this is built before the new version tag is created)
Dependencies
- deps(deps): bump github.com/jub0bs/cors from 1.0.0 to 1.0.2
- deps(deps): bump github.com/pressly/goose/v3 from 3.27.0 to 3.27.1
- deps(deps): bump github.com/alecthomas/chroma/v2 from 2.23.1 to 2.24.1
Full Changelog: v0.31.0...v0.31.1
v0.31.0
What's Changed
new GitHub workflows
The service now deploys to AWS ECS as well as GCP
Fixes
/oauth/token and /oauth/revoke now correctly conform to RFC 6749:
Token endpoint requests now use application/x-www-form-urlencoded.
Refresh tokens for web users remain in HTTP-only cookies per RFC 9700.
Developer migration note
The /oauth/token and /oauth/revoke endpoints no longer accept JSON bodies or grant_type as a URL query parameter.
What to change in your requests:
Set Content-Type: application/x-www-form-urlencoded
Move grant_type into the request body as a form field (e.g. grant_type=client_credentials)
Move client_id and client_secret into the form body — or use HTTP Basic Auth (Authorization: Basic base64(client_id:client_secret))
For refresh_token grant: send grant_type=refresh_token in the form body; the refresh token itself is still sent as the refresh_token HTTP-only cookie
errors:
The error response format for /oauth endpoints now includes an RFC 6749 compliant error field alongside the error_code field provided with other requests (use error_code and error_description for more detail):
{
  "error": "invalid_grant",
  "error_description": "session expired, please log in again",
  "error_code": "refresh_token_invalid"
}
Dependencies
- deps(deps): bump the golang-x group in /app with 2 updates by @dependabot[bot] in #166
- deps(deps): bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 in /app in the dependencies group by @dependabot[bot] in #168
Full Changelog: v0.30.0...v0.31.0
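A Go client following the v0.31.0 migration note above, added here as an illustration and not taken from the signalsd code base: it sends grant_type in a form body with the client credentials in HTTP Basic Auth (so nothing secret ends up in the URL), and decodes the error body shown above. The function and type names and the signalsd.example host are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// oauthError mirrors the error body shown in the v0.31.0 notes (type name is an assumption).
type oauthError struct {
	Error            string `json:"error"` // RFC 6749 error field
	ErrorDescription string `json:"error_description"`
	ErrorCode        string `json:"error_code"` // signalsd-specific detail
}

// newClientCredentialsRequest builds a /oauth/token request as the migration
// note asks: form-encoded body, grant_type as a form field, and the client
// credentials in HTTP Basic Auth rather than in the URL or a JSON body.
func newClientCredentialsRequest(baseURL, clientID, clientSecret string) (*http.Request, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	req, err := http.NewRequest(http.MethodPost, baseURL+"/oauth/token", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	return req, nil
}

// decodeOAuthError parses an /oauth error response and rejects bodies that
// lack the RFC 6749 "error" field.
func decodeOAuthError(body []byte) (oauthError, error) {
	var e oauthError
	if err := json.Unmarshal(body, &e); err != nil {
		return e, fmt.Errorf("not a JSON error body: %w", err)
	}
	if e.Error == "" {
		return e, fmt.Errorf("missing RFC 6749 error field")
	}
	return e, nil
}

func main() {
	req, _ := newClientCredentialsRequest("https://signalsd.example", "my-client", "my-secret") // constructed values
	fmt.Println(req.Method, req.URL, req.Header.Get("Content-Type"))
}
```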
v0.30.0
What's New
- New signal router feature
- Updated batch handling (now driven entirely by the user submit batch ref)
- new roles (isnadmin/siteadmin)
- improvement to permissions (clear separation between read-only, write-only and read/write)
- all caches are now refreshed using polling
Breaking Changes
Database changes:
- Signal types are now defined at site (rather than isn) level - this change was necessary to support the routing feature
- batches are now at account level
- new roles
Run make docker-reset after getting the latest release (this will drop and recreate the database and rebuild the app and db containers with the latest dependencies)
Signal Creation
It is now required to include a batch_ref identifier when sending signals.
You can use the Batch Status endpoint to get information on the status of the signals loaded in a batch.
There is no longer any need to use the API to open new batches - when you supply a new batch_ref a new batch is automatically started.
The updated JSON looks like this:
{
  "batch_ref": "daily-sync-2026-04-02",
  "signals": [
    {
      "content": {},
      "correlation_id": "75b45fe1-ecc2-4629-946b-fd9058c3b2ca",
      "local_ref": "item_id_#1"
    }
  ]
}
Note the Signals Submission with Router and standard Signals Submission endpoints have been updated to use a common response structure.
The main changes are that the response now contains a results array with one element per ISN (this is to accommodate the router functionality that can write to multiple ISNs in one request). See the API doco for the Signals Submission endpoints for details of the JSON structure returned.
Signal Types Management
Signal Types are now defined at the site level. They can be added to an ISN using the new Add a Signal Type to an ISN endpoint.
Authentication - Claims structure changes
The new siteadmin and isnadmin roles clear up the distinction in responsibilities for admin accounts:
- siteadmins have full access (Note only site admins can create new Signal Types)
- isnadmins can create ISNs and add Signal Types to ISNs they own.
The first account created on the site is automatically made an isnadmin.
Permissions now separate read and write permissions.
Accounts with write-only permission to an ISN can write signals but can only read signals they created. This was done to restrict visibility to service accounts that are used to supply new signals to an ISN but should not be able to see contributions from other accounts.
As part of the changes the response to the Login and Refresh Access Token endpoints was updated. See the API docs for details.
New: Signals Router
The router lets you submit signals without specifying a target ISN.
e.g. POST /api/router/signal-types/{signal_type_slug}/v{sem_ver}/signals
The router resolves the target ISN for each signal using configured routing rules, or via correlation ID if supplied.
ISN resolution by correlation ID
Where a correlation ID is supplied, the routing rules do not apply and the signal will be routed to the ISN that received the original correlated signal.
ISN resolution by pattern match
If no correlation ID is present the handler attempts to resolve the ISN using the routing rules defined for the Signal Type. The rules are applied in the order defined in the Routing Rules Config (first match is accepted).
A routing config consists of a routing field (path to a single field in the signal content used for matching), one or more matching patterns, and the target ISN, e.g.
| routing field | pattern | operator | is case sensitive | target isn |
|---|---|---|---|---|
| payload.portOfEntry | felixstowe | equals | true | felixstowe-isn |
| payload.portOfEntry | southampton | equals | true | southampton-isn |
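The resolution order described above (correlation ID first, then rules in config order, first match wins), as an added Go example that is not signalsd's own implementation. The type and function names, and the origin map standing in for the lookup of the original correlated signal, are assumptions; only the equals operator from the table is implemented.

```go
package main

import (
	"fmt"
	"strings"
)

// rule is one row of the routing config table (struct and field names are assumptions).
type rule struct {
	RoutingField, Pattern, TargetISN string
	CaseSensitive                    bool
}

// lookup follows a dot-separated path through decoded JSON content and returns
// the string found there; ok is false if the path is missing or not a string.
func lookup(content map[string]any, path string) (string, bool) {
	var cur any = content
	for _, key := range strings.Split(path, ".") {
		obj, _ := cur.(map[string]any) // nil map when cur is not an object
		cur = obj[key]                 // reading a nil map yields nil
	}
	s, ok := cur.(string)
	return s, ok
}

// resolveISN picks the target ISN. A correlation ID bypasses the rules and
// reuses the ISN of the original signal (origin is a stand-in for that lookup);
// otherwise rules are tried in order with the "equals" operator, first match wins.
func resolveISN(correlationID string, origin map[string]string, content map[string]any, rules []rule) (string, bool) {
	if correlationID != "" {
		isn, ok := origin[correlationID]
		return isn, ok
	}
	for _, r := range rules {
		v, ok := lookup(content, r.RoutingField)
		if ok && (v == r.Pattern || (!r.CaseSensitive && strings.EqualFold(v, r.Pattern))) {
			return r.TargetISN, true
		}
	}
	return "", false // no rule matched
}

func main() {
	rules := []rule{{"payload.portOfEntry", "felixstowe", "felixstowe-isn", true}} // first table row
	sig := map[string]any{"payload": map[string]any{"portOfEntry": "felixstowe"}}  // constructed signal
	fmt.Println(resolveISN("", nil, sig, rules))
}
```

Because the routing field decides which ISN, and so which set of readers, receives a signal, the no-match and wrong-type cases return ok=false instead of a default target.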
Caches
The backend service uses 3 caches:
- public isns
- json schemas
- routing configs
These are now all refreshed by polling (this is to allow multiple instances of the http server to be deployed). The refresh interval is set in the serverconfig package (currently set to run every 30 seconds).
Dependencies
- go 1.26.2
- postgres17 > postgres18
- github.com/jub0bs/cors from 0.13.6 to 1.0.0
- github.com/gohugoio/hugo from 0.149.1 to 0.159.2 (indirect dev tool dependency)
v0.22.0
What's New
- updated permissions model
  - it is now possible to assign explicit write / read permissions to an account
  - this was done to support the requirement to prevent service accounts that submit data from seeing data submitted by other ISN users (these accounts should be given write-only permission, meaning they can submit data but can only view signals they created)
- Improved update isn account permissions feature.
  - removed redundant 'revoke isn account permission' handler.
- Simplified batch handling:
  - batches are now automatically created when an account first writes to an isn (no need for manual creation).
  - Accounts still have the option to start new batches as required (this automatically closes the previously opened batch)
Dependencies
- deps(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.3 in /app by @dependabot[bot] in #156
- deps(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 in /app in the go_modules group across 1 directory by @dependabot[bot] in #143
- deps(deps): bump the dependencies group in /app with 2 updates by @dependabot[bot] in #151
- deps(deps): bump github.com/pressly/goose/v3 from 3.26.0 to 3.27.0 in /app in the tools group by @dependabot[bot] in #149
- deps(deps): bump golang.org/x/time from 0.14.0 to 0.15.0 in /app in the golang-x group across 1 directory by @dependabot[bot] in #152
Run make docker-build to update the dependencies in the docker image
fixes
- CI/CD workflows now use the pinned tool versions in go.sum
- air live reload now detects changes to js files
- signal search was polling before the 'monitor' button was pressed (regression)
- fixed inconsistent case usage in api - see updated endpoints below
the rule is now:
- url paths (kebab-case)
- url params (snake_case)
- url search params (snake_case)
- database columns (snake_case)
This is a breaking change - the following urls have been updated
Updated endpoints
| Old Endpoint | New Endpoint |
|---|---|
| POST /admin/{isn_slug}/signal_types | POST /admin/{isn_slug}/signal-types |
| POST /admin/{isn_slug}/signal_types/{signal_type_slug}/schemas | POST /admin/{isn_slug}/signal-types/{signal_type_slug}/schemas |
| PUT /admin/{isn_slug}/signal_types/{signal_type_slug}/v{sem_ver} | PUT /admin/{isn_slug}/signal-types/{signal_type_slug}/v{sem_ver} |
| DELETE /admin/{isn_slug}/signal_types/{signal_type_slug}/v{sem_ver} | DELETE /admin/{isn_slug}/signal-types/{signal_type_slug}/v{sem_ver} |
| GET /admin/{isn_slug}/signal_types | GET /admin/{isn_slug}/signal-types |
| GET /admin/{isn_slug}/signal_types/{signal_type_slug}/v{sem_ver} | GET /admin/{isn_slug}/signal-types/{signal_type_slug}/v{sem_ver} |
| POST /api/isn/{isn_slug}/signal_types/{signal_type_slug}/v{sem_ver}/signals | POST /api/isn/{isn_slug}/signal-types/{signal_type_slug}/v{sem_ver}/signals |
| PUT /api/isn/{isn_slug}/signal_types/{signal_type_slug}/v{sem_ver}/signals/withdraw | PUT /api/isn/{isn_slug}/signal-types/{signal_type_slug}/v{sem_ver}/signals/withdraw |
| GET /api/isn/{isn_slug}/signal_types/{signal_type_slug}/v{sem_ver}/signals/search | GET /api/isn/{isn_slug}/signal-types/{signal_type_slug}/v{sem_ver}/signals/search |
| GET /api/public/isn/{isn_slug}/signal_types/{signal_type_slug}/v{sem_ver}/signals/search | GET /api/public/isn/{isn_slug}/signal-types/{signal_type_slug}/v{sem_ver}/signals/search |

Full Changelog: v0.21.5...v0.22.0
v0.21.5
What's Changed
The service is now running on
https://signalsd-staging.corridorone.uk/
https://signalsd.corridorone.uk/
.. and the old btddemo.org domain is being retired.
CI
- github actions updated (Node 24 support)
- Vulnerability checks (govulncheck) added (see make vuln) - these now run as part of the standard CI workflow and are included in the make check command.
- CI and docker builds now refer to app/go.mod to identify the current go version (just change go.mod and run tests to upgrade go versions)
- tools.go adopted to simplify tool management
fixes
- review of http headers
  - remove deprecated X-Requested-With from CORS config
  - modernized security headers
  - x-max-request-size > signalsd-max-request-size
- security: G120, G705 and G117 fixes
- UI: signals search monitor was always active, even when button not pressed
Dependencies
- go v1.26.1 (vulnerability fixes)
- deps(deps): bump github.com/go-chi/chi/v5 from 5.2.4 to 5.2.5 in /app by @dependabot[bot] in #135
- deps(deps): bump golang.org/x/text from 0.33.0 to 0.34.0 in /app by @dependabot[bot] in #138
- deps(deps): bump github.com/jub0bs/cors from 0.11.0 to 0.13.2 in /app by @dependabot[bot] in #141
- deps(deps): bump github.com/lmittmann/tint from 1.1.2 to 1.1.3 in /app by @dependabot[bot] in #136
- deps(deps): bump golang.org/x/crypto from 0.47.0 to 0.48.0 in /app by @dependabot[bot] in #139
- deps(deps): bump github.com/a-h/templ from 0.3.977 to 0.3.1001 in /app by @dependabot[bot] in #140
make docker-build
v0.21.4
v0.21.2
What's New
- deps(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 in /app by @dependabot[bot] in #133
- deps(deps): bump github.com/jub0bs/cors from 0.10.0 to 0.11.0 in /app by @dependabot[bot] in #134
- review of http headers (replaced obsolete X-headers)
Full Changelog: v0.21.1...v0.21.2