Apr 7, 2026 · @gitryder
We added thousands separators to numeric values in the pipeline Insights tab, making large numbers easier to read at a glance.
Apr 7, 2026 · @gitryder
We fixed an issue where the pipeline table stayed filtered after viewing a pipeline's detail page and navigating away to another tab. Returning to the Pipelines page would show only the previously viewed pipeline, and clearing the search had no effect.
]]>Apr 7, 2026 · @tobim, @codex · #5988
The export operator no longer emits partially populated events from rebuilt partitions when a row is null at the record level. Previously, some events could appear with most fields set to null while a few values, such as event_type or interface fields, were still present.
This makes exports from rebuilt data more reliable when investigating sparse or malformed-looking events.
Mar 31, 2026
The from_http and http operators now include the port in the Host header
when the URL uses a non-standard port. Previously, the port was omitted, which
caused requests to fail with HTTP 403 when the server validates the Host
header against the full authority, such as for pre-signed URL signature
verification.
The export command no longer fails or misses recent events when a node is flushing active partitions to disk under heavy load. Recent exports now keep the in-memory partitions they depend on alive until the snapshot completes, which preserves correctness for concurrent import and export workloads.
The reusable GitHub Actions release workflow now works in external repositories by default. It falls back to the caller repository's GITHUB_TOKEN, makes GitHub App authentication optional, and only enables GPG signing when a caller provides a signing key and opts into commit and/or tag signing. The single release.yaml workflow now also exposes the advanced hooks and release controls directly, including skip-publish for dry runs and smoke tests. Tenzir repositories can still opt into the existing bot identity, GitHub App token flow, and signed commits and tags by passing those settings explicitly.
Mar 26, 2026 · @gitryder
We added a new Stream view to the Explorer that shows all pipeline results as a continuous list of expandable events. You can switch between the Table, Chart, and Stream views using the view selector in the toolbar. The Stream view displays events from all schemas together, with color-coded badges to distinguish between them. Each row shows a one-line preview that you can expand to inspect the full event. The view remembers your selection across pipeline runs, and the event list scrolls horizontally as a whole, with schema badges staying pinned on the left.
Mar 13, 2026 · @gitryder
You can now sort the Explorer table by clicking column headers. Sortable columns show a sort indicator, and clicking cycles through ascending, descending, and unsorted states. Sorting works for both top-level and nested fields.
Mar 12, 2026 · @gitryder
You can now click on field names and values in the Explorer inspector to copy them to the clipboard. Field names copy the full dot-separated path, and values copy their TQL representation.
Mar 12, 2026 · @gitryder
You can now select a time range directly from the Explorer header. Choose from quick presets like 5 minutes or 12 hours, or open the custom popover to pick from a grid of relative durations or set an absolute date range. The selector is currently available for pipelines that start with the export operator.
Mar 12, 2026 · @gitryder
We combined the 'About' and 'Install' tabs in the package detail drawer into a single scrollable view. Package information, examples, and configuration options are now shown on one page instead of requiring tab switches.
Mar 24, 2026 · @gitryder
We fixed an issue where custom packages installed on a node were not visible in the library view. Previously, only packages from the official Tenzir library were shown. Custom packages are now included alongside library packages.
Mar 24, 2026 · @gitryder
We fixed a bug where operator description text on the package detail page appeared rotated 90 degrees, overlapping other content.
Mar 17, 2026 · @gitryder
Packages containing user-defined operators can again be installed through the platform. Previously, installing such packages failed because the operator arguments were serialized incorrectly. This only affected installs through the platform UI—command-line package installs were not impacted.
]]>Feb 4, 2026 · @tobim, @codex · #5703
AWS operators now support OIDC-based authentication via the AssumeRoleWithWebIdentity API.
You can authenticate with AWS resources using OpenID Connect tokens from external identity providers like Azure, Google Cloud, or custom endpoints. This enables secure cross-cloud authentication without sharing long-lived AWS credentials.
Configure web identity authentication in any AWS operator by specifying a token source and target role:
from_s3 "s3://bucket/path", aws_iam={
region: "us-east-1",
assume_role: "arn:aws:iam::123456789012:role/cross-cloud-role",
web_identity: {
token_file: "/path/to/oidc/token"
}
}
The web_identity option accepts three token sources: token_file (path to a token file), token_endpoint (HTTP endpoint that returns a token), or token (direct token value). For HTTP endpoints, you can extract tokens from JSON responses using path.
Credentials automatically refresh before expiration, with exponential backoff retry logic for transient failures. This is especially useful for long-running pipelines that need persistent authentication.
Mar 30, 2026 · @jachris · #5954
Pipelines that use and, or, or if-else expressions run significantly faster in certain cases — up to 30× in our benchmarks. The improvement is most noticeable in pipelines with complex filtering or branching logic. No pipeline changes are needed to benefit.
Mar 23, 2026 · @mavam, @codex · #5939
The ocsf::derive operator now supports OCSF 1.8.0 events.
For example, you can now derive enum and sibling fields for events that declare
metadata.version: "1.8.0":
from {metadata: {version: "1.8.0"}, class_uid: 1007}
ocsf::derive
This keeps OCSF normalization pipelines working when producers emit 1.8.0
events.
Platform configuration validation now provides clearer error messages when an invalid configuration is encountered, helping you quickly diagnose and fix configuration issues.
Setting TENZIR_ENDPOINT to an unresolvable hostname no longer crashes the pipeline with a segfault.
Mar 25, 2026 · @mavam, @claude · #5949
ocsf::derive no longer emits a false warning when an _id field is set
to 99 (Other) and the sibling string contains a source-specific value.
Per the OCSF specification, 99/Other is an explicit escape hatch: the
integer signals that the value is not in the schema's enumeration and the
companion string must hold the raw value from the data source. For
example, the following is now accepted silently:
from {
metadata: { version: "1.7.0" },
type_uid: 300201,
class_uid: 3002,
auth_protocol_id: 99,
auth_protocol: "Negotiate",
}
ocsf::derive
Previously this produced a spurious warning: found invalid value for 'auth_protocol' because "Negotiate" is not a named enum caption.
Mar 24, 2026 · @lava
The Azure Blob Storage connector now handles Azure::Core::Http::TransportException
(e.g., SSL certificate errors) gracefully instead of crashing. Previously, a
self-signed certificate in the certificate chain would cause an unhandled
exception and terminate the node.
Mar 20, 2026 · @mavam, @codex · #20
This fixes the release candidate workflow so RCs no longer remain in changelog history after they have been superseded. Creating a new -rc.N now replaces the previous RC for that cycle, and creating a stable release closes the RC cycle and removes its RC manifests from releases/.
For example:
# Start an RC cycle for a later stable release.
tenzir-ship release create v1.2.3 --rc --yes
tenzir-ship release create v1.3.0 --yes
# Or promote the active RC to its matching stable release.
tenzir-ship release create v1.2.3 --rc --yes
tenzir-ship release create --yes
After the stable release is created, the RC is no longer kept in release history. Release candidates are also cumulative, so each new RC includes the previous RC's entries plus any newly added unreleased entries, while stable releases remain incremental.
]]>Mar 17, 2026 · @tobim
Feather store files now include a TENZIR:store:origin key in the Arrow table
schema metadata. The value is "ingest" for freshly ingested data, "rebuild"
for partitions created by the rebuild command, and "compaction" for partitions
created by the compaction plugin. This allows external tooling such as pyarrow
to distinguish how a partition was produced.
Mar 11, 2026 · @IyeOnline, @codex, @mavam, @raxyte · #5897
The to_clickhouse operator now supports dynamic table names via an expression
table=..., which must evaluate to a string. If the value is not a valid
table name, the events will be dropped with a warning.
With this change, the operator will also create a database if it does not exist.
The prime use-case for this are OCSF event streams:
subscribe "ocsf"
ocsf::cast encode_variants=true, null_fill=true
to_clickhouse table=f"ocsf.{class_name.replace(" ","_")}", ...
You can now install Tenzir on Apple Silicon macOS via Homebrew:
brew tap tenzir/tenzir
brew install --cask tenzir
You can also install directly without tapping first:
brew install --cask tenzir/tenzir/tenzir
The release workflow keeps the Homebrew cask in sync with the signed macOS package so installs and uninstalls stay current across releases.
The AWS Marketplace ECR repository tenzir-node was incorrectly populated with
the tenzir image. It now correctly ships tenzir-node, which runs a Tenzir
node by default.
If you relied on the previous behavior, you can restore it by setting tenzir
as a custom entrypoint in your ECS task definition.
The bundled Suricata schema now covers the remaining event types listed in the Suricata 8.0.3 EVE JSON format documentation: IKE (IKEv1/IKEv2), HTTP/2, PostgreSQL, and Modbus. This completes Suricata 8 schema coverage for Tenzir.
The read_syslog operator and parse_syslog function now accept RFC 5424 structured-data parameter names longer than 32 characters, which some vendors emit despite the specification limit.
For example, this message now parses successfully instead of being rejected:
<134>1 2026-03-18T11:00:51.194137+01:00 HOSTNAME abc 9043 23003147 [F5@12276 thx_f5_for_ignoring_the_32_char_limit_in_structured_data="thx"] broken example
This improves interoperability with vendor syslog implementations that exceed the RFC limit for structured-data parameter names.
Mar 14, 2026 · @aljazerzen · #5906
The batch timeout was only checked when a new event arrived, so a single event followed by an idle stream would never be emitted. The timeout now fires independently of upstream activity.
Mar 13, 2026 · @jachris · #5901
The parse_winlog function could fragment output into thousands of tiny
batches due to type conflicts in RenderingInfo/Keywords, where events with
one <Keyword> emitted a string but events with multiple emitted a list.
Additionally, EventData with unnamed <Data> elements is now always emitted
as a record with _0, _1, etc. as field names instead of a list.
Mar 12, 2026 · @jachris · #5899
The in operator for list expressions is up to 33x faster. Previously it
created and finalized entire Arrow arrays for every element comparison, causing
severe overhead for expressions like EventID in [5447, 4661, ...].
Additionally, comparing a typed null value with == now returns false instead
of null, and != returns true, fixing a correctness issue with null
handling in equality comparisons.
Mar 12, 2026 · @jachris · #5899
The in operator fast path now correctly prevents comparison of secret values.
Previously, secret_value in [...] would silently compare instead of returning
null with a warning, bypassing the established secret comparison policy.
Mar 12, 2026 · @jachris · #5900
Pattern equality checks now correctly consider the case-insensitive flag. Previously, two patterns that differed only in case sensitivity were treated as equal, violating the hash/equality contract.
Mar 12, 2026 · @jachris · #5899
Splitting Arrow arrays for string and blob types no longer over-reserves memory. Previously both output builders reserved the full input size each, using up to twice the necessary memory.
]]>tenzir-ship now supports release candidates via release create --rc. Creating a release candidate snapshots the current unreleased entries without consuming them, so you can iterate on -rc.N releases before promoting one to the final stable release. The stable base is inferred automatically, and rerunning the command continues the matching RC series when one already exists.
When you are ready to ship the stable release, rerun tenzir-ship release create without --rc and the latest outstanding release candidate becomes the matching stable release automatically. Once an RC series exists, you either continue it with release create --rc or promote the latest candidate with the normal stable command.
Publishing a release candidate now automatically creates a GitHub prerelease and prevents it from being marked as latest. release version and show latest continue to resolve the latest stable release, while release publish without an explicit version now targets the latest release manifest, including RCs. The bundled GitHub Actions release workflows accept rc so you can keep creating RCs from CI, and the default stable workflow promotes the latest outstanding candidate automatically.
Fixed a scheduling issue introduced in v5.24.0 that could cause the node to
become unresponsive when too many pipelines using detached operators like
from_udp were deployed simultaneously.
The bundled Suricata schema now includes types for four previously missing event types: ike, http2, pgsql, and modbus.
The ike type supports both IKEv1 and IKEv2 traffic. Version-specific fields are contained within dedicated ikev1 and ikev2 sub-objects, covering key exchange payloads, nonce payloads, client proposals, vendor IDs, and IKEv2 role/notify information.
The http2 type models HTTP/2 request and response streams including settings frames, header lists, error codes, and stream priority.
The pgsql type covers PostgreSQL session events with full request fields (simple queries, startup parameters, SASL authentication) and response fields (row counts, command completion, parameter status).
The modbus type captures industrial Modbus protocol transactions including function codes, access types, exception responses, diagnostic subfunctions, and MEI encapsulated interface data.
Mar 13, 2026 · @mavam, @codex · #5902
read_syslog and parse_syslog now extract a leading RFC 5424-style
structured-data block from RFC 3164 message content.
This pattern occurs in practice with some VMware ESXi messages, where
components such as Hostd emit a legacy syslog record and prepend structured
metadata before the human-readable message text.
For example, this raw syslog line:
<166>2026-02-11T18:01:45.587Z esxi-01.example.invalid Hostd[2099494]: [Originator@6876 sub=Vimsvc.TaskManager opID=11111111-2222-3333-4444-555555555555] Task Completed
now parses as:
{
facility: 20,
severity: 6,
timestamp: "2026-02-11T18:01:45.587Z",
hostname: "esxi-01.example.invalid",
app_name: "Hostd",
process_id: "2099494",
structured_data: {
"Originator@6876": {
sub: "Vimsvc.TaskManager",
opID: "11111111-2222-3333-4444-555555555555",
},
},
content: "Task Completed",
}
Events without extracted structured data keep the existing syslog.rfc3164
schema. Events with extracted structured data use
syslog.rfc3164.structured.
Mar 10, 2026 · @IyeOnline, @satta · #5888
The bundled Suricata schema now aligns with Suricata 8, enabling proper parsing and representation of events from Suricata 8 deployments.
This update introduces support for new event types including POP3, ARP, and BitTorrent DHT, along with enhancements to existing event types. QUIC events now include ja4 and ja4s fields for fingerprinting, DHCP events include vendor_class_identifier, and TLS certificate timestamps now use the precise time type instead of string representation.
These schema changes ensure that Tenzir can reliably ingest and process telemetry from Suricata 8 without data loss or type mismatches.
Mar 11, 2026 · @jachris · #5893
In some situations, pipelines could not be successfully started, leading to timeouts and a non-responsive node, especially during node start.
Mar 10, 2026 · @IyeOnline, @codex · #5886
Pipelines using chained list transforms such as xs.where(...).map(...).where(...) no longer trigger an internal assertion on sliced input batches.
Mar 9, 2026 · @mavam, @codex · #5877
Invalid Google Cloud credentials in from_google_cloud_pubsub no longer crash the node. Authentication errors now surface as operator diagnostics instead.
Mar 12, 2026 · @lava
We upgraded Python dependencies and added system-level package upgrades to the Docker images to address known vulnerabilities.
Mar 11, 2026 · @realllydan
We fixed an issue where switching away from a pipeline that has the Insights tab available to one that does not could leave the tab selection in an invalid state.
]]>The bundled GitHub Actions workflows now use Node 24-compatible action versions, which keeps CI, release, and publishing automation aligned with GitHub's runtime transition. The release and sync workflows also mint GitHub App installation tokens without relying on a deprecated JavaScript action.
Release commands and the Python API now handle release versions more consistently when changelog data mixes tag-style versions such as v1.2.3 with bare semantic versions such as 1.2.3. This improves compatibility with existing changelog histories and makes release automation more reliable across commands that inspect, create, show, and publish releases.
Skipping a test no longer modifies its baseline file. Previously, running
with --update would overwrite the baseline of a skipped test with an empty
file, and running without --update would fail if the baseline was non-empty.
Skipped tests now leave existing baselines untouched, so toggling a skip
condition no longer causes unrelated baseline churn.
init command scaffolds changelog projects interactively or non-interactively, so you can set up a standalone or package-based project in less time. It also protects existing projects from accidental overwrites.
A new init command allows for scaffolding a new changelog project interactively or with the --yes flag. It supports both standalone and package modes, and prevents accidental overwriting of existing projects.
tenzir-ship init
This reduces the manual effort required to set up a new changelog.
]]>Mar 10, 2026 · @lava
The app container now supports a PRIVATE_WEBSOCKET_GATEWAY_ENDPOINT environment variable that overrides the existing PUBLIC_WEBSOCKET_GATEWAY_ENDPOINT for calls in the app backend. This allows configuring different endpoints when the frontend and backend live in different networks.
Mar 10, 2026 · @realllydan
The pipeline detail modal now includes an experimental Insights tab that visualizes per-operator backpressure, helping users identify bottlenecks in their pipelines. This tab is only available for pipelines running on the experimental new executor.
Mar 10, 2026 · @lava
We fixed an issue where ephemeral nodes were causing the frontend to fail to render or be displayed with incorrect connection status.
]]>Mar 2, 2026 · @mavam, @codex · #5851
parse_syslog() and read_syslog now accept common Check Point structured-data variants that are not strictly RFC 5424 compliant. This includes key:"value" parameters, semicolon-separated parameters, and records that omit an SD-ID entirely.
For records without an SD-ID, Tenzir now normalizes the structured data under checkpoint_2620, so downstream pipelines can use a stable field path.
For example, the message <134>1 ... - [action:"Accept"; conn_direction:"Incoming"] now parses successfully and maps to structured_data.checkpoint_2620. This improves interoperability with Check Point exports and reduces ingestion-time preprocessing.
Mar 6, 2026 · @IyeOnline · #5805
JSON parsing errors now display the surrounding bytes at the error location. This makes it easier to diagnose malformed JSON in your data pipelines.
For example, if your JSON is missing a closing bracket, the error message shows you the bytes around that location and marks where the parser stopped expecting more input.
Mar 4, 2026 · @tobim, @codex · #5865
The load_tcp operator now makes DNS hostname resolution opt-in with the resolve_hostnames parameter (defaults to false).
Previously, the operator always attempted reverse DNS lookups for peer endpoints, which could fail in environments without working reverse DNS configurations. Now you can enable this behavior by setting resolve_hostnames to true:
load_tcp endpoint="0.0.0.0:5555" resolve_hostnames=true {
read_json
}
When enabled and DNS resolution fails, the operator emits a warning diagnostic (once) instead of failing. This allows the operator to continue functioning in environments where reverse DNS is unavailable or unreliable.
Mar 6, 2026 · @IyeOnline · #5805
We improved the reporting for unexpected diagnostics outside of operator execution, such as during startup. In these cases you will now get the diagnostic message.
Mar 6, 2026 · @IyeOnline · #5805
Fixed multiple issues that could cause errors or incorrect behavior when the schema of parsed events changes between records. This is particularly important when ingesting data from sources that may add, remove, or modify fields over time.
Schema mismatch warnings for repeated fields in JSON objects (which Tenzir interprets as lists) now include an explanatory hint, making it clearer what's happening when a field appears multiple times where a single value was expected.
]]>Mar 5, 2026 · @lava
When you click a deep link in Tenzir Platform but aren't logged in, you're now redirected to your original destination after signing in, instead of landing on the home page.
Feb 18, 2026 · @gitryder
We improved how the nodes list loads, making dependent views feel faster and more responsive across the platform.
Feb 27, 2026 · @gitryder
We fixed an issue where profile images from Gravatar and Microsoft accounts were blocked by the content security policy, causing broken or missing avatars.
Feb 27, 2026 · @gitryder
We fixed an issue where the diagnostics pane could show diagnostics from a different pipeline than the one currently open in the detail modal.
Feb 18, 2026 · @gitryder
We fixed an issue where the context list could appear in a random order when no search was active, causing items to jump around. The list now uses a stable alphabetical order so it stays consistent and easier to interact with.
Feb 18, 2026 · @gitryder
We fixed an issue where opening a pipeline link for a workspace you don’t have access to would log you out. You are now redirected to the access page where you can open the link in your default workspace.
]]>Mar 4, 2026 · @mavam, @claude, @codex
We improved clarity and efficacy of the releasing process in the tenzir-ship agent skill.
Mar 2, 2026 · @IyeOnline · #5855
We fixed a bug that could cause a crash when reading JSON data.
Mar 2, 2026 · @jachris · #5841
The CEF parser now handles unescaped = characters (which are not conforming to
the specification) by using a heuristic.
Mar 1, 2026 · @mavam, @claude, @codex · #11
The pi-tenzir-ship package provides a skill for AI coding agents to perform
release engineering tasks. Install it in Pi with:
pi install npm:pi-tenzir-ship
Then activate it with /skill:tenzir-ship.
The skill covers adding changelog entries, cutting standard and module releases, triggering GitHub Actions release workflows, and publishing releases to GitHub.
Feb 28, 2026 · @mavam, @codex · #10
The release creation command now automatically updates version fields in package manifest files during release. When creating a release, tenzir-ship detects and updates package.json, pyproject.toml, project.toml, and Cargo.toml files in your project, including support for dynamic version files in monorepo workspaces.
You can control this behavior with the release.version_bump_mode configuration option in your config.yaml:
auto (default): Automatically detect and update version filesoff: Skip version file updatesFor more granular control, use the release.version_files option to explicitly specify which files to update. Auto-detection searches the project root and parent directory (for nested changelog projects) and gracefully skips files without static version fields.
Release version selection now defaults to automatic bumping when you run
release create without an explicit version and without --patch, --minor,
or --major. The next version is inferred from unreleased entry types:
If no unreleased changelog entries exist, automatic bumping is not available. In that case, provide an explicit version or a manual bump flag to create an intro-only release.
The stats command now reports the computed next release version (or no value
when no automatic bump can be inferred), including in stats --json.
Feb 28, 2026 · @mavam, @codex · #9
Create releases with only introductory text and no changelog entries by using the --intro or --intro-file flags with release create. This is useful when re-publishing a package after yanking a previous artifact or retrying a failed publish workflow—scenarios where you want to create a new release version without adding changelog entries.
Previously, you had to provide at least one changelog entry to create a release. Now the release creation allows you to skip the entries entirely if you supply intro text. The --intro flag accepts text directly, while --intro-file reads from a Markdown file.
reusable-release.yaml now acts as a minimal opinionated wrapper around a new
reusable-release-advanced.yaml workflow.
The advanced workflow adds optional hooks and release controls for complex
consumers: pre/post publish scripts, non-main --no-latest publishing,
optional copy of release directories to main, latest branch updates, a
skip-publish dry-run mode, and workflow outputs for version and
is_latest.
Release commands now validate changelog directory structure before they run and fail fast when it is invalid.
release create and release publish now stop with explicit errors when stray files or directories are detected (for example, an unexpected changelog/next/ directory). Other commands (show, add, stats, and release version) emit warnings so layout problems are visible earlier, while validate reports full structural issues as regular validation errors.
Feb 15, 2026 · @mavam, @claude · #7
When a release step fails, the full command now prints below the progress panel so you can copy-paste it for manual recovery.
Previously, long commands would get truncated in the release progress panel, making it difficult to reproduce the failure manually. Now when a step fails, the complete command is displayed in full below the panel, giving you what you need to debug and retry the operation.
]]>Feb 27, 2026 · @mavam, @codex · #5846
The new experimental hmac function computes Hash-based Message
Authentication Codes (HMAC) for strings and blobs. It supports SHA-256
(default), SHA-512, SHA-384, SHA-1, and MD5 algorithms.
Note: The key parameter is currently a plain string because function
arguments cannot be secrets yet. We plan to change this in the future.
from {
signature: hmac("hello world", "my-secret-key"),
}
{
signature: "90eb182d8396f16d4341d582047f45c0a97d73388c5377d9ced478a2212295ad",
}
Specify a different algorithm with the algorithm parameter:
from {
signature: hmac("hello world", "my-secret-key", algorithm="sha512"),
}
Feb 27, 2026 · @IyeOnline · #5842
We fixed a bug that would cause an assertion failure "Index error: array slice would exceed array length". This was introduced as part of an optimization in Tenzir Node v5.27.0.
]]>Parallel suites are now scheduled more reliably when running with --jobs > 1, so interdependent tests (for example publisher/subscriber pairs) start together sooner instead of being delayed behind large backlogs of unrelated tests.
This update also adds an explicit correctness guard for parallel suites: you can set suite.min_jobs in test.yaml to declare the minimum job count required for valid execution. The run now fails fast if --jobs is lower than suite.min_jobs, and it also fails hard when a parallel suite cannot reserve at least min_jobs workers at runtime (for example under slot contention), instead of proceeding under-provisioned.
In addition, the harness now warns when a parallel suite has more tests than available jobs, making it easier to spot cases where effective suite parallelism is capped by worker count.
]]>Feb 24, 2026 · @lava
Fixed in issue where the platform plugin did not correctly use the
configured certfile, keyfile and cafile options for client
certificate authentication, and improved the error messages for TLS
issues during platform connection.
Feb 25, 2026 · @mavam, @codex · #32
Python fixture tests could fail with serialization errors when the test
configuration included enum values like mode: sequential in test.yaml.
These values are now properly converted to strings before being passed to
test scripts.
Feb 24, 2026 · @mavam, @codex · #29
Test suites can now execute their members in parallel by specifying mode: parallel in the suite configuration. By default, suites continue to run tests sequentially for stability and predictability.
To enable parallel execution, set mode: parallel in the test.yaml file alongside the suite configuration:
suite:
name: my-suite
mode: parallel
fixtures:
- node
Parallel suite execution is useful when tests within a suite are independent and can safely run concurrently. All suite members share the same fixtures and execute within the same fixture lifecycle, while test execution itself happens on separate threads. The suite thread pool is bounded by --jobs, so suite-level concurrency stays within the configured worker budget and does not scale unbounded with suite size.
Suite-level constraints like timeouts, fixture requirements, and capability checks still apply uniformly across all members, whether running sequentially or in parallel.
Feb 25, 2026 · @mavam, @codex · #31
Interrupting test runs with Ctrl+C now exits cleanly without leaking Python tracebacks from subprocess or fixture startup/teardown paths. Interrupt-shaped errors (including nested causes with signal-style return codes such as 130) are treated as graceful cancellation so the CLI reports interrupted tests instead of crashing.
Feb 24, 2026 · @mavam, @codex · #30
Shell test files (.sh) now always default to the "shell" runner, even when a directory-level test.yaml file specifies a different runner (for example, runner: tenzir). This makes shell scripts work reliably in mixed-runner directories without requiring explicit runner: frontmatter in each file. Explicit runner: declarations in test file frontmatter still take precedence and can override this behavior if needed.
Manual fixture control now behaves consistently for fixtures that declare dataclass options.
Previously, starting a fixture with acquire_fixture(...) could fail when no
explicit options were provided, even if the fixture defined defaults.
With this fix, current_options(...) returns default typed options in the
manual fixture-control path, so fixtures started manually and fixtures started
through normal test activation behave the same way.
Feb 22, 2026 · @mavam, @codex · #5819
The slice function now supports list types in addition to string. You can slice lists using the same begin, end, and stride parameters. Negative stride values are now supported for lists, letting you reverse or step backward through list data. String slicing continues to require a positive stride.
Example usage with lists:
[1, 2, 3, 4, 5].slice(begin=1, end=4) returns [2, 3, 4][1, 2, 3, 4, 5].slice(stride=-1) returns the list in reverse order[1, 2, 3, 4, 5].slice(begin=1, end=5, stride=-2) returns [5, 3]Feb 17, 2026 · @mavam, @codex · #5767
The sort function now supports two new parameters: desc for controlling
sort direction and cmp for custom comparison logic via binary lambdas.
Sort in descending order:
from {xs: [3, 1, 2]}
select ys = sort(xs, desc=true)
{ys: [3, 2, 1]}
Sort records by a specific field using a custom comparator:
from {xs: [{v: 2, id: "b"}, {v: 1, id: "a"}, {v: 2, id: "c"}]}
select ys = sort(xs, cmp=(left, right) => left.v < right.v)
{
ys: [
{v: 1, id: "a"},
{v: 2, id: "b"},
{v: 2, id: "c"},
],
}
The cmp lambda receives two elements and returns a boolean indicating whether
the first element should come before the second. Both parameters can be combined
to reverse a custom comparison.
Feb 17, 2026 · @tobim
The read_lines operator was accidently broken while it was ported
to the new execution API. This change restores its functionality.
HTTP header values containing colons are now parsed correctly.
]]>Feb 18, 2026 · @gitryder
We improved the clarity and usability of Explorer charts. Legends are now collapsible, easier to read, and support filtering series directly. Pie chart legends adapt better to available space, and tooltips provide clearer information.
We also expanded the chart color palette for better visual distinction between series, fixed bar chart x-axis labels overlapping when there are many data points, and refined chart layout and behavior for a smoother overall experience.
Feb 18, 2026 · @gitryder
Resolved an issue where your Google profile picture did not appear in the workspace switcher. The image now loads and displays correctly.
Feb 17, 2026 · @lava
Fixed a bug where the static workspace synchronization used stale loop variables during cleanup, causing stale workspaces to persist and the last configured workspace to be incorrectly deleted.
Feb 17, 2026 · @gitryder
We fixed an issue where pressing ESC to close a pipeline detail view caused the pipeline list to stop responding to clicks.
]]>Feb 22, 2026 · @mavam, @codex · #28
Test suites can now declare operator dependencies with a requires configuration key in test.yaml. When a required operator is unavailable in the target Tenzir build, you can gracefully skip the suite by pairing requires with skip: {on: capability-unavailable}.
The skip.on key now accepts either a single condition as a string or a list of conditions, letting you skip on either fixture-unavailable or capability-unavailable (or both). When a capability is unavailable and the suite doesn't opt into skipping, the test run fails with a clear error message listing the missing operators.
Example configuration in test.yaml:
requires:
operators: [from_gcs, to_s3]
skip:
on: capability-unavailable
reason: requires from_gcs and to_s3 operators
This ensures test suites targeting specific capabilities only run when those capabilities are present, improving test reliability in heterogeneous build environments.
]]>Feb 18, 2026 · @mavam, @codex · #27
Fixtures can now define assertion hooks that run after test execution completes while fixtures remain active. Define assertions using the assertions parameter with a frozen dataclass type, then pass fixture-specific assertion payloads under assertions.fixtures.<name> in test frontmatter. The framework automatically invokes the assert_test hook with assertion data before tearing down fixtures, letting you validate side effects like HTTP requests or log output.
Example usage with an HTTP fixture:
fixtures: [http]
assertions:
fixtures:
http:
count: 1
method: POST
path: /api/endpoint
body: '{"key":"value"}'
The HTTP fixture receives the typed assertion payload and validates that the expected request was received. Payload structure is fixture-defined, so fixtures can choose flat fields or nested schemas as needed.
Assertion checks are tracked separately from test counts in the run summary as pass/fail check metrics, so fixture-level validations are visible without changing total test counts.
]]>Feb 17, 2026 · @gitryder
We updated the Platform's underlying framework dependencies to include their latest security fixes.
]]>Feb 16, 2026 · @mavam, @codex · #26
The test harness no longer initializes fixtures for suites where all tests are statically skipped. Previously, fixtures were activated even when no tests would run, causing unnecessary startup overhead and potential errors.
Feb 16, 2026 · @mavam, @codex · #25
When a fixture becomes unavailable during test execution, the test harness now provides a clean error message instead of a Python traceback.
]]>Feb 15, 2026 · @mavam, @codex · #23, #24
tenzir-test now supports both coarse and fine-grained controls for running skipped tests.
Use --run-skipped as a sledgehammer, or --run-skipped-reason with the same matching semantics as --match (bare substring or glob):
tenzir-test --run-skipped
tenzir-test --run-skipped-reason 'maintenance'
tenzir-test --run-skipped-reason '*docker*'
If both options are provided, --run-skipped takes precedence.
Feb 15, 2026 · @mavam, @codex · #22
Writing container-based fixtures no longer requires duplicating boilerplate for runtime detection, process management, and readiness polling.
The new container_runtime module provides reusable building blocks that handle
the common plumbing: detecting whether Docker or Podman is available, launching
containers in detached mode, polling for service readiness, and tearing down
cleanly. Custom fixtures can import these helpers and focus on their
service-specific logic instead.
The built-in docker-compose fixture and the example project now use these
shared helpers internally.
Adds a built-in docker-compose fixture that starts and tears down Docker Compose services from structured fixture options.
The fixture validates Docker Compose availability, waits for service readiness (health-check first, running-state fallback), and exports deterministic service environment variables (including host-published ports).
Feb 14, 2026 · @mavam, @claude · #20
You can now start fixtures in foreground mode without running any tests by using the --fixture option. This lets you provision services (like a database or message broker) and use them in your workflow.
Specify fixture names or YAML-style configuration:
uvx tenzir-test --fixture mysql
uvx tenzir-test --fixture 'kafka: {port: 9092}' --debug
The harness prints fixture-provided environment variables like HOST, PORT, and DATABASE, then keeps services running until you press Ctrl+C. You can repeat --fixture to activate multiple fixtures. The option is mutually exclusive with positional TEST arguments.
Feb 12, 2026 · @mavam, @claude · #5753
User-defined operators in packages can now declare optional field-type parameters with null as the default value. This allows operators to accept field selectors that are not required to be provided.
When a field parameter is declared with type: field and default: null, you can omit the argument when calling the operator, and the parameter will receive a null value instead. You can then check whether a field was provided by comparing the parameter to null within the operator definition.
Example:
In your package's operator definition, declare an optional field parameter:
args:
named:
- name: selector
type: field
default: null
In the operator implementation, check if the field was provided:
set result = if $selector != null then "field provided" else "field omitted"
When calling the operator, the field argument becomes optional:
my_operator # field is null
my_operator selector=x.y # field is x.y
Only null is allowed as the default value for field parameters. Non-null defaults are rejected with an error during package loading.
Feb 11, 2026 · @mavam, @claude
The paginate parameter for the from_http and http operators now supports link-based pagination via the Link HTTP header.
Previously, pagination was only available through a lambda function that extracted the next URL from response data. Now you can use paginate="link" to automatically follow pagination links specified in the response's Link header, following RFC 8288. This is useful for APIs that use HTTP header-based pagination instead of embedding next URLs in the response body.
The operator parses the Link header and follows the rel=next relation to automatically fetch the next page of results.
Example:
from_http "https://api.example.com/data", paginate="link"
If an invalid pagination mode is provided (neither a lambda nor "link"), the operator now reports a clear error message.
Feb 6, 2026 · @mavam, @claude · #5721, #5738
The from_mysql operator lets you read data directly from MySQL databases.
Read a table:
from_mysql table="users", host="localhost", port=3306, user="admin", password="secret", database="mydb"
List tables:
from_mysql show="tables", host="localhost", port=3306, user="admin", password="secret", database="mydb"
Show columns:
from_mysql table="users", show="columns", host="localhost", port=3306, user="admin", password="secret", database="mydb"
And ultimately execute a custom SQL query:
from_mysql sql="SELECT id, name FROM users WHERE active = 1",
host="localhost",
port=3306,
user="admin",
password="secret",
database="mydb"
The operator supports TLS/SSL connections for secure communication with MySQL
servers. Use tls=true for default TLS settings, or pass a record for
fine-grained control:
from_mysql table="users", host="db.example.com", database="prod", tls={
cacert: "/path/to/ca.pem",
certfile: "/path/to/client-cert.pem",
keyfile: "/path/to/client-key.pem",
}
The operator supports MySQL's caching_sha2_password authentication method and automatically maps MySQL data types to Tenzir types.
Use live=true to continuously stream new rows from a table. The operator
tracks progress using a watermark on an integer column, polling for rows above
the last-seen value:
from_mysql table="events", live=true, host="localhost", database="mydb"
By default, the tracking column is auto-detected from the table's auto-increment primary key. To specify one explicitly:
from_mysql table="events", live=true, tracking_column="event_id",
host="localhost", database="mydb"
Feb 12, 2026 · @IyeOnline
We have significantly improved the performance of the write_lines operator.
Feb 12, 2026 · @mavam, @claude · #5752
User-defined operators in packages can now declare parameters with the secret type to ensure that secret values are properly handled as secret expressions:
args:
positional:
- name: api_key
type: secret
description: "API key to use for authentication"
Feb 5, 2026 · @mavam, @claude · #5728
The merge() function now performs a recursive deep merge when merging two records. Previously, nested fields were dropped when merging, so merge({hw: {sn: "XYZ123"}}, {hw: {model: "foobar"}}) would incorrectly produce {hw: {model: "foobar"}} instead of recursively merging the nested fields. The function now correctly produces {hw: {sn: "XYZ123", model: "foobar"}} by materializing both input records and performing a deep merge on them.
Feb 13, 2026 · @mavam, @claude · #19
Configuration override log messages now use relative paths and human-friendly formatting instead of absolute paths and raw Python repr output, making debug output easier to read.
]]>Feb 11, 2026 · @mavam, @claude · #18
Fixture options now support nested dataclass hierarchies, allowing you to structure complex configurations with multiple levels of organization.
Previously, fixture options were limited to flat fields. Now you can declare nested dataclasses as field types, and tests can pass deeply structured options through frontmatter:
fixtures:
- node:
server:
message:
greeting: world
Type safety is preserved across all nesting levels. Optional nested fields (declared with Optional[T] or T | None) are supported, and omitted nested records use their default values. The example server fixture demonstrates this capability with a message.greeting field that flows through to environment variables.
Feb 10, 2026 · @lava
We upgraded pnpm to 9.15.0 in the frontend Docker image to address CVE-2024-53866.
]]>Feb 10, 2026 · @mavam, @claude · #17
Fixtures can now receive typed configuration options passed from test YAML files.
Declare options on a fixture with @fixture(options=MyDataclass), where MyDataclass is a frozen dataclass. Tests can then provide structured options in their frontmatter using either compact syntax (for simple cases) or expanded syntax (for clarity):
fixtures:
- node:
tls: true
port: 8443
- http:
port: 9090
The @fixture decorator validates that option keys match the dataclass fields, and the fixture retrieves its typed instance using current_options(name). When options aren't provided, fixtures receive a default-constructed instance of their options class.
The feature maintains backward compatibility with the existing fixtures: [node, http] syntax for fixtures without options.
Feb 3, 2026 · @mavam, @claude · #5715
The sigma operator now correctly loads all rules when given a directory containing multiple Sigma rule files. Previously, only the last processed rule file would be retained because the rules collection was being cleared on every recursive directory traversal.
sigma "/path/to/sigma/rules"
All rules found in the directory and its subdirectories will now be loaded and used to match against input events.
]]>You can now click on the Ingress or Egress legend item to isolate that series in the activity chart. Clicking again shows both series, making it easier to analyze each metric when lines overlap.
Feb 6, 2026 · @gitryder
We added a toggle in the Explorer table Inspector that lets you wrap lines for easier reading.
We now display the current platform version at the bottom of the workspace switcher dropdown,️ making it easier to always see which version you’re on.
Jan 28, 2026 · @gitryder · #38
We added sorting for the Live Activity column in the pipelines table, so you can easily order pipelines by their activity level.
Jan 28, 2026 · @gitryder · #29
We unified the Available and Installed library tabs into a single view, so you can see which packages are installed without switching tabs. You can also uninstall packages directly from the same page.
Feb 9, 2026 · @lava
We fixed a bug in the Inspector where strings containing backslashes were not displayed correctly. Backslashes were not being escaped in TQL string rendering. For example, a string like Hello \World\ was previously rendered as "Hello \World\" instead of "Hello \\World\\". The fix ensures backslashes are properly escaped when displayed.
skip
configurations in test.yaml failed with a JSON serialization error.
Python fixture tests that use skip in their test.yaml no longer fail with
Object of type SkipConfig is not JSON serializable.
-m/--match flag with automatic substring matching and centralizes skip handling in the engine for more consistent test reporting.
Feb 6, 2026 · @mavam, @claude · #16
The -m/--match flag now treats bare strings as substring matches automatically.
Previously, you had to use glob syntax like tenzir-test -m '*mysql*' to match tests by name. Now you can write tenzir-test -m mysql and it automatically matches any test path containing "mysql". This makes the common case of substring matching simpler and more intuitive.
Patterns that contain glob metacharacters (*, ?, [) still use fnmatch syntax as before, so existing patterns with wildcards continue to work exactly as they did. This change is fully backwards-compatible.
Feb 6, 2026 · @mavam, @claude · #15
Skip handling now lives in the engine instead of individual runners. Skipped tests are recorded consistently in summary stats regardless of which runner executes them, so skip counts and paths in the test report are always accurate.
Previously, each runner duplicated the same skip-config parsing, which could
lead to inconsistent skip tracking. Custom runners no longer need to implement
skip logic because the engine evaluates the skip configuration before
dispatching to any runner.
-m/--match CLI option.
Feb 6, 2026 · @mavam, @claude · #13
Select tests by relative path using the new -m/--match option with fnmatch glob patterns. You can repeat the option to match multiple patterns, and tests matching any pattern are selected. When you combine TEST paths with -m patterns, the framework runs only tests matching both (intersection). If a matched test belongs to a suite configured via test.yaml, all tests in that suite are included automatically. Empty or whitespace-only patterns are silently ignored.
Example: tenzir-test -m '*context*' -m '*create*' runs all tests whose paths contain "context" or "create" anywhere in the name.
Feb 2, 2026 · @mavam, @claude · #12
The help text for the tenzir-test command now provides more context and guidance.
The command description now explains the baseline comparison behavior and shows how to regenerate baselines with the --update flag.