Tale v0.2.87
Highlights
Enterprise SSO & SCIM provisioning (#1936)
Unified, file-based Enterprise SSO replacing the old per-provider config: a single connection covering OIDC, OAuth2, and SAML, plus SCIM 2.0 user/group provisioning. Configured from the admin UI (Settings → Enterprise SSO). See the new Enterprise SSO docs.
Two-tier sandbox concurrency limits (#1971)
Sandbox concurrency is now governed at two levels: global environment caps and per-org governance. Default caps were lowered to suit a small host — operators on larger boxes should set these explicitly:
SANDBOX_MAX_CONCURRENTdefault 4 → 2SANDBOX_MAX_SESSIONSdefault 10 → 2SANDBOX_MAX_SESSIONS_PER_ORGremains 50
Unified chat panel + branch-aware workspace inheritance (#1934)
Consolidated chat experience into a single panel, with sandbox workspaces that inherit from their parent branch.
Fixes
- Sandbox-agent
401responses no longer launder into a fake success (#2100). - Website scan no longer spins indefinitely on un-markable (canonical) URLs.
Operator notes
Migrations run automatically on tale deploy (auto-detected, confirmed at deploy). This release adds:
- Fold legacy
audit_retentionpolicy intoretention_policy(destructive, reversible) - Migrate
ssoProvidersinto the file-based Enterprise SSO connection (reversible) - Export
orgPackagePolicy→ file-basedrun_codegovernance policy (reversible) - Export
modelSyncSettings→ file-basedmodel_syncgovernance policy (reversible) - Drop legacy
orgPackagePolicyrows, post-export cleanup (destructive, reversible) - Drop legacy
modelSyncSettingsrows, post-export cleanup (destructive, reversible)
Upgrade with tale upgrade, then tale deploy.