GA
GlueArrow
Release notes

GlueArrow Box OS

Every release is cryptographically signed, SHA-256 verified on delivery, and applied atomically with automatic rollback on health-check failure. Stations receive updates over-the-air every 6 hours on Linux and Korra OS appliances.

DownloadsDocumentation

Changelog

All notable changes to GlueArrow Box OS will be documented in this file.

The format is based on Keep a Changelog.

[1.6.0] - 2026-03-27

Added

  • AES-256-CTR encryption.glue v2 format for audio file protection, matching SmartVault v2 implementation; cryptographically secure, 141x faster than v1 XOR

Changed

  • v1 backward compatibility — existing XOR-encrypted .glue v1 files remain readable; all new encryptions use AES-256-CTR v2

[1.5.0] - 2026-03-26

Added — Geo-Priority Scanning, Artist Reference & Cloud Scan Log

  • Baked-in artist reference (artist_reference.py) — 200+ major artists across all continents with country codes and genres; ships with every Box OS build; works fully offline for artist recognition from filenames
  • Geo-priority scanning — vault scanner sorts audio files by country relevance before processing. Three-layer scoring: exact artist match from baked-in reference (+20), partial match in filename (+15), folder keyword hints (+10)
  • Auto-detect country from IP — when STATION_COUNTRY env var is not set, falls back to ip-api.com detection before scanning
  • Cloud scan log — every file scanned (matched/duplicate/submitted/audd) is logged to Playtunes cloud vault_scan_log with original_name, corrected_title, match_method, country_hint, session_id, and status
  • Cloud artist merge — fetches /artists/countries from Playtunes when online and merges new artist data into the baked-in reference
  • Country keyword hints — 8 countries supported (GH, NG, KE, ZA, TZ, US, GB, JM) with genre and location-based folder matching

[1.4.0] - 2026-03-24

Added — PlaytunesDJ Workspace, Production Engine & Bug Fixes

  • PlaytunesDJ workspace — new ws_playtunesdj.html + ws_playtunesdj.css for music library browsing, playback queue, and vault scan trigger; 14th workspace in the control panel
  • /api/music/library endpoint — returns paginated local music library (tracks + total) for PlaytunesDJ workspace, backed by fingerprint_db.get_all_tracks()
  • Command Center (Owner) workspace updates — new ws_owner.html with network overview and cloud control features
  • PlaytunesDJ play context + vault ownership — play context integration for DJ sessions with SmartVault ownership tracking
  • Constants re-export shimstatic/js/constants.js re-exports from control/constants.js to fix broken ES module resolution for viewer-side video.js
  • Logo placeholder — transparent 1x1 PNG at static/graphics/logo.png prevents 404 noise in graphics overlay templates (replace with station logo)

Changed

  • Heartbeat exponential backoff_cloud_heartbeat_loop() now backs off from 10s to 5 minutes on repeated failures (doubles each cycle), resets to 10s on success; only logs the first failure to eliminate log spam when offline
  • /news endpoint fix — replaced sqlite3.Row.get() calls (which don't exist) with direct row["key"] access; fixes AttributeError that caused the endpoint to return empty data

Fixed

  • /news returning empty default_schedule and calendar due to sqlite3.Row not supporting .get() method
  • Heartbeat flooding logs with warnings every 10 seconds per station when cloud is unreachable
  • /static/js/constants.js returning 404 due to static/js/video.js importing ./constants.js relative to itself
  • /static/graphics/logo.png returning 404 in lower-third overlay templates

[1.3.0] - 2026-03-21

Added — SmartVault Pro Integration & Build Pipeline

  • SmartVault Pro batch scanner — new batch_scanner.py runs gevent-based batch scanning with pause/resume, incremental scans, and intra-session deduplication; processes 40,000+ songs in batches with persistent per-file status tracking
  • FTS5 full-text search — new fingerprint_db.py with SQLite FTS5 virtual table for sub-200ms search across title, artist, album, genre; includes cursor-based pagination for 1M+ row result sets
  • Scan session management — new scan_db.py tracks scan sessions with drive fingerprinting (survives USB drive letter changes), file registration in 500-file chunks, and batch processing with resume
  • Offline submission queue — new offline_manager.py detects connectivity loss, queues vault submissions, and retries up to 3 times when connection restores
  • Virtual scroller component — new frontend/js/virtual-scroller.js renders 40,000+ songs with only 15-20 DOM elements at 60 FPS; fixed 44px row height with 5-row buffer
  • Live scanner dashboard — new frontend/stream-scanner.html with SSE-powered real-time drive discovery, song count, elapsed time, and drive selection
  • Library scanner page — new frontend/library.html with session history, status filters (identified/pending/unidentified/error/duplicate), file detail expansion, CSV export, and jump-to-page pagination
  • 25+ new API endpoints — batch scan control (/api/batch/scan/*), session queries (/api/batch/session/*), file detail/retry (/api/batch/file/*), FTS5 search (/api/search, /api/search/cursor), connectivity (/api/connectivity), SSE song discovery (/api/songs/stream), fingerprint stats, submission status
  • Tauri scanner/library windowsopen_scanner and open_library commands registered in main.rs for native desktop window management
  • OTA auto-update systemlaunch.bat checks GCS for sidecar updates with SHA-256 verification and atomic swap; deploy/update-box-os.sh for Linux/Korra OS with automatic rollback on failure
  • systemd update timerdeploy/gluearrow-update.timer checks for updates every 6 hours with 30-minute randomized delay to prevent thundering herd
  • Build pipeline — new build.py with version stamping across api.py, tauri.conf.json, package.json; PyInstaller sidecar compilation; SHA-256 manifest generation
  • Cloud Build CI/CD — new cloudbuild.yaml with test, syntax check, sidecar build, Linux tarball packaging, and optional GCS publish steps
  • Release publishing — new publish_update.py uploads versioned builds to GCS with channel support (stable/beta/dev)

Changed

  • api.py — imported and initialized SmartVault Pro modules (fingerprint_db, scan_db, offline_manager, batch_scanner); added all batch scan routes, SSE streaming, FTS5 search, and connectivity endpoints
  • main.rs — registered open_scanner and open_library Tauri commands; added window builders for scanner (1200x800) and library (1200x800) windows
  • deploy/install-linux.sh — now copies SmartVault Pro modules (fingerprint_db.py, scan_db.py, offline_manager.py, batch_scanner.py) and frontend/ directory; installs OTA update timer
  • requirements.txt — added qrcode[pil] for DJ registration QR codes
  • api.spec — superseded by build.py (dynamic PyInstaller invocation with hidden imports and data bundling)

[1.2.0] - 2026-03-21

Added -- Cross-Platform Support & Linux Appliance Architecture

  • Platform compatibility layer -- new platform_compat.py auto-detects Windows, macOS, or Linux and provides correct config paths, FFmpeg capture inputs (gdigrab/avfoundation/v4l2+pulse), subprocess flags, process priority, and network interface detection
  • Device scanner -- new device_scanner.py enumerates audio/video capture devices on all three platforms (dshow on Windows, avfoundation on macOS, v4l2-ctl + pactl on Linux)
  • GET /api/devices endpoint -- returns available audio and video devices for the setup wizard
  • macOS support -- config stored in ~/Library/Application Support/GlueArrow Box OS/, video capture via avfoundation, audio via avfoundation
  • Linux production deployment -- config in /etc/gluearrow-box-os/, data in /var/lib/gluearrow-box-os/, video via V4L2, audio via PulseAudio
  • systemd service -- new deploy/gluearrow-box-os.service replaces service_wrapper.py and watchdog.py on Linux with built-in auto-restart (Restart=always), hardware watchdog (WatchdogSec=30), and rapid-restart protection (StartLimitBurst)
  • HDMI kiosk mode -- new deploy/gluearrow-kiosk.service and deploy/gluearrow-kiosk.sh launch Chromium in full-screen kiosk mode showing God Mode (?ws=god) when an HDMI monitor is plugged in; auto-detects display connection, hides cursor after 3s inactivity, recovers from crashes
  • Linux installer -- new deploy/install-linux.sh one-command script installs all system dependencies (Python, FFmpeg, Chromium, PulseAudio, V4L2, X11), creates gluearrow system user, sets up Python venv, and enables both systemd services
  • Dynamic VLAN interface detection -- sync_engine.py setup_linux_vlans() now auto-detects the primary network interface instead of hardcoding eth0

Changed

  • api.py, streamer.py, sync_engine.py, restream_engine.py, obs_bridge.py -- replaced hardcoded %APPDATA% config paths with platform_compat.get_config_path() for cross-platform support
  • streamer.py -- FFmpeg pipeline now uses platform-detected video/audio inputs, subprocess launch flags, and process priority boosting via platform_compat; reads device names from station_config.json
  • README.md -- rewritten with cross-platform architecture diagram, workspace table, and dual deployment instructions (Windows + Linux)
  • STATION_ONBOARDING.md -- rewritten as v2.0 with separate instructions for GlueArrow Box hardware (plug-and-play) and Windows PC deployment

[1.1.0] - 2026-03-18

Added — Speaker Calibration, Show Lineups & Tally-to-Speaker Bridge

  • Speaker syncsync_engine.py now pulls calibrated_speakers and show_lineups from Cloud PostgreSQL to local SQLite (local_speakers, local_show_lineups) with MD5 hash-based change detection
  • Speaker creation with cloud pushPOST /api/speakers creates speakers locally and pushes to Cloud API; uses negative temp IDs as offline fallback
  • Voice sample capturePOST /api/speakers/<id>/voice saves .webm voice recordings locally and proxies to Cloud
  • Cross-station speaker searchGET /api/speakers/search proxies to Cloud for network-wide search with local fallback when offline
  • Show lineup managementGET/PUT /api/shows/<id>/lineup and GET /api/shows/current/lineup for assigning speakers to shows with mic channel mapping
  • Tally-to-speaker bridge_resolve_speaker_from_source() maps tally camera sources (cam1-8, mic_ptt, desktop) to calibrated speakers via current show lineup; broadcast_tally() now emits speaker_active with real speaker IDs
  • PTT speaker resolutionradio.js fetches current show lineup on init and resolves PTT speaker ID from mic_ptt channel assignment instead of hardcoded "presenter"
  • Planner lineup UIws_planner.html show detail panel now includes lineup management with search (local + network-wide), mic channel dropdown, inline "Calibrate New" quick-add, and drag-to-reorder
  • Producer desk wiringws_producer.html guest calibration now persists to backend via /api/speakers, searches calibrated speakers network-wide (shows "CALIBRATED" badge), captures 10-second voice samples during mic preview, and auto-loads current show lineup on workspace open

[1.0.0] - 2026-03-13

Added

  • Broadcast automation engine with schedule-driven show switching, 5-tier video failover (stream, camera, main file, program backup, general fallback, system loop), and gevent-based real-time loop
  • Flask-SocketIO control plane for real-time broadcast commands between controller UI and server
  • RTMP/HLS streaming via FFmpeg-based RTMPStreamer with live encoding and segment output
  • Schedule management with SQLite-backed local schedule, CRUD API, Excel import, downloadable templates, and per-show source mode configuration (file, link, camera)
  • Show planner with per-show configuration for video sources, headlines, fallback paths, stream URLs, camera devices, and social metadata overrides
  • Tally system with program/preview bus state, TSL UMD address mapping, and real-time tally API
  • Vision mixer controls — take (cut), fade, and stinger transitions between preview and program via SocketIO
  • Source switching — set preview and program sources (cam1-3, desktop, fallback, bars, black, graphics) with SocketIO events
  • OBS Studio bridge connecting to OBS WebSocket v5 for scene switching, stream start/stop, and status monitoring
  • Restream engine with Restream.io API v2 integration, OAuth2 token lifecycle, multi-platform metadata push (titles, descriptions, hashtags), and auto-social on show change
  • Cloud Relay pusher — background thread watches local HLS folder and pushes .ts segments + .m3u8 playlists to cloud CDN, with 5-second heartbeat
  • YouTube integration with API key storage and stream status monitoring
  • Multi-destination streaming — manage multiple RTMP destinations with CRUD API
  • Station registration with cloud sync, QR-code pairing flow, and Bearer token authentication for all cloud API calls
  • Station configuration API with local config persistence in station_config.json
  • User authentication with local registration, login, QR-session claiming, and user listing
  • License validation endpoint for station licensing
  • Sync engine — bidirectional PostgreSQL-to-SQLite schedule synchronization with cloud, offline-first architecture, VLAN-aware networking
  • SmartVault scanner — standalone drive scanner generating Chromaprint DNA fingerprints, Playtunes DB fingerprint checks, AudD API fallback identification, and pending track submission
  • Music library with drive detection, audio file scanning (mp3, flac, wav, aac, ogg, m4a, aiff, wv, opus), search, and local HTML5 playback with path traversal protection
  • DJ setup workflow for music library configuration
  • Vault scan jobs with SSE (Server-Sent Events) progress streaming
  • Play logging with local ledger and cloud sync via /api/music/sync-ledger
  • Playtunes API proxy forwarding requests to GlueArrow Cloud Playtunes endpoints
  • Artist claims system with local CRUD and cloud sync
  • Music clips per-show assignment with ordering and CRUD operations
  • Ad bid management — create, list, accept/reject ad bids with expiration tracking
  • Marketplace bookings — view, accept/reject bookings, and slot management with cloud sync
  • Traffic log API aggregating daily play counts, ad impressions, and revenue from local database
  • Front desk with visitor check-in, clock-in/out, and attendance tracking
  • QR check-in system with QR code generation and SocketIO-based scan handling
  • Staff check-in via PIN verification with SocketIO events
  • Owner dashboard APIs for detection history and team management
  • News ticker API serving current headlines from schedule data
  • AI Verify content safety system with keyword-based flagging (banned terms) and review queuing (sensitive terms)
  • Prometheus metrics endpoint (/metrics) with circuit breaker failure tracking
  • Health check endpoint for service monitoring
  • VLAN setup wizard with managed switch auto-detection
  • Watchdog process monitor with auto-restart, rapid-restart protection, and Windows Task Scheduler compatibility
  • Service wrapper for running Box OS as a Windows background service
  • Structured logging with JSON format for production (GCP Cloud Logging compatible)
  • Producer commands via SocketIO for remote show control
  • Caller/speaker management via SocketIO for live call-in shows
  • Station heartbeat system for cloud connectivity monitoring
  • Test suite with pytest for API routes, streamer, and sync engine

Security

  • Bearer token authentication for all cloud API calls using station_token from local config
  • Path traversal protection on music file serving (realpath validation against allowed root)
  • Drive path validation blocking .. directory traversal on scan endpoints
  • Circuit breaker pattern on schedule API with Prometheus failure tracking

Looking for security advisories? See the Security Whitepaper or email security@gluearrow.com.