Appearance
AireFrame Release Notes
Version: 2.46.0
Release Date: 6th May 2026
Summary of Changes
✨ New Features
- Tenant Theme Colours in Liquid Expressions (FRAME-2443)
- Subject Group Management APIs (FRAME-2512, FRAME-2513, FRAME-2514, FRAME-2515, FRAME-2516)
- GraphQL Alias Overloading Protection (FRAME-2532)
⚡ Improvements
- In-Browser Subject Avatar Cropping (FRAME-1559)
- Delete Structural Entity API (FRAME-2508)
- Query Groups API (FRAME-2509)
- Get Group by Key API (FRAME-2510)
- Delete Group API (FRAME-2511)
🐞 Bug Fixes
- Blocked JavaScript-Embedded PDF Uploads (FRAME-2534)
Detailed Changes
✨ New Features
Tenant Theme Colours in Liquid Expressions (FRAME-2443)
Description
Tenant theme colours are now accessible within Liquid expressions via the tenant.theme.colours object, enabling dynamic, theme-aware content rendering.
What this means for you
You can now reference your organisation's theme colours directly in templates and expressions, making it easier to produce on-brand content without hardcoding colour values.
Subject Group Upsert API (FRAME-2512)
Description
A new API endpoint has been added to create or update groups, supporting the full subject ownership model introduced in this release.
What this means for you
Developers integrating with AireFrame can now programmatically manage groups, streamlining how organisations structure and assign subject ownership.
Query Structure Types API (FRAME-2513)
Description
A new paginated API endpoint has been introduced to query all structure types defined within a tenant, following the same pagination pattern as the structural entities API.
What this means for you
You now have a consistent, paginated way to retrieve structure type definitions via the API, making it easier to build integrations that reflect your data model.
Get Structure Type by Key API (FRAME-2514)
Description
A new API endpoint has been added to retrieve a specific structure type by its key, mirroring the existing structural entity lookup pattern.
What this means for you
You can now look up individual structure types directly by key through the API, reducing the need for multiple requests when working with known type identifiers.
Upsert Structure Type API (FRAME-2515)
Description
A new API endpoint allows structure types to be created or updated in a single operation, supporting the subject ownership feature set.
What this means for you
Developers can now manage structure type definitions programmatically, enabling more automated and repeatable configuration of your AireFrame environment.
Delete Structure Type API (FRAME-2516)
Description
A new API endpoint has been introduced to delete structure types by key, completing the full set of structure type management operations.
What this means for you
You now have full create, read, update, and delete control over structure types via the API, giving developers and integrators complete lifecycle management.
GraphQL Alias Overloading Protection (FRAME-2532)
Description
A fix has been applied to address a GraphQL alias overloading vulnerability identified during penetration testing. This hardens the API against denial-of-service attacks that exploit alias-based query amplification.
What this means for you
The AireFrame API is now more resilient against a class of abuse that could degrade performance for all users, improving overall platform stability and security.
⚡ Improvements
In-Browser Subject Avatar Cropping (FRAME-1559)
Description
Users can now crop subject avatar images directly within the browser rather than needing to pre-crop images before uploading.
What this means for you
Uploading and setting a subject avatar is now simpler — you can adjust the crop in-browser without needing to use an external image editor first.
Delete Structural Entity API (FRAME-2508)
Description
A new API endpoint is now available for deleting structural entities, expanding the structural entity management surface.
What this means for you
You can now remove structural entities via the API, giving integrators full control over the lifecycle of structural data within AireFrame.
Query Groups API (FRAME-2509)
Description
A paginated API endpoint has been introduced to query groups, consistent with the paging pattern used across other AireFrame list APIs.
What this means for you
Developers can now retrieve and page through groups via the API, making it straightforward to build integrations that work with your group structure.
Get Group by Key API (FRAME-2510)
Description
A new API endpoint allows retrieval of a specific subject group by its key. Requests for the internal global group key will return a 404 as it is not a manageable group.
What this means for you
You can look up individual groups directly by key through the API, which reduces unnecessary requests when working with known group identifiers.
Delete Group API (FRAME-2511)
Description
A new API endpoint has been added to delete groups, completing the core CRUD operations for group management.
What this means for you
Developers and integrators now have full create, read, update, and delete capability for groups via the API.
🐞 Bug Fixes
Blocked JavaScript-Embedded PDF Uploads (FRAME-2534)
Description
AireFrame now rejects uploaded PDF files that contain embedded JavaScript, addressing a stored cross-site scripting (XSS) vulnerability identified during penetration testing. PDFs with JavaScript keywords or action markers are blocked at the point of upload with an appropriate error message.
Fixed JSON Schema Concurrency Errors (FRAME-2555)
Description
A concurrency issue in the JSON schema processing library was causing intermittent errors under concurrent load, resulting in unhandled exceptions in production.