spooled-backend v0.1.79
🔒 Security
- API key queue scoping is now enforced on job operations. A key created
with a restricted queues list (e.g. ["billing"]) could previously still
enqueue, bulk-enqueue, and claim jobs on any queue over both REST and gRPC —
the scope was only checked at worker registration. Scope is now enforced
consistently on POST /jobs, POST /jobs/bulk, POST /jobs/claim, and the
gRPC QueueService.Enqueue / QueueService.Dequeue / WorkerService.Register
RPCs. An empty list or a * entry still means "all queues". Violations return
403 ACCESS_DENIED (REST) / PERMISSION_DENIED (gRPC).
🐛 Fixed
POST /workers/{id}/heartbeat now returns the structured VALIDATION_ERROR
response shape (with field-level details) instead of a raw deserialize string.
✨ Changed
POST /api-keys now echoes the granted queues in its response so callers
can confirm the scope of a freshly created key.
⚠️ Upgrade note: existing keys that have a non-empty queues list but
currently operate across other queues will start receiving 403 after this
release. Keys with an empty scope or * are unaffected.