chore: prepare v2.2.2 release

[coderdan]

Summary

Prepares the v2.2.2 patch release, which ships the passthrough memory-leak fix (#395, closes #400).

While doing this I found the CHANGELOG and crate version had drifted from the actual releases, so this PR also reconciles them.

Changes

• CHANGELOG: add [2.2.2] section for the passthrough memory-leak fix.
• CHANGELOG: backfill the missing [2.2.1] section. The OPE index entry was still sitting under [Unreleased] even though it shipped in v2.2.1 (v2.2.1 points at the OPE merge feat(proxy): support OPE index type #390).
• Version bump: [workspace.package] version 2.2.0-alpha.1 → 2.2.2. The bump was skipped when v2.2.1 was cut, so the released binary's CARGO_PKG_VERSION (src/lib.rs VERSION) was stale.
• Drift prevention: cipherstash-proxy now uses version.workspace = true instead of a hardcoded version, so there's a single source of truth going forward.

Release steps (after merge)

1. Merge to main.
2. mise run release v2.2.2 — tags, pushes, creates the GitHub release, and triggers the Docker build/publish workflow.
3. Verify: docker buildx imagetools inspect cipherstash/proxy:2.2.2.

Note

Did not touch eql-mapper (independently versioned at 1.0.0) or cipherstash-proxy-integration (0.1.0). eql-mapper-macros and showcase already inherit the workspace version and so move to 2.2.2.

Summary by CodeRabbit

• Bug Fixes
  • Fixed a memory leak in passthrough mode where per-statement queues were not properly drained, preventing unbounded memory growth and potential out-of-memory errors.

[coderabbitai]

Warning

Review limit reached

@coderdan, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 16 minutes and 39 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3abdd037-7b72-434d-91a2-80f9496f2e1b

📥 Commits

Reviewing files that changed from the base of the PR and between 4b559e1 and 1ac1bcf.

📒 Files selected for processing (1)

• CHANGELOG.md

📝 Walkthrough

Walkthrough

This PR coordinates the 2.2.2 release by updating the workspace version from 2.2.0-alpha.1 to 2.2.2, synchronizing the proxy crate version to inherit the workspace version, and adding a changelog entry documenting the fix for a per-statement memory leak in passthrough mode (empty encrypt config).

Changes

Release 2.2.2 Coordination

Layer / File(s)	Summary
Version bump and changelog entry CHANGELOG.md, Cargo.toml, packages/cipherstash-proxy/Cargo.toml	Workspace version incremented to 2.2.2, proxy crate version now inherits from workspace, and changelog entry documents the fix for per-statement memory leak in passthrough mode where per-statement queues were not drained before returning, causing unbounded queue growth and OOM.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

• tobyhede
• freshtonic

Poem

🐰 A memory leak has been plugged today,
Version bumped to 2.2.2 in every way,
Passthrough queues now drain as they should,
No more OOM in empty config neighborhoods! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR aims to ship the passthrough memory-leak fix (issue #400) but the actual code fix is not present; only version bumps and changelog entries are included.	This PR prepares release artifacts (CHANGELOG, version bump) for the v2.2.2 fix, but the actual code fix to address the memory leak in passthrough mode should be merged to main first.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: prepare v2.2.2 release' accurately summarizes the main objective: preparing a version bump and release artifacts for v2.2.2.
Out of Scope Changes check	✅ Passed	All changes (CHANGELOG update, workspace version bump, cipherstash-proxy version alignment) are directly related to the release preparation objective with no unrelated modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dan/release-2.2.2-changelog

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Prepares the v2.2.2 patch release shipping the passthrough memory-leak fix, and reconciles drift between the changelog and crate versions.

Changes:

• Bump workspace version from 2.2.0-alpha.1 → 2.2.2 (and update Cargo.lock accordingly).
• Switch cipherstash-proxy to inherit version.workspace = true to keep a single source of truth.
• Add [2.2.2] changelog entry for the passthrough leak fix and backfill the missing [2.2.1] section by moving the OPE entry out of [Unreleased].

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File	Description
Cargo.toml	Workspace version bumped to 2.2.2.
packages/cipherstash-proxy/Cargo.toml	Now inherits version from workspace.
Cargo.lock	Lockfile versions updated to 2.2.2 for workspace-inheriting crates.
CHANGELOG.md	Adds [2.2.2] and backfills [2.2.1] sections.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Around line 9-15: The CHANGELOG is missing reference link definitions for the
newly added headings [2.2.2] and [2.2.1] and the [Unreleased] compare target is
still v2.2.0-alpha.1; add reference links at the bottom of CHANGELOG.md for
[2.2.2] and [2.2.1] (using the same GitHub compare/release URL pattern used
elsewhere in the file) and update the [Unreleased] reference to compare from the
latest released tag (v2.2.2) to HEAD so the top [Unreleased], [2.2.2], and
[2.2.1] headings resolve correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f6d9711d-c68e-49c6-b2f2-a77d4259ef6c

📥 Commits

Reviewing files that changed from the base of the PR and between cd5469d and 4b559e1.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (3)

• CHANGELOG.md
• Cargo.toml
• packages/cipherstash-proxy/Cargo.toml