v0.1.5

metapox released this 15 Jun 01:23

· 18 commits to main since this release

aa8c2ff

Config as Authority

TOML config becomes the sole source of truth for all policy resources. Hot reload via SIGHUP. TLS enforcement. Read-only transaction safety.

Highlights

Config as Authority (CFG-24): Workflows, execution policies, roles, webhooks — all managed in server.toml. API write endpoints return 405.
Hot reload via SIGHUP: Change config and reload without downtime.
TLS enforcement: Agent requires HTTPS by default (allow_insecure for dev).
SAFE-1/3/4/6: Read-only transaction for SELECT, execution plan signing, SQL review rules, CancellationGuard.
Break-glass DDL: --allow-ddl for controlled DDL execution outside migrations.
MySQL DML timeout fix: Reclassified SELECT queries now correctly timeout via tokio + KILL.

Breaking Changes

auth.mode default changed: "token" when OIDC absent, "both" when present. "oidc"/"both" require Pro license.
All Tier 1 write API endpoints return 405. Define resources in server.toml.
Webhook id field mandatory.
Custom roles are config-managed only.

Bug Fixes

MySQL DML timeout: max_execution_time removed from DML path (was silently succeeding on timeout).
Fail-open security: 3 critical paths closed.
Orphan heartbeat detection + fail-closed user status.
Config user sync status changes.
Result data double-encoding fixed.

See CHANGELOG.md for full details.

Assets 26