v26.05.04

What's Changed

• fix: pyfly.security stays importable without pyjwt/starlette (v26.05.04) by @ancongui in #10

Full Changelog: v26.05.03...v26.05.04

v26.05.03

What's Changed

• feat: starter parity with Java/.NET (v26.05.03) by @ancongui in #9

Full Changelog: v26.05.02...v26.05.03

v26.05.02

What's Changed

• feat: add pyfly.domain DDD primitives + OrderService sample (v26.05.02) by @ancongui in #8

Full Changelog: v26.05.01...v26.05.02

v26.05.01

What's Changed

• chore: migrate to CalVer 26.05.01 and expand README with featured patterns by @ancongui in #7

Full Changelog: v0.3.0-M1...v26.05.01

v0.3.0-M1

What's Changed

• feat: v0.3.0 — full Java framework parity by @ancongui in #4
• chore: rename repo URL references to fireflyframework-pyfly by @ancongui in #5
• fix: clear all mypy --strict and ruff failures introduced in v0.3.0 by @ancongui in #6
• chore(deps): bump the actions group across 1 directory with 2 updates by @dependabot[bot] in #2
• chore(deps): bump the dev-dependencies group across 1 directory with 40 updates by @dependabot[bot] in #3

New Contributors

• @ancongui made their first contribution in #4

Full Changelog: v0.2.0-M11...v0.3.0-M1

v0.2.0-M11

v0.2.0-M11 (2026-03-01)

Thread-safety, correctness, and robustness audit — 18 fixes across DI container, web layer, resilience, security, and data modules.

Fixed

• Thread-safe singleton initialization: DI container now uses RLock with double-check pattern
• Condition list inheritance: @conditional_on_* decorators prevent cross-class mutation via MRO
• @transactional rollback_for semantics: Selective rollback matching Spring's @Transactional
• SecurityException status code: Base SecurityException → 403; UnauthorizedException retains 401
• @secure decorator: Authorization failures raise ForbiddenException (403)
• Security context bridge: SecurityMiddleware bridges to RequestContext for @pre_authorize/@post_authorize
• Lazy controller race condition: asyncio.Lock prevents duplicate bean resolution
• Parameter coercion errors: _coerce() raises InvalidRequestException (HTTP 400)
• Bulkhead TOCTOU: Consistent capacity tracking via _active counter
• asyncio.get_event_loop() → get_running_loop() (3 sites)

Changed

• Resilience sync/async support: All 4 decorators detect sync functions automatically
• Event bus optimization: Pre-sorted listeners at subscribe time
• Repository dynamic PK: find_all_by_ids()/delete_all() use sa_inspect instead of hardcoded .id
• Nested repository patching: _patch_repositories() patches one level deep
• Kahn's algorithm: deque for O(1) popleft
• Auto-config logging: ImportError logged at DEBUG instead of swallowed
• Filter chain: Fast path + 100MB body size guard

CI

• Added missing --ignore for test_mongo_projection_query.py and test_mongo_query_compiler.py

Full Changelog: v0.2.0-M10...v0.2.0-M11

v0.2.0-M10

Full Changelog: v0.2.0-M9...v0.2.0-M10

v0.2.0-M9

Full Changelog: v0.2.0-M8...v0.2.0-M9

v0.2.0-M8

Full Changelog: v0.2.0-M7...v0.2.0-M8

v0.2.0-M7

Full Changelog: v0.2.0-M6...v0.2.0-M7