v0.14.0
Status: Released
All roadmap items for v0.14 "Phase 17 — Failure Safety, CI/CD Trustworthiness &
Security Hardening" are implemented and tested.
Highlights
-
Correctness fixes (CORR-1 through CORR-8): Seven correctness bugs were found
and fixed. Progress is now preserved on recoverable failures (CORR-1); the heartbeat
correctly signals the main executor loop via atokio::sync::watchchannel when the
advisory lock is lost (CORR-3); promotion filters the destination state by project
(CORR-4); the promote command migrates the catalog before use and records spec_jsonb
(CORR-5); consumer view drops now delete the catalog row so drift counts stay
accurate (CORR-7); and status drift counting now sums stream, source, and consumer
deltas (CORR-8). -
Catalog v6: The catalog schema is bumped to version 6. The new migration adds
thepgtrickle_mock.scheduler_statetable used by integration tests to assert that
pause_scheduler/resume_schedulercalls are routed correctly (TEST-3). -
Security hardening (SEC-1 – SEC-3):
- SEC-1: Keyword-value DSNs (e.g.
host=... password=secret) are now also
checked for plaintext passwords; previously only URI-style DSNs were validated. - SEC-2: Consumer SQL bodies are validated to be a single
SELECTstatement
before the view is created, preventing DDL injection via migration files. - SEC-3: The read-only helper now issues
BEGIN READ ONLYbefore setting
SET LOCAL statement_timeout, so the timeout is correctly scoped to the
transaction. Thesanitize_statement_timeoutallowlist prevents injection via
the timeout argument.
- SEC-1: Keyword-value DSNs (e.g.
-
Ergonomics (ERG-2):
aqueduct destroynow exits with code 2 on error (via
anyhow::bail!) instead of callingstd::process::exit(1)directly, ensuring the
error message is routed through the standard error handler. -
Lint fixes (L1, L7):
- L1: The DSN-redaction regex in the CLI is now compiled once via
LazyLock
instead of being recompiled on every call. - L7: CI environment variables (
GITHUB_ACTIONS,CI,GITLAB_CI,
CIRCLECI) are now checked for the string value"true"rather than merely being
set, preventing false positive CI detection.
- L1: The DSN-redaction regex in the CLI is now compiled once via
-
CI/CD fixes (CI-1 – CI-3):
- CI-1: The composite
planandapplyGitHub Actions now map the runner
OS/architecture to the correct release archive suffix (linux-amd64,
linux-arm64,macos-arm64,macos-amd64,windows-amd64). - CI-2: The action-smoke workflow now invokes the composite actions end-to-end
using a locally-packaged archive (via the newlocal-archiveinput). The
migration file path was corrected tomigrations/streams/event_count.sql. - CI-3:
mdbook testis now a blocking step (removedcontinue-on-error: true).
The docs-lint job no longer checks for a non-existentexportsubcommand, and
the subcommand reference check now fails the job if any documented subcommand is
missing from the binary.
- CI-1: The composite
-
Test infrastructure (TEST-3): The
pgtrickle_mockschema now includes a
scheduler_statetable. The mockpause_scheduler/resume_schedulerfunctions
insert and delete rows in this table, enabling integration tests to assert scheduler
state transitions. Nine new integration tests cover all CORR, SEC, and TEST items. -
pg_versionin JSON output (M15):aqueduct status --format jsonnow includes
a"pg_version"field.
Migration notes
-
Catalog: Run
aqueduct init(oraqueduct apply) to apply the v5→v6 catalog
migration. The migration is fully backward-compatible. -
Consumer SQL validation: If you have consumer migration files whose SQL body is
not a pureSELECTstatement,aqueduct applywill now reject them with error
code 1307. Update those files to use a singleSELECT.