Tags

Tags give the ability to mark specific points in history as being important
  • v0.14.0

    v0.14.0 — generated Python, Rust, and Zig client SDKs
    
    Adds config-driven generation of polyglot client SDKs (Python stdlib-only
    async, Rust async tokio/reqwest, Zig std-only sync) as peers of the Go and
    TypeScript clients, covering REST/WebSocket/GraphQL/MCP and every auth mode,
    with per-language HMAC interop keystones proven byte-identical to securex,
    native unit tests, real-socket e2e, and fuzzing. Existing Go/TS client output
    is unchanged. See docs/POLYGLOT_CLIENTS.md.
    
  • v0.13.5

    v0.13.5
    
  • v0.13.4

    fix(client-react): path-param URL expansion for camelCase schema keys + runtime test (genapi#216)
    
  • v0.13.3

    genapi v0.13.3
    
  • v0.13.2

    genapi v0.13.2
    
  • v0.13.1

    v0.13.1: host-adopting react-ui explorer stylesheet; CSRF cookie null-assert; public auth-mode no-op fix
    
  • v0.13.0

    v0.13.0
    
    Highlights since v0.12.5:
    - feat: react-ui service explorer — dependency-free generated React explorer
      (gen/client/react-ui/) with tabbed REST/WS/GraphQL/MCP panels, live Try-it
      panels, multi-language code samples (curl/Go/Python/TypeScript), and
      CSS-variable theming. Enabled via client.react_ui: true.
    - feat: live GraphQL subscriptions wired through graphQLSubscribe<Field>()
      (graphql-transport-ws over WebSocket) with bounded frame log.
    - security: appsec review hardening (rounds 1-3) — token placeholders in code
      samples, OIDC issuer handling, webhook badge, auth gating, dead-code cleanup.
    - fix: repair CI-only test fallbacks (tsc-absent path) and harden a
      timing-sensitive htpx rate-limit test.
    
    See docs/REACT_UI_EXPLORER.md for mount instructions and limitations.
    
  • v0.12.5

    v0.12.5 — resync gen/+testgen hashx mirror with the verify-time KDF DoS fix
    
    gen/ and testgen/ vendor a mirror of pkg/securex/hashx; the cost-ceiling changes
    in v0.12.3 left those copies stale, failing the generate:drift full-regen diff.
    Regenerated via 'make generate'; the drift gate is now clean.
    
  • v0.12.4

    v0.12.4 — resync repo-root self-host mirror (fixes generate:drift)
    
    Regenerated the repo-root self-host mirror (api/, gql/, mcp/, types/) from
    configs/full.json so it carries the generated HashSecrets(ctx) methods + handler
    hashing calls it was missing. Purely additive; the generate:drift CI gate now
    passes (8 files in sync).
    
  • v0.12.3

    v0.12.3 — fuzz-found hashx verify-time DoS fix + fuzz crasher artifacts
    
    fix: bound verify-time KDF cost parameters (pbkdf2 i, scrypt N*r*p, bcrypt cost,
    argon2 m*t) so an attacker-influenced encoded hash cannot pin the CPU for seconds
    (CWE-400). Found by FuzzVerifyEncoded; crashers committed as regression seeds.
    ci: both fuzz jobs now upload fuzz-findings/ as on_failure artifacts for repro.
    
  • v0.12.2

    v0.12.2 — gap-analysis closure 2026-06-16
    
    Closes GAP-0096 (array-of-$ref item.Valid()), GAP-0055 (RBAC <10ms benchmarks
    + ABAC extensibility contract), GAP-0054 (in-repo Compass-metrics producer),
    GAP-0056 (verified non-Go harness integration path), GAP-0066 (htpx sub-surface
    REQ split); GAP-0089 documented won't-do. Zero open gaps in docs/GAP_ANALYSIS.md.
    
  • v0.12.1

    v0.12.1 — audit remediation (appsec/quality/perf/gap)
    
    Closes the 2026-06-15 audit cycle across security, quality, performance, and
    requirements-gap reviews. 19 appsec findings (0 Critical/High), QG-084..091,
    GAP-0090..0095, PERF-0076 — all fixed test-first. Four review iterations
    converged with zero new findings from /security:appsec-review and /codepros:audit.
    
    Highlights: nested-$ref secret echo-back guard, fail-closed pepper startup,
    RBAC iss/aud binding, dev-bypass hardening (4 gates + release panic), MCP WS
    deadlines, WS fragment cap, trusted-proxy rate-limit keying, MCP inputSchema
    $defs resolution, gqlx batch-clone N→1.
    
  • v0.12.0

    v0.12.0 — config-driven password/secret hashing
    
    Add FIPS-140-3-aware password/secret hashing to the genapi generator.
    
    - pkg/securex/hashx: salted, self-describing (PHC/bcrypt-crypt) one-way
      hashing + constant-time verify. Argon2id (default), bcrypt, scrypt
      (non-FIPS) and PBKDF2-HMAC-SHA-256/512 (FIPS, stdlib crypto/pbkdf2).
      Optional HMAC pepper, upgrade-on-login (needsRehash), adversarial-input
      hardened (FuzzHashVerify, FuzzVerifyEncoded).
    - Config: SchemaProp.secret/hash + security.password_hash policy.
      Generation fails closed if a non-FIPS algorithm is used under
      security.fips=true.
    - Generator emits HashSecrets(ctx) on every request type and invokes it
      after Valid() and before the handler on REST/MCP/GraphQL seams; secret
      fields are redacted in logs and forbidden in responses. hash on
      WebSocket/nested schemas is rejected at generation (no silent bypass).
      Guarantee proven end-to-end: a non-hashed value never reaches the handler.
    
  • v0.11.2

    fix(securex): config-driven RBAC role hierarchy from security.roles (L-36)
    
  • v0.11.1

    v0.11.1
    
    Audit-driven fix release. Two full /codepros:audit + /security:appsec-review
    iterations closed 36 findings; iteration 3 confirmation clean.
    
    Highlights:
    - PERF-0064: gqlx fragment-bomb remote CPU DoS bounded (memoization + saturating arithmetic)
    - SEC-0049: MCP per-tool default-deny authorization
    - SEC-0051: request body caps (form/multipart/JSON) enforced
    - SEC-0050: golang.org/x/net v0.55.0 (clears GO-2026-5025..5030)
    - SEC-0052/0053/0054/0055: htpx debug read cap, MCP stdio error logging, gosec annotation, RFC 6455 control-frame hardening
    - PERF-0021: verified-JWT LRU cache (lock-free hot path)
    - QG-066..083: server config validation, wsx limiter bound, GraphQL subscription fixes, shared internal/jwtalg alg-confusion guard, and more
    
    See docs/{SECURITY,QUALITY,PERF}_GAP_ANALYSIS.md and docs/APPSEC_REVIEW_2026-06-09*.md.
    
  • v0.11.0

    v0.11.0 — downstream bug fixes (L-30..L-34) + TS/React client feature expansion (TSC-01..18)
    
    Generator bugs (docs/GENERATOR_BUGS.md), all closed:
    - L-30 (High): WS handlers now receive the authenticated principal — the
      verifier-mutated request context is threaded into conn.Context() (mirrors REST).
    - L-31 (Med): WS routes gain a per-route "name" override + method-name collision
      validation + generic-name warnings (mirrors REST L-15); also applied to
      GraphQL-subscription method names.
    - L-32 (Med): TS/React client gains 401-refresh-retry, binary/Blob responses +
      public requestRaw, typed query params, and a unified HTTPError
      (status/code/parsed body/cause) with network-error normalization.
    - L-33 (Low): generated Go formatted with goimports grouping (imports.Process);
      the test-gen + openapi emission paths are formatted too — goimports -l
      ./gen ./testgen is clean (reopened+closed L-28).
    - L-34 (Med): TS client emits the strict-safe body: cond ? null : (...) form,
      exactOptionalPropertyTypes-clean.
    
    TS/React client feature requests (docs/DOWNSTREAM_FEATURE_REQUESTS_caast-ui.md, TSC-01..18):
    - BREAKING: DTOs are now camelCase with a snake/camel boundary mapper (wire stays snake_case).
    - RN/Hermes-safe by default: portable base64/uuid/utf8; capability-guarded crypto.subtle/Blob/WebSocket.
    - react-query interop: augmented plain hooks (enabled, v5 state aliases, mutateAsync,
      bounded QueryCache with dedup+invalidate+gcTime/LRU, retry-on-retryable) + an opt-in
      @tanstack/react-query variant (generated query-key factory + auto-invalidation).
    - Auth & ergonomics: ambient token holder + React Context/useClient, unverified JWT
      decoder + hasRole (RN-safe base64), export barrel.
    - Per-request options (signal/headers/timeoutMs) + Accept; exported API_PREFIX.
    
    Also raises go test -race -timeout to 25m for the larger cmd/genapi suite.
    
  • v0.10.0

    v0.10.0 - audit gap closure: 21 findings closed + audit-convergence
    
    Security: SEC-0046 (recursive schema $ref guard blocking TS-SDK code injection, incl. nested-array bypass F-1), SEC-0047 (Go 1.26.4, closes GO-2026-5037/5039), SEC-0048. Features: rest-interface-name generator flag (collision-safe self-hosting), string format:date-time RFC3339 validation, root-mirror drift gate, per-package coverage floors, gqlx bench-gate. Performance: gqlx LRU document cache (~55% faster repeated queries), single per-request deadline, lazy maps, json/v2 resolver binding.
    
    BREAKING: audit sink kind syslog/cef is now rejected at config validation (previously a silent no-op); go.mod requires go 1.26.4.
    
    See docs/AUDIT_SUMMARY_2026-06-07.md.