omnigraph/docs/releases/v0.3.0.md
Andrew Altshuler 8649b2084f
Prepare v0.3.0 release (#44)
* Prepare v0.3.0 release

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: regenerate openapi.json

* ci: retrigger CI on latest openapi.json

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2026-04-21 19:11:34 +03:00


Omnigraph v0.3.0

Omnigraph v0.3.0 is a feature and security release. It adds an AWS deployment path for the server, hardens bearer-token authentication, introduces a schema inspection endpoint, and ships the CodeBuild-driven image packaging pipeline.

Highlights

AWS deployment path

A new aws Cargo feature enables an AWS-native bearer-token backend. When compiled with --features aws and pointed at an AWS Secrets Manager secret ARN via OMNIGRAPH_SERVER_BEARER_TOKENS_AWS_SECRET, the server fetches and parses bearer tokens directly from Secrets Manager at startup. The token loading path is abstracted behind a TokenSource trait so additional backends are easy to add.

A manually-dispatched Package workflow builds two variants of the server image (default and --features aws) via AWS CodeBuild, tags them by source SHA in ECR, and records the digests for downstream deploy automation.

Bearer auth hardening

Bearer tokens are now hashed (SHA-256) at rest inside the server and compared using constant-time equality (subtle::ConstantTimeEq). The authenticated actor id is resolved server-side from the hash match — requests can no longer assert their own actor id by setting a header.
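The pattern described above (digests at rest, constant-time comparison, actor id resolved from the server-side match rather than from a client header), as an added illustration in Python that is not Omnigraph's own code; the token values, actor ids and header names are constructed for the example, and hmac.compare_digest stands in for subtle::ConstantTimeEq:

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample tokens. The server never keeps these plaintexts; they are
# listed here only so the example can build the digest table below.
PLAINTEXT_TOKENS = {
    "tok-alice-0001": "alice",
    "tok-ci-deploy-0002": "ci-deploy",
}


def hash_token(token: str) -> bytes:
    """SHA-256 of the raw bearer token; only this digest is kept at rest."""
    return hashlib.sha256(token.encode("utf-8")).digest()


# What the server actually holds: digest -> actor id.
TOKEN_DIGESTS = {hash_token(t): actor for t, actor in PLAINTEXT_TOKENS.items()}


def resolve_actor(headers: dict) -> Optional[str]:
    """Return the actor id authenticated by the request's bearer token, or None.

    The digest of the presented token is checked against every stored digest
    with hmac.compare_digest (constant-time on equal-length inputs), and the
    loop never exits early, so the work done does not reveal which entry, if
    any, matched. A client-supplied actor header (here the constructed
    X-Actor-Id) is never consulted: the actor id is whatever the server-side
    digest match says it is.
    """
    auth = headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    presented = hash_token(token)
    matched = None
    for digest, actor in TOKEN_DIGESTS.items():
        if hmac.compare_digest(presented, digest):
            matched = actor  # no break: every entry is visited regardless
    return matched


def legacy_resolve_actor(headers: dict) -> Optional[str]:
    """The behaviour the release removes: trusting a header for the actor id."""
    return headers.get("X-Actor-Id")
```

The contrast worth noticing is that `resolve_actor` returns the same actor for a valid token whether or not X-Actor-Id is present, while `legacy_resolve_actor` lets any caller name themselves.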

Schema inspection API

A new GET /schema endpoint and matching CLI schema get command return the active graph schema as JSON. A static OpenAPI spec is published at openapi.json and kept in sync with the server via a CI job.

Stricter run-branch hygiene

Internal __run__… branches, used for short-lived write staging, are now filtered out of user-visible branch listings and are deleted on every terminal state transition instead of accumulating over time (MR-670, MR-674).

Breaking changes

Schema state is now required

The server refuses to open a repo that lacks persisted schema state (_schema.pg, _schema.ir.json, __schema_state.json) or that has non-main public branches left over from earlier versions. Existing repos created with 0.2.x need to be reinitialized (or have their schema state written explicitly) before they can be opened with 0.3.0.

Included Changes

  • Add aws feature + SecretsManagerTokenSource backend
  • Extract TokenSource trait for bearer token loading
  • Harden bearer auth: constant-time compare, SHA-256 hashed at rest, server-authoritative actor id
  • Add manually-dispatched Package workflow for CodeBuild image builds (default + aws variants)
  • Add GET /schema endpoint and schema get CLI command
  • Ship static openapi.json spec with CI auto-sync
  • Filter and delete ephemeral __run__ branches (MR-670, MR-674)
  • Switch Dockerfile base to ECR Public (avoid Docker Hub rate limits)
  • Raise LANCE_MEM_POOL_SIZE default to 1 GB for stable parallel tests
  • Automate Homebrew tap updates on release tags
  • Documentation for the AWS build variant and bearer-token sources

Upgrade Notes

  • Repos created with 0.2.x must be reinitialized (or have their schema state generated) before they can be opened with 0.3.0
  • Deployments using AWS Secrets Manager for bearer tokens must build the server with --features aws and set OMNIGRAPH_SERVER_BEARER_TOKENS_AWS_SECRET to the secret ARN
  • The default token source (env var or JSON file) continues to work unchanged