Releases: 7Cav/api
2.5.0 — THIS. IS. CACHELESS.
⚠️ Breaking (enumerated, per PRD #112)
- The
X-Cacheresponse header is gone. The Redis response cache has been removed entirely — with the Phase 1 indexes in place, cache-miss latency ≈ cache-hit latency, so the cache (and Redis itself) was kicked down the hole. No other response field, status, or header changed — verified against the 69-case golden contract corpus.
Operational notes
- The binary no longer reads any
REDIS_*env and starts with no Redis configured at all. StaleREDIS_*vars on the container are harmless. - Redis can be decommissioned after this version is confirmed live (older binaries refuse to start without it).
- This deploy starts the Phase 2 soak (PRD #112): watch
duration=logs, roster pollers especially.
What's Changed
- Phase 1: dockerized MariaDB integration harness with forum-shaped schema and fixtures by @SyniRon in #141
- Phase 1: idempotent index DDL script and EXPLAIN-plan red-to-green tests by @SyniRon in #142
- Phase 3: golden contract corpus recorded from the current stack (red suite) by @SyniRon in #143
- Phase 2 (De-cache): remove the response-cache middleware, then delete the cache subsystem and Redis (#123, #124) by @SyniRon in #144
Full Changelog: 2.4.0...2.5.0
Contributors
Assets 2
2.4.0
Phase 0 — Observe (PRD #112)
Features
- Request duration logging (#114, PR #139):
duration=field appended to the[REQ](gRPC) and[CACHE](HTTP) request log lines — the measuring stick for the Phase 1/2 latency work. Existing line text and field order preserved; log consumers unaffected. - Sentry error capture, errors-only (#118, PR #140): env-gated via
SENTRY_DSN— unset means complete no-op. Captures panics and 5xx/Internal-class errors from both servers, tagged with release / key id / route; bearer material never reaches payloads. Startup probe + DSN-host dial pre-check make a dead config loud at boot;SENTRY_DEBUG=trueenables per-event transport diagnostics. Flush on shutdown.
Operational note (prod host)
With a DSN set, SIGTERM/SIGINT now flushes Sentry and exits 0 (previously signal death, 143). Inert under restart: always, but visible to exit-code-watching tooling. A second signal during the ≤2s flush window is absorbed.
Dependencies
Verification
Phase 0 closes when duration= lines and Sentry events are observed from prod (#112).
2.3.1
Contributors
Assets 2
2.3.0
Additive release — one new feature, one proto-level deprecation, no breaking changes.
Notable
feat(grpc): log per-request [REQ] line in auth interceptor (#105) — every unary gRPC call now emits [REQ] transport=grpc method=<full_method> peer=<addr> key_id=<id|none> on both auth-success and auth-failure paths. Evidence slice for #92 — the loopback-vs-external peer split is what gates #94/#95.
chore(milpacs): deprecate GetUserViaKeycloakId rpc + keycloak_id fields (#104) — proto-level deprecated: true markers on the keycloak lookup RPC and the Profile.keycloak_id / LiteProfile.keycloak_id fields. No behavior change; new code should not depend on them. Removal will be a separate breaking release.
Dependency bumps
docker/build-push-action7.1.0 → 7.2.0 (#102)docker/login-action4 → 4.1.0 (#101)grpc1.81.0 → 1.81.1 +docker/build-push-action7 → 7.1.0 bundle (#89)
Docs
docs: seed CONTEXT.md, ADRs, and agent docs(#103) — domain-language file at repo root, ADRs 0001–0004 covering the split-process layout, intra-process plaintext dial, redis response cache, and scope-based bearer auth.
Full Changelog: 2.2.1...2.3.0
2.2.1
Maintenance release — no consumer-facing behavior changes. Insomnia test suite (61/61) green throughout.
Dependency bumps
actions/checkoutv3→v6,docker/login-actionv2→v4,docker/build-push-actionv4→v7 (#73)viper1.19.0→1.21.0 (#74)gorm1.25.12→1.30.0 + dotted map-keyedWhereregression fix (#75)grpc-gateway/v22.26.3→2.29.0, transitivelygrpc1.79.3→1.80.0 (#76)grpc1.80.0→1.81.0,protoc-gen-go-grpc1.5.1→1.6.2 + proto regen (#77)gorm1.30.0→1.31.1 (#78)redis/go-redis9.7.3→9.19.0 (#79)
Notable fix
gorm 1.26+ dotted map-keyed Where regression (#75) — FindProfileByKeycloakID and FindProfileByDiscordID were using Where(map[string]interface{}{"xf_user_connected_account.provider": ...}). gorm 1.26+ misqualifies dotted map keys with the current model's table, producing a three-part qualifier MariaDB rejects. Both functions now use placeholder SQL.
Release plumbing
chore: auto-inject release version into server binary and OpenAPI spec(#81) — releases now bake the tag into the server binary (via-ldflags) and the OpenAPI spec served at/(via build-time sed into the proto sources). Local dev builds reportdev. Eliminates the manual two-place version bump that was a recurring near-miss.
Full Changelog: 2.2.0...2.2.1
2.2.0
What's Changed
- chore: gitignore Claude Code local working files by @SyniRon in #52
- feat: tickets endpoint + N-scopes-per-key auth refactor (v2.2.0) by @SyniRon in #53
Full Changelog: 2.1.1...2.2.0
Contributors
Assets 2
2.1.1
Contributors
Assets 2
2.1.0
What's Changed
Full Changelog: 2.0.2...2.1.0
Contributors
Assets 2
2.0.2
Security
Dependency updates addressing 12 Dependabot alerts:
Critical
google.golang.org/grpcv1.72.0 → v1.79.3 (CVE: AuthZ bypass via missing leading slash in:path)
High
github.com/opencontainers/selinuxv1.12.0 → v1.13.0 (CVE-2025-52881: runc container escape via procfs write redirects)github.com/containerd/containerdv1.7.25 → v1.7.29 (local privesc via wide CRI directory permissions)github.com/docker/cliv28.1.1 → v29.2.0 (local privesc via uncontrolled search path on Windows)
Medium
github.com/containerd/containerdv1.7.25 → v1.7.29 (host memory exhaustion, integer overflow in UID handling)github.com/quic-go/quic-gov0.51.0 → v0.57.0 (HTTP/3 QPACK header expansion DoS)golang.org/x/cryptov0.38.0 → v0.46.0 (ssh/agent panic, unbounded memory consumption)github.com/go-chi/chi/v5v5.2.1 → v5.2.2 (host header injection / open redirect)
Low
github.com/redis/go-redis/v9v9.7.0 → v9.7.3 (out-of-order responses on CLIENT SETINFO timeout)filippo.io/edwards25519v1.1.0 → v1.1.1 (invalid MultiScalarMult results)
Other
- Fixed two latent Printf-directive bugs surfaced by Go 1.24 vet