release: v0.4.8 — production-hardening pass

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.8] - 2026-06-10
+
 ### Added
 - **RBAC now enforces the full permission lattice.** The server maps each
   statement to the capability it needs — reads → `Read`, row mutations

Cargo.toml

@@ -3,7 +3,7 @@ resolver = "2"
 members = ["crates/*"]
 
 [workspace.package]
-version = "0.4.7"
+version = "0.4.8"
 edition = "2021"
 rust-version = "1.93"
 license = "MIT"

README.md

@@ -219,7 +219,7 @@ Before exposing `powdb-server` beyond `127.0.0.1`:
 - [ ] Enable TLS via `POWDB_TLS_CERT` and `POWDB_TLS_KEY` (or run behind a TLS-terminating proxy). Set `POWDB_REQUIRE_TLS=1` to make the server refuse to start with a password but no TLS, so credentials can never transit in cleartext by misconfiguration.
 - [ ] Bind to a specific interface with `--bind` rather than `0.0.0.0` if you can.
 - [ ] Mount `POWDB_DATA` on a persistent, durable volume. WAL replay assumes the directory is not wiped between restarts.
-- [ ] Pin the version (`cargo install powdb-server --version 0.4.7 --locked` or the matching ghcr tag). PowDB is pre-1.0; minor bumps may change on-disk formats.
+- [ ] Pin the version (`cargo install powdb-server --version 0.4.8 --locked` or the matching ghcr tag). PowDB is pre-1.0; minor bumps may change on-disk formats.
 - [ ] Wrap bulk loads and write bursts in a transaction (`begin` … `commit`) — one fsync per batch instead of per row, ~50x write throughput with identical durability. See [Write throughput & durability](#write-throughput--durability).
 - [ ] Size `POWDB_QUERY_MEMORY_LIMIT` for your host's RAM: it bounds a **single** query's materialization, not aggregate concurrent usage, so the 256 MiB default times many simultaneous connections can still exceed the process ceiling and get OOM-killed on memory-capped hosts (Railway/Fly/small AWS). Lower it accordingly.
 

SECURITY.md

@@ -4,7 +4,8 @@
 
 | Version         | Supported          |
 | --------------- | ------------------ |
-| 0.4.7           | :white_check_mark: |
+| 0.4.8           | :white_check_mark: |
+| 0.4.7           | :x: (superseded)   |
 | 0.4.6           | :x: (superseded)   |
 | 0.4.5           | :x: (superseded)   |
 | 0.4.4           | :x: (superseded)   |
@@ -17,7 +18,7 @@
 > **v0.4.1, v0.4.2, and v0.4.3 are yanked** for data-loss bugs in crash
 > recovery and have been replaced by **v0.4.4**, which adds a permanent
 > durability regression suite. If you are on any of those three versions,
-> upgrade to the latest release (0.4.7). See `CHANGELOG.md` for details.
+> upgrade to the latest release (0.4.8). See `CHANGELOG.md` for details.
 
 ## Reporting a Vulnerability
 

crates/backup/Cargo.toml

@@ -12,13 +12,13 @@ categories = ["database", "database-implementations"]
 documentation = "https://docs.rs/powdb-backup"
 
 [dependencies]
-powdb-storage = { version = "0.4.7", path = "../storage" }
+powdb-storage = { version = "0.4.8", path = "../storage" }
 serde.workspace = true
 serde_json.workspace = true
 blake3.workspace = true
 
 [dev-dependencies]
-powdb-query = { version = "0.4.7", path = "../query" }
+powdb-query = { version = "0.4.8", path = "../query" }
 
 [lints]
 workspace = true

crates/cli/Cargo.toml

@@ -12,11 +12,11 @@ categories = ["database", "command-line-utilities"]
 documentation = "https://docs.rs/powdb-cli"
 
 [dependencies]
-powdb-storage = { version = "0.4.7", path = "../storage" }
-powdb-query = { version = "0.4.7", path = "../query" }
-powdb-server = { version = "0.4.7", path = "../server" }
-powdb-backup = { version = "0.4.7", path = "../backup" }
-powdb-auth = { version = "0.4.7", path = "../auth" }
+powdb-storage = { version = "0.4.8", path = "../storage" }
+powdb-query = { version = "0.4.8", path = "../query" }
+powdb-server = { version = "0.4.8", path = "../server" }
+powdb-backup = { version = "0.4.8", path = "../backup" }
+powdb-auth = { version = "0.4.8", path = "../auth" }
 rustyline = "15"
 tokio = { version = "1", features = ["rt", "rt-multi-thread", "net", "io-util", "macros"] }
 tracing.workspace = true

crates/query/Cargo.toml

@@ -12,7 +12,7 @@ categories = ["database", "database-implementations", "parser-implementations"]
 documentation = "https://docs.rs/powdb-query"
 
 [dependencies]
-powdb-storage = { version = "0.4.7", path = "../storage" }
+powdb-storage = { version = "0.4.8", path = "../storage" }
 thiserror.workspace = true
 tracing.workspace = true
 rustc-hash.workspace = true

crates/server/Cargo.toml

@@ -12,9 +12,9 @@ categories = ["database", "database-implementations", "network-programming"]
 documentation = "https://docs.rs/powdb-server"
 
 [dependencies]
-powdb-storage = { version = "0.4.7", path = "../storage" }
-powdb-query = { version = "0.4.7", path = "../query" }
-powdb-auth = { version = "0.4.7", path = "../auth" }
+powdb-storage = { version = "0.4.8", path = "../storage" }
+powdb-query = { version = "0.4.8", path = "../query" }
+powdb-auth = { version = "0.4.8", path = "../auth" }
 tokio = { version = "1", features = ["rt-multi-thread", "net", "io-util", "macros", "sync", "time", "signal"] }
 tokio-rustls = "0.26"
 rustls-pemfile = "2"

docs/getting-started.md

@@ -44,7 +44,7 @@ cargo run --release -p powdb-cli
 You should see:
 
 ```
-PowDB v0.4.7 — embedded mode
+PowDB v0.4.8 — embedded mode
 Data directory: ./powdb_data
 Type PowQL queries. Use Ctrl-D to exit.
 
@@ -445,9 +445,9 @@ cargo run --release -p powdb-cli -- --remote localhost:5433
 Output:
 
 ```
-PowDB v0.4.7 — remote mode
+PowDB v0.4.8 — remote mode
 Connecting to localhost:5433 ...
-Connected to db `main` (server v0.4.7)
+Connected to db `main` (server v0.4.8)
 Type PowQL queries. Use Ctrl-D to exit.
 
 powql>

docs/powdb-vs-sqlite.md

@@ -138,7 +138,7 @@ Results land in `crates/compare/results.csv`.
 ## Caveats and roadmap
 
 - **PowDB is pre-1.0.** The on-disk format may shift across minor versions.
-  Pin a version (`cargo install powdb-cli --version 0.4.7 --locked`) and
+  Pin a version (`cargo install powdb-cli --version 0.4.8 --locked`) and
   expect to re-bench / re-import on upgrades until 1.0.
 - **SQLite is the safe default.** Decades of production exposure, an
   enormous test suite, and tools everywhere. If you're not sure, you

examples/deploy/README.md

@@ -64,13 +64,13 @@ docker run -d --name powdb \
   -e POWDB_DATA=/data \
   -e POWDB_BIND=0.0.0.0 \
   -e POWDB_PASSWORD=change-me \
-  ghcr.io/zvn-dev/powdb:v0.4.7
+  ghcr.io/zvn-dev/powdb:v0.4.8
 ```
 
 ## AWS ECS Fargate + EFS
 
 [`aws-ecs/`](./aws-ecs/) is a Terraform module that provisions an ECS
-cluster, a single Fargate task running `ghcr.io/zvn-dev/powdb:v0.4.7`, and
+cluster, a single Fargate task running `ghcr.io/zvn-dev/powdb:v0.4.8`, and
 an EFS file system backing `POWDB_DATA`. Read
 [`aws-ecs/README.md`](./aws-ecs/README.md) for trade-offs (single-writer,
 EFS fsync latency) before applying.

examples/deploy/aws-ecs/README.md

@@ -1,6 +1,6 @@
 # PowDB on AWS ECS Fargate + EFS
 
-A minimal Terraform module that runs `ghcr.io/zvn-dev/powdb:v0.4.7` as a
+A minimal Terraform module that runs `ghcr.io/zvn-dev/powdb:v0.4.8` as a
 single Fargate task with persistent storage on EFS. This is a starting
 point, not a turnkey production deploy — read the trade-offs below before
 you `terraform apply`.
@@ -71,7 +71,7 @@ front for a stable DNS name.
 | Name | Default | Notes |
 |---|---|---|
 | `powdb_password_secret_arn` | _(required)_ | Secrets Manager ARN holding `POWDB_PASSWORD`. |
-| `powdb_image` | `ghcr.io/zvn-dev/powdb:v0.4.7` | Pin to a digest in production. |
+| `powdb_image` | `ghcr.io/zvn-dev/powdb:v0.4.8` | Pin to a digest in production. |
 | `powdb_port` | `5433` | TCP wire protocol port. |
 | `task_cpu` | `512` (0.5 vCPU) | Fargate CPU units. |
 | `task_memory` | `1024` MiB | Must satisfy Fargate cpu↔memory ratios. |

examples/deploy/aws-ecs/variables.tf

@@ -13,7 +13,7 @@ variable "name_prefix" {
 variable "powdb_image" {
   description = "Container image for powdb-server."
   type        = string
-  default     = "ghcr.io/zvn-dev/powdb:v0.4.7"
+  default     = "ghcr.io/zvn-dev/powdb:v0.4.8"
 }
 
 variable "powdb_port" {

examples/deploy/cloudflare-tunnel/README.md

@@ -6,7 +6,7 @@ no static IP needed. Clients connect through Cloudflare's edge.
 
 ## What this example does
 
-- Runs `ghcr.io/zvn-dev/powdb:v0.4.7` on an internal docker network.
+- Runs `ghcr.io/zvn-dev/powdb:v0.4.8` on an internal docker network.
 - Runs `cloudflare/cloudflared` as a sidecar that establishes an
   outbound-only tunnel to Cloudflare.
 - Routes the hostname you own (e.g. `powdb.example.com`) over TCP into

examples/deploy/cloudflare-tunnel/docker-compose.yml

@@ -20,7 +20,7 @@
 
 services:
   powdb-server:
-    image: ghcr.io/zvn-dev/powdb:v0.4.7
+    image: ghcr.io/zvn-dev/powdb:v0.4.8
     container_name: powdb-server
     restart: unless-stopped
     environment:

site/getting-started.html

@@ -55,7 +55,7 @@ <h2><span class="step-number">2</span>Start the REPL</h2>
 cargo run --release -p powdb-cli</code></pre>
 
     <p>You should see:</p>
-    <div class="output">PowDB v0.4.7 -- embedded mode
+    <div class="output">PowDB v0.4.8 -- embedded mode
 Data directory: ./powdb_data
 Type PowQL queries. Use Ctrl-D to exit.
 
@@ -208,9 +208,9 @@ <h3>Start the server</h3>
 
     <h3>Connect from a client</h3>
     <pre><code class="language-bash">powdb-cli --remote localhost:5433</code></pre>
-    <div class="output">PowDB v0.4.7 -- remote mode
+    <div class="output">PowDB v0.4.8 -- remote mode
 Connecting to localhost:5433 ...
-Connected to db `main` (server v0.4.7)
+Connected to db `main` (server v0.4.8)
 Type PowQL queries. Use Ctrl-D to exit.
 
 powql></div>