From 004c5c17953484a62d3c8ec9f3aeed45f65b6104 Mon Sep 17 00:00:00 2001
From: andrew
Date: Tue, 21 Apr 2026 14:52:09 +0300
Subject: [PATCH 1/3] Prepare v0.3.0 release

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 Cargo.lock | 8 ++---
 crates/omnigraph-cli/Cargo.toml | 8 ++---
 crates/omnigraph-compiler/Cargo.toml | 2 +-
 crates/omnigraph-server/Cargo.toml | 6 ++--
 crates/omnigraph/Cargo.toml | 6 ++--
 docs/releases/v0.3.0.md | 49 ++++++++++++++++++++++++++++
 6 files changed, 64 insertions(+), 15 deletions(-)
 create mode 100644 docs/releases/v0.3.0.md

diff --git a/Cargo.lock b/Cargo.lock
index 7332d527..034c8780 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -4596,7 +4596,7 @@ dependencies = [

 [[package]]
 name = "omnigraph-cli"
-version = "0.2.2"
+version = "0.3.0"
 dependencies = [
 "assert_cmd",
 "clap",
@@ -4616,7 +4616,7 @@ dependencies = [

 [[package]]
 name = "omnigraph-compiler"
-version = "0.2.2"
+version = "0.3.0"
 dependencies = [
 "ahash",
 "arrow-array",
@@ -4637,7 +4637,7 @@ dependencies = [

 [[package]]
 name = "omnigraph-engine"
-version = "0.2.2"
+version = "0.3.0"
 dependencies = [
 "arrow-array",
 "arrow-cast",
@@ -4674,7 +4674,7 @@ dependencies = [

 [[package]]
 name = "omnigraph-server"
-version = "0.2.2"
+version = "0.3.0"
 dependencies = [
 "async-trait",
 "aws-config",
diff --git a/crates/omnigraph-cli/Cargo.toml b/crates/omnigraph-cli/Cargo.toml
index cb647ddf..dd30eca8 100644
--- a/crates/omnigraph-cli/Cargo.toml
+++ b/crates/omnigraph-cli/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "omnigraph-cli"
-version = "0.2.2"
+version = "0.3.0"
 edition = "2024"
 description = "CLI for the Omnigraph graph database."
 license = "MIT"
@@ -13,9 +13,9 @@ name = "omnigraph"
 path = "src/main.rs"

 [dependencies]
-omnigraph = { package = "omnigraph-engine", path = "../omnigraph", version = "0.2.2" }
-omnigraph-compiler = { path = "../omnigraph-compiler", version = "0.2.2" }
-omnigraph-server = { path = "../omnigraph-server", version = "0.2.2" }
+omnigraph = { package = "omnigraph-engine", path = "../omnigraph", version = "0.3.0" }
+omnigraph-compiler = { path = "../omnigraph-compiler", version = "0.3.0" }
+omnigraph-server = { path = "../omnigraph-server", version = "0.3.0" }
 clap = { workspace = true }
 color-eyre = { workspace = true }
 serde = { workspace = true }
diff --git a/crates/omnigraph-compiler/Cargo.toml b/crates/omnigraph-compiler/Cargo.toml
index 61470ffc..f8aaf042 100644
--- a/crates/omnigraph-compiler/Cargo.toml
+++ b/crates/omnigraph-compiler/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "omnigraph-compiler"
-version = "0.2.2"
+version = "0.3.0"
 edition = "2024"
 description = "Schema/query compiler for Omnigraph. Zero Lance dependency."
 license = "MIT"
diff --git a/crates/omnigraph-server/Cargo.toml b/crates/omnigraph-server/Cargo.toml
index 1d2029f6..f808c762 100644
--- a/crates/omnigraph-server/Cargo.toml
+++ b/crates/omnigraph-server/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "omnigraph-server"
-version = "0.2.2"
+version = "0.3.0"
 edition = "2024"
 description = "HTTP server for the Omnigraph graph database."
 license = "MIT"
@@ -19,8 +19,8 @@ default = []
 aws = ["dep:aws-config", "dep:aws-sdk-secretsmanager"]

 [dependencies]
-omnigraph = { package = "omnigraph-engine", path = "../omnigraph", version = "0.2.2" }
-omnigraph-compiler = { path = "../omnigraph-compiler", version = "0.2.2" }
+omnigraph = { package = "omnigraph-engine", path = "../omnigraph", version = "0.3.0" }
+omnigraph-compiler = { path = "../omnigraph-compiler", version = "0.3.0" }
 axum = { workspace = true }
 clap = { workspace = true }
 color-eyre = { workspace = true }
diff --git a/crates/omnigraph/Cargo.toml b/crates/omnigraph/Cargo.toml
index 19799893..fdd520bc 100644
--- a/crates/omnigraph/Cargo.toml
+++ b/crates/omnigraph/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "omnigraph-engine"
-version = "0.2.2"
+version = "0.3.0"
 edition = "2024"
 description = "Runtime engine for the Omnigraph graph database."
 license = "MIT"
@@ -16,7 +16,7 @@ default = []
 failpoints = ["dep:fail", "fail/failpoints"]

 [dependencies]
-omnigraph-compiler = { path = "../omnigraph-compiler", version = "0.2.2" }
+omnigraph-compiler = { path = "../omnigraph-compiler", version = "0.3.0" }
 lance = { workspace = true }
 lance-datafusion = { workspace = true }
 lance-file = { workspace = true }
@@ -47,7 +47,7 @@ async-trait = { workspace = true }
 url = { workspace = true }

 [dev-dependencies]
-omnigraph-compiler = { path = "../omnigraph-compiler", version = "0.2.2" }
+omnigraph-compiler = { path = "../omnigraph-compiler", version = "0.3.0" }
 tokio = { workspace = true }
 lance-namespace-impls = { workspace = true }
 serial_test = "3"
diff --git a/docs/releases/v0.3.0.md b/docs/releases/v0.3.0.md
new file mode 100644
index 00000000..9a144c38
--- /dev/null
+++ b/docs/releases/v0.3.0.md
@@ -0,0 +1,49 @@
+# Omnigraph v0.3.0
+
+Omnigraph v0.3.0 is a feature and security release. It adds an AWS deployment path for the server, hardens bearer-token authentication, introduces a schema inspection endpoint, and ships the CodeBuild-driven image packaging pipeline.
+
+## Highlights
+
+### AWS deployment path
+
+A new `aws` Cargo feature enables an AWS-native bearer-token backend. When compiled with `--features aws` and pointed at an AWS Secrets Manager secret ARN via `OMNIGRAPH_SERVER_BEARER_TOKENS_AWS_SECRET`, the server fetches and parses bearer tokens directly from Secrets Manager at startup. The token loading path is abstracted behind a `TokenSource` trait so additional backends are easy to add.
+
+A manually-dispatched Package workflow builds two variants of the server image (default and `--features aws`) via AWS CodeBuild, tags them by source SHA in ECR, and records the digests for downstream deploy automation.
+
+### Bearer auth hardening
+
+Bearer tokens are now hashed (SHA-256) at rest inside the server and compared using constant-time equality (`subtle::ConstantTimeEq`). The authenticated actor id is resolved server-side from the hash match — requests can no longer assert their own actor id by setting a header.
+
+### Schema inspection API
+
+A new `GET /schema` endpoint and matching CLI `schema get` command return the active graph schema as JSON. A static OpenAPI spec is published at `openapi.json` and kept in sync with the server via a CI job.
+
+### Stricter run-branch hygiene
+
+Internal `__run__…` branches, used for short-lived write staging, are now filtered out of user-visible branch listings and are deleted on every terminal state transition instead of accumulating over time (MR-670, MR-674).
+
+## Breaking changes
+
+### Schema state is now required
+
+The server refuses to open a repo that lacks persisted schema state (`_schema.pg`, `_schema.ir.json`, `__schema_state.json`) or that has non-main public branches left over from earlier versions. Existing repos created with 0.2.x need to be reinitialized (or have their schema state written explicitly) before they can be opened with 0.3.0.
+
+## Included Changes
+
+- Add `aws` feature + `SecretsManagerTokenSource` backend
+- Extract `TokenSource` trait for bearer token loading
+- Harden bearer auth: constant-time compare, SHA-256 hashed at rest, server-authoritative actor id
+- Add manually-dispatched Package workflow for CodeBuild image builds (default + aws variants)
+- Add `GET /schema` endpoint and `schema get` CLI command
+- Ship static `openapi.json` spec with CI auto-sync
+- Filter and delete ephemeral `__run__` branches (MR-670, MR-674)
+- Switch Dockerfile base to ECR Public (avoid Docker Hub rate limits)
+- Raise `LANCE_MEM_POOL_SIZE` default to 1 GB for stable parallel tests
+- Automate Homebrew tap updates on release tags
+- Documentation for the AWS build variant and bearer-token sources
+
+## Upgrade Notes
+
+- Repos created with 0.2.x must be reinitialized (or have their schema state generated) before they can be opened with 0.3.0
+- Deployments using AWS Secrets Manager for bearer tokens must build the server with `--features aws` and set `OMNIGRAPH_SERVER_BEARER_TOKENS_AWS_SECRET` to the secret ARN
+- The default token source (env var or JSON file) continues to work unchanged

From 47afa4f02d97de7fb692a7b1a595aea65d2f7054 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 21 Apr 2026 11:55:30 +0000
Subject: [PATCH 2/3] chore: regenerate openapi.json

---
 openapi.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/openapi.json b/openapi.json
index bf826766..edee87d9 100644
--- a/openapi.json
+++ b/openapi.json
@@ -7,7 +7,7 @@
 "name": "MIT",
 "identifier": "MIT"
 },
- "version": "0.2.2"
+ "version": "0.3.0"
 },
 "paths": {
 "/branches": {

From b07661ed575cf7d26ac00148e46208f96b3652da Mon Sep 17 00:00:00 2001
From: andrew
Date: Tue, 21 Apr 2026 15:38:20 +0300
Subject: [PATCH 3/3] ci: retrigger CI on latest openapi.json