Releases: Query-farm/vgi-rpc-typescript

v0.9.0 — serveStream / serveConnection

26 Jun 14:26

Add a public server-side serve-over-stream seam (the sibling of the client's pipeConnect):

  • VgiRpcServer.serveConnection(readable, writable, transportKind?) — the transport-agnostic core that run() (stdin/stdout) now delegates to.
  • serveStream(protocol, { readable, writable }) — convenience wrapper.

Lets a worker be served over any duplex channel that isn't a process/socket — e.g. a Web Worker MessagePort bridge, or an in-memory pipe.

v0.8.0

26 Jun 00:05

Raw-TCP socket transport

New serveTcp / tcpConnect and TransportKind.TCP — the network analog of the Unix-socket transport, speaking the same raw Arrow-IPC framing without the HTTP envelope. Loopback-only by default (127.0.0.1); no auth/TLS, so use HTTP for untrusted networks.

  • Conformance worker gains --tcp [HOST:]PORT, emitting a TCP:<host>:<port> discovery line.
  • Verified at full conformance parity via the Python vgi-rpc-test --tcp harness.

Full changelog: v0.7.5...v0.8.0

v0.7.5

16 Jun 00:50

What's changed

  • CF/browser: launcher-free workerd/worker/browser entry. The barrel is split into index.core.ts (runtime-agnostic), index.ts (core + node-only AF_UNIX launcher, for node/bun), and index.workerd.ts (core only). The workerd/worker/browser export conditions now resolve to the launcher-free entry, so node:net / node:fs / node:child_process no longer enter Cloudflare Worker / browser bundles.

Node/bun consumers are unaffected — index.ts still re-exports the launcher.

Published to npm as @query-farm/vgi-rpc@0.7.5.

v0.7.4

16 Jun 00:40

What's changed

  • deps: replace the @uwdata/flechette GitHub fork + install-time patch pipeline with the published, self-contained @query-farm/flechette@^2.4.0. The per-batch custom_metadata, multi-batch ordering, and empty-batch patches are now baked into that package.
  • Removed scripts/patch-flechette.mjs and scripts/flechette-patches/; postinstall now only does the apache-arrow dev fixup.

The dependency tree is now fully npm-resolvable — no github: deps for flechette — so Cloudflare Worker / browser consumers bundle flechette straight from the registry.

Published to npm as @query-farm/vgi-rpc@0.7.4.

v0.7.3

15 Jun 17:01

What's changed since v0.7.2

  • fix(describe): correct protocol_name and is_exchange to match the conformance spec
  • flechette: normalize foreign Arrow types before building columns
  • build: commit dist/ for github-dependency consumption
  • fix(lint): sort flechette imports to unblock CI

Published to npm as @query-farm/vgi-rpc@0.7.3.

v0.7.2

03 Jun 03:09

Fixes the unloadable dist shipped in 0.7.0/0.7.1.

bun-version: latest in the publish workflow resolved to bun 1.3.14, whose bundler mis-emits re-export aliases (export { RpcError2 as RpcError } and similar, with the renamed binding never declared). The result was a syntactically valid but unloadable ESM module — every import from @query-farm/vgi-rpc threw.

  • Pin the publish workflow to bun 1.3.5 (builds a correct bundle).
  • Add a post-build step that imports dist/index.js so a broken bundle fails CI instead of being published.

No source changes.

v0.7.1

03 Jun 03:05

Republish with a corrected build.

The published 0.7.0 dist/index.js emitted export { RpcError2 as RpcError } with RpcError2 never defined — an older bun bundler re-export bug that made the entire ESM module fail to load for every import consumer (e.g. import { RpcError } from "@query-farm/vgi-rpc"). Rebuilt with bun 1.3.5, which resolves the alias correctly. No source changes.

v0.7.0

02 Jun 19:52

First feature release since v0.6.4 — 51 commits tracking the vgi-rpc-python reference for wire compatibility, plus a full docs refresh.

✨ New features

Transports & serving

  • AF_UNIX socket launcher: serveUnix / launch with spawn-or-reuse, a deterministic per-command socket path, cross-process locking, a shared state directory, and GC of stale sockets (TransportKind.UNIX).

HTTP

  • OAuth & PKCE — browser-login middleware with origin allowlist, token-exchange proxy for SPA clients, RFC 9728 protected-resource metadata, device-code discovery, and _vgi_auth cookie auth.
  • Sticky sessions: enableSticky / stickyDefaultTtl / stickyEchoHeaders with DELETE /__session__ teardown.
  • Compression — accepts zstd and gzip request bodies; response compression via compressionLevel; maxDecompressedRequestBytes decompression-bomb defense.
  • Cookies for unary methods; CORS preflight now reflects Access-Control-Request-Headers.
  • Response caps: maxResponseBytes / maxExternalizedResponseBytes.
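
An added example, not vgi-rpc's own code, of what a decompressed-size cap such as maxDecompressedRequestBytes guards against: a small gzip body that inflates far beyond what the server intends to buffer. The function `decodeRequestBody`, the status mapping and the sample body are assumptions made for illustration, and only gzip is handled here (not zstd).

```typescript
import { gunzipSync, gzipSync } from "node:zlib";

type Decoded =
  | { status: 200; body: Uint8Array }
  | { status: 400 | 413 | 415; error: string };

// Hypothetical request-body decoder. The limit parameter is named after the
// option in the release note; the function itself is not part of vgi-rpc.
function decodeRequestBody(
  raw: Uint8Array,
  contentEncoding: string | undefined,
  maxDecompressedRequestBytes: number,
): Decoded {
  const enc = (contentEncoding ?? "identity").trim().toLowerCase();
  if (enc === "identity") {
    return raw.byteLength > maxDecompressedRequestBytes
      ? { status: 413, error: "body exceeds limit" }
      : { status: 200, body: raw };
  }
  if (enc !== "gzip") {
    return { status: 415, error: `unsupported Content-Encoding: ${enc}` };
  }
  try {
    // maxOutputLength makes zlib stop as soon as the output would pass the
    // cap, so the expanded payload is never fully held in memory.
    const body = gunzipSync(raw, { maxOutputLength: maxDecompressedRequestBytes });
    return { status: 200, body };
  } catch (err) {
    if ((err as { code?: string }).code === "ERR_BUFFER_TOO_LARGE") {
      return { status: 413, error: "decompressed body exceeds limit" };
    }
    return { status: 400, error: "malformed gzip body" };
  }
}

// Constructed sample: 8 MiB of zero bytes compresses to a few KiB of gzip.
function makeOversizedSample(): Uint8Array {
  return gzipSync(new Uint8Array(8 * 1024 * 1024));
}
```

Checking only Content-Length would not catch this body, because the limit has to apply to the inflated size.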

Large payloads / external storage

  • External-location pointer batches (vgi_rpc.location) with the ExternalStorage interface, maybeExternalizeBatch / resolveExternalLocation, and httpsOnlyValidator.
  • Request externalization via upload URLs: POST /__upload_url__/init, uploadUrlProvider, maxUploadBytes.

Streaming

  • cancel() support for streaming calls — server-side onCancel hook driven by vgi_rpc.cancel input metadata.

Arrow backend

  • Backend-agnostic arrow facade with arrow-js and flechette implementations; workerd-compatible bundling and a Web Crypto migration.

Observability

  • AccessLogHook + --access-log (JSONL records that validate cross-language).

🔌 Protocol / wire changes

  • State tokens are now sealed with XChaCha20-Poly1305 AEAD (was HMAC-SHA256) and bound to the authenticated principal. The new key option is tokenKey (32-byte master key).
  • Slim __describe__ wire format: DESCRIBE_VERSION = 4, 8-column schema, plus a protocol_hash digest.
  • protocol_version enforcement at the dispatch boundary (ProtocolVersionError, error_kind = protocol_version_mismatch).
  • Typed errors: MethodNotImplementedError, ServerDrainingError, SessionLostError with vgi_rpc.error_kind metadata.
  • Over HTTP, RPC errors now return HTTP 200 + X-VGI-RPC-Error (with an EXCEPTION batch) instead of 500.
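
An added example, not the project's implementation, of sealing a state token with an AEAD and binding it to the authenticated principal by passing the principal as associated data. It uses AES-256-GCM from node:crypto as a stand-in, because node:crypto has no XChaCha20-Poly1305; the token layout and the names `sealState` / `openState` are assumptions.

```typescript
import { Buffer } from "node:buffer";
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const NONCE_LEN = 12; // AES-GCM nonce size; XChaCha20-Poly1305 takes 24 bytes
const TAG_LEN = 16;

// Assumed token layout for this example: base64url(nonce || ciphertext || tag).
function sealState(tokenKey: Uint8Array, principal: string, state: string): string {
  const nonce = randomBytes(NONCE_LEN);
  const cipher = createCipheriv("aes-256-gcm", tokenKey, nonce);
  // The principal is authenticated but not stored in the token, so whoever
  // opens it must supply the same identity from their own authentication.
  cipher.setAAD(Buffer.from(principal, "utf8"));
  const ct = Buffer.concat([cipher.update(state, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]).toString("base64url");
}

// Returns the state, or null if the key, principal or token bytes do not match.
function openState(tokenKey: Uint8Array, principal: string, token: string): string | null {
  const raw = Buffer.from(token, "base64url");
  if (raw.length < NONCE_LEN + TAG_LEN) return null;
  const decipher = createDecipheriv("aes-256-gcm", tokenKey, raw.subarray(0, NONCE_LEN));
  decipher.setAAD(Buffer.from(principal, "utf8"));
  decipher.setAuthTag(raw.subarray(raw.length - TAG_LEN));
  try {
    const body = raw.subarray(NONCE_LEN, raw.length - TAG_LEN);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: nothing is released to the caller
  }
}
```

Unlike an HMAC-signed token, the sealed state is also unreadable to the client that carries it.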

⚠️ Upgrade notes

  • The HTTP state-token format changed (HMAC → AEAD); tokens are not compatible across the upgrade and in-flight streams won't resume from an older server. The option rename signingKey → tokenKey is required.
  • Introspection no longer carries doc / param_types on the wire (slim v4) — the Protocol class is the source of human-readable type info.

📚 Docs

  • Full documentation refresh aligned to the current API, new guides (Unix Socket Launcher, OAuth & PKCE, Sticky Sessions, Compression, Large Payloads), and a new logo.

Full changelog: v0.6.4...v0.7.0

v0.6.4

30 Mar 11:52

What's new

  • Access-Control-Max-Age on CORS preflight: New corsMaxAge option in HttpHandlerOptions sets the Access-Control-Max-Age header on OPTIONS responses. Default is 7200 seconds (2 hours). Pass null to omit the header.

v0.6.3

26 Mar 00:44

Add X-VGI-Content-Encoding to the CORS Access-Control-Expose-Headers response header, so browser clients can detect zstd-compressed responses cross-origin.

The full exposed header list is now: WWW-Authenticate, X-Request-ID, X-VGI-Content-Encoding.