Releases: 7Cav/api
2.3.1
2.3.0
Additive release — one new feature, one proto-level deprecation, no breaking changes.
Notable
feat(grpc): log per-request [REQ] line in auth interceptor (#105) — every unary gRPC call now emits [REQ] transport=grpc method=<full_method> peer=<addr> key_id=<id|none> on both auth-success and auth-failure paths. Evidence slice for #92 — the loopback-vs-external peer split is what gates #94/#95.
chore(milpacs): deprecate GetUserViaKeycloakId rpc + keycloak_id fields (#104) — proto-level deprecated: true markers on the keycloak lookup RPC and the Profile.keycloak_id / LiteProfile.keycloak_id fields. No behavior change; new code should not depend on them. Removal will be a separate breaking release.
Dependency bumps
- docker/build-push-action 7.1.0 → 7.2.0 (#102)
- docker/login-action 4 → 4.1.0 (#101)
- grpc 1.81.0 → 1.81.1 + docker/build-push-action 7 → 7.1.0 bundle (#89)
Docs
docs: seed CONTEXT.md, ADRs, and agent docs (#103) — domain-language file at repo root, ADRs 0001–0004 covering the split-process layout, intra-process plaintext dial, redis response cache, and scope-based bearer auth.
Full Changelog: 2.2.1...2.3.0
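A log consumer can use the [REQ] line from 2.3.0 to count requests by loopback versus external peer and by key_id. The sketch below is an added example, not code from the 7Cav/api repository. It assumes peer is logged as host:port; the timestamp prefix, method name and sample values are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample; timestamp prefix, method and host:port peer are assumptions.
var sample = []string{
	"2025/01/01 10:00:00 [REQ] transport=grpc method=/example.Svc/Get peer=127.0.0.1:41234 key_id=7",
	"2025/01/01 10:00:01 [REQ] transport=grpc method=/example.Svc/Get peer=[::1]:41300 key_id=none",
	"2025/01/01 10:00:02 [REQ] transport=grpc method=/example.Svc/Get peer=203.0.113.9:55012 key_id=none",
	"2025/01/01 10:00:03 server started",
}

// ParseReq returns the key=value fields after the "[REQ]" marker; ok is false
// when the marker, peer or key_id is missing.
func ParseReq(line string) (map[string]string, bool) {
	_, rest, found := strings.Cut(line, "[REQ]")
	kv := map[string]string{}
	for _, f := range strings.Fields(rest) {
		if k, v, has := strings.Cut(f, "="); has {
			kv[k] = v
		}
	}
	return kv, found && kv["peer"] != "" && kv["key_id"] != ""
}

// PeerSide returns "loopback" only for a host:port peer whose host is a loopback
// IP; anything else, including a peer that does not parse, is "external".
func PeerSide(peer string) string {
	host, _, _ := net.SplitHostPort(peer) // host is "" on error
	if ip := net.ParseIP(host); ip != nil && ip.IsLoopback() {
		return "loopback"
	}
	return "external"
}

// Tally counts [REQ] lines per "<side> key_id=<id|none>" and skips other lines.
func Tally(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		if kv, ok := ParseReq(l); ok {
			counts[PeerSide(kv["peer"])+" key_id="+kv["key_id"]]++
		}
	}
	return counts
}

func main() { fmt.Println(Tally(sample)) }
```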
2.2.1
Maintenance release — no consumer-facing behavior changes. Insomnia test suite (61/61) green throughout.
Dependency bumps
- actions/checkout v3 → v6, docker/login-action v2 → v4, docker/build-push-action v4 → v7 (#73)
- viper 1.19.0 → 1.21.0 (#74)
- gorm 1.25.12 → 1.30.0 + dotted map-keyed Where regression fix (#75)
- grpc-gateway/v2 2.26.3 → 2.29.0, transitively grpc 1.79.3 → 1.80.0 (#76)
- grpc 1.80.0 → 1.81.0, protoc-gen-go-grpc 1.5.1 → 1.6.2 + proto regen (#77)
- gorm 1.30.0 → 1.31.1 (#78)
- redis/go-redis 9.7.3 → 9.19.0 (#79)
Notable fix
gorm 1.26+ dotted map-keyed Where regression (#75) — FindProfileByKeycloakID and FindProfileByDiscordID were using Where(map[string]interface{}{"xf_user_connected_account.provider": ...}). gorm 1.26+ misqualifies dotted map keys with the current model's table, producing a three-part qualifier MariaDB rejects. Both functions now use placeholder SQL.
Release plumbing
chore: auto-inject release version into server binary and OpenAPI spec (#81) — releases now bake the tag into the server binary (via -ldflags) and the OpenAPI spec served at / (via build-time sed into the proto sources). Local dev builds report dev. Eliminates the manual two-place version bump that was a recurring near-miss.
Full Changelog: 2.2.0...2.2.1
2.2.0
2.1.1
2.1.0
2.0.2
Security
Dependency updates addressing 12 Dependabot alerts:
Critical
- google.golang.org/grpc v1.72.0 → v1.79.3 (CVE: AuthZ bypass via missing leading slash in :path)
High
- github.com/opencontainers/selinux v1.12.0 → v1.13.0 (CVE-2025-52881: runc container escape via procfs write redirects)
- github.com/containerd/containerd v1.7.25 → v1.7.29 (local privesc via wide CRI directory permissions)
- github.com/docker/cli v28.1.1 → v29.2.0 (local privesc via uncontrolled search path on Windows)
Medium
- github.com/containerd/containerd v1.7.25 → v1.7.29 (host memory exhaustion, integer overflow in UID handling)
- github.com/quic-go/quic-go v0.51.0 → v0.57.0 (HTTP/3 QPACK header expansion DoS)
- golang.org/x/crypto v0.38.0 → v0.46.0 (ssh/agent panic, unbounded memory consumption)
- github.com/go-chi/chi/v5 v5.2.1 → v5.2.2 (host header injection / open redirect)
Low
- github.com/redis/go-redis/v9 v9.7.0 → v9.7.3 (out-of-order responses on CLIENT SETINFO timeout)
- filippo.io/edwards25519 v1.1.0 → v1.1.1 (invalid MultiScalarMult results)
Other
- Fixed two latent Printf-directive bugs surfaced by Go 1.24 vet