CHANGELOG.md

# Changelog

All notable changes to this project will be documented in this file.

## [1.6.0] - 2026-04-01

### Added

- **wfe-server**: Headless workflow server (single binary)
  - gRPC API with 13 RPCs: workflow CRUD, lifecycle streaming, log streaming, log search
  - HTTP webhooks: GitHub and Gitea with HMAC-SHA256 verification, configurable triggers
  - OIDC/JWT authentication with JWKS discovery and asymmetric algorithm allowlist
  - Static bearer token auth with constant-time comparison
  - Lifecycle event broadcasting via `WatchLifecycle` server-streaming RPC
  - Real-time log streaming via `StreamLogs` with follow mode and history replay
  - Full-text log search via OpenSearch with `SearchLogs` RPC
  - Layered config: CLI flags > env vars > TOML file
- **wfe-server-protos**: gRPC service definitions (tonic 0.14, server + client stubs)
- **wfe-core**: `LogSink` trait for real-time step output streaming
- **wfe-core**: Lifecycle publisher wired into executor (StepStarted, StepCompleted, Error, Completed, Terminated)
- **wfe**: `use_log_sink()` on `WorkflowHostBuilder`
- **wfe-yaml**: Shell step streaming mode with `tokio::select!` interleaved stdout/stderr

### Security

- JWT algorithm confusion prevention: derive algorithm from JWK, reject symmetric algorithms
- Constant-time static token comparison via `subtle` crate
- OIDC issuer HTTPS validation to prevent SSRF
- Fail-closed on OIDC discovery failure (server won't start with broken auth)
- Authenticated generic webhook endpoint
- 2MB webhook payload size limit
- Config parse errors fail loudly (no silent fallback to open defaults)
- Blocked sensitive env var injection (PATH, LD_PRELOAD, etc.) from workflow data
- Security regression tests for all critical and high findings

### Fixed

- Shell step streaming path now respects `timeout_ms` with `child.kill()` on timeout
- LogSink properly threaded from WorkflowHostBuilder through executor to StepExecutionContext
- LogStore.with_search() wired in server main.rs for OpenSearch indexing
- OpenSearch `index_chunk` returns Err on HTTP failure instead of swallowing it
- Webhook publish failures return 500 instead of 200

## [1.5.0] - 2026-03-29

### Added

- **wfe-rustlang**: New crate with Rust toolchain step executors
  - Cargo steps: `cargo-build`, `cargo-test`, `cargo-check`, `cargo-clippy`, `cargo-fmt`, `cargo-doc`, `cargo-publish`
  - External tool steps with auto-install: `cargo-audit`, `cargo-deny`, `cargo-nextest`, `cargo-llvm-cov`
  - Rustup steps: `rust-install`, `rustup-toolchain`, `rustup-component`, `rustup-target`
  - `cargo-doc-mdx`: generates MDX documentation from rustdoc JSON output using the `rustdoc-types` crate
- **wfe-yaml**: `rustlang` feature flag enabling all cargo/rustup step types
- **wfe-yaml**: Schema fields for Rust steps (`package`, `features`, `toolchain`, `profile`, `output_dir`, etc.)
- **wfe-containerd**: Remote daemon support via `WFE_IO_DIR` environment variable
- **wfe-containerd**: Image chain ID resolution from content store for proper rootfs snapshots
- **wfe-containerd**: Docker-default Linux capabilities for root containers
- Lima `wfe-test` VM config (Alpine + containerd + BuildKit, TCP socat proxy)
- Containerd integration tests running Rust toolchain in containers

### Fixed

- **wfe-containerd**: Empty rootfs — snapshot parent now resolved from image chain ID instead of empty string
- **wfe-containerd**: FIFO deadlock with remote daemons — replaced with regular file I/O
- **wfe-containerd**: `sh: not found` — use absolute `/bin/sh` path in OCI process spec
- **wfe-containerd**: `setgroups: Operation not permitted` — grant capabilities when running as UID 0

### Changed

- Lima `wfe-test` VM uses Alpine apk packages instead of GitHub release binaries
- Container tests use TCP proxy (`http://127.0.0.1:2500`) instead of Unix socket forwarding
- CI pipeline (`workflows.yaml`) updated with `wfe-rustlang` in test, package, and publish steps

879 tests. 88.8% coverage on wfe-rustlang.

## [1.4.0] - 2026-03-26

### Added

- Type-safe `when:` conditions on workflow steps with compile-time validation
- Full boolean combinator set: `all` (AND), `any` (OR), `none` (NOR), `one_of` (XOR), `not` (NOT)
- Task file includes with cycle detection
- Self-hosting CI pipeline (`workflows.yaml`) demonstrating all features
- `readFile()` op for deno runtime
- Auto-typed `##wfe[output]` annotations (bool, number conversion)
- Multi-workflow YAML files, SubWorkflow step type, typed input/output schemas
- HostContext for programmatic child workflow invocation
- BuildKit image builder and containerd container runner as standalone crates
- gRPC clients generated from official upstream proto files (tonic 0.14)

### Fixed

- Pipeline coverage step produces valid JSON, deno reads it with `readFile()`
- Host context field added to container executor test contexts
- `.outputs.` paths resolved flat for child workflows
- Pointer status conversion for Skipped in postgres provider

629 tests. 87.7% coverage.

## [1.0.0] - 2026-03-23

### Added

- **wfe-core**: Workflow engine with step primitives, executor, fluent builder API
- **wfe**: WorkflowHost, registry, sync runner, and purger
- **wfe-sqlite**: SQLite persistence provider
- **wfe-postgres**: PostgreSQL persistence provider
- **wfe-opensearch**: OpenSearch search index provider
- **wfe-valkey**: Valkey provider for locks, queues, and lifecycle events
- **wfe-yaml**: YAML workflow definitions with shell and deno executors
- **wfe-yaml**: Deno JS/TS runtime with sandboxed permissions, HTTP ops, npm support via esm.sh
- OpenTelemetry tracing support behind `otel` feature flag
- In-memory test support providers
chore: add CHANGELOG.md for v1.5.0 Full changelog covering v1.0.0, v1.4.0, and v1.5.0 releases. Also fix containerd integration test default address to handle Lima socket forwarding gracefully. 879 tests passing. 88.8% coverage on wfe-rustlang. 2026-03-29 17:13:14 +01:00			`# Changelog`

			`All notable changes to this project will be documented in this file.`

chore: bump version to 1.6.0, update CHANGELOG 2026-04-01 14:39:21 +01:00			`## [1.6.0] - 2026-04-01`

			`### Added`

			`- wfe-server: Headless workflow server (single binary)`
			`- gRPC API with 13 RPCs: workflow CRUD, lifecycle streaming, log streaming, log search`
			`- HTTP webhooks: GitHub and Gitea with HMAC-SHA256 verification, configurable triggers`
			`- OIDC/JWT authentication with JWKS discovery and asymmetric algorithm allowlist`
			`- Static bearer token auth with constant-time comparison`
			- Lifecycle event broadcasting via `WatchLifecycle` server-streaming RPC
			- Real-time log streaming via `StreamLogs` with follow mode and history replay
			- Full-text log search via OpenSearch with `SearchLogs` RPC
			`- Layered config: CLI flags > env vars > TOML file`
			`- wfe-server-protos: gRPC service definitions (tonic 0.14, server + client stubs)`
			- wfe-core: `LogSink` trait for real-time step output streaming
			`- wfe-core: Lifecycle publisher wired into executor (StepStarted, StepCompleted, Error, Completed, Terminated)`
			- wfe: `use_log_sink()` on `WorkflowHostBuilder`
			- wfe-yaml: Shell step streaming mode with `tokio::select!` interleaved stdout/stderr

			`### Security`

			`- JWT algorithm confusion prevention: derive algorithm from JWK, reject symmetric algorithms`
			- Constant-time static token comparison via `subtle` crate
			`- OIDC issuer HTTPS validation to prevent SSRF`
			`- Fail-closed on OIDC discovery failure (server won't start with broken auth)`
			`- Authenticated generic webhook endpoint`
			`- 2MB webhook payload size limit`
			`- Config parse errors fail loudly (no silent fallback to open defaults)`
			`- Blocked sensitive env var injection (PATH, LD_PRELOAD, etc.) from workflow data`
			`- Security regression tests for all critical and high findings`

			`### Fixed`

			- Shell step streaming path now respects `timeout_ms` with `child.kill()` on timeout
			`- LogSink properly threaded from WorkflowHostBuilder through executor to StepExecutionContext`
			`- LogStore.with_search() wired in server main.rs for OpenSearch indexing`
			- OpenSearch `index_chunk` returns Err on HTTP failure instead of swallowing it
			`- Webhook publish failures return 500 instead of 200`

chore: add CHANGELOG.md for v1.5.0 Full changelog covering v1.0.0, v1.4.0, and v1.5.0 releases. Also fix containerd integration test default address to handle Lima socket forwarding gracefully. 879 tests passing. 88.8% coverage on wfe-rustlang. 2026-03-29 17:13:14 +01:00			`## [1.5.0] - 2026-03-29`

			`### Added`

			`- wfe-rustlang: New crate with Rust toolchain step executors`
			- Cargo steps: `cargo-build`, `cargo-test`, `cargo-check`, `cargo-clippy`, `cargo-fmt`, `cargo-doc`, `cargo-publish`
			- External tool steps with auto-install: `cargo-audit`, `cargo-deny`, `cargo-nextest`, `cargo-llvm-cov`
			- Rustup steps: `rust-install`, `rustup-toolchain`, `rustup-component`, `rustup-target`
			- `cargo-doc-mdx`: generates MDX documentation from rustdoc JSON output using the `rustdoc-types` crate
			- wfe-yaml: `rustlang` feature flag enabling all cargo/rustup step types
			- wfe-yaml: Schema fields for Rust steps (`package`, `features`, `toolchain`, `profile`, `output_dir`, etc.)
			- wfe-containerd: Remote daemon support via `WFE_IO_DIR` environment variable
			`- wfe-containerd: Image chain ID resolution from content store for proper rootfs snapshots`
			`- wfe-containerd: Docker-default Linux capabilities for root containers`
			- Lima `wfe-test` VM config (Alpine + containerd + BuildKit, TCP socat proxy)
			`- Containerd integration tests running Rust toolchain in containers`

			`### Fixed`

			`- wfe-containerd: Empty rootfs — snapshot parent now resolved from image chain ID instead of empty string`
			`- wfe-containerd: FIFO deadlock with remote daemons — replaced with regular file I/O`
			- wfe-containerd: `sh: not found` — use absolute `/bin/sh` path in OCI process spec
			- wfe-containerd: `setgroups: Operation not permitted` — grant capabilities when running as UID 0

			`### Changed`

			- Lima `wfe-test` VM uses Alpine apk packages instead of GitHub release binaries
			- Container tests use TCP proxy (`http://127.0.0.1:2500`) instead of Unix socket forwarding
			- CI pipeline (`workflows.yaml`) updated with `wfe-rustlang` in test, package, and publish steps

			`879 tests. 88.8% coverage on wfe-rustlang.`

			`## [1.4.0] - 2026-03-26`

			`### Added`

			- Type-safe `when:` conditions on workflow steps with compile-time validation
			- Full boolean combinator set: `all` (AND), `any` (OR), `none` (NOR), `one_of` (XOR), `not` (NOT)
			`- Task file includes with cycle detection`
			- Self-hosting CI pipeline (`workflows.yaml`) demonstrating all features
			- `readFile()` op for deno runtime
			- Auto-typed `##wfe[output]` annotations (bool, number conversion)
			`- Multi-workflow YAML files, SubWorkflow step type, typed input/output schemas`
			`- HostContext for programmatic child workflow invocation`
			`- BuildKit image builder and containerd container runner as standalone crates`
			`- gRPC clients generated from official upstream proto files (tonic 0.14)`

			`### Fixed`

			- Pipeline coverage step produces valid JSON, deno reads it with `readFile()`
			`- Host context field added to container executor test contexts`
			- `.outputs.` paths resolved flat for child workflows
			`- Pointer status conversion for Skipped in postgres provider`

			`629 tests. 87.7% coverage.`

			`## [1.0.0] - 2026-03-23`

			`### Added`

			`- wfe-core: Workflow engine with step primitives, executor, fluent builder API`
			`- wfe: WorkflowHost, registry, sync runner, and purger`
			`- wfe-sqlite: SQLite persistence provider`
			`- wfe-postgres: PostgreSQL persistence provider`
			`- wfe-opensearch: OpenSearch search index provider`
			`- wfe-valkey: Valkey provider for locks, queues, and lifecycle events`
			`- wfe-yaml: YAML workflow definitions with shell and deno executors`
			`- wfe-yaml: Deno JS/TS runtime with sandboxed permissions, HTTP ops, npm support via esm.sh`
			- OpenTelemetry tracing support behind `otel` feature flag
			`- In-memory test support providers`