Skip to content

release: v0.4.6 — security hardening#83

Merged
zvndev merged 1 commit into
mainfrom
release/0.4.6
Jun 10, 2026
Merged

release: v0.4.6 — security hardening#83
zvndev merged 1 commit into
mainfrom
release/0.4.6

Conversation

@zvndev

@zvndev zvndev commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator

Summary

Promotes the merged security/correctness fixes (#81) to a release: oversized-row DoS fix, readonly role enforcement, NULL wire format, window-frame semantics. Version bumps (workspace + inter-crate pins), CHANGELOG promotion, SECURITY.md supported-versions + enforcement wording, user-facing pin sweep.

Pre-publish smoke (mandatory gate) — 17/17 PASS against release binaries

  • Documented PowQL flow: type / multi-row insert / filter+order+limit / count / group+having / begin-rollback (count unchanged) / begin-commit
  • Durability: 3 rows inserted over TCP, server kill -9, restart → all rows recovered via WAL replay
  • Attack repro 1: 5000-char insert → row too large: 5015 bytes exceeds max 4070 bytes, server stays up, counts unchanged
  • Attack repro 2: readonly user reads OK; insert/drop → permission denied; admin writes OK
  • NULL over TCP renders NULL
  • Backup → restore → counts + point query match

Post-merge steps (in plan doc)

Tag v0.4.6 → release.yml (binaries + ghcr) → cargo publish ×6 in dependency order → clean-install re-smoke → npm publish TS client 0.4.0.

🤖 Generated with Claude Code

@zvndev @claude
release: prep v0.4.6 — security hardening (oversized-row DoS, readonl…
21f3521 
…y enforcement)

Promotes the four [Unreleased] fixes to 0.4.6:
- oversized rows rejected with a clean error instead of aborting the server
- readonly role enforced at the server dispatch layer (fail-closed)
- NULL serialized as bareword null on the wire (was {})
- window aggregates without order use the whole-partition frame

Plus: workspace + inter-crate pins to 0.4.6, SECURITY.md supported-versions
and enforcement wording, user-facing version pins swept (README, docs,
site, deploy examples).

Pre-publish smoke: 17/17 against release binaries (PowQL flow, kill -9
WAL replay, oversized-row attack, readonly enforcement, NULL render,
backup/restore).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@zvndev zvndev merged commit e1a3e12 into main Jun 10, 2026
7 checks passed
@zvndev zvndev deleted the release/0.4.6 branch June 10, 2026 00:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@zvndev