
Changelog
All notable changes to this project are documented in this file.
[0.62.27] - 2026-06-25
Fixed
- fix(loadtest): pin k6 multipart creds so it ignores ambient AWS_* env (#1067)
[0.62.26] - 2026-06-21
Other
- perf(list): push delimiter CommonPrefix collapse into SQL via loose index scan (closes #1065) (#1066)
[0.62.25] - 2026-06-20
Fixed
- fix(readpath): bound degraded-broadcast loser-drain to stop goroutine leak (closes #971) (#1048)
- fix(dashboard): list directory children under underscore-named prefixes (closes #1045) (#1047)
- fix(replication): stop unreachable backends cascading breaker trips (closes #1029) (#1038)
- fix(ci): treat cosign Rekor 409 as already-signed (#1032)
- fix(reconcile): byte-order cursor to stop sorted-merge oscillation (#1031)
Refactored
- refactor(encryption): centralize stored-object decrypt + read-path plaintext pipeline (refs #1050) (#1062)
- refactor(backend): GetWithTimeout/HeadWithTimeout lifecycle helpers (refs #1050) (#1057)
- refactor(worker): batch runner + uniform WorkSummary results (refs #1050) (#1056)
- refactor(rebalancer): PlacementSet + candidate cache for planning (refs #1050) (#1055)
- refactor(readpath): extract ProbeScheduler from the Broadcaster (refs #1050) (#1053)
- refactor(readpath): return an explicit ProbeResult instead of smuggling the winner via sync.Once (refs #1050) (#1052)
- refactor(readpath): extract degraded-mode broadcast into a Broadcaster (#1044)
- refactor(proxy): rename per-package Stores interfaces to disambiguate (closes #1006) (#1041)
- refactor(proxy): decouple BackendRuntime from BackendManager (#1004, #990) (#1040)
- refactor(proxy): rename infra.Core to BackendRuntime (closes #988) (#1039)
Dependencies
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.103.3 to 1.104.0 in the aws-sdk group (#1060)
- chore(deps): bump actions/checkout from 6 to 7 in the actions group (#1059)
- chore(deps): bump github.com/aws/smithy-go in the minor-and-patch group (#1061)
- chore(deps): bump the minor-and-patch group with 4 updates (#1037)
- chore(deps): bump the aws-sdk group with 4 updates (#1036)
- chore(deps): bump SonarSource/sonarqube-scan-action in the actions group (#1035)
Other
- perf(list): skip past emitted CommonPrefix groups during delimiter listing (closes #1063) (#1064)
- typed move-reason profiles and provideIf DI helper (refs #1050) (#1054)
- test(perf): make get-cold measure cold reads and fail loudly on flush errors (closes #1049) (#1051)
- take Deps/Config structs for constructors with >=4 params (#1042)
- reach parity with the dashboard (refs #1033) (#1034)
- GH_ISSUE_1009: move validate logic into internal/cli/validatecmd (#1028)
[0.62.1] - 2026-06-11
Fixed
- fix(ci,deps): patch webpage base image CVEs + bump pgx to v5.10.0 (#1027)
Other
- GH_ISSUE_1025: human-readable CLI output + per-item progress streaming (#1026)
- GH_ISSUE_1023: bound + rate-limit backfill-checksums; add make install (#1024)
[0.61.1] - 2026-06-08
Other
- GH_ISSUE_1021: target a remote instance via admin flags/env, no full config (#1022)
[0.61.0] - 2026-06-08
Improved
- update CHANGELOG.md for v0.60.40 (#1001)
Dependencies
- chore(deps): bump the aws-sdk group with 4 updates (#1016)
Other
- docs(web): reflect usage reconciliation in godoc + background-services diagram (#1020)
- GH_ISSUE_1018: add usage reconciliation to correct bytes_used drift (#1019)
- GH_ISSUE_1011: ride out transient MinIO 502s in concurrent put/delete test (#1015)
- GH_ISSUE_1002: route over-replication cleaner through the TxAdapter lock seam (#1010)
[0.60.40] - 2026-06-02
Added
- add s3o_list_pages_capped_total counter (#764)
Fixed
- fixup: web godoc updates
- fixup: added updated web godoc
- fixup: added web godocs that were missing
- fixup: adjust nomad-demo resource allocations
- fix(proxy): materialize CopyObject source to a seekable body (#816)
- fix(s3api): include ETag and StorageClass in ListObjects responses (#814)
- fix(sqlite): route tx.Commit failure through breaker PostCheck (#775) (#786)
Refactored
- refactor(proxy): extract read-failover orchestration into internal/proxy/readpath (#849) (#855)
- refactor(proxy): decompose internal/proxy into focused subpackages (#841) (#845)
- refactor(proxy): consolidate proxy package files (22 → 10) (#844)
- refactor(di): centralize worker provider dependency resolution (#839)
- refactor(proxy): drop worker fields from BackendManager and validate constructor inputs (#838)
- refactor(worker): extract replicator planner and outcome struct (#811)
- refactor(logging): handler-enforced error rendering + component scoping (#809)
- refactor(di): explicit Optional[T] resolution distinguishing missing vs failed providers (#807)
- refactor(reload): generation-aware coordinator with structured outcomes (#790) (#802)
- refactor(backend): typed CopyError for stream-copy phase classification (#793) (#801)
- refactor(worker): drop dead quotaStats from replication path (#792) (#800)
- refactor(cli/serve): decompose god object into runtime/httpserver/reload (#788) (#789)
- refactor(store): use mapping helpers for nullable fields (#774) (#787)
- refactor(ioutilx): extract read-closer helpers from proxy (#776) (#785)
- refactor(observe): unify span error recording across managers (#773) (#784)
- refactor(transport): extract shared HTTP JSON helpers (#772) (#783)
- refactor(ui): split handler.go into focused transport modules (#771) (#782)
- refactor(di): explicit manager wiring via di.WireManager (#777) (#781)
- refactor(proxy): split multipart.go into focused files (#770) (#780)
- refactor(proxy): remove parent back-pointers from ObjectManager and MultipartManager (#769) (#779)
- refactor(di): split di.go into focused provider files (#768) (#778)
Improved
- update CHANGELOG.md for v0.46.20 (#762)
Dependencies
- chore(deps): bump the aws-sdk group across 1 directory with 4 updates (#954)
- chore(deps): bump the actions group with 2 updates (#953)
- chore(deps): bump the otel group across 1 directory with 4 updates (#955)
- chore(deps): bump the minor-and-patch group with 3 updates (#956)
- chore(deps): bump the actions group with 4 updates (#932)
- chore(deps): bump the minor-and-patch group with 2 updates (#931)
- chore(deps): bump the minor-and-patch group with 2 updates (#837)
Other
- GH_ISSUE_974: split NewInjector into grouped helpers + typed config.Mode (#1000)
- Revise README for clarity and project comparisons (#999)
- GH_ISSUE_973: drop issue refs and lint-threshold rationale from source comments (#998)
- GH_ISSUE_982: split monolithic README + admin-guide into front door + per-topic docs (#996)
- GH_ISSUE_989: group BackendManagerConfig into capability sub-structs (#995)
- GH_ISSUE_987: encapsulate BackendManager sub-manager fields behind accessors (#994)
- GH_ISSUE_985: split ObjectCore into ObjectWriteCore / ObjectReadCore; drop transitive BackendOrder (#993)
- GH_ISSUE_986: split ObjectCoordinator into WriteRouter / PendingWriter / CleanupWriter (#992)
- GH_ISSUE_984: narrow consumer store interfaces; MetadataStore is now composition-root-only (#991)
- GH_ISSUE_964: fix fuzz workflow filing false-positive crash issues (#967)
- GH_ISSUE_950: wire runtime/trace.FlightRecorder into admin snapshot endpoint (#966)
- GH_ISSUE_949: migrate eligible tests to testing/synctest (Go 1.25) (#965)
- GH_ISSUE_962: bump golangci-lint to v2.12.2 + fix surfaced findings (#963)
- GH_ISSUE_944: adopt errors.AsType[T] (Go 1.26) (#961)
- GH_ISSUE_946: adopt sync.WaitGroup.Go (Go 1.25) (#960)
- GH_ISSUE_945: use net.JoinHostPort instead of fmt.Sprintf("%s:%d") (#959)
- GH_ISSUE_952: go fix ./… modernizer sweep + govulncheck bump (#958)
- GH_ISSUE_948: log shutdown cause from signal.NotifyContext (Go 1.26) (#957)
- GH_ISSUE_834: preserve raw benchmark output alongside filtered summary (#943)
- GH_ISSUE_836: per-backend credential_source for AWS default chain (#942)
- GH_ISSUE_803: advisory-lock + replicator + reaper invariant tests (#941)
- GH_ISSUE_803: cleanup queue concurrent-worker integration test (#940)
- GH_ISSUE_804 (PR-B): DB-recovery cache invalidation, mixed-outcome counter, Range test (#939)
- GH_ISSUE_804: degraded-mode observability + operator opt-out (#938)
- GH_ISSUE_927: hoist per-cycle telemetry out of business logic (#937)
- GH_ISSUE_919: drop narrative comments and linter-shaped helper DTOs (#936)
- GH_ISSUE_918: collapse single-impl, single-consumer interface seams (#935)
- GH_ISSUE_920: standardize constructor dependency validation (#933)
- GH_ISSUE_925: relocate worker lifecycle services beside workers (#930)
- GH_ISSUE_924: extract shared object-move primitive (drain + rebalancer) (#929)
- Three-issue bundle: read-path split (#923) + rebalancer copy-map + accounting (#928)
- GH_ISSUE_916: populate content_hash on multipart completion (#926)
- GH_ISSUE_405: dashboard integrity polish + brand palette (#915)
- GH_ISSUE_883: guard DrainActive.Dec() with sync.Once (#914)
- GH_ISSUE_831: drop context.Background() from DI startup logs (#913)
- GH_ISSUE_906: split admin/handler.go by domain (#912)
- GH_ISSUE_902: split objects_write.go by operation type (#911)
- GH_ISSUE_903: extract finalize helpers for materialized COPY + DELETE (#910)
- GH_ISSUE_905: name batch-delete concurrency constant (#909)
- GH_ISSUE_901: collapse cache invalidation into one helper (#908)
- GH_ISSUE_904: clone caller’s slice before sorting in CopyToReplica (#907)
- GH_ISSUE_858: cap parallel degraded-broadcast fanout (#900)
- GH_ISSUE_881: stop double-counting backend DELETE API calls (#899)
- GH_ISSUE_884: HEAD-probe ambiguous native-copy failures before falling back (#898)
- GH_ISSUE_835: document admissionSemFor concurrency model + pin wiring with tests (#897)
- GH_ISSUE_880: skip cleanup enqueue when RecoverFromRecordFailure DELETE 404s (#896)
- GH_ISSUE_798: HTTP panic-recovery middleware with structured logging, audit, and metric (#895)
- GH_ISSUE_830: make PendingReaper registration explicit, drop nil,nil semantics (#894)
- GH_ISSUE_882: apply backend_timeout consistently to COPY + multipart complete (#893)
- GH_ISSUE_833: align loadtest go.mod with root + CI drift check (#892)
- GH_ISSUE_861: replace semaphore-per-item workerpool with fixed worker model (#891)
- FIX: add new benchmark file
- GH_ISSUE_889: Helm chart support for dedicated metrics listener + opt-in pprof (#890)
- GH_ISSUE_885: pool chunkBuffers + seal/open into pre-allocated dst (#888)
- GH_ISSUE_886: mount pprof only on dedicated metrics listener (#887)
- GH_ISSUE_878: docs audit sync — bring every doc in line with current code (#879)
- GH_ISSUE_843: treat backend DELETE 404 as idempotent success (#877)
- GH_ISSUE_653: close drain-race + fix DrainActive metric + bound purge loop (#876)
- GH_ISSUE_871: make notify mockOutboxStore thread-safe + parallelize 23 tests (#875)
- GH_ISSUE_860: swap UsageTracker RWMutex pair for atomic.Pointer snapshots (#874)
- GH_ISSUE_848: trim repetitive comments in consumer-interface + observability files (#873)
- GH_ISSUE_850: decompose infra.Core into capability-oriented services (#872)
- GH_ISSUE_854: replace http.DefaultClient with ts.Client() in s3api tests + parallelize adminctl (#870)
- GH_ISSUE_856: optimize PutObject buffering and integrity pipeline (#869)
- GH_ISSUE_859: add same-backend server-side copy fast path (#868)
- GH_ISSUE_857: cancel losing degraded-read probes after a winner is declared (#867)
- GH_ISSUE_853: centralize per-operation completion observability (#866)
- GH_ISSUE_864: guard web targets against missing Hugo theme submodule (#865)
- FIXUP: add web godoc updates
- centralize per-backend usage + operation accounting via internal/proxy/accounting (#851) (#863)
- consumer-declared interfaces for proxy subpackages + lifecycle runners + reload hooks (#846) (#847)
- docs(logging): make error-attribute rule explicit (#840)
- surface orphan-enqueue failures during DB outages (#824)
- test(proxy): drop BenchmarkCopyMaterializeSink cognitive complexity (#822)
- ci(bench): nightly benchmark trend tracking via github-action-benchmark (#821)
- test(proxy): benchmark CopyObject materialize sink at both branches (#819)
- ci(fuzz): gate auto-filed bug issues on actual crashing input (#818)
- surface background worker health via admin API and Prometheus (#817)
- test(di): pin advisory-lock, interval, and mode-matrix invariants for periodic services (#812)
- docs(store): mechanical-checks contributing page + depguard boundary rule (#810)
- remove multipart DEK backfill worker (#766) (#767)
- perf envelope tooling + cache-flush admin API (#367) (#765)
[0.46.20] - 2026-05-10
Fixed
- fix(proxy,release): cache streaming admission + cosign bundle filename (#761)
[0.46.19] - 2026-05-10
Added
- add package-level doc comments to every Go package (#697)
- add FailableBackend, sentinel config errors, and edge-case integration scenarios (#591)
Fixed
- fix(release): switch cosign signing to –bundle (#756) (#757)
- fix(postgres): keep backend_quotas.bytes_used in step with encrypt/decrypt rewrites (#742) (#743)
- fix(breaker): clean Open->Closed recovery via new Recover() method (#739) (#741)
- fix(auth): SigV4 verifier honours wire-form path encoding (#737) (#738)
- fix(s3api): scope multipart endpoints to URL bucket to close cross-bucket IDOR (#735) (#736)
- fix(cleanup): per-row claim pattern eliminates double-processing race (#733) (#734)
- fix(ui/logs): stringify error attrs in ring buffer + click-to-expand rows (#720)
- fix(proxy/multipart): per-uploadID advisory lock + cleanup on failure (#715)
- fix(store): apply backend_quotas deltas in stable order to prevent deadlock (#687) (#688)
- fix(replicator): consistent size between row and quota; pass actual source size (#652) (#686)
- fix(proxy): single-tx batch DeleteObjects (#677)
- fix(rebalancer): batch backend lookup per source instead of per object (#675)
- fix(proxy): advance ListObjects continuation token past emitted CommonPrefix (#672)
- fix(proxy): release per-call timeout on broadcast-read winner (#671)
- fix(test): TestCircuitBreaker_DegradedDurationIsPositive flake (#670)
- fix(test): TestCircuitBreaker_DegradedDurationIsPositive flake
- fix(store/sqlite): clear S2077 hotspots via json_each IN expansion (#644)
- fix(proxy): paginate ReconcileBackend with bounded-memory sorted-merge (closes #614) (#642)
- fix(ui): use String.replaceAll() to trim slashes in upload path (#638)
- fix(ui): make cookie Secure flag follow trusted-proxy X-Forwarded-Proto (#635)
- fix(docs): use
for Mermaid line breaks in diagrams (#625) - fix(test): serialize TransitionLogs_HalfOpenToClosed to prevent captureLogs race (#603)
Hardened
- security: validate streaming SigV4 chunk signatures end-to-end (#730)
Refactored
- refactor(proxy): cleanup-DELETE accounting + read-path location plumbing (#758) (#759)
- refactor(di): drop redundant adapters, bag structs, side-effect registration (#753)
- refactor(store): collapse narrow store-role interfaces (#747) (#751)
- refactor(store): move CB into driver-level DBTX wrapper, delete decorator layer (#750)
- refactor(test): consolidate three handwritten mockStore implementations onto mockgen (#749)
- refactor(observability): standardize structured logging conventions (#718)
- refactor(lifecycle): rename Service/Stoppable to Runner/Stopper (#710)
- refactor(integration): drop S3776 cognitive complexity in test fixtures (#699)
- refactor(proxy): lift workers out of BackendManager (#676 B) (#685)
- refactor(proxy): slim backendCore (#676 C) (#684)
- refactor(proxy): extract metrics, drain, dashboard subpackages (676D partial) (#682)
- refactor(store): drop alias layer + split AdminStore into narrow roles (#681)
- refactor(store): drop postgres re-exports (676A) (#680)
- refactor(store): extract engine-agnostic core, thin per-engine adapters (#674)
- refactor(breaker, telemetry): decouple breaker from observability; split metrics (#640)
- refactor(store): collapse 11-case toObjectLocation switch via accessors (#639)
- refactor(transport): handlers depend on narrow Deps, not *BackendManager (closes #613) (#636)
- refactor(s3api): extract enforceContentLength helper (closes #632) (#633)
- refactor(cmd): thin cmd/ via internal/cli + breaker.Registry; atomic SIGHUP (#630)
- refactor(observe): collapse span+metrics+status boilerplate (#621)
- refactor(store): retire MetadataStore union, narrow roles everywhere (#617)
- decompose MetadataStore into narrow per-worker store interfaces (#566) (#579)
Improved
- replace do.MustInvoke with explicit error handling in DI resolution (#564) (#589)
- update CHANGELOG.md for v0.40.1 (#563)
Dependencies
- chore(deps): bump the actions group with 2 updates (#726)
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#727)
- chore(deps): bump github.com/redis/go-redis/v9 (#668)
- chore(deps): bump the aws-sdk group with 3 updates (#667)
- chore(deps): bump SonarSource/sonarqube-scan-action in the actions group (#666)
- chore(deps): bump the minor-and-patch group across 1 directory with 3 updates (#624)
- chore(deps): bump the aws-sdk group with 3 updates (#619)
- chore(deps): bump the actions group with 4 updates (#618)
- chore(deps): bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 (#596)
- chore(deps): bump the minor-and-patch group across 1 directory with 2 updates (#576)
- chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#573)
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#572)
Other
- FIX: new benchmark and tweaks to nomad resources to use less cpu since performance improved greatly on cpu
- cross-cutting cleanup (#754) (#755)
- delete verified-dead helpers and methods (#748)
- bug: encryption stream readers no longer translate IO errors to EOF (#732)
- docs(errors): include path/host/byte-position in error messages (#728)
- tactical helpers across postgres, config, worker (#725)
- tactical helpers across postgres, config, worker (#724)
- If-None-Match: * conditional writes; document last-writer-wins (#723)
- reaper: skip backends with open circuit; drop vault token perms warning (#722)
- share upload-level DEK + legacy backfill worker (#716)
- extract two duplicated blocks flagged by SonarCloud (#712)
- run SonarQube on non-Go PRs and replace remaining rgba bgs (#706)
- style(ui): raise UI text contrast to WCAG AA (#705)
- docs(ui): suppress go:S2092 false positives on Secure cookie flag (#703)
- pin sqlc and govulncheck via go.mod tool directive (#701)
- drop S3776 cognitive complexity violations across the repo (#692)
- graduate exhausted retries to cleanup_dlq for operator visibility (#689)
- added new benchmark
- tidy proxy test helpers and split worker ops contracts (#676 E+G+H) (#683)
- SigV4 timing equalization + reconciler stale-row sweep (#673)
- Revert “fix(test): TestCircuitBreaker_DegradedDurationIsPositive flake”
- PUT-before-COMMIT pending-row pattern with timestamp-aware reaper (#665)
- write-path cleanup timeouts, accounting symmetry, batch error (#656)
- clarity and code-reduction sweep from architecture review (#648)
- replication-aware dashboard, multi-backend file rows, admin actions (#646)
- test(di): cover audit callback, sqlite concrete store, postgres branch, watchdog backend loop (#629)
- dedupe row-mapping, encrypt-result assembly, sigv4, admin CLI (#623)
- latest benchmark
- log+observe silent errors in counter/notify; normalize log casing (#595)
- perf(test): make lifecycle backoff injectable; expand admin/ui handler coverage (#594)
- parallelize top-level tests in ui, store, breaker (#592)
- centralize magic timeouts and quiet test flakiness (#569, refs #522) (#590)
- address SonarQube findings #582-586 (#588)
- extract string constants and encryption helpers, add SonarQube (#580, #581) (#587)
- rebalancer skips moves where target already has a copy (#577) (#578)
- split store.go (1625 lines) into domain-focused files (#565) (#575)
[0.40.1] - 2026-04-16
Added
- add on-demand reconciliation admin endpoint (#557) (#562)
Improved
- update CHANGELOG.md for v0.39.21 (#555)
Other
- per-backend max_object_size to skip oversized writes (#560) (#561)
- pending gauges decrement per task for live progress (#558) (#559)
[0.39.21] - 2026-04-15
Improved
- update CHANGELOG.md for v0.39.19 (#552)
Other
- exclude failed targets from replication target selection (#553) (#554)
[0.39.19] - 2026-04-13
Improved
- update CHANGELOG.md for v0.39.18 (#550)
Dependencies
- chore(deps): bump the minor-and-patch group with 7 updates (#544)
Other
- adapt Port API for moby/moby v1.54 and update otel dependencies (#551)
[0.39.18] - 2026-04-12
Dependencies
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#542)
- chore(deps): bump the otel group with 4 updates (#543)
Other
- fail startup when encryption is enabled but encryptor init fails (#548) (#549)
[0.39.16] - 2026-04-11
Added
- add g3 backend to free-tier guide, enlarge admin UI logo (#537) (#538)
- add new benchmark test results
Improved
- update CHANGELOG.md for v0.38.2 (#504)
Dependencies
- chore(deps): bump actions/github-script from 8 to 9 in the actions group (#541)
- chore(deps): bump the aws-sdk group with 2 updates (#528)
- chore(deps): bump actions/upload-artifact in the actions group (#527)
- chore(deps): bump github.com/aws/smithy-go in the minor-and-patch group (#529)
- chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#530)
Other
- run rebalance and cleanup async to prevent client-side cancellation (#546) (#547)
- pin mermaid CDN to 11.8.0 to restore diagram tooltips (#545)
- Replicator cleans up stale metadata on source 404 (#539)
- 404 responses should not trip backend circuit breakers (#535) (#536)
- Replication target selection respects configured routing strategy (#534)
- fuzz-found false positive in presigned canonical request assertion (#523) (#526)
- testing: add 13 integration tests for edge cases and missing scenarios (#522) (#525)
- testing: add t.Parallel() to proxy, breaker, notify, audit, lifecycle (#522) (#524)
- Redis counter recovery lost-update race (#507) (#521)
- enhancement: enable gosec/errcheck/bodyclose/noctx linters, add t.Parallel() (#513) (#520)
- robustness improvements — overflow, starvation, stale probes, blocking (#514) (#519)
- extract testable run(), fix stale paths, add benchmarks and fuzz tests (#515)
- extract testable run() from monolithic runServe(), update dev environment (#515) (#518)
- panic recovery in pipe goroutines, worker ordering fixes (#508, #509) (#517)
- concurrency and robustness fixes (#506, #510, #511, #512) (#516)
- embedded SQLite backend, init CLI, zero-dependency deployments (#505)
[0.38.2] - 2026-03-30
Hardened
- security hardening — Redis counter race, tree API auth, SigV4 edge cases (#488) (#491)
Improved
- update CHANGELOG.md for v0.37.2 (#486)
Other
- strip whitespace from SigV4 header names, add fuzz-import tooling (#498) (#503)
- close onboarding gaps for replication with encryption (#501) (#502)
- fuzz-found bugs in SigV4 canonical request and encryption header parsing (#495, #496) (#497)
- cosign signing, Vault DEK caching on failover, CI improvements (#381, #425) (#494)
- shutdown correctness, worker observability, and operational robustness (#490) (#493)
- config validation gaps that defer errors to runtime (#489) (#492)
- deduplicate Grafana dashboard panels on redeploy (#485) (#487)
[0.37.2] - 2026-03-29
Improved
- update CHANGELOG.md for v0.37.1 (#484)
[0.37.1] - 2026-03-29
Fixed
- fixup: bump version
Improved
- update CHANGELOG.md for v0.37.0 (#483)
[0.37.0] - 2026-03-29
Added
- add timeouts, release preflight integration tests, Dependabot grouping, linters, SBOM (#456) (#478)
- add edge case coverage for lifecycle, config, auth cache, admission (#450) (#477)
Fixed
- fix!: require session_secret when UI is enabled, remove admin_secret fallback (#442) (#476)
- fixup: add new benchmark file
Improved
- update CHANGELOG.md for v0.33.0 (#473)
Dependencies
- chore(deps): bump aquasecurity/trivy-action (#470)
Other
- web Dockerfile build context blocked by root .dockerignore
- event notifications, DI refactor, package restructuring (#360) (#481)
- configurable multipart timeout, capacity warning, production docs (#480)
- added latest bench test
- cache read error, download Content-Type, unknown keyID, range clamp (#439, #440, #441, #444) (#475)
- testing: improve fuzz targets and benchmark coverage (#472) (#474)
[0.33.0] - 2026-03-28
Added
- add missing indexes, replace random() scrubber query, harden lifecycle (#435, #451, #453) (#463)
- add generic AtomicConfig[T] and TTLCache[K,V] to eliminate boilerplate (#457) (#459)
- add presigned URL support (#353) (#418)
- add read burst loadtest, cache Grafana panels, fix loadtest build (#417)
- add optional in-memory object data cache (#403) (#416)
- add decrypt-existing admin API, migrate integration tests to testcontainers (#408) (#409)
Fixed
- fixup: adding benchmarks
- fix lint exclusion path, add concurrency cancel, harden supply chain (#454, #455) (#469)
- fix min_conns default, document new features, update metrics table (#466, #467) (#468)
- fixup: fix website badge
Hardened
- security: fix signing key cache DoS, CSRF entropy, error enumeration, timer leak (#419, #431, #432, #445) (#464)
- security: verify vault token file permissions before reading (#428) (#461)
Improved
- update CHANGELOG.md for v0.20.3 (#407)
Dependencies
- chore(deps): bump codecov/codecov-action from 5 to 6 (#410)
- chore(deps): bump github.com/aws/aws-sdk-go-v2/credentials (#411)
- chore(deps): bump github.com/jackc/pgx/v5 from 5.8.0 to 5.9.1 (#412)
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.4 to 1.41.5 (#413)
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#414)
- chore(deps): bump github.com/hashicorp/vault/api from 1.22.0 to 1.23.0 (#415)
Other
- reject encrypted reads during DB outage, fix vault renewal mutex (#429, #433) (#465)
- metrics shutdown, circuit breaker stale probe, load shedding threshold (#420, #424, #437) (#462)
- extract selectWriteTarget, add typed RoutingStrategy, rename shadowed vars (#452, #458) (#460)
[0.20.3] - 2026-03-23
Added
- add Helm chart, replace raw Kubernetes manifests (#382) (#406)
- add compatibility matrix and upgrade checklist (#379) (#397)
- add Getting Started section to README (#374) (#394)
- add rebalance pending gauge and encryption unknown-keyID counter (#316) (#327)
- add goleak goroutine leak detection and fix flaky timing tests (#315) (#324)
- add unit tests for chunk encryption, location cache, aggregator, and cleanup queue (#312) (#323)
Fixed
- fixup: force new version of logo everywhere with version tag
- fixup: bust cache on logo so cloudflare doesn’t serve the old one, update image push tasks in makefile
Hardened
- security: limit active multipart uploads per bucket (#369) (#402)
- security: add two-phase confirmation for remove-backend –purge (#368) (#401)
- security: add CSRF token protection for UI state-changing operations (#371) (#399)
- security: document nonce derivation safety invariant (#372) (#396)
- security: separate metrics listener and strip instance ID from health (#370) (#395)
Improved
- Update README.md (#400)
- update documentation for v0.19.x changes (#328)
- update CHANGELOG.md for v0.19.1 (#307)
Documentation
- document docker-compose volume cleanup and add troubleshooting (#375) (#393)
- document database connection pool sizing for production (#351) (#391)
Other
- logging tweak and version bump
- object integrity verification with SHA-256 content hashing (#404)
- enhancement: add schema version validation at startup, update logo (#387) (#398)
- report missing part numbers in CompleteMultipartUpload error (#384) (#390)
- recommend trace sample rate for production deployments (#355) (#389)
- warn when replication.factor=1 with multiple backends (#348) (#388)
- added new benchmark test after a number of changes
- perf: pipeline Redis Expire calls with INCRBY operations (#336) (#347)
- perf: use string slicing instead of TrimPrefix in list responses (#338) (#346)
- perf: use map lookup for encrypted object locations in GetObject and HeadObject (#337) (#345)
- perf: replace fmt.Sprintf with string concat for multipart part keys (#335) (#344)
- perf: parse SigV4 auth header once and reduce encoding allocations (#333, #334) (#343)
- perf: combine backend filtering into single pass on write path (#332) (#342)
- perf: fetch quota stats once per replication cycle (#341)
- perf: reuse chunk buffers and nonce in encrypt/decrypt readers (#340)
- cleanup: remove unused InFallbackMode export, cancel pipe on PutObject failure (#318) (#329)
- validate encryption chunk size, master_key_file, and workerpool concurrency at startup (#314) (#326)
- filter multipart uploads by backend in drain, fix UI JSON content-type (#325)
- cancel losing goroutine contexts in parallel broadcast read (#322)
- make Close() idempotent on RedisCounterBackend, RateLimiter, and LoginThrottle (#310) (#321)
- remove implicit stripPort from LoginThrottle, require caller-resolved IPs (#309) (#320)
- close timing side-channels in UI login and admin token auth (#308) (#319)
[0.19.1] - 2026-03-20
Improved
- updates to meet style guide
- update CHANGELOG.md for v0.19.0 (#306)
[0.19.0] - 2026-03-20
Improved
- update CHANGELOG.md for v0.18.3 (#296)
Dependencies
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#297)
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.3 to 1.41.4 (#298)
- chore(deps): bump github.com/aws/aws-sdk-go-v2/credentials (#299)
Other
- restructure storage/ into breaker/, backend/, store/, counter/, proxy/, worker/ (#304) (#305)
- invert audit→telemetry dependency and narrow MetadataStore interfaces (#301) (#303)
- split config validation into domain files and extract server middleware (#300) (#302)
[0.18.3] - 2026-03-20
Added
- add orphan reconciler and update documentation for v0.18.x changes (#289) (#295)
- add replication internals guide and fix encryption claims in architecture diagram (#284)
- Add container tuning, GOMEMLIMIT, and default max_concurrent_requests (#255) (#282)
Fixed
- fix multi-instance usage accounting and shared admission control (#289) (#294)
- fix log-trace correlation, add span kinds, rename s3proxy telemetry namespace (#286) (#288)
Hardened
- security: add Vault token renewal, fix SigV4 timing leak, warn on cert/key expiry (#290) (#292)
Improved
- update CHANGELOG.md for v0.17.9 (#274)
Dependencies
- chore(deps): bump google.golang.org/grpc (#287)
- chore(deps): bump golang.org/x/time from 0.14.0 to 0.15.0 (#279)
- chore(deps): bump golangci/golangci-lint-action from 7 to 9 (#275)
- chore(deps): bump dorny/paths-filter from 3 to 4 (#276)
- chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#277)
- chore(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.42.0 (#278)
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#280)
- chore(deps): bump golang.org/x/crypto from 0.48.0 to 0.49.0 (#281)
Other
- resilience: fix timeout cascading, bound connection pools, add jitter, reorder readiness (#291) (#293)
- have sitemap setup (#285)
[0.17.9] - 2026-03-13
Added
- Add interactive Mermaid.js architecture and flow diagrams to documentation site (#273)
Improved
- update CHANGELOG.md for v0.17.8 (#272)
[0.17.8] - 2026-03-12
Fixed
- Fix circuit breaker deadlock when all backends trip simultaneously (#271)
Improved
- update CHANGELOG.md for v0.17.5 (#264)
Dependencies
- chore(deps): bump golang.org/x/net (#267)
Other
- Reduce per-request CPU and allocation overhead in hot path (#269)
[0.17.5] - 2026-03-12
Added
- Add over-replication detection and cleanup with integration tests (#260) (#263)
- Add burst resilience: Retry-After, early rejection, split admission, load shedding, admission wait (#262)
Fixed
- Fix: updated nomad/kubernetes demos to protect the nomad and kubectl commands to protect if the user has en environment already pointing at real clusters
- Fix: accidentally committed benchmark test results
- Fix: pre-allocate headerlines slice (#259)
Improved
- update CHANGELOG.md for v0.17.01 (#256)
Other
- adding documentation for previous graceful degradation branch
- Tune HTTP transport, DNS resolution, and buffer pooling for backend clients (#254) (#261)
[0.17.01] - 2026-03-10
Added
- Add generic worker pool and parallelize sequential hot paths (#253)
Improved
- update CHANGELOG.md for v0.17.00 (#252)
[0.17.00] - 2026-03-10
Added
- Add orphan_bytes tracking to prevent quota drift on failed deletes (#250)
Improved
- update CHANGELOG.md for v0.16.25 (#248)
[0.16.25] - 2026-03-10
Added
- Add Tempo, Loki, and Alloy integration for Nomad and Kubernetes demos (#247)
Fixed
- Fix - expand free tier page with images and more detailed content
Improved
- update CHANGELOG.md for v0.16.23 (#245)
[0.16.23] - 2026-03-09
Fixed
- Fix: The PAT fix ensures CI triggers on the bot’s PR. The CODEOWNERS exemption prevents the review request from cluttering it. Together, the release flow should be: tag push → GoReleaser → changelog PR created → CI runs → checks pass → (#244)
[0.16.22] - 2026-03-09
Added
- Add trace-to-log correlation via slog TraceHandler (#242)
[0.16.21] - 2026-03-09
Other
- Test: bumping version to test release functionality
[0.16.20] - 2026-03-09
Fixed
- Fix: let release pipeline create a PR at the end and auto-merge it to have the changelog update (#238)
[0.16.19] - 2026-03-09
Fixed
- Fix: re-order pre-changelog, goreleaser, and git-cliff (#237)
[0.16.18] - 2026-03-09
Fixed
- Fix: the changelog step was breaking goreleaser on ‘make release’ (#236)
[0.16.17] - 2026-03-09
Other
- write failover for PutObject across eligible backends (#234)
[0.16.15] - 2026-03-09
Added
- add strip_sdk_headers option for GCS S3 compatibility (#229)
- add per-backend disable_checksum option for GCS compatibility (#225)
- Add DB query tracing, background worker spans, audit logging gaps, and Grafana dashboard coverage (#222)
- Add git-cliff changelog generation with commit categorization (#219)
Fixed
- Fix: when a backend is unhealthy, routing still needs to allow half-open through so probes can heal the backend (#227)
Hardened
- Harden defaults: increase DB pool size and add location cache TTL jitter (#215)
Documentation
- documentation update I forgot
Other
- exclude circuit-broken backends from write routing (#226)
[0.16.4] - 2026-03-08
Added
- Add file download to admin web UI dashboard (#195)
- add website to readme (#193)
Fixed
- Fix cfg data race in SIGHUP handler by wrapping with atomic.Pointer[config.Config] (#210)
- Fix ListObjectsV2 pagination bug — when the store returned exactly maxKeys objects with more data available, the manager never set IsTruncated=true, so clients like aws s3 cp –recursive stopped after the first 1000 keys. Added (#200)
- Fix ListObjectsV2 pagination dropping results after exactly maxKeys entries (#198)
- forgot to add log message to new admin ui download functionality (#196)
Hardened
- Security hardening and error handling consistency (#209)
Refactored
- Decompose BackendManager into focused component structs (#208)
- Refactoring release that reduces code duplication without changing behavior. Admin API handlers now use Go 1.22+ method routing instead of manual method checks. A streamCopy helper consolidates the repeated (#204)
Improved
- Expand fuzz testing with new targets, fix CI flakiness, and add file headers (#213)
Other
- Addbenchmarksuiteforhot-pathoperationsandbenchmarkingdocs (#211)
- if replication factor is 1 (no replication) it should short-circuit before Replicate() is called since it will just find no available targets and log an error. Closes #191 (#192)
[0.14.4] - 2026-03-06
Added
- Add optional server-side Redis shared counters for multi-instance usage tracking (#170) (#186)
- add readme to available documentation on hugo website (#183) (#185)
- add readme to available documentation on hugo website (#183)
- Add health-aware replication: replace copies on circuit-broken backends (#171) (#172)
Improved
- Update lint in ci to be faster (#190)
- update alpine version (#188)
Dependencies
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#181)
- chore(deps): bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 (#180)
- chore(deps): bump go.opentelemetry.io/otel/trace from 1.40.0 to 1.41.0 (#179)
- chore(deps): bump github.com/aws/smithy-go from 1.24.1 to 1.24.2 (#178)
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.41.2 to 1.41.3 (#177)
- chore(deps): bump docker/setup-buildx-action from 3 to 4 (#173)
- chore(deps): bump actions/github-script from 7 to 8 (#174)
- chore(deps): bump docker/build-push-action from 6 to 7 (#175)
- chore(deps): bump docker/login-action from 3 to 4 (#176)
Other
- use lint image instead of installing it from scratch every time which takes forever (#189)
- always pull latest version of docker iamges (#187)
- Triggers on push to main (same as the app image) (#182)
[0.13.0] - 2026-03-05
Added
- Add project website, fix usage tracking gaps, and add Vault Transit TLS support (#168) (#169)
- Add optional server-side encryption with envelope encryption and chun… (#167)
- Add per-backend circuit breakers, drain fixes, and production hardening (#161) (#162)
- Add metadata passthrough, govulncheck CI, and production hardening (#159) (#160)
Hardened
- Harden auth, add request body limits, and fix dashboard CB panel (#164) (#165)
- Harden dashboard JS against XSS and add log pagination (#155) (#157)
- Harden auth and sanitize API error messages (#156)
Documentation
- documentation tweaks
Other
- README.md update on double encryption
[0.11.2] - 2026-03-03
Added
- Add GitHub community files and repo configuration for open-source readiness (#153)
- Add folder delete from web UI with batch prefix deletion (#151)
- Add Prometheus and Grafana to local demo scripts (#148) (#149)
- Add backend drain and remove operations (#146) (#147)
- Add in-memory log ring buffer with dashboard UI (#143)
- Add server-level admission control for concurrent request limiting (#141)
Refactored
- Refactor internal code for clarity and reduced duplication (#145)
Other
- if go or sqlc code changes and the version hasn’t been bumped reject the PR
[0.8.28] - 2026-03-02
Added
- Add explicit permissions to CI workflow jobs (#136) (#139)
- Add benchmarks, fuzz tests, and e2e tests (#126) (#134)
- add contributing, DR, security, performance, API, and migration guides (#124) (#132)
Fixed
- Fix unsafe integer conversion in RecordPart (#135) (#137)
Other
- support bcrypt-hashed admin_secret and deterministic session keys (#133)
[0.8.23] - 2026-03-02
Added
- add admin CLI, runtime log level control, and fix Trivy CI (#123) (#131)
- add –mode flag for api/worker/all instance roles (#121) (#129) (#130)
- add –mode flag for api/worker/all instance roles (#121) (#129)
- add readiness probe, JSON health responses, and pre-stop drain (#120) (#128)
- Add configurable HTTP server timeouts and ReadHeaderTimeout (#127)
- add LIKE ESCAPE clause and quota guard to SQL queries (#109)
Fixed
- Fix code correctness bugs in SQL, auth, XML responses, and concurrency (#114)
- prevent cleanupBackoff overflow on large attempt values (#112)
Hardened
- Harden security for error messages, config validation, and map access (#115)
- harden SigV4 and token authentication (#107)
Improved
- Improve packaging, deployment, and build consolidation (#117)
- Improve CI/CD pipeline with sqlc verification, release gates, and scanning (#116)
- replace destructive down migration with no-op (#113)
Other
- code cleanup and consistency improvements (#81, #84, #87, #93, #94, #96, #97, #101, #102) (#118)
- use detached context for advisory lock unlock (#111)
- enforce MaxObjectSize on multipart uploads and fix ListObjects pagination (#110)
- correct usage tracking for multipart and failed operations (#108)
- defer read context cancellation until body is consumed (#106)
- validate client-supplied X-Request-Id to prevent log injection (#105)
- Clarify storage backend quota enforcement details
[0.8.6] - 2026-03-01
Other
- a few integration test additions
[0.8.5] - 2026-03-01
Added
- Add ListObjectsV1 and ListMultipartUploads endpoints (#60)
- add HeadBucket, GetBucketLocation, and ListBuckets stubs (#50) (#59)
- add Nomad and Kubernetes deployment examples with local demo scripts (#58)
- add structured circuit breaker transition logging (#57)
- add table of contents to README.md
- add validate and version subcommands, improve developer quickstart (#56)
Other
- adopt goose for versioned database migrations (#61)
[0.8.0] - 2026-02-28
Added
- add dashboard auth, file management, rebalance and sync to web UI (#49)
- add comprehensive Grafana dashboard covering all emitted metrics (#48)
- add screenshot of dashboard to readme
[0.7.2] - 2026-02-28
Improved
- updates to local image pushing to be faster, dockerfile/build tweaks,… (#47)
- update tests for better coverage (#43)
- updated version to be set in .version and docs to use x.x.x
Dependencies
- chore(deps): bump actions/checkout from 4 to 6 (#32)
- chore(deps): bump goreleaser/goreleaser-action from 6 to 7 (#33)
- chore(deps): bump actions/setup-go from 5 to 6 (#34)
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#36)
- chore(deps): bump go.opentelemetry.io/otel/sdk from 1.32.0 to 1.40.0 (#38)
- chore(deps): bump github.com/aws/aws-sdk-go-v2 from 1.32.7 to 1.41.2 (#35)
- chore(deps): bump go.opentelemetry.io/otel/trace from 1.32.0 to 1.40.0 (#39)
- chore(deps): bump go.opentelemetry.io/otel from 1.32.0 to 1.40.0
Other
- push docker image to ghcr on merge to main (#45)
[0.7.0] - 2026-02-27
Other
- make documents compatible with the style guide and all go code godoc compliant
[0.6.4] - 2026-02-27
Added
- add token usage for codecov
- add GoReleaser releases, Codecov, Dependabot, and CI badges
- add lifecycle rules for automatic object expiration
- add advisory locks and adaptive usage flushing for multi-instance safety
- add S3 DeleteObjects batch API
- add persistent retry queue for failed backend cleanup deletions
- add TLS/mTLS support with certificate hot-reload
- add Debian packaging with nfpm and systemd service
- add Debian packaging with nfpm and systemd service
- add structured audit logging with request ID tracing
- add service lifecycle manager with panic recovery and auto-restart
- add storage summary section to dashboard, bump to v0.5.1
- add lazy-loaded directory tree, tests, and v0.5.0 docs
- add SIGHUP config hot-reload with tests and documentation
- add spread routing tests, update docs, fix godoc compliance
- add spread write routing strategy and dashboard favicon
- add web UI documentation, fix OTel service name
- add object listing to dashboard and fix table alignment
- add operator/admin guide for deploying and operating the orchestrator
- add per-backend monthly usage limit enforcement
- add per-backend API request and data transfer tracking
- add GitHub Actions workflow and linter config
- add auth, sync pipeline, and store-level integration tests
- add comprehensive unit tests for manager business logic and fix integration tests
- add database circuit breaker with self-healing degraded mode
Hardened
- harden security, correctness, and observability for v0.5.2
Refactored
- rename s3-proxy to s3-orchestrator
- rename Go module to github.com/afreidah/s3-proxy
Improved
- replace NewBackendManager positional params with config struct
- replace goto with structured control flow in ListObjects
- update README and config example to reflect current features
Documentation
- document usage limits, new metrics, and usage_deltas table
Other
- optional parallel broadcast reads in degraded mode
- parallel rebalance move execution
- updating docs for .deb packaging info
- extract concerns from BackendManager and harden circuit breaker
- disable unsigned payload over plain HTTP, use Swap middleware
- stream uploads with unsigned payload, skip full-body buffering
- reduce circuit breaker boilerplate with generic helpers, fix hugeParam lint
- interactive collapsible object tree in dashboard
- cache-bust CSS, fix double-v version, simplify table layout
- table alignment with fixed layout and explicit column widths
- check json.Encode error return to satisfy errcheck lint
- built-in web UI dashboard for operational visibility
- production hardening across 6 areas
- multi-bucket support with per-bucket SigV4 credentials
- use golangci-lint v2 via go run to match config format
- validate quota and replication combinations to prevent nonsensical configs
- make quota_bytes optional — 0 or omitted means unlimited
- highlight multi-cloud replication in project description
- remove munchbox-specific references, improve project description
- remove munchbox-specific references, improve project description
- GetObject result struct, fix goroutine leaks, add cache eviction and race detector
- multipart quota reservation, ListObjects delimiter pagination, backend timeouts
- correct 4 error handling bugs in manager and multipart handlers
- circuit breaker returns ErrDBUnavailable on probe failure, fix all errcheck lint
- split manager, add structured S3 errors, unify handler routing
- production-harden s3-proxy with security, correctness, and code quality improvements
- reorganize s3-proxy into cmd + internal package structure