Release Notes — v0.1.1
Release type: stabilisation release on the v0.1.x line.
This release consolidates the v0.1.x stabilisation series on top of v0.1.0.
It adds a bootstrap facade, the third action kind (Action::update,
partial PATCH), the first end-to-end metadata-driven form path through
the React renderer, and a high-severity persistence fix. Two intentional
breaking changes correct behaviour the v0.1.0 contract never promised.
Summary
- New bootstrap surface —
Ausus\Application+Ausus\ApplicationConfigcollapse manualInvokerwiring into a four-call lifecycle, with a one-call PSR-7 entry point viaApplication::http(). Action::update(...)— partial-PATCH action kind defined by ADR-0002. Compile-time validation refuses system fields, unknown fields, and the workflow state field.- Explicit workflow declaration —
EntityBuilder::workflow(field:, initial:); the implicit inference becomes a deprecated fallback emittingE_USER_DEPRECATED. FieldBuilder::label(...)— explicit renderer-friendly labels.Repository::findAll()— kernel contract addition; the projection renderer no longer reaches into the SQLite driver's private PDO via reflection.- Renderer form path —
ActionDescriptor.inputs[]always emitted;ActionDescriptor.initialValuespopulated on update-action descriptors. Eight pure form helpers exported and marked@public stable. - Critical bug fix — nullable-column serialisation corruption
(null →
"null"string on disk) fixed; regression-guarded by 30 assertions in CI step4h. apps/issue-tracker— production-style sample app with 3 entities, 2 workflows, 12 actions (incl. update actions). Wired into CI as step4g.- API stability sweep —
@internalPHPDoc on every package-private symbol forced topublicby PHP;ActionNode::$effectClasscarries a public-contract docblock; reserved-fields table on the ViewSchema reference; explicit "API stability" section on the React renderer. - Versioning policy published —
docs/VERSIONING.mdformalises semver, additive-only ViewSchema, deprecation channel per language, package version alignment.
Breaking changes
Both apply only to consumers running against the HTTP Router; CLI /
Application::invoke() paths are unaffected.
1. Router::resolveActor() is fail-closed
A missing or empty X-Actor-Roles header now yields a roleless actor;
every action declaring requireRole(...) returns 403 PolicyDenied.
The previous behaviour substituted a HelloInvoice-specific role set —
that fallback is gone.
Migration. An authenticated gateway must set X-Actor-Roles from
the verified session. See
Operations · Authenticated gateway.
2. ErrorMapper returns the documented HTTP status
Kernel exceptions that previously fell through silently to
500 InternalError now map to their documented codes:
| Exception | v0.1.0 status | v0.1.1 status |
|---|---|---|
PolicyDenied | 500 | 403 |
WorkflowGuardDenied | 500 | 403 |
NotFound | 500 | 404 |
UnknownAction | 500 | 404 |
WorkflowSubjectNotFound | 500 | 404 |
PolicySubjectRequired, ActorRequired, TenantContextRequired | 500 | 400 |
EffectFailed, AuditEmissionFailed | 500 | 500 (unchanged) |
Migration. Clients that read response.body.error.kind and ignored
the HTTP status are unaffected. Clients that branched on 500 for
non-server-error conditions must switch to the documented codes — see
HTTP routes reference.
Compatibility matrix
| Layer | Tool | Minimum | Tested with |
|---|---|---|---|
| Runtime (PHP) | php | 8.3 | 8.4.18 |
| Runtime (PHP) | ext-pdo, ext-pdo_sqlite | bundled | bundled |
| Tooling (PHP) | composer | 2.0 | 2.9.5 |
| Runtime (JS) | node | 18 | 22.x |
| Runtime (JS) | react, react-dom | ^18 || ^19 | 18.3.1 |
| Tooling (JS) | npm | 8 | 10.x |
| Tooling (JS) | typescript (dev) | 5.4 | 5.x |
Wire-format compatibility per docs/VERSIONING.md: ViewSchema
schemaVersion 1.0.0 and targetProfile react.web.v1 are unchanged.
Additive-only inside the 1.x.y line. Reserved-field forward shapes
catalogued in ViewSchema.
Known limitations
Unchanged from v0.1.0 (no new limitations introduced; four were
flipped to FIXED during stabilisation — see
apps/issue-tracker/FRAMEWORK-FINDINGS.md):
| Area | v0.1.1 state |
|---|---|
| Reserved packages | tenancy-row, audit-database, auth-bridge, presentation-default ship no code |
| Persistence | validated on SQLite only; MySQL/PostgreSQL designed-for, not validated |
| Runtime | single-process, single-tenant, single-actor per Invoker; no distributed runtime |
| Authentication | none — StubActor only; an authenticated gateway is expected |
| Renderer | no built-in router, theme tokens, optimistic UI, or CSS file |
| Projections | no filtering, sorting, or real pagination |
| Validation | field unique/max recorded in the graph but not enforced at runtime |
| Supply chain | npm provenance, GPG-signed tags, and SBOM are deferred to v0.2.0 |
Reproducibility
| Gate | Result |
|---|---|
composer validate — 11 manifests (root + 10 packages) | pass |
bash scripts/ci.sh | pass — ends [ci] DONE — all 10 steps passed, 350 assertions |
php apps/playground/run.php | pass — 36/36 assertions |
php apps/issue-tracker/tests/smoke.php | pass — 37/37 assertions |
npm run build && npm run trace | pass — 32/32 render assertions |
| Docusaurus EN + FR build | [SUCCESS] |
Migration from v0.1.0
For CLI / Application::invoke() consumers, this is a drop-in update.
For HTTP consumers:
- Send
X-Actor-Rolesexplicitly. A missing header now returns403; the implicit invoice.* fallback is gone. - Read
error.kindin response bodies; per-exception HTTP status codes are now accurate. A client that ignored anything except200/500continues to work.
Both code paths are exercised by CI step 4f and step 10.
Links
- Consolidated repository changelog (Keep a Changelog):
CHANGELOG.md - Root release notes (this release):
RELEASE-NOTES-v0.1.1.md - Versioning policy:
docs/VERSIONING.md - Previous release: v0.1.0
Looking ahead — v0.2.0
Items deferred from v0.1.1 (not commitments, but the documented
direction; full backlog in apps/issue-tracker/FRAMEWORK-FINDINGS.md):
- Foreign-key contract between entities.
- Projection filtering and pagination.
- Renderer reference-card linking from foreign-id columns.
- Audit-log projection.
- Implementations for the four reserved packages.
- MySQL / PostgreSQL persistence drivers.
- Supply-chain attestation (npm provenance, signed tags, SBOM).
See Planned RFCs for the architectural backlog.