Skip to main content

Release Notes — v0.1.1

Release type: stabilisation release on the v0.1.x line.

This release consolidates the v0.1.x stabilisation series on top of v0.1.0. It adds a bootstrap facade, the third action kind (Action::update, partial PATCH), the first end-to-end metadata-driven form path through the React renderer, and a high-severity persistence fix. Two intentional breaking changes correct behaviour the v0.1.0 contract never promised.

Summary

  • New bootstrap surfaceAusus\Application + Ausus\ApplicationConfig collapse manual Invoker wiring into a four-call lifecycle, with a one-call PSR-7 entry point via Application::http().
  • Action::update(...) — partial-PATCH action kind defined by ADR-0002. Compile-time validation refuses system fields, unknown fields, and the workflow state field.
  • Explicit workflow declarationEntityBuilder::workflow(field:, initial:); the implicit inference becomes a deprecated fallback emitting E_USER_DEPRECATED.
  • FieldBuilder::label(...) — explicit renderer-friendly labels.
  • Repository::findAll() — kernel contract addition; the projection renderer no longer reaches into the SQLite driver's private PDO via reflection.
  • Renderer form pathActionDescriptor.inputs[] always emitted; ActionDescriptor.initialValues populated on update-action descriptors. Eight pure form helpers exported and marked @public stable.
  • Critical bug fix — nullable-column serialisation corruption (null → "null" string on disk) fixed; regression-guarded by 30 assertions in CI step 4h.
  • apps/issue-tracker — production-style sample app with 3 entities, 2 workflows, 12 actions (incl. update actions). Wired into CI as step 4g.
  • API stability sweep@internal PHPDoc on every package-private symbol forced to public by PHP; ActionNode::$effectClass carries a public-contract docblock; reserved-fields table on the ViewSchema reference; explicit "API stability" section on the React renderer.
  • Versioning policy publisheddocs/VERSIONING.md formalises semver, additive-only ViewSchema, deprecation channel per language, package version alignment.

Breaking changes

Both apply only to consumers running against the HTTP Router; CLI / Application::invoke() paths are unaffected.

1. Router::resolveActor() is fail-closed

A missing or empty X-Actor-Roles header now yields a roleless actor; every action declaring requireRole(...) returns 403 PolicyDenied. The previous behaviour substituted a HelloInvoice-specific role set — that fallback is gone.

Migration. An authenticated gateway must set X-Actor-Roles from the verified session. See Operations · Authenticated gateway.

2. ErrorMapper returns the documented HTTP status

Kernel exceptions that previously fell through silently to 500 InternalError now map to their documented codes:

Exceptionv0.1.0 statusv0.1.1 status
PolicyDenied500403
WorkflowGuardDenied500403
NotFound500404
UnknownAction500404
WorkflowSubjectNotFound500404
PolicySubjectRequired, ActorRequired, TenantContextRequired500400
EffectFailed, AuditEmissionFailed500500 (unchanged)

Migration. Clients that read response.body.error.kind and ignored the HTTP status are unaffected. Clients that branched on 500 for non-server-error conditions must switch to the documented codes — see HTTP routes reference.

Compatibility matrix

LayerToolMinimumTested with
Runtime (PHP)php8.38.4.18
Runtime (PHP)ext-pdo, ext-pdo_sqlitebundledbundled
Tooling (PHP)composer2.02.9.5
Runtime (JS)node1822.x
Runtime (JS)react, react-dom^18 || ^1918.3.1
Tooling (JS)npm810.x
Tooling (JS)typescript (dev)5.45.x

Wire-format compatibility per docs/VERSIONING.md: ViewSchema schemaVersion 1.0.0 and targetProfile react.web.v1 are unchanged. Additive-only inside the 1.x.y line. Reserved-field forward shapes catalogued in ViewSchema.

Known limitations

Unchanged from v0.1.0 (no new limitations introduced; four were flipped to FIXED during stabilisation — see apps/issue-tracker/FRAMEWORK-FINDINGS.md):

Areav0.1.1 state
Reserved packagestenancy-row, audit-database, auth-bridge, presentation-default ship no code
Persistencevalidated on SQLite only; MySQL/PostgreSQL designed-for, not validated
Runtimesingle-process, single-tenant, single-actor per Invoker; no distributed runtime
Authenticationnone — StubActor only; an authenticated gateway is expected
Rendererno built-in router, theme tokens, optimistic UI, or CSS file
Projectionsno filtering, sorting, or real pagination
Validationfield unique/max recorded in the graph but not enforced at runtime
Supply chainnpm provenance, GPG-signed tags, and SBOM are deferred to v0.2.0

Reproducibility

GateResult
composer validate — 11 manifests (root + 10 packages)pass
bash scripts/ci.shpass — ends [ci] DONE — all 10 steps passed, 350 assertions
php apps/playground/run.phppass — 36/36 assertions
php apps/issue-tracker/tests/smoke.phppass — 37/37 assertions
npm run build && npm run tracepass — 32/32 render assertions
Docusaurus EN + FR build[SUCCESS]

Migration from v0.1.0

For CLI / Application::invoke() consumers, this is a drop-in update.

For HTTP consumers:

  1. Send X-Actor-Roles explicitly. A missing header now returns 403; the implicit invoice.* fallback is gone.
  2. Read error.kind in response bodies; per-exception HTTP status codes are now accurate. A client that ignored anything except 200 / 500 continues to work.

Both code paths are exercised by CI step 4f and step 10.

Looking ahead — v0.2.0

Items deferred from v0.1.1 (not commitments, but the documented direction; full backlog in apps/issue-tracker/FRAMEWORK-FINDINGS.md):

  • Foreign-key contract between entities.
  • Projection filtering and pagination.
  • Renderer reference-card linking from foreign-id columns.
  • Audit-log projection.
  • Implementations for the four reserved packages.
  • MySQL / PostgreSQL persistence drivers.
  • Supply-chain attestation (npm provenance, signed tags, SBOM).

See Planned RFCs for the architectural backlog.