
Tags: rise-deploy/rise

Tags

v0.23.0-rc4

## Release Notes

Three changes shipped in this release: a configuration improvement for OAuth2, a frontend positioning fix, and a backend upgrade-stability improvement.

---

### New Features

- **Configurable OAuth2 scopes** — Operators can now customize which scopes are requested during login. The default (`openid email profile offline_access`) is unchanged, but providers like Google that don't support `offline_access` can now be configured without patching. See the updated configuration docs for examples.

---

### Bug Fixes

- **Combobox dropdown positioning in modals** — Dropdown menus (e.g. the Owner and Access class fields in the Deploy dialog) were rendering in the wrong position when opened inside a modal. Fixed by always portaling to `document.body`, which avoids the CSS containing-block issue caused by the modal's `backdrop-filter`.

---

### Other Notable Changes

- **Gradual CRD backfill on upgrade** — `RiseProject` CRDs are now stamped with a `rise.dev/version` label. On upgrade, the label change triggers an immediate Metacontroller resync per project without relying on polling intervals. Backfill runs as a background task (HTTP server starts immediately) and is rate-limited via the new `crd_upsert_interval_ms` setting (default: 1000 ms) to avoid API bursts on large installs.
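
The label-stamp-and-pace loop described above, as an added example written for this page (it is not the project's own controller code). `RiseProject` is a std-only stand-in for the CR's `metadata.labels`, the `upsert` callback stands in for the Kubernetes API write, and the three sample projects are constructed; only the `rise.dev/version` label key and the `crd_upsert_interval_ms` pacing come from the notes:

```rust
use std::time::{Duration, Instant};

/// Label key from the release notes; changing its value is what makes
/// Metacontroller resync the project immediately.
pub const VERSION_LABEL: &str = "rise.dev/version";

/// Minimal stand-in for a RiseProject custom resource (assumed shape, not the project's type).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RiseProject {
    pub name: String,
    pub labels: Vec<(String, String)>,
}

impl RiseProject {
    pub fn label(&self, key: &str) -> Option<&str> {
        self.labels.iter().find(|(k, _)| k.as_str() == key).map(|(_, v)| v.as_str())
    }

    pub fn set_label(&mut self, key: &str, value: &str) {
        match self.labels.iter_mut().find(|(k, _)| k.as_str() == key) {
            Some(entry) => entry.1 = value.to_string(),
            None => self.labels.push((key.to_string(), value.to_string())),
        }
    }
}

/// A project already stamped with the running version is skipped: an upsert
/// that changes nothing would not change the label, so it would not trigger a resync.
pub fn needs_backfill(p: &RiseProject, version: &str) -> bool {
    p.label(VERSION_LABEL) != Some(version)
}

/// Walk every project, re-stamp the stale ones, and keep at least `interval`
/// (crd_upsert_interval_ms) between consecutive upserts so a large install does
/// not burst the API server. Returns the names that were upserted, in order.
pub fn backfill(
    projects: &mut [RiseProject],
    version: &str,
    interval: Duration,
    upsert: &mut dyn FnMut(&RiseProject),
) -> Vec<String> {
    let mut done = Vec::new();
    let mut last_upsert: Option<Instant> = None;
    for p in projects.iter_mut() {
        if !needs_backfill(p, version) {
            continue;
        }
        if let Some(t) = last_upsert {
            let elapsed = t.elapsed();
            if elapsed < interval {
                std::thread::sleep(interval - elapsed);
            }
        }
        p.set_label(VERSION_LABEL, version);
        upsert(p);
        last_upsert = Some(Instant::now());
        done.push(p.name.clone());
    }
    done
}

fn main() {
    // Constructed sample: three unlabelled projects.
    let mut projects: Vec<RiseProject> = (1..=3)
        .map(|i| RiseProject { name: format!("project-{i}"), labels: vec![] })
        .collect();
    // Run on a background thread so the (not shown) HTTP server can start immediately.
    let handle = std::thread::spawn(move || {
        backfill(&mut projects, "v0.23.0-rc4", Duration::from_millis(1000), &mut |p: &RiseProject| {
            println!("upserted {}", p.name)
        })
    });
    println!("backfilled: {:?}", handle.join().unwrap());
}
```

The skip-if-current check matters on restart: a backfill that re-stamps every project on every boot would both waste API calls and, if the label value were unchanged, not resync anything anyway.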

v0.23.0-rc3

## Release Notes

Multi-container deployments, quickstart templates, and a helm upgrade fix round out this release.

---

### ⚠️ Breaking Changes

**Multi-container deployment re-roll** — On first reconcile after upgrading, every running deployment's Kubernetes resources are recreated (Deployment renamed `…-app`, Service and ingress backends updated). Each app restarts once. Existing images are reused; nothing is rebuilt. Schedule a maintenance window.

**HTTP health probes disabled by default** — Probes are now opt-in for all containers, including single-container apps. Add an explicit `health_check` block to restore probe behavior.

**`target_platform` removed from registry-credentials response** — The runtime architecture is now available exclusively via the new `/api/v1/platform/capabilities` endpoint.

---

### New Features

**Multi-container deployments** — Define multiple containers in a single deployment via `[containers.<name>]` in `rise.toml`, with HTTP traffic routed across them via a `[routes]` section. Each container gets independent replica scaling. Single-container apps continue to work unchanged.

**Quickstart templates** — A curated catalog of one-click deployable images (Welcome page, Request echo, httpbin, Excalidraw) is now available from the home page and the "New project" dialog. Projects remember their template and surface an **Upgrade** or **Redeploy** action when the catalog image changes. The catalog is operator-configurable via `settings.quickstart`.

**Platform capabilities endpoint** — New public `GET /api/v1/platform/capabilities` endpoint exposes runtime properties (`runtime_arch`, `runtime_allows_root`) so clients can surface relevant warnings (e.g. privileged ports on hardened runtimes) without baking them into per-resource config.

---

### Bug Fixes

**Helm upgrade data loss fixed** — Defaulting `metacontroller.controllerClass` to `""` (was `"default"`) prevents every active deployment from being stopped during a `helm upgrade`. Multi-controller installs can still opt in by setting the value explicitly.

v0.23.0-rc2

## Overview

This release introduces operator-facing documentation and deterministic JSON Schema generation for the generic resource API, plus a fix for Crates.io publishing.

## New Features

- **Resource API schema generation** (#325): New `rise backend schemas generate` CLI command produces byte-deterministic JSON Schemas for `Resource`, `ResourceMetadata`, `ControllerStatusMap`, `OrganizationResource`, and `ResourceDefinitionResource`. A `print` subcommand is also available for piping/inspection.
- **Operator documentation**: New **Resources** section in the engineering docs with five pages covering storage, API, custom resources, and schemas, including a new `JsonSchema.astro` component that renders schemas as browsable tables.
- **Tooling**: New `mise run resource:schema:generate` and `resource:schema:check` tasks, with the check wired into `mise run lint` and CI.

## Bug Fixes

- Fixed publishing to Crates.io.

v0.23.0-rc1

# Release Notes

Significant release headlined by **historical Loki-backed logs with a redesigned log viewer**, a **new frontend design system** (themes, profile preferences, shell rebuild), and **runtime-agnostic workload identity tokens**. Also lands several deployment/ingress improvements and a number of bug fixes.

## ⚠️ Breaking Changes

- **Service accounts API path renamed** (`/projects/{project}/workload-identities*` → `/service-accounts*`) with no deprecation alias. The CLI is updated in lockstep, so **users must upgrade `rise` to manage service accounts** — older CLIs get `404`s on `rise sa` subcommands.
- **Loki 3.0+ is a hard requirement** for the new historical-logs backend (relies on `detected_level` for classification and the volume chart).
- **Existing installs configuring multi-org features must set** `default_organization.kubernetes_namespace_prefix: "rise-"` explicitly in their config; otherwise the controller falls back to `org-{discriminator}-{project_name}` and orphans the legacy `rise-*` namespaces on first reconcile. The shipped `config/{development,production}.yaml` already set this.

## New Features

- **Historical logs with Loki** — new `RuntimeLogBackend` trait with Kubernetes (live pod) and Loki implementations; project authorization enforced before any backend query. Backend-driven log levels via new `GET /api/v1/logs/capabilities` endpoint; `/logs/volume` now returns sparse `by_level` buckets. Repeatable `?level=` filter on `/logs` and `/logs/volume`. CLI gains `rise deployment logs --level <name>` and colour-codes lines by level (TTY-only, `NO_COLOR`-aware).
- **Redesigned log viewer** — multi-select level filter, lazy-loaded stacked volume chart with per-level CSS variables, Grafana-style infinite scroll (200-line pages, IntersectionObserver), custom two-month date-range picker, auto-refresh dropdown (Off / 10s / 30s / 1m / 5m), single-line rows with click-to-expand JSON syntax highlighting, A11y polish.
- **New frontend design system** — Inter + JetBrains Mono fonts, oklch tokens, rebuilt shell (sidebar, topbar, command palette, login). Profile page with color themes (mint/indigo/ember/slate), density (compact/cozy), and light/dark toggle persisted to `localStorage`. Auth pages now honor theme preferences before paint.
- **Multi-host ingress per deployment group** — the reconciler now puts the deployment-group host, environment hosts, production host, and that env's custom domains all on the deployment group's primary ingress. `project_custom_domains` gains an `environment_id` column; `rise domain add` gets `--environment/-e`; the frontend gets an env selector + ENVIRONMENT/PRIMARY columns.
- **Runtime-agnostic workload identity tokens** — deployed apps obtain short-lived Rise-signed OIDC JWTs with claims describing the *Rise* identity (`sub = rise:proj:<project>:env:<environment>`). Two delivery modes: **pull** (unauthenticated `POST /api/v1/identity/token` exchange, `rise identity token --audience <aud>` CLI) and **push** (deployment controller mints tokens per `[identity.audiences]` in `.rise.toml`, mounted at `/var/run/secrets/rise/identity/`). Per-IP rate-limited.
- **Pod last_state in UI** — `last_state` collected from container statuses and surfaced as red status pills (OOMKilled, crash loops, etc.) with `· Nm ago` finished-at deltas. "Updated Xs ago" header with a 1s local ticker; conditions rendered as inline `r-status` pills; container cards become an auto-fit grid on wide screens.
- **Optional project name in CLI** — `rise project show/update/delete` accept an optional name and resolve it from `[project]` in `rise.toml` (with `--path` override).
- **Git repository URL tracking** — CLI auto-detects from 8+ CI platforms (GitHub Actions, GitLab CI, CircleCI, Buildkite, Drone, Jenkins, Azure Pipelines, Bitbucket) or local `origin`; normalizes to canonical HTTPS; surfaced on deployment + project responses and in the frontend.
- **Auto-detect build platform** — CLI default falls back to host arch (`linux/arm64` on Apple Silicon, `linux/amd64` elsewhere); backend can hint via `target_platform` on the registry-credentials response (driven by controller `node_selector["kubernetes.io/arch"]`). Local development "just works" on both Intel and ARM Macs.
- **Cross-platform `dev-setup.sh`** — single bootstrap script for macOS and Linux replacing the prior `mise setup:hosts` / `mise setup:docker` tasks; managed-block edits to `/etc/hosts`, `~/.docker/daemon.json` on macOS, idempotent re-runs, symmetric `mise down` teardown.

## Bug Fixes

- **Frontend Redeploy** no longer always overwrites `http_port` with `8080` — the field is now omitted so server-side source-deployment inheritance kicks in (#329).
- **Docs deploys no longer wipe open PR previews** — `docs-deploy` now seeds the live Pages site and surgically replaces only `docs-prod/{user,operator,index.html}`; all three Pages jobs serialize on a shared `pages-deploy` concurrency group (#328).
- **`rise.toml` project access-class changes now trigger RiseProject CR resync**, so ingress config updates immediately instead of lagging behind the DB (#308).
- **Snowflake OAuth provisioner** no longer keeps warehouses awake — steady-state drift check switched to a metadata-only `SHOW INTEGRATIONS` and re-verifies once per `verify_interval_seconds` (default 1h) instead of every 5s (#324).
- **Leader-gated reconciler loops** now share a global schedule (`leader_schedules` table) so handovers can't burst the cadence after a leader transition (#323).
- **`database.url` config** now correctly takes precedence over `DATABASE_URL` env var (#309).
- **`mise dev` / `mise down`** robustness — fail fast when `.env` is missing the rise-managed block, reliably tear down the frontend process group on Ctrl+C, and use a kubectl reachability probe for cluster teardown.
- **macOS dev setup** — minikube setup now detects running / existing / missing profiles and prompts before destroying state (#331).

## Other Notable Changes

- New `--platform` precedence chain on `rise build`/`deploy`: flag → `RISE_PLATFORM` → `rise.toml [build].platform` → backend hint → host arch.
- `@uiw/react-codemirror` → 4.25.10, `reqwest` → 0.13.4, `vite` → 8.0.14, `aws-config` → 1.8.17, `serde_json` → 1.0.150, JFrog Artifactory → 7.146.15.
- Backend settings JSON schema moved from `docs/user/public/schemas/` to `docs/engineering/public/schemas/`.

## Operator / Multi-Tenancy & Resource Store (work in progress)

These land foundational pieces of the multi-tenancy plan. Operator-only, not yet exposed to end users.

- **Generic resource HTTP API** with wildcard path routing (`GET|POST|PUT|DELETE /resources/{*path}`), versioned-collection semantics, store-aware classification, `AnyAuth` extractor, cascade-only deletion (`GET /resources/pending-deletion` for monitoring), `ResourceDefinition` hardening (immutable `parent`, multi-version schema validation), and operator docs.
- **Multi-org linkage, default-org bootstrap, and controller gating** — default Organization upserted on startup behind a Postgres advisory lock; nullable `organization_resource_uid` on `teams`/`projects` plus `user_organization_memberships`; Metacontroller webhook now refuses to reconcile projects whose Organization's `spec.deploymentControllerClass` doesn't match `controller_class_name` (label-routed via `rise.dev/controller-class`); per-request resolution of controller class + namespace prefix with a 30s `moka` cache; Organization-delete guard counts teams + projects + memberships; `ResourceStore::rename` lets bootstrap re-key the default Org instead of orphaning typed-row linkages.
- **Resource GC worker** — single-replica `ResourceGcController` drains cascading deletes (default 20 rows/s), with per-row audit-log entries and stuck-tombstone warnings.
- **Controller authentication & operator role** — JWT-validated controller identities (issuer + claim allowlist), separate `operator_users` role (distinct from admins) gating the generic resource API. `/me` now returns `is_operator`.
- **Service accounts module rename** — `workload_identity` → `service_accounts` (this is the breaking API change called out above; "service account" = inbound OIDC federation *into* Rise, distinct from the new workload identity tokens for deployed apps).
- **Workspace layout** — new `rise-resource-api` and `rise-resource-store` crates; releasable artifact is still the consolidated `rise` binary.
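
How a relying party should consume the workload identity tokens introduced in this release, as an added example for this page (not Rise's own code and not a library it ships). It assumes the JWT signature has already been verified against the Rise issuer's keys (not shown) and that the claim names `iss`, `aud` and `exp` follow standard JWT usage; the only format taken from the notes is `sub = rise:proj:<project>:env:<environment>`. The policy values and claims below are constructed:

```rust
use std::time::{SystemTime, UNIX_EPOCH};

/// Claims the relying party needs after signature verification.
/// `sub` format is documented; the other names are standard JWT claims (assumption).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RiseClaims {
    pub iss: String,
    pub sub: String,
    pub aud: Vec<String>,
    pub exp: u64,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct RiseIdentity {
    pub project: String,
    pub environment: String,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ClaimError {
    BadSubject,
    WrongIssuer,
    AudienceMismatch,
    Expired,
    NotAllowed,
}

/// What this service accepts: one issuer, its own audience, and an allowlist
/// of (project, environment) pairs.
pub struct Policy<'a> {
    pub issuer: &'a str,
    pub audience: &'a str,
    pub allowed: &'a [(&'a str, &'a str)],
}

/// Parse `rise:proj:<project>:env:<environment>` strictly. Any other shape,
/// including extra colon-separated segments, is rejected rather than guessed at.
pub fn parse_subject(sub: &str) -> Result<RiseIdentity, ClaimError> {
    let parts: Vec<&str> = sub.split(':').collect();
    match parts.as_slice() {
        ["rise", "proj", project, "env", environment]
            if !project.is_empty() && !environment.is_empty() =>
        {
            Ok(RiseIdentity { project: project.to_string(), environment: environment.to_string() })
        }
        _ => Err(ClaimError::BadSubject),
    }
}

/// Order matters: issuer and audience first (a token minted for another
/// service must never reach the allowlist), then expiry, then identity.
pub fn authorize(claims: &RiseClaims, policy: &Policy, now: u64) -> Result<RiseIdentity, ClaimError> {
    if claims.iss.as_str() != policy.issuer {
        return Err(ClaimError::WrongIssuer);
    }
    if !claims.aud.iter().any(|a| a.as_str() == policy.audience) {
        return Err(ClaimError::AudienceMismatch);
    }
    if claims.exp <= now {
        return Err(ClaimError::Expired);
    }
    let id = parse_subject(&claims.sub)?;
    let permitted = policy
        .allowed
        .iter()
        .any(|(p, e)| *p == id.project.as_str() && *e == id.environment.as_str());
    if !permitted {
        return Err(ClaimError::NotAllowed);
    }
    Ok(id)
}

fn main() {
    let now = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs();
    // Constructed policy and token claims.
    let policy = Policy {
        issuer: "https://rise.example.com",
        audience: "https://vault.example.com",
        allowed: &[("shop", "production")],
    };
    let claims = RiseClaims {
        iss: policy.issuer.to_string(),
        sub: "rise:proj:shop:env:production".to_string(),
        aud: vec![policy.audience.to_string()],
        exp: now + 300,
    };
    println!("{:?}", authorize(&claims, &policy, now));
}
```

The allowlist is keyed on the environment as well as the project, because a staging deployment of `shop` presents the same project segment in `sub` and must not inherit production's access.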

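The `--platform` precedence chain from the notes above (flag, then `RISE_PLATFORM`, then `[build].platform`, then the backend hint, then host arch), as an added example for this page rather than the CLI's own implementation. The `PlatformInputs` struct, the `Source` enum and the `os/arch[/variant]` shape check are assumptions made here; the host-arch mapping (`linux/arm64` on Apple Silicon, `linux/amd64` otherwise) follows the notes:

```rust
/// Which input won, surfaced so `rise build -v` style diagnostics can explain the choice.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Source {
    Flag,
    EnvVar,
    RiseToml,
    BackendHint,
    HostArch,
}

/// Everything the resolver consults, highest precedence first. Hypothetical type.
#[derive(Debug, Clone, Copy)]
pub struct PlatformInputs<'a> {
    pub flag: Option<&'a str>,         // --platform
    pub env_var: Option<&'a str>,      // RISE_PLATFORM
    pub rise_toml: Option<&'a str>,    // rise.toml [build].platform
    pub backend_hint: Option<&'a str>, // target_platform from the registry-credentials response
    pub host_arch: &'a str,            // std::env::consts::ARCH
}

/// Map a Rust/uname style architecture to a Docker platform string.
pub fn host_platform(arch: &str) -> &'static str {
    match arch {
        "aarch64" | "arm64" => "linux/arm64",
        _ => "linux/amd64",
    }
}

/// An explicit override must look like `os/arch` or `os/arch/variant`; anything
/// else is an error rather than silently falling through to the next source.
pub fn validate_platform(p: &str) -> Result<&str, String> {
    let parts: Vec<&str> = p.split('/').collect();
    let well_formed = (2..=3).contains(&parts.len())
        && parts.iter().all(|s| !s.is_empty() && s.chars().all(|c| c.is_ascii_alphanumeric()));
    if well_formed {
        Ok(p)
    } else {
        Err(format!("invalid platform {:?}: expected os/arch[/variant]", p))
    }
}

/// First non-blank source wins; blanks (e.g. `RISE_PLATFORM=""`) are treated as unset.
pub fn resolve_platform(inputs: &PlatformInputs) -> Result<(String, Source), String> {
    let candidates = [
        (inputs.flag, Source::Flag),
        (inputs.env_var, Source::EnvVar),
        (inputs.rise_toml, Source::RiseToml),
        (inputs.backend_hint, Source::BackendHint),
    ];
    for (value, source) in candidates {
        if let Some(v) = value.map(str::trim).filter(|v| !v.is_empty()) {
            return Ok((validate_platform(v)?.to_string(), source));
        }
    }
    Ok((host_platform(inputs.host_arch).to_string(), Source::HostArch))
}

fn main() {
    let env_var = std::env::var("RISE_PLATFORM").ok();
    let inputs = PlatformInputs {
        flag: None,
        env_var: env_var.as_deref(),
        rise_toml: None,
        backend_hint: None,
        host_arch: std::env::consts::ARCH,
    };
    println!("{:?}", resolve_platform(&inputs));
}
```

Validating the override before accepting it keeps a typo such as `--platform amd64` from reaching the builder as an opaque string and failing much later in the push.
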
v0.22.1

## Release Notes

Two bug fixes in this release.

### Bug Fixes

- **Env var key validation**: The API now rejects environment variable keys containing invalid characters or leading/trailing whitespace with a `400 Bad Request`. Previously, keys with spaces could be stored and then cause Kubernetes to reject the generated Secret at deploy time. Existing deployments with malformed keys will continue to work (keys are trimmed with a warning).

- **`image_pull_secret_name` always applied**: When `deployment_controller.image_pull_secret_name` is set in config, the named pull secret is now always added to the pod spec. Previously it was silently ignored for registry providers that don't mint their own pull secrets (e.g. GitLab with `mint_pull_secrets: false`).

- **Docs deployment**: Fixed the documentation deployment pipeline on production.
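
The two code paths the env var key fix describes (strict `400` on new keys, trim-with-warning on keys already stored), as an added example for this page rather than the API's own validator. The accepted character set is an assumption made here, modelled on what Kubernetes accepts for environment variable names and Secret data keys (letters, digits, `_`, `-`, `.`, no leading digit, at most 253 bytes); the notes only say "invalid characters". Sample keys are constructed:

```rust
use std::fmt;

/// Why a key was rejected; mapped to HTTP 400 at the API boundary.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum KeyError {
    Empty,
    SurroundingWhitespace,
    LeadingDigit,
    InvalidChar(char),
    TooLong(usize),
}

/// Assumed cap: Kubernetes limits Secret data keys to 253 bytes.
pub const MAX_KEY_LEN: usize = 253;

impl fmt::Display for KeyError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            KeyError::Empty => write!(f, "must not be empty"),
            KeyError::SurroundingWhitespace => write!(f, "must not have leading or trailing whitespace"),
            KeyError::LeadingDigit => write!(f, "must not start with a digit"),
            KeyError::InvalidChar(c) => write!(f, "contains invalid character {:?}", c),
            KeyError::TooLong(n) => write!(f, "is {} bytes, longer than {}", n, MAX_KEY_LEN),
        }
    }
}

fn is_key_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '_' | '-' | '.')
}

/// Strict check for keys arriving on the API. Whitespace is checked before the
/// character set so the error message names the actual mistake.
pub fn validate_env_key(key: &str) -> Result<(), KeyError> {
    if key.is_empty() {
        return Err(KeyError::Empty);
    }
    if key.trim() != key {
        return Err(KeyError::SurroundingWhitespace);
    }
    if key.len() > MAX_KEY_LEN {
        return Err(KeyError::TooLong(key.len()));
    }
    if key.chars().next().map_or(false, |c| c.is_ascii_digit()) {
        return Err(KeyError::LeadingDigit);
    }
    if let Some(bad) = key.chars().find(|&c| !is_key_char(c)) {
        return Err(KeyError::InvalidChar(bad));
    }
    Ok(())
}

/// Request-level helper: the whole batch is rejected with a 400 on the first bad key,
/// so nothing is stored that the Secret render would later choke on.
pub fn check_request_keys(keys: &[&str]) -> Result<(), (u16, String)> {
    for key in keys {
        if let Err(e) = validate_env_key(key) {
            return Err((400, format!("invalid environment variable key {:?}: {}", key, e)));
        }
    }
    Ok(())
}

/// Lenient path for keys stored before validation existed: surrounding whitespace
/// is trimmed and reported as a warning. Assumption made here: a key that is still
/// invalid after trimming cannot be rendered into a Secret and is returned as an error.
pub fn sanitize_stored_key(key: &str) -> Result<(String, Option<String>), KeyError> {
    let trimmed = key.trim();
    validate_env_key(trimmed)?;
    let warning = if trimmed != key {
        Some(format!("trimmed surrounding whitespace from stored env key {:?}", key))
    } else {
        None
    };
    Ok((trimmed.to_string(), warning))
}

fn main() {
    // Constructed sample keys.
    for key in ["DATABASE_URL", " API_KEY", "API KEY", "1ABC", "my.var-name"] {
        match validate_env_key(key) {
            Ok(()) => println!("{:?}: ok", key),
            Err(e) => println!("{:?}: 400 Bad Request (key {})", key, e),
        }
    }
}
```

Keeping the stored-key path separate from the request path is what makes the fix safe to roll out: existing deployments keep working while the API stops accepting new malformed keys.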

v0.22.0

## Release Notes

This release adds JFrog Artifactory and AWS S3 as first-class extensions, introduces per-deployment resource configuration, hardens authentication security, and overhauls the documentation site.

---

### New Features

- **JFrog Artifactory registry support** — mint scoped, short-lived credentials for image push and Kubernetes pull secrets via JFrog's access token API or a Vault plugin. Separate push/pull TTLs, per-project scope isolation, and pull credential caching included.
- **AWS S3 bucket extension** — automatically provisions a dedicated S3 bucket and scoped IAM credentials per project, injected as environment variables. Supports `DeletionBlocked` state when a bucket is non-empty, with opt-in `force_empty_bucket` for safe teardown.
- **Configurable deployment replicas and resources** — set `replicas`, `cpu`, and `memory` in `rise.toml` or via `--replicas`/`--cpu`/`--memory` CLI flags. Admins can set per-environment min/max constraints; values are validated at deployment time.
- **Starlight documentation sites** — user and engineering docs now live at `docs/user` and `docs/engineering` with improved structure and navigation.
- **`rise backend rise-toml-schema` CLI command** — generates the `rise-toml-v1.schema.json` directly; the old `/api/v1/schema/rise-toml/v1` endpoint now redirects (301) to `/docs/schemas/rise-toml-v1.schema.json`.

---

### Bug Fixes

- **Auth: cookies scoped to exact host** — cookies no longer carry a `Domain` attribute, preventing cross-subdomain leakage between the Rise API and app subdomains. Ingress auth flows now always redirect through `/.rise/auth/complete` on the app's own domain.
- **Auth: ingress JWTs now carry the correct `aud` claim** — private-app JWTs previously used the Rise server URL as audience; they now use the app's own URL. API middleware rejects RS256 ingress tokens, preventing them from authenticating API calls.
- **AWS error detection** — replaced brittle string-matching on formatted error types with typed AWS SDK error variants across S3 and RDS extension providers.

---

### ⚠️ Breaking Changes

- **`cookie_domain` setting repurposed** — this field no longer sets the `Domain` attribute on new cookies. It is now used only to clear stale domain-scoped cookies during migration. Existing configs continue to work, but cross-subdomain cookie sharing via `cookie_domain` is no longer supported.
- **Legacy Metacontroller adoption code removed** — the `legacy_adopt_existing_resources_to_metacontroller` backend setting and `adoptExistingResources` Helm value have been removed. Clusters that still rely on this one-time migration path must complete the migration before upgrading.
- **Registry credentials endpoint moved** — credentials are now fetched from `GET /projects/{name}/deployments/{id}/registry-credentials` (scoped to Pending/Building/Pushing states) instead of the old project-scoped endpoint. Older CLI versions fall back to credentials in `CreateDeploymentResponse`, which is now deprecated.

---

### Dependency Updates

Routine updates to tokio, openssl, aws-sdk-s3/s3-js, jsonwebtoken, tailwindcss 4.3, vite 8, react 19.2, pack 0.40.6, gunicorn 26, and several other crates and npm packages.
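
The cookie change above (no `Domain` attribute on new cookies, `cookie_domain` kept only to clear stale domain-scoped ones), as an added example for this page; it is not the project's own cookie code. The cookie name `rise_session`, the `HttpOnly`/`SameSite=Lax` attributes and the `CookieOpts` type are assumptions made here. The security point is in the header text itself: a cookie without `Domain` is host-only, so a tenant app on a sibling subdomain never receives it, whereas `Domain=.example.com` hands it to every subdomain.

```rust
/// Attributes for a session cookie set by the API host (hypothetical type).
pub struct CookieOpts<'a> {
    pub path: &'a str,
    pub max_age_secs: u64,
    pub secure: bool,
}

/// Host-only cookie: no Domain attribute, so the browser scopes it to the exact
/// host that set it (RFC 6265 host-only flag) and never sends it to app subdomains.
pub fn host_only_cookie(name: &str, value: &str, opts: &CookieOpts) -> String {
    let mut header = format!(
        "{}={}; Path={}; Max-Age={}; HttpOnly; SameSite=Lax",
        name, value, opts.path, opts.max_age_secs
    );
    if opts.secure {
        header.push_str("; Secure");
    }
    header
}

/// The pre-0.22 shape, for contrast only: Domain=.example.com makes the cookie
/// visible to every subdomain, including tenant apps served under it.
pub fn legacy_domain_cookie(name: &str, value: &str, domain: &str, opts: &CookieOpts) -> String {
    format!("{}; Domain={}", host_only_cookie(name, value, opts), domain)
}

/// Migration helper. A browser only deletes a cookie when the Set-Cookie's name,
/// Domain and Path match the stored one, so the old cookie_domain is still needed
/// here and nowhere else. Returns None when no legacy domain is configured.
pub fn clear_legacy_cookie(name: &str, cookie_domain: Option<&str>, path: &str) -> Option<String> {
    let domain = cookie_domain?;
    Some(format!(
        "{}=; Domain={}; Path={}; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax",
        name, domain, path
    ))
}

/// Headers for a login response during migration: clear the stale domain-scoped
/// cookie (if any) and set the new host-only one in the same response.
pub fn login_response_headers(
    name: &str,
    value: &str,
    cookie_domain: Option<&str>,
    opts: &CookieOpts,
) -> Vec<String> {
    let mut headers = Vec::new();
    if let Some(clear) = clear_legacy_cookie(name, cookie_domain, opts.path) {
        headers.push(clear);
    }
    headers.push(host_only_cookie(name, value, opts));
    headers
}

/// Pull the Domain attribute out of a Set-Cookie header, if present; handy for
/// a test or a response-header check in CI.
pub fn domain_attr(set_cookie: &str) -> Option<&str> {
    set_cookie.split(';').map(str::trim).find_map(|attr| {
        let (k, v) = attr.split_once('=')?;
        if k.trim().eq_ignore_ascii_case("domain") {
            Some(v.trim())
        } else {
            None
        }
    })
}

fn main() {
    // Constructed values; the token is a placeholder, not a real session.
    let opts = CookieOpts { path: "/", max_age_secs: 8 * 3600, secure: true };
    for h in login_response_headers("rise_session", "opaque-token", Some(".rise.example.com"), &opts) {
        println!("Set-Cookie: {}", h);
    }
}
```

Once every client has seen one login response that clears the old cookie, `cookie_domain` can be dropped from the config; leaving it set does no harm beyond an extra header per login.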

v0.21.1

## Release Notes

**Overview:** A single bug fix addressing network connectivity issues with ingress controllers.

### Bug Fixes

- **Fix NetworkPolicy blocking ingress traffic** — Updated the NetworkPolicy to allow ingress controller traffic to reach the main HTTP port, resolving potential connectivity issues where applications were unreachable despite correct ingress configuration. (#262)

v0.21.0

## Release Notes Summary

This release focuses on **security hardening**, **high-availability support**, and a **major architectural change** to the Kubernetes deployment controller.

### New Features

- **Metacontroller-based deployment controller** — Migrated the Kubernetes deployment controller from an in-process controller to a Metacontroller webhook architecture (`d65ecf7`, `c57ba8b`)
- **High-availability backend** — Backend is now safe to run with multiple replicas, including HA lease liveness and retryable OAuth state (`7077511`, `fe18842`)
- **Deployment secrets as Kubernetes Secrets** — Environment variable secrets are now injected as proper Kubernetes Secrets instead of inline values (`bd10719`)
- **Pod-IP validation for webhooks** — Replaced token-based webhook auth with pod-IP validation for improved security (`a48c586`)
- **`--platform` build option** — Override the default build platform (e.g., `--platform linux/amd64`) (`3626399`)
- **`rise env export`** — New command to export environment variables, with a fix to environment resolution in `rise run` (`08b6b67`)

### Bug Fixes

- Fix handling of terminating pods in deployment status display (`6c044ba`)
- Reject plain PKCE method in OAuth flow, require S256 (`4b42ae3`)
- Fix `podSelector` in webhook NetworkPolicy for metacontroller (`6909f0f`)

### Other Changes

- Added `cargo audit` to CI (`d3541cb`)
- Dependency updates: openssl, pack (buildpacks), marked
- Development documentation and task improvements
- Updated tag-release script

v0.21.0-rc3

## Release Notes

This release includes one security improvement and one documentation update.

### New Features

- **Secure secret injection** — Deployment environment secrets are now injected as Kubernetes Secrets rather than being passed inline, reducing secret exposure in pod specs and Kubernetes API objects.

### Other Changes

- **Documentation** — Added Metacontroller architecture documentation and removed stale controller references from the docs.

v0.21.0-rc2

## Release Notes

This release includes a security improvement to the webhook authentication mechanism and an addition to the CI pipeline.

### Security

- **Metacontroller webhook authentication** now uses pod-IP validation instead of token-based auth, reducing the attack surface for webhook endpoints.

### CI / Infrastructure

- Added `cargo audit` check to CI to automatically detect known vulnerabilities in Rust dependencies.