Releases: escapeboy/boruna

v1.3.0

30 Apr 07:16

Stable

  • std-llm is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-llm.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-json is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-json.md; bumps require a 1.x deprecation notice per LTS contract.

Added

  • 27 new language built-in functions — comprehensive string, list, and map operations now available in .ax programs without importing any library:
    • String: __builtin_int_to_string, __builtin_float_to_string, __builtin_string_len, __builtin_string_chars, __builtin_string_contains, __builtin_string_starts_with, __builtin_string_ends_with, __builtin_string_to_upper, __builtin_string_to_lower, __builtin_string_trim, __builtin_string_join, __builtin_string_split, __builtin_string_replace, __builtin_string_slice, __builtin_int_parse, __builtin_float_parse, __builtin_bool_to_string
    • List: __builtin_list_len, __builtin_list_is_empty, __builtin_list_head, __builtin_list_tail, __builtin_list_append, __builtin_list_concat, __builtin_list_reverse
    • Map: __builtin_map_get, __builtin_map_set, __builtin_map_remove, __builtin_map_contains_key, __builtin_map_keys, __builtin_map_values, __builtin_map_len
  • Import resolution: import "std-name" statements in .ax source now resolve at compile time via a source-level preprocessor that inlines the named library from libs/<name>/src/core.ax. No compiler pipeline change required.
  • boruna evidence inspect shows step outputs — for plaintext bundles, evidence inspect <bundle> now reads outputs/<step_id>/result.json and renders a truncated preview (500 chars) per step in text mode; --json mode includes a "step_outputs" key with full parsed content. Encrypted bundles without --decrypt print a hint to stderr.
  • std-json enhancements: json_array(items: List<String>) -> String serializes a list to a JSON array string; int_to_string now calls __builtin_int_to_string (was returning empty string); json_escape now performs proper character-by-character escaping using __builtin_string_chars.
  • std-validation enhancements: string_length now calls __builtin_string_len (was hardcoded 0); added validate_contains, validate_starts_with, validate_ends_with.

v1.2.0

29 Apr 19:58

Stable

  • std-ui is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-ui.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-validation is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-validation.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-forms is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-forms.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-authz is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-authz.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-http is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-http.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-db is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-db.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-sync is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-sync.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-routing is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-routing.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-storage is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-storage.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-notifications is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-notifications.md; bumps require a 1.x deprecation notice per LTS contract.
  • std-testing is now 1.0-stable. Public surface frozen per docs/reference/stdlib/std-testing.md; bumps require a 1.x deprecation notice per LTS contract.

Added

  • Compliance templates — three pre-built workflow patterns: soc2_audit_workflow (SOC 2 audit trail), hipaa_data_pipeline (PHI redaction + audit log), financial_review_pipeline (dual-control SOX approval gates)
  • Four new example workflows demonstrating stdlib package usage (form_submission_pipeline, data_ingestion_pipeline, api_routing_workflow); closes graduation criterion 1 for all 11 std-* packages
  • docs/reference/stdlib/std-llm.md and docs/reference/stdlib/std-json.md — reference docs closing criterion 4 for std-llm and std-json
  • examples/workflows/llm_content_generator/ and examples/workflows/json_data_transformer/ — example workflows closing criterion 1 for std-llm and std-json
  • boruna evidence diff — compare two evidence bundles side-by-side.
    Reports differences in step outputs, audit event counts, workflow metadata,
    and verification status. --json flag for machine-readable output.
  • boruna workflow eval — run the same workflow against two LLM provider configs and compare evidence bundles; reports per-step output agreement and timing

Changed

  • Improved error messages: boruna lang check now suggests the nearest variable name for E003 errors and the nearest function name for E004 errors using edit-distance-1 matching; type-conversion hints for common E009 mismatches (Int↔String, Bool↔Int); E001 lexer errors now include a source pointer line; E002 parse errors append a common-cause hint; E007 capability violation message now names the offending capability and action.
  • Better lang repair: repair now handles E003 near-miss rename patches via the tooling suggestion pipeline; new RepairStrategy::Conservative applies only High-confidence patches, skipping Medium/Low (safe for CI auto-repair); bottom-up patch ordering was already in place and verified correct.

v1.1.0

29 Apr 14:04

Added

  • Capability call markers in MCP progress notifications (post1-T-2.2).
    boruna_run streaming progress events now carry a message field when
    a capability call fires during an execution slice: "cap: llm.call" for
    a single call or "caps: llm.call, net.fetch" for multiple. Slices with
    no capability calls continue to omit message (no noise for pure compute).
    MCP clients that display live execution status can now surface
    "calling llm.call…" feedback without polling. Backward-compatible:
    existing clients
    that ignore message see no change.

  • Web evidence bundle inspector (post1-T-4.4). New boruna evidence serve <bundle-dir> [--port <port>] subcommand (requires serve feature) starts a
    local axum HTTP server on port 4444 and opens the browser automatically.
    Pages: /bundle (overview + verification status + file checksums),
    /audit (hash-chained event timeline), /outputs (per-step result JSON
    accordion), /api/bundle (raw JSON dump). Bundle data is loaded once at
    startup; verification runs via the existing verify_bundle() path and
    surfaces PASS/FAIL inline. Works offline — no external CDN dependencies.

  • BYOH reference handler library (post1-T-1.2). Four new
    reference CapabilityHandler implementations under
    examples/llm_handlers/ joining the existing OpenAI example:
    Anthropic (Messages API), Ollama (local-LLM, deterministic-with-seed),
    vLLM-and-OpenAI-compatible (one handler covers vLLM/OpenRouter/
    Together/Groq/LiteLLM), and AWS Bedrock (skeleton using the AWS
    SDK because hand-rolling SigV4 adds nothing illustrative). Each
    is a self-contained ~80–120-LOC copy-and-tweak template with a
    README documenting auth, response shape, determinism options,
    and what the reference deliberately omits (multi-provider
    routing, streaming, cost accounting, etc.). New umbrella
    examples/llm_handlers/README.md indexes the library and
    cross-references the built-in LlmRouterHandler (sprint
    0.4-S13). New providers.toml.example documents a config-schema
    convention integrators can adopt for declarative router setup
    (Boruna does not parse this file); new router_setup.rs
    shows a reference parser that turns the toml into an
    LlmRouterHandler.

    This expansion is faithful to the BYOH design contract shipped
    in 0.3-S8: Boruna does not ship default handlers in core. Each
    reference is integrator-copyable code, not a Cargo dep.
    Auditing the original T-1.2 plan ("ship a boruna-effect-providers
    adapter crate") against the shipped BYOH guide flagged the
    premise conflict before any code was written; the reframed
    scope delivers the spirit of "more provider on-ramps" without
    violating the contract.
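
The capability call markers from the first item in this list (post1-T-2.2) can feed a simple client-side check. The following is an added example, not Boruna code: it parses the message value of each progress event and reports capabilities outside an expected set. The function names, the strict handling of malformed markers, and the sample events are assumptions.

```rust
// Added illustration, not Boruna source: client-side handling of the
// `message` marker on boruna_run progress events. Names are hypothetical.

#[derive(Debug, PartialEq)]
enum Marker {
    PureCompute,          // message omitted: no capability call in the slice
    Caps(Vec<String>),    // "cap: a" or "caps: a, b"
    Unrecognized(String), // anything else is kept verbatim for the operator
}

fn parse_marker(message: Option<&str>) -> Marker {
    let msg = match message {
        Some(m) => m,
        None => return Marker::PureCompute,
    };
    let (body, plural) = if let Some(b) = msg.strip_prefix("caps: ") {
        (b, true)
    } else if let Some(b) = msg.strip_prefix("cap: ") {
        (b, false)
    } else {
        return Marker::Unrecognized(msg.to_string());
    };
    let names: Vec<String> = body.split(',').map(|s| s.trim().to_string()).collect();
    // Assumption: this sketch is strict, so empty names or several names
    // after the singular prefix count as unrecognized rather than parsed.
    let ok = names.iter().all(|n| !n.is_empty()) && (plural || names.len() == 1);
    if ok { Marker::Caps(names) } else { Marker::Unrecognized(msg.to_string()) }
}

/// Capabilities seen in a run that are not in the set the operator expects.
fn unexpected_caps(events: &[Option<&str>], expected: &[&str]) -> Vec<String> {
    let mut seen: Vec<String> = Vec::new();
    for ev in events {
        if let Marker::Caps(names) = parse_marker(*ev) {
            for n in names {
                if !expected.contains(&n.as_str()) && !seen.contains(&n) {
                    seen.push(n);
                }
            }
        }
    }
    seen
}

fn main() {
    // Constructed sequence of `message` values, one per progress event.
    let events = [None, Some("cap: llm.call"), Some("caps: llm.call, net.fetch"), None];
    println!("{:?}", unexpected_caps(&events, &["llm.call"]));
}
```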

Changed

  • BundleStorage trait promoted to public 1.x API surface.
    BundleStorage, StorageRef, StorageError, LocalFs, and the
    from_uri dispatcher in boruna_orchestrator::audit::storage
    shipped behind #[doc(hidden)] while the shape was still being
    validated against remote impls. With T-3.1 (S3), T-3.2 (GCS),
    and T-3.3 (Azure Blob) all landed and exercising the trait
    identically, the shape is stable and the hidden attribute is
    removed. The per-adapter modules
    (storage_s3 / storage_gcs / storage_azure) ship without
    #[doc(hidden)] from the start, so this change is purely a
    rustdoc visibility tweak — no API breakage. StorageError is
    now #[non_exhaustive] so future variants are additive.
    Backend kind strings (s3.transient, azure.permanent, etc.)
    are also additive — integrators switching on kind should
    treat unknown values as transient (retryable). New top-level
    concept page at docs/concepts/bundle-storage.md covers the
    shared contract; the per-provider operator guides remain in
    docs/guides/bundle-storage-{s3,gcs,azure}.md.

Decided

  • Stdlib graduation tracker (post1-T-3.4). Assessed all 11
    std-* packages against the 4-criterion graduation checklist.
    Zero packages graduate to 1.0 this cycle. Two criteria fail
    uniformly: none of the packages is referenced from any
    examples/workflows/*, and none has a
    docs/reference/stdlib/<name>.md reference page. Per-package
    decisions and per-criterion notes are recorded in
    docs/stdlib-graduation-tracker.md. Closing the gates is filed
    as Wave-3 follow-up work.

Added

  • Azure Blob Storage adapter for BundleStorage (post1-T-3.3,
    Wave 3). The --bundle-storage azblob://account/container[/prefix]
    URI now constructs an Azure Blob Storage adapter when the binary
    is built with the azure feature
    (cargo build --features boruna-cli/azure). Same shape as the
    T-3.1 / T-3.2 adapters, also backed by object_store (with the
    azure feature toggled). URI shape encodes both the storage
    account and the blob container so an operator can grep their
    config and see exactly which account a bundle landed in. Auth
    via standard AZURE_STORAGE_* env vars (account key, SAS, or
    service-principal OAuth);
    AzureBlobBucketBuilder::with_use_emulator(true) switches the
    SDK into Azurite-emulator mode for local testing. Off by
    default. When the azure feature is OFF, azblob:// URIs
    reject at parse time with the actionable-message pattern S3 and
    GCS use. Backend errors surface with stable error_kind
    strings (azure.transient, azure.permanent, azure.runtime,
    azure.unexpected_key). 18 unit tests cover URI parsing,
    object-path concatenation, ref-to-run-id extraction, and error
    classification. An Azurite-backed integration test is deferred —
    Azurite requires SharedKey-signed container creation and
    object_store doesn't expose a create_container primitive;
    pulling in the full azure-storage crate or implementing
    SharedKey signing for one test wasn't a proportionate cost. See
    docs/guides/bundle-storage-azure.md. All three remote
    schemes (S3, GCS, Azure) now ship — the BundleStorage trait
    can graduate from #[doc(hidden)] to pub in a follow-up.
  • GCS adapter for BundleStorage (post1-T-3.2, Wave 3). The
    --bundle-storage gs://bucket[/prefix] URI now constructs a
    Google Cloud Storage adapter when the binary is built with the
    gcs feature (cargo build --features boruna-cli/gcs). Same
    shape as the T-3.1 S3 adapter, also backed by object_store
    (with the gcp feature toggled). Auth via standard
    GOOGLE_SERVICE_ACCOUNT / GOOGLE_APPLICATION_CREDENTIALS env
    vars; GcsBucketBuilder::with_endpoint lets integration tests
    point at fake-gcs-server. Off by default. When the gcs feature
    is OFF, gs:// URIs reject at parse time with the same
    actionable-message pattern S3 uses. Backend errors surface with
    stable error_kind strings (gcs.transient, gcs.permanent,
    gcs.runtime, gcs.unexpected_key). Integration tests behind
    the gcs-it feature spin up fsouza/fake-gcs-server via a
    custom testcontainers Image (testcontainers-modules has no GCS
    module) and self-skip when Docker is unreachable. See
    docs/guides/bundle-storage-gcs.md.
  • S3 adapter for BundleStorage (post1-T-3.1, Wave 3). The
    --bundle-storage s3://bucket[/prefix] URI now constructs a real
    remote-storage adapter when the binary is built with the s3
    feature (cargo build --features boruna-cli/s3). Backed by the
    Apache Arrow object_store crate's aws feature — works against
    AWS S3, MinIO, Cloudflare R2, Backblaze B2, and LocalStack via
    the standard AWS_* environment variables (including
    AWS_ENDPOINT_URL for non-AWS endpoints). The adapter bridges
    the sync BundleStorage trait against the async SDK with a
    per-instance current-thread tokio runtime; bundle reads
    materialize into a local cache directory rooted at
    BORUNA_BUNDLE_CACHE (defaults to <temp>/boruna-bundle-cache).
    When the s3 feature is OFF, s3:// URIs reject at parse time
    with an actionable message that points operators at the feature
    flag — never silently ignored. gs:// (T-3.2) and azblob://
    (T-3.3) remain reserved for upcoming adapters. Backend errors
    surface with stable error_kind strings (s3.transient,
    s3.permanent, s3.runtime, s3.unexpected_key). MinIO-backed
    integration tests live behind the s3-it feature and self-skip
    when Docker is unreachable. See docs/guides/bundle-storage-s3.md.
  • boruna evidence rotate-kek (post1-T-2.4) re-wraps the DEK of one
    or more encrypted evidence bundles under a new KEK. Operations are
    manifest-only — per-file ciphertext stays valid because the DEK
    itself is unchanged. Supports single-bundle and batch (directory)
    modes; batch mode runs in parallel via rayon, bounded by
    --parallelism N (default min(8, num_cpus)). --dry-run
    validates without writing. --kek-id-from <id> defends against
    accidental double-rotation in mixed-state batches. New
    Envelope::rewrap API on the encryption module exposes the same
    primitive to library consumers. See
    docs/guides/kek-rotation.md.
  • Pluggable evidence-bundle storage trait BundleStorage and a
    LocalFs adapter (post1-T-2.3). boruna workflow run --record
    now accepts --bundle-storage <uri> (or BORUNA_BUNDLE_STORAGE
    env var); when set, the finalized bundle is copied to the
    configured backend after the local write succeeds. Storage
    failure is logged but never fails the workflow — the local
    bundle remains the authoritative record. Only the local:<root>
    scheme ships in this release; s3://, gs://, azblob:// are
    reserved for Wave 3 adapters and reject at parse time. The
    trait is #[doc(hidden)] until at least one remote adapter
    ships.
  • boruna_run MCP progress notifications are now part of the 1.x
    LTS-stable surface (post1-T-1.1). When a client supplies the
    standard MCP progressToken in the request's _meta field, the
    server drives the VM in ~100k-opcode slices and emits
    notifications/progress events between slices with the cumulative
    step cou...

v0.7.0-alpha.1 (speculative 0.7.x branch)

29 Apr 16:45
de53494

Pre-release — speculative 0.7.x branch. Not part of the 1.x LTS line.

This tag captures the current state of the 0.7.x branch, which holds LTS-incompatible features being incubated before a future major version.

What's in 0.7.x

  • mTLS CRL support (--tls-client-crl) — revocation checking via rustls WebPkiClientVerifier::with_crls (T-4.2, PR #27)
  • mTLS OCSP stapling (--tls-ocsp-staple) — pre-fetched DER OCSP response stapled into every TLS handshake via with_single_cert_with_ocsp (T-4.3, PR #36)
  • MCP protocol_version: 2 — natural JSON value encoding for boruna_run results: Option::None → null, Some(v) → v, Ok(v) → {"ok": v}, Err(v) → {"err": v}, records as named-field objects, enums as {"VariantName": payload} (T-4.1, PR #40)
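
The protocol_version 2 mapping listed above, written out as an added example (not Boruna's encoder). Value, encode, json_string and the compact output formatting are assumptions. Applying the rules as listed shows two things a consumer of boruna_run results should account for: Some(None) and None both become null, and a record with a single field named ok is indistinguishable from Ok(v).

```rust
// Added illustration, not Boruna source. `Value`, `encode` and `json_string`
// are hypothetical names; compact output formatting is an assumption.
use std::fmt::Write;

#[allow(dead_code)]
#[derive(Debug, Clone)]
enum Value {
    Int(i64),
    Str(String),
    OptNone,
    OptSome(Box<Value>),
    ResOk(Box<Value>),
    ResErr(Box<Value>),
    Record(Vec<(String, Value)>), // named fields, in declaration order
    Enum(String, Box<Value>),     // variant name and payload
}

/// Minimal JSON string escaping: quotes, backslashes and control characters.
fn json_string(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            c if (c as u32) < 0x20 => write!(out, "\\u{:04x}", c as u32).unwrap(),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Apply the protocol_version 2 rules from the release note.
fn encode(v: &Value) -> String {
    match v {
        Value::Int(n) => n.to_string(),
        Value::Str(s) => json_string(s),
        Value::OptNone => "null".to_string(),   // Option::None -> null
        Value::OptSome(inner) => encode(inner), // Some(v) -> v
        Value::ResOk(inner) => format!("{{\"ok\":{}}}", encode(inner)),
        Value::ResErr(inner) => format!("{{\"err\":{}}}", encode(inner)),
        Value::Record(fields) => {
            let body: Vec<String> =
                fields.iter().map(|(k, v)| format!("{}:{}", json_string(k), encode(v))).collect();
            format!("{{{}}}", body.join(","))
        }
        Value::Enum(name, payload) => format!("{{{}:{}}}", json_string(name), encode(payload)),
    }
}

/// Constructed sample result, not output captured from boruna_run.
fn sample() -> Value {
    Value::Record(vec![
        ("status".to_string(), Value::ResOk(Box::new(Value::Int(42)))),
        ("note".to_string(), Value::OptNone),
        ("mode".to_string(), Value::Enum("Retry".to_string(), Box::new(Value::Int(3)))),
    ])
}

fn main() {
    println!("{}", encode(&sample()));
    // Under the rules as listed, each of these pairs encodes identically.
    let nested = Value::OptSome(Box::new(Value::OptNone));
    println!("{} {}", encode(&nested), encode(&Value::OptNone));
    let rec = Value::Record(vec![("ok".to_string(), Value::Int(1))]);
    println!("{} {}", encode(&rec), encode(&Value::ResOk(Box::new(Value::Int(1)))));
}
```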

Stability

All items are 0.7.x-only — they will not be backported to the 1.x LTS line. CRL SIGHUP reload is documented but not yet implemented.

v1.0.0-rc3

28 Apr 13:26

Theme: final GA-readiness polish. rc2 shipped W6 (mTLS +
bundle encryption) and W7 (security-review closures). rc3
folds the W8-W11 GA-polish work into a tagged candidate so
operators have a single artifact representing the actual GA
candidate to soak. Highlights:

  • 4th formal versioned specification (bytecode 1.0)
    publishes alongside the existing three (.ax language,
    workflow DAG, evidence bundle), all locked behind reader
    constants per docs/lts.md §B.
  • Algorithm-gate enforcement in evidence bundle decryption
    (W7 NEW-1): Envelope::unwrap now rejects bundles declaring
    algorithm ≠ aes-256-gcm with evidence.unsupported_algorithm,
    before any KEK-related work — matches the spec's reader
    contract.
  • CI hardening: bench harness compiles on every PR
    (W8); examples run end-to-end + verify on every PR (W9-D);
    parallel-test flakes fixed (W10).
  • Operator-facing GA-cut tooling: scripts/pre-release-check.sh
    is the single command that confirms GA-readiness before
    tagging (W11-A).
  • CHANGELOG-driven release notes (W9-B): the GitHub
    Release page body is now the CHANGELOG section for the tag,
    not auto-generated commit noise. First release using this
    flow is rc3 itself.

After rc3 soak, the v1.0.0 GA tag is a 5-min coding step:
bash scripts/pre-release-check.sh 1.0.0 → bump to 1.0.0
→ tag → push.

Added

  • Versioned bytecode 1.0 specification at
    docs/spec/bytecode-1.0.md (sprint W9-A).
    bytecode_version: "1.0" exposed via
    boruna_bytecode::BYTECODE_VERSION. Locks the on-disk module
    format, opcode table, value model, capability table, and
    determinism contract for the 1.x line. Forward-compat: 1.x
    VMs accept any 1.y bytecode module.
  • CHANGELOG-driven GitHub Release notes (sprint W9-B).
    The release pipeline now extracts the CHANGELOG section for
    the current tag and uses it as the GitHub Release body
    instead of auto-generating from commits. Operators MUST
    update CHANGELOG.md before tagging — empty section fails
    the release loudly. Improves release-page readability for
    integrators.
  • End-to-end smoke gate for example workflows in CI
    (sprint W9-D). Each example workflow under
    examples/workflows/ now runs to completion with
    --policy allow-all --record and the produced bundle is
    evidence verify-ed on every push/PR. Catches integration
    regressions where DAG validation passes but execution fails.
  • cargo bench --no-run gate in CI (sprint W8). The
    criterion bench harness now compiles on every push/PR so
    refactors that break bench compilation surface at PR time
    instead of at the next operator-run baseline.
  • Pre-release validation script at
    scripts/pre-release-check.sh (sprint W11-A). Read-only
    script the operator runs before tagging that confirms repo
    state, version alignment, CHANGELOG coverage, all spec
    constants, every CI gate, and the examples smoke flow.
  • evidence.unsupported_algorithm typed error (sprint
    W7 NEW-1). Envelope::unwrap now rejects bundles with an
    algorithm field other than aes-256-gcm BEFORE any KEK
    work — matches the evidence-bundle-1.0.md reader
    contract. Closes the spec/code gap flagged by the
    W7 follow-up security review.
  • Smoke-test report for v1.0.0-rc2 macOS arm64 artifact at
    docs/release-smoke-tests/v1.0.0-rc2.md (sprint W9-C).
    End-to-end verification of the published GitHub Releases
    binary; pre-GA sign-off for the macOS arm64 target. Linux
    musl targets remain operator smoke tests on real hardware.
  • 9 missing MCP-layer error_kind strings added to
    docs/reference/error-kinds.md (sprint W7 NEW-2): closes
    the taxonomy completeness gap flagged by the W7 follow-up
    security review. The doc now enumerates 36+ stable
    error_kind strings across coord.*, evidence.*,
    workflow.*, policy.*, and MCP-layer namespaces.

Changed

  • scripts/ci.sh refreshed (sprint W11-A) to match the
    current .github/workflows/ci.yml: clippy --all-targets
    (W1-A), serve-feature clippy run, bench compile gate (W8).
  • docs/INTEGRATION_GUIDE.md v0.1.0 references replaced
    with v1.0-GA-aware framing (sprint W10 H-1). The body of
    the guide remains structurally accurate for v1.0; only the
    trailing "What Boruna Does Not Do" section was patched.
  • docs/FRAMEWORK_API.md version label dropped (sprint
    W10 H-2). The framework crate is in the Experimental
    stability tier per docs/stability.md; the doc now cross-
    links to that tier definition + the LTS contract instead of
    carrying a misleading (v0.1.0) heading next to the
    workspace's 1.0.0-rc tag.

Decided

  • Cut a third release candidate (v1.0.0-rc3) instead of
    GA directly (sprint W11). rc2 was published before
    W7-W11 work landed; cutting GA on current master would skip
    the soak window entirely and lock the LTS contract on
    unverified-in-field surfaces (notably the W7 NEW-1 algorithm
    gate change in Envelope::unwrap). rc3 represents the
    actual GA candidate; soak runs against rc3, then GA cut.

v1.0.0-rc2

28 Apr 10:33

v1.0.0-rc1

28 Apr 10:28

v1.0.0

28 Apr 13:52

First stable release. The 1.x LTS contract takes effect from
this tag forward — every 1.0 .ax program, workflow.json,
evidence bundle, MCP integration, and CLI invocation is committed
to keep working on every 1.y release per docs/lts.md
§B.

Same surface as 1.0.0-rc3. No code changes between rc3 and
this GA cut; this tag exists to crystallize the 1.0 LTS commitment
and ship final-named binaries.

The four formal versioned specifications frozen at 1.0:

For the full feature scope shipped between v0.5.0 and v1.0.0,
see the [1.0.0-rc1], [1.0.0-rc2], and [1.0.0-rc3] sections
below.

Decided

  • 1.x LTS contract is now in force. docs/lts.md
    §B surfaces are stable through 2027-11 (active) / 2028-05 (security).
    Surfaces classified Experimental in docs/stability.md
    remain Experimental within 1.x; pin to a specific Boruna release
    tag if your integration depends on those.

v0.5.0

28 Apr 05:16

Full Changelog: v0.4.0...v0.5.0

v0.4.0

27 Apr 05:25

Full Changelog: v0.3.0...v0.4.0