Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[v1.2.0] - 2026-04-13

Added

Dir: Multiprovider OIDC-based external authorization module (#1034)
Dir: DeleteReferrer API support (#993)
CLI: dirctl daemon command (#1200)
CLI/Daemon: Daemon configuration file support (#1218)
CLI/Daemon: Peer-ready routing defaults (#1268)
SDK: OIDC auth support for Python SDK (#1201)
SDK: OIDC auth support for JavaScript/TypeScript SDK (#1219)
Dir: SQLite support and configuration for server database (#1195)
Runtime: Runtime discovery component integration in daemon (#1277)
Runtime: Runtime client methods and daemon tests (#1283)
Importer: File fetcher support (#1217)
Importer: Agent skill import from file (#1276)
Release: Publish dir-apiserver binaries for multiple platforms (#1179)
Authz: Constrained wildcard matching for GitHub workflow principals (#1167)

Changed

Importer: Revamp importer module (#1092)
Dir: Refactor PullReferrer implementation (#1067)
OIDC: Replace Zitadel with Dex as OIDC provider (#1216)
CLI/Client: Simplify OIDC client and add device flow support (#1220)
Dir/CI: Reusable build-dirctl and GitHub OIDC token actions (#1168)
Dir/CI: Follow new OIDC pattern in import-records workflow (#1177)
Workflows: Pin demo and import workflows to dirctl version (#1207)
Tests: Remove e2e-production suite and update README (#1241)
Deps: OASF SDK 1.0.5 support (#1298)
Dir/Helm: Add latest Helm releases and render routing service annotations (#1290, #1309)
Dependencies: Update JavaScript, Go patches, GitHub Actions, uv, and Helm/Zot/PostgreSQL packages (#1306, #1305, #1303, #1302, #1304, #1301)

Fixed

Importer: Import workflow command paths and flags handling (#1090, #1226, #1230)
Importer: Revert import command type in workflow (#1238)
Tests: Flaky e2e network tests due to shared data and sync timeout (#1182)
CI: Switch to native Kind networking for e2e tests (#1199)
CI: Include package-lock.json in Docker builds for SDK e2e tests (#1142)
CI/Cron: Security scanning artifact names, permissions, and schedule fixes (#1152, #1183)
Renovate: Resolve buf dependencies and adjust deps handling (#1109, #1147)
Dir: Skip pre-commit install when hooksPath is set (#1215)
Dir: Test file check fix and remove parallel lint runs (#1214, #1227)
Dirctl: Use UTC millisecond timestamps for cached tokens (#1284)
Dir/Helm: Helm version fix (#1294)

Security

Dependencies: Replace Docker with Moby in dependency set (#1299)
Dir: Package upgrades to address security alerts (#1291)
Dependencies: Security bumps for golang.org/x/crypto, OpenTelemetry SDK/exporters, AWS eventstream, and go-jose (#1307, #1289, #1288, #1279, #1246)

[v1.1.0] - 2026-03-19

Added

Dir: Referrer CIDs (#1027)
Dir: Validation for referrer record CIDs (#1035)
Dir: Protovalidate (#1030)
Reconciler: Signature verification task (#985)
Importer: Behavioral scanner (#1043)
Importer: Allowed tools in MCP server configuration (#1051)
Importer: Security scanner boilerplate (#1014)
Tests: Production-like E2E test suite and Taskfile updates (#1050)
Tests: E2E tests for the referrer API (#1003)
Dir: Delve debugger (#1020)
MCP: Name verification MCP tool (#982)

Changed

Dir: Refactor PushReferrer (#1065)
Dir: Update SPIRE image (#1069)
Dependencies: Bump oasf-sdk to v1.0.3 across Go modules (#1079, #1062)
SDK: Update Python SDK pyasn1 package (#1066)
Dir: Update Go modules (#1077)
CI: Update actions (#1070)
CI: Collect coverage and upload at once (#1038)
CI: Migrate deprecated release actions to softprops/action-gh-release (#1052)
Dir: Bump SPIRE to 1.14.2 and unify container scan image list (#1044)
Dir: Fix vulnerable MCP SDK Go package (#1040)
CI: Update reusable actions version (#1037)
Dir: Documentation and repo cleanup (#1032)
Dir: Split up Taskfile tasks (#1025)
Dir: Update Zot image version (#1022)
Docker: Refactor Dockerfile build arguments (#1015)
Workflows: Change default dry_run to 'false' in import-records.yaml (#977)
Reconciler: Migrate reverification to reconciler name task (#976)
Dir: Add dir-demo-bot (#972)
Toolchain: Bump Go to 1.26.0 and golangci-lint to 2.10.1 (#975)
CI: Bump days to mark items stale (#970)
Packaging: Update brew formula version (#965)
CI: Update DMG and ZIP file names in GUI CI workflow (#978)
Dir: Update PostgreSQL (#995, #1000)
SDK: Update packages and example package-lock.json (#997, #996, #1028)
Dependencies: Bump modelcontextprotocol/go-sdk 1.3.0 → 1.3.1 in /mcp (#992)
SDK: Bump rollup 4.55.1 → 4.59.0 in dir-js (#990)
Docs: Update README for Directory CLI and installation (#987)
Docs: Add verify name MCP tool (#983)
Tests: Move E2E to tests and add MCP tests to CI (#1016)
Importer: Extend unit tests (#998)

Fixed

Importer: Go version (#1049)
CI: List image task path (#1045)
Reconciler: Debug image (#1024)
Install/Docker: Compose health checks (#1017)
Dir: PostgreSQL version in Docker Compose (#1000)
Dir: Coverage test run (#953)

Security

Dir: Fix vulnerable MCP SDK Go package (#1040)

[v1.0.0] - 2026-02-19

Added

Server: Enable regsync atomic sync processing (#951)

Changed

Dependencies: Bump oasf-sdk v1.0.0 → v1.0.1 (#957)
Packaging: Fix packages and maintainers (#950)
Packaging: Update brew formula version (#949)
Server: Validate sync deletion requests (#956)

Fixed

Reconciler: Create reconciler ClusterSPIFFEID (#961)
Reconciler: Fix reconciler deployment SPIFFE socket path (#959)
Dirctl: Make publish and unpublish message similar (#952)
CI/CD: Update module extraction command in post-release workflow (#948)

[v1.0.0-rc.4] - 2026-02-13

Added

Helm: Topology-aware StorageClass support for Zot config (#937)
Client: Extended options for record signing/verification (#930)
Sign: Switch to local trust chain verification (#921)
CI/CD: Push record and validate record GitHub Actions (#935)

Changed

Security: Bump Go v1.25.7 and package versions (#945)
Dependencies: Update go mods across modules (#943)
Helm: Bump Bitnami PostgreSQL chart 18.2.3 → 18.2.6 (#927)
SDK: Update Python cryptography dependency (#933)
Dir: Remove unused OCI annotations (#923)
CI/CD: Simplify image security scanning GitHub Action (#940)
CI/CD: Add GH token env for gh cli, fix repository/owner params and PostgreSQL image version (#939)
CI/CD: Fix token timing in demo-dir workflow and remove demo-dirctl (#928)

Fixed

Sync/Zot: Registry URL handling and validation (#944)
Dir: Get latest tag without slash instead of release (#934)
GUI: Improve verification details parsing and add verification result widget (#932)
CI/CD: Handle command execution errors in import-records workflow (#938)

E2E

E2E: Add hardcoded expected CID for e2e test (#931)

[v1.0.0-rc.3] - 2026-02-06

Added

Runtime: Runtime process discovery service with multi-runtime support (#808)
- Event-based Docker container discovery with real-time monitoring
- Containerd runtime support for container lifecycle tracking
- Kubernetes workload discovery via CRD-based integration
- gRPC API for querying discovered processes and workloads
- Helm chart and installation scripts for deployment
- CRD (CustomResourceDefinition) for DiscoveredWorkload resources
- ETCD-based storage backend for workload state persistence
MCP: Signature verification tool for validating signed records (#906)
GUI: Record signature verification support in Flutter UI (#909)
Importer: Rate limiting for LLM API calls to prevent quota exhaustion (#888)
Importer: Enhanced dry-run functionality to save output records to file for debugging (#888)
Importer: Max-steps parameter for model configuration control (#888)
CI/CD: Scheduled MCP import workflow for automated registry population (#874)
- Filtered MCP import via configurable input settings
- Signing and rate limiting support during automated imports
- Production authentication for scheduled imports
CI/CD: Security scanning for runtime container images (#912)

Changed

Importer: Clear enricher session after each prompt to prevent context accumulation (#888)
Dependencies: Bump OASF and oasf-sdk from 1.0.0-rc.1 to 1.0.0 (#908)

Fixed

Runtime: Enable OASF resolvers with annotations for proper name resolution (#910, #911)
GUI: Restrict MCP write access to Agent Directory for security (#902)
CI/CD: Fix workflow inputs for improved automation (#900)
E2E: Add comprehensive tests for remote name resolution functionality (#895)
Docs: Extend runtime discovery and runtime documentation (#903)

[v1.0.0-rc.2] - 2026-02-02

Fixed

Helm: Fix Reconciler Zot connectivity by respecting explicit registry_address configuration. The chart.oci.registryAddress helper was incorrectly forcing the internal Zot service address when the Zot subchart configuration existed, ignoring the explicitly configured external config.store.oci.registry_address. This caused the Reconciler to attempt HTTPS connections to the internal HTTP-only Zot service, resulting in TLS handshake failures and indexer task failures. The fix ensures the Reconciler uses the same external Zot registry configuration as the apiserver.

[v1.0.0-rc.1] - 2026-01-30

Key Highlights

This release candidate marks a major milestone with production-ready authentication, authorization, database scalability, and async operations support:

Authentication & Authorization

Multi-provider authentication via Envoy External Authorization (GitHub OAuth2 + PAT support)
Role-Based Access Control (RBAC) with Casbin policy engine
Dynamic authorization policies with user/org/role-based permissions
CLI authentication flows (dirctl auth login/logout/status)

Database & Scalability

PostgreSQL as default database (replaces SQLite for production)
Bitnami PostgreSQL Helm subchart integration
Reconciler service for async operations (regsync + search indexer)
Cross-registry sync support (GHCR, Docker Hub, Zot)

Observability & Operations

Domain ownership verification and re-verification service
Enhanced GUI with Flutter implementation and Google Analytics
Improved MCP tools and workflows
OASF 1.0.0-rc.1 compatibility

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v1.0.0-rc.1	oasf v1.0.0-rc.1
dirctl	v1.0.0-rc.1	dir-apiserver >= v0.6.0
dir-go	v1.0.0-rc.1	dir-apiserver >= v0.6.0
dir-py	v1.0.0-rc.1	dir-apiserver >= v0.6.0
dir-js	v1.0.0-rc.1	dir-apiserver >= v0.6.0
envoy-authz	v1.0.0-rc.1	dir-apiserver v1.0.0-rc.1
dir-reconciler	v1.0.0-rc.1	dir-apiserver v1.0.0-rc.1
helm-charts/dir	v1.0.0-rc.1	dir-apiserver v1.0.0-rc.1
helm-charts/dirctl	v1.0.0-rc.1	dirctl v1.0.0-rc.1

Added

Auth: Envoy External Authorization with GitHub OAuth2 and PAT support (#807)
Auth: Casbin-based RBAC with role/user/org policy engine (#845)
Auth: Dynamic authorization policies with wildcard method matching (#834)
Auth: CLI authentication commands (dirctl auth login/logout/status) (#807)
Database: PostgreSQL support with Bitnami subchart integration (#849, #876)
Reconciler: Async operations service with task-based architecture (#835)
Reconciler: Regsync task for cross-registry synchronization (GHCR, Docker Hub) (#835)
Reconciler: Search indexer task for database-backed search (#875)
Verification: Domain ownership verification system (#803)
Verification: Re-verification service and verification storage (#826)
CLI: dirctl pull by name for pulling records by name (#842)
CLI: dirctl validate command for record validation (#793)
CLI: --sign flag for import command (#858)
GUI: Initial Flutter UI implementation with MCP integration (#804)
GUI: Google Analytics via Measurement Protocol (#850)
GUI: Runtime configuration for GA4 analytics (#883)
MCP: GitHub authentication setup documentation with PAT recommendations (#853)
SDK: JavaScript SDK npm trusted publishers (#800)
Dependencies: OASF 1.0.0-rc.1 support (#884)
Testing: HTTP validation for record names (e2e) (#818)

Changed

Database: Default database type changed from SQLite to PostgreSQL (#876)
PostgreSQL: Helm subchart enabled by default (Bitnami 18.2.3) (#876)
Auth: Server-side signature verification (moved from client) (#809)
Storage: Abstract OCI registry interface for multi-backend support (#801)
Validation: Server-side validation configuration (#785)
Sync: Worker authentication with remote directory nodes (#848)
CLI: UI/UX improvements for Agent Directory GUI (#837)
Release: Decouple SDK releases from main CI/CD (#800)
Refactor: Remove DNS name verification (#833)
Dependencies: Bump zot to latest version (#879)
Dependencies: Update go-tuf/v2 to v2.4.0 (#838)
Dependencies: Update OASF SDK to v0.0.16 (#847)
Dependencies: Bump lodash to v4.1.23 in SDK JavaScript (#869)
Dependencies: Bump github.com/theupdateframework/go-tuf/v2 to v2.4.1 (#868)
Dependencies: Bump github.com/sigstore/cosign/v3 to v3.0.4 (#817)
Security: Update Go packages to fix vulnerabilities (#839, #821)

Fixed

Reconciler: Docker warning with regsync version (#885)
Authz: Federation e2e authorization config (#854)
GUI: mcp-server.exe extension handling on Windows (#866)
GUI: Runtime GA4 analytics configuration (#883)
GUI: Test coverage and flaky tests (#843)
Importer: Mandatory enrichment and MCP fixes (#860)
SDK: Python version resolution for SDK tests (#865)
SDK: Python package updates (#824)
SDK: JavaScript SDK example and CI validation (#794)
CLI: Unit tests with OASF server update (#827)
CI: Post-release tag filtering and robust Windows build (#864)
CI: Release upload paths and signature verification (#862)
CI: Robust macOS signing and release upload (#861, #859, #855)
CI: mcp-server permissions on macOS (#859)
CI: Write permissions for macOS app re-signing (#855)
CI: Skip full runs on non-code changes with paths-ignore (#806)

Removed

Refactor: DNS name verification (replaced with domain ownership verification) (#833)

Full Changelog

[v0.6.0] - 2025-12-19

Key Highlights

This release consolidates improvements from v0.5.1 through v0.5.7, focusing on operational reliability, integration enhancements, and cross-registry support, including:

Tooling & Integration

Enhanced local search implementation with wildcard support
Configurable server-side OASF validation with auto-deployment support
Extended MCP tools for record enrichment and import/export workflows
Domain-based enrichment capabilities for importer service
Support across different OCI Registry storage backends

Observability & Operations

Enhanced SPIRE support for reliability and multi-SPIRE deployments
Prometheus metrics with ServiceMonitor and gRPC interceptors

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v0.6.0	oasf v0.3.x, v0.7.x, v0.8.x
dirctl	v0.6.0	dir-apiserver >= v0.5.0
dir-go	v0.6.0	dir-apiserver >= v0.5.0
dir-py	v0.6.0	dir-apiserver >= v0.5.0
dir-js	v0.6.0	dir-apiserver >= v0.5.0
helm-charts/dir	v0.6.0	dir-apiserver >= v0.5.0
helm-charts/dirctl	v0.6.0	dirctl >= v0.5.0

Added

SPIRE: SPIFFE CSI driver support for reliable identity injection (#724)
SPIRE: Automatic writable home directory when readOnlyRootFilesystem is enabled (#724)
SPIRE: ClusterSPIFFEID className field for proper workload registration (#774)
Helm: External Secrets Operator integration for credential management (#691)
Helm: DNS name templates for SPIRE ClusterSPIFFEID (#681)
Helm: SQLite PVC configuration support (#713)
Helm: OASF configuration for API validation (#769)
Helm: Recreate deployment strategy to prevent PVC lock conflicts (#720)
Observability: Prometheus metrics with ServiceMonitor and gRPC interceptors (#757)
Security: Container security scan workflow with automated version detection (#746)
SDK: Additional gRPC service methods in Python and JavaScript SDKs (#709)
MCP: Import/export tools and prompts for workflow automation (#705)
MCP: OASF schema exploration tools for enricher workflow (#680)
Importer: Domain-based record enrichment (#696)
Importer: Deduplication checker prioritization (#743)
Validation: Server-side OASF API validation (#711)
CI/CD: Feature branch build workflows for images and charts (#739)

Changed

Search: Refactored local search implementation (#747)
Search: Removed search subcommands for simplified CLI (#759)
Importer: Migration to oasf-sdk/translator (#624)
Configuration: Updated OASF validation environment variables (#754)
Toolchain: Disabled Go workspace mode (#732)
Dependencies: Bump golang.org/x/crypto to v0.45.0 (#744)
Dependencies: Bump js-yaml to v4.1.1 (#745)
Dependencies: Update zot and fix CodeQL warnings (#761)
Dependencies: Bump github.com/sigstore/cosign (#773)

Fixed

SPIRE: X.509-SVID retry logic for timing issues in short-lived workloads (#735, #741)
SPIRE: "certificate contains no URI SAN" errors in CronJobs (#724)
Helm: Add /tmp volume when rootfs is read-only (#718)
CI: Prevent disk space issues in runners (#749)
CI: Avoid PR label duplication (#755)
CI: Fix unit test execution (#733)
CI: Fix reusable build workflow component tag handling (#742)
CI: Add SPIRE task cleanup with sudo (#734)
CI: Helm linting integration (#780)
Brew: Formula updater process after public release (#686)

Removed

Cleanup: Outdated components and unused code (#783)

Full Changelog

[v0.5.7] - 2025-12-12

Key Highlights

This patch release fixes a critical SPIRE integration bug and adds OASF configuration support:

Critical Fix: Added mandatory className field to ClusterSPIFFEID resources to ensure proper SPIRE workload registration
New Feature: OASF configuration support in Helm chart for API validation
Dependencies: Updated cosign and zot dependencies

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v0.5.7	oasf v0.3.x, v0.7.x, v0.8.x
dirctl	v0.5.7	dir-apiserver >= v0.5.0
dir-go	v0.5.7	dir-apiserver >= v0.5.0
dir-py	v0.5.7	dir-apiserver >= v0.5.0
dir-js	v0.5.7	dir-apiserver >= v0.5.0
helm-charts/dir	v0.5.7	dir-apiserver >= v0.5.0
helm-charts/dirctl	v0.5.7	dirctl >= v0.5.0

Added

Helm: OASF configuration support for API validation settings (#769)
Helm: OASF server deployment option with directory (#769)

Changed

Dependencies: Bump github.com/sigstore/cosign dependency (#773)
Dependencies: Update zot dependency (#761)

Fixed

Helm: Add mandatory className field to ClusterSPIFFEID resources in both apiserver and dirctl charts (#774)
CI: Pin CodeQL analyze action version to match init version (#774)

Full Changelog

[v0.5.6] - 2025-12-05

Key Highlights

This patch release adds observability improvements, refactors search functionality, and updates configuration validation.

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v0.5.6	oasf v0.3.x, v0.7.x, v0.8.x
dirctl	v0.5.6	dir-apiserver >= v0.5.0
dir-go	v0.5.6	dir-apiserver >= v0.5.0
dir-py	v0.5.6	dir-apiserver >= v0.5.0
dir-js	v0.5.6	dir-apiserver >= v0.5.0
helm-charts/dir	v0.5.6	dir-apiserver >= v0.5.0
helm-charts/dirctl	v0.5.6	dirctl >= v0.5.0

Added

Observability: Prometheus metrics support with ServiceMonitor and gRPC interceptors (#757)
CLI: Add --format flag to search command for output control (#747, #759)

Changed

Refactor: Improve local search implementation and testing (#747)
Configuration: Update OASF API validation environment variables (#754)

Fixed

CI: Avoid PR label duplication (#755)
CI: Prevent disk space issues in CI runners (#749)

Full Changelog

[v0.5.5] - 2025-12-01

Key Highlights

This patch release refactors SPIFFE X.509-SVID retry logic into a shared package for better code organization and maintainability.

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v0.5.5	oasf v0.3.x, v0.7.x, v0.8.x
dirctl	v0.5.5	dir-apiserver >= v0.5.0
dir-go	v0.5.5	dir-apiserver >= v0.5.0
dir-py	v0.5.5	dir-apiserver >= v0.5.0
dir-js	v0.5.5	dir-apiserver >= v0.5.0
helm-charts/dir	v0.5.5	dir-apiserver >= v0.5.0
helm-charts/dirctl	v0.5.5	dirctl >= v0.5.0

Changed

Refactor: Centralize X.509-SVID retry logic in utils/spiffe package (#741)

Fixed

Code Quality: Remove duplicate retry constants and improve code organization (#741)

Full Changelog

[v0.5.4] - 2025-11-26

Key Highlights

This patch release improves SPIFFE authentication reliability for short-lived workloads:

Client-side retry logic with exponential backoff for X509-SVID fetching
Handles SPIRE agent sync delays in CronJobs and ephemeral pods
Prevents "certificate contains no URI SAN" authentication failures

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v0.5.4	oasf v0.3.x, v0.7.x, v0.8.x
dirctl	v0.5.4	dir-apiserver >= v0.5.0
dir-go	v0.5.4	dir-apiserver >= v0.5.0
dir-py	v0.5.4	dir-apiserver >= v0.5.0
dir-js	v0.5.4	dir-apiserver >= v0.5.0
helm-charts/dir	v0.5.4	dir-apiserver >= v0.5.0
helm-charts/dirctl	v0.5.4	dirctl >= v0.5.0

Fixed

Client: X509-SVID retry logic with exponential backoff to handle SPIRE agent sync delays (#725)
Client: "certificate contains no URI SAN" errors in CronJobs and short-lived workloads (#725)

Full Changelog

[v0.5.3] - 2025-11-25

Key Highlights

This patch release improves SPIFFE identity injection reliability and chart security:

SPIFFE CSI driver support eliminates authentication race conditions
Automatic writable home directory for security-hardened deployments
Read-only SPIRE socket mounts for enhanced security

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v0.5.3	oasf v0.3.x, v0.7.x, v0.8.x
dirctl	v0.5.3	dir-apiserver >= v0.5.0
dir-go	v0.5.3	dir-apiserver >= v0.5.0
dir-py	v0.5.3	dir-apiserver >= v0.5.0
dir-js	v0.5.3	dir-apiserver >= v0.5.0
helm-charts/dir	v0.5.3	dir-apiserver >= v0.5.0
helm-charts/dirctl	v0.5.3	dirctl >= v0.5.0

Added

Helm: SPIFFE CSI driver support with spire.useCSIDriver flag for both charts (#724)
Helm: Automatic home-dir emptyDir when readOnlyRootFilesystem is enabled (#724)

Changed

Helm: Default to SPIFFE CSI driver for production reliability (#724)

Fixed

Helm: "certificate contains no URI SAN" authentication failures in CronJobs (#724)
Helm: SPIRE socket mounts now use readOnly: true for security (#724)
Helm: "read-only file system" warnings when creating config files (#724)

Full Changelog

[v0.5.2] - 2025-11-23

Key Highlights

This release focuses on storage improvements, SDK enhancements, MCP tooling, and operational stability, including:

Storage & Deployment Improvements

SQLite PVC configuration support for persistent storage in Kubernetes deployments
Recreate deployment strategy to prevent database lock conflicts during rolling updates
Automatic /tmp emptyDir mount when readOnlyRootFilesystem is enabled for security hardening
Fixes compatibility issue between SQLite temp files and read-only root filesystem
Enhanced unit test coverage and stability

SDK Enhancements

Added Events (listen) gRPC client to Python and JavaScript SDKs
Added Publication gRPC client to Python and JavaScript SDKs
Comprehensive test coverage for new SDK methods

MCP Enhancements

Import/export tools for record management workflows
Domain enrichment capabilities for importer

CI/CD Improvements

Brew formula updater process improvements
Better release automation and publication workflow

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v0.5.2	oasf v0.3.x, v0.7.x, v0.8.x
dirctl	v0.5.2	dir-apiserver >= v0.5.0
dir-go	v0.5.2	dir-apiserver >= v0.5.0
dir-py	v0.5.2	dir-apiserver >= v0.5.0
dir-js	v0.5.2	dir-apiserver >= v0.5.0
helm-charts/dir	v0.5.2	dir-apiserver >= v0.5.0
helm-charts/dirctl	v0.5.2	dirctl >= v0.5.0

Added

Storage: PVC configuration support for SQLite (#713)
Helm: Deployment strategy configuration to prevent PVC lock conflicts (#720)
SDK: Events (listen) gRPC client for Python and JavaScript SDKs (#709)
SDK: Publication gRPC client for Python and JavaScript SDKs (#709)
MCP: Import/export tools and prompts for record workflows (#705)
Importer: Domain enrichment capabilities (#696)

Changed

CI: Update brew formula version (#702)

Fixed

Helm: Add /tmp emptyDir mount when readOnlyRootFilesystem is enabled (#718)
CI: Brew formula updater to work after release is public (#686)
Testing: Fix unit tests for storage components (#713)

Full Changelog

[v0.5.1] - 2025-11-17

Key Highlights

This release focuses on operational improvements and deployment enhancements, including:

Helm & Deployment Improvements

External Secrets Operator integration for secure credential management
SPIRE ClusterSPIFFEID DNS name templates support for external access
Improved TLS certificate SAN configuration for production deployments

MCP Enhancements

OASF schema exploration tools for AI-assisted record enrichment
Hierarchical domain and skill navigation capabilities

Dependencies & Stability

OASF SDK upgrade to v0.0.11 with latest schema improvements
SDK testing fixes for X.509 authentication mode

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v0.5.1	oasf v0.3.x, v0.7.x, v0.8.x
dirctl	v0.5.1	dir-apiserver >= v0.5.0
dir-go	v0.5.1	dir-apiserver >= v0.5.0
dir-py	v0.5.1	dir-apiserver >= v0.5.0
dir-js	v0.5.1	dir-apiserver >= v0.5.0
helm-charts/dir	v0.5.1	dir-apiserver >= v0.5.0
helm-charts/dirctl	v0.5.1	dirctl >= v0.5.0

Added

Helm: External Secrets Operator integration for credential management (#691)
Helm: DNS name templates support for SPIRE ClusterSPIFFEID (#681)
MCP: OASF schema domain and skill exploration tools for enricher workflow (#680)
Importer: OASF SDK translator for MCP Registry conversion with deduplication and debug diagnostics (#624)

Changed

Dependencies: Bump OASF SDK to v0.0.11 (#679)
CI: Update upload-artifacts version (#682)
CI: Update brew formula version (#684)
Docs: Update readme versions (#685)

Fixed

SDK: Use X.509 auth mode for testing (#678)

Full Changelog

[v0.5.0] - 2025-11-12

Key Highlights

This release focuses on extending API functionalities, improving operational reliability, strengthening security capabilities, and adding MCP (Model Context Protocol) integrations support, including:

MCP Integrations

MCP registry importer for automated OASF record ingestion
MCP server implementation with OASF and Directory tools
Added support for MCP server announce and discovery via DHT

API & Client Improvements

Event listener RPC for real-time updates across services
gRPC connection management and streaming enhancements
Rate limiting at application layer for improved stability
Health checks migrated from HTTP to gRPC

Security & Reliability

Simplified TLS-based authentication support for SDKs
Panic recovery middleware and structured logging for gRPC
Critical resource leak fixes and improved context handling
Enhanced security scanning with CodeQL workflows

Developer Experience

MCP tooling for easy record management and API access
LLM-based enrichment for OASF records
Simplified SDK integration in secure environments
Unified CLI output formats with --output flag and JSONL support

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v0.5.0	oasf v0.3.x, v0.7.x, v0.8.x
dirctl	v0.5.0	dir-apiserver >= v0.5.0
dir-go	v0.5.0	dir-apiserver >= v0.5.0
dir-py	v0.5.0	dir-apiserver >= v0.5.0
dir-js	v0.5.0	dir-apiserver >= v0.5.0
helm-charts/dir	v0.5.0	dir-apiserver >= v0.5.0
helm-charts/dirctl	v0.5.0	dirctl >= v0.5.0

Added

MCP: Add tools for record management and API operations (#465, #574, #619, #611, #650, #660)
MCP: Registry importer for automated record ingestion (#544, #568)
MCP: LLM-based record enrichment for OASF records (#646)
API: Event listener RPC exposure (#537)
API: Structured gRPC request/response logging interceptor (#566)
API: Panic recovery middleware for gRPC handlers (#573)
API: Application-layer rate limiting for gRPC (#593)
API: Readiness checks for apiserver services (#582)
API: gRPC connection management (#647)
Security: Container security scanning workflow (#547)
Security: CodeQL security workflows (#584)
Security: TLS token-based authentication for Go client/CLI (#606)
Helm: Routing service deployment configuration (#599)
Helm: Extra environment variables support in dir chart (#605)
Helm: Zot configuration and authentication (#576)
CLI: Unified output formats with --output flag and JSONL support (#587)
CLI: MCP dirctl subcommand (#660)
Testing: Unit test coverage for all Go modules (#555)
Testing: E2E test coverage (#591)

Changed

API: Push/pull API refactoring and improvements (#585, #595)
Storage: Store Capability Interfaces refactoring (#562)
SDK: Migration to local generated proto stubs (#569, #588)
CLI: Hub sign/verify commands restoration (#612)
Helm: Ingress deployment fixes (#600, #601)
Security: Security fixes and dependency updates (#602)
Health: Health checks migrated from HTTP to gRPC (#597)
Dependencies: Bump OASF SDK to v0.0.8 and v0.0.9 (#603, #640)
Dependencies: Bump Zot to latest version (#578, #579)
Dependencies: Set SPIRE version in taskfile (#583)
CI: Update container tags for security scans (#558)
CI: Tag for SDK/JS package releases (#617, #621)

Fixed

Client: Critical resource leaks and context handling issues (#577)
Client: Push stream hanging with multiple errors (#644)
Security: JWT auth test and authentication fixes (#545)
API: Rate limit E2E tests (#598)
API: Hub API updates (#595)
API: MCP search limit handling (#623)
Storage: OCI E2E concurrent issues and healthcheck service (#620)
SDK: SPIFFE sign test (#592)
SDK: Add proto stubs to repository (#588)
SDK: JS package release prefix for RC tags (#621, #625)
CLI: Sign and verify options cleanup (#673)
CLI: API key methods improvements (#659)

Removed

MCP: Remove dedicated MCP artifacts (#663)

Full Changelog

[v0.4.0] - 2025-10-15

Key Highlights

This release delivers improvements to application layer via generic referrers, security schema with JWT/X.509 support, network capabilities, operational stability, and developer experience, with a focus on:

Security & Authentication

Added JWT/X.509 over TLS versus mTLS for flexible authentication
Authenticated PeerID integration with libp2p transport
Secure credential management for zot sync operations
OCI 1.1 referrers specification migration for signature attachments

Networking & Connectivity

GossipSub implementation for efficient label announcements
Connection Manager implementation with removal of custom peer discovery
Improved routing search with better peer address handling
Locator-based record search capabilities across the network

Generic Record Referrers

Support for storage and handling of generic record referrers
Referrer object encoding across server and SDK components
Application support via referrer (e.g., signatures, attestations)

Developer Experience & Tooling

Streaming package for Golang gRPC client functionality
Standardized CLI output formats and command improvements
Reusable setup-dirctl GitHub Action for CI/CD workflows

Quality & Stability Improvements

Comprehensive test suite enhancements including SPIRE tests
E2E network test stability with environment warm-up phases
Bug fixes for API key formatting, file permissions, and documentation

Compatibility Matrix

Component	Version	Compatible With
dir-apiserver	v0.4.0	oasf v0.3.x, v0.7.x
dirctl	v0.4.0	dir-apiserver >= v0.3.0, oasf v0.3.x, v0.7.x
dir-go	v0.4.0	dir-apiserver >= v0.3.0, oasf v0.3.x, v0.7.x
dir-py	v0.4.0	dir-apiserver >= v0.3.0, oasf v0.3.x, v0.7.x
dir-js	v0.4.0	dir-apiserver >= v0.3.0, oasf v0.3.x, v0.7.x
helm-charts/dir	v0.4.0	dir-apiserver >= v0.3.0
helm-charts/dirctl	v0.4.0	dirctl >= v0.3.0

Added

Networking: GossipSub for efficient label announcements (#472)
Networking: AutoRelay, Hole Punching, and mDNS for better peer connectivity (#503)
Networking: Connection Manager implementation (#495)
Security: JWT authentication and TLS communication support (#492)
Security: Authenticated PeerID from libp2p transport (#502)
Storage: Generic record referrers support (#451, #480)
Storage: Referrer encoding capabilities (#491, #499)
API: Server validator functionality (#456)
SDK: Streaming package for gRPC client (#527)
CI: Zot dependency for server config (#444)
CI: Reusable setup-dirctl GitHub Action (#441)
CI: SPIRE tests action (#488)
CI: Local tap for testing homebrew formulae (#437)

Changed

Security: Rename mTLS to x.509 for clarity (#508)
Storage: Secure credential management for zot sync operations (#457)
API: Unify extensions to modules architecture (#463)
CLI: Standardize CLI output formats (#509)
CLI: Update search command to use routing search command flags (#521)
Docs: Update SDK source and release links (#434)
CI: Improvements to pipeline and taskfile setup (#438, #442)
CI: Bump Go, golangci-lint and libp2p (#534)
CI: Bump OASF SDK to versions 0.0.6 and 0.0.7 (#481, #489)
CI: Bump brew tap to v0.3.0 (#435)

Fixed

Networking: Empty peer addresses in routing search results (#513)
Networking: Locator-based remote record search (#469)
Networking: E2E network test flakiness with environment warm-up (#516)
Security: Auth mode mTLS issues (#517)
Security: Cosign signature attachment migration to OCI 1.1 referrers spec (#464)
Security: Signature verification against expected payload (#493)
Storage: Demo testdata and flaky test removal (#504)
SDK: JavaScript package release issues (#432)
CLI: API key list format (#494)
Docs: Remove broken links from README (#458)
Docs: Fix push and pull documentation (#436)
CI: Support multiple federation artifacts via charts (#519)
CI: Enable push to buf registry on merge (#484)
CI: Bug report template to allow version input (#460)
CI: File permissions for hub/api/v1alpha1/* (#518)

Removed

Networking: Custom peer discovery (replaced with Connection Manager) (#495)
CI: Useless files in hub/ directory (#522)

Full Changelog

[v0.3.0] - 2025-09-19

Key Highlights

This release delivers foundational improvements to security schema, storage services, network capabilities, and user/developer experience, with a focus on:

Zero-Trust Security Architecture

X.509-based SPIFFE/SPIRE identity framework with federation support
Policy-based authorization framework with fine-grained access controls
Secure mTLS communication across all services
OCI-native PKI with client- and server-side verification capabilities

Content Standardization

Unified Core v1 API with multi-version support for OASF objects
Deterministic CID generation using canonical JSON marshaling
Cross-language and service consistency with CIDv1 record addressing
OCI-native object storage and relationship management

Search & Discovery

Local search with wildcard and pattern matching support
Network-wide record discovery with prefix-based search capabilities
DHT-based routing for distributed service announcement and discovery

Data Synchronization

Full and partial index synchronization with CID selection
Automated sync workflows for simple data migration and replication
Post-sync verification checks and search capabilities across records

Developer Experience

Native Client SDKs for Golang, JavaScript, TypeScript, and Python
Standardized CLI and SDK tooling with consistent interfaces
Decoupled signing workflows for easier usage and integration
Kubernetes deployment with SPIRE and Federation support

Compatibility Matrix

The following matrix shows compatibility between different component versions:

Core Component	Version	Compatible With
dir-apiserver	v0.3.0	oasf v0.3.x, oasf v0.7.x
dirctl	v0.3.0	dir-apiserver v0.3.0, oasf v0.3.x, oasf v0.7.x
dir-go	v0.3.0	dir-apiserver v0.3.0, oasf v0.3.x, oasf v0.7.x
dir-py	v0.3.0	dir-apiserver v0.3.0, oasf v0.3.x, oasf v0.7.x
dir-js	v0.3.0	dir-apiserver v0.3.0, oasf v0.3.x, oasf v0.7.x

Helm Chart Compatibility

Helm Chart	Version	Deploys Component	Minimum Requirements
dir/helm-charts/dir	v0.3.0	dir-apiserver v0.3.0	Kubernetes 1.20+
dir/helm-charts/dirctl	v0.3.0	dirctl v0.3.0	Kubernetes 1.20+

Compatibility Notes

Full OASF support is available across all core components
dir-apiserver v0.3.0 introduces breaking changes to the API layer
dirctl v0.3.0 introduces breaking changes to the CLI usage
dir-go v0.3.0 introduces breaking changes to the SDK usage
Older versions of dir-apiserver are not compatible with dir-apiserver v0.3.0
Older versions of client components are not compatible with dir-apiserver v0.3.0
Older versions of helm charts are not compatible with dir-apiserver v0.3.0
Data must be manually migrated from older dir-apiserver versions to dir-apiserver v0.3.0

Migration Guide

Data from the OCI storage layer in the Directory can be migrated by repushing via new API endpoints. For example:

repo=localhost:5000/dir
for tag in $(oras repo tags $repo); do
    digest=$(oras resolve $repo:$tag)
    oras blob fetch --output - $repo@$digest | dirctl push --stdin
done

Added

API: Implement Search API for network-wide record discovery using RecordQuery interface (#362)
API: Add initial authorization framework (#330)
API: Add distributed label-based announce/discovery via DHT (#285)
API: Add wildcard search support with pattern matching (#355)
API: Add max replicasets to keep in deployment (#207)
API: Add sync API (#199)
CI: Add Codecov workflow & docs (#380)
CI: Introduce BSR (#212)
SDK: Add SDK release process (#216)
SDK: Add more gRPC services (#294)
SDK: Add gRPC client code and example for JavaScript SDK (#248)
SDK: Add sync support (#361)
SDK: Add sign and verification (#337)
SDK: Add testing solution for CI (#269)
SDK: Standardize Python SDK tooling for Directory (#371)
SDK: Add TypeScript/JavaScript DIR Client SDK (#407)
Security: Implement server-side verification with zot (#286)
Security: Use SPIFFE/SPIRE to enable security schema (#210)
Security: Add spire federation support (#295)
Storage: Add storage layer full-index record synchronisation (#227)
Storage: Add post sync verification (#324)
Storage: Enable search on synced records (#310)
Storage: Add fallback to client-side verification (#373)
Storage: Add policy-based publish (#333)
Storage: Add custom type for error handling (#189)
Storage: Add sign and verify gRPC service (#201)
Storage: Add new hub https://hub.agntcy.org/directory (#202)
Storage: Add cid-based synchronisation support (#401)
Storage: Add rich manifest annotations (#236)

Changed

API: Switch to generic OASF objects across codebase (#381)
API: Version upgrade of API services (#225)
API: Update sync API and add credential RPC (#217)
API: Refactor domain interfaces to align with OASF schema (#397)
API: Rename v1alpha2 to v1 (#258)
CI: Find better place for proto APIs (#384)
CI: Reduce flaky jobs for SDK (#339)
CI: Update codebase with proto namespace changes (#398)
CI: Update CI task gen to ignore buf lock file changes (#275)
CI: Update brew formula version (#372, #263, #257, #247)
CI: Bump Go (#221)
CI: Update Directory proto imports for SDKs (#421)
CI: Bump OASF SDK version to v0.0.5 (#424)
Documentation: Update usage documentation for record generation (#287)
Documentation: Add and update README for refactored SDKs (#273)
Documentation: Update README to reflect new usage documentation link and remove USAGE.md file (#332)
Documentation: Update documentation setup (#394)
SDK: Move and refactor Python SDK code (#229)
SDK: Bump package versions for release (#274)
SDK: Bump versions for release (#249)
SDK: Support streams & update docs (#284)
SDK: Update API code and add example code for Python SDK (#237)
Storage: Migrate record signature to OCI native signature (#250)
Storage: Store implementations and digest/CID calculation (#238)
Storage: Standardize and cleanup store providers (#385)
Storage: Improve logging to suppress misleading errors in database and routing layers (#289)
Storage: Refactor E2E Test Suite & Utilities Enhancement (#268)
Storage: Refactor e2e tests multiple OASF versions (#278)
Storage: Refactor: remove semantic tags keep only CID tag (#265)
Storage: Refactor: remove generated OASF objects (#356)
Storage: Refactor: remove builder artifacts and build cmd usages (#329)
Storage: Refactor: remove agent refs (#331)
Storage: Refactor: remove redundant proto files (#219)
Storage: Refactor: remove Legacy List API and Migrate to RecordQuery-Based System (#342)
Storage: Refactor: remove Python code generation (#215)