Release

Announcing Toise 0.8.0 — the SaaS-readiness release

2026-06-22

Toise has always started the same way: one binary, no config — point your OTLP producers at it and the graph appears. 0.8.0 does not touch that. What it adds is everything you need at the other end of the spectrum: running Toise as a multi-tenant service exposed to external customers — and all of it is opt-in.

This is the SaaS-readiness release. Nothing here is on by default; the out-of-the-box path is unchanged and now guarded by a CI smoke test so it can never silently regress. It is not a wire-contract break and needs no data migration — a 0.7 deployment upgrades in place.

Access security for multi-tenant SaaS

The headline of ADR 0028 is the derive-only tenant trust mode: instead of trusting a client-supplied X-Scope-OrgID header, Toise derives the tenant from the caller's scoped token, so a customer can never read or write another customer's graph. Around that: bearer tokens are hashed at rest (SHA-256), so a leaked config leaks nothing usable; per-tenant RBAC gives read / ingest / full roles; OIDC / JWT verifies a customer's SSO tokens directly; mTLS authenticates producers by client certificate; and an append-only audit log records every operator write. All off by default — the single-binary user never sees any of it.

Resilience and HA, without consensus

Toise is event-sourced — the log is the asset, and the graph is just a projection of it. So high availability needs no Raft, no ring, no clustered datastore (ADR 0029). Instead: scheduled online backups and continuous log shipping to a directory or any S3-compatible store (AWS S3, MinIO, Ceph, R2 — one config shape); a restore-log command that rebuilds a data directory from those shipped segments; and read HA by running N identical stateless replicas behind a load balancer, each rebuilding its projection from the same OTLP fan-out. Multi-tenancy scales with a per-node cap (max_tenants) plus horizontal sharding, watched by a new toise_tenants_open gauge.

Multi-source identity, without merging

Real infrastructure shows the same machine through many lenses — a host agent, an SNMP poll, a hypervisor's guest inventory — and they rarely share one identifier. Toise refuses to guess that two entities are the same thing; fuzzy merges are how a topology graph quietly becomes wrong. ADR 0020 gives producers a precise way to say it instead: a same_as belief edge carrying a confidence and a basis — a serial-number match, a Hyper-V KVP guest id, whatever evidence the producer has. Above a threshold you configure, get_entity surfaces the canonical group, and impact_of and find_path treat a machine's facets as one node — at read time, with storage never merged and low-confidence evidence kept rather than silently applied.

Better data for the consumer

The graph is increasingly read by an LLM, so 0.8.0 makes it more legible. A cross-cutting governance vocabulary (ownership, criticality, location, lifecycle) is advertised on describe_schema, so a consumer discovers what it can filter on before any producer emits it. The GraphQL entities query gains attribute filtering at parity with the MCP find_entities tool, and we pinned descriptive vocabularies for host, network.device, network.interface, compute.vm, service.listener and the remote-probe entities.


Get it

go install github.com/toise-dev/toise/cmd/toise-server@v0.8.0

Binaries for linux and darwin (amd64 / arm64) are on the release, each with a checksum. See the 0.8.0 docs and the new Deployment tiers & SaaS guide for turning each feature on, plus the migration guide and the changelog.