0.8.0¶
Released 2026-06-22.
The SaaS-readiness release. 0.8.0 lands the two pillars a multi-tenant, externally-exposed Toise needs — access security and resilience / HA — alongside a multi-source identity overlay and a major attribute-enrichment pass. The throughline: Toise now scales from the zero-config single binary all the way to a hardened SaaS, with every step opt-in and additive — the default out-of-the-box experience is unchanged (and now guarded by a CI smoke test).
Not a wire-contract break, no data migration. See the 0.7 → 0.8 migration guide and the new Deployment tiers & SaaS operations guide.
Access security (ADR 0028)¶
Everything you need to expose Toise to external customers — all off by default:
derive-onlytenant trust mode — the tenant is derived from the request's scoped token and the clientX-Scope-OrgIDheader is ignored, so a caller can never claim another tenant. (The defaulttrust-headerstays correct behind an authenticating gateway.)- Tokens hashed at rest (SHA-256) — a leaked config or memory dump exposes no usable credential.
- Per-tenant RBAC — role-scoped tenant tokens (read / ingest / full).
- OIDC / JWT verification on the read surfaces — verify customer SSO tokens, with the tenant and role read from claims.
- mTLS on ingest — authenticate producers by client certificate.
- Audit log — an append-only JSON trail of operator writes.
Resilience & HA (ADR 0029)¶
- Scheduled online backups and continuous log shipping — to a directory or an S3-compatible store (AWS S3, MinIO, Ceph, R2 — one config shape).
restore-logrebuilds a data dir from shipped segments, directly from the configured target (S3 or a directory).- Read HA with no clustering — run N identical replicas behind a load balancer; each rebuilds its projection from the same OTLP fan-out.
- Tenant scaling — a per-node cap (
max_tenants) plus horizontal sharding, with atoise_tenants_opengauge to watch headroom. No Raft, no ring.
Multi-source identity (ADR 0020)¶
Producers can now assert that two entities are the same real thing — a same_as
belief edge carrying a confidence and a basis (e.g. a serial match or Hyper-V KVP
guest id). Above a configurable confidence threshold, get_entity shows the
canonical group, and impact_of / find_path treat a machine's facets as one
— without ever merging storage (the exact entities and any low-confidence
evidence stay intact).
Attribute enrichment¶
- A cross-cutting governance vocabulary (ownership, criticality, location,
lifecycle) advertised on
describe_schema, so an LLM discovers what it can filter on before any producer emits it. - Attribute filtering on the GraphQL
entitiesquery — parity with the MCPfind_entities. - Pinned descriptive vocabularies for
host,network.device,network.interface,compute.vm,service.listenerand the remote-probe entities (AT8–AT13).
Also¶
- ADRs 0028 / 0029 / 0030 ratified; a consolidated Deployment tiers & SaaS guide; a tier-0 zero-config CI smoke test so the out-of-the-box path can never silently regress.
- Fixes:
go installworks again, the/vizgraph no longer truncates at 200 items, and the cold subcommands tolerate shipping environment variables.
The full changelog is in
CHANGELOG.md.