v0.9.3

What's Changed

• Manual shutdown by @RomanEmreis in #193

Full Changelog: 0.9.2...0.9.3

v0.9.2

What's Changed

• HSTS validation by @RomanEmreis in #190
• Polishing invariants + removed deprecated code by @RomanEmreis in #191
• multipart response by @RomanEmreis in #192

Breaking Changes

• HstsConfig::with_preload() panics if max_age < 1 year; HstsConfig::with_max_age(...) panics if called when preload is enabled and the new value is below 1 year (#190).
• TlsConfig, RedirectionConfig, and Problem are now #[non_exhaustive]. External code can no longer construct them with struct literals or exhaustively pattern-match (#190, #191).
• Removed the deprecated problem! macro. Use volga::error::Problem instead (#191).
• From<Algorithm> for jsonwebtoken::Algorithm and the reverse impl are removed. jsonwebtoken::Algorithm is no longer reachable through volga's public API; conversion is crate-internal via Algorithm::to_jwt() (#191).
• Problem responses now use the correct application/problem+json content type (#191).

Full Changelog: 0.9.1...0.9.2

v0.9.1

What's Changed

• Make auth/config APIs explicit and decouple JWT (breaking) by @RomanEmreis in #189

Breaking Changes

• volga::auth no longer re-exports jsonwebtoken::Algorithm, DecodingKey, EncodingKey, JwtError, or ErrorKind. Replaced by volga-owned Algorithm, DecodingKey, and EncodingKey at the same paths. User code that imports these by name continues to compile; code using ErrorKind for pattern-matching JWT errors or calling EncodingKey::from_rsa_der / from_ec_der / from_ed_der / DecodingKey::from_jwk / from_rsa_components will break. Use the dedicated PEM / base64 / secret / env / file constructors instead.
• BearerTokenService::validation() is removed. Configure via BearerAuthConfig; no introspection is exposed.
• BearerAuthConfig::with_aud now automatically adds aud to required claims. Tokens missing aud are rejected when audiences are configured. Call without_strict_aud() to opt out.
• require_https is enabled by default. Non-TLS, non-loopback requests are rejected with 400 Bad Request. Reverse-proxy deployments must call require_https(false).
• strip_token_from_request is enabled by default. The Authorization header is removed after successful bearer auth. Disable via strip_token_from_request(false) if downstream handlers need it.
• CorsConfig::with_credentials(bool) and with_vary_header(bool) no longer take a bool. The no-arg forms enable the feature; use the new without_credentials() / without_vary_header() to disable.
• HstsConfig::with_preload(bool) and with_sub_domains(bool) no longer take a bool. The no-arg forms enable the feature; use the new without_preload() / without_sub_domains() to disable.
• WebSocketConnection::with_accept_unmasked_frames(bool) no longer takes a bool. Use the no-arg form to enable and without_accept_unmasked_frames() to disable.
• Removed App::with_default_cors(). Use .set_cors(CorsConfig::default()) instead.
• Removed App::with_default_tracing(). Use .set_tracing(TracingConfig::default()) instead.
• Removed TlsConfig::with_hsts_preload, with_hsts_sub_domains, with_hsts_max_age, and with_hsts_exclude_hosts shortcuts. Configure through the with_hsts(|h| h. ...) closure on TlsConfig (e.g. with_hsts(|h| h.with_preload().with_sub_domains())).

Full Changelog: 0.9.0...0.9.1

v0.9.0

What's Changed

• Public API stabilization & bugfix by @RomanEmreis in #188

💥 Breaking Changes

• Header mutation methods now return &mut Self (was Header<T>/()).
• append_header() is now infallible and no longer returns Result.
• Changed visibility of RESPONSE_ERROR and SERVER_NAME constants.
• Changed visibility of Error::status and Error::instance fields, now these data can be fetched by methods: Error::status(), Error::instance()

Full Changelog: 0.8.9...0.9.0

v0.8.9

What's Changed

• Performance improvements by @RomanEmreis in #174
• Parameterized middleware by @RomanEmreis in #175
• Improved graceful shutdown by @RomanEmreis in #176

💥 Breaking Changes

• Renamed middleware traits to match DSL:
  MiddlewareHandler → With,
  TapReqHandler → TapReq,
  MapOkHandler → MapOk,
  MapErrHandler → MapErr

• call() replaced with DSL-aligned methods (with, tap_req, map_ok, map_err)

• Removed type Future from middleware traits (now using impl Future)

• Introduced attach(...) for parameterized middleware (preferred over wrap(...))

Full Changelog: 0.8.8...0.8.9

v0.8.8

What's Changed

• rate limiting pluggable store re-exports by @RomanEmreis in #172
• file-base server config by @RomanEmreis in #173

Full Changelog: 0.8.7...0.8.8

v0.8.7

What's Changed

• Added to_map method for HttpHeaders extrator by @RomanEmreis in #169
• rustfmt formatting by @RomanEmreis in #170
• Rate Limiter Pluggable store & greeter updates by @RomanEmreis in #171

Full Changelog: 0.8.6...0.8.7

v0.8.6

What's Changed

• Framework size optiomization, small refactoring and polishing by @RomanEmreis in #165
• Add fuzz testing for router and OpenAPI by @RomanEmreis in #166
• Middleware perf tuning by @RomanEmreis in #167

Full Changelog: 0.8.5...0.8.6

v0.8.5

What's Changed

• OpenAPI: per-status response config + RFC 7807 problem+json support by @RomanEmreis in #162
• Global Error Handler and hot-path optimizations by @RomanEmreis in #163
• Nested Route Groups by @RomanEmreis in #164

Full Changelog: 0.8.4...0.8.5

v0.8.4

What's Changed

• HTTP headers updates by @RomanEmreis in #158
• Open API integration by @RomanEmreis in #159

Full Changelog: 0.8.3...0.8.4