Releases: Query-farm/vgi-rpc-python

v0.7.1

13 Apr 02:27

  • Support multiple JWT issuers in jwt_authenticate for multi-tenant setups (e.g. Microsoft Entra)
  • Docs site restructured: 4 tabs (Home, API Reference, Guides, About)
  • Access Log and Conformance Testing pages added to Guides
  • Sidebar navigation restored on all grouped pages

v0.7.0

13 Apr 02:12

Access Log Enrichment

Every vgi_rpc.access log entry now includes full call context:

  • request_data — base64-encoded Arrow IPC bytes of the request batch (all call parameters)
  • stream_id — UUID correlating all HTTP requests in one logical stream
  • authenticated — bool from AuthContext
  • claims — JWT/OAuth claims dict
  • error_message — raw exception text (truncated to 500 chars) on error entries
  • server_version — static string passed to RpcServer at construction
  • request_state / response_state — base64 state token bytes for HTTP exchange streams

Infrastructure

  • RpcServer accepts server_version parameter
  • HTTP state token format bumped v2 → v3 (adds stream_id segment). Breaking: existing v2 tokens are rejected.
  • _AccessLogContextMiddleware prevents cross-request contextvar leakage on WSGI thread pools
  • _produce_stream_response returns error message alongside error type

Conformance Validator

New vgi_rpc.access_log_conformance CLI module validates access log output against field-presence rules. Language-agnostic — any VGI server implementation can be validated.

python -m vgi_rpc.access_log_conformance /tmp/server.log

Documentation

  • New "Access Log" page in docs site
  • "Conformance" page added to navigation

v0.6.12

10 Apr 22:42

Changes

  • Pass scopes_supported from OAuth resource metadata through to the PKCE middleware so authorization requests advertise the same scopes the server publishes. Falls back to openid email when scopes_supported is unset.

v0.6.11

10 Apr 21:09

Changes

  • Support pa.RecordBatch and pa.Schema as dataclass field types. _infer_arrow_type now maps these to pa.binary(), matching the existing value serialization/deserialization paths — you can now declare fields as pa.RecordBatch / pa.Schema directly without the Annotated[..., ArrowType(pa.binary())] boilerplate.

v0.6.10

07 Apr 13:02

What's Changed

Bug Fixes

  • Fix expired token redirect loop: Added JWT exp claim check in OAuth PKCE middleware's process_request. The landing page path is exempt from _AuthMiddleware, so an expired cookie token would cause an infinite redirect loop — now detected and the OAuth flow re-runs instead.
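
A simplified model of the decision this fix describes, added here as an illustration and not taken from the vgi-rpc code base: the landing page reads exp from the cookie token and restarts the OAuth flow when the token is expired or unreadable, instead of redirecting into a path that would bounce the user back. The function names and the action strings are hypothetical, and the signature is deliberately not verified here because the result only chooses a route; authorization stays with the auth middleware.

```python
import base64
import json
import time


def jwt_exp(token: str):
    """Return the numeric exp claim of a compact JWT, or None if unreadable."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return None
    return exp


def landing_page_action(cookie_token, now=None) -> str:
    """Choose what the auth-exempt landing page does with the cookie token."""
    now = time.time() if now is None else now
    if not cookie_token:
        return "start_oauth"
    exp = jwt_exp(cookie_token)
    # Missing or past exp: re-run OAuth rather than redirect to a protected
    # path that would reject the token and send the browser straight back.
    if exp is None or now >= exp:
        return "start_oauth"
    return "redirect_to_app"


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed clock value
    for exp in (NOW + 600, NOW - 1):
        token = make_unsigned_token({"sub": "user", "exp": exp})
        print(exp, landing_page_action(token, now=NOW))
```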

Improvements

  • Themed error pages: Extracted shared HTML styles (_FONT_IMPORTS, _ERROR_PAGE_STYLE, _VGI_LOGO_HTML) into _common.py. OAuth error page and 404 page now use the branded theme with Inter/JetBrains Mono fonts, green color scheme, logo, and footer.
  • Pin pygments<2.20: Fixes docs build crash (pymdownx filename=None).
  • Origin allowlist for return_to redirects: Added configurable allowed origins for external frontend redirect validation.

Full Changelog: v0.6.8...v0.6.10

v0.6.9

06 Apr 20:24

Changes

  • Origin allowlist for return_to redirects: _vgi_return_to redirects are now restricted to configured allowed origins (default: cupola.query-farm.services) and localhost, preventing open redirect vulnerabilities.
  • Early auth redirect: Already-authenticated users with a _vgi_return_to parameter are redirected immediately via process_request, skipping the OAuth flow entirely.
  • Configurable allowed origins: _OAuthPkceMiddleware accepts an allowed_return_origins parameter to customize the allowlist.
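
One way to write the kind of return_to check described above, as an added example that is not the project's own code. The function names, the HTTPS requirement for non-local hosts and the exact-host comparison are assumptions of this sketch; only the default host and the localhost exception come from the release note.

```python
from urllib.parse import urlsplit

# Default host taken from the v0.6.9 note; the set layout is this example's choice.
DEFAULT_ALLOWED_HOSTS = frozenset({"cupola.query-farm.services"})


def is_allowed_return_to(url: str, allowed_hosts=DEFAULT_ALLOWED_HOSTS) -> bool:
    """Return True only for absolute URLs whose host is allowlisted or localhost."""
    # Browsers treat "\" like "/" and drop tabs/newlines; urlsplit does not agree
    # with them on every input, so refuse such input before parsing.
    if not url or url != url.strip() or any(c in url for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(url)
        parts.port  # property access raises ValueError on a malformed port
    except ValueError:
        return False
    # user:pass@host lets an allowlisted name appear in the URL without being the host.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname or ""  # already lower-cased by urlsplit
    if host == "localhost":
        return parts.scheme in ("http", "https")
    # Exact match only: suffix or substring tests accept look-alike hosts.
    return parts.scheme == "https" and host in allowed_hosts


def safe_return_to(url: str, fallback: str, allowed_hosts=DEFAULT_ALLOWED_HOSTS) -> str:
    """Pick the redirect target: the requested URL if allowed, else the fallback."""
    return url if is_allowed_return_to(url, allowed_hosts) else fallback


# Constructed inputs; evil.example is a reserved placeholder domain.
SAMPLES = [
    "https://cupola.query-farm.services/app",
    "http://localhost:3000/callback",
    "https://cupola.query-farm.services.evil.example/",
    "https://cupola.query-farm.services@evil.example/",
    "//evil.example/path",
    "http://cupola.query-farm.services/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{is_allowed_return_to(sample)!s:5} {sample}")
```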

v0.6.8

03 Apr 21:50

What's Changed

  • Request offline access for external frontends: When return_to is set, the OAuth authorization URL now includes access_type=offline and prompt=consent so Google returns a refresh_token. This lets external frontends (e.g. DuckDB WASM) silently refresh expired id_tokens without user interaction.

v0.6.7

03 Apr 21:27

What's Changed

  • External frontend redirect now includes OAuth metadata: The URL fragment on return_to redirects now passes refresh_token, token_endpoint, client_id, client_secret, and use_id_token so external frontends can refresh tokens independently.
  • Token exchange returns refresh_token: _exchange_code_for_token now returns a 3-tuple (token, max_age, refresh_token).
  • All fragment values are URL-encoded via urllib.parse.quote.

v0.6.6

03 Apr 20:33

What's Changed

  • OAuth PKCE external frontend support: Session cookie wire format bumped to v4 with a new return_to field. External frontends can pass _vgi_return_to query parameter to receive auth tokens via URL fragment redirect instead of cookies.
  • Bug fix: Fixed session cookie cleanup path mismatch in the external redirect branch — the cookie path now correctly matches where it was set ({prefix}/_oauth/), ensuring browsers actually delete it.
  • Lint fixes: Sorted __slots__, import ordering, and indentation cleanup.

v0.6.5

01 Apr 03:56

Changes

  • HTTP 500 → 200 for server errors: Server errors are now returned as HTTP 200 with an X-VGI-RPC-Error: true header. This ensures clients that discard response bodies on 5xx status codes still receive the Arrow IPC error metadata. Client errors (400/401/404/415) remain unchanged.
  • CORS: X-VGI-RPC-Error is now included in the CORS expose headers.
  • OAuth PKCE: Added browser-based OAuth PKCE flow support and fixed mypy/ty strict type narrowing issues.