0.10.2-rc0

What's Changed

• refactor: lift denormalized-column list to MessageDb.DENORMALIZED_COLUMNS by @odesenfans in #1117
• feat: denormalize message and post tags into TEXT[] columns by @odesenfans in #1116
• Fix WS active-connection counter leak in MessageBroadcaster by @aliel in #1118
• refactor: eager-write lot cache for credit_balances by @odesenfans in #1122
• Chore(deps): Bump sentry-sdk from 2.57.0 to 2.58.0 by @dependabot[bot] in #1098
• Chore(deps): Bump types-aiofiles from 25.1.0.20251011 to 25.1.0.20260409 by @dependabot[bot] in #1086
• Chore(deps): Bump psycopg2-binary from 2.9.11 to 2.9.12 by @dependabot[bot] in #1105
• Chore(deps): Bump pydantic from 2.12.5 to 2.13.3 by @dependabot[bot] in #1106
• Chore(deps-dev): Bump more-itertools from 11.0.1 to 11.0.2 by @dependabot[bot] in #1092

Full Changelog: 0.10.1...0.10.2-rc0

0.10.1

This release brings authenticated IPFS uploads, a new instance price estimation endpoint, configurable upload limits, fan-out WebSocket metrics, and a broad sweep of security hardening, bug fixes, and Docker image improvements.

New Features ✨

• Authenticated IPFS Uploads: New POST /api/v0/ipfs/add_file endpoint for authenticated IPFS uploads. (PR #1110) 🔐
• Instance Price Estimation: New POST /api/v0/price/estimate/instance endpoint to estimate the cost of an instance before submitting it. (PR #1088) 💲
• Authorizations API: New endpoints for forward and reverse permission lookups. (PR #1045) 🔑
• Cursor-Based Pagination Everywhere: Cursor pagination is now available on all list endpoints. (PR #1085) 📄
• Storage Metadata Endpoint: New GET /storage/metadata/{file_hash} endpoint to retrieve storage metadata. (PR #1048) 📦
• Configurable Storage Upload Limits: Upload size limits are now configurable. (PR #1090) ⚙️
• Exclude Content from Messages: Added an excludeContent query parameter to GET /messages and the WebSocket stream to slim down responses. (PR #1043) ✂️
• Credit History Filtering & Sorting: /credit_history now supports filters and sorting. (PR #1099) 🔍
• Credit Details on Balance Endpoint: New include_credit_details parameter on /balance. (PR #1100) 💳
• Non-POST Message Content: /messages/{hash}/content now returns content for non-POST message types. (PR #1107) 📨
• Shared WebSocket Metrics: WebSocket metrics are now shared across gunicorn workers via Redis. (PR #1089) 📊
• In-Process Fanout Broadcaster: Replaced per-client RabbitMQ queues with an in-process fanout broadcaster, reducing broker pressure. (PR #1062) 📡

Security Hardening 🛡️

• Credit Expiration Bypass via Retransfer: Fixed a flaw allowing credit expiration to be bypassed by retransferring credits. (PR #1104)
• Chain Signature Verification: Tightened signature verification checks across chains. (PR #1076)
• Peer Identity Validation: Validate peer identity when processing alive messages. (PR #1079)
• Address Comparison Normalization: Normalize addresses before comparison to prevent mismatches. (PR #1080)
• Token Timestamp Validation: Tightened timestamp validation on tokens. (PR #1081)
• Credit History Sanitization: Sanitized credit history data handling. (PR #1077)
• CORS Configuration: Tightened CORS configuration. (PR #1078)

Bug Fixes 🐞

• Volume Credit Costs: Fixed consumed_credits resolution for volume resources on the /costs endpoint. (PR #1101) 💰
• GPU Tier Compute Units: GPU tier compute units are now treated as a lower bound rather than an exact value. (PR #1091) 🖥️
• Unknown NULS Chain IDs: NULS signature verification now handles unknown chain IDs gracefully. (PR #1087) 🔗
• PendingMessageFetcher Parallelism: Fixed parallelism bugs in the PendingMessageFetcher. (PR #1074) ⚙️
• MessageStatus HTTP Mapping: All MessageStatus values are now mapped in message_status_to_http_status. (PR #1075) 🗺️
• Ethereum Log Fetching Loop: Prevented an infinite loop when the block range reaches zero. (PR #1073) 🔁
• Aggregate Conflict Detection: Call .keys() instead of referencing the unbound method. (PR #1071) 🧩
• IPFS add_json Await: Added a missing await on the IPFS add_json call. (PR #1072) ⏳
• IPFS Directory Downloads: Use the IPFS /get endpoint for directory downloads in /storage/raw. (PR #1042) 📁
• Numeric Price Schemas: Accept numeric price values in credit distribution and expense schemas. (PR #1046) 💵
• Job Subprocess Crashes: Improved crash visibility for job subprocesses. (PR #1044) 🪲
• OpenAPI Version: OpenAPI documentation now uses the package version. (PR #1051) 📖
• Stale Tag Detection: Fixed version detection picking stale v-prefixed tags. (PR #1093) 🏷️

Docker Image 🐳

• Slim Base Image: Switched the Docker base image to python:3.12-slim-bookworm. (PR #1112)
• Slimmer Runtime: Dropped -dev header packages from the runtime image, install git only in the builder stage, and stopped running apt-get upgrade. (PR #1113, #1114, #1115)
• Reproducible Builds: Excluded .git from the image and require a VERSION build-arg. (PR #1111)

Maintenance & Dependency Updates ⬆️

• Bumped aleph-message to 1.1.1. (PR #1108)
• Reverted to uvloop 0.21 to resolve a regression. (PR #1047)
• Library refresh: aiohttp, web3, sqlalchemy, redis, gunicorn, sentry-sdk, protobuf, requests, eth-typing, aio-pika, multiaddr, ujson, and more.

Upgrade Guide

Make sure that your node is running v0.10.0 or later.

From v0.10.0, simply bump the version of these services:

• On the docker-compose.yml file, the pyaleph and pyaleph-api services must now use alephim/pyaleph-node:0.10.1.

Then run docker compose pull && docker compose up -d to restart the services.

Full Changelog: 0.10.0...0.10.1

0.10.1-rc8

What's Changed

• build: exclude .git from docker image, require VERSION build-arg by @odesenfans in #1111
• build: switch docker base image to python:3.12-slim-bookworm by @odesenfans in #1112
• build: drop -dev header packages from runtime docker image by @odesenfans in #1113
• build: stop running apt-get upgrade in dockerfile by @odesenfans in #1114
• build: install git only in builder stage by @odesenfans in #1115

Full Changelog: 0.10.1-rc7...0.10.1-rc8

0.10.1-rc7

What's Changed

• feat: add include_credit_details param to /balance endpoint by @amalcaraz in #1100
• fix: resolve consumed_credits for volume resources in /costs endpoint by @amalcaraz in #1101
• feat: add filters and sorting to /credit_history endpoint by @amalcaraz in #1099

Full Changelog: 0.10.1-rc6...0.10.1-rc7

0.10.1-rc6

What's Changed

• Fix/credit expiration bypass via retransfer by @amalcaraz in #1104
• Allow /messages/{hash}/content to return non-POST message content by @aliel in #1107
• Fix version detection picking stale v-prefixed tags by @aliel in #1093
• chore: bump aleph-message to 1.1.1 by @odesenfans in #1108

Full Changelog: 0.10.1-rc5...0.10.1-rc6

0.10.1-rc5

What's Changed

• feat: add POST /api/v0/price/estimate/instance endpoint by @odesenfans in #1088

Full Changelog: 0.10.1-rc4...0.10.1-rc5

0.10.1-rc4

What's Changed

• Share WebSocket metrics across gunicorn workers via Redis by @aliel in #1089
• fix: treat GPU tier compute units as a lower bound by @odesenfans in #1091

Full Changelog: 0.10.1-rc3...0.10.1-rc4

0.10.1-rc3

What's Changed

• feat: make storage upload limits configurable by @odesenfans in #1090

Full Changelog: 0.10.1-rc2...0.10.1-rc3

0.10.1-rc2

What's Changed

• fix: PendingMessageFetcher parallelism bugs by @aliel in #1074
• fix: handle unknown NULS chain IDs gracefully by @odesenfans in #1087
• Chore(deps-dev): Bump pytest from 9.0.2 to 9.0.3 by @dependabot[bot] in #1083

Full Changelog: 0.10.1-rc1...0.10.1-rc2

0.10.1-rc1

What's Changed

• feature: GET /storage/metadata/{file_hash} by @odesenfans in #1048
• Replace per-client RabbitMQ queues with in-process fanout broadcaster by @aliel in #1062
• Chore(deps): Bump web3 from 7.14.1 to 7.15.0 by @dependabot[bot] in #1064
• Chore(deps): Bump aiohttp from 3.13.3 to 3.13.4 by @dependabot[bot] in #1063
• Chore(deps): Bump requests from 2.32.5 to 2.33.0 by @dependabot[bot] in #1061
• Chore(deps): Bump multiaddr from 0.1.1 to 0.2.0 by @dependabot[bot] in #1052
• Chore(deps): Bump aio-pika from 9.6.1 to 9.6.2 by @dependabot[bot] in #1054
• Chore(deps): Bump ujson from 5.11.0 to 5.12.0 by @dependabot[bot] in #1050
• Chore(deps-dev): Bump pytest-cov from 7.0.0 to 7.1.0 by @dependabot[bot] in #1055
• Chore(deps): Bump sentry-sdk from 2.54.0 to 2.56.0 by @dependabot[bot] in #1057
• Chore(deps): Bump redis from 7.3.0 to 7.4.0 by @dependabot[bot] in #1058
• Chore(deps): Bump protobuf from 7.34.0 to 7.34.1 by @dependabot[bot] in #1056
• Chore(deps): Bump sqlalchemy from 2.0.48 to 2.0.49 by @dependabot[bot] in #1066
• Chore(deps): Bump aiohttp from 3.13.4 to 3.13.5 by @dependabot[bot] in #1067
• Chore(deps-dev): Bump more-itertools from 10.8.0 to 11.0.1 by @dependabot[bot] in #1068
• Chore(deps): Bump requests from 2.33.0 to 2.33.1 by @dependabot[bot] in #1069
• Chore(deps): Bump eth-typing from 5.2.1 to 6.0.0 by @dependabot[bot] in #1070
• Chore(deps): Bump gunicorn from 25.1.0 to 25.3.0 by @dependabot[bot] in #1065
• fix: correct aggregate conflict detection by @odesenfans in #1071
• fix: prevent infinite loop in Ethereum log fetching by @odesenfans in #1073
• fix: add missing await on IPFS add_json call by @odesenfans in #1072
• fix: complete MessageStatus to HTTP status mapping by @odesenfans in #1075
• fix: harden chain signature verification by @odesenfans in #1076
• fix: tighten CORS configuration by @odesenfans in #1078
• fix: sanitize credit history data handling by @odesenfans in #1077
• fix: tighten token timestamp validation by @odesenfans in #1081
• fix: normalize address comparisons by @odesenfans in #1080
• fix: validate peer identity in alive message processing by @odesenfans in #1079
• feat: add cursor-based pagination to all list endpoints by @odesenfans in #1085
• fix: use package version in OpenAPI doc by @odesenfans in #1051

Full Changelog: 0.10.1-rc0...0.10.1-rc1