Publaryn 1.1.0 Release Notes
Publaryn 1.1.0 adds operational and security intelligence on top of the stable 1.0 contract. The release keeps the existing control-plane, adapter, ownership, and visibility model intact while making package risk, search discovery, operator recovery, dependency metadata, and delegated access easier to explain.
Highlights
- Risk posture on package and release details: bundle-analysis payloads now include an explainable risk summary derived from unresolved security findings, install lifecycle scripts, native build hints, and dependency-surface signals.
- Search discovery hints: package search results surface risk, unresolved findings, trusted publisher coverage, latest release status, and freshness signals without weakening visibility rules.
- Operator queue recovery: platform operators can see retry eligibility, stale-lock status, and recovery hints, then use safe retry and stale recovery endpoints for background jobs.
- Dependency overview: release detail pages normalize stored ecosystem dependency metadata into grouped counts and representative dependency names for Cargo, NuGet, RubyGems, Composer, and Maven releases.
- Delegated access history: organization admins can inspect and export audit-backed package, repository, and namespace access changes to answer who had delegated access and when it changed.
Supported in 1.1.0
- the full 1.0 management API and native adapter baseline remains supported
- explainable risk posture on package and release detail surfaces derived from bundle analysis and unresolved security findings
- search result hints for risk level, unresolved findings, trusted publishing, latest release state, and freshness signals
- platform-operator job retry and stale-lock recovery endpoints documented in docs/operator/job-queue-recovery.md
- normalized dependency overview groups for Cargo, NuGet, RubyGems, Composer, and Maven release detail pages
- delegated access history listing and CSV export for organization package, repository, and namespace grants
Explicitly not part of 1.1.0
The 1.1.0 release continues to defer the non-goals named in the 1.0 contract:
- proxy, mirror, and virtual repositories
- Maven snapshot repositories and generic promotion pipelines
- SSO, SAML, SCIM, billing, federation, and air-gapped synchronization
- broad attestation policy, signature UX, and Sigstore productization
Operational notes
- New operator recovery actions are audited as administrative job events and are documented in docs/operator/job-queue-recovery.md.
- Delegated access history is built from immutable organization audit events; it does not introduce a parallel access ledger or change the enforcement model.
- Access-history CSV export uses the same filters as the list endpoint so audit and compliance reviews can reproduce the visible workspace view.
Validation notes
Focused backend and frontend regression coverage was added for every accepted 1.1.0 slice. Full CI remains the release gate before tagging a final 1.1.0 build.
Final release handoff
The release workflow syncs this document into the GitHub release description when the release is created or published. Keep the supported versus deferred sections unchanged unless the code and contract changed in the tagged revision.