Changelog
What we've shipped, in plain language.
A reverse-chronological summary of meaningful changes to Tenura, scrubbed of internal planning identifiers. Subscribe to the RSS feed (coming) or the docs for deeper detail.
- 2026-05-13
0.2.8 — Windows binary
First release that ships a native Windows binary alongside macOS arm64 and Linux x86_64/arm64. grafos-0.2.8-x86_64-pc-windows-gnu.tar.gz is signed with the same minisign release key and verifies against the same public key as every other platform. The CLI also gained a USERPROFILE fallback for HOME resolution so credentials, agent skill installs, and the local cell-identity directory land under %USERPROFILE%\.config\grafos\ on Windows. Install on Windows: extract grafos.exe from the tarball and drop on PATH. Scheduler / fabricbiosd / dashboard binaries are functionally identical to 0.2.7.
- 2026-05-13
0.2.7 — grafos deploy run --mem accepts size suffixes
CLI quality-of-life: grafos deploy run --mem now accepts K/M/G/T (case-insensitive) suffixes — grafos deploy run inference.wasm --mem 80G works as written. No suffix still means raw bytes (back-compat with every existing script). Reuses the parse_bytes helper that grafos rate-card estimate already used. The scheduler / fabricbiosd / dashboard binaries are functionally identical to 0.2.6.
- 2026-05-13
0.2.6 — orchestrator-mode tenant_role mint hotfix
Hotfix on top of 0.2.5 surfaced by the live smoke test against production: the orchestrator-mode token-mint handler hadn't been threaded through the Phase 225 tenant_role field. Production runs in orchestrator mode, so the invite/redeem flow looked correct in cell-mode tests but didn't actually carry tenant_role end-to-end. 0.2.6 closes the gap; the orchestrator now mints tokens carrying the full TenantRole (Admin / Developer / Viewer).
- 2026-05-13
0.2.5 — Phase 225 RBAC wire closure
Closes the slice 333a load-bearing gap: POST /api/v1/admin/tokens now accepts an optional tenant_role parameter parsed via TenantRole::from_str, threading the per-token RBAC role from invite redemption all the way through the scheduler token store. Combined with 0.2.4's foundation, a tenant admin can invite a developer via email and the redeemed token carries Developer role end-to-end.
- 2026-05-13
0.2.4 — Phase 225 RBAC foundation
Ships the scheduler-side foundation for tenant role-based access control: typed TenantRole (Admin / Developer / Viewer), TokenRecord.tenant_role field, ProtectedAdminOrTenantAdmin route-class primitive, tenant-scoped admin mutations now require AdminOrTenantAdmin, and a new GET /api/v1/auth/whoami endpoint plus grafos auth whoami CLI for self-introspection. The dashboard also surfaces the resolved identity from whoami.
- 2026-05-13
0.2.3 — Phase 226 closure + service accounts + rate-card fix
Closes Phase 226 by retiring the orchestrator-mode billing pass-through in favor of orchestrator-native rate cards + invoice state; cells now push LeaseEvent records outbound rather than the orchestrator polling them. Adds grafos auth service-account CLI surface for CI/CD workflows and a /v1/billing/rate-card $/byte-second vs $/GiB-second default fix in the rate-card derivation.
- 2026-05-13
0.2.2 — Orchestrator-native billing
Wires the orchestrator-native rate card and invoice surface (Phase 226 step 2). Cells fan billing events out via the outbound work-poll channel they already use for heartbeats — there is no inbound poll path from the orchestrator to provider cells, aligning with the v1.1 cloud-scale control plane design's 'cells connect outbound' principle. Billing remains the orchestrator's authoritative state.
- 2026-05-13
0.2.1 — Beta hardening hotfix
Targeted hotfix on top of 0.2.0 closing four day-one beta gaps: orchestrator-mode billing pass-through (cells fanning events out via the outbound channel), tenant outbound-billing buffer with WAL durability, HttpBillingPusher wire-up at cell-mode startup, and the slice 311 / 312 cell-side billing path. Verifies that an orchestrator-mode scheduler sees billing events end-to-end without inbound polling against provider cells.
- 2026-05-12
0.2.0 limited beta — typed observability + verifiable rewrite history
Signed grafos, fabricbiosd, grafos-scheduler, and grafos-dashboard binaries are live at releases.tenura.systems/0.2.0 for macOS arm64 and Linux x86_64/arm64. The release threads a stable snake_case vocabulary across seventeen closed-set enums (lease state, admission outcome, rewrite phase, failure class, …) so SIEM rules and log filters can key on identifiers that survive future refactors. Every committed rewrite now seals an EdgeRewritten record into the same hash-linked audit chain that already carried lease and admission events — operators can decode the embedded edge bytes back to a typed EdgeRecord and replay the full mutation history. Install via the signed installer at get.tenura.systems/install.sh; verification path is unchanged.
- 2026-05-08
New website pages: security, about, pricing, use cases, glossary, comparisons
Substantial expansion of tenura.systems — full security model, pricing, use-case detail, /about, three competitor comparisons, and a glossary. Privacy and terms stubs published.
- 2026-05-07
FAQ search restyled and accent-themed
The /faq page is now a tag-filtered search over 25+ entries with the same chrome and burnt-sienna accent as the rest of the site. Submissions go straight to our triage queue.
- 2026-05-07
Hash-linked audit chain is now end-to-end
Lease lifecycle, preemption, and admission events are sealed into a SHA-256-linked chain. The daemon assembles records at emit time, persists the head pointer in its narrow durable surface, and an upstream collector validates the linkage on ingest. The same artifact powers metering and audit.
- 2026-05-04
Tier-aware metering
Memory leases now track capacity-seconds per (resource_kind, tier_kind). DRAM, CXL, and RDMA-attached memory bill at distinct rates aligned with the silicon a workload actually held.
- 2026-05-01
Replicated resource primitives
New cookbook: replicated log, map, object, lease, queue, and registry primitives with explicit quorum, freshness, and recovery policies. Failure drills (AZ loss, region loss, provider loss, network partition) exercise the contract surface.
- 2026-04-25
Operator readiness surface
A readiness state machine gates lease admission until persistence, replay cache, and revocation surfaces are loaded. GET /api/v1/readiness exposes the state. Operator fence list / fence clear ops surface and clear quarantined resources.
- 2026-04-22
L4 GPU silicon validated end-to-end
Direct BAR0 read/write, MMIO probe, and Booter image upload validated byte-exact against driver capture on real L4 silicon. The path from grafos deploy to running CUDA kernel is now exercisable on commodity NVIDIA hardware.
- 2026-04-15
BestEffort tier renamed to Standard
The middle priority tier is now called Standard to avoid confusion with CpuIsolationClass::BestEffort. Quota and preemption semantics are unchanged. Rolling clients should pin to the latest scheduler version.
- 2026-04-10
Pi5 fleet at 200/200 QUIC interop
A barrier-fix in the GEM TX path on bare-metal Raspberry Pi 5 takes mTLS QUIC interop to 200 of 200 connections, with full FBMU and FBBU data-plane round-trips. The Pi5 fleet remains our development target for bare-metal correctness.
- 2026-04-01
mTLS is the floor for the control plane
All TCP control-plane and data-plane code is removed. Every cell runs QUIC + TLS 1.3 with mutual auth by default. There is no plaintext mode.