Release Readiness

Spring Prism v1.1.0 now carries a broader production-ready release train than the original 1.0.0 cut. This page is the operational definition of what the train currently ships, what must stay green, and what every new feature must bring before merge.

The current release branch validates this baseline with:

mvn clean verify

Shipped Today

The following modules are part of the supported published library surface:

Module | Role | Status
prism-core | Zero-dependency detectors, rule packs, vault, tokenization, streaming buffer | Supported
prism-spring-ai | Spring AI advisor integration for synchronous and streaming chat flows | Supported
prism-langchain4j | LangChain4j ChatModel and StreamingChatModel wrappers | Supported
prism-mcp | MCP client-side protection for stdio and Streamable HTTP transports | Supported
prism-spring-boot-starter | Spring Boot properties, auto-configuration, Redis selection, metrics surface, readiness signals | Supported
prism-rulepack-ro/us/pl/nl/gb/fr/de | Optional regional Big 7 rulepacks with checksum-backed validation | Supported
prism-extensions-nlp | Optional person-name redaction through heuristic, OpenNLP, and hybrid modes | Supported
prism-dashboard | Embedded dashboard with retained history, filters, exports, and alerts | Supported

The following modules remain in the repository for contributor workflows, manual QA, and release verification, but are not part of the published Maven library surface:

Module | Role | Status
prism-integration-tests | Testcontainers Redis and WireMock-backed multi-node release validation | Repo-only
prism-benchmarks | JMH benchmark suite for detector, vault, streaming, and Redis-backed paths | Repo-only
prism-examples | Runnable Spring Boot sample apps for Spring AI, LangChain4j, and MCP | Repo-only
demo-app | Clone-and-play Enterprise Lab with two nodes, Redis, Grafana, Big 7 rulepacks, NLP modes, and outage simulation | Repo-only

v1.1.0 Release Scope

Spring Prism v1.1.0 currently covers:

  • zero-dependency core redaction and restoration primitives
  • Spring AI, LangChain4j, and MCP client-side integrations
  • Redis-backed distributed vault support through the starter
  • large-context and RAG-oriented performance improvements
  • optional NLP extensions for person-name redaction outside prism-core
  • an embedded operator dashboard with live history, alerts, exports, and readiness posture
  • runnable repository example applications and Docusaurus documentation for supported deployment paths

Deferred

The following surfaces are intentionally outside the current release boundary:

Surface | Status
MCP server-side interception | Deferred
Cluster-wide dashboard aggregation across nodes | Deferred
Multi-tenant vault separation | Deferred
Redis encryption-at-rest strategy | Deferred

What We Validate

The current verification baseline covers:

  • full root mvn verify
  • prism-core JaCoCo coverage gate at 90%+
  • Spotless, Checkstyle, and Enforcer policies across the reactor
  • WireMock-backed Spring AI integration tests
  • LangChain4j wrapper tests
  • MCP stdio + Streamable HTTP transport tests with structured payload sanitization/restoration
  • starter auto-configuration tests, including Redis-absent startup safety
  • dedicated prism-integration-tests coverage for cross-node Redis restore, TTL expiry, noisy LLM restoration, and large-payload distributed flows
  • dedicated prism-integration-tests coverage for Redis outage handling during tokenize and restore flows
  • dedicated prism-integration-tests coverage for optional NLP disabled-by-default behavior and person-name restore flows
  • runnable Spring AI, LangChain4j, and MCP example applications that boot and prove redaction/restoration
  • a dedicated prism-benchmarks JMH module for scan, vault, streaming, and Redis-vault measurements
  • embedded dashboard coverage for control-plane UI and readiness rendering
  • Docusaurus documentation for onboarding, deployment, troubleshooting, and release posture

See Integration Test Tracker for the current suite inventory and branch-level status.

Definition of Done for new features

Every new feature or runtime behavior change merged into the release line should include:

  • module-local unit coverage
  • prism-integration-tests coverage when the feature changes real runtime behavior across module boundaries
  • Docusaurus documentation updates before merge
  • release_notes.v1.1.0.md updates while the v1.1.0 train is active
  • example config or example-app updates when the feature changes adoption guidance
  • operationally truthful metrics, readiness signals, or troubleshooting notes when behavior changes operator expectations

Release Profile

The Maven release profile is configured to attach:

  • source jars
  • javadoc jars
  • GPG signing
  • Central publishing metadata

For local release-profile verification without publishing, use:

mvn -Prelease -Dgpg.skip=true -DskipTests package

Final v1.1.0 Checklist

Use this as the final gate before cutting v1.1.0.

Already Complete

  • Redis-first distributed restore path is shipped and documented
  • Large-context and RAG performance work is shipped and documented
  • Optional NLP extension path is shipped and documented
  • Example apps and integration suites exist for the supported release train paths
  • Example apps, benchmarks, and the unified demo app remain repo-only contributor assets and are not published to Maven Central
  • Release profile produces sources.jar and javadoc.jar

Must Pass Right Before Tagging

  • v1.1.0 is green in GitHub Actions
  • No open release-blocking PRs remain
  • Full local verification succeeds:
mvn clean verify
  • Release-profile packaging succeeds without publishing:
mvn -Prelease -Dgpg.skip=true -DskipTests package
  • Docusaurus docs build succeeds:
cd website && npm run build
  • Release notes describe the final shipped scope
  • README still reflects the recommended onboarding path

Central Publishing Readiness

  • io.github.catalin87 namespace is verified in Sonatype Central
  • GitHub environment maven-central-release exists
  • GitHub Action secrets exist and are current:
    • OSSRH_USERNAME
    • OSSRH_TOKEN
    • GPG_PRIVATE_KEY
    • GPG_PASSPHRASE
  • Release workflow references the same signing key already registered publicly

Release Cut

  1. Update root pom.xml from 1.1.0 to 1.1.0
  2. Commit with:
git add pom.xml
git commit -s -m "release: v1.1.0"
git push origin main
  3. Tag and push:
git tag v1.1.0
git push origin v1.1.0
  4. Monitor release.yml until:
    • build and tests pass
    • signing succeeds
    • Central publish succeeds
    • GitHub Release is created

Immediately After Release

  1. Bump root pom.xml to the next development version, for example 1.2.0-SNAPSHOT
  2. Commit and push:
git add pom.xml
git commit -s -m "chore: begin 1.2.0-SNAPSHOT development cycle"
git push origin main

Notes

  • spring.prism.app-secret must be overridden in every real deployment.
  • Fail-open remains the default behavior through spring.prism.failure-mode=FAIL_SAFE.
  • spring.prism.security-strict-mode and spring.prism.mcp.security-strict-mode are deprecated compatibility properties and will be removed in v2.0.0. Use spring.prism.failure-mode instead.
  • Redis is the supported distributed vault path for this release boundary.
  • Optional NLP remains opt-in and must not change the deterministic default detector behavior.
  • MCP support in this release boundary covers the client role first. Server-side MCP interception remains a later milestone.
  • Prism tokens remain HMAC-SHA256 signed, and restoration only succeeds for valid vault-backed tokens produced inside the trusted application boundary.
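The notes on spring.prism.app-secret and HMAC-SHA256 signed, vault-backed tokens describe a restore gate with two independent conditions. The sketch below is an added example, not Spring Prism's code: the class name, the "<id>.<hex-hmac>" token layout, the in-memory map standing in for the vault, and the secrets are all assumptions made for illustration (Java 17+ for HexFormat).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical sketch: the "<id>.<hex-hmac>" token layout and every name here are assumptions.
public class SignedTokenVaultDemo {
    private final byte[] secret;                                // stands in for the app secret
    private final Map<String, String> vault = new HashMap<>();  // stands in for the vault

    SignedTokenVaultDemo(String appSecret) { secret = appSecret.getBytes(StandardCharsets.UTF_8); }

    private byte[] hmac(String id) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return mac.doFinal(id.getBytes(StandardCharsets.UTF_8));
    }

    String tokenize(String original) throws GeneralSecurityException {
        String id = UUID.randomUUID().toString();
        vault.put(id, original);
        return id + "." + HexFormat.of().formatHex(hmac(id));
    }

    Optional<String> restore(String token) throws GeneralSecurityException {
        int dot = token.lastIndexOf('.');
        if (dot < 1) return Optional.empty();
        String id = token.substring(0, dot);
        try {
            byte[] presented = HexFormat.of().parseHex(token.substring(dot + 1));
            // Constant-time compare; a wrong MAC is rejected before the vault is consulted.
            if (!MessageDigest.isEqual(hmac(id), presented)) return Optional.empty();
        } catch (IllegalArgumentException malformedHex) {
            return Optional.empty();
        }
        return Optional.ofNullable(vault.get(id)); // valid MAC but no vault entry: nothing restored
    }

    public static void main(String[] args) throws GeneralSecurityException {
        var node = new SignedTokenVaultDemo("constructed-secret-A");
        String token = node.tokenize("jane.doe@example.com");   // constructed sample value
        System.out.println("valid:        " + node.restore(token));
        System.out.println("tampered id:  " + node.restore("x" + token));
        System.out.println("no vault hit: " + new SignedTokenVaultDemo("constructed-secret-A").restore(token));
        System.out.println("other secret: " + new SignedTokenVaultDemo("constructed-secret-B").restore(token));
    }
}
```

Only the first call returns the original value. The "no vault hit" case shows why a second node with the correct secret still needs a shared vault to restore a token.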