* Initial plan
* Fix insecure TLS configuration - make secure by default
- Changed util/tls/Config() to be secure by default (InsecureSkipVerify=false)
- Added MICRO_TLS_INSECURE=true environment variable for development/testing
- Updated documentation to emphasize security-first approach
- Added comprehensive tests for TLS configuration
- All existing broker tests pass
Co-authored-by: asim <17530+asim@users.noreply.github.com>
* Revert to backward-compatible TLS defaults to avoid breaking changes
- Reverted default to InsecureSkipVerify=true for backward compatibility
- Changed environment variable to MICRO_TLS_SECURE=true (opt-in security)
- Added deprecation warning that logs once per process
- Updated tests to reflect backward-compatible behavior
- Added comprehensive migration guide
- No breaking changes - production systems safe to upgrade
- Security improvement is opt-in via environment variable
- Planned breaking change for v6 with proper major version bump
Co-authored-by: asim <17530+asim@users.noreply.github.com>
* Add TLS security update documentation
Co-authored-by: asim <17530+asim@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: asim <17530+asim@users.noreply.github.com>
* fix: remove deprecated rand.Seed calls
Go 1.20+ automatically seeds the global random number generator.
These calls are no-ops and generate warnings with newer Go versions.
Removed from:
- selector/strategy.go
- registry/cache/cache.go
- broker/memory.go
- broker/http.go
- cmd/cmd.go
- transport/memory.go
Co-authored-by: Shelley <shelley@exe.dev>
* fix: handle previously ignored errors
- MySQL store: properly handle prepared statement errors in initDB()
- Consul registry: handle client creation errors in Client() method
These silent failures could cause hard-to-debug issues in production.
Co-authored-by: Shelley <shelley@exe.dev>
* feat(genai): improve provider interface with context and streaming
Breaking changes:
- Generate() and Stream() now require context.Context as first parameter
- Stream.Close() added for proper resource cleanup
Improvements:
- Proper context support for cancellation and timeouts
- Real SSE streaming for OpenAI and Gemini text generation
- Better error handling with wrapped errors and API error responses
- Thread-safe provider registry with sync.RWMutex
- New options: WithMaxTokens, WithTemperature, WithTimeout
- Stream has proper Close() method for cleanup
- Results can include Error field for per-chunk errors
Provider updates:
- OpenAI: true streaming with SSE parsing, proper HTTP client with timeout
- Gemini: true streaming with streamGenerateContent endpoint
- Default model updated to gpt-4o-mini (OpenAI) and gemini-2.0-flash (Gemini)
Co-authored-by: Shelley <shelley@exe.dev>
* feat(tls): make TLS secure by default, configurable via environment
BREAKING: TLS now verifies certificates by default. Set MICRO_TLS_INSECURE=true
to restore previous behavior (NOT recommended for production).
Changes:
- Add util/tls.Config(), SecureConfig(), InsecureConfig(), ConfigFromEnv() helpers
- Update all components to use ConfigFromEnv() instead of hardcoded InsecureSkipVerify
- Set MinVersion to TLS 1.2 for all TLS configs
Affected components:
- broker/http
- broker/rabbitmq
- registry/etcd
- registry/consul
- transport/grpc
This improves security posture while allowing opt-out for development environments.
Co-authored-by: Shelley <shelley@exe.dev>
* feat(tls): add TLS helpers with opt-in secure mode
NOT a breaking change - keeps InsecureSkipVerify=true as default for
local development compatibility.
New util/tls helpers:
- Config() - returns config based on MICRO_TLS_SECURE env var
- SecureConfig() - certificate verification enabled
- InsecureConfig() - certificate verification disabled (dev only)
For production security, use one of:
- Set MICRO_TLS_SECURE=true with proper CA-signed certs
- Use a service mesh (Istio, Linkerd) for automatic mTLS
- Configure TLSConfig directly with your certificates
Also: Changed CLI alias from 'g' to 'gen' for clarity
- micro generate handler -> micro gen handler
Co-authored-by: Shelley <shelley@exe.dev>
* refactor(cli): rename generate directory to gen for consistency
Directory name now matches the command alias:
cmd/micro/cli/gen/ -> micro gen handler
Co-authored-by: Shelley <shelley@exe.dev>
---------
Co-authored-by: Shelley <shelley@exe.dev>
* [fix] etcd config source prefix issue (#2389)
* http transport data race issue (#2436)
* [fix] #2431 http transport data race issue
* [feature] Ability to close connection while receiving.
Ability to send messages while receiving.
Icreased r channel limit to 100 to more fluently communication.
Do not dropp sent request if r channel is full.
* [fix] Use pool connection close timeout
* [fix] replace Close with private function
* [fix] Do not close the transport client twice in stream connection , the transport client is closed in the rpc codec
* [fix] tests
---------
Co-authored-by: Johnson C <chengqiaosheng@gmail.com>
asim
Copilot
Ak-Army
guangwu
Guillaume Bour
mamadeusia
Lukasz Raczylo
David Brouwer
Rene Jochum
Mohamed MHAMDI
Benjamin
simon
Tt yo
Cui Gang
Shubhendra Singh Chauhan
Dominic Wong
Di Wu
Janos Dobronszki
ben-toogood
mlboy
Máximo Cuadros
Dominic Wong