v0.13.1

v0.13.1

Patch release on the v0.13.0 train shipping two RDS infra additions.

What's new

PostgreSQL aws_lambda extension

SQL inside fakecloud-managed PostgreSQL DB instances can now invoke
fakecloud Lambda functions, matching AWS RDS / Aurora's documented
surface (and LocalStack's):

CREATE EXTENSION IF NOT EXISTS aws_lambda CASCADE;
SELECT aws_lambda.invoke(
  aws_commons.create_lambda_function_arn('my-fn'),
  '{"hello": "world"}'::json
);

A plpython3u UDF posts to a new /_fakecloud/rds/lambda-invoke
bridge that resolves the function ARN against the fakecloud Lambda
service. Works with any Lambda runtime supported by fakecloud.

Prebuilt fakecloud-postgres images

CreateDBInstance no longer pays the ~60s apt install plpython3u
build on first use. Per release, we publish four multi-arch
(linux/amd64 + linux/arm64) images:

• ghcr.io/faiscadev/fakecloud-postgres:13-0.13.1 (and rolling :13)
• ghcr.io/faiscadev/fakecloud-postgres:14-0.13.1 (and rolling :14)
• ghcr.io/faiscadev/fakecloud-postgres:15-0.13.1 (and rolling :15)
• ghcr.io/faiscadev/fakecloud-postgres:16-0.13.1 (and rolling :16)

Runtime resolves images pull-first (docker image inspect ->
docker pull -> local build). Local build remains as the offline
/ unreleased / dev fallback, so airgapped setups keep working.

Override the registry with FAKECLOUD_POSTGRES_REGISTRY=.... Force
a fresh local rebuild with FAKECLOUD_REBUILD_POSTGRES_IMAGE=1.

Upgrade notes

• No breaking changes. v0.13.1 is drop-in over v0.13.0.
• Existing v0.13.0 deployments don't get the prebuilt-image speedup
  retroactively (the :<major>-0.13.0 tag was not backfilled).
  Upgrade to v0.13.1 to pick it up.

PRs

• #802 feat(rds): support PostgreSQL aws_lambda extension
• #803 feat(rds): publish prebuilt fakecloud-postgres images, pull-first runtime
• #804 ci(rds): PR dry-run + workflow_dispatch test path for image publish
• #805 release(v0.13.1)

Full Changelog: v0.13.0...v0.13.1

v0.13.0

What's Changed

• docs(numbers): bump every count to 26 services / 1,849 ops by @vieiralucas in #754
• docs(iam): drop stale "KMS key policies / NotPrincipal / SCPs" limitations claims by @vieiralucas in #755
• feat(elbv2): real health probes with state machine by @vieiralucas in #756
• docs(numbers): bump APIGW v2 28 -> 103, total 1,849 -> 1,924 by @vieiralucas in #758
• feat(sns): real RSA-SHA256 message signing with served public cert by @vieiralucas in #757
• feat(ses): RFC 5322 / MIME builder for TestRenderEmailTemplate by @vieiralucas in #760
• feat(logs): real GetLogGroupFields, ListLogGroupsForQuery, StartLiveTail by @vieiralucas in #761
• feat(stepfunctions): real UpdateExpression eval for dynamodb:updateItem by @vieiralucas in #762
• feat(ssm): real patch + association + document metadata tracking by @vieiralucas in #763
• fix(conformance): map every shipped service to its real wire protocol by @vieiralucas in #759
• feat(sqs): rate-limited async message move tasks with cancellation by @vieiralucas in #765
• feat(kms): AWS-shaped binary ciphertext blob with AES-256-GCM by @vieiralucas in #766
• fix(ecr): enforce 200-char Smithy cap on principalArn + reset baseline to 100% by @vieiralucas in #764
• chore(audit): close remaining stub gaps + ECS tag coverage by @vieiralucas in #767
• feat(elasticache): real Memcached engine via Docker by @vieiralucas in #768
• feat(scheduler): cross-account target delivery by @vieiralucas in #769
• feat(stepfunctions): real activity worker pool by @vieiralucas in #770
• feat(ecr): real image scanning via optional Trivy CLI by @vieiralucas in #771
• feat(rds): real Oracle, SQL Server, and Db2 engines via Docker by @vieiralucas in #773
• feat(apigateway): API Gateway v1 (REST APIs) — 118 ops, real Lambda data plane by @vieiralucas in #774
• feat(elbv2): in-process HTTP data plane for ALBs by @vieiralucas in #775
• feat(core): make request body cap env-tunable, raise default to 1 GiB by @vieiralucas in #776
• feat(core): streaming request body for S3 + ECR uploads by @vieiralucas in #777
• feat(cloudfront): scaffold service + distributions, invalidations, tags by @vieiralucas in #778
• feat(cloudfront): OAC + cache, origin request, response headers, continuous deployment policies by @vieiralucas in #779
• feat(cloudfront): Functions, Public Keys, Key Groups, KVS, OAI, Monitoring Subscriptions by @vieiralucas in #780
• feat(lambda): support legacy runtimes (nodejs16, python3.8-3.10, java11, go1.x) by @vieiralucas in #781
• feat(streaming): true chunk-by-chunk streaming for S3 + ECR uploads by @vieiralucas in #782
• feat(cloudfront): legacy Streaming Distributions (RTMP) — full CRUD by @vieiralucas in #783
• refactor(streaming): drop buffered fallback in S3/ECR upload paths by @vieiralucas in #785
• feat(cloudfront): field-level encryption + realtime log configs (batch 5) by @vieiralucas in #784
• feat(lambda): add nodejs24.x, python3.14, java25, dotnet10 runtimes by @vieiralucas in #787
• fix(s3): route virtual-hosted PUT object through streaming dispatch by @vieiralucas in #788
• test(dispatch): cover streaming_route path-style and virtual-hosted S3 by @vieiralucas in #789
• feat(cloudfront): VPC origins + anycast + trust stores + resource policies (batch 6a) by @vieiralucas in #786
• feat(cloudfront): connection groups + domain ops + managed cert + promote-staging by @vieiralucas in #790
• feat(route53): scaffold service + hosted zones + RRsets (batch 1) by @vieiralucas in #791
• feat(route53): health checks (batch 2) by @vieiralucas in #792
• feat(route53): traffic policies + instances (batch 3) by @vieiralucas in #793
• feat(route53): DNSSEC + KSK + query logging + CIDR collections (batch 4) by @vieiralucas in #794
• feat(route53): VPC + delegation sets + geo + tags + account limits (batch 5) by @vieiralucas in #795
• feat(acm): scaffold AWS Certificate Manager — full 17-op control plane by @vieiralucas in #796
• feat(application-autoscaling): scaffold full 14-op JSON 1.1 control plane by @vieiralucas in #797
• feat(wafv2): scaffold full 55-op JSON 1.1 control plane by @vieiralucas in #798
• feat(athena): scaffold AWS Athena - 70-op JSON 1.1 control plane by @vieiralucas in #799
• release(v0.13.0): bump versions, refresh docs, register new crates by @vieiralucas in #801

Full Changelog: v0.12.0...v0.13.0

v0.12.0

What's Changed

• feat(elbv2): scaffold Elastic Load Balancing v2 — LoadBalancers + Tags by @vieiralucas in #746
• feat(elbv2): target groups + targets + health (Batch 2) by @vieiralucas in #747
• feat(elbv2): listeners + rules + certificates (Batch 3) by @vieiralucas in #748
• feat(sdks): Go/PHP/Java introspection clients for ELBv2 + docs by @vieiralucas in #750
• feat(elbv2): LB attributes, mTLS trust stores, capacity, resource policies by @vieiralucas in #749
• fix(ecs): forward awslogs before flipping task to STOPPED by @vieiralucas in #752
• ci(release): publish fakecloud-elbv2 crate by @vieiralucas in #751
• release: 0.12.0 by @vieiralucas in #753

Full Changelog: v0.11.0...v0.12.0

v0.11.0

What's Changed

• docs(seo): upstream-query landing page + migration guide + comparison post by @vieiralucas in #675
• docs(seo): upstream-query tutorials + slug-exact landing pages by @vieiralucas in #676
• docs(seo): depth-first reframe on landing + migration + comparison posts by @vieiralucas in #678
• docs(seo): refresh llms.txt and llms-full.txt to current numbers by @vieiralucas in #677
• docs(seo): Terraform + CDK tutorials + slug-exact mock-X landings by @vieiralucas in #679
• docs(seo): vs-competitor slug-exact landing pages by @vieiralucas in #680
• docs(seo): JSON-LD structured data + OpenGraph + canonical links by @vieiralucas in #681
• docs(seo): AI-coding-assistants blog (Claude Code / Cursor / Copilot) by @vieiralucas in #682
• docs(seo): address Cubic findings on SEO landings by @vieiralucas in #684
• fix(dynamodb): aliased top-level attr names containing dots by @vieiralucas in #683
• docs(seo): 6 more slug-exact mock-X/local-X landings by @vieiralucas in #685
• docs(seo): 6 more vs-competitor peer landings by @vieiralucas in #686
• docs(seo): FAQ page with FAQPage JSON-LD schema by @vieiralucas in #687
• refactor(conformance): refresh baseline, expand audit, fill 28 test gaps by @vieiralucas in #688
• fix(conformance): address Cubic findings from PR #688 by @vieiralucas in #689
• feat(conformance): generic @http-driven REST probe by @vieiralucas in #690
• feat(conformance): probe API Gateway v2 via Smithy model by @vieiralucas in #691
• refactor(seo): rename /mock-/ landings to /-emulator/ by @vieiralucas in #692
• content(seo): 4 Bedrock landing pages by @vieiralucas in #693
• docs(readme): foreground Bedrock as signature differentiator by @vieiralucas in #694
• content(blog): Bedrock batch 1 — three posts on tests, guardrails, LocalStack Ultimate by @vieiralucas in #695
• feat(conformance): strict route detection via SUPPORTED list by @vieiralucas in #696
• feat(sqs): implement message-move tasks by @vieiralucas in #697
• feat(sts): implement AssumeRoot, GetDelegatedAccessToken, GetWebIdentityToken by @vieiralucas in #698
• feat(sns): SMS sandbox + data protection policy ops by @vieiralucas in #699
• feat(ses): deliverability dashboard, IP pool fetch, insights, recommendations by @vieiralucas in #700
• feat(rds): close 140-op conformance gap by @vieiralucas in #708
• feat(cloudformation): close 82-op conformance gap by @vieiralucas in #707
• ci(codecov): relax patch target to 50% for conformance batches by @vieiralucas in #709
• feat(elasticache): close conformance gap with 31 missing ops by @vieiralucas in #702
• ci(codecov): drop patch target to 0% (informational only) by @vieiralucas in #710
• feat(s3): close conformance gap with 33 missing bucket/object ops by @vieiralucas in #701
• feat(iam): close conformance gap with 46 missing ops by @vieiralucas in #704
• feat(stepfunctions): close conformance gap with 23 missing ops by @vieiralucas in #703
• feat(lambda): close conformance gap with 72 missing ops by @vieiralucas in #705
• feat(apigatewayv2): close 75-op conformance gap by @vieiralucas in #706
• feat(apigatewayv2): align path routing + JSON case with Smithy model by @vieiralucas in #712
• feat(apigatewayv2): enrich extras response shapes to match Smithy by @vieiralucas in #713
• feat(apigatewayv2): close conformance gap to 100% by @vieiralucas in #715
• feat(apigatewayv2): strip summary-only fields from Create/Update by @vieiralucas in #714
• content(blog): sharpen title of LocalStack Ultimate Bedrock post by @vieiralucas in #716
• feat(ecr): add ECR Batch 1 — repository CRUD, tags, policies by @vieiralucas in #717
• feat(ecr): Batch 2 — image + layer ops, content-addressed blob storage by @vieiralucas in #718
• feat(ecr): Batch 3 — OCI v2 Distribution, real docker push/pull by @vieiralucas in #719
• feat(ecr): Batch 4 — full 58-op API, lifecycle eval, scanning, registry by @vieiralucas in #720
• feat(ecr): SDKs + introspection + website catch-up by @vieiralucas in #721
• feat(ecs): Batch 1 — scaffold + control-plane CRUD by @vieiralucas in #722
• feat(ecs): Batch 2 — real Fargate-style task execution via Docker by @vieiralucas in #723
• feat(ecs): Batch 3 — services with rolling deployments by @vieiralucas in #724
• feat(ecs): Batch 4 — completeness, 60-op full API by @vieiralucas in #725
• feat(ecr-ecs-lambda): wire fakecloud ECR into ECS + Lambda image pull by @vieiralucas in #726
• feat(ecs): awslogs -> CloudWatch Logs + EventBridge task state change by @vieiralucas in #727
• feat(ecs): task role credentials + secrets injection by @vieiralucas in #728
• feat(ecr): lifecycle evaluator — tagPrefixList, tagPatternList, wildcards by @vieiralucas in #729
• feat(ecs+ecr): account-setting ARN format + scan findings synthetic flag by @vieiralucas in #730
• feat(ecr): pull-through cache real upstream proxy by @vieiralucas in #731
• feat(kms+ecr): real AES-256-GCM layer encryption on KMS repos by @vieiralucas in #732
• feat(ecr): real cosign signature verification (keyed ECDSA-P256) by @vieiralucas in #733
• fix(ecs): honor containerDefinition.entryPoint in docker run by @vieiralucas in #734
• feat(rds): emit aws.rds EventBridge events on lifecycle ops by @vieiralucas in #735
• feat(cognito): route verification email -> SES, SMS -> SNS; add CustomEmailSender/CustomSMSSender triggers by @vieiralucas in #736
• feat(lambda): async destinations on InvocationType=Event by @vieiralucas in #737
• feat(ses): execute Bounce, AddHeader, Stop receipt rule actions by @vieiralucas in #738
• feat(iam): PassRole trust-policy enforcement on Lambda + ECS by @vieiralucas in #739
• feat(kms): cross-service KMS hook + introspection (Secrets Manager wired) by @vieiralucas in #741
• feat(kms): real S3 SSE-KMS + SSM SecureString encryption via KMS hook by @vieiralucas in #742
• feat(lambda): ESM FilterCriteria + partial-batch failure + StartingPosition by @vieiralucas in #740
• feat(kms): wire KMS hook into SQS, SNS, DynamoDB by @vieiralucas in #743
• docs(ecr,ecs): catch up website + cross-service matrix by @vieiralucas in #744
• release: 0.11.0 by @vieiralucas in #745

Full Changelog: v0.10.1...v0.11.0

v0.10.1

What's Changed

• fix(ci): disable persist-credentials in packagist job by @vieiralucas in #669
• fix(dynamodb): BETWEEN-aware + whitespace-tolerant AND/OR tokenizer by @vieiralucas in #670
• fix(dynamodb): resolve dotted paths in filter LHS and function args by @vieiralucas in #671
• fix(dynamodb): align size() type semantics with AWS by @vieiralucas in #672
• fix(dynamodb): SET complex RHS into nested paths by @vieiralucas in #673
• chore: release 0.10.1 by @vieiralucas in #674

Full Changelog: v0.10.0...v0.10.1

v0.10.0

Biggest release yet. fakecloud crosses from "accurate AWS emulator" into "accurate AWS deployment emulator": multiple accounts, organization-wide policy ceilings, production-grade IAM, durable state across restarts, and two new services.

Multi-account

All stateful services now isolate state per AWS account — not a single global scope.

• New MultiAccountState<T> core primitive; every service refactored onto it across S3, DynamoDB, SQS, SNS, IAM/STS, KMS, Secrets Manager, Kinesis, Bedrock, SSM, CloudFormation, Lambda, EventBridge, CloudWatch Logs, Cognito, SES, RDS, ElastiCache, API Gateway v2, Step Functions, EventBridge Scheduler.
• Cross-account delivery for SQS/SNS; cross-account resource access evaluated with real AWS semantics (identity policy in caller account + resource policy in owner account).
• STS trust policies enforced as resource policies — AssumeRole across accounts works like AWS.
• New /_fakecloud/iam/create-admin endpoint bootstraps an admin user in any account so test suites can provision per-account credentials without chicken-and-egg.
• Bucket uniqueness, introspection endpoints, and background tasks all multi-account aware.

AWS Organizations + SCPs (new service)

Entire Organizations control plane with service control policy enforcement as a top-of-chain ceiling on every authorization decision.

• CRUD for organizations, OUs, accounts, and policies; attach/detach across Root/OU/Account targets; target listings.
• OU tree with account membership and auto-enrollment of accounts created via create-admin.
• FullAWSAccess seeded on Root and auto-attached to new OUs/accounts (matches AWS default).
• SCP evaluation: same-target SCPs union, cross-level SCPs intersect, management account and service-linked roles exempted, NotPrincipal supported.
• Wired into the IAM evaluator so every request is bounded by its org's SCP ceiling.

EventBridge Scheduler (new service)

Full Scheduler control plane plus a real firing loop.

• Schedule + ScheduleGroup CRUD, flexible time windows, rate/cron/at expressions, dead-letter config, retry policy, KMS-encrypted inputs.
• Background firing loop delivers to SQS (including FIFO with dedup ID cap), SNS, Lambda, Step Functions, EventBridge buses (including nested).
• DLQ routing on delivery failure, wired through IAM so target invocations use the schedule's role.
• Disk persistence via snapshot store; introspection endpoints + a client in every SDK (TS/Python/Go/Java/PHP).

IAM: production-grade policy evaluation

v0.9.2 introduced Phase 1 (identity policy evaluation). v0.10.0 completes Phases 2–6.

• Condition block framework with context populated at dispatch. Service-specific condition keys shipped for:
  • aws:* global keys (PrincipalTag, RequestTag, ResourceTag, TagKeys)
  • s3:prefix, s3:delimiter, s3:max-keys
  • sqs:MessageAttribute.<Name>
  • sns:Protocol, sns:Endpoint
  • lambda:FunctionArn, lambda:Principal
  • Pluggable per-service via new iam_condition_keys_for hook on AwsService.
• Resource policies evaluated with real cross-account semantics. Providers for S3 bucket policies, SNS topic policies, Lambda function policies (new AddPermission/RemovePermission/GetPolicy), and KMS key policies.
• Permission boundaries + session policies under FAKECLOUD_IAM=strict, with an intersection evaluator. Session policies enforced on STS temporary credentials.
• ABAC everywhere: PrincipalTag conditions on IAM/STS; ResourceTag/RequestTag/TagKeys on S3, SQS, SNS, IAM.
• NotPrincipal in resource policies, including the tricky exclusion semantics.

Disk persistence (every service)

Opt-in durable state via a snapshot store — set FAKECLOUD_PERSIST_DIR=/path and state survives restarts. Every service is wired:

DynamoDB, SQS, SNS, IAM/STS, Kinesis, Secrets Manager, KMS, SSM, EventBridge, CloudWatch Logs, SES, API Gateway v2, CloudFormation, Cognito, Lambda, Step Functions, RDS, ElastiCache, Bedrock, EventBridge Scheduler, plus S3 from v0.9.0.

Writes are serialized and offloaded to the blocking pool, so persistence doesn't block request handling.

PHP SDK (5th first-party SDK)

Introspection SDK for PHP ≥8.1, published to Packagist via subtree split on release. Joins TypeScript, Python, Go, Java, and Rust. All five SDKs ship a Scheduler introspection client.

Routing

• Decode real AWS Host headers (<service>.<region>.amazonaws.com, S3 virtual-hosted style, dotted bucket names on the global endpoint).
• Decode LocalStack-style Host headers so existing LocalStack test setups work unchanged.

DynamoDB

• OnDemandThroughput on tables and GSIs, propagated through billing-mode changes.
• Parenthesized KeyCondition clauses and nested-path SET targets — thanks @Bowbaq (#368, #660).
• StreamSpecification + LatestStream* returned on create/update.
• Reject unresolvable nested-path SET RHS instead of silently corrupting items.

Stability

• testkit startup hardened: OS-assigned ports with a stdout handshake eliminate port races; wall-clock deadline on wait_for_port.
• Panics in spawned Step Functions executions are caught instead of taking the runtime down.
• Docker container reaper on test-harness startup/shutdown clears orphans from crashed runs.
• IPv6 endpoint URLs bracketed per RFC 3986.
• Serialized snapshot writes for DynamoDB/SQS moved off the async runtime onto the blocking pool.

Full Changelog: v0.9.2...v0.10.0

v0.9.2

What's Changed

• feat(tfacc): run upstream terraform-provider-aws acc tests against fakecloud by @vieiralucas in #369
• feat(tfacc,sqs): canonicalize JSON-valued queue attributes; enable SQS by @vieiralucas in #370
• fix(dynamodb): paren-aware comma split in parse_update_clauses by @Bowbaq in #368
• feat(sqs): SSE encryption defaults + mode-switch reset by @vieiralucas in #371
• feat(ssm,tfacc): tolerate name:version selector; enable ssm + secretsmanager by @vieiralucas in #372
• feat(tfacc): enable iam with 4 core CRUD tests by @vieiralucas in #373
• feat(logs,tfacc): return logGroupClass on DescribeLogGroups; enable kms + logs by @vieiralucas in #374
• feat(tfacc): enable sns + events services with core smoke tests by @vieiralucas in #375
• feat(kinesis,tfacc): allow same-value IncreaseStreamRetentionPeriod; enable kinesis by @vieiralucas in #376
• feat(apigatewayv2,tfacc): default metadata fields on CreateApi; enable apigatewayv2 by @vieiralucas in #377
• feat(parity): run same tests against fakecloud and real AWS by @vieiralucas in #378
• feat(tfacc): enable bedrock with foundation models data source by @vieiralucas in #379
• ci(parity): run real-aws weekly instead of nightly by @vieiralucas in #382
• ci: pin all third-party actions by commit SHA by @vieiralucas in #383
• test(parity): add error-case and edge-semantics coverage by @vieiralucas in #384
• blog: fix awkward em-dash in spicy post description by @vieiralucas in #385
• docs(conformance): explain parity testing and how it differs from E2E by @vieiralucas in #386
• feat(dynamodb): implement deletion_protection_enabled by @vieiralucas in #380
• feat(dynamodb): process GlobalSecondaryIndexUpdates in UpdateTable by @vieiralucas in #387
• feat(auth): plumb --verify-sigv4 and --iam flags through DispatchConfig by @vieiralucas in #388
• feat(iam): persist STS temp credential secrets for later lookup by @vieiralucas in #389
• feat(auth): implement opt-in SigV4 cryptographic verification by @vieiralucas in #390
• feat(auth): resolve principal up front and attach to AwsRequest by @vieiralucas in #391
• feat(iam): Phase 1 identity-policy evaluator by @vieiralucas in #392
• feat(sdk): add first-party Java SDK by @vieiralucas in #393
• feat(auth): wire IAM enforcement through dispatch by @vieiralucas in #394
• feat(iam,sts): wire Phase 1 enforcement for IAM + STS services by @vieiralucas in #395
• feat(sdk): publish Java SDK to Maven Central on release tags by @vieiralucas in #396
• chore: remove outdated and unused ROADMAP.md by @vieiralucas in #397
• chore: release 0.9.2 by @vieiralucas in #398
• feat(s3,sqs,sns): wire Phase 1 IAM enforcement by @vieiralucas in #399
• fix(dynamodb): propagate billing-mode changes through GSIs by @vieiralucas in #400
• ci(release): exclude fakecloud-parity from release check job by @vieiralucas in #401

Full Changelog: v0.9.1...v0.9.2

v0.9.1

What's Changed

• test(e2e): fix all ignored tests, drop duplicates by @vieiralucas in #367

Full Changelog: v0.9.0...v0.9.1

v0.9.0

What's Changed

• fix: replace unwraps on user input with proper error handling by @vieiralucas in #280
• refactor: extract shared Query protocol helpers to fakecloud-core by @vieiralucas in #281
• refactor(cognito): split 9,058-line service.rs into sub-modules by @vieiralucas in #282
• refactor(iam): split 8,018-line iam_service.rs into sub-modules by @vieiralucas in #283
• refactor(dynamodb): split 7,935-line service.rs into sub-modules by @vieiralucas in #284
• feat(ses): implement real SES inbound receipt rule action execution by @vieiralucas in #288
• test: fix weak assertions and add error path coverage by @vieiralucas in #289
• refactor(ses): split 7,464-line service.rs into sub-modules by @vieiralucas in #285
• refactor: standardize ARN construction to use Arn utility by @vieiralucas in #291
• docs: fix conformance numbers, add known limitations and security note by @vieiralucas in #297
• refactor: use selective tokio features and fix blocking fs in async by @vieiralucas in #296
• fix(cognito): add input validation for CreateUserPool, ListUserPools, DescribeUserPoolDomain by @vieiralucas in #287
• feat(cognito): implement user-facing device and token operations by @vieiralucas in #293
• fix(kinesis): add input validation for CreateStream, DeleteStream, ListStreams by @vieiralucas in #286
• feat(eventbridge): implement real EventBridge → Step Functions delivery by @vieiralucas in #294
• feat(cognito): implement pool/client management operations by @vieiralucas in #298
• feat(kinesis): implement all remaining operations for 100% conformance by @vieiralucas in #305
• feat(cognito): implement legacy MFA, provider linking, and auth event operations by @vieiralucas in #301
• feat(cognito): implement remaining 20 operations for 100% conformance by @vieiralucas in #306
• refactor: replace clippy::too_many_arguments allows with config structs by @vieiralucas in #308
• refactor(cognito): extract user-status wire values into constants by @vieiralucas in #309
• refactor: extract copy-paste helpers (rds, cognito, s3, bedrock, dynamodb, iam) by @vieiralucas in #310
• refactor: trim unnecessary clones in kms, dynamodb, and lambda by @vieiralucas in #311
• refactor: simplify SesState::reset and prefer vec![] in bedrock by @vieiralucas in #312
• chore: clean up decorative section-header comments by @vieiralucas in #307
• refactor(s3): derive Default on S3Object and collapse constructions by @vieiralucas in #313
• refactor(server): extract ResetState into its own module by @vieiralucas in #314
• refactor(bedrock): parse request body once in the handler dispatch by @vieiralucas in #315
• refactor(ssm): split put_parameter into parse/overwrite/create by @vieiralucas in #316
• refactor(rds): name the arguments to db_instance_xml's format string by @vieiralucas in #317
• refactor: typed enums for DynamoDB UpdateAction, IAM PolicyScope, ElastiCache engine by @vieiralucas in #318
• refactor(server): extract Cli and introspection helpers from main.rs by @vieiralucas in #319
• refactor(cognito): split admin_initiate_auth into named helpers by @vieiralucas in #320
• refactor(cognito): split initiate_auth match arms into per-flow helpers by @vieiralucas in #321
• refactor(cognito): split handle_auth_challenge_response per challenge by @vieiralucas in #322
• refactor(iam): extract helpers from delete_user, update_user, create_access_key by @vieiralucas in #323
• refactor(iam): split long IAM ops in roles, account, and oidc by @vieiralucas in #324
• refactor(ssm): split long parameter, document, command, and maintenance ops by @vieiralucas in #325
• refactor(dynamodb): split filter and SET assignment evaluators by @vieiralucas in #326
• refactor(ses): extract receipt_action_xml from rule_to_xml by @vieiralucas in #327
• refactor(sqs): extract create_queue validation and redrive-policy helpers by @vieiralucas in #328
• refactor(kms): extract ciphertext envelope decoding by @vieiralucas in #330
• refactor(rds): extract engine defaults and final-snapshot helpers by @vieiralucas in #329
• refactor(kinesis): extract shard-management helpers by @vieiralucas in #331
• refactor(stepfunctions): extract apply_state_catcher helper by @vieiralucas in #332
• refactor(sns): extract publish_to_phone_number from publish by @vieiralucas in #333
• refactor(eventbridge): extract put_events entry validation and time parsing by @vieiralucas in #334
• refactor(apigatewayv2): split resolve_action by endpoint shape by @vieiralucas in #335
• refactor(logs): extract subscription filter delivery and promote action list by @vieiralucas in #336
• refactor(cloudformation): extract provision_stack_resources helper by @vieiralucas in #337
• refactor(secretsmanager): extract version idempotency check by @vieiralucas in #338
• refactor(lambda): flatten resolve_action and drop per-arm segs clones by @vieiralucas in #340
• refactor(lambda): extract CreateFunctionInput from create_function by @vieiralucas in #339
• refactor(stepfunctions): split run_states into per-state helpers by @vieiralucas in #341
• refactor(ses): split resolve_action by collection and factor action parsers by @vieiralucas in #342
• refactor(sqs): split sqs_response XML builders and send-message FIFO constraints by @vieiralucas in #343
• refactor(sns): split publish topic fan-out into subscribers + per-protocol deliverers by @vieiralucas in #344
• refactor(bedrock): replace apply_guardrail temp clone with a borrowed view by @vieiralucas in #345
• test(harness): wait for an HTTP response, not a bare TCP connect by @vieiralucas in #346
• refactor(rds): extract build_read_replica_instance from create_db_instance_read_replica by @vieiralucas in #347
• refactor(rds): extract build_restored_instance from restore_db_instance_from_db_snapshot by @vieiralucas in #348
• refactor(eventbridge): split start_replay into phases by @vieiralucas in #349
• refactor(eventbridge): bundle fire_rule context refs into FireRuleContext by @vieiralucas in #350
• refactor(kms): split create_key / encrypt / verify / create_alias by @vieiralucas in #352
• refactor(eventbridge): extract archive_matching_event from put_events by @vieiralucas in #351
• refactor(dynamodb): split evaluate_single_key_condition + find_partiql_where_indices by @vieiralucas in #353
• refactor(iam): collapse delete_access_key duplicated 404 branches by @vieiralucas in #354
• refactor(iam): extract CreateRoleInput from create_role by @vieiralucas in #355
• refactor(ssm): split parameters.rs long fns into named helpers by @vieiralucas in #357
• refactor(ssm): split update_document and list_documents in documents.rs by @vieiralucas in #358
• refactor(iam): promote supported_actions to const, extract CreatePolicyInput by @vieiralucas in #356
• refactor(secretsmanager): extract CreateSecretInput from create_secret by @vieiralucas in #360
• refactor(cloudformation): extract UpdateStackInput and apply_resource_update...

v0.8.1

What's Changed

• fix: prevent panics from unwrap calls and unsafe integer casts by @vieiralucas in #273
• fix(rds): add MySQL/MariaDB dump/restore, fix license model and metadata by @vieiralucas in #276
• fix(stepfunctions): fix execution overwrite, IsPresent null, catcher short-circuit by @vieiralucas in #274
• fix(bedrock): validate TagResource ARN, add embed schema, fix profanity and deployments by @vieiralucas in #277
• fix(apigatewayv2): fix route priority, proxy errors, CORS, and dispatch by @vieiralucas in #275
• fix: address remaining Cubic findings across DynamoDB, ElastiCache, RDS, S3, SDK by @vieiralucas in #278

Full Changelog: v0.8.0...v0.8.1