chore(release): router crates and artifacts (#583)

> [!IMPORTANT]
> Merging this pull request will create these releases

# query-planner 2.1.0 (2025-11-24)
## Features

### Directive-Based Authorization

Introducing directive-based authorization. This allows you to enforce
fine-grained access control directly from your subgraph schemas using
the `@authenticated` and `@requiresScopes` directives.

This new authorization layer runs before the query planner, ensuring
that unauthorized requests are handled efficiently without reaching your
subgraphs.

### Configuration

You can configure how the router handles unauthorized requests with two
modes:

- **`filter`** (default): Silently removes any fields the user is not
authorized to see from the query. The response will contain `null` for
the removed fields and an error in the `errors` array.
- **`reject`**: Rejects the entire GraphQL operation if it requests any
field the user is not authorized to access.

To configure this, add the following to your `router.yaml` configuration
file:

```yaml
authentication:
  directives:
    unauthorized:
      # "filter" (default): Removes unauthorized fields from the query and returns errors.
      # "reject": Rejects the entire request if any unauthorized field is requested.
      mode: reject
```

If this section is omitted, the router will use `filter` mode by
default.

### JWT Scope Requirements

When using the `@requiresScopes` directive, the router expects the
user's granted scopes to be present in the JWT payload. The scopes
should be in an array of strings or a string (scopes separated by
space), within a claim named `scope`.

Here is an example of a JWT payload with the correct format:

```json
{
  "sub": "user-123",
  "scope": [
    "read:products",
    "write:reviews"
  ],
  "iat": 1516239022
}
```

## Fixes

### Avoid extra `query` prefix for anonymous queries

When there is no variable definitions and no operation name, GraphQL
queries can be sent without the `query` prefix. For example, instead of
sending:

```diff
- query {
+ {
  user(id: "1") {
    name
  }
}
```
# config 0.0.12 (2025-11-24)
## Features

### Breaking

Removed `pool_idle_timeout_seconds` from `traffic_shaping`, instead use
`pool_idle_timeout` with duration format.

```diff
traffic_shaping:
-  pool_idle_timeout_seconds: 30
+  pool_idle_timeout: 30s
```

#540 by @ardatan
# node-addon 0.0.4 (2025-11-24)
## Fixes

### Avoid extra `query` prefix for anonymous queries

When there is no variable definitions and no operation name, GraphQL
queries can be sent without the `query` prefix. For example, instead of
sending:

```diff
- query {
+ {
  user(id: "1") {
    name
  }
}
```
# executor 6.1.0 (2025-11-24)
## Features

### Directive-Based Authorization

Introducing directive-based authorization. This allows you to enforce
fine-grained access control directly from your subgraph schemas using
the `@authenticated` and `@requiresScopes` directives.

This new authorization layer runs before the query planner, ensuring
that unauthorized requests are handled efficiently without reaching your
subgraphs.

### Configuration

You can configure how the router handles unauthorized requests with two
modes:

- **`filter`** (default): Silently removes any fields the user is not
authorized to see from the query. The response will contain `null` for
the removed fields and an error in the `errors` array.
- **`reject`**: Rejects the entire GraphQL operation if it requests any
field the user is not authorized to access.

To configure this, add the following to your `router.yaml` configuration
file:

```yaml
authentication:
  directives:
    unauthorized:
      # "filter" (default): Removes unauthorized fields from the query and returns errors.
      # "reject": Rejects the entire request if any unauthorized field is requested.
      mode: reject
```

If this section is omitted, the router will use `filter` mode by
default.

### JWT Scope Requirements

When using the `@requiresScopes` directive, the router expects the
user's granted scopes to be present in the JWT payload. The scopes
should be in an array of strings or a string (scopes separated by
space), within a claim named `scope`.

Here is an example of a JWT payload with the correct format:

```json
{
  "sub": "user-123",
  "scope": [
    "read:products",
    "write:reviews"
  ],
  "iat": 1516239022
}
```

### Breaking

Removed `pool_idle_timeout_seconds` from `traffic_shaping`, instead use
`pool_idle_timeout` with duration format.

```diff
traffic_shaping:
-  pool_idle_timeout_seconds: 30
+  pool_idle_timeout: 30s
```

#540 by @ardatan
# router 0.0.20 (2025-11-24)
## Features

- support authenticated and requiresScopes directives (#538)

### Directive-Based Authorization

Introducing directive-based authorization. This allows you to enforce
fine-grained access control directly from your subgraph schemas using
the `@authenticated` and `@requiresScopes` directives.

This new authorization layer runs before the query planner, ensuring
that unauthorized requests are handled efficiently without reaching your
subgraphs.

### Configuration

You can configure how the router handles unauthorized requests with two
modes:

- **`filter`** (default): Silently removes any fields the user is not
authorized to see from the query. The response will contain `null` for
the removed fields and an error in the `errors` array.
- **`reject`**: Rejects the entire GraphQL operation if it requests any
field the user is not authorized to access.

To configure this, add the following to your `router.yaml` configuration
file:

```yaml
authentication:
  directives:
    unauthorized:
      # "filter" (default): Removes unauthorized fields from the query and returns errors.
      # "reject": Rejects the entire request if any unauthorized field is requested.
      mode: reject
```

If this section is omitted, the router will use `filter` mode by
default.

### JWT Scope Requirements

When using the `@requiresScopes` directive, the router expects the
user's granted scopes to be present in the JWT payload. The scopes
should be in an array of strings or a string (scopes separated by
space), within a claim named `scope`.

Here is an example of a JWT payload with the correct format:

```json
{
  "sub": "user-123",
  "scope": [
    "read:products",
    "write:reviews"
  ],
  "iat": 1516239022
}
```

### Breaking

Removed `pool_idle_timeout_seconds` from `traffic_shaping`, instead use
`pool_idle_timeout` with duration format.

```diff
traffic_shaping:
-  pool_idle_timeout_seconds: 30
+  pool_idle_timeout: 30s
```

#540 by @ardatan

## Fixes

### Avoid extra `query` prefix for anonymous queries

When there is no variable definitions and no operation name, GraphQL
queries can be sent without the `query` prefix. For example, instead of
sending:

```diff
- query {
+ {
  user(id: "1") {
    name
  }
}
```

Co-authored-by: knope-bot[bot] <152252888+knope-bot[bot]@users.noreply.github.com>

Author: knope-bot[bot]

.changeset/authz-directives.md

@@ -116,6 +116,82 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Other
 
 - *(deps)* update release-plz/action action to v0.5.113 ([#389](https://github.com/graphql-hive/router/pull/389))
+## 0.0.20 (2025-11-24)
+
+### Features
+
+- support authenticated and requiresScopes directives (#538)
+
+#### Directive-Based Authorization
+
+Introducing directive-based authorization. This allows you to enforce fine-grained access control directly from your subgraph schemas using the `@authenticated` and `@requiresScopes` directives.
+
+This new authorization layer runs before the query planner, ensuring that unauthorized requests are handled efficiently without reaching your subgraphs.
+
+#### Configuration
+
+You can configure how the router handles unauthorized requests with two modes:
+
+- **`filter`** (default): Silently removes any fields the user is not authorized to see from the query. The response will contain `null` for the removed fields and an error in the `errors` array.
+- **`reject`**: Rejects the entire GraphQL operation if it requests any field the user is not authorized to access.
+
+To configure this, add the following to your `router.yaml` configuration file:
+
+```yaml
+authentication:
+  directives:
+    unauthorized:
+      # "filter" (default): Removes unauthorized fields from the query and returns errors.
+      # "reject": Rejects the entire request if any unauthorized field is requested.
+      mode: reject
+```
+
+If this section is omitted, the router will use `filter` mode by default.
+
+#### JWT Scope Requirements
+
+When using the `@requiresScopes` directive, the router expects the user's granted scopes to be present in the JWT payload. The scopes should be in an array of strings or a string (scopes separated by space), within a claim named `scope`.
+
+Here is an example of a JWT payload with the correct format:
+
+```json
+{
+  "sub": "user-123",
+  "scope": [
+    "read:products",
+    "write:reviews"
+  ],
+  "iat": 1516239022
+}
+```
+
+#### Breaking
+
+Removed `pool_idle_timeout_seconds` from `traffic_shaping`, instead use `pool_idle_timeout` with duration format.
+
+```diff
+traffic_shaping:
+-  pool_idle_timeout_seconds: 30
++  pool_idle_timeout: 30s
+```
+
+##540 by @ardatan
+
+### Fixes
+
+#### Avoid extra `query` prefix for anonymous queries
+
+When there is no variable definitions and no operation name, GraphQL queries can be sent without the `query` prefix. For example, instead of sending:
+
+```diff
+- query {
++ {
+  user(id: "1") {
+    name
+  }
+}
+```
+
 ## 0.0.19 (2025-11-19)
 
 ### Features

.changeset/extra-query-avoid.md

@@ -1,6 +1,6 @@
 [package]
 name = "hive-router"
-version = "0.0.19"
+version = "0.0.20"
 edition = "2021"
 description = "GraphQL router/gateway for Federation"
 license = "MIT"
@@ -16,9 +16,9 @@ name = "hive_router"
 path = "src/main.rs"
 
 [dependencies]
-hive-router-query-planner = { path = "../../lib/query-planner", version = "2.0.2" }
-hive-router-plan-executor = { path = "../../lib/executor", version = "6.0.1" }
-hive-router-config = { path = "../../lib/router-config", version = "0.0.11" }
+hive-router-query-planner = { path = "../../lib/query-planner", version = "2.1.0" }
+hive-router-plan-executor = { path = "../../lib/executor", version = "6.1.0" }
+hive-router-config = { path = "../../lib/router-config", version = "0.0.12" }
 
 tokio = { workspace = true }
 futures = { workspace = true }

.changeset/shared_utilities_to_handle_vrl_expressions.md

@@ -94,6 +94,65 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Other
 
 - *(deps)* update release-plz/action action to v0.5.113 ([#389](https://github.com/graphql-hive/router/pull/389))
+## 6.1.0 (2025-11-24)
+
+### Features
+
+#### Directive-Based Authorization
+
+Introducing directive-based authorization. This allows you to enforce fine-grained access control directly from your subgraph schemas using the `@authenticated` and `@requiresScopes` directives.
+
+This new authorization layer runs before the query planner, ensuring that unauthorized requests are handled efficiently without reaching your subgraphs.
+
+#### Configuration
+
+You can configure how the router handles unauthorized requests with two modes:
+
+- **`filter`** (default): Silently removes any fields the user is not authorized to see from the query. The response will contain `null` for the removed fields and an error in the `errors` array.
+- **`reject`**: Rejects the entire GraphQL operation if it requests any field the user is not authorized to access.
+
+To configure this, add the following to your `router.yaml` configuration file:
+
+```yaml
+authentication:
+  directives:
+    unauthorized:
+      # "filter" (default): Removes unauthorized fields from the query and returns errors.
+      # "reject": Rejects the entire request if any unauthorized field is requested.
+      mode: reject
+```
+
+If this section is omitted, the router will use `filter` mode by default.
+
+#### JWT Scope Requirements
+
+When using the `@requiresScopes` directive, the router expects the user's granted scopes to be present in the JWT payload. The scopes should be in an array of strings or a string (scopes separated by space), within a claim named `scope`.
+
+Here is an example of a JWT payload with the correct format:
+
+```json
+{
+  "sub": "user-123",
+  "scope": [
+    "read:products",
+    "write:reviews"
+  ],
+  "iat": 1516239022
+}
+```
+
+#### Breaking
+
+Removed `pool_idle_timeout_seconds` from `traffic_shaping`, instead use `pool_idle_timeout` with duration format.
+
+```diff
+traffic_shaping:
+-  pool_idle_timeout_seconds: 30
++  pool_idle_timeout: 30s
+```
+
+##540 by @ardatan
+
 ## 6.0.1 (2025-11-04)
 
 ### Fixes

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "hive-router-plan-executor"
-version = "6.0.1"
+version = "6.1.0"
 edition = "2021"
 description = "GraphQL query planner executor for Federation specification"
 license = "MIT"
@@ -12,8 +12,8 @@ authors = ["The Guild"]
 [lib]
 
 [dependencies]
-hive-router-query-planner = { path = "../query-planner", version = "2.0.2" }
-hive-router-config = { path = "../router-config", version = "0.0.11" }
+hive-router-query-planner = { path = "../query-planner", version = "2.1.0" }
+hive-router-config = { path = "../router-config", version = "0.0.12" }
 
 graphql-parser = { workspace = true }
 graphql-tools = { workspace = true }

bin/router/CHANGELOG.md

@@ -1,4 +1,21 @@
 # @graphql-hive/router-query-planner changelog
+## 0.0.4 (2025-11-24)
+
+### Fixes
+
+#### Avoid extra `query` prefix for anonymous queries
+
+When there is no variable definitions and no operation name, GraphQL queries can be sent without the `query` prefix. For example, instead of sending:
+
+```diff
+- query {
++ {
+  user(id: "1") {
+    name
+  }
+}
+```
+
 ## 0.0.3 (2025-11-06)
 
 ### Fixes

bin/router/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 edition = "2021"
-version = "0.0.3"
+version = "0.0.4"
 name = "node-addon"
 publish = false