The most boring release notes are the ones your ops team likes best.
Today we released OxiRS 0.2.2 — a stability and maintenance release that audits every panic path out of production code, migrates the whole workspace onto shared dependency management, refreshes dependencies, and reviews open security advisories. No new SPARQL features here; this is the kind of work that makes the features you already have safe to run at 3 a.m.
No JVM. No Fortran. No surprise panic! deep in a request handler. OxiRS stays a Rust-native alternative to Apache Jena + Fuseki that compiles to a single static binary — and 0.2.2 is about making that binary boringly dependable. Everything is backward compatible with 0.2.0; if you’re already on the line, this is a clean step forward.
Why 0.2.2 matters
A triple store that panics is a triple store that drops requests. The single most common way a Rust service panics is a stray .unwrap() on a value that usually exists — until production hands it the one input that doesn’t. So the headline of 0.2.2 is a deliberately unglamorous one:
- Production unwrap() audit complete — zero violations. Every unwrap() call remaining in the codebase was confirmed to live in test code only; the production request and storage paths carry no unwrap()-induced panic sites. That’s the difference between a server that returns an error and one that takes down a worker.
- A clean security posture. Two advisories were run down and documented: RUSTSEC-2026-0002 (lru 0.12.5, reached via tantivy) is suppressed with a written rationale — tantivy never calls the affected iter_mut() path — and RUSTSEC-2025-0134 (rustls-pemfile unmaintained) is documented as carrying no CVE. No hand-waving; each is recorded in the audit config.
- A workspace that finally manages versions in one place. All 27 subcrate manifests now inherit shared dependencies via .workspace = true, with 28 more dependencies promoted to [workspace.dependencies]. One edit, not twenty-seven, the next time a version needs to move.
The test suite reflects the churn: 40,786 tests passing, zero warnings, across all 26 crates.
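To make the "unwrap() only in test code" claim above concrete, here is an added example (not OxiRS's own audit tooling) of a heuristic scanner that reports `.unwrap()` calls outside `#[cfg(test)]` and `#[test]` items. The function name and the sample source are constructed for illustration.

```rust
// Added example: line-based heuristic, not OxiRS's audit tooling. Returns 1-based line
// numbers of `.unwrap()` outside test items; braces inside string literals are not handled.
fn production_unwraps(src: &str) -> Vec<usize> {
    let mut hits = Vec::new();
    let mut depth: i32 = 0;
    let mut pending_test_attr = false;
    let mut test_floor: Option<i32> = None; // depth at which a test item opened
    for (idx, raw) in src.lines().enumerate() {
        // Drop line comments so commented-out code is not counted.
        let line = raw.split("//").next().unwrap_or("");
        let trimmed = line.trim_start();
        if test_floor.is_none()
            && (trimmed.starts_with("#[cfg(test)]") || trimmed.starts_with("#[test]"))
        {
            pending_test_attr = true;
        }
        let depth_before = depth;
        depth += line.matches('{').count() as i32 - line.matches('}').count() as i32;
        if pending_test_attr && line.contains('{') {
            test_floor = Some(depth_before); // the test item's body starts here
            pending_test_attr = false;
        }
        if test_floor.is_none() && line.contains(".unwrap()") {
            hits.push(idx + 1);
        }
        if test_floor.map_or(false, |floor| depth <= floor) {
            test_floor = None; // test item closed
        }
    }
    hits
}

// Constructed sample source: one production unwrap (line 2) and one inside a test.
const SAMPLE: &str = r#"fn parse_port(s: &str) -> u16 {
    s.parse().unwrap() // panics on bad input
}
fn parse_port_checked(s: &str) -> Result<u16, std::num::ParseIntError> {
    s.parse()
}
#[cfg(test)]
mod tests {
    #[test]
    fn ok() { assert!(super::parse_port_checked("3030").unwrap() == 3030); }
}
"#;

fn main() { println!("production unwrap() at lines: {:?}", production_unwraps(SAMPLE)); }
```

For enforcement in CI, Clippy's `unwrap_used` lint does the same check on the parsed code rather than on text.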
Technical Deep Dive: cleanup that holds up
This release is mostly invisible from the outside and very visible inside the repo.
- Refactoring oversized files. cloud_integration.rs had grown to 2,000 lines — past the project’s 2,000-line ceiling. It was split into a six-file module using splitrs, the AST-aware refactoring tool used across these projects, so the boundaries fall on real semantic seams rather than arbitrary line cuts. Public APIs are preserved through re-exports.
- Workspace policy, in two phases. Phase 1 converted all 27 subcrate Cargo.toml files to .workspace = true for their shared dependencies. Phase 2 promoted 28 further crates to [workspace.dependencies] — axum, rustls, blake3, prometheus, metrics, moka, kube, k8s-openapi, rcgen, and more — and converted roughly 60 additional inline entries. The payoff is that dependency drift between crates simply stops being possible.
- Test-compilation hardening. A wave of earlier ?-operator and Result-return changes had left test code that no longer compiled cleanly: 792 such errors in oxirs-rule’s test functions and 66 in oxirs-vec were fixed, along with a missing StarError import and a non-exhaustive match in oxirs-star, chrono::LocalResult handling in oxirs-tsdb/oxirs-federate/oxirs-graphrag, and a large_enum_variant warning in oxirs-stream. Green tests you can trust are the point.
- Documentation and dependency freshness. Version badges in 23 lib.rs files (html_root_url, shields) were moved to 0.2.2, and dependencies were refreshed: tempfile 3.26, chrono 0.4.44, rsa 0.9.10, clap 4.6.0, serde_with 3.18.0, tracing-subscriber 0.3.23, serial_test 3.4, and oxigdal-proj 0.1.1, among others.
Getting Started
The library is on crates.io as oxirs-core:
cargo add oxirs-core
Or use the CLI to drive a dataset:
# Install the CLI tool
cargo install oxirs
# Initialize a new knowledge graph
oxirs init mykg
# Import RDF data (automatically persisted to mykg/data.nq)
oxirs import mykg data.ttl --format turtle
# Query the data (loaded automatically from disk)
oxirs query mykg "SELECT * WHERE { ?s ?p ?o } LIMIT 10"
# Start the Fuseki-style server
oxirs serve mykg/oxirs.toml --port 3030
Open http://localhost:3030 for the admin UI, or http://localhost:3030/graphql for GraphiQL.
What’s New in 0.2.2
- Production unwrap() audit — confirmed all unwrap() calls live in test code only; zero production panic sites.
- Security advisories reviewed — RUSTSEC-2026-0002 (lru via tantivy) and RUSTSEC-2025-0134 (rustls-pemfile) documented and suppressed with written rationale, no CVE exposure.
- Workspace policy migration — all 27 subcrate manifests on .workspace = true; 28 more dependencies (and ~60 inline entries) centralized in [workspace.dependencies].
- cloud_integration.rs refactor — 2,000-line file split into a six-file module via splitrs, public API preserved.
- Test-compilation fixes — oxirs-rule (792), oxirs-vec (66), plus oxirs-star, oxirs-tsdb, oxirs-federate, oxirs-graphrag, and oxirs-stream.
- Slow-test hygiene — quantum_sparql_optimizer (>30s simulation) marked #[ignore] so the default suite stays fast.
- Dependency refresh — tempfile, chrono, rsa, clap, serde_with, tracing-subscriber, serial_test, oxigdal-proj, and more.
- Doc badges — 23 lib.rs files updated to 0.2.2.
Tips
- Upgrade in place. 0.2.2 is API-compatible with 0.2.0/0.2.1 — bump the version, rebuild, and you inherit the panic-path audit and dependency refresh with no code changes.
- Read the advisory rationale before your own audit flags it. If cargo audit surfaces RUSTSEC-2026-0002 or RUSTSEC-2025-0134 in your dependency tree through OxiRS, the suppression reasoning is recorded in .cargo/audit.toml — they’re reviewed, not ignored.
- Mirror the workspace pattern. If you vendor or fork OxiRS crates, keep them on .workspace = true so your shared dependencies stay pinned to one set of versions; that’s exactly the drift this release eliminated upstream.
- Keep the slow tests handy. quantum_sparql_optimizer is #[ignore]d for speed, not deleted — run it explicitly with cargo test -- --ignored when you’re validating the optimizer end to end.
- Hold the line at 2,000 lines. The cloud_integration.rs split is the policy in action; if you extend a module past that ceiling, splitrs will carve it on semantic boundaries instead of leaving you a 3,000-line file to read by hand.
This is the foundation
OxiRS 0.2.2 keeps its Pure Rust base intact: numerics on SciRS2, binary serialization through Oxicode instead of bincode, and compression/archiving via OxiARC (oxiarc-archive, oxiarc-zstd, oxiarc-lz4) rather than C zlib/zstd bindings — all of them real dependencies of this release, all keeping the default build free of C and Fortran. The reliability discipline in this release — no production panics, one place to manage versions, advisories tracked — is the same discipline the rest of the COOLJAPAN ecosystem is built on.
Repository: https://github.com/cool-japan/oxirs
Star the repo if a knowledge graph engine with no production panic paths and a security posture you can audit is what you want under your data.
Pure Rust Semantic Web is here — fast, safe, and sovereign.
— KitaSan at COOLJAPAN OÜ March 16, 2026