OxiRS 0.3.0 Released — Compliance, SSO, and a Local LLM Marketplace for the JVM-Free Knowledge Graph

Your knowledge graph just grew a compliance department, a login page, and a local LLM marketplace — all in Pure Rust.

Today we released OxiRS 0.3.0 — a minor version that pushes the Rust-native Semantic Web / SPARQL 1.2 / GraphQL platform squarely into enterprise territory with audit-grade compliance, federated single sign-on, and a self-hosted model marketplace for AI-augmented reasoning.

No JVM. No Active-Directory connector you license by the seat. No SaaS round-trip to fine-tune a model on your own graph. OxiRS remains the Rust-first alternative to Apache Jena + Fuseki (and to Juniper for GraphQL): one dataset, two protocols, every crate stand-alone, compiled to a single static binary under 50 MB. With 0.3.0, that binary now knows how to satisfy an auditor and an identity team too.

Why OxiRS 0.3.0 is a game changer

The hard part of replacing Jena/Fuseki in a real organization was never the SPARQL — it was everything around it. Who logged in? What did they read? Can we prove GDPR erasure? Where does the embedding model come from, and can we keep it on-prem? Those questions are where a “fast triple store” usually hands you back to a pile of Java middleware. 0.3.0 answers them natively:

• Audit & privacy, built in. oxirs-core gains an audit/ module aimed at SOC2 and GDPR: AuditEvent, an InMemoryAuditLogger and a JsonLineAuditLogger, an AuditFilter, and a GdprService for data-subject workflows — 30 tests covering the path.
• Single sign-on, two ways. oxirs-chat ships an SSO module with OIDC (oidc.rs), SAML 2.0 SP (saml_sp.rs), and session management (session.rs) — 13 tests. On the server side, oxirs-fuseki adds SAML 2.0 XML parsing via quick-xml with RSA-SHA256 signature verification — 32 tests.
• A local model marketplace. oxirs-chat’s new marketplace/ module wires up HuggingFace Hub, Ollama, and a local GGUF registry — 28 tests — so your RAG models can come from your own machines.
• Fine-tune on your graph. oxirs-graphrag adds a model_loader/ (GGUF parser + ModelRegistry) and a hybrid/lora.rs LoRA adapter and trainer, so you can adapt models against your knowledge graph without leaving the stack.
• Certification, not vibes. oxirs-shacl-ai adds a certification/ module (ClassificationMetrics, CertificationRunner, report generation — 19 tests), and oxirs-cluster adds its own certification/ for consistency, partition, Raft, and SLA checks (13 tests).

All of this lands at ~41,400 tests across the workspace (up from ~40,530 in 0.2.4), on a codebase of 2.46M lines of Rust across 4,873 files, with zero warnings.

Technical Deep Dive: the enterprise layer

1. The compliance core. Putting audit and GDPR in oxirs-core — not in some optional add-on — means every higher crate inherits a consistent compliance vocabulary. AuditEvent is the unit; the two logger backends (in-memory for tests and embedded use, JSON-Lines for shippable audit trails) cover both ends; GdprService gives data-subject access and erasure a first-class home instead of bolting it on per deployment.

2. Identity that speaks the enterprise dialects. OIDC handles the modern OAuth-based world; SAML 2.0 covers the large-enterprise and government IdPs that still run the SAML show. Crucially, OxiRS does the cryptographic verification itself — the Fuseki server parses SAML assertions with quick-xml and validates RSA-SHA256 signatures — rather than trusting an upstream proxy to have done it.

3. AI you can host. The marketplace and model_loader together mean the GGUF model your RAG pipeline uses can be pulled from HuggingFace, served by a local Ollama, or registered from a file on disk — and then LoRA-adapted in place via oxirs-graphrag. That keeps proprietary knowledge graphs and the models trained against them inside your own trust boundary.

4. Operational confidence. The two certification/ modules turn “is the cluster actually consistent / is the AI validator actually accurate” into runnable checks with metrics and reports — the kind of evidence you hand to an SRE or an auditor, generated by the system itself.

5. Industrial reach. oxirs-modbus gains a ratatui 0.30 TUI browser (feature-gated as tui, 33 tests) — a terminal cockpit for the industrial-IoT side of OxiRS, alongside the existing Modbus / CANbus / time-series support.

To anchor all of this for the long haul, 0.3.0 also publishes formal support policies: docs/policies/lts.md (RFC-001, long-term support) and docs/policies/enterprise.md (RFC-002, enterprise deployment), with 26 TODO.md files updated to reference them.

Getting Started

Install the CLI:

cargo install oxirs

Stand up a graph and serve it:

oxirs init mykg
oxirs import mykg data.ttl --format turtle
oxirs query mykg "SELECT * WHERE { ?s ?p ?o } LIMIT 10"
oxirs serve mykg/oxirs.toml --port 3030

Building a service and want the audit-aware core directly? Add the library crate:

cargo add oxirs-core

Then reach for the audit module to record access:

use oxirs_core::audit::{AuditEvent, JsonLineAuditLogger};

let logger = JsonLineAuditLogger::new("audit.log")?;
logger.record(AuditEvent::query("alice", "SELECT * WHERE { ?s ?p ?o }"))?;

What’s New in 0.3.0

• SOC2/GDPR audit module in oxirs-core — AuditEvent, in-memory + JSON-Lines loggers, AuditFilter, GdprService (30 tests).
• Single sign-on in oxirs-chat — OIDC, SAML 2.0 SP, session management (13 tests); plus SAML 2.0 parsing with RSA-SHA256 verification in oxirs-fuseki (32 tests).
• Model marketplace in oxirs-chat — HuggingFace Hub, Ollama, and local GGUF registry (28 tests).
• GraphRAG fine-tuning — GGUF model_loader/ + ModelRegistry and a hybrid/lora.rs LoRA adapter/trainer.
• Certification suites — SHACL-AI certification/ (19 tests) and cluster certification/ for consistency/partition/Raft/SLA (13 tests).
• Industrial TUI — oxirs-modbus gains a ratatui 0.30 browser behind the tui feature (33 tests).
• Support policies — RFC-001 LTS and RFC-002 enterprise deployment docs published.
• Workspace — all 26 crates bumped to 0.3.0; ~41,400 tests; 2.46M SLoC across 4,873 files; zero warnings.

Tips

• Wire audit logging in early. Use JsonLineAuditLogger for anything you might need to hand to an auditor — JSON-Lines is trivial to ship to a log pipeline — and keep InMemoryAuditLogger for tests and ephemeral tooling.
• Pick the right SSO front door. OIDC for modern OAuth IdPs, SAML 2.0 for enterprise/government IdPs. Because oxirs-fuseki verifies RSA-SHA256 signatures itself, you do not need a trusted reverse proxy in front to make SSO safe.
• Keep your models on-prem. Register a local GGUF file or point at a local Ollama through the marketplace, then LoRA-adapt it via oxirs-graphrag — your graph and your tuned model never leave your boundary.
• Certify before you promise an SLA. Run the oxirs-cluster certification checks (consistency, partition, Raft, SLA) and the SHACL-AI certification runner to generate the evidence, rather than asserting it.
• Enable the Modbus TUI only when you need it. It is gated behind tui and pulls ratatui; the headless industrial paths stay lean without it.
• Read the LTS policy if you are deploying for real. RFC-001 spells out the support lifecycle so you can plan upgrades instead of guessing.

This is the foundation

OxiRS sits in the COOLJAPAN ecosystem of Pure-Rust infrastructure. Its scientific and graph-analytics core rides on SciRS2 (the 0.4.x line), and every byte of compression goes through the OxiARC family rather than C libraries like zip, zstd, or flate2. Around it, siblings such as OxiZ (SMT), OxiFFT, and OxiRAG extend the same principle: an auditable, JVM-free, single-binary path from raw data to reasoned answer — now with the compliance and identity machinery an enterprise actually needs.

Repository: https://github.com/cool-japan/oxirs

Star the repo if you want a knowledge graph that an auditor, an identity team, and an ML engineer can all say yes to — without a single line of Java. Pure Rust Semantic Web is here — fast, safe, and sovereign.

— KitaSan at COOLJAPAN OÜ May 4, 2026