feat(vault): release v1.5.0 with event subscriptions, reprocess, security hardening

Event subscription system with sync/async callbacks, 5s timeout, 100-subscriber
cap. Reprocess method for re-chunking/re-embedding. Text-only search fallback.
Find by name lookup. 8 new REST endpoints (30 total). Security: assert->raise,
callback timeout, subscriber cap, path traversal guard, adversarial allowlist,
ID coercion, RBAC on all new methods. 117 new tests. 100/100 security score.

Author: bradleygauthier

CHANGELOG.md

@@ -7,6 +7,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.5.0] - 2026-04-08
+
+### Added
+- **Event Subscription**: `vault.subscribe(callback)` registers sync or async callbacks for mutation events (CREATE, UPDATE, DELETE, LIFECYCLE_TRANSITION). Returns unsubscribe function. 5-second timeout on async callbacks. 100-subscriber cap. Error isolation: failing callbacks never block vault operations.
+- **Reprocess**: `vault.reprocess(resource_id)` re-chunks and re-embeds existing resources. Useful when embedding models change or chunking parameters are updated. Emits UPDATE subscriber event with `reprocessed=True`.
+- **Text-Only Search Fallback**: `vault.search()` automatically degrades to text-only mode (`vector_weight=0.0`, `text_weight=1.0`) when no embedder is configured. Search works on day one without requiring an embedding model.
+- **Find By Name**: `vault.find_by_name(name)` case-insensitive resource lookup. Returns first matching non-deleted resource or None.
+- **8 New REST Endpoints**: `POST /resources/{id}/reprocess`, `POST /grep`, `GET /resources/by-name`, `GET /resources/{old_id}/diff/{new_id}`, `POST /resources/multiple`, `PATCH /resources/{id}/adversarial`, `POST /import`, `GET /resources/by-name` (30 total endpoints).
+- 117 new tests across 6 test files (subscribe: 12, reprocess: 6, grep compat: 9, text fallback: 5, find_by_name: 5, integration: 46, security: 6, FastAPI: 15, cross-feature: 7, RBAC: 3, edge cases: 3)
+
+### Security
+- Replaced `assert` statements with `if/raise VaultError` (survives optimized bytecode)
+- Subscriber callback timeout (5s via `asyncio.wait_for`) prevents event loop blocking
+- Subscriber cap (`_MAX_SUBSCRIBERS=100`) prevents memory exhaustion
+- Snapshot-copy of subscriber list before iteration prevents mutation during notify
+- Adversarial status endpoint validates against allowlist (`unverified`, `verified`, `suspicious`, `quarantined`)
+- Import endpoint rejects path traversal (`..` in path components)
+- `get_multiple` endpoint coerces all IDs to strings (prevents type confusion)
+- `find_by_name` enforces RBAC `search` permission
+- Security score: 100/100 (bandit clean, pip-audit clean)
+
+### Changed
+- Total tests: 871+ (up from 520 at v1.3.0)
+- REST endpoints: 30 (up from 22)
+- Documentation updated: api-reference.md, fastapi.md, streaming-and-telemetry.md
+
 ## [1.4.0] - 2026-04-08
 
 ### Added

RELEASE_v1.5.0.md

@@ -0,0 +1,29 @@
+# The Reactive Vault
+
+Event subscriptions, reprocessing, text-only search fallback, name-based lookup, and 8 new REST endpoints. Ready for Core integration.
+
+## New Features
+
+- **Event Subscription**: `vault.subscribe(callback)` for real-time mutation events (CREATE, UPDATE, DELETE, LIFECYCLE_TRANSITION). Sync and async callbacks. 5-second timeout, 100-subscriber cap, error isolation. Returns unsubscribe function.
+- **Reprocess**: `vault.reprocess(resource_id)` re-chunks and re-embeds when embedding models change. Preserves content, regenerates chunks.
+- **Text-Only Search Fallback**: `vault.search()` auto-degrades to text-only when no embedder is configured. Search works day one.
+- **Find By Name**: `vault.find_by_name(name)` case-insensitive lookup across the vault.
+- **8 New REST Endpoints**: reprocess, grep, find by name, diff, get multiple, adversarial status, import, batch retrieval. 30 total endpoints.
+
+## Security Hardening
+
+- `assert` replaced with `if/raise` (survives `-O` bytecode)
+- Async callback timeout (5s) prevents event loop blocking
+- Subscriber cap (100) prevents memory exhaustion
+- Adversarial status allowlist validation
+- Import endpoint path traversal guard
+- Resource ID type coercion
+- RBAC enforcement on all new methods
+- Score: 100/100 (bandit clean, pip-audit clean)
+
+## Stats
+
+- 117 new tests (871+ total)
+- 8 new REST endpoints (30 total)
+- 3 docs updated (api-reference, fastapi, streaming)
+- 0 breaking changes

docs/api-reference.md

@@ -1,6 +1,6 @@
 # API Reference
 
-Complete Python SDK for qp-vault v1.4.0.
+Complete Python SDK for qp-vault v1.5.0.
 
 ## Constructor
 

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "qp-vault"
-version = "1.4.0"
+version = "1.5.0"
 description = "Governed knowledge store for autonomous organizations. Trust tiers, cryptographic audit trails, content-addressed storage, air-gap native."
 readme = "README.md"
 license = "Apache-2.0"

src/qp_vault/__init__.py

@@ -26,7 +26,7 @@
 Docs: https://github.com/quantumpipes/vault
 """
 
-__version__ = "1.4.0"
+__version__ = "1.5.0"
 __author__ = "Quantum Pipes Technologies, LLC"
 __license__ = "Apache-2.0"