chore(release): duroxide-python 0.1.25

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: affandar

CHANGELOG.md

@@ -5,7 +5,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.1.24] - 2026-05-03
+## [0.1.25] - 2026-05-09
+
+### Added
+
+- **`PostgresEntraOptions`** — new Python class for tuning Microsoft Entra ID
+  (Azure AD) authentication: keyword-only optional fields `audience`,
+  `max_connections`, `acquire_timeout_ms`, and `refresh_interval_ms`.
+- **`PostgresProvider.connect_with_entra(host, port, database, user, options=None)`** —
+  connect to Azure Database for PostgreSQL Flexible Server via Entra token auth.
+  Tokens are fetched and refreshed automatically via the `DefaultAzureCredential`
+  chain (managed identity, environment variables, Azure CLI, etc.).
+- **`PostgresProvider.connect_with_schema_and_entra(host, port, database, user, schema, options=None)`** —
+  same as above with a custom schema for multi-tenant isolation.
+
+### Changed
+
+- **Bumped `duroxide` dependency** — `0.1.28` → `0.1.29`
+- **Bumped `duroxide-pg` dependency** — `0.1.30` → `0.1.32`
+
+
 
 ### Added
 

Cargo.toml

@@ -1,15 +1,15 @@
 [package]
 name = "duroxide-python"
-version = "0.1.24"
+version = "0.1.25"
 edition = "2021"
 
 [lib]
 name = "duroxide_python"
 crate-type = ["cdylib"]
 
 [dependencies]
-duroxide = { version = "0.1.28", features = ["sqlite"] }
-duroxide-pg = "0.1.30"
+duroxide = { version = "0.1.29", features = ["sqlite"] }
+duroxide-pg = "0.1.32"
 pyo3 = { version = "0.23", features = ["extension-module"] }
 async-trait = "0.1"
 tokio = { version = "1", features = ["full"] }

README.md

@@ -14,7 +14,7 @@ Write durable workflows as Python generators. The Rust runtime handles replay, p
 - **Fan-out/Fan-in** — `ctx.all()` for parallel execution, `ctx.race()` for first-to-complete
 - **Continue-as-new** — long-running orchestrations with bounded history
 - **Deterministic replay** — safe resume after crashes
-- **SQLite & PostgreSQL** — pluggable storage providers
+- **SQLite & PostgreSQL** — pluggable storage providers, including Microsoft Entra ID auth for Azure Database for PostgreSQL
 - **Custom Status** — `ctx.set_custom_status()` / `ctx.reset_custom_status()` for orchestration progress reporting, `client.wait_for_status_change()` for efficient polling
 - **KV Store** — durable per-instance state via `ctx.set_kv_value()` / `ctx.get_kv_value()` / `ctx.get_kv_all_values()` / `ctx.get_kv_all_keys()` / `ctx.get_kv_length()` / `ctx.clear_kv_value()` / `ctx.clear_all_kv_values()` / `ctx.prune_kv_values_updated_before()`, plus `client.get_kv_value()` / `client.wait_for_kv_value()`
 - **Event Queues** — `ctx.dequeue_event(queue_name)` for FIFO mailbox-style message passing, `client.enqueue_event()` to send messages
@@ -122,7 +122,7 @@ def send_email(ctx, input):
 ## PostgreSQL Provider
 
 ```python
-from duroxide import PostgresProvider, Client, Runtime
+from duroxide import PostgresEntraOptions, PostgresProvider, Client, Runtime
 
 provider = PostgresProvider.connect("postgresql://user:pass@localhost:5432/mydb")
 # or with custom schema:
@@ -132,6 +132,31 @@ runtime = Runtime(provider)
 client = Client(provider)
 ```
 
+### PostgreSQL with Microsoft Entra ID
+
+For Azure Database for PostgreSQL Flexible Server, use Entra ID token authentication instead of a password:
+
+```python
+provider = PostgresProvider.connect_with_entra(
+    host="my-server.postgres.database.azure.com",
+    port=5432,
+    database="appdb",
+    user="my-managed-identity",
+    options=PostgresEntraOptions(max_connections=10),
+)
+
+provider = PostgresProvider.connect_with_schema_and_entra(
+    host="my-server.postgres.database.azure.com",
+    port=5432,
+    database="appdb",
+    user="my-managed-identity",
+    schema="duroxide_python",
+    options=PostgresEntraOptions(refresh_interval_ms=1_200_000),
+)
+```
+
+`PostgresEntraOptions` also accepts `audience`, `acquire_timeout_ms`, and `refresh_interval_ms`.
+
 ## Admin APIs
 
 ```python

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "maturin"
 
 [project]
 name = "duroxide"
-version = "0.1.24"
+version = "0.1.25"
 description = "Python SDK for the Duroxide durable execution runtime"
 readme = "README.md"
 license = { text = "MIT" }

python/duroxide/__init__.py

@@ -8,6 +8,7 @@
 from duroxide._duroxide import (
     PySqliteProvider,
     PyPostgresProvider,
+    PyPostgresEntraOptions,
     PyClient,
     PyRuntime,
     RuntimeOptions,
@@ -133,6 +134,41 @@ def in_memory() -> "SqliteProvider":
         return SqliteProvider(PySqliteProvider.in_memory())
 
 
+class PostgresEntraOptions:
+    """Options for Entra ID (Azure AD) authentication with PostgreSQL.
+
+    All parameters are keyword-only and optional; omitting a parameter uses
+    the duroxide-pg default for that setting.
+
+    Parameters
+    ----------
+    audience:
+        Token audience/scope. Override for sovereign clouds (e.g., Azure US
+        Government: ``https://ossrdbms-aad.database.usgovcloudapi.net/.default``).
+    max_connections:
+        Maximum pool connection count.
+    acquire_timeout_ms:
+        Pool connection acquisition timeout in milliseconds.
+    refresh_interval_ms:
+        Upper bound on time between token refresh attempts, in milliseconds.
+    """
+
+    def __init__(
+        self,
+        *,
+        audience: "str | None" = None,
+        max_connections: "int | None" = None,
+        acquire_timeout_ms: "int | None" = None,
+        refresh_interval_ms: "int | None" = None,
+    ):
+        self._native = PyPostgresEntraOptions(
+            audience=audience,
+            max_connections=max_connections,
+            acquire_timeout_ms=acquire_timeout_ms,
+            refresh_interval_ms=refresh_interval_ms,
+        )
+
+
 class PostgresProvider:
     """PostgreSQL provider for duroxide."""
 
@@ -152,6 +188,60 @@ def connect_with_schema(database_url: str, schema: str) -> "PostgresProvider":
             PyPostgresProvider.connect_with_schema(database_url, schema)
         )
 
+    @staticmethod
+    def connect_with_entra(
+        host: str,
+        port: int,
+        database: str,
+        user: str,
+        options: "PostgresEntraOptions | None" = None,
+    ) -> "PostgresProvider":
+        """Connect to Azure Database for PostgreSQL using Entra ID (Azure AD) auth.
+
+        The SDK fetches and refreshes the access token automatically via the
+        DefaultAzureCredential chain (managed identity, environment variables,
+        Azure CLI, etc.).
+
+        Parameters
+        ----------
+        host:
+            PostgreSQL server hostname (e.g. ``myserver.postgres.database.azure.com``).
+        port:
+            PostgreSQL server port (usually 5432).
+        database:
+            Target database name.
+        user:
+            Entra principal name mapped to a PostgreSQL role on the server.
+        options:
+            Optional :class:`PostgresEntraOptions` for tuning. Pass ``None``
+            (or omit) to use defaults.
+        """
+        native_opts = options._native if options is not None else None
+        return PostgresProvider(
+            PyPostgresProvider.connect_with_entra(host, port, database, user, native_opts)
+        )
+
+    @staticmethod
+    def connect_with_schema_and_entra(
+        host: str,
+        port: int,
+        database: str,
+        user: str,
+        schema: str,
+        options: "PostgresEntraOptions | None" = None,
+    ) -> "PostgresProvider":
+        """Same as :meth:`connect_with_entra` but uses a custom schema.
+
+        The schema will be created if it does not exist. Useful for
+        multi-tenant deployments where each tenant has its own schema.
+        """
+        native_opts = options._native if options is not None else None
+        return PostgresProvider(
+            PyPostgresProvider.connect_with_schema_and_entra(
+                host, port, database, user, schema, native_opts
+            )
+        )
+
 
 class Client:
     """Client for starting and managing orchestration instances."""
@@ -504,6 +594,7 @@ def default_and(tags: list) -> str:
 __all__ = [
     "SqliteProvider",
     "PostgresProvider",
+    "PostgresEntraOptions",
     "Client",
     "Runtime",
     "OrchestrationResult",

src/lib.rs

@@ -191,6 +191,7 @@ fn _duroxide(m: &Bound<'_, PyModule>) -> PyResult<()> {
     m.add_function(wrap_pyfunction!(init_tracing, m)?)?;
     m.add_class::<provider::PySqliteProvider>()?;
     m.add_class::<pg_provider::PyPostgresProvider>()?;
+    m.add_class::<pg_provider::PyPostgresEntraOptions>()?;
     m.add_class::<client::PyClient>()?;
     m.add_class::<runtime::PyRuntime>()?;
     m.add_class::<runtime::PyRuntimeOptions>()?;

src/pg_provider.rs

@@ -1,8 +1,59 @@
 use pyo3::prelude::*;
 use std::sync::Arc;
+use std::time::Duration;
 
 use crate::runtime::TOKIO_RT;
 
+/// Python-visible options for Entra ID (Azure AD) authentication.
+///
+/// All fields are optional; omitting a field uses the duroxide-pg default.
+#[pyclass]
+#[derive(Clone, Default)]
+pub struct PyPostgresEntraOptions {
+    pub audience: Option<String>,
+    pub max_connections: Option<u32>,
+    pub acquire_timeout_ms: Option<u64>,
+    pub refresh_interval_ms: Option<u64>,
+}
+
+#[pymethods]
+impl PyPostgresEntraOptions {
+    #[new]
+    #[pyo3(signature = (*, audience=None, max_connections=None, acquire_timeout_ms=None, refresh_interval_ms=None))]
+    fn new(
+        audience: Option<String>,
+        max_connections: Option<u32>,
+        acquire_timeout_ms: Option<u64>,
+        refresh_interval_ms: Option<u64>,
+    ) -> Self {
+        Self {
+            audience,
+            max_connections,
+            acquire_timeout_ms,
+            refresh_interval_ms,
+        }
+    }
+}
+
+impl PyPostgresEntraOptions {
+    fn into_entra_auth_options(self) -> duroxide_pg::EntraAuthOptions {
+        let mut opts = duroxide_pg::EntraAuthOptions::new();
+        if let Some(aud) = self.audience {
+            opts = opts.audience(aud);
+        }
+        if let Some(mc) = self.max_connections {
+            opts = opts.max_connections(mc);
+        }
+        if let Some(ms) = self.acquire_timeout_ms {
+            opts = opts.acquire_timeout(Duration::from_millis(ms));
+        }
+        if let Some(ms) = self.refresh_interval_ms {
+            opts = opts.refresh_interval(Duration::from_millis(ms));
+        }
+        opts
+    }
+}
+
 /// Wraps duroxide-pg's PostgresProvider for use from Python.
 #[pyclass]
 pub struct PyPostgresProvider {
@@ -46,4 +97,72 @@ impl PyPostgresProvider {
             inner: Arc::new(provider),
         })
     }
+
+    /// Connect to Azure Database for PostgreSQL using Microsoft Entra ID
+    /// (Azure AD) token authentication. The runtime fetches and refreshes
+    /// the token automatically via the DefaultAzureCredential chain.
+    ///
+    /// `user` must be the Entra principal name mapped to a PostgreSQL role
+    /// on the server. Pass `None` for `options` to use defaults.
+    #[staticmethod]
+    #[pyo3(signature = (host, port, database, user, options=None))]
+    fn connect_with_entra(
+        host: String,
+        port: u16,
+        database: String,
+        user: String,
+        options: Option<PyPostgresEntraOptions>,
+    ) -> PyResult<Self> {
+        let entra_opts = options.unwrap_or_default().into_entra_auth_options();
+        let provider = TOKIO_RT
+            .block_on(async {
+                duroxide_pg::PostgresProvider::new_with_entra(
+                    &host, port, &database, &user, entra_opts,
+                )
+                .await
+            })
+            .map_err(|e| {
+                pyo3::exceptions::PyRuntimeError::new_err(format!(
+                    "Failed to connect to PostgreSQL with Entra auth: {e}"
+                ))
+            })?;
+        Ok(Self {
+            inner: Arc::new(provider),
+        })
+    }
+
+    /// Same as `connect_with_entra` but uses a custom schema for tenant
+    /// isolation. The schema will be created if it does not exist.
+    #[staticmethod]
+    #[pyo3(signature = (host, port, database, user, schema, options=None))]
+    fn connect_with_schema_and_entra(
+        host: String,
+        port: u16,
+        database: String,
+        user: String,
+        schema: String,
+        options: Option<PyPostgresEntraOptions>,
+    ) -> PyResult<Self> {
+        let entra_opts = options.unwrap_or_default().into_entra_auth_options();
+        let provider = TOKIO_RT
+            .block_on(async {
+                duroxide_pg::PostgresProvider::new_with_schema_and_entra(
+                    &host,
+                    port,
+                    &database,
+                    &user,
+                    Some(&schema),
+                    entra_opts,
+                )
+                .await
+            })
+            .map_err(|e| {
+                pyo3::exceptions::PyRuntimeError::new_err(format!(
+                    "Failed to connect to PostgreSQL with Entra auth: {e}"
+                ))
+            })?;
+        Ok(Self {
+            inner: Arc::new(provider),
+        })
+    }
 }