Added

• New Lifecycle system allowing to create global and app level lifecycle hooks. With more explanatory
  documentation.
• Dependency Scopes — Introduced a flexible scoping system for dependency lifetimes.
  • Scope.REQUEST: Default per-request lifetime.
  • Scope.APP: Application-wide shared dependencies.
  • Scope.GLOBAL: Process-level shared instances.
• New security SignedURL utility for generating and verifying time-limited signed URLs.
• New SSEChannel class for creating in-memory Server-Sent Events channels with pub/sub support.

New Responses

• CSVResponse as a new available response for CSV files directly in the lilya.responses.
• YAMLResponse as a new available response for YAML files directly in the lilya.responses.
• XMLResponse as a new available response for XML files directly in the lilya.responses.
• MessagePackResponse as a new available response for MessagePack files directly in the lilya.responses.
• NDJSONResponse as a new available response for Newline Delimited JSON files directly in the lilya.responses.
• ImageResponse as a new available response for images directly in the lilya.responses.
• TextResponse as a new available response for plain text files directly in the lilya.responses.
• EventStreamResponse as a new available response for Server-Sent Events directly in the lilya.responses.

Fixed

• CompactSerializer was not overriding kwargs properly.

Added

• OpenTelemetry integration under lilya.contrib.opentelemetry:
  • Introduced OpenTelemetryMiddleware for automatic request tracing.
    • Creates one SERVER span per HTTP request.
    • Records standard HTTP attributes (method, path, status, client.address, url.query, etc.).
    • Captures exceptions and marks spans with StatusCode.ERROR.
    • Handles parent context extraction from inbound headers for trace propagation.
  • Added setup_tracing(config: OpenTelemetryConfig | None) helper.
    • Initializes a global TracerProvider with a BatchSpanProcessor.
    • Automatically selects between ConsoleSpanExporter, OTLP/gRPC, and OTLP/HTTP exporters.
    • Safe to call multiple times (idempotent).
  • Added OpenTelemetryConfig dataclass for configuration.
    • Supports fields:
      • service_name: logical name reported to telemetry backends.
      • exporter: "otlp" or "console".
      • otlp_endpoint: e.g. "http://localhost:4317" or "http://collector:4318".
      • otlp_insecure: disable TLS verification for gRPC exporters.
      • sampler: "parentbased_always_on", "always_on", or "always_off".
  • Added get_tracer_provider() utility to retrieve the active TracerProvider.
• Async testing utilities:
  • Introduced AsyncTestClient and create_async_client() to allow fully asynchronous testing of Lilya apps.
  • Both support full middleware stacks, including OpenTelemetryMiddleware.
  • Enables concurrent request tests and real async span creation with in-memory exporters.
• Contrib Shortcuts:
  • New abort function to raise HTTP exceptions.
  • New responses shorcuts including:
    • send_json(): send JSON responses with proper headers.
    • json_error(): send JSON error responses with status codes.
    • stream(): stream response content from async generators.
    • empty(): return empty 204 No Content responses.
    • redirect(): send HTTP redirects with proper status codes and headers.
    • forbidden(): send 403 Forbidden responses.
    • not_found(): send 404 Not Found responses.
    • unauthorized(): send 401 Unauthorized responses.

Changed

• redirect now is in lilya.contrib.responses.shortcuts.

Fixed

• send_file now correctly sets Content-Disposition headers for file downloads.
• Late binding in the make_response.

Added

• Python 3.14 support.

Fixed

• Validation upper() was not being applied properly in the csrf token.

This was supposed to go in the version 0.20.8 and it was forgotten.

Added

• __exclude_from_openapi__ Added to the base controller allowing the exclusion from the BaseTemplates.

Changed

• Lilya create project default was still using an old version of the generator.

Fixed

• OpenAPI documentation was not excluding templating system and statics.

Added

• itsdangerous to requirements all and standard.

Changed

• @directive(display_in_cli=True) discovery improved by showing errors and not throw directly
  an exception.
• Update minimum Sayer version to 0.6.0.
• Custom directives under @directive are now displayed in a "Custom directives" group.

Added

• csrf_token_name as new parameter in the Lilya settings. This will allow you to globally set the name of the
  csrf token when using CSRFMiddleware.
• csrf_enabled flag to TemplateController. This will automatically inject the csrf token in the context of the templates.
• csrf_token_form_name to TemplateController. This defaults to csrf_token and corresponds to the name of the variable
  that is injected in the context of the template for the CSRF token when csrf_enabled.
• Support for @directive to be display when calling lilya client.
• display_in_cli to @directive.

Changed

• Make response optional in the get_or_set_csrf_token.

Removed

• Wrong example for the CSRF token in the security with CSRF.

Added

• Relay. This allows to create objects that are ASGI compatible and upstream services within your Lilya application.
• WebSocket proxying: Added full support for bidirectional WS proxying (text + binary frames).
• Retry & backoff: Configurable retry logic with exponential backoff on retryable statuses/exceptions.
• Timeout mapping: Upstream timeouts now map to 504 Gateway Timeout.
• Header policies: Added support for allow-list mode (allow_request_headers, allow_response_headers) in addition to drop-lists.
• Structured logging: Proxy events (upstream_error, upstream_timeout, upstream_retryable_error) now emit consistent log messages for observability.
• Support for CSRFMiddleware to understand the HTML forms allowing also custom fields.
• New HTML response as an alternative to HTMLResponse.
• New documentation section for security with CSRF.

Changed

• Added python-multipart as part of the all and standard Lilya packages.
• Replaced python-multipart with a fully native multipart, urlencoded, and octet-stream form parser.
• Improved RFC 5987 parameter decoding for proper handling of UTF-8 filenames and headers.
• AuthenticationError exception is now located in lilya.exceptions.

This was a change for the newer sayer 0.5.1 that affects the client.

Changed

• Allow minimum Sayer to be 0.5.1.
• Lilya cli now loses the name argument. This is now handled directly by the newest Sayer that
  was internal refactored for the @callback.

Changed

• Update sayer dependency version to 0.5.0 and pin it.