Changelog

Unreleased

Bug Fixes

P1.2 — preserve KeyBackendError variant identity in load/sync
correct HTTP status codes for operator-fixable + caller-fault errors
P2.1 — replace std HashSet with ahash AHashSet in unauthenticated policy
P2.2/P2.3/P2.4 — eliminate inline crate paths and function-local use aliases
restore SDK error logging and thread shared master-key cell through boot

CI/CD

add concurrency, drop duplicate gen-docs check, cache build-linux
enable npm manager for website dependencies

Documentation

Phase F — verification + ADR-0011 + AGENTS.md updates
fix three stale rustdoc references (P3.3, P3.5, P3.7)
forbid —no-verify pre-commit bypass
refresh AGENTS.md structure trees + LOC counts (audit §2.3, §2.4)
fix Helm chart bug + sweep stale config-schema/path references
fix stale paths and broken doc links after ceremony refactor
align with current code surface
trim contributor folder to non-duplicated content
trim root AGENTS.md, remove duplicate CLAUDE.md
re-add working principles to AGENTS.md, refresh CONTEXT.md
audit every AGENTS.md, strip drift-prone facts
document dependency-update workflow
raise vite chunk-size warning to 1500 kB
migrate contributor docs from docs/ to website/
audit against current code
fix 10 drift items against current code
collapse 4 API tables into a 5-bullet summary
fix diagram drift, register /healthcheck, declare 503 on sealed-state endpoints
rewrite Key Sources section for accuracy
align config layout with chamber.keys.* migration

Features

fix chart and dockerfile
fix chart
Phase F — signer-state CLI flags + canary tests + docs
Phase A — define KeyBackend + MutableKeyBackend traits
Phase B — implement KeyBackend + MutableKeyBackend traits
Phase C — add key-source factory + supervised refresh task
Phase D — rename key_refresh_interval_minutes → refresh_interval_seconds
Phase E — atomic migration to KeyBackend trait
require Noop antislashing in stateless deployments
list fallback for stateless deployments
add chamber.keys.{write,generate}.enabled with backward-compat shim
support import/delete/patch in stateless deployments
thread Option through sqlite/postgres/dynamodb backends
gate keygen on unsealed chamber state (P3.11)
reject unknown fields in policy/token/seal/keys bodies

Refactoring

typed MasterKeyRow trait surface + drop DynamoMode
typed constructors + drop Debug derive on MasterKeyRow
drop inline crate paths + retype reconstruct doc
drop pre-existing inline crate paths + delete dead init_signer
split SignerStateConfig into common fields + backend enum
move factory to state_backend module
P1.1 — delete dead MasterKeyVault wrapper
P2.5 — abstract storage errors via StateBackendError
P2.7 — separate domain outcomes from errors
rename chamber/import to chamber/keys; move keygen into chamber/keys/generate
make AntiSlashingError engine-agnostic via Infrastructure/Internal
construct at boot via antislashing::build factory; thread Arc through
relax SQL hmac NOT NULL + add Option-aware HMAC helpers
drop deprecated-alias migration shim — pre-release hard cutover
align verb (insert) and collapse outcome enums to InsertOutcome
merge DynamoDbKeyBackend into DynamoDbKeyStore
move dynamodb under key_source, collapse to single file
tighten visibility and trait shapes (P3.1, P3.8, P3.9)
consolidate two top-level use blocks into one (P3.4)
MutableKeyBackend takes &PubkeyHex instead of &str (P3.2)
tighten internal pubkey types to PubkeyHex
mechanical visibility + dedup wins
rename AppState->SignerContext + InitState->ChamberContext
embed Arc in ChamberContext via Deref (DUP-8) + rate_limiter -> operator_rate_limiter
unify master-key access through MasterKeyAccessor (FN-6) + opaque sealed-state error bodies
promote 6 free fns to impl methods (FN-1..FN-5 + FN-7)
move unix_now from http::auth to crate::util (BL-1)
drop cross-subsystem error coupling (BL-5)
extract epoch_to_i64 helper (DUP-3)
extract parse_gvr_bytes helper (DUP-4)
extract gvr_mismatch helper (DUP-1)
extract keygen_validation_err + keygen_crypto_err helpers (DUP-7)
move BackupEncryptor from DDB-impl to crypto.rs (BL-3)
move Policy/Token domain types to auth_types (BL-4)
clean up BL-4 commit per idiom review
share ImportProgress between sqlite + postgres (DUP-2)
unify process_key_results + fix cache-lag (DUP-5)
drop over-broad pub on deserialize_token (FN-8)
promote extract_encrypted_blob to EncryptedBlsSk::from_dynamodb_row (FN-12)
introduce DynamoRow newtype for DDB attribute parsing (FN-13)
drop residual DynamoDB-specific naming from generic helpers (audit §2.6, §2.7, §2.9)
drop dead ChamberContext.dynamodb_client field + cascade
replace last two DDB-presence-as-mode-check anti-patterns (audit §2.7)
promote key/antislashing-backend construction into Bootstrap (audit §2.1)
fold signer_init into signer_state/init alongside watcher
collapse MasterKeyAccessor trait into MasterKeyHolder newtype (audit §2.10)
collapse TaggedBackend tag duplication + iteration-2 of audit §2.11
replace test-mod std::collections::HashSet with ahash::AHashSet (audit §3.x)
deepen seal/unseal ceremony into chamber::Ceremony
extract OperatorClient module from main.rs
DRY server-error printing + use infallible to_string fallback
consolidate validation into Config::validate()
centralize scope+metric prologue in record_chamber_keys_request
extract eth-signer error mapping into errors/eth_signer.rs
extract prepare_atls_state helper from serve_*atls fns
extract cipher envelope into sibling module
tighten visibility + drop dead Serde variant from final review
strip internal annotations + apply audit findings
move ceremony primitives into chamber::ceremony::quorum_share
consolidate TEE-blob unseal in chamber::signer_load
extract validator-key domain to signer::ethereum::keygen + add batch parallelism
typed StateRow parser + fix aws::dynamodb layering
one outcome classifier for metrics + audit log
fold kms_attested.rs into kms.rs
move harden_process from server.rs to security.rs
unify section validators on Result<(), ConfigError>
table-driven IntoResponse for ApiError
share CBOR primitives + drop vestigial cose parsers
pre-release canonical naming sweep
decouple chamber HTTP config from key_sources storage
merge test-fast-argon2 into test-utils

Tests

cover deprecated-alias migration shim
mirror chamber.keys deprecated-alias migration in test_config_with_dynamodb
cover stateless mode for sqlite/postgres/dynamodb
route fixtures through Arc
unit-cover tee_auto_unseal_and_finalize via MockTeeAutoUnseal
live HTTP API compliance suite
drop spurious top-level status field

Just

add ci-full recipe matching GitHub Actions test-coverage gate
enable test-fast-argon2 in pre-push gate
make version check podman-rootless compatible

Polish

hoist crate paths + drop let _ bandaid + must_use on test helper
hoist MasterKeyAccessor + AntiSlashingConfig imports (self-review followup)
drop stale check_row_hmac_presence intra-doc link
replace let _ = with explicit expect() in write_temp_yaml
tighten visibility and hoist Config import (self-review)
use ? for error coercion and dedup keypair conversion
destructure ValidatorInfo to avoid unnecessary clone + fix indent drift

Rename

build_dynamodb_routes -> build_chamber_routes

v0.1.0-rc.40 — 2026-05-04

Bug Fixes

update age digest to d28f10e (#78)
add #[must_use] to TeeConfig::is_active, map_or→is_some_and
use strong-consistent read in get_secret_key
HMAC-verify master key recovered from TEE auto-unseal
constrain TEE-blob shares[].arn to configured KMS ARN set
defer auto_unseal swap until after blob persist
tighten KMS attestation classification + cap auto-unseal blob size
tighten body.version + integer-only PCR keys + post-rename docstrings

Documentation

update TEE config section from enclave.* to tee.nitro.*
fix stale config.enclave.* reference in values.yaml/README
regenerate config reference + fix stale enclave.log_vsock_port ref
update config-and-cli-modernization completion summary
align flag references with dotted-path convention + ServerCommand layout
add AWS KMS policy runbook for TEE auto-unseal
add architectural refactor plan with 17 deepening opportunities
add ADR-0001 — build_dynamodb_routes is pub for route-assembly tests
add ADR-0002 — client-IP helpers split by extraction layer
add ADR-0003 + module-layering docstring for verifier.rs (REFACTOR_PLAN.md #16)
add ADR-0004 — DynamoDB CAS retry is GVR-specific (REFACTOR_PLAN.md #2)
add ADR-0005 — auth wrapping and models.rs are correct (REFACTOR_PLAN.md #14 + #15)
add ADR-0006 + fix auth_types.rs docstring (REFACTOR_PLAN.md #5)
add ADR-0008 + fix TeePlatform docstring (REFACTOR_PLAN.md #7)
add ADR-0009 — KeySource enum correctly models asymmetry (REFACTOR_PLAN.md #12)

Features

implement Shamir-over-multi-KMS for TEE auto-unseal
rename Unseal mode -> Quorum + DDB strong reads + KMS rotation re-seal
wire MASTER_KEY row schema_version through typed enum
wire BLS-key cipher_version through typed enum
centralize token prefix conventions + prefix all secrets
add typed schema-version field to known_enclaves.toml
migrate BLS key KEK to HKDF-derived K_bls (Phase 3)
update deps
ct equal
update website

Performance

cache expected_gvr_hex on EthereumSigner

Refactoring

simplify nitro cfg gates and migrate sealed-storage to auto-unseal
split TEE attestation into two narrow traits
rename NitroKmsState to NitroKmsAttestation
replace TlsAttestationBackend enum with trait dispatch
replace EthAntiSlashingBackend enum with AntiSlashing trait
replace SignerStateBackend enum with trait dispatch
concentrate TEE code under src/tee/, rename tee_attestation to tee
extract KmsClient trait, split KmsPool via composition
rename StreamAccept -> StreamAcceptor, move vsock impl to tee/nitro
introduce TeePlatform trait, collapse boot-time cfg gates
fold auto_unseal into tee module, eliminate runtime cfg branches
narrow TeePlatform — drop is_active and spawn_extra_metrics_listener
extract ServerCommand; add Config/Docs subcommands; rename tee_bootstrap_from_vsock
update Dockerfile and Helm chart for tee.nitro config rename
remove unapproved DocsCommand stub
move config + bootstrap into ServerCommand, require subcommand
inject ‘server’ subcommand into Dockerfile entrypoints
rename server flags to mirror YAML config dotted paths
track F
shamir magic number and PCR
rename “TEE seal” → “TEE auto-unseal” — docs + identifiers + wire format
extract decrypt_kms_shares helper; surface attestation classification in MasterKeyError
tighten auto-unseal vocabulary in type/var/field names
DRY split-and-encrypt + registration-token loops
introduce MasterKeyAccessor trait and factor AuthManager
centralize master-key subkey derivation via HKDF + MasterKeyPurpose enum
centralize master-key subkey derivation via HKDF + MasterKeyPurpose enum
inline Subkey::hmac() method, remove free hmac_with_subkey
thread pubkey_bytes through internal methods + Option<&[u8]>
replace Backend(String) catch-all with typed variants
replace CryptoError String-payloads with typed variants
replace anyhow with typed NitroVerifyError + strum convention
spell out abbreviated local names for readability
mark growth-prone public enums #[non_exhaustive]
use PubkeyHex instead of String in HTTP response types
move zxcvbn off the tokio runtime (REFACTOR_PLAN.md #6)
rename MasterKeyProvider to MasterKeyVault (REFACTOR_PLAN.md #13)
extract signer_init module from boot (REFACTOR_PLAN.md #9)
extract init choreography to seal/init.rs (REFACTOR_PLAN.md #1, partial)
consolidate policy+token handlers to use api_call (REFACTOR_PLAN.md #3, partial)
fix mode-name docstring + delete dead Minimal functions (REFACTOR_PLAN.md #4, partial)
add deny_unknown_fields + ADR-0010 deferring CLI/config infra (REFACTOR_PLAN.md #10 + #11)
flatten util/ and http/cidr_guard/ single-file folders
rename master-key modes to KmsAuto + OperatorQuorum
split 610-line run() into RuntimeBootstrap + phase helpers
replace metric_definitions slice with CaptureRecorder
extract seccomp syscall arrays to const slices

Tests

update integration-test assertions to match quorum rename
hmac column in PG schema + valid hex unique_pubkey

Tls

restrict pinned PCR set to image-identity measurements

v0.1.0-rc.39 — 2026-04-23

Bug Fixes

handle BER constructed [0] IMPLICIT for CMS encryptedContent

v0.1.0-rc.38 — 2026-04-23

Diag

log KMS CiphertextForRecipient + CMS field preview (TEMP)

v0.1.0-rc.37 — 2026-04-23

Bug Fixes

render vsock-proxy specs as JSON env var, parse with jq
pass bare rustls::ClientConfig to reqwest use_preconfigured_tls
parse BER-encoded KMS CMS EnvelopedData (CiphertextForRecipient)

Refactoring

mount enclave entrypoint as ConfigMap, render vsock-proxy lines via Helm

Style

rustfmt + clippy pedantic/nursery fixes for src/enclave/cms.rs

v0.1.0-rc.36 — 2026-04-22

Bug Fixes

pin DynamoDB to regional endpoint (disable account-scoped routing)

CI/CD

share rust-builder layer between enclave and pod builds

v0.1.0-rc.35 — 2026-04-22

Bug Fixes

bake AWS_CONTAINER_CREDENTIALS_FULL_URI into enclave-image stage

v0.1.0-rc.34 — 2026-04-22

Bug Fixes

cap body at MAX_CREDS_BYTES regardless of Content-Length

CI/CD

merge Dockerfile.enclave + Dockerfile.pod, share rust-builder stage

Features

unified multi-endpoint egress plane
add credentials wire-protocol constants
AWS credentials via Pod Identity transparent vsock proxy

v0.1.0-rc.33 — 2026-04-22

Enclave

bring loopback up via SIOCSIFFLAGS ioctl, not the ip binary

v0.1.0-rc.32 — 2026-04-22

Enclave

pin region based on CLI flag, not config flag
source /etc/hosts region from config, not env

v0.1.0-rc.31 — 2026-04-22

Enclave

pin AWS region from config, bypass IMDS

v0.1.0-rc.30 — 2026-04-22

Features

update deps

Enclave

length-prefix framing for vsock config bootstrap

v0.1.0-rc.29 — 2026-04-21

Bug Fixes

chart and docs

Chart

provide vsock-proxy allowlist via ConfigMap

Enclave

early-init tracing so bootstrap failures reach kubectl logs

v0.1.0-rc.28 — 2026-04-21

Bug Fixes

chart

Dockerfile.enclave

append —enclave-bootstrap-from-vsock to ENTRYPOINT

Chart

bump to 2.1.0 for SPEC-ENCLAVE-CFG-001

Config+server

wire enclave vsock bootstrap into startup

Enclave

introduce src/enclave/vsock.rs wire-protocol constants
add config_bootstrap module (vsock YAML fetcher)
bootstrap observability + operator digest tool + pod wiring
satisfy pedantic+nursery clippy on bootstrap path

Enclave-proxy

add vsock-config subcommand for bootstrap delivery

Entrypoint

align CONFIG_PATH default with existing chart mount

Server

emit merged_config_digest in server_started event

v0.1.0-rc.27 — 2026-04-21

Features

previous fixes

Chart

collapse parallel .Values.tls.* tree into .Values.config.tls.*

Config

reuse TCP listen_port keys for vsock ingress ports
add tls.listen_address + fix chart metrics default typo

Tls

delete serve_tls_tcp_with_listener; tests go through serve_tls_stream

v0.1.0-rc.26 — 2026-04-21

Bug Fixes

MDX-escape generated tables and regenerate d2 SVGs

Features

previous fixes

Tests

update default-values assertion for health=9000 + signing=9443

Enclave

vsock dual listener + aTLS unification + chart plumbing

v0.1.0-rc.25 — 2026-04-20

Bug Fixes

metrics init
remove dead update_process_metrics tests left by previous cleanup
preserve Zeroizing wrapper in AttestedKmsClient::decrypt
zeroize auth credential intermediates in extract_credentials
use transition_signer_state for kms_only auto-unseal path
cache signer state load in metrics loop and record attestation failure metric
include DynamoDB anti-slashing in needs_dynamodb check and fix minor issues
run clippy on both default and nitro feature sets
fix lint expectations and mark auth enforcement tests
address P0-P2 audit findings
config field, token extraction dedup, DynamoDB client dedup
clear auth state on re-seal (G4)
delete obsolete config-driven auth tests
extract derive_auth_hmac_secret, delete dead code, fix &*
address all audit findings H5, M1-M8, L2-L3
tighten visibility on PutAuthPolicyError and conditional put
M7 integration tests + correct key-restricted signing semantics
don’t leak bearer tokens via tracing spans
serialize background refresh with mutation_lock
make generated root token immediately usable
seal preserves unauth policy; remove auth-disabled grace period (deny-by-default)
keep master key inside Zeroizing, never bitwise-copy onto the stack
unify SharedMasterKey ownership; allow Sealed→Unsealed for TEE auto-unseal
SQL backends fail closed on corrupt signing_root
decrypt_keystores preserves input order
create_token validates policies under mutation_lock (TOCTOU)
clear root_token_shares on seal and rotation
SQLite uses sqlite3_interrupt, not JoinHandle::abort
import_keys uses InsertOutcome, no has_key+insert race
preserve Zeroizing on Shamir share through spawn_blocking (Z1)
fail closed on unverified COSE_Sign1 attestation documents (SEC1 P0)
close 6 Zeroize-wrapper leaks (Z-1..Z-6)
SEC2 gate list_credentials + SEC3 ASCII-only validate_identifier
SEC4-6 log injection, seal docstring, kms_only/unseal semantic split
add Handler Panics panel to dashboards + auth config in values.yaml
remove 5 surviving stale auth references missed by subagents
resolve Zeroizing AsRef ambiguity after dep update
initialize AuthManager HMAC secret on operator-driven unseal
add missing IAM permissions for auth API and anti-slashing
remove stale gen_docs entries + add 8 missing config fields
resolve 5 docs-vs-code discrepancies from codebase audit
add 16 missing TLS + enclave config fields to gen_docs
3 AGENTS.md line drifts + terraform README table/key count
CID 2→3, CMS zeroize + OID validation, nsm-hwrng check
DynamoDB import_interchange fail-open → fail-closed
DynamoDB import_interchange consistent hard-fail + target-before-source ordering
runtime watermark invariant check in check_attestation_hybrid
comprehensive audit remediation — P1 security + P2 defense-in-depth
5 defense-in-depth improvements from Nitro audit
cfg-gate skip_attestation, attestation freshness, port validation, cert hash reload
unify AtlsServerCertVerifier::new() signature and update all callsites
cfg-gate skip_attestation CLI flag and harden verifier API
upgrade CORS wildcard log to warn with security context
sanitize NetworkMismatch response to avoid GVR disclosure
rename source_ip to x_forwarded_for and document spoofability
use saturating arithmetic in retry_with_backoff
restrict share passphrase fns to crate-internal
pre-check key existence before anti-slashing to avoid phantom records
atomic claim-then-verify rate limit eliminates TOCTOU burst
pass just lint (clippy pedantic + nursery)
post-audit cleanup from external review
log stderr write failure in emit_changed_warning
rate-limit credential-management passphrase proofs
validate enclave_cid and fix PROXY v2 encoder gating
supervise per-connection tasks inside the enclave binary
apply securityContext in enclave mode
wire METRICS_VSOCK_PORT to defined values entry

Documentation

update AGENTS.md and ARCHITECTURE.md after KmsPool migration
rewrite auth documentation for API-driven policy and token management
add Web3Signer-compatible unauthenticated_policy example
update all references for signing config migration to nested struct
complete config.example.yaml with every config field
document HTTP Basic auth as supported alternative to Bearer
correct apply_load_shed_stack doc comment
document read-only directory requirement
clarify age crate git-pin rationale
document operator label access-control requirement
fix step numbering in check_attestation_hybrid
refresh stale comments and module references after refactoring
clarify basic-auth transport-shim exception
@MX:WARN covers both PEM intermediate buffers
HANDOFF.md with status + process norms + pending findings
update HANDOFF.md — H5 fully closed
HANDOFF update — all H-tier closed, M-tier next
close M10 as working-as-intended + document skipped findings
HANDOFF update — M-tier progress + full finding inventory
HANDOFF update — M-tier near-complete, M18 next
clarify seed_entropy covers the rand::rng() thread-local path (audit M4)
HANDOFF roll-forward — M-tier now fully closed (M18 + M4 + M3)
module headers + rustdoc for types.rs and dynamodb/error.rs (audit L2 pt.1)
module headers for signing.rs + keystore_decrypt.rs + dynamodb.rs + key_source.rs (audit L2 pt.2)
module header + EthereumSigner error class docs + sign/remove_key docs (audit L2 pt.3)
HANDOFF roll-forward — L2 shipped, L-tier triage complete
trim narration and tombstone comments flagged by simplify review
HANDOFF final roll-forward — audit fully closed
SPEC-OPREG-001 v1.0.0 — operator passphrase entropy enforcement + server-generated flag (draft)
tighten leak-detection guarantee scope
fix stale audit_capture reference in server_tests
bump rust 1.95, sync AGENTS.md tree to code, document enclave log forwarding

Features

add signer_state, startup_duration, key_refresh_duration metrics and dashboard panels
crit findings
centralize KMS operations in KmsPool with Nitro Enclave attestation
add domain types, DynamoDB backend, evaluator
add AuthManager, policy/token HTTP handlers
bootstrap integration, server migration, config cleanup
CLI auth commands, OpenAPI spec, generate-root-token
generate-root-token endpoint + CLI command
generate-root-token via operator quorum, delete obsolete tests
API-driven auth policy management
install CatchPanicLayer for clean 500 on handler panics
full COSE_Sign1 attestation verification against pinned Nitro root CA (SEC1 P0 follow-up)
update deps
EIP-3076 interchange types + export/import for all backends
wire interchange into delete and import handlers
register interchange types in OpenAPI + regenerate spec
add PrometheusRule with 16 alerting rules
priority signing queues with configurable dual semaphore
supervise background tasks with panic counter
verify client IP for audit log via trusted-proxy CIDRs
unified CIDR-based access control for ceremony and token-gated routes
wire SSH-style TOFU attestation for operator aTLS client
enforce attestation document freshness in operator CLI
constant-time dummy decrypt to eliminate operator-existence oracle
split /upcheck (liveness) from /healthcheck (readiness)
point readinessProbe at /healthcheck + wire probes for enclave mode
audit findings
audit findings
passphrase entropy + generate flag (SPEC-OPREG-001)
cap passphrase at MAX_PASSPHRASE_BYTES before zxcvbn
update deps
add vsock log-forwarder writer + telemetry wiring
activate vsock log forwarder in entrypoint + chart
expose log-forward dropped-events metric always

Performance

eliminate hot-path policy cloning in evaluator
wrap unauthenticated_policy in Arc for zero-cost clones
single-allocation parse via direct byte iteration
parallelize KMS Shamir decrypts at boot
eliminate 1 alloc and 1 DashMap lookup per sign() request
downgrade EthereumSigner::sign span to debug level
drop redundant passphrase clone before encrypt_share_blocking

Refactoring

extract create_and_load_signer shared helper
extract try_tee_unseal from boot_full_dynamodb
delegate initialize_signer_with_dynamodb to create_and_load_signer
extract resolve_boot_state unifying Full and StateOnly dispatch
unify boot sequence into single boot() dispatcher
extract KmsError and collapse crypto mirrors in DynamoDbKeystoreError
remove InvalidKeygenRequest from DynamoDbKeystoreError
extract is_enclave_enabled and create_kms_pool to reduce cfg gate noise in run()
move KeygenFailed and BackupEncryptionFailed out of DynamoDbKeystoreError
share DynamoDB client with anti-slashing backend and deduplicate scan-delete loops
extract GVR CAS retry constants and fix #![allow] convention
delete legacy.rs and mod.rs, clean break
deduplicate management token generation
consolidate test helpers into common/mod.rs (M6)
extract apply_load_shed_stack; wrap auth routes in backpressure
dedupe dynamo_unavailable, share rows, MASTER_KEY reads
single source of truth for SealStatus → &str
merge router states + extract build_token helper
extract ceremony helpers shared by unseal + generate-root-token
checked TTL arithmetic + drop redundant CryptoError wrap
consolidate default_* helpers into defaults.rs
unify rule matchers via MatchContext enum
dedupe dynamo helpers (C2+C3+C4/C5)
fail-closed parity for sqlite gvr cache + dynamodb cancel handlers
rename try_advance_from_kms_unsealed (S2)
wrap instance_secret in Zeroizing (S2)
centralize random_alphanumeric + random_32_bytes (D2)
shared validate_identifier + close 7 validation gaps (D3)
unify token accessor generation + bump management entropy
shared unix_now + dynamodb keystore clock-skew alignment (D4)
make remove_key best-effort semantics explicit (D5)
replace inline crate:: paths with use imports (ST1 Category B)
resolve metrics crate name clash via selective macro imports (ST1 Category A)
add module-root re-exports + close test-file inline paths (ST3)
dedupe TCP and vsock accept loops via spawn_tls_connection helper
dedupe master-key guard lookup across three crypto sites (DUP2)
close DUP3-6 audit findings (signer extractors, require_store, spawn_blocking, blob extraction)
delete PolicyFields shim — unauthenticated_policy uses PolicyRule directly
normalize default function naming + poll→refresh rename
normalize all 18 default function names to match config paths
extract mutation lock helper to eliminate 8-site duplication
extract StateWatcher into signer_state::watcher module
extract router construction into http::router module
rename signer init helpers for clarity
extract boot sequence into dedicated module
switch DynamoDB GVR cache to OnceLock
compute key counts from DashMap instead of separate atomics
AppState.trusted_proxy_cidrs uses Arc<[IpNet]>
zero-alloc ceremony layer + remove Clone from AuthContext
migrate from rustls-pemfile to rustls-pki-types PemObject
single-copy HMAC secret with type-level seal guard
supervise TLS rotation, enclave egress, and metrics tasks
typed EgressService enum for supervised task labels
async file I/O in reload task, eliminate double-read
share parse_cert_config between startup + reload, parallel reads
align operator attestation max-age default with server config
decouple share-row not-found from auth-failed
version Argon2 parameters per share row
reject test-utils feature in release builds
align admission cap with concurrency + bump defaults for 10k validators
configurable pool sizes for Postgres + DynamoDB backends
promote retry_with_backoff to src/util/retry.rs
extract build_graceful_shutdown helper (audit M16)
MasterKeyRow.mode becomes a typed MasterKeyMode enum (M12)
extract require_* state-gate helpers + close state-variant leak (M17)
split http/chamber/import.rs into focused submodules (audit M18)
delete 7 vestigial typed transition helpers, centralize on validate_transition_to (audit L9 pt.2)
remove last 4 typed transition helpers; single-source state machine via validate_transition_to (audit L9 pt.3)
gate Category-A test-only pub fns behind cfg(test-utils) (audit L9 pt.4a)
delete compute_spki_hash + is_priority_operation; inline callers (audit L9 pt.4b)
delete parse_v2_preamble pub fn; move logic into a test-mod helper (audit L9 pt.4c)
wire validate_interchange into prod + gate remaining test fixtures (audit L9 pt.4d)
extract test_read/write_state fixtures + validate_and_import_json helper (simplify)
decrypt_share_blocking takes &EncryptedShare
migrate 8 enums to strum derives
model passphrase as Option in register/add-credential
extract shared integration-test harness base
drop misread clippy::redundant_pub_crate suppressions
drop legacy-share compat wrapper + test scenario
move passphrase-policy constants to validation
split into tcp-vsock / vsock-stdout subcommands

Tests

fix test compilation after auth migration
add auth API integration tests with LocalStack
add 27 unit tests for coverage gaps (errors, config, lib)
add 3 integration tests for interchange export/import wiring
add priority semaphore routing integration tests
require cargo nextest for env-mutating tests
close help-text drift; cover all top-level CLI defaults
fix silent coverage erosion in Scenario N
production integration tests + just recipe
direct tests for every CmsError variant
drop duplicate Score::Four fixture pre-flight
fail loudly on subscriber conflict
drop redundant install() call
drop stale block_on pitfall comment
pin identifier-before-passphrase validation order
add TRACE-level canary for leak-detection coverage

Bench

add auth evaluation, keystore decryption, and AES-GCM benchmarks
add raw key decode benchmark (hex → BLS keypair, no KDF)
raise bench_concurrent_signing cap to 3000 (audit M15)

Config

lower auth_refresh_interval_seconds default from 30s to 5s

Metrics

extend histogram buckets to 2.5s for tail visibility

Style

add reason strings to #[expect(clippy::redundant_clone)] in tests
replace inline crate:: paths with use imports (AGENTS.md §230)
use imported Duration instead of inline std::time path

v0.1.0-rc.24 — 2026-04-06

Bug Fixes

critical findings
remaining findings

Documentation

document PostgreSQL egress configuration
clarify hostname matching requirement between Helm and connection string

Features

add postgres egress port to EnclaveEgressPorts
add PG hostname extraction from antislashing config
add enclave+postgres startup validation
refactor spawn_forwarder for decoupled TCP/VSOCK ports
wire PG egress in server init block
add postgres egress port to enclave deployment
add conditional PG vsock-proxy to enclave-entrypoint
update deps

v0.1.0-rc.22 — 2026-04-04

Bug Fixes

update docs

Features

build main
build main
add DynamoDB table and KMS encryption outputs to examples

v0.1.0-rc.19 — 2026-04-03

Features

more decoupling

v0.1.0-rc.17 — 2026-04-03

Bug Fixes

add missing IAM permissions
state transition and various bugs
signer mutex hotpath
audit moai
move aTLS docs to security section, update ARCHITECTURE.md
security review fixes — structured SPKI binding, TOCTOU, atomic save
security review fixes + test cleanup
exclude NSM hardware test from coverage-full
improve get_n error message to distinguish missing vs unparsable
use alternate Display format for error chain preservation
rename metric to containment_dynamodb_keystore_errors_total
gen docs feature flag

Build

add tokio-rustls, arc-swap, rcgen, x509-parser for aTLS

Documentation

add aTLS configuration reference, operator guide, architecture

Features

split state backend
add self-signed cert generation with attestation ext
add TLS listener module with aTLS cert generation and tokio-rustls accept loop
wire TLS listener into server (file + disabled modes)
add attestation-bound cert generation for aTLS mode
wire aTLS mode into server with mock attestation
add custom ServerCertVerifier for attestation verification
add TOFU measurement pinning for aTLS enclaves
add cert rotation background task (aTLS + file modes)
wire TLS client into operator CLI
add NitroTlsAttestation implementation
wire TLS metrics into server
add TLS mode to Helm chart
implement COSE_Sign1 attestation document parsing
add configurable max_connections with semaphore (default 512)

Performance

parallelize GSI queries across all status+shard pairs

Refactoring

upgrade rcgen 0.14 + x509-parser 0.18, fix audit issues
consolidate OID constant, replace inline metric paths
extract run_dual_listener, move scoped imports to top
move MASTER_KEY_PK constants to signer state module
move master key reconstruction from aws_keystore to top-level module
split AwsKeystoreError — extract seal-specific variants to MasterKeyError
DynamoDbKeyStore receives key bytes instead of MasterKeyProvider
flip validation — key source requires signer state, not reverse
fix integration tests for decouple-signer-state error types
break circular dependency between master_key and aws_keystore
add DynamoDB attribute extraction helpers (get_s/get_b/get_n)
move ApiScope + SigningOperation to domain-level auth_types module
move dynamo ops + MasterKeyRow to state_backend module
extract sealed storage builders + setup token from server.rs
replace ActiveMasterKey Mutex with SharedMasterKey ArcSwap
rename aws_keystore module to dynamodb + consolidate config
add AccumulatedShares type alias for readability

Tests

add TLS test infrastructure and integration tests
add aTLS end-to-end integration tests
add 27 integration tests for seal/unseal error paths
complete lifecycle test and strengthen rotation assertion

v0.1.0-rc.12 — 2026-03-29

Features

trigger release
trigger release

v0.1.0-rc.11 — 2026-03-29

Features

trigger release

v0.1.0-rc.10 — 2026-03-26

Bug Fixes

enclave and unseal bug
confirm password for operator
cli and refactor
auto advance state
capabilities and logging

Features

fix cli async reqwest
transition to kms unseal without restart and use master key hmac

v0.1.0-rc.9 — 2026-03-25

Features

trigger release

v0.1.0-rc.8 — 2026-03-25

Bug Fixes

use stored threshold from DynamoDB during reconstruction (#57)
enable registration during rotation + multi-credential rotation
move Argon2id encryption to spawn_blocking in register_handler
convert remaining allow(clippy) to expect(clippy)
fix AES-GCM AAD mismatch in master key encrypt/decrypt
correct PCR_LEN from 32 to 48 bytes (SHA-384)
use EthereumSigner re-export instead of redundant signer::signer path
add operator name validation to prevent partition key injection

Documentation

add YubiKey setup guide
update seal/unseal docs for multi-credential support
regenerate AGENTS.md files after refactors

Features

replace built-in hyper metrics server with Axum and add HTTP request metrics
add AWS Nitro Enclave support (#56)
deep review (#58)
vault-style unseal, API-first key management & security hardening (#59)
pre-release consolidation (#62)
add credential_id field to RegisterRequest and RegisterResponse
add challenge_response dependency and yubikey module
extend DynamoDB ops for multi-credential storage
add —yubikey and —yubikey-slot flags to operator commands
support multi-credential registration
add credential management endpoints
implement YubiKey HMAC-SHA1 challenge-response module
update unseal_handler to try all credentials
wire YubiKey module into operator passphrase flow
YubiKey HMAC-SHA1 + multi-credential operator support

Refactoring

migrate #[allow(clippy::…)] to #[expect(clippy::…)]
remove duplicate encrypt_master_key, use canonical master_key::encrypt_master_key
return Zeroizing<Vec> from AES-GCM encrypt/decrypt
centralize crypto functions in crypto.rs
deduplicate Shamir/HMAC into crypto.rs and fix zeroization gaps
split seal.rs into submodules (models, dynamo, register, unseal, rotate)
replace use super::* with explicit imports in seal submodules
move sealed_storage_nitro into sealed_storage/nitro submodule
rename seal.rs to signer_state.rs for clarity
move Shamir tests from master_key.rs to crypto.rs
extract scan_credential_ids_by_prefix to deduplicate DynamoDB scan logic
replace inline crate::sealed_storage::nitro path with use import
replace inline EthereumSigner paths with use import in import.rs
extract dynamo_unavailable helper to deduplicate 20 error mappings
fix remaining inline crate paths and use AHashMap for application data
replace inline crate:: paths with use imports in production code
replace inline crate::config paths with use imports in auth.rs

Tests

add multi-credential seal/unseal integration tests
add credential management integration tests

Style

run cargo +nightly fmt to fix import grouping across 22 files
rename val to value in shamir_combine_bytes
move per-function test imports to module level in import.rs
fmt

v0.1.0-rc.7 — 2026-03-13

Bug Fixes

use per-variant log levels in error handler
set health check TraceLayer to TRACE level
migrate to vergen 9 API with vergen-git2
migrate to OpenTelemetry 0.31 API
resolve lighthouse_types and rusqlite 0.38 breaking changes
use cast_signed/cast_unsigned for clippy compliance
pre-release hardening — constant-time auth, error mapping, graceful shutdown
deny unsafe_code, disable test retries, apply nightly fmt
harden security, fix metrics port, add terminationGracePeriodSeconds
flatten containmentChamber wrapper from values.yaml
wire fork_schema and signing request oneOf into spec
add servers field and clean handler summaries
correct signing_auth format in README and remove stale screenshots
remove handler doc leaks and orphaned schemas
remove incorrect .trim() from base64 Authorization header decode
preserve error chain in From implementations
add 5s timeout to health check handler
sanitize error responses + standardize JSON format
upgrade OTLP failure log from warn to error
update classic dashboard metric names to containment_ prefix and add missing panels
update kubernetes dashboard metric names to containment_ prefix and add missing panels
use correct error variant for semaphore closure and missing config
add debug logging to noop backend
validate stored GVR length in Postgres and name advisory lock constants
make SQLite permission failure fatal and validate stored GVR length
add jitter to DynamoDB GVR retry backoff
validate stored GVR length in Postgres and name advisory lock constants
validate allowed/denied operations mutual exclusivity and document CLI flag semantics
convert list_yaml_files to sync and follow symlinks
use NonZeroUsize for concurrency fields to prevent zero-value bugs
make TokenHash pub(crate) to satisfy clippy visibility lint
update test to reflect PubkeyHex accepting pubkeys without 0x prefix
replace string-based ConditionalCheckFailed detection with SDK error types
make create_isolated_table idempotent for re-runs (#22)
harden DynamoDB backend against data corruption and non-atomic reads (#24)
comprehensive security remediation (#28)
flaky test
remove cache and deadcode
remove dead code
remove more dead code
better postgres URL parsing
exhaustive match
hash comparison
flaky test
better error chain on AWS SDK
better logging
make dynamodb reload more efficient
decrease startup delay
add warning when no backup encryptor
dashboard should not sum
aggregate and proof based on lighthouse types
update lighthouse to v8.1.2 (#48)
action for crane
conditional cpu flag for different arch

Build

add hmac and sha2, move rand to dependencies
use nightly rustfmt in fmt and ci recipes

CI/CD

add cargo-deny supply chain audit job
simplify and align workflows with justfile (#16)

Documentation

add doc comments and #[must_use] to public functions
scaffold Astro Starlight documentation site
add website project foundation
add Docker and nginx preview server
add site assets, styles and content config
migrate existing documentation to Starlight
add getting started guides
add feature guides, configuration reference and deployment guides
add dormant GitHub Pages workflow and update README
add hierarchical AGENTS.md knowledge base
fix outdated recipe names, CLI flags, and config format
remove developer-only pages from documentation site
clean Rust-specific language and fix accuracy issues in operator pages
add operator guides for key formats, security, troubleshooting, upgrade, and validator clients
remove signing behavior matrix, add metrics reference, unify deployment section, fix Helm values
add advisory lock safety comment and sign() architecture note
update metric references to containment_ prefix
update AppState references to remove stale generic parameter
documentation overhaul — restructure, fix, and automate (#39)

Features

refactor pg errors
aurora tls
aurora tls
aurora tls
add force_ipv4 flag to gate IPv4 DNS resolution
add truncate_pubkey utility and Key Manager API startup log
add auth rejection logging
add DynamoDB anti-slashing init logging
verify antislashing backend health and fix test
comprehensive metrics audit — new metrics, operation labels, backend instrumentation, build info
add classic Grafana dashboard with instance selector
add Kubernetes Grafana dashboard with namespace/pod selectors
prepare release
prepare release
prepare release
prepare release
prepare release
prepare release
add unauthenticated_policy and update keystore import return type
signing auth hardening — HMAC hashing, unauthenticated_policy, validation, and exhaustive matrix tests
remove multi protocol support
refactor to use ahash
security review
security review
add utoipa dependency and gen-openapi bin target
add ToSchema derives to project-owned types
add manual schemas for external Lighthouse types
annotate HTTP handlers with utoipa::path
add ApiDoc and gen-openapi binary
add gen-openapi justfile recipe
add Scalar API reference page to docs site
remove hand-written API reference, update links
add named variant schemas with discriminator mapping and examples
add custom histogram buckets for signing + antislashing
add W3C Trace Context propagator + extraction middleware
add containment_keys_load_errors gauge for startup failures
add metrics and update dashboard
small fixes
small fixes
use zeroize string for auth token
add HexSignature type safety
create PubkeyHex newtype and update KeyStore key type
update EthereumSigner to use PubkeyHex
update HTTP layer to use PubkeyHex
complete PubkeyHex newtype integration across all call sites
add new tests
add new tests
update cargo
DynamoDB + KMS key management with Shamir secret sharing (#20)
upgrade DynamoDB backend to Hybrid mode (#23)
various fixes (#27)
make --network flag functional (Eth2Network enum, GVR guard, network-aware keygen) (#30)
unified auth policy engine with scope-based access control (#31)
release readiness — config defaults, API redesign, AWS docs, Helm docs (#32)
chamber API redesign — State+FromRef, /chamber/keys namespace, KeySource, writable config (#33)
enhance config parsing
rework tracelayer
simplify policy handling
test auth fallback
more tests
more sensible and safe defaults
holistic Prometheus metrics overhaul — label-based unification + full error path coverage (#37)
add more integration tests
cleanup test
cleanup test
cleanup test
update chart netpol
better response format for import
update grafana dashboard
rework dynamodb antislashing logic
rework dynamodb antislashing logic
update logging config
website visual overhaul + docs restructure (#44)
Chamber API superset — KeySource::Memory, KeyStatus, type unification, PATCH endpoint (#45)
add cors support
align naming across the project (#47)
add reproducible build (#50)

Performance

eliminate double-allocation in signature hex encoding
eliminate double-allocation in signature hex encoding
cache list_keys result to avoid per-request DashMap iteration
replace RwLock cache with ArcSwap for lock-free list_keys reads
skip cache rebuild during bulk key loading, rebuild once at end
borrow static slashing protection instead of cloning
use into_iter() instead of iter().clone() in import handler
remove unnecessary PublicKey clone in keygen deposit data

Refactoring

audit log messages, levels, and pubkey truncation
revert pubkey truncation and delete utility
rename sign_owned to sign
remove dead Deposit variant and unused PublicKeyBytes import
rename project from vortessence/remote-signer-rs to containment-chamber
remove AppState ~~generic, use concrete Arc~~

merge KeyStore dual DashMaps into single map

eliminate provider clone, deduplicate subscriber init, improve OTLP error message

extract helper functions to reduce main() complexity

remove unused AntiSlashing trait and NoopAntiSlashing

introduce TokenHash newtype for HMAC policy map keys

remove phantom EthSpec generic from SigningRequestOwned

replace SlashingViolation(String) with typed SlashingViolationType enum

encapsulate hex encoding in HexSignature::from_bytes()

split DynamoDbUnavailable into specific error variants

move EncryptedBlsSk to keys.rs as private implementation detail

replace DynRecipient trait object with concrete x25519::Recipient

add Display impl for ValidatorStatus, remove status_to_str()

use NonZeroUsize/NonZeroU64 for config fields that must be positive

replace stringly-typed import status with ImportStatus enum

use anyhow::Context instead of anyhow::anyhow! in backup.rs

code cleanup — design pattern consolidation & deduplication (#25)

migrate CLI to Figment Provider pattern with 37 structured flags (#29)

standardize on ahash::AHashSet across codebase for consistency (#34)

standardize error handling on thiserror across library code (#35)

idiomatic Rust quality improvements (#36)

idiomatic repository structure cleanup (#38)

post-Chamber API code quality cleanup (#46)

Tests
Section titled “Tests”

add error-path loading tests

add HTTP-level slashing edge case tests

add graceful shutdown drain test

update sign tests to reflect PubkeyHex format validation (400 vs 404)

replace committed keystore fixtures with runtime generation (#17)

improve test coverage from 79% to 82% (#21)

add backpressure and load shedding integration tests (#26)

Bench
Section titled “Bench”

add isolated BLS, concurrent, and scaling benchmarks

Sec
Section titled “Sec”

zeroize imported keystore passwords

zeroize Key Manager API token in memory

sanitize import error messages in API responses

zeroize FileRaw private_key field

fix zizmor findings (#41)

v0.1.0-rc.6 — 2026-02-19
Section titled “v0.1.0-rc.6 — 2026-02-19”

Features
Section titled “Features”

add tls to postgres

v0.1.0-rc.5 — 2026-02-18
Section titled “v0.1.0-rc.5 — 2026-02-18”

Features
Section titled “Features”

rename chart to vortessence and restructure values

adapt templates for vortessence binary

remove migration hook, update README, finalize chart

v0.1.0-rc.3 — 2026-02-18
Section titled “v0.1.0-rc.3 — 2026-02-18”

Features
Section titled “Features”

Vortessence v0.1.0-rc.0 — Ethereum remote signer

initial release

fix naming in logs

initial release