secretumvault/CHANGELOG.md

# Changelog

All notable changes to SecretumVault will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Added

#### Post-Quantum Cryptography (Production-Ready)

- **OQS Backend Implementation** - Complete production-ready PQC via Open Quantum Safe
  - ML-KEM-768 (NIST FIPS 203) key encapsulation mechanism fully implemented
  - ML-DSA-65 (NIST FIPS 204) digital signatures fully implemented
  - Native OQS type caching for performance optimization
  - NIST compliance verified (1088-byte ciphertext, 32-byte shared secret)
  - Feature flag: `oqs` and `pqc` for post-quantum support
  - Hybrid mode (classical + PQC) in development

#### CLI Implementation

- Command-line interface for vault operations
  - `server` subcommand - Start vault server with config
  - `init` subcommand - Initialize vault with Shamir shares
  - `unseal` subcommand - Unseal vault with key shares
  - `status` subcommand - Check vault status
  - Config file support via `--config` flag
  - Feature flag: `cli` for command-line tools

#### Examples and Demos

- Added `examples/` directory with runnable demos
  - `demo.sh` - Bash demo script for quick start
  - `demo-simple.nu` - Nushell simple demo
  - `demo-server.nu` - Nushell server interaction demo
  - `README.md` with usage instructions

#### Configuration

- Enhanced configuration system in `src/config/`
  - `crypto.rs` - Cryptographic backend configuration
  - Modular config structure (vault, server, storage, seal, engines)
  - Config validation and error handling
  - Support for `svault.toml` configuration file in `config/` directory
  - Production config example in `config/svault.toml.example`

#### Documentation

- **Production Status Documentation** - Clear PQC production-ready status
  - Updated `README.md` with production-ready PQC badges
  - "Why SecretumVault?" section with competitive comparison
  - "30-Second Demo" for quick start
  - "Production Status" with backend comparison table
  - "Quick Navigation" for different user personas (Security Teams, Platform Engineers, Compliance Officers)
  - Updated GitHub URL to correct repository (jesuspc/secretumvault)

- **Architecture Decision Records (ADRs)**
  - `docs/architecture/adr/001-post-quantum-cryptography-oqs-implementation.md`
  - ADR index in `docs/architecture/adr/README.md`

- **User Guides**
  - Expanded `docs/user-guide/howto.md` with detailed how-to guides
  - CLI usage documentation
  - Unseal procedures and best practices

- **Development Guides**
  - Updated `docs/development/pqc-support.md` with OQS implementation details
  - Updated `docs/development/build-features.md` with feature flag documentation

- **Architecture Documentation**
  - Enhanced `docs/architecture/README.md` with PQC architecture
  - Updated `docs/README.md` with navigation improvements

#### Storage Layer

- **SurrealDB Backend (Production-Ready)** — complete rewrite replacing fake in-memory `HashMap` with a real `Surreal<Any>` connection
  - `surrealdb::engine::any::Any` engine dispatch: `ws://`/`wss://` for production, `mem://` for embedded testing
  - All eleven `StorageBackend` methods implemented with real SurrealQL queries (`upsert`, `select`, `delete`, query with `bind`)
  - Binary fields (`Vec<u8>`) base64-encoded for transport-agnostic serialization; timestamps as RFC3339 UTC strings
  - MVCC optimistic-concurrency retry: exponential backoff starting at 5 ms with uniform random jitter, up to 5 attempts per write — resolves SurrealDB write conflicts under concurrent load without external coordination
  - Mirror ID fields in record structs to avoid `RecordId` enum parsing during list operations
  - 9 unit tests using embedded `mem://` engine (no external server)
  - 19 integration tests with real SurrealDB via `mem://` and UUID-named databases for isolation
  - Concurrent write coverage: 16 parallel secret writes + 8 parallel key writes verified conflict-free

#### Secrets Engines

- **Transit Engine Enhancements**
  - Expanded encryption/decryption operations
  - Key rotation support
  - Multiple algorithm support
  - PQC integration with OQS backend

- **PKI Engine Enhancements**
  - Certificate generation improvements
  - X.509 certificate handling
  - Root CA and intermediate CA support

#### API Improvements

- Enhanced API handlers in `src/api/handlers.rs`
  - Better error handling and responses
  - Request validation improvements
  - Support for new PQC operations

- Server improvements in `src/api/server.rs`
  - Better routing and middleware integration
  - Health check endpoints
  - Metrics integration

#### Core Cryptography

- **CryptoBackend Trait Extensions** in `src/crypto/backend.rs`
  - Added PQC operations to trait
  - Backend registry improvements
  - Type-safe backend selection

- **AWS-LC Backend Updates** in `src/crypto/aws_lc.rs`
  - Experimental PQC support
  - Code cleanup and improvements

- **RustCrypto Backend Refactoring** in `src/crypto/rustcrypto_backend.rs`
  - Simplified implementation
  - Better error handling
  - Testing support

#### Build and Dependencies

- Updated `Cargo.toml` with new dependencies
  - `oqs = "0.10"` for production PQC
  - CLI dependencies (clap, etc.)
  - Enhanced feature flags

- Updated `Cargo.lock` with dependency resolution

### Changed

- **README.md** - Major improvements
  - Added professional badges (Rust version, License, Classical Crypto, PQC status, CI)
  - Restructured with "Why SecretumVault?" positioning
  - Added competitive comparison tables (vs HashiCorp Vault, vs AWS Secrets Manager)
  - Added 30-second demo for quick evaluation
  - Production Status section with clear backend comparison
  - Quick Navigation for different user personas
  - Updated feature descriptions with production status
  - Corrected GitHub repository URL
  - Updated roadmap with completed PQC tasks marked ✅
  - Enhanced feature flags documentation

- **Configuration** - Better organization
  - Moved config files to `config/` directory
  - Improved config structure and validation
  - Better error messages

- **Main Entry Point** - CLI integration
  - `src/main.rs` now supports subcommands
  - Better argument parsing
  - Config file loading
  - Improved error handling

- **Build System** - Feature organization
  - `.cargo/config.toml` cleanup
  - Better feature flag organization

- **Documentation** - Comprehensive updates
  - All docs reflect production-ready PQC status
  - Improved navigation and structure
  - Added missing sections

### Fixed

- Clippy warnings and linting issues
- Markdown formatting issues in documentation
- Pre-commit hooks configuration
- CI/CD configuration improvements

### Security

- Production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65)
- Cryptographic agility through pluggable backends
- NIST PQC standard compliance
- Secure configuration defaults

## [0.1.0] - 2024-12-21

### Added

- Initial project structure and repository setup
- Core vault architecture with pluggable backends
- Secrets engines: KV, Transit, PKI, Database
- Storage backends: etcd, SurrealDB, PostgreSQL, Filesystem
- Cryptographic backends: OpenSSL, AWS-LC (experimental), RustCrypto (testing)
- Cedar policy-based authorization (ABAC)
- Shamir Secret Sharing for unsealing
- Token-based authentication
- TLS/mTLS support
- Prometheus metrics integration
- Structured logging
- Docker and Docker Compose deployment
- Kubernetes manifests and Helm charts
- Comprehensive documentation structure
- Pre-commit hooks and CI/CD setup
- Branding and logos

### Security

- Encryption at rest for all secrets
- Least privilege via Cedar policies
- Audit logging for compliance
- Secure defaults (non-root, read-only filesystem)

---

## Release Notes

### Unreleased - Post-Quantum Cryptography Production Release

This release marks SecretumVault as the **first Rust secrets vault with production-ready post-quantum cryptography**. Key highlights:

**🔐 Production-Ready PQC:**

- ML-KEM-768 and ML-DSA-65 fully implemented via OQS backend
- NIST FIPS 203/204 compliance verified
- One-line config change to enable PQC: `crypto_backend = "oqs"`
- No code changes needed - cryptographic agility through pluggable backends

**🚀 Enhanced Developer Experience:**

- CLI for easy vault operations (init, unseal, status, server)
- Runnable examples in `examples/` directory
- Comprehensive how-to guides and documentation
- 30-second demo for quick evaluation

**📚 Improved Documentation:**

- Clear production status with backend comparison
- Competitive positioning vs HashiCorp Vault and AWS Secrets Manager
- Quick navigation for different user personas
- Architecture Decision Records (ADRs) for design decisions

**🔧 Better Configuration:**

- Modular config structure
- Validation and error handling
- Production config examples

This release positions SecretumVault as the premier choice for organizations deploying post-quantum cryptography today, with production-ready NIST PQC standards, multi-cloud portability, and Rust's memory safety guarantees.

---

**Unique Differentiator:** Only Rust secrets vault with production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65) available today.