# Changelog

All notable changes to SecretumVault will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Added

#### Post-Quantum Cryptography (Production-Ready)

- **OQS Backend Implementation** - Complete production-ready PQC via Open Quantum Safe
  - ML-KEM-768 (NIST FIPS 203) key encapsulation mechanism fully implemented
  - ML-DSA-65 (NIST FIPS 204) digital signatures fully implemented
  - Native OQS type caching for performance optimization
  - NIST compliance verified (ML-KEM-768 parameter sizes: 1088-byte ciphertext, 32-byte shared secret)
  - Feature flags: `oqs` and `pqc` for post-quantum support
  - Hybrid mode (classical + PQC) in development

#### CLI Implementation

- Command-line interface for vault operations
  - `server` subcommand - Start vault server with config
  - `init` subcommand - Initialize vault with Shamir shares
  - `unseal` subcommand - Unseal vault with key shares
  - `status` subcommand - Check vault status
  - Config file support via `--config` flag
  - Feature flag: `cli` for command-line tools

#### Examples and Demos

- Added `examples/` directory with runnable demos
  - `demo.sh` - Bash demo script for quick start
  - `demo-simple.nu` - Nushell simple demo
  - `demo-server.nu` - Nushell server interaction demo
  - `README.md` with usage instructions

#### Configuration

- Enhanced configuration system in `src/config/`
  - `crypto.rs` - Cryptographic backend configuration
  - Modular config structure (vault, server, storage, seal, engines)
  - Config validation and error handling
- Support for `svault.toml` configuration file in `config/` directory
- Production config example in `config/svault.toml.example`

#### Documentation

- **Production Status Documentation** - Clear PQC production-ready status
  - Updated `README.md` with production-ready PQC badges
  - "Why SecretumVault?" section with competitive comparison
  - "30-Second Demo" for quick start
  - "Production Status" with backend comparison table
  - "Quick Navigation" for different user personas (Security Teams, Platform Engineers, Compliance Officers)
  - Updated GitHub URL to the correct repository (jesuspc/secretumvault)
- **Architecture Decision Records (ADRs)**
  - `docs/architecture/adr/001-post-quantum-cryptography-oqs-implementation.md`
  - ADR index in `docs/architecture/adr/README.md`
- **User Guides**
  - Expanded `docs/user-guide/howto.md` with detailed how-to guides
  - CLI usage documentation
  - Unseal procedures and best practices
- **Development Guides**
  - Updated `docs/development/pqc-support.md` with OQS implementation details
  - Updated `docs/development/build-features.md` with feature flag documentation
- **Architecture Documentation**
  - Enhanced `docs/architecture/README.md` with PQC architecture
  - Updated `docs/README.md` with navigation improvements

#### Secrets Engines

- **Transit Engine Enhancements**
  - Expanded encryption/decryption operations
  - Key rotation support
  - Multiple algorithm support
  - PQC integration with OQS backend
- **PKI Engine Enhancements**
  - Certificate generation improvements
  - X.509 certificate handling
  - Root CA and intermediate CA support

#### API Improvements

- Enhanced API handlers in `src/api/handlers.rs`
  - Better error handling and responses
  - Request validation improvements
  - Support for new PQC operations
- Server improvements in `src/api/server.rs`
  - Better routing and middleware integration
  - Health check endpoints
  - Metrics integration

#### Core Cryptography

- **CryptoBackend Trait Extensions** in `src/crypto/backend.rs`
  - Added PQC operations to the trait
  - Backend registry improvements
  - Type-safe backend selection
- **AWS-LC Backend Updates** in `src/crypto/aws_lc.rs`
  - Experimental PQC support
  - Code cleanup and improvements
- **RustCrypto Backend Refactoring** in `src/crypto/rustcrypto_backend.rs`
  - Simplified implementation
  - Better error handling
  - Testing support

#### Build and Dependencies

- Updated `Cargo.toml` with new dependencies
  - `oqs = "0.10"` for production PQC
  - CLI dependencies (clap, etc.)
  - Enhanced feature flags
- Updated `Cargo.lock` with dependency resolution

### Changed

- **README.md** - Major improvements
  - Added professional badges (Rust version, License, Classical Crypto, PQC status, CI)
  - Restructured with "Why SecretumVault?" positioning
  - Added competitive comparison tables (vs HashiCorp Vault, vs AWS Secrets Manager)
  - Added 30-second demo for quick evaluation
  - Production Status section with clear backend comparison
  - Quick Navigation for different user personas
  - Updated feature descriptions with production status
  - Corrected GitHub repository URL
  - Updated roadmap with completed PQC tasks marked ✅
  - Enhanced feature flags documentation
- **Configuration** - Better organization
  - Moved config files to `config/` directory
  - Improved config structure and validation
  - Better error messages
- **Main Entry Point** - CLI integration
  - `src/main.rs` now supports subcommands
  - Better argument parsing
  - Config file loading
  - Improved error handling
- **Build System** - Feature organization
  - `.cargo/config.toml` cleanup
  - Better feature flag organization
- **Documentation** - Comprehensive updates
  - All docs reflect production-ready PQC status
  - Improved navigation and structure
  - Added missing sections

### Fixed

- Clippy warnings and linting issues
- Markdown formatting issues in documentation
- Pre-commit hooks configuration
- CI/CD configuration improvements

### Security

- Production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65) via the OQS backend; hybrid (classical + PQC) mode is still in development
- Cryptographic agility through pluggable backends
- NIST PQC standard compliance (FIPS 203, FIPS 204)
- Secure configuration defaults

## [0.1.0] - 2024-12-21

### Added

- Initial project structure and repository setup
- Core vault architecture with pluggable backends
- Secrets engines: KV, Transit, PKI, Database
- Storage backends: etcd, SurrealDB, PostgreSQL, Filesystem
- Cryptographic backends: OpenSSL, AWS-LC (experimental), RustCrypto (testing)
- Cedar policy-based authorization (ABAC)
- Shamir Secret Sharing for unsealing
- Token-based authentication
- TLS/mTLS support
- Prometheus metrics integration
- Structured logging
- Docker and Docker Compose deployment
- Kubernetes manifests and Helm charts
- Comprehensive documentation structure
- Pre-commit hooks and CI/CD setup
- Branding and logos

### Security

- Encryption at rest for all secrets
- Least privilege via Cedar policies
- Audit logging for compliance
- Secure defaults (non-root, read-only filesystem)

---

## Release Notes

### Unreleased - Post-Quantum Cryptography Production Release

This release marks SecretumVault as the **first Rust secrets vault with production-ready post-quantum cryptography**.

Key highlights:

**🔐 Production-Ready PQC:**

- ML-KEM-768 and ML-DSA-65 fully implemented via the OQS backend
- NIST FIPS 203/204 compliance verified
- One-line config change to enable PQC: `crypto_backend = "oqs"`
- No code changes needed - cryptographic agility through pluggable backends
- Hybrid mode (classical + PQC) is still in development

**🚀 Enhanced Developer Experience:**

- CLI for easy vault operations (`init`, `unseal`, `status`, `server`)
- Runnable examples in the `examples/` directory
- Comprehensive how-to guides and documentation
- 30-second demo for quick evaluation

**📚 Improved Documentation:**

- Clear production status with backend comparison
- Competitive positioning vs HashiCorp Vault and AWS Secrets Manager
- Quick navigation for different user personas
- Architecture Decision Records (ADRs) for design decisions

**🔧 Better Configuration:**

- Modular config structure
- Validation and error handling
- Production config examples

This release positions SecretumVault as the premier choice for organizations deploying post-quantum cryptography today, with production-ready NIST PQC standards, multi-cloud portability, and Rust's memory safety guarantees.

---

**Unique Differentiator:** Only Rust secrets vault with production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65) available today.