jesus/secretumvault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
secretumvault/CHANGELOG.md
Jesús Pérez 0c01da9b14
feat(storage): replace fake SurrealDB backend with real Surreal<Any> 
SurrealDBBackend was backed by Arc<RwLock<HashMap>> — no connection to
  SurrealDB whatsoever. Rewrite to a real Surreal<Any> connection:

  - engine::any dispatch: mem:// (embedded, tests) and ws://wss:// (prod)
  - All 11 StorageBackend methods: SurrealQL upsert/select/delete/query
  - Vec<u8> fields base64-encoded; timestamps as RFC3339 UTC strings
  - MVCC write-conflict retry: exponential backoff 5ms→80ms + uniform
    jitter, 5 attempts — resolves SurrealDB optimistic-concurrency errors
    under concurrent load without external locking
  - Mirror ID fields in records to avoid RecordId enum parsing in lists
  - 9 unit tests (mem://, no server) + 19 integration tests with UUID
    database isolation; concurrent coverage: 16 secret + 8 key writers
2026-02-17 21:38:06 +00:00

9.1 KiB
Raw Blame History

Changelog

All notable changes to SecretumVault will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

Post-Quantum Cryptography (Production-Ready)

  • OQS Backend Implementation - Complete production-ready PQC via Open Quantum Safe
    • ML-KEM-768 (NIST FIPS 203) key encapsulation mechanism fully implemented
    • ML-DSA-65 (NIST FIPS 204) digital signatures fully implemented
    • Native OQS type caching for performance optimization
    • NIST compliance verified (1088-byte ciphertext, 32-byte shared secret)
    • Feature flag: oqs and pqc for post-quantum support
    • Hybrid mode (classical + PQC) in development

CLI Implementation

  • Command-line interface for vault operations
    • server subcommand - Start vault server with config
    • init subcommand - Initialize vault with Shamir shares
    • unseal subcommand - Unseal vault with key shares
    • status subcommand - Check vault status
    • Config file support via --config flag
    • Feature flag: cli for command-line tools

Examples and Demos

  • Added examples/ directory with runnable demos
    • demo.sh - Bash demo script for quick start
    • demo-simple.nu - Nushell simple demo
    • demo-server.nu - Nushell server interaction demo
    • README.md with usage instructions

Configuration

  • Enhanced configuration system in src/config/
    • crypto.rs - Cryptographic backend configuration
    • Modular config structure (vault, server, storage, seal, engines)
    • Config validation and error handling
    • Support for svault.toml configuration file in config/ directory
    • Production config example in config/svault.toml.example

Documentation

  • Production Status Documentation - Clear PQC production-ready status

    • Updated README.md with production-ready PQC badges
    • "Why SecretumVault?" section with competitive comparison
    • "30-Second Demo" for quick start
    • "Production Status" with backend comparison table
    • "Quick Navigation" for different user personas (Security Teams, Platform Engineers, Compliance Officers)
    • Updated GitHub URL to correct repository (jesuspc/secretumvault)

  • Architecture Decision Records (ADRs)

    • docs/architecture/adr/001-post-quantum-cryptography-oqs-implementation.md
    • ADR index in docs/architecture/adr/README.md

  • User Guides

    • Expanded docs/user-guide/howto.md with detailed how-to guides
    • CLI usage documentation
    • Unseal procedures and best practices

  • Development Guides

    • Updated docs/development/pqc-support.md with OQS implementation details
    • Updated docs/development/build-features.md with feature flag documentation

  • Architecture Documentation

    • Enhanced docs/architecture/README.md with PQC architecture
    • Updated docs/README.md with navigation improvements

Storage Layer

  • SurrealDB Backend (Production-Ready) — complete rewrite replacing fake in-memory HashMap with a real Surreal<Any> connection
    • surrealdb::engine::any::Any engine dispatch: ws:///wss:// for production, mem:// for embedded testing
    • All eleven StorageBackend methods implemented with real SurrealQL queries (upsert, select, delete, query with bind)
    • Binary fields (Vec<u8>) base64-encoded for transport-agnostic serialization; timestamps as RFC3339 UTC strings
    • MVCC optimistic-concurrency retry: exponential backoff starting at 5 ms with uniform random jitter, up to 5 attempts per write — resolves SurrealDB write conflicts under concurrent load without external coordination
    • Mirror ID fields in record structs to avoid RecordId enum parsing during list operations
    • 9 unit tests using embedded mem:// engine (no external server)
    • 19 integration tests with real SurrealDB via mem:// and UUID-named databases for isolation
    • Concurrent write coverage: 16 parallel secret writes + 8 parallel key writes verified conflict-free

Secrets Engines

  • Transit Engine Enhancements

    • Expanded encryption/decryption operations
    • Key rotation support
    • Multiple algorithm support
    • PQC integration with OQS backend

  • PKI Engine Enhancements

    • Certificate generation improvements
    • X.509 certificate handling
    • Root CA and intermediate CA support

API Improvements

  • Enhanced API handlers in src/api/handlers.rs

    • Better error handling and responses
    • Request validation improvements
    • Support for new PQC operations

  • Server improvements in src/api/server.rs

    • Better routing and middleware integration
    • Health check endpoints
    • Metrics integration

Core Cryptography

  • CryptoBackend Trait Extensions in src/crypto/backend.rs

    • Added PQC operations to trait
    • Backend registry improvements
    • Type-safe backend selection

  • AWS-LC Backend Updates in src/crypto/aws_lc.rs

    • Experimental PQC support
    • Code cleanup and improvements

  • RustCrypto Backend Refactoring in src/crypto/rustcrypto_backend.rs

    • Simplified implementation
    • Better error handling
    • Testing support

Build and Dependencies

  • Updated Cargo.toml with new dependencies

    • oqs = "0.10" for production PQC
    • CLI dependencies (clap, etc.)
    • Enhanced feature flags

  • Updated Cargo.lock with dependency resolution

Changed

  • README.md - Major improvements

    • Added professional badges (Rust version, License, Classical Crypto, PQC status, CI)
    • Restructured with "Why SecretumVault?" positioning
    • Added competitive comparison tables (vs HashiCorp Vault, vs AWS Secrets Manager)
    • Added 30-second demo for quick evaluation
    • Production Status section with clear backend comparison
    • Quick Navigation for different user personas
    • Updated feature descriptions with production status
    • Corrected GitHub repository URL
    • Updated roadmap with completed PQC tasks marked
    • Enhanced feature flags documentation

  • Configuration - Better organization

    • Moved config files to config/ directory
    • Improved config structure and validation
    • Better error messages

  • Main Entry Point - CLI integration

    • src/main.rs now supports subcommands
    • Better argument parsing
    • Config file loading
    • Improved error handling

  • Build System - Feature organization

    • .cargo/config.toml cleanup
    • Better feature flag organization

  • Documentation - Comprehensive updates

    • All docs reflect production-ready PQC status
    • Improved navigation and structure
    • Added missing sections

Fixed

  • Clippy warnings and linting issues
  • Markdown formatting issues in documentation
  • Pre-commit hooks configuration
  • CI/CD configuration improvements

Security

  • Production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65)
  • Cryptographic agility through pluggable backends
  • NIST PQC standard compliance
  • Secure configuration defaults

[0.1.0] - 2024-12-21

Added

  • Initial project structure and repository setup
  • Core vault architecture with pluggable backends
  • Secrets engines: KV, Transit, PKI, Database
  • Storage backends: etcd, SurrealDB, PostgreSQL, Filesystem
  • Cryptographic backends: OpenSSL, AWS-LC (experimental), RustCrypto (testing)
  • Cedar policy-based authorization (ABAC)
  • Shamir Secret Sharing for unsealing
  • Token-based authentication
  • TLS/mTLS support
  • Prometheus metrics integration
  • Structured logging
  • Docker and Docker Compose deployment
  • Kubernetes manifests and Helm charts
  • Comprehensive documentation structure
  • Pre-commit hooks and CI/CD setup
  • Branding and logos

Security

  • Encryption at rest for all secrets
  • Least privilege via Cedar policies
  • Audit logging for compliance
  • Secure defaults (non-root, read-only filesystem)

Release Notes

Unreleased - Post-Quantum Cryptography Production Release

This release marks SecretumVault as the first Rust secrets vault with production-ready post-quantum cryptography. Key highlights:

🔐 Production-Ready PQC:

  • ML-KEM-768 and ML-DSA-65 fully implemented via OQS backend
  • NIST FIPS 203/204 compliance verified
  • One-line config change to enable PQC: crypto_backend = "oqs"
  • No code changes needed - cryptographic agility through pluggable backends

🚀 Enhanced Developer Experience:

  • CLI for easy vault operations (init, unseal, status, server)
  • Runnable examples in examples/ directory
  • Comprehensive how-to guides and documentation
  • 30-second demo for quick evaluation

📚 Improved Documentation:

  • Clear production status with backend comparison
  • Competitive positioning vs HashiCorp Vault and AWS Secrets Manager
  • Quick navigation for different user personas
  • Architecture Decision Records (ADRs) for design decisions

🔧 Better Configuration:

  • Modular config structure
  • Validation and error handling
  • Production config examples

This release positions SecretumVault as the premier choice for organizations deploying post-quantum cryptography today, with production-ready NIST PQC standards, multi-cloud portability, and Rust's memory safety guarantees.

Unique Differentiator: Only Rust secrets vault with production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65) available today.