Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

qos_core - 0.7.0 - 2026-04-16

Changed

  • [breaking] Removed Arc<RwLock<>> wrapping from ProtocolProcessor — the processor is now Clone and passed by value, eliminating a read-lock acquisition on every incoming request (#660)

  • [breaking] Removed SharedProcessor<P> type alias; SocketServer::listen_all and listen_to now take P: RequestProcessor + Clone instead of &SharedProcessor<P> (#660)

  • Added blanket RequestProcessor impl for any T: Deref<Target = U> where U: RequestProcessor (#660)

  • EphemeralKeyHandle is now generic over P: AsRef<Path> and derives Copy (#660)

  • Adhere closer to clippy::pedantic

qos_p256 - 0.7.0 - 2026-04-16

Changed

  • Added #[must_use] to P256Pair::encryption_key() (#658)
  • Adhere closer to clippy::pedantic

qos_host - 0.7.0 - 2026-04-16

Added

  • /enclave-info endpoint now returns the ephemeral public key extracted from the live attestation document (#659)

qos_client - 0.7.0 - 2026-04-16

Changed

  • Adhere closer to clippy::pedantic

qos_net - 0.7.0 - 2026-04-16

Changed

  • Adhere closer to clippy::pedantic

qos_nsm - 0.7.0 - 2026-04-16

Changed

  • Adhere closer to clippy::pedantic

qos_hex - 0.7.0 - 2026-04-16

Changed

  • Adhere closer to clippy::pedantic

qos_test_primitives - 0.7.0 - 2026-04-16

Changed

  • Adhere closer to clippy::pedantic

qos_client - 0.6.1 - 2026-04-09

Other

  • publish qos_test_primitives

qos_core - 0.6.1 - 2026-04-09

Other

  • work around kernel bug by writing < 32KiB chunks to vsock

qos_p256 - 0.6.1 - 2026-04-09

Added

  • Expose encryption_secret accessor on P256Pair (#662)

qos_net - 0.6.0 - 2026-04-02

Fixed

  • ProxyMsg::ProxyError responses now properly propagated instead of being silently dropped as InvalidMsg (#655)

Changed

  • Removed unused error variants DuplicateConnectionId, ConnectionOverridden, ConnectionIdNotFound (#655)

Security

  • Patched aws-lc-rs, tar, rustls-webpki (#650)
  • Patched time and keccak crates (#649)

qos_core - 0.5.0 - 2026-02-28

Added

  • Async runtime with tokio and tokio-vsock — migrated the server, reaper, and I/O subsystem from synchronous to fully asynchronous (#524, #583)
  • Dynamic resizing StreamPool with per-connection task spawning and configurable max_connections via semaphore (#524, #596)
  • HostBridge for transparent VSOCK-to-TCP bridging, letting pivot applications use standard TCP without VSOCK awareness (#596)
  • BridgeConfig in PivotConfig — configures bridge routing (server/client variants) as flat JSON (#596, #631)
  • pool_size and client_timeout fields in Manifest, replacing pivot-args-based configuration (#584)
  • debug_mode flag in PivotConfig to control output piping for pivot processes (#596)
  • StreamMode for backward-compatible stream handling with legacy applications (#524)
  • PoolGuard with Mutex on SocketClient::call for safe concurrent stream access (#524)
  • MAX_PAYLOAD_SIZE (128 MiB) enforcement with gradual buffer allocation to prevent OOM (#527, #582)

Changed

  • Manifest, ManifestEnvelope, GenesisOutput, and QuorumKey serialization changed from Borsh to JSON (*V0 types retained for backward compat) (#594, #616)
  • PivotConfig restructured — host_config replaced with bridge_config: Vec<BridgeConfig>, old PivotHostConfig consolidated (#596, #631)
  • Ephemeral keys rotated post-boot and retained for app proofs, improving forward secrecy (#523, #571)
  • Quorum key written last during provisioning to prevent partially-provisioned state on interruption (#523)
  • Removed async feature flags — async runtime unified into main code path (#524)
  • Upgraded borsh from v0.1 to v1.0 (#449, #458, #459)
  • MSRV raised to Rust 1.88 (#524, #576)

Fixed

  • Client reconnects no longer logged as errors (#590)
  • tcp_to_vsock bridge listen loop could exit prematurely (#596)
  • HostBridge now properly handles multiple connections on the same port (#596)
  • Stream state cleanup in all error paths (#524, #528, #583)
  • ProtocolError variants now include expected/actual values for debuggability (#605)

Security

  • Updated rsa crate for security patch (#606)
  • Patched bytes crate (#619)

qos_client - 0.5.0 - 2026-02-28

Added

  • json-to-borsh CLI command for converting JSON-format Manifests back to Borsh (#616)
  • get-ephemeral-key-hex CLI command to extract ephemeral public key from attestation documents (#571)
  • Command list shown as default output when run with no arguments (#591)
  • CLI arguments for --pool-size and --client-timeout (#584)
  • Human approval check when setting socket pool size during manifest generation (#589)
  • generate_file_key and advanced_provision_yubikey exported as public functions at crate root (#581)
  • Bridge configuration CLI parsing (--bridge-config, --app-host-port) (#596)

Changed

  • Backward-compatible Manifest reading — auto-detects Borsh (*V0) vs JSON format (#591, #596)
  • Removed x509 crate dependency; simplified certificate name generation for Yubikey provisioning (#564)
  • Updated p256 crate to newer version (#564)
  • Upgraded borsh from v0.1 to v1.0 (#449)

Fixed

  • Yubikey serial generation logic bug (#564)
  • Deserialization errors now include detail context (#620)
  • Filesystem write errors template the underlying OS error (#593)
  • macOS dot-underscore (._*) files now ignored during directory traversal (#628)

qos_net - 0.5.0 - 2026-02-28

Added

  • Fully async Proxy implementation using tokio — each connection spawned as a separate task (#524)
  • max_connections enforcement per proxy listener (#524)
  • Maximum timeout (10s) bounding entire proxy request lifecycle (#625)
  • Drop implementation on ProxyStream to properly close connections and prevent resource leaks (#528)
  • Connection pool limit with CloseRequest/CloseResponse protocol (#449)

Changed

  • DNS resolver switched to hickory-resolver with full DNSSEC validation enabled (#554)
  • Removed async_proxy feature flag — async proxy is now the only implementation (#524)
  • Removed connection_id from all Proxy structs and messages (#524)
  • Removed unused ProxyMsg variants (ConnectionClosed, EmptyRead) (#449, #582)
  • Upgraded borsh from v0.1 to v1.0 (#449)

Fixed

  • Proxy error handling loop return bug (#524)
  • MAX_PAYLOAD_SIZE enforcement on receive to prevent memory exhaustion (#527, #582)
  • Connection ID collisions (switched to u128 random IDs) (#536)
  • CLI builds correctly without default features (#504)

Security

  • Full DNSSEC validation on all DNS lookups, preventing DNS spoofing (#554)
  • Bumped tracing-subscriber to fix CVE-2025-58160 (#587)

qos_p256 - 0.5.0 - 2026-02-28

Added

  • Formal cryptographic specification (SPEC.md) for QOS Key Set covering P256 Signing, P256 HPKE, and AES-GCM-256 (#598)
  • Cargo-fuzz test harnesses for coverage-guided testing (#439)

Changed

  • P256SignPublic::from_bytes and P256EncryptPublic::from_bytes now reject compressed SEC1 points (uncompressed 65-byte format only) (#499)
  • File I/O errors now include the file path in error messages (#593)
  • Upgraded borsh from v0.1 to v1.0 (#449)

qos_nsm - 0.5.0 - 2026-02-28

Added

  • Cargo-fuzz test harnesses for attestation document parsing and verification (#514)
  • PCR0 mismatch logging with expected/actual values (#524)

Changed

  • AttestError variants (DifferentUserData, DifferentPcr0/1/2/3) now include expected and actual hex fields (#605)
  • InvalidPivotHash error displays both expected and actual hash values (#605)
  • Updated to aws-nitro-enclaves-nsm-api 0.4 (#505)
  • Upgraded borsh from v0.1 to v1.0 (#449)

qos_hex - 0.5.0 - 2026-02-28

Fixed

  • Corrected hex encoding/decoding logic (#576)

Changed

  • unsafe code denied at crate level (#576)
  • Missing rust docs enforced (#621)

qos_crypto - 0.5.0 - 2026-02-28

Added

  • Cargo-fuzz test harnesses for Shamir secret sharing functionality (#441)

Changed

  • Switched to vsss-rs 5.1 for share generation/reconstruction with zeroize enabled (secret shares securely cleared from memory) (#502)
  • Removed unused RSA key material (#490)