Releases: EffortlessMetrics/uselesskey
Release list
v0.10.0
What's Changed
Other Changes
- release(v0.9.1): audit and close out release by @EffortlessSteven in #764
- ops: start v0.10.0 external adoption lane by @EffortlessSteven in #765
- docs(spec): define external adoption smoke by @EffortlessSteven in #766
- xtask: add external adoption smoke by @EffortlessSteven in #767
- docs: separate installed CLI and proof paths by @EffortlessSteven in #773
- examples: add clean-project adoption examples by @EffortlessSteven in #774
- feat(cli): improve profile and bundle inspect output by @EffortlessSteven in #775
- docs: decide installed proof handoff boundary by @EffortlessSteven in #776
- xtask: wire external adoption into adoption-regression by @EffortlessSteven in #777
- docs: close out v0.10.0 external adoption buildout by @EffortlessSteven in #778
- badge: refresh public endpoints by @github-actions[bot] in #772
- Harden seed parsing edge cases by @EffortlessSteven in #779
- Preserve CRLF line endings in PEM corruptions by @EffortlessSteven in #780
- Deduplicate PKCS#8/SPKI keypair accessors via shared macro by @EffortlessSteven in #771
- Improve token shape unit coverage by @EffortlessSteven in #786
- badge: refresh public endpoints by @github-actions[bot] in #787
- test: strengthen webhook unit coverage by @EffortlessSteven in #784
- Guard factory initialization concurrency by @EffortlessSteven in #781
- Refactor token JWT helper construction by @EffortlessSteven in #769
- badge: refresh public endpoints by @github-actions[bot] in #788
- test(x509): tolerate CRLF blank-line corruption by @EffortlessSteven in #790
- feat(cli): add installed bundle audit by @EffortlessSteven in #791
- badge: refresh public endpoints by @github-actions[bot] in #792
- ops: start downstream CI polish lane by @EffortlessSteven in #793
- docs(spec): define bundle audit JSON schema by @EffortlessSteven in #794
- feat(cli): add audit-bundle CI mode by @EffortlessSteven in #795
- docs: add downstream GitHub Actions audit recipes by @EffortlessSteven in #797
- badge: refresh public endpoints by @github-actions[bot] in #796
- xtask: test downstream CI recipes by @EffortlessSteven in #798
- feat(cli): improve audit-bundle failure diagnostics by @EffortlessSteven in #799
- feat(cli): add installed user doctor by @EffortlessSteven in #801
- badge: refresh public endpoints by @github-actions[bot] in #800
- feat(cli): align bundle inspect and audit output by @EffortlessSteven in #803
- badge: refresh public endpoints by @github-actions[bot] in #802
- examples: add downstream CI bundle audit example by @EffortlessSteven in #805
- badge: refresh public endpoints by @github-actions[bot] in #804
- test(cli): add audit receipt golden coverage by @EffortlessSteven in #806
- feat(cli): add compact audit bundle summary by @EffortlessSteven in #808
- badge: refresh public endpoints by @github-actions[bot] in #807
- docs: close out downstream CI polish lane by @EffortlessSteven in #810
- badge: refresh public endpoints by @github-actions[bot] in #809
- fix(cli): return usage code for audit mode conflicts by @EffortlessSteven in #811
- ops: start real workflow closure lane by @EffortlessSteven in #828
- docs(spec): define real user workflow contract by @EffortlessSteven in #829
- docs(spec): define negative fixture taxonomy by @EffortlessSteven in #830
- feat(jwk): add taxonomy-backed negative fixtures by @EffortlessSteven in #831
- feat(token): add taxonomy-backed missing-kid negative by @EffortlessSteven in #832
- examples: add OIDC JWKS validator workflow by @EffortlessSteven in #834
- docs(spec): define bundle product surface by @EffortlessSteven in #835
- feat(cli): add bundle product receipts by @EffortlessSteven in #836
- Improve proptest distinct-label generation in ECDSA property tests by @EffortlessSteven in #815
- test(core): strengthen error unit test coverage by @EffortlessSteven in #827
- test(core): strengthen proptest coverage and reduce rejects by @EffortlessSteven in #812
- Strengthen core proptests for seed parsing and cache semantics by @EffortlessSteven in #814
- test(core): strengthen deterministic_from_str unit coverage by @EffortlessSteven in #825
- fuzz: add cross-domain order-independence target by @EffortlessSteven in #819
- badge: refresh public endpoints by @github-actions[bot] in #833
- ops: start usability polish lane by @EffortlessSteven in #837
- test(core): expand TempArtifact unit coverage by @EffortlessSteven in #824
- test(ssh): add cache-clear determinism coverage by @EffortlessSteven in #820
- test(webauthn): improve coverage for JSON payload and length-prefix boundary by @EffortlessSteven in #821
- Improve fuzz target orchestration by @EffortlessSteven in #816
- test(cli): add coverage for artifact/classifier helpers by @EffortlessSteven in #823
- badge: refresh public endpoints by @github-actions[bot] in #838
- Improve core proptest cache coverage by @EffortlessSteven in #813
- test(core): add PEM corruption edge-case coverage by @EffortlessSteven in #822
- docs: sharpen README front door by @EffortlessSteven in #839
- docs/cli: improve installed help and doctor by @EffortlessSteven in #840
- badge: refresh public endpoints by @github-actions[bot] in #841
- docs(spec): define library facade polish by @EffortlessSteven in #842
- examples: sharpen facade-first external fixtures by @EffortlessSteven in #843
- xtask: add external library smoke mode by @EffortlessSteven in #844
- docs(spec): define downstream policy pack by @EffortlessSteven in #845
- feat(cli): add audit bundle policy controls by @EffortlessSteven in #846
- docs: add downstream policy checklist by @EffortlessSteven in #848
- badge: refresh public endpoints by @github-actions[bot] in #847
- docs: close out usability polish lane by @EffortlessSteven in #850
- release: import v0.10 adoption handoff by @EffortlessSteven in #862
- release:...
v0.9.1
What's Changed
🛠️ Maintenance
- chore(deps): bump peter-evans/create-pull-request from 7 to 8 by @dependabot[bot] in #676
- chore(deps): bump assert_cmd from 2.2.0 to 2.2.2 by @dependabot[bot] in #681
- chore(deps): bump spin from 0.10.0 to 0.11.0 by @dependabot[bot] in #680
- chore(deps): bump rcgen from 0.14.7 to 0.14.8 by @dependabot[bot] in #679
- chore(deps): bump jsonwebtoken from 10.3.0 to 10.4.0 by @dependabot[bot] in #678
- chore(deps): bump aws-lc-rs from 1.16.3 to 1.17.0 by @dependabot[bot] in #677
Other Changes
- release(v0.9.0): post-release audit record by @EffortlessSteven in #674
- feat: generate stable RIPR PR summaries by @EffortlessSteven in #675
- ops: start first-run UX lane by @EffortlessSteven in #682
- docs: add start-here task router by @EffortlessSteven in #683
- docs: make contract packs visible by @EffortlessSteven in #684
- feat(cli): add profile discovery commands by @EffortlessSteven in #685
- docs(spec): define CLI proof handoff boundary by @EffortlessSteven in #687
- xtask: add local proof doctor by @EffortlessSteven in #688
- docs: compress README first-run path by @EffortlessSteven in #689
- xtask: add user-path smoke checks by @EffortlessSteven in #690
- docs: close out first-run UX lane by @EffortlessSteven in #692
- feat(cli): explain bundle profiles in place by @EffortlessSteven in #693
- test(ssh): cover host certs, accessors, debug redaction, and stable_bytes deltas by @EffortlessSteven in #695
- test(webhook): cover all profiles for near-miss, raw payloads, hmac key boundaries by @EffortlessSteven in #696
- test(webauthn): cover assertion fields, self-attestation, label/challenge uniqueness by @EffortlessSteven in #697
- test(entropy): cover variant constructor, zero-len, length-distinct caches, clone by @EffortlessSteven in #699
- test(hmac): cover label/spec/kid accessors and jwk use field across all specs by @EffortlessSteven in #700
- fix(cli): mark public asymmetric JWKs scanner-safe in runtime bundles by @EffortlessSteven in #691
- badge: refresh public endpoints by @github-actions[bot] in #704
- test(cli): cover runtime JWKS scanner-safe metadata by @EffortlessSteven in #706
- refactor(x509): split self-signed cert builder into SRP submodules by @EffortlessSteven in #694
- xtask: add adoption-regression receipt by @EffortlessSteven in #713
- test(jwk): cover builder and negative fixture branches by @EffortlessSteven in #714
- test(entropy,hmac,ed25519): cover fixture invariants by @EffortlessSteven in #727
- test(pkcs11-mock): cover invalid-handle paths, domain constant, and copy/clone semantics by @EffortlessSteven in #707
- test(test-server): cover spec builders, phase accessors, and error variants by @EffortlessSteven in #710
- test(axum): cover builder methods, rotation phases, and middleware reject paths by @EffortlessSteven in #709
- test(rustls): cover default-provider mTLS config builders by @EffortlessSteven in #712
- badge: refresh public endpoints by @github-actions[bot] in #705
- fix(x509): remove self-signed generation panic debt by @EffortlessSteven in #732
- test(token): add mutant_killers and extra_coverage for derivation pins by @EffortlessSteven in #733
- test(pgp): pin DOMAIN constant, file-write paths, and PgpSpec derives by @EffortlessSteven in #736
- test(token): cover negative_value JWT variants and isolation invariants by @EffortlessSteven in #737
- test(rsa): cover mismatch variant identity and JWKS embed by @EffortlessSteven in #734
- test(rsa): cover JWK output and kid across all RSA spec sizes by @EffortlessSteven in #740
- test(ecdsa): cover mismatch variant identity and JWKS embed by @EffortlessSteven in #738
- test(pgp): cover tempfile writers, untested CorruptPem arms, and clone identity by @EffortlessSteven in #739
- test(jsonwebtoken): cover header kid/alg/typ round-trips and Validation knobs by @EffortlessSteven in #741
- test(x509): cover params helpers and clone-share invariants by @EffortlessSteven in #742
- docs: close out adoption-confidence lane by @EffortlessSteven in #744
- docs: refresh adoption how-to version snippets by @EffortlessSteven in #745
- badge: refresh public endpoints by @github-actions[bot] in #743
- test(test-server): cover serve flags, cache policies, and discovery etag by @EffortlessSteven in #746
- test(cli): cover materialize kinds and label-normalization edges by @EffortlessSteven in #747
- test(axum): cover JWT claim fallbacks and missing-context rejection by @EffortlessSteven in #753
- release: prepare v0.9.1 by @EffortlessSteven in #761
- badge: refresh public endpoints by @github-actions[bot] in #749
- release: prove v0.9.1 candidate by @EffortlessSteven in #762
- release: cut v0.9.1 by @EffortlessSteven in #763
Full Changelog: v0.9.0...v0.9.1
v0.9.0
[0.9.0] - 2026-05-14
v0.9.0 is the command-backed fixture-platform release. It turns public
claims into runnable receipts, adds local PR evidence receipts, finishes the
no-panic new-debt cleanup, and ships the first post-TLS contract pack:
deterministic webhook verifier fixtures.
The public promise is still deliberately narrow: uselesskey provides
scanner-safe fixture material and proof receipts for tests. It does not claim
production secret management, production PKI, provider compatibility matrices,
or broad security assurance.
Added
- Added the source-of-truth operating model: proposal/spec/ADR/plan indexes,
active goal manifests, policy ledgers, closeout records, and standalone
cargo xtask spec-checkwith strict and JSON output modes. - Added claim-backed verification surfaces:
cargo xtask claim-report,
claim-report --check-public-claims,contract-packs --check,
claim-proof, metadata-only verification packs, and release-evidence claim
receipts. - Added PR-lite evidence ergonomics through
cargo xtask pr-litereceipts,
heavy-evidence routing receipts, local validation guidance, and safe
diff-scoped mutation fallback behavior. - Added the webhook contract pack:
uselesskey bundle --profile webhook,
deterministic HMAC verifier fixtures, webhook bundle proof, claim-proof
coverage, verification-pack integration, and task-first webhook docs. - Added a v0.9.0 release evidence matrix for the command-backed claims,
verification-pack receipts, PR-lite evidence, no-panic posture, and webhook
contract-pack proof.
Changed
- Minor release evidence now carries source-of-truth proof, claim reports,
contract-pack registry receipts, claim-proof receipts, verification-pack
summaries, and webhook bundle proof. - README, verification, and public-claim docs now route badge readers into
command-backed reports and explicit claim boundaries instead of treating
badges as a dashboard. - Contract packs are now registered product surfaces with specs, claims,
proof commands, how-to docs, and release-evidence lanes.
Fixed
- Cleaned up the no-panic-family new-debt surface and recorded the Stage A.5
policy posture without resetting historical baseline debt. - Refreshed generated public badge endpoints through the existing
command-backed badge path.
v0.8.0
uselesskey v0.8.0
TLS contract-pack and public crate-surface cleanup release.
What's new
TLS contract pack
uselesskey bundle --profile tlsgenerates a deterministic chain
fixture set with a valid intermediate-signed leaf plus four
negative classes (expired leaf, not-yet-valid leaf, hostname
mismatch, untrusted root). Per-fixture rejection expectations are
documented indocs/release/v0.8.0-tls-profile-design.md.cargo xtask bundle-proof --profile tlsproduces the release-
evidence proof artifact for the TLS pack, mirroring the OIDC
pattern.- Task-first how-to:
docs/how-to/test-tls-chain-validation.md.
Task-first user docs sweep
- Five new how-to pages covering common downstream test workflows:
Vault KV export,build.rsmaterialize, WebAuthn ceremony
validation, PKCS#11 mock fixtures, and webhook signature
validation. (#590-#594)
Public crate-surface cleanup
- 29 published-internal shim crates removed. v0.7.0 folded their
content into owner-cratesrp::*modules; v0.7.x kept the shims
as compatibility re-exports; v0.8.0 removes them entirely. The
v0.7.x crate versions remain on crates.io as historical records. - Migration guide:
docs/how-to/migrate-to-v0.8.md. Most users do
not need to migrate.
Publish-system hardening
- HMAC, rustls PKI, and PGP-native content moved from former compat
crates into ownersrp::*modules. (#595, #598, #599) - Rust 1.94/1.95 Clippy ratchets activated workspace-wide. (#505)
Toolchain
No MSRV change. v0.8.0 stays on Rust 1.95.
Claim boundary
uselesskey is a test-fixture layer. It is not production key
management, scanner evasion, or cryptographic assurance.
Evidence
target/release-evidence/summary.mdtarget/release-evidence/release-evidence.mdtarget/release-evidence/scanner-safe/scanner-safe-bundle-proof.mdtarget/release-evidence/oidc/oidc-contract-pack-proof.mdtarget/release-evidence/tls/tls-contract-pack-proof.md(new)target/mutation/nightly-receipt.mdtarget/xtask/perf/latest.md
See CHANGELOG.md for the full v0.8.0 list.
v0.7.1
uselesskey v0.7.1
Release-hardening patch for the Rust 1.95 scanner-safe fixture platform.
What's new
Publish-system guardrails
cargo xtask publish-checknow verifiesPUBLISH_CRATESis in
dependency-topological order at PR time (#572). Closes the
PUBLISH_CRATES-drift bug class fixed inline during v0.7.0.cargo xtask publish-preflightandpublish-checkreject
workspace.dependenciesentries withversion = "..."pointing at
publish = falsecrates (#578). Closes the test-helper dependency-leak
class fixed inline during v0.7.0.
Scanner-safe reference verification
cargo xtask scanner-safe-reference --check(#577) byte-compares the
regenerated scanner-safe bundle outputs against the committed
examples/scanner-safe-bundle/expected/*files and asserts the encoded
Kubernetes/Vault payloads are not committed.
External install smoke
cargo xtask cratesio-smoke --path .(pre-publish) and
cargo xtask cratesio-smoke --version 0.7.1(post-publish) (#580)
prove the outside-user view: fresh project,cargo add,cargo check,
CLI install, scanner-safe bundle workflow.
Patch release evidence
cargo xtask release-evidence --patch(#581) runs a focused gate set
for patch releases without the full minor-release mutation/perf load.
Documentation
docs/release/v0.7.0-lessons-learned.md(#571) — the v0.7.0
publish-lane retrospective.docs/how-to/recover-partial-publish.mdand
docs/release/publish-recovery.md(#579) — partial-publish recovery
procedure and registry-truth rules.docs/how-to/migration.mdinstall snippets bumped to 0.7.0 (#582).
Toolchain
No MSRV change. v0.7.1 stays on Rust 1.95.
Claim boundary
uselesskey is a test-fixture layer. It is not production key
management, scanner evasion, or cryptographic assurance.
Evidence
- Release-evidence patch lane:
target/release-evidence/release-evidence.md - Scanner-safe bundle proof:
target/release-evidence/scanner-safe/scanner-safe-bundle-proof.md
See CHANGELOG.md for the full v0.7.1 list.
v0.7.0
uselesskey v0.7.0
The Rust 1.95 scanner-safe fixture platform release.
What's new
Scanner-safe bundles, verification, inspection, and handoff
uselesskey bundle --profile scanner-safeproduces a deterministic
fixture directory with a manifest and per-artifact receipts.uselesskey verify-bundlechecks bundle outputs against the recorded
manifest.jsonand receipts.uselesskey inspect-bundleprints a human-readable summary without
exposing fixture payloads.uselesskey export k8sanduselesskey export vault-kv-jsonrender
Kubernetes and Vault payloads from a verified bundle.
OIDC/JWKS contract pack
uselesskey bundle --profile oidcemits valid JWKS and JWT-shape
fixtures plus duplicate-kid, missing-kid,alg: none, and
bad-audience negatives for downstream validator tests.
Negative payload shapes
- Scanner-safe negative JWK/JWKS and token-shape helpers in
uselesskey-jwkanduselesskey-token. - A new facade example,
negative_payload_shapes, demonstrates the
failure-path workflow end-to-end.
Public surface and compatibility
- A public-surface promise map separates supported public crates from
published-internal implementation shards. cargo xtask public-surfaceenforces the map.- Internal JWK, token, core, and X.509 shards have been folded into their
owner crates; the formeruselesskey-core-*,uselesskey-token-spec,
anduselesskey-core-x509*crates remain published as compatibility
shims for this release.
Evidence lanes
- RIPR PR exposure, targeted PR mutation, nightly public-scope mutation,
scheduled performance evidence, and a release-evidence runner with
scanner-safe and OIDC bundle proofs. - Mutation survivor ledger and per-run receipts.
Documentation
- Failure atlas covering protocol-shaped negative fixtures.
- Scanner-safe bundle reference and OIDC/JWT validator how-tos.
- Release category notes, evidence matrix, checklist issue map, and
post-release audit checklist.
Toolchain change
This release raises MSRV from Rust 1.92 to Rust 1.95 and enables the
Rust 1.95 compiler/Clippy lint floor. Downstreams pinned to 1.92 should
remain on v0.6.x or upgrade their toolchain.
Claim boundary
uselesskey is a test-fixture layer. It is not production key
management, scanner evasion, or cryptographic assurance.
Evidence
target/release-evidence/summary.mdtarget/release-evidence/release-evidence.mdtarget/release-evidence/scanner-safe/scanner-safe-bundle-proof.mdtarget/release-evidence/oidc/oidc-contract-pack-proof.mdtarget/mutation/nightly-receipt.mdtarget/xtask/perf/latest.md
See CHANGELOG.md for the full v0.7.0 list.
v0.6.0
Highlights
- Added the cheap
entropylane. - Published
uselesskey-cliwithmaterializeandverifyworkflows. - Split build-time materialization into
materialize-shapeandmaterialize-rsalanes. - Added
cargo xtask economicsandcargo xtask audit-surfacereceipts. - Updated docs to lead with lane choice and downstream fixture policy.
Lane economics
| lane | deps | status |
|---|---|---|
entropy |
58 | common-lane-clean |
token |
87 | common-lane-clean |
materialize-shape |
81 | common-lane-clean |
materialize-rsa |
120 | specialized-lane |
Notes
- This release ships the work merged in PR #405.
- Publish order for the new surface was
uselesskey-entropy, thenuselesskey-cli, thenuselesskey.
v0.5.1
What's Changed
🛠️ Maintenance
- chore(deps): bump toml from 1.0.7+spec-1.1.0 to 1.1.0+spec-1.1.0 by @dependabot[bot] in #310
- chore(deps): bump insta from 1.46.3 to 1.47.0 by @dependabot[bot] in #313
- chore(deps): bump sha2 from 0.11.0-rc.5 to 0.11.0 by @dependabot[bot] in #312
Other Changes
- ci: run cargo deny advisories on PRs by @EffortlessSteven in #309
- fixture: add x.509 trust/time/path negatives by @EffortlessSteven in #314
- fix: preserve X.509 chain determinism after #279 by @EffortlessSteven in #315
- fix(ci): align fuzz hmac dependency with rustcrypto adapter by @EffortlessSteven in #316
- chore: prep 0.5.1 release by @EffortlessSteven in #317
- fix(ci): clean target test scratch dirs before cache save by @EffortlessSteven in #319
Full Changelog: v0.5.0...v0.5.1
v0.5.0
What's Changed
🛠️ Maintenance
- chore(deps): bump aws-lc-rs from 1.16.1 to 1.16.2 by @dependabot[bot] in #286
Other Changes
- docs(roadmap): reset planning for v0.5.x by @EffortlessSteven in #289
- docs(adr): define adapter and public surface criteria by @EffortlessSteven in #288
- feat(xtask): add docs-sync and examples smoke by @EffortlessSteven in #290
- ci: enforce docs-sync and examples-smoke in PR checks by @EffortlessSteven in #293
- docs: refresh hand-maintained README prose and add feature-choice how-to by @EffortlessSteven in #297
- xtask: keep docs-sync generated blocks untouched by @EffortlessSteven in #298
- docs: tighten hand-maintained README prose by @EffortlessSteven in #294
- chore: scaffold adapter A (JOSE/OpenID) by @EffortlessSteven in #300
- chore: scaffold adapter B (PGP-native) by @EffortlessSteven in #301
- chore: add reusable adapter template by @EffortlessSteven in #299
- release: prepare v0.5.0 cleanup artifacts by @EffortlessSteven in #302
- chore(deps): bump proptest to 1.11.0 by @EffortlessSteven in #303
- fix(rsa): preserve V1 deterministic RSA fixtures while adopting rsa 0.10 types by @EffortlessSteven in #304
- chore(release): prepare v0.5.0 by @EffortlessSteven in #307
- release: add release note categories by @EffortlessSteven in #306
- fix(ci): resolve cargo-deny advisory on main by @EffortlessSteven in #308
Full Changelog: v0.4.1...v0.5.0
v0.4.1
What's Changed
- docs: add ADR index and v0.4 requirements reference by @EffortlessSteven in #246
- chore(deps): bump actions/upload-artifact from 4 to 7 by @dependabot[bot] in #248
- chore(deps): bump clap from 4.5.60 to 4.6.0 by @dependabot[bot] in #252
- chore(deps): bump tempfile from 3.26.0 to 3.27.0 by @dependabot[bot] in #254
- chore(deps): bump toml from 1.0.3+spec-1.1.0 to 1.0.6+spec-1.1.0 by @dependabot[bot] in #249
- chore(deps): ignore rng major bumps pending convergence decision by @EffortlessSteven in #258
- test(rng): pin crypto-edge deterministic fingerprints by @EffortlessSteven in #259
- refactor(rng): localize legacy rng line to blocked crates by @EffortlessSteven in #260
- refactor(rng): converge ecdsa off legacy rand line by @EffortlessSteven in #262
- chore(rng): post-convergence housekeeping by @EffortlessSteven in #263
- fix(fmt): align rustfmt.toml edition with workspace edition 2024 by @EffortlessSteven in #264
- fix(interop-tests): add missing forbid(unsafe_code) attribute by @EffortlessSteven in #265
- feat(api): add missing spec() and label() accessors by @EffortlessSteven in #266
- chore(release): prepare v0.4.1 by @EffortlessSteven in #267
- chore(release): security/dependency cleanup for v0.4.1 by @EffortlessSteven in #268
- docs: align examples commands and cache wording by @EffortlessSteven in #269
Full Changelog: v0.4.0...v0.4.1