Releases: agucova/tacet

v0.4.2

04 Feb 00:19

Fixes

  • Fix npm publish failure: Updated repository URLs from anonymous review (anonymous.4open.science) to github.com/agucova/tacet to fix npm provenance verification
  • Fix internal dependency versions: Updated tacet-core and tacet-macros dependency versions to match release

What's Changed

This is a minor patch release that fixes npm package publishing, which failed in v0.4.1 because the repository URL did not match GitHub provenance verification.

Full Changelog: v0.4.1...v0.4.2

v0.4.1

04 Feb 00:11

Bug Fixes

  • CI Stability: Fixed flaky tests in virtualized CI environments

    • Increased synthetic timing differences in C++/Go tests for reliable leak detection
    • Skip timing-sensitive tests that produce false positives in noisy environments
    • Ignore frequency validation and async timing tests on macOS runners
  • C/C++ Bindings: Updated for v6.0 API compatibility

    • Fixed library name references (tacet_c instead of timing_oracle_c)
    • Corrected DudeCT test patterns (all-zeros secret for proper timing difference)
    • Updated C++ header and tests for v6.0 effect model (maxEffectNs)
  • Go Bindings: Fixed test reliability

    • Corrected DudeCT pattern in TestKnownLeakyEarlyExitComparison
    • Increased timing differences in synthetic tests
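
Why the all-zeros secret matters for the early-exit comparison tests listed above, as an added example (not code from the tacet repository). It assumes the DudeCT pattern means a fixed all-zeros input class against a random input class; all function names are hypothetical, and cost is modeled as bytes examined instead of measured time.

```rust
// Added illustration, not tacet's test code. Cost is counted in bytes examined
// so results are deterministic; a real harness measures elapsed time instead.
type Cmp = fn(&[u8; 32], &[u8; 32]) -> (bool, usize);

/// Leaky: returns at the first mismatching byte. Second value = bytes examined.
fn early_exit_eq(a: &[u8; 32], b: &[u8; 32]) -> (bool, usize) {
    for i in 0..32 {
        if a[i] != b[i] {
            return (false, i + 1);
        }
    }
    (true, 32)
}

/// Hardened shape: folds every byte into an accumulator, no data-dependent exit.
fn constant_time_eq(a: &[u8; 32], b: &[u8; 32]) -> (bool, usize) {
    let mut acc = 0u8;
    for i in 0..32 {
        acc |= a[i] ^ b[i];
    }
    (acc == 0, 32)
}

/// Constructed "random class" inputs from a small LCG (not cryptographic).
fn random_inputs(n: usize) -> Vec<[u8; 32]> {
    let mut state: u32 = 0x1234_5678;
    let mut next = move || {
        state = state.wrapping_mul(1_664_525).wrapping_add(1_013_904_223);
        (state >> 24) as u8
    };
    (0..n).map(|_| std::array::from_fn(|_| next())).collect()
}

/// Mean bytes examined: (fixed all-zeros class, random class) against `secret`.
fn class_means(cmp: Cmp, secret: &[u8; 32]) -> (f64, f64) {
    let fixed = cmp(&[0u8; 32], secret).1 as f64;
    let inputs = random_inputs(1000);
    let total: usize = inputs.iter().map(|x| cmp(x, secret).1).sum();
    (fixed, total as f64 / inputs.len() as f64)
}

fn main() {
    let mut nonzero = [0u8; 32];
    nonzero[0] = 0xA5; // constructed secret that differs from the fixed class at byte 0
    println!("leaky, zero secret:    {:?}", class_means(early_exit_eq, &[0u8; 32]));
    println!("leaky, nonzero secret: {:?}", class_means(early_exit_eq, &nonzero));
    println!("constant-time:         {:?}", class_means(constant_time_eq, &[0u8; 32]));
}
```

With a secret that differs from the fixed class in its first byte, both classes exit after one byte and the leaky comparison looks clean, so a known-leaky test built that way can fail to detect anything.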

Notes

This is a patch release to fix CI issues discovered after v0.4.0. No API changes.

v0.4.0

03 Feb 22:10

Breaking Changes

Specification v6.0

This release implements specification v6.0, which simplifies the effect reporting model:

EffectEstimate API:

  • Removed: shift_ns, tail_ns, pattern (the 2D projection decomposition)
  • New: max_effect_ns — maximum absolute timing difference across all 9 deciles
  • New: top_quantiles — the 2-3 quantiles contributing most to leak detection, with per-quantile exceedance probabilities

```rust
// Before (v0.3.x)
println!("Effect: shift={:.1}ns, tail={:.1}ns", effect.shift_ns, effect.tail_ns);

// After (v0.4.0)
println!("Effect: max={:.1}ns", effect.max_effect_ns);
for q in &effect.top_quantiles {
    println!("  Q{:.0}: {:.1}ns (P(exceed)={:.1}%)",
        q.quantile * 100.0, q.mean_ns, q.exceedance_prob * 100.0);
}
```

IssueCode consolidated: Reduced from 12+ diagnostic categories to 8 clear categories: DependenceHigh, PrecisionLow, DiscreteMode, ThresholdIssue, FilteringApplied, StationarityIssue, NumericalIssue, LikelihoodInflated.

Stricter Attacker Model Thresholds

Cycle-based thresholds now use a 5 GHz reference frequency (was 3 GHz), making detection more conservative:

| Preset | v0.3.x | v0.4.0 |
|---|---|---|
| SharedHardware | 0.6 ns | 0.4 ns |
| PostQuantumSentinel | 3.3 ns | 2.0 ns |

Rationale: Vulnerabilities exist in the code, not the attacker's hardware. A faster reference frequency means smaller thresholds, which is safer.
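
How a decile-based maximum effect behaves when only the tail of the distribution moves, checked against the v0.4.0 thresholds in the table above. This is an added example, not tacet's estimator: it uses plain nearest-rank empirical deciles (an assumption), hypothetical function names, and constructed sample data.

```rust
// Added illustration, not tacet's estimator: plain empirical decile differences.
// Thresholds are the v0.4.0 values from the table above; sample data is constructed.
const SHARED_HARDWARE_NS: f64 = 0.4;
const POST_QUANTUM_SENTINEL_NS: f64 = 2.0;

/// Nine deciles (10%..90%) by nearest rank on the sorted samples.
fn deciles(samples: &[f64]) -> [f64; 9] {
    assert!(!samples.is_empty(), "need at least one sample");
    let mut s = samples.to_vec();
    s.sort_by(|a, b| a.total_cmp(b));
    let n = s.len();
    std::array::from_fn(|i| s[((i + 1) * n + 9) / 10 - 1])
}

/// Signed per-decile difference (sample class minus baseline class), in ns.
fn decile_diffs(baseline: &[f64], sample: &[f64]) -> [f64; 9] {
    let (b, s) = (deciles(baseline), deciles(sample));
    std::array::from_fn(|i| s[i] - b[i])
}

/// Largest absolute difference and the decile (1..=9) where it occurs.
fn max_effect(diffs: &[f64; 9]) -> (usize, f64) {
    let mut best = (1, diffs[0].abs());
    for (i, d) in diffs.iter().enumerate() {
        if d.abs() > best.1 {
            best = (i + 1, d.abs());
        }
    }
    best
}

/// Constructed classes: identical except the slowest 20% of `sample` is 5 ns slower.
fn constructed_classes() -> (Vec<f64>, Vec<f64>) {
    let baseline: Vec<f64> = (0..100).map(|i| 100.0 + i as f64).collect();
    let sample: Vec<f64> = baseline.iter().enumerate()
        .map(|(i, t)| if i >= 80 { t + 5.0 } else { *t })
        .collect();
    (baseline, sample)
}

fn main() {
    let (baseline, sample) = constructed_classes();
    let diffs = decile_diffs(&baseline, &sample);
    let (decile, effect) = max_effect(&diffs);
    println!("median diff = {:.1} ns, max effect = {:.1} ns at decile {}", diffs[4], effect, decile);
    println!("exceeds SharedHardware: {}", effect > SHARED_HARDWARE_NS);
    println!("exceeds PostQuantumSentinel: {}", effect > POST_QUANTUM_SENTINEL_NS);
}
```

The median difference is zero for this data, yet the maximum over deciles reports the 5 ns tail difference at the ninth decile, above both thresholds.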

New Features

  • Benchmark infrastructure: Added synthetic_sigma_ns parameter for configurable noise levels in sweep benchmarks
  • AWS validation: Added scripts for running large-scale validation on AWS

Documentation

The specification has been restructured into three focused documents:

  • specification.md — Core statistical methodology and normative requirements
  • implementation-guide.md — Algorithms and numerical procedures (IACT, block bootstrap, Gibbs sampler)
  • specification-power.md — Power/EM side-channel analysis module

Deprecations

  • tacet-napi is now deprecated. Use tacet-wasm instead for Node.js/browser support.

Bug Fixes

  • Fixed documentation warnings and broken links
  • Fixed sidebar order conflicts in website reference docs
  • Fixed tlsfuzzer hash for upstream changes
  • Accept perf_event timer backend on Linux ARM64

v0.3.4

28 Jan 20:44
398ea56

What's Changed

Bug Fixes

  • effect: Add warmup to fix thread-local init overhead
  • timer: Add runtime validation for ARM64 CNTFRQ_EL0 frequency
  • effect: Remove duplicate timer frequency detection code
  • calibration: Add init_effect_injection() calls to all calibration tests
  • website: Prevent auto-scroll on tab auto-selection

Documentation

  • Improve homepage installation instructions

Maintenance

  • Clean up repository for USENIX Security submission
  • Anonymize package URLs for double-blind review

Full Changelog: v0.3.3...v0.3.4

v0.3.2

26 Jan 07:41
v0.3.2

Release v0.3.2 with pkg-config fix for Go bindings

v0.3.1

26 Jan 03:57
a06ab10

Changes

Fixes

  • Fixed clippy warnings across the codebase
  • Fixed clippy::missing_const_for_thread_local in effect.rs
  • Fixed clippy::redundant_closure warnings in test files
  • Fixed clippy::let_and_return in analyze_silent_interleaved.rs
  • Fixed clippy::manual_repeat_n in discrete_mode test
  • Fixed clippy::needless_update in realistic.rs benchmark

Chore

  • Bumped all crate versions from 0.3.0 to 0.3.1

v0.2.3

25 Jan 10:55
36208ac

@tacet/js

  • Auto-initialize WASM: No more await initializeWasm() needed - just import and use
  • Add logo: README now includes the tacet logo with badges
  • Clarify supported runtimes: Node.js, Bun, Deno (not browsers due to Spectre timer mitigations)

```javascript
import { TimingOracle, AttackerModelValues } from '@tacet/js';

const result = TimingOracle
  .forAttacker(AttackerModelValues.AdjacentNetwork)
  .timeBudget(30_000)
  .test(inputs, operation);
```

v0.2.0

25 Jan 08:03
5999341

What's New

Core Changes

  • Moved calibration and preflight functionality to tacet-core for WASM support
  • Improved TSC frequency detection on Linux (CPUID-based fallback)
  • Fixed CI reliability for timing-sensitive tests

Bug Fixes

  • Fixed assert_leak_detected! macro to accept high-probability Inconclusive outcomes
  • Fixed cross-platform timer support in examples

Infrastructure

  • Added crates.io publish workflow
  • Added JSR publish workflow for TypeScript bindings