Changelog

0.1.4 (2026-04-15)

Features

  • Add release workflow, cargo-deny, and coverage reporting (#5) (097d5e6)
  • add SCITT verification for offline-capable trust verification (#29) (f03f977)

Bug Fixes

  • add version to workspace deps and configure release-please to update them (#12) (410fd1f)
  • let release-please always run, simplify publish conditionals (#11) (7ffcdc7)
  • release: Update release-please-config with changelog sections (#21) (0e411d1)
  • remove crate Cargo.toml from release-please extra-files (#6) (44e45b2)
  • remove publish dry-run step from release workflow (#13) (8ed8a35)
  • simplify release-please config for independent crate versioning (#14) (a69d1f1)
  • update ans crate versions to 0.1.3 and enhance release configuration (#43) (076812a)
  • use explicit crate versions for release-please compatibility (#7) (e32aa42)
  • use releases_created (plural) for per-crate release-please output (#10) (4789795)

Miscellaneous

Build System

  • deps: Bump actions/upload-artifact from 4.6.2 to 7.0.0 (#16) (125bf71)
  • deps: Bump quinn-proto from 0.11.13 to 0.11.14 (#19) (baa6a57)
  • deps: Bump taiki-e/install-action from 2.68.16 to 2.68.25 (#17) (c61f01f)
  • deps: Bump the rust-dependencies group across 1 directory with 13 updates (#9) (012449a)
  • deps: Bump the rust-dependencies group with 3 updates (#18) (2517be2)

0.1.0 (Unreleased)

Added

  • ans-types: Shared domain types — Fqdn, AnsName, Version, Badge, CertFingerprint
  • ans-verify: Trust verification with DNS and transparency log integration
    • ServerVerifier for client-side TLS verification
    • ClientVerifier for server-side mTLS verification
    • AnsVerifier high-level facade combining both
    • HickoryDnsResolver for _ans-badge / _ra-badge TXT record lookup
    • HttpTransparencyLogClient for badge API access
    • BadgeCache with TTL-based caching via moka
    • DANE/TLSA verification support
    • rustls integration (AnsServerCertVerifier, AnsClientCertVerifier) behind rustls feature flag
    • Mock implementations behind test-support feature flag
  • ans-client: ANS Registry API client
    • Agent registration, discovery, and resolution
    • Certificate management (server and identity CSRs)
    • Agent revocation with RFC 5280 reason codes
    • Event pagination for Agent Host Providers
    • JWT and API key authentication with secrecy::SecretString
    • HTTPS-only enforcement by default (.allow_insecure() opt-out)

Security

  • All public types annotated with #[non_exhaustive] for semver-safe evolution
  • Authentication secrets wrapped in secrecy::SecretString (zeroized on drop)
  • reqwest types hidden behind SDK-owned wrappers to decouple semver
  • unsafe_code forbidden at workspace level
  • Panic-prevention lints (unwrap_used, expect_used, panic) denied in production code
  • Constant-time certificate fingerprint comparison via subtle::ConstantTimeEq
  • HTTPS enforced on AnsClientBuilder base URL by default