[1.0.3] - 2026-06-30
Trust-and-quality release: optional metadata field encryption (CE), Vault env-injection ops pattern, CI/Postgres regression hardening, security console panel, and STORAGE_OUTBOUND_HTTP_ALLOW sunset timeline.
Added
- Field encryption (metadata at rest) — opt-in X25519 envelope for access keys, gateway credentials, and system-config secrets (`enc:v1:`). Community Edition, no license gate. Ops guide (EN, RU), spec field-encryption-1.0.3-tz.md, Postgres migration `012_field_encryption`, scripts/crypto/. Vault Transit / HSM for KEK — Enterprise phase 2+.
- HashiCorp Vault (env injection) — optional Agent / Injector pattern; maps KV v2 to existing `STORAGE_*` env (no in-app Vault SDK). Guide (EN, RU), Compose overlays (`docker-compose.vault.yml`, `docker-compose.vault-product.yml`), deploy/vault/, Helm values-vault-agent.yaml.
- Console — Admin → Settings → Security posture panel (`GET /api/v1/settings/security-status`, including `field_encryption` block); gateway health shows `public_read_rules` count.
Changed
- CI — `e2e-smoke` mirrors feature-audit compose (--profile postgres, health wait); gates `e2e/smoke.spec.ts` only.
- CI — Postgres 16 service for `go test` with `TEST_POSTGRES_DSN`; nullable `team_id` FK integration test.
- SSRF — regression matrix for `STORAGE_OUTBOUND_HTTP_ALLOW` in prod vs dev.
- Release workflow — GitHub Release body from CHANGELOG `[version]` section (body_path).
Deprecated
- `STORAGE_OUTBOUND_HTTP_ALLOW` — scheduled removal in v1.1.0; migration timeline in upgrade guide.
Container images (on tag): ghcr.io/direktorbani/datasafe-storage-server:v1.0.3, ghcr.io/direktorbani/datasafe-console:v1.0.3.
Container images
- ghcr.io/direktorbani/datasafe-storage-server:v1.0.3
- ghcr.io/direktorbani/datasafe-console:v1.0.3
CycloneDX SBOM files and cosign signatures are attached. See SECURITY.md for cosign verify instructions.