github DirektorBani/DataSafeS3 v1.0.3

5 hours ago

[1.0.3] - 2026-06-30

Trust-and-quality release: optional metadata field encryption (CE), Vault env-injection ops pattern, CI/Postgres regression hardening, security console panel, and STORAGE_OUTBOUND_HTTP_ALLOW sunset timeline.

Added

  • Field encryption (metadata at rest) — opt-in X25519 envelope for access keys, gateway credentials, and system-config secrets (enc:v1:). Community Edition, no license gate. Ops guide (EN, RU), spec field-encryption-1.0.3-tz.md, Postgres migration 012_field_encryption, scripts/crypto/. Vault Transit / HSM for KEK — Enterprise phase 2+.
  • HashiCorp Vault (env injection) — optional Agent / Injector pattern; maps KV v2 to existing STORAGE_* env (no in-app Vault SDK). Guide (EN, RU), Compose overlays (docker-compose.vault.yml, docker-compose.vault-product.yml), deploy/vault/, Helm values-vault-agent.yaml.
  • Console — Admin → Settings → Security posture panel (GET /api/v1/settings/security-status, including field_encryption block); gateway health shows public_read_rules count.

Changed

  • CI — e2e-smoke mirrors feature-audit compose (--profile postgres, health wait); gates e2e/smoke.spec.ts only.
  • CI — Postgres 16 service for go test with TEST_POSTGRES_DSN; nullable team_id FK integration test.
  • SSRF — regression matrix for STORAGE_OUTBOUND_HTTP_ALLOW in prod vs dev.
  • Release workflow — GitHub Release body from CHANGELOG [version] section (body_path).

Deprecated

  • STORAGE_OUTBOUND_HTTP_ALLOW — scheduled removal in v1.1.0; migration timeline in upgrade guide.

Container images (on tag): ghcr.io/direktorbani/datasafe-storage-server:v1.0.3, ghcr.io/direktorbani/datasafe-console:v1.0.3.


Container images

  • ghcr.io/direktorbani/datasafe-storage-server:v1.0.3
  • ghcr.io/direktorbani/datasafe-console:v1.0.3

CycloneDX SBOM files and cosign signatures are attached. See SECURITY.md for cosign verify instructions.
