CipherVault 1.6 → 1.9.1 — 8 new subsystems in 3 days
In 72 hours the platform gained 8 new subsystems, a Go CLI and an official Terraform Provider. This is a summary of the 11 sub-releases (v1.6.0 to v1.9.1) that paved the way to the v2.0 major.
v1.6.0 — Approvals (Dual-control / Break-glass / Quorum)
Complete approval framework for destructive operations, critical configs and break-glass. Status: GA.
- `approval_requests` table with status lifecycle, expiry, JSONB payload
- `lib/approvalControl.js`: middleware factory `requireDualApproval(actionType, extractFn)`. Anti self-approval, anti cross-tenant, expiry, one-shot consumed
- `lib/approvalExecutors.js`: post-approval re-execution for 7 actions (`fortress_delete`, `vault_delete`, `mfa_disable`, `siem_change`, `rbac_change`, `fortress_view` break-glass, `export_zip` break-glass)
- Routes wired: `DELETE` fortress secret, `DELETE` vault, `POST` fortress view, `POST` export-zip
- Expiry scheduler: 30 min with leader-lock
- UI: filterable `/Approvals` page + config panel + pending-count badge
- JWT carries a `tenant_id` claim (needed for the cross-tenant guard)
Limitations: fixed 2-of-2 (no arbitrary N-of-M); `master_key_rotate` is in the enum but has no endpoint.
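The guard semantics listed above (anti self-approval, anti cross-tenant, expiry, one-shot consumption) as an added, runnable example. This is not CipherVault's `lib/approvalControl.js`; it is an in-memory model written for this post, and the `ApprovalStore` class, the `X-Approval-Id` header and parking a request with HTTP 202 are assumptions, not the product's API.

```javascript
// Added example, not CipherVault's code: an in-memory model of the dual-approval guards.
// Assumptions: ApprovalStore class, X-Approval-Id header, HTTP 202 for "parked pending approval".
const APPROVAL_TTL_MS = 30 * 60 * 1000; // matches the 30 min expiry scheduler

class ApprovalStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock so expiry can be tested
    this.requests = new Map(); // stands in for the approval_requests table
    this.nextId = 1;
  }

  // Requester parks an action; payload is what the executor will re-run later.
  request(actionType, requester, payload) {
    const id = this.nextId++;
    this.requests.set(id, {
      id, actionType, payload,
      tenantId: requester.tenantId,
      requestedBy: requester.sub,
      status: 'pending',
      expiresAt: this.now() + APPROVAL_TTL_MS,
    });
    return id;
  }

  // Second person approves. Order of checks: existence+tenant, self, state, expiry.
  approve(id, approver) {
    const req = this.requests.get(id);
    if (!req || req.tenantId !== approver.tenantId) throw new Error('not found'); // cross-tenant: do not leak existence
    if (req.requestedBy === approver.sub) throw new Error('self-approval rejected');
    if (req.status !== 'pending') throw new Error(`request is ${req.status}`);
    if (this.now() > req.expiresAt) { req.status = 'expired'; throw new Error('request expired'); }
    req.status = 'approved';
    req.approvedBy = approver.sub;
    return req;
  }

  // The route re-executes the action with the stored payload; the approval is consumed exactly once.
  consume(id, actionType, tenantId) {
    const req = this.requests.get(id);
    if (!req || req.tenantId !== tenantId) throw new Error('not found');
    if (req.actionType !== actionType) throw new Error('approval is for a different action');
    if (req.status !== 'approved') throw new Error(`request is ${req.status}`);
    if (this.now() > req.expiresAt) { req.status = 'expired'; throw new Error('request expired'); }
    req.status = 'consumed';
    return req.payload;
  }

  // What the expiry scheduler does on each tick (leader-lock omitted here).
  expireStale() {
    let n = 0;
    for (const req of this.requests.values()) {
      if ((req.status === 'pending' || req.status === 'approved') && this.now() > req.expiresAt) {
        req.status = 'expired';
        n += 1;
      }
    }
    return n;
  }
}

// Express-style middleware factory in the shape of requireDualApproval(actionType, extractFn):
// no X-Approval-Id header -> park the request (202); header present -> consume and continue.
function requireDualApproval(store, actionType, extractFn) {
  return (req, res, next) => {
    const approvalId = req.headers['x-approval-id'];
    if (!approvalId) {
      const id = store.request(actionType, req.user, extractFn(req));
      return res.status(202).json({ approval_id: id, status: 'pending' });
    }
    try {
      req.approvedPayload = store.consume(Number(approvalId), actionType, req.user.tenantId);
      return next();
    } catch (e) {
      return res.status(403).json({ error: e.message });
    }
  };
}
```

The payload the executor re-runs is the one captured when the request was parked, not whatever body arrives with the second call; that is what stops an approver from signing off on one vault and the requester deleting another. The cross-tenant check returns the same "not found" as a missing id so an approver in another tenant learns nothing.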
v1.7.0 → 1.7.2 — Dynamic Secrets
JIT credentials with TTL ≤ 24h. License gate: enterprise.
| Engine | Paradigm | Version |
|---|---|---|
| postgres | CREATE ROLE + GRANT + DROP ROLE | 1.7.0 |
| mysql | CREATE USER + GRANT + DROP USER | 1.7.1 |
| aws_sts | AssumeRole / GetFederationToken (revoke is a no-op) | 1.7.1 |
| gcp_iam | IAMCredentials.GenerateAccessToken | 1.7.2 |
| azure_sp | Graph addPassword | 1.7.2 |
| mongodb | createUser / dropUser on the admin DB | 1.7.2 |
Operational:
- absolute cap 24h
- expiry job every 60s with leader-lock
- daily reconcile for orphaned `cv_*` credentials (`dynamic_lease_orphan_in_backend`, severity critical)
- token-bucket rate limit (capacity 30, refill 0.5/s)
- Prometheus metrics (7 custom + default process; `/metrics` gated by `CV_METRICS_ENABLED=true`)
Sensor mode (Phase 4): `dynamic_secret_tasks` table + `sensorBridge.js` polling every 30s. The sensor reuses the backend engines via relative `require`.
v1.7.3 — SSH Certificate Authority
Ed25519 CA, lazy-bootstrapped per tenant.
- Roles: `default_principals`, `allowed_principals`, `default_ttl_sec`, `max_ttl_sec` (cap 24h), `cert_options`, `cert_extensions`
- Endpoints: `GET /ssh/ca` (public), `POST /ssh/roles/:id/sign` (reason min. 5 chars)
- Implemented via an `ssh-keygen` subprocess (sshpk does not support principals/extensions on OpenSSH certificates)
- KRL endpoint: `GET /ssh/krl`
v1.7.4 — Encryption-as-a-Service
REST API `/eaas/keys/:name/encrypt|decrypt` so apps can encrypt payloads without holding a key locally.
- AES-256-GCM, key versioning, optional AAD
- Wire format: `eaas:v1:{name}:{version}:{iv}:{ct}:{tag}`
- Plaintext DEK cached for 60s; the KEK encrypts the DEK at rest in the DB (envelope encryption)
- Flexible auth (JWT or X-Client-Id/Secret)
- Audit on every operation (no plaintext in logs)
v1.7.5 — Kubernetes Mutating Admission Webhook + Sidecar
- `lib/k8sInjector.js`: `AdmissionReview` handler, generates RFC 6902 JSONPatch
- Mutation strategy: `emptyDir` tmpfs volume + initContainer or sidecar (K8s 1.28+ via `restartPolicy: Always`) + read-only volumeMount
- 8 configurable annotations: `inject`, `client-id`, `secrets`, `volume`, `cv-url`, `secret-name`, `refresh-interval`, `sidecar-image`
- `kubernetes/sidecar/`: Node.js binary + non-root Dockerfile (uid 65534, read-only root FS)
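The mutation strategy as an added example, not the project's `lib/k8sInjector.js`: building the RFC 6902 JSONPatch from the annotations (tmpfs `emptyDir`, initContainer or native sidecar with `restartPolicy: Always`, read-only mounts into the app containers), wrapping it in an `AdmissionReview` v1 response, plus a minimal applier so the resulting pod spec can be inspected. The annotation prefix, mount path, container and env var names and the sidecar image are assumptions or placeholders.

```javascript
// Added example, not CipherVault's lib/k8sInjector.js: builds the RFC 6902 JSONPatch for a pod
// from the injector annotations and wraps it in an AdmissionReview response. Assumptions: the
// annotation prefix, mount path, container name, env var names and the placeholder sidecar image.
const ANNOTATION_PREFIX = 'ciphervault.io/';                            // assumed prefix
const MOUNT_PATH = '/cv/secrets';                                       // assumed mount path
const PLACEHOLDER_SIDECAR = 'registry.example/cv-sidecar:placeholder';  // placeholder image

function buildPatch(pod) {
  const ann = (pod.metadata && pod.metadata.annotations) || {};
  const get = (k, dflt) => ann[ANNOTATION_PREFIX + k] ?? dflt;
  if (get('inject', 'false') !== 'true') return []; // opt-in only: no annotation, no mutation

  const volume = get('volume', 'cv-secrets');
  const refresh = Number(get('refresh-interval', '0'));
  const patch = [];

  // 1. tmpfs-backed emptyDir so secrets never touch the node's disk.
  if (!pod.spec.volumes) patch.push({ op: 'add', path: '/spec/volumes', value: [] });
  patch.push({ op: 'add', path: '/spec/volumes/-', value: { name: volume, emptyDir: { medium: 'Memory' } } });

  // 2. The injector container: one-shot initContainer, or a native sidecar (restartPolicy: Always,
  //    K8s 1.28+) when a refresh interval is requested so it keeps renewing secrets.
  const injector = {
    name: 'cv-injector',
    image: get('sidecar-image', PLACEHOLDER_SIDECAR),
    env: [
      { name: 'CV_URL', value: get('cv-url', '') },
      { name: 'CV_CLIENT_ID', value: get('client-id', '') },
      { name: 'CV_SECRETS', value: get('secrets', '') },
      { name: 'CV_SECRET_NAME', value: get('secret-name', '') },
      { name: 'CV_REFRESH_INTERVAL', value: String(refresh) },
    ],
    volumeMounts: [{ name: volume, mountPath: MOUNT_PATH }], // writable: it is the writer
  };
  if (refresh > 0) injector.restartPolicy = 'Always';
  if (!pod.spec.initContainers) patch.push({ op: 'add', path: '/spec/initContainers', value: [] });
  patch.push({ op: 'add', path: '/spec/initContainers/-', value: injector });

  // 3. Every app container gets the volume read-only: it can read secrets but not overwrite them.
  pod.spec.containers.forEach((c, i) => {
    if (!c.volumeMounts) patch.push({ op: 'add', path: `/spec/containers/${i}/volumeMounts`, value: [] });
    patch.push({ op: 'add', path: `/spec/containers/${i}/volumeMounts/-`,
                 value: { name: volume, mountPath: MOUNT_PATH, readOnly: true } });
  });
  return patch;
}

// AdmissionReview v1 response: the patch travels base64-encoded with patchType "JSONPatch".
function admissionResponse(review) {
  const patch = buildPatch(review.request.object);
  const response = { uid: review.request.uid, allowed: true };
  if (patch.length > 0) {
    response.patchType = 'JSONPatch';
    response.patch = Buffer.from(JSON.stringify(patch), 'utf8').toString('base64');
  }
  return { apiVersion: 'admission.k8s.io/v1', kind: 'AdmissionReview', response };
}

// Minimal applier for the "add" operations above, so the resulting pod spec can be inspected.
function applyAddOps(doc, patch) {
  const out = JSON.parse(JSON.stringify(doc));
  for (const op of patch) {
    if (op.op !== 'add') throw new Error('this applier only handles add');
    const segs = op.path.split('/').slice(1).map(s => s.replace(/~1/g, '/').replace(/~0/g, '~'));
    let cur = out;
    for (const s of segs.slice(0, -1)) cur = cur[s];
    const last = segs[segs.length - 1];
    if (Array.isArray(cur)) {
      if (last === '-') cur.push(op.value); else cur.splice(Number(last), 0, op.value);
    } else {
      cur[last] = op.value;
    }
  }
  return out;
}
```

The "create the array first, then append with `/-`" pairing matters: a JSONPatch `add` to `/spec/volumes/-` fails when the pod has no `volumes` key at all, and a webhook that fails closed on that would block every un-annotated pod in the namespace.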
v1.8.0 — PKI as a Service + expanded Workload Identity
PKI
- Named internal CAs per tenant. RSA-2048 self-signed via `node-forge`
- Roles with policy: `allowed_cn_regex`, `allowed_dns_regex`, `default_ttl_sec`, `max_ttl_sec` (cap 90d), `key_usages`, `ext_key_usages`, `is_ca`
- Issuance: CSR mode or generateKey (CV generates the RSA-2048 key)
- Public CRL endpoint: `GET /pki/cas/:id/crl`
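Role-policy enforcement for an issuance request, as an added example that is not CipherVault's PKI code: the CN and SAN regexes, the `is_ca` and key-usage allow-lists, and the TTL clamped by `max_ttl_sec` and then by the 90d cap. The request shape (`cn`, `dns`, `ttlSec`, `keyUsages`, `isCa`), the error strings, clamping rather than rejecting an over-long TTL, and the requirement that role regexes be anchored are assumptions.

```javascript
// Added example, not CipherVault's PKI code: role-policy enforcement for an issuance request.
// Assumptions: the request shape ({ cn, dns, ttlSec, keyUsages, isCa }), the error strings,
// TTL clamping, and the rule that role regexes must be anchored.
const PKI_ABSOLUTE_TTL_CAP_SEC = 90 * 24 * 60 * 60; // the 90d cap on max_ttl_sec

// An unanchored allowed_cn_regex such as "api\.example\.com" also matches any longer name that
// merely contains that string, so the policy would pass names it was never meant to. Rather than
// silently wrapping the pattern, reject roles whose pattern is not written as ^...$.
function compileAnchored(pattern) {
  if (!pattern.startsWith('^') || !pattern.endsWith('$')) throw new Error(`regex must be anchored: ${pattern}`);
  return new RegExp(pattern);
}

function evaluateIssuance(role, req) {
  const errors = [];
  const cnRe = compileAnchored(role.allowed_cn_regex);
  const dnsRe = compileAnchored(role.allowed_dns_regex);

  if (!cnRe.test(req.cn)) errors.push(`cn "${req.cn}" not allowed by role`);
  for (const name of req.dns || []) {
    if (!dnsRe.test(name)) errors.push(`dns "${name}" not allowed by role`);
  }
  if (req.isCa && !role.is_ca) errors.push('role does not allow CA certificates');

  const allowedKu = new Set(role.key_usages);
  for (const ku of req.keyUsages || []) {
    if (!allowedKu.has(ku)) errors.push(`key usage "${ku}" not allowed`);
  }

  // Requested TTL (or the role default) is clamped by the role and then by the platform cap.
  const maxTtl = Math.min(role.max_ttl_sec, PKI_ABSOLUTE_TTL_CAP_SEC);
  const ttlSec = Math.min(req.ttlSec ?? role.default_ttl_sec, maxTtl);
  if (!(ttlSec > 0)) errors.push('ttl must be positive');

  return errors.length
    ? { ok: false, errors }
    : { ok: true, ttlSec, keyUsages: req.keyUsages || role.key_usages, extKeyUsages: role.ext_key_usages };
}
```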
Workload Identity (4 methods)
| Type | How it is validated |
|---|---|
| k8s_sa | K8s ServiceAccount JWT validated via the TokenReview API |
| aws_iam | re-executes a presigned STS:GetCallerIdentity, validates the ARN |
| gcp_iam | audience-bound GCP JWT validated via Google's public JWKS |
| azure_msi | IMDS JWT validated via the Azure AD tenant's JWKS |
`POST /workload-identity/login` (public) exchanges the external claim for a 1h CV JWT.
License feature gating
`lib/license.js`: `requireFeature(name)` middleware + `FEATURE_MIN_PLAN` map (dynamic_secrets requires enterprise).
v1.8.1 — Go CLI `cv`
Single binary covering administration + consumption from the terminal.
- 8 command groups: `login`, `secret`, `lease`, `ssh`, `eaas`, `pki`, `approval`
- Config: `--url --token` flags, `CV_URL CV_TOKEN` env, or `~/.ciphervault/config.yaml` (mode 0600)
- Output formats: `json | table | raw` (raw is pipe-friendly)
- Pipe-friendly: `echo "data" | cv eaas encrypt key | cv eaas decrypt key`
v1.8.2 — Python SDK AdminClient
New `ciphervault.admin` module with administrative bindings (JWT bearer). 7 sub-resources: `cv.dynamic`, `cv.eaas`, `cv.ssh`, `cv.pki`, `cv.approvals`, `cv.workload`, `cv.tokenization`. Consumer SDK (mTLS+DPoP) unchanged.
v1.8.3 — Official Terraform Provider
Provider in Go using terraform-plugin-framework v1.6+.
- 8 resources: `ciphervault_secret`, `ciphervault_vault`, `ciphervault_eaas_key`, `ciphervault_pki_ca`, `ciphervault_pki_role`, `ciphervault_ssh_role`, `ciphervault_dynamic_backend`, `ciphervault_dynamic_role`
- 3 data sources: `ciphervault_secret`, `ciphervault_pki_ca_cert`, `ciphervault_ssh_ca_pubkey`
- Auth via `CV_URL` + `CV_TOKEN` env or an explicit provider block
v1.9.0 — Tokenization / Format-Preserving Encryption + Secretless Proxy
Tokenization / FPE
3 formats: preserving (keeps the char class), uuid (deterministic v4), alphanumeric (length match).
- Deterministic via blind index `HMAC-SHA256(blind_key, value)` → the same input yields the same token (idempotent; allows stable JOIN/lookup in the app's DB)
- AES-256-GCM ciphertext + KEK envelope. Plaintext never in logs
- Cross-tenant guard on every op. Vault delete requires a reason ≥ 10 chars
- Endpoints: `POST /tokenization/vaults`, `POST /vaults/:id/tokenize`, `POST /vaults/:id/detokenize`
- Tables: `tokenization_vaults` (DEK + blind_key encrypted), `tokenization_records` (token + ciphertext + UNIQUE on blind_index)
Secretless Proxy (Go binary, MVP)
Local sidecar that listens on TCP, intercepts the Postgres StartupMessage, requests a lease from CV, connects upstream with the ephemeral credential, then relays raw bytes bidirectionally.
- The app configures its connection to `localhost:5432` with arbitrary user/pass; the proxy injects the real credential
- Lease revoked on close (defer)
- MVP limitations: Postgres CleartextPassword auth only, no upstream TLS, no lease pool. Roadmap in `secretless-proxy/README.md`
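The interception step described above, as an added example in JavaScript rather than the Go binary itself: parsing the Postgres protocol-3 StartupMessage (and telling it apart from an SSLRequest or CancelRequest), rewriting only the `user` parameter to the leased username, and building the PasswordMessage the proxy sends when the upstream asks for a cleartext password. Function names and the `{ username, password }` lease shape are assumptions.

```javascript
// Added example, not the Go secretless proxy itself: the Postgres v3 StartupMessage parsing and
// rewriting the proxy does before it opens the upstream connection with the leased credential.
// Assumptions: function names; the lease object shape { username, password }.
const PROTOCOL_V3 = 196608;     // major 3, minor 0
const SSL_REQUEST = 80877103;   // client asks for TLS first; the MVP proxy (no upstream TLS) answers 'N'
const CANCEL_REQUEST = 80877102;

// Returns null when more bytes are needed, otherwise the parsed message and its byte length.
function parseStartupMessage(buf) {
  if (buf.length < 8) return null;
  const len = buf.readUInt32BE(0);
  if (len < 8 || len > 10000) throw new Error('implausible startup length'); // PostgreSQL also rejects > 10000
  if (buf.length < len) return null;
  const code = buf.readUInt32BE(4);
  if (code === SSL_REQUEST) return { type: 'SSLRequest', length: 8 };
  if (code === CANCEL_REQUEST) return { type: 'CancelRequest', length: 16 };
  if (code !== PROTOCOL_V3) throw new Error(`unsupported protocol 0x${code.toString(16)}`);
  const params = {};
  let off = 8;
  while (off < len) {
    if (buf[off] === 0) { off += 1; break; } // terminating NUL after the last pair
    const kEnd = buf.indexOf(0, off);
    const vEnd = kEnd === -1 ? -1 : buf.indexOf(0, kEnd + 1);
    if (kEnd === -1 || vEnd === -1 || vEnd >= len) throw new Error('malformed startup parameters');
    params[buf.toString('utf8', off, kEnd)] = buf.toString('utf8', kEnd + 1, vEnd);
    off = vEnd + 1;
  }
  return { type: 'StartupMessage', length: len, params };
}

function buildStartupMessage(params) {
  const body = Buffer.concat([
    ...Object.entries(params).map(([k, v]) => Buffer.from(`${k}\0${v}\0`, 'utf8')),
    Buffer.from([0]),
  ]);
  const head = Buffer.alloc(8);
  head.writeUInt32BE(8 + body.length, 0);
  head.writeUInt32BE(PROTOCOL_V3, 4);
  return Buffer.concat([head, body]);
}

// PasswordMessage ('p'): what the proxy sends upstream when the server answers with
// AuthenticationCleartextPassword, carrying the lease password instead of whatever the app configured.
function buildPasswordMessage(password) {
  const body = Buffer.from(`${password}\0`, 'utf8');
  const head = Buffer.alloc(5);
  head.write('p', 0, 'ascii');
  head.writeUInt32BE(4 + body.length, 1);
  return Buffer.concat([head, body]);
}

// The rewrite step: keep database/application_name etc., replace only the user, and hand back
// any bytes that followed the startup packet so nothing the client pipelined is lost.
function rewriteStartup(buf, lease) {
  const msg = parseStartupMessage(buf);
  if (!msg) throw new Error('incomplete startup packet');
  if (msg.type !== 'StartupMessage') throw new Error(`expected StartupMessage, got ${msg.type}`);
  const params = { ...msg.params, user: lease.username };
  return { rewritten: buildStartupMessage(params), rest: buf.subarray(msg.length), appUser: msg.params.user };
}
```

Returning `null` on a short read matters in a TCP proxy: the startup packet can arrive split across segments, and a parser that treats a partial buffer as malformed will drop legitimate connections under load.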
Operational documentation
- `docs/HA_MULTI_REGION.md`: 3 topologies (single-region HA, active-passive multi-region, active-active sharded), pre-prod checklist, mandatory monitoring, capacity planning, DR test procedures
- `docs/COMPLIANCE.md`: complete mapping of SOC 2 Trust Services (CC6/CC7) + ISO 27001:2022 Annex A → product features. Auditor checklist + organizational gaps
v1.9.1 — AdminClient in the remaining 4 SDKs
- `sdks/go/admin.go`: `NewAdmin(url, token)` with sub-resources `Dynamic`, `EaaS`, `SSH`, `PKI`, `Approvals`, `Workload`, `Tokenization`. Typed structs (`Lease`, `EaasEnvelope`, `SshCert`, `PkiCert`)
- `sdks/nodejs/src/admin.ts`: `AdminClient` with native fetch() + AbortController. Types exported from `index.ts`
- `sdks/java/src/main/java/io/ciphervault/AdminClient.java`: inner classes per subsystem. Uses `java.net.http` (Java 11+, zero external deps)
- `sdks/csharp/CipherVault.Sdk/AdminClient.cs`: async/await with C# 9 records + `System.Text.Json`
All follow the same contract as the Python AdminClient (v1.8.2). Consumer SDKs (mTLS+DPoP) preserved intact.
Summary
| Subsystem | Version | Status |
|---|---|---|
| Approvals (dual-control) | 1.6.0 | GA |
| Dynamic Secrets (6 engines) | 1.7.0–1.7.2 | GA |
| SSH Certificate Authority | 1.7.3 | GA |
| Encryption-as-a-Service | 1.7.4 | GA |
| K8s Mutating Admission Webhook | 1.7.5 | GA |
| PKI as a Service | 1.8.0 | GA |
| Workload Identity (4 methods) | 1.8.0 | GA |
| Tokenization / FPE | 1.9.0 | GA |
| Secretless Proxy | 1.9.0 | MVP |
| Go CLI `cv` | 1.8.1 | GA |
| Terraform Provider | 1.8.3 | GA |
| AdminClient (5 SDKs) | 1.8.2 + 1.9.1 | GA |
Next stop: v2.0.0, the major release consolidating all of the above.