Releases: open-proofline/server

v0.11.1

@github-actions github-actions released this 13 Jun 13:58
b20b297

Proofline Server v0.11.1

Proofline Server v0.11.1 is an ordinary pre-v1, experimental patch release. It is not production-ready public infrastructure and it is not a v1 preview readiness claim.

This patch release focuses on private admin web foundations, admin operational safety, branded email templates, and staged backend cleanup planning before broader server v1 work.

Highlights

Private admin web foundation

  • Organized the private admin web files before feature expansion.
  • Preserved the private-admin listener boundary.
  • Preserved existing bootstrap, login, logout, CSRF, and password workflows.
  • Added a staged internal/httpapi cleanup plan to guide future handler/package reorganization without accidentally weakening route boundaries.

Proofline admin design foundation

  • Added a Tailwind build path for embedded private admin templates.
  • Added source CSS, generated checked-in stylesheet, and maintainer build documentation.
  • Kept the admin interface server-rendered and scoped to the private /admin surface.
  • Redesigned and polished the private admin shell with Proofline visual parity while keeping it private-admin only.

Branded email templates

  • Added branded Proofline email templates for registration verification.
  • Added branded Proofline email templates for email challenge 2FA.
  • Preserved existing verification and email challenge semantics.
  • Did not add notification providers or new notification-delivery behavior.

Stronger admin 2FA enforcement

  • Admin accounts must complete second-factor setup before private /admin operator actions.
  • Admin accounts must complete second-factor setup before /admin/api/... JSON admin actions.
  • Newly bootstrapped admins are gated until admin second-factor setup is complete.
  • Legacy not_required admin accounts are also gated until admin second-factor setup is complete.
  • Admin sessions with active TOTP or WebAuthn factors must verify the session before operator access.

Upgrade notes

  • Operators should expect private admin accounts to require second-factor setup before usable admin/operator access.
  • Deployments with legacy admin accounts may need to complete admin 2FA enrollment after upgrade.
  • Private admin routes must remain private. Do not expose /admin or /admin/api/... from a public edge.
  • If maintaining the admin CSS, use the documented Tailwind build path and commit the generated stylesheet.

Explicit non-goals in this release

v0.11.1 does not add:

  • production readiness;
  • v1 preview readiness;
  • public admin tooling;
  • React or a SPA admin app;
  • notification providers;
  • SMS, push, Messenger, or emergency-services integration;
  • backend decryption;
  • browser decryption;
  • key escrow;
  • raw server-held media keys;
  • playable media export.

v0.11.0

@github-actions github-actions released this 12 Jun 19:40
0d9771b

Proofline Server v0.11.0

Proofline Server v0.11.0 is an ordinary pre-v1, experimental release. It is not production-ready public infrastructure and it is not a v1 preview readiness claim.

This release finalizes the v0.11.0 release-candidate cycle, publishes the v0.11.0-rc.1 technical review report, and includes the follow-up hardening fixes from that review.

Highlights

Release review and post-RC hardening

  • Published the v0.11.0-rc.1 technical review report under docs/reports/.
  • Pinned the PostgreSQL GitHub Actions service image by digest and documented the refresh command.
  • Added sanitized observability for committed-blob rollback cleanup failures after metadata insertion errors.
  • Added pre-send completed-bundle integrity checks: stream and incident bundle downloads now verify committed chunk byte counts and SHA-256 hashes against metadata before ZIP headers or body bytes are sent.
  • Missing or mismatched committed chunks fail closed with safe 409 bundle inconsistency errors instead of producing partial evidence bundles.
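The pre-send check described in the last two items, as an added Go example; it is not Proofline's code. The `ChunkMeta` shape, the in-memory `memStore`, the chunk names, the `/bundle` path and the `bundle_inconsistent` error string are assumptions made for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ChunkMeta is the committed metadata a stored chunk is checked against.
// Hypothetical shape for this example, not Proofline's schema.
type ChunkMeta struct {
	Name   string
	Size   int64
	SHA256 string // lowercase hex digest of the ciphertext
}

// memStore is a constructed in-memory stand-in for the blob backend.
type memStore map[string][]byte

func (m memStore) Open(name string) (io.ReadCloser, error) {
	b, ok := m[name]
	if !ok {
		return nil, errors.New("chunk missing")
	}
	return io.NopCloser(bytes.NewReader(b)), nil
}

var errInconsistent = errors.New("bundle inconsistent")

// verifyChunks hashes every stored chunk and compares byte count and SHA-256
// with metadata. A missing, short, long or altered chunk fails the whole bundle.
func verifyChunks(store memStore, chunks []ChunkMeta) error {
	for _, c := range chunks {
		rc, err := store.Open(c.Name)
		if err != nil {
			return errInconsistent
		}
		h := sha256.New()
		// Size+1 bounds the read while still exposing an oversized blob.
		n, err := io.Copy(h, io.LimitReader(rc, c.Size+1))
		rc.Close()
		if err != nil || n != c.Size || hex.EncodeToString(h.Sum(nil)) != c.SHA256 {
			return errInconsistent
		}
	}
	return nil
}

// bundleHandler verifies everything first and only then writes ZIP bytes, so a
// failure can still be reported as a clean 409 instead of a truncated archive.
func bundleHandler(store memStore, chunks []ChunkMeta) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if err := verifyChunks(store, chunks); err != nil {
			// Generic body: no paths, hashes or backend detail leak to the caller.
			http.Error(w, "bundle_inconsistent", http.StatusConflict)
			return
		}
		w.Header().Set("Content-Type", "application/zip")
		zw := zip.NewWriter(w)
		defer zw.Close()
		for _, c := range chunks {
			fw, err := zw.Create(c.Name)
			if err != nil {
				return
			}
			rc, err := store.Open(c.Name)
			if err != nil {
				return // status already sent; only the pre-send pass can fail cleanly
			}
			io.Copy(fw, rc)
			rc.Close()
		}
	}
}

// metaFor builds metadata for constructed sample data.
func metaFor(name string, data []byte) ChunkMeta {
	sum := sha256.Sum256(data)
	return ChunkMeta{Name: name, Size: int64(len(data)), SHA256: hex.EncodeToString(sum[:])}
}

// serve runs one request through the handler and returns status and body.
func serve(store memStore, chunks []ChunkMeta) (int, []byte) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/bundle", nil)
	bundleHandler(store, chunks)(rec, req)
	return rec.Code, rec.Body.Bytes()
}

func main() {
	data := []byte("constructed ciphertext chunk 0")
	store := memStore{"chunk-0000.bin": data}
	meta := []ChunkMeta{metaFor("chunk-0000.bin", data)}
	code, body := serve(store, meta)
	fmt.Println(code, len(body) > 0)
	store["chunk-0000.bin"] = []byte("constructed ciphertext chunk X") // altered after commit
	code, body = serve(store, meta)
	fmt.Printf("%d %q\n", code, body)
}
```

The verification pass reads every chunk twice per download; a store that can change between the two passes would additionally need immutable or no-overwrite blobs for the check to hold.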

Regional stream-ingress relay groundwork

  • Added the cmd/stream-ingress regional relay skeleton.
  • Added service-authenticated core relay preflight, commit, and fanout authorization endpoints.
  • Added backend-issued relay upload and fanout capabilities.
  • Added relay-local encrypted chunk upload, temp staging, SHA-256 verification, and forwarding to the core API.
  • Added optimistic encrypted near-live relay fanout and bounded confirmation/rejection/terminal-failure state propagation.
  • Added relay readiness guardrails with safe aggregate readiness categories.
  • Added a separate relay container build, GHCR publishing path, local relay Compose smoke path, and simulator relay upload mode.

The relay remains experimental and scoped. It does not add durable relay storage, metrics dashboards, production deployment automation, notifications, decryption, or key-custody changes.

Account security and recovery

  • Added required second-factor setup state for accounts.
  • Added email challenge second-factor setup and verification.
  • Added TOTP authenticator-app setup and verification.
  • Added disabled-by-default WebAuthn/FIDO2 passkey and roaming security-key setup and verification.
  • Added private-admin assisted second-factor recovery reset with controlled reason codes, audit metadata, and session revocation.
  • Added configurable account registration modes for disabled, admin-only, open self-registration with email verification, and paid-placeholder deployments.
  • Added optional browser cookie-session support for future web-client use, with CSRF protection and configured credentialed CORS.

Evidence storage, quotas, bundles, and deletion

  • Added account-scoped committed encrypted blob quota enforcement.
  • Added local temp-upload staging quota enforcement.
  • Added a trusted-shell operator request-deletion command for creating one incident deletion decision through SQLite or PostgreSQL metadata.
  • Strengthened backup and restore drill docs around deletion state, tombstones, private restore reconciliation, sharing-grant and wrapped-key consistency, and public viewer fail-closed behavior.
  • Added bundle hardening so completed bundles verify stored chunk integrity before serving.

Evidence bundles remain encrypted ZIP bundles. They are not decrypted, playable, or merged media exports.

Trusted-contact, wrapped-key, and viewer-link groundwork

  • Added account/device recipient-key lifecycle routes and metadata.
  • Added trusted-contact relationship lifecycle routes and metadata.
  • Added trusted-contact public-key lifecycle routes and metadata.
  • Added sharing-grant and wrapped-key metadata routes.
  • Added signed-in trusted-contact wrapped-key read routes for active accepted relationships and active grants.
  • Added owner-authenticated viewer-token metadata list/read routes that expose non-secret token metadata only.
  • Added token-scoped web-client viewer payload support for no-account incident viewers.

This release does not add trusted-contact decryption, backend decryption, browser decryption, key escrow, raw server-held keys, notification delivery, or emergency-services integration.

Post-quantum envelope and v1-preview direction

  • Made the accepted post-quantum evidence envelope the default runtime upload profile.
  • Added fail-closed upload validation for the public PQ payload frame.
  • Added PQ scheme/suite identifiers to bundle manifests without key material.
  • Updated simulator defaults to PQ encrypted uploads.
  • Accepted the v1 preview production post-quantum wrapped-key profile as documentation and validation direction.
  • Added v1 preview direction and release-gate documentation without claiming v1 readiness.

Private admin and route-boundary cleanup

  • Renamed private-admin JSON API routes into /admin/api/....
  • Removed the old JSON route aliases.
  • Updated tests and docs so admin JSON routes, the /admin dashboard, public viewer routes, and authenticated main routes remain separated.

Private admin routes must remain behind a private boundary such as localhost, LAN, WireGuard, firewall, or equivalent strict reverse-proxy access control.

Documentation, validation, and release hygiene

  • Added a standard-library local Markdown link checker for README, AGENTS, SECURITY, docs, and Codex prompt files.
  • Updated Deep Research report validation guidance.
  • Added planning-only boundaries for notifications, break-glass/dead-man-switch behavior, upload telemetry, browser decryption trust gates, public web-client deployment, location context, billing, and v1 preview readiness.

Upgrade notes

  • Private admin API clients must use /admin/api/...; old private-admin JSON aliases are removed.
  • Review any deployment that exposes /v1 broadly. This release does not make Proofline production-ready public infrastructure.
  • Keep /admin and /admin/api/... private.
  • If using GitHub Actions PostgreSQL integration tests, note that the service image is now digest-pinned and has a documented refresh path.
  • If relying on evidence bundle downloads, bundle generation now fails closed when committed chunk bytes do not match metadata.

Explicit non-goals in this release

v0.11.0 does not add:

  • production readiness;
  • v1 preview readiness;
  • backend decryption;
  • browser decryption;
  • trusted-contact decryption;
  • key escrow;
  • raw server-held media keys;
  • playable media export;
  • notification delivery;
  • emergency-services integration;
  • production relay deployment automation;
  • public admin/operator tooling;
  • active billing or payment-gated account creation.

Validation

Release-prep and follow-up PRs ran the project’s standard validation set as applicable, including Go formatting, Go tests, Go vet, Markdown link checks, targeted handler tests, workflow checks, and diff hygiene checks.

v0.11.0-rc.1

Pre-release

@github-actions github-actions released this 12 Jun 14:43
4644ec7

Proofline Server v0.11.0-rc.1

This is an ordinary pre-v1, experimental release candidate for Proofline Server.

It is not production-ready public infrastructure, not a v1 preview readiness claim, and not final v0.11.0.

This RC is intended for validation before the final v0.11.0 release.

Highlights

Regional stream-ingress relay

This release candidate includes the first complete regional encrypted stream-ingress relay path:

  • Added the separate cmd/stream-ingress relay service.
  • Added backend-issued relay upload and fanout capabilities.
  • Added service-authenticated core relay preflight and durable commit endpoints.
  • Added encrypted complete-chunk relay upload with temporary ciphertext staging, SHA-256 verification, and core forwarding.
  • Added optimistic near-live encrypted SSE relay fanout.
  • Added backend confirmation, rejection, and terminal-failure fanout state propagation.
  • Added relay readiness guardrails with safe aggregate /health/ready categories.
  • Added final relay documentation alignment for current-versus-future behavior.

The relay remains ciphertext-only and subordinate to the core backend. Relay-local staging is not durable evidence truth.

Relay packaging, CI, and simulator support

  • Added Dockerfile.ingress for the stream-ingress relay image.
  • Added GHCR publishing for ghcr.io/open-proofline/stream-ingress.
  • Added CI validation for the relay image.
  • Added loopback-bound local Compose relay smoke support.
  • Added opt-in cmd/simclient relay upload mode for local stream-ingress testing.
  • Kept direct main-API upload as the simulator default.

Account security and recovery

  • Added required second-factor setup state for account gating.
  • Added email challenge second-factor setup and verification.
  • Added TOTP second-factor setup and verification.
  • Added disabled-by-default WebAuthn/FIDO2 passkey and roaming security-key second-factor setup and verification.
  • Added private-admin assisted second-factor recovery reset with controlled reason codes, audit metadata, and target-session revocation.
  • Kept recovery separate from self-service recovery codes, key escrow, raw-key access, and decryption.

Post-quantum envelope and wrapped-key direction

  • Made the accepted post-quantum envelope the runtime upload validation and simulator default.
  • Added fail-closed validation for the public PQ payload frame.
  • Added bundle manifest PQ scheme/suite metadata without key material.
  • Accepted the v1 preview production post-quantum wrapped-key profile as a documented direction.
  • Preserved legacy envelope behavior only behind explicit compatibility paths where documented.

Trusted-contact and key metadata groundwork

  • Added account/device recipient-key metadata lifecycle routes.
  • Added trusted-contact relationship lifecycle routes.
  • Added trusted-contact public-key lifecycle metadata.
  • Added sharing-grant and wrapped-key metadata storage.
  • Added authenticated trusted-contact wrapped-key reads for accepted recipient accounts when relationship, key, grant, and wrapped-key state are all active.
  • Added private audit metadata for trusted-contact public-key, sharing-grant, wrapped-key, and deletion-pruning lifecycle events.

This remains metadata and wrapped-key delivery infrastructure. It does not add backend decryption, browser decryption, raw key storage, or key escrow.

Admin route boundary cleanup

  • Renamed private-admin JSON API routes into the /admin/api/... namespace.
  • Removed the old /v1/admin/... JSON route aliases.
  • Updated listener-boundary tests and docs so admin JSON routes, the /admin dashboard, and public viewer/main routes remain separated.

Quotas, deletion, and operator workflows

  • Added account-scoped committed encrypted blob quota enforcement.
  • Added local temp-upload staging quota enforcement.
  • Added a disabled-by-default local operator mode-retention-preview scaffold.
  • Added a trusted-shell local operator request-deletion command for one incident deletion decision.
  • Strengthened backup and restore drill documentation around deletion state, tombstones, restored deleted incidents, sharing grants, wrapped keys, and public viewer fail-closed behavior.

Documentation and policy boundaries

  • Added a planning-only notification boundary for future trusted-contact alerts, missed safety checks, and no-account viewer-token link delivery.
  • Expanded the break-glass and dead-man-switch policy boundary with wrapped-key-release-first direction, trigger/cancellation state, contact review, safe audit fields, offline-device handling, false-positive/false-negative considerations, and server-escrow review gates.
  • Added a browser-decryption trust-gate decision rejecting dynamic same-origin decrypting viewers as sufficient production trusted-contact review surfaces by themselves.
  • Added encrypted location context design.
  • Added upload telemetry boundary documentation.
  • Added public web-client deployment-boundary planning.
  • Added v1 preview readiness checklist and release-gate guidance.

These are design and release-boundary updates. They do not add notification delivery, emergency-services integration, backend decryption, browser decryption, key escrow, or production deployment approval.

Tooling and validation

  • Added a standard-library local Markdown link checker for README, AGENTS, SECURITY, docs, and Codex prompt files.
  • Added fenced-example and external-link exclusions.
  • Added link-check self-test coverage.
  • Updated Codex release, PR, documentation, and prompt-review workflows to reference the checker.
  • Updated the Deep Research report validation prompt to read v1 direction and post-quantum envelope source documents without silent fixed line caps.

Known limitations

This release candidate is still pre-v1 and experimental.

Not included:

  • No iOS app.
  • No Android app.
  • No implemented web client or account portal.
  • No protocol repository or shared conformance test suite.
  • No production recording client.
  • No production client-side encryption implementation.
  • No notification delivery.
  • No emergency-services integration.
  • No backend/browser decryption.
  • No key escrow or break-glass runtime access.
  • No playable decrypted media export.
  • No production deployment hardening claim.
  • No production relay deployment automation.
  • No relay replay, durable relay storage, relay metrics endpoint, relay Valkey coordination, or production relay service-identity rotation.

Artifacts

Expected release artifacts and packages:

  • proofline-server-linux-amd64
  • ghcr.io/open-proofline/server
  • ghcr.io/open-proofline/stream-ingress

v0.10.0

@github-actions github-actions released this 01 Jun 02:54
74ec526

Proofline Server v0.10.0

Proofline Server v0.10.0 is a public-backend prototype groundwork release.

This release adds the main API/viewer listener split, main API route-class rate limiting, optional Valkey/Redis-compatible upload-operation coordination, contact public-key and sharing-grant metadata, wrapped media-key metadata storage and delivery, retention/deletion maintenance tools, SQLite-to-PostgreSQL migration guidance, and a design for future regional stream-ingress relays.

Proofline Server remains experimental and is not production-ready public infrastructure.

Highlights

  • Moved the read-only incident viewer onto the main listener alongside authenticated /v1 routes.
  • Split the private-admin dashboard onto its own listener, serving only /admin and /admin/static/....
  • Added configurable main API route-class rate limiting for authentication, bootstrap, account, incident, upload, reconciliation, stream, token, download, and admin API routes.
  • Added optional Valkey/Redis-compatible short-lived complete-upload coordination leases and retry hints.
  • Added owner-scoped contact public-key metadata and incident/stream sharing-grant routes.
  • Added owner-scoped wrapped media-key metadata storage and private API delivery for active sharing grants.
  • Added a planning design for future regional stream-ingress relay nodes.

Public-backend preparation

v0.10.0 changes the server topology toward a future public prototype shape:

  • the main listener now carries authenticated /v1 routes and the token-gated read-only incident viewer
  • the private-admin listener is reserved for the /admin dashboard surface
  • existing /v1/admin/... JSON routes remain authenticated admin-only routes on the main handler and must not be routed from a public edge
  • app-level rate limiting now covers main API route classes as well as public viewer route classes
  • deployment-specific TLS, edge filtering, abuse controls, logging review, and operational hardening are still required before public exposure

Upload reliability and coordination

  • Added short-lived Valkey/Redis-compatible upload leases and upload_in_progress retry hints when coordination is explicitly configured.
  • Kept metadata-backed upload-operation rows and blob no-overwrite behavior authoritative.
  • Preserved the default no-coordination local mode.
  • Added shared SQLite/PostgreSQL upload-operation race and metadata parity tests for:
    • duplicate uploads
    • upload-versus-close/completion interleavings
    • idempotency replay and conflict behavior
    • token revocation
    • completed stream bundle metadata reconstruction
  • Added simulator ambiguous upload retry coverage so desktop-recorder retries treat Idempotency-Replayed: true responses as successful after response loss.

Contact sharing and wrapped-key metadata

  • Added owner-scoped contact public-key registration.
  • Added incident/stream-scoped sharing-grant metadata routes.
  • Added private API storage and delivery for wrapped media-key metadata bound to active sharing grants.
  • Kept public viewer routes and bundle manifests key-free.
  • Preserved backend ciphertext-only behavior.
  • Did not add trusted-contact accounts, browser decryption, backend decryption, raw media-key storage, key escrow, break-glass access, or playable export.

Retention, deletion, and migration maintenance

  • Added disabled-by-default pruning for expired/revoked viewer-token metadata and completed deletion tombstones.
  • Added local read-only operator commands to preview closed-incident retention candidates and inspect deletion job status using safe counts and retry categories.
  • Added explicit-age orphan temp upload cleanup for local upload-* staging files, with dry-run support and safe count-only startup logs.
  • Added opt-in S3-compatible object-store deletion smoke coverage for incident deletion.
  • Expanded SQLite-to-PostgreSQL migration guidance into a private operator runbook covering copy order, validation, rollback limits, and tooling boundaries.
  • Added a planning document for future private reassignment or quarantine of legacy unowned incidents.
  • Added a mode-aware retention policy design for future incident-mode-specific retention behavior.

Stream-ingress planning

This release adds a design for a future optional regional stream-ingress relay for complete encrypted chunk uploads.

The planned relay keeps the core API authoritative for:

  • authorization
  • idempotency decisions
  • durable blob commits
  • metadata
  • ciphertext-only behavior

The design also calls for pre-body abuse controls, core upload preflight, denial-feedback rate limiting, temporary ciphertext staging, hash verification, and regional deployment patterns such as a Melbourne ingress node behind global load balancing.

No stream-ingress implementation is included in this release.

Security and scope notes

  • Proofline Server is still experimental.
  • The server is not production-ready public infrastructure.
  • The main /v1 API requires local account sessions, but public exposure still needs deployment-specific TLS, abuse controls, browser credential review, logging review, and operational hardening.
  • Existing /v1/admin/... JSON routes remain authenticated admin-only routes and must not be routed from a public edge.
  • The private-admin listener must remain private.
  • The backend remains ciphertext-oriented and does not decrypt uploaded evidence.
  • Wrapped-key metadata is access-enabling metadata, not raw key material.
  • This release does not add:
    • iOS app
    • Android app
    • web client or account portal
    • production recording client
    • protocol repository
    • trusted-contact account delivery
    • backend decryption
    • browser decryption
    • raw server-held media keys
    • key escrow
    • break-glass access
    • playable media export
    • push/SMS/Messenger notifications
    • emergency-services integration

Validation

Release-prep validation should include:

  • gofmt -w ./cmd ./internal ./migrations
  • go test ./...
  • go vet ./...
  • git diff --check
  • local Docker Compose smoke stacks where available, especially for SQLite/local, PostgreSQL/local, SQLite/S3-compatible MinIO, and PostgreSQL/MinIO/Valkey combinations

Full changelog

See CHANGELOG.md for the complete v0.10.0 changelog.

v0.9.0

@github-actions github-actions released this 31 May 14:39
4f60047

Proofline Server v0.9.0

Proofline Server v0.9.0 adds the first authenticated server/admin foundation, safer upload retry behavior, operational readiness checks, public-viewer abuse controls, deletion/retention enforcement, and a much more realistic recorder simulator.

This release remains experimental and is not production-ready public infrastructure.

Highlights

  • Added local username/password accounts for the private /v1 API.
  • Added bcrypt password hashing, opaque server-side sessions stored only as hashes, owner/admin incident authorization, admin account management routes, and a fail-closed first-admin bootstrap flow.
  • Added a private admin-only HTML surface under /admin, with browser login/bootstrap forms, local account management, admin password-change and account password-reset workflows, HttpOnly admin-session cookies, authenticated form CSRF checks, no-store page behavior, and public/private mux separation.
  • Added private-only liveness and readiness checks for coarse metadata, blob, and coordination backend status without exposing backend diagnostics through the public viewer.
  • Added app-level public viewer rate limiting for page lookup, JSON polling, encrypted ZIP downloads, and static assets, with local in-memory counters by default and optional Valkey/Redis-compatible counters when coordination is configured.

Upload and evidence reliability

  • Added Idempotency-Key support for complete encrypted chunk uploads.
  • Stored idempotency keys as hashes in SQLite or PostgreSQL metadata.
  • Added equivalent retry success for matching upload retries and conflict handling for idempotency-key reuse with different upload inputs.
  • Added a private duplicate chunk reconciliation route for comparing expected chunk fingerprints against accepted metadata without re-uploading ciphertext or exposing stored values.
  • Added PostgreSQL metadata integration testing in GitHub Actions using a disposable PostgreSQL service.
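The Idempotency-Key behaviour listed above (keys stored only as hashes, a matching retry treated as success, reuse with different inputs treated as a conflict), as an added Go example; it is not Proofline's code. The `UploadInput` fields, the in-memory `opStore` and the per-account scoping of keys are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
)

// Outcome is what the upload handler should do with the request.
type Outcome int

const (
	Accepted Outcome = iota // first use of the key: commit the chunk
	Replayed                // same key, same inputs: report the earlier success
	Conflict                // same key, different inputs: reject
)

// UploadInput holds the fields that must match for a retry to count as the
// same upload. Hypothetical field set for this example.
type UploadInput struct {
	IncidentID, StreamID string
	ChunkIndex           int
	CiphertextSHA256     string
}

// opStore is a constructed in-memory stand-in for the metadata table.
// It maps hash(account, key) to a fingerprint of the upload inputs.
type opStore struct {
	mu  sync.Mutex
	ops map[string]string
}

func newOpStore() *opStore { return &opStore{ops: make(map[string]string)} }

// digest hashes its parts with length prefixes so ("ab","c") and ("a","bc")
// cannot collide.
func digest(parts ...string) string {
	h := sha256.New()
	for _, p := range parts {
		fmt.Fprintf(h, "%d:%s", len(p), p)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Commit decides the outcome atomically. Only digests are stored, so a dump of
// the table reveals neither client-chosen keys nor which inputs they covered.
// Scoping the key hash to the account is an assumption of this example.
func (s *opStore) Commit(account, idemKey string, in UploadInput) Outcome {
	keyHash := digest(account, idemKey)
	fp := digest(in.IncidentID, in.StreamID, fmt.Sprint(in.ChunkIndex), in.CiphertextSHA256)
	s.mu.Lock()
	defer s.mu.Unlock()
	prev, seen := s.ops[keyHash]
	switch {
	case !seen:
		s.ops[keyHash] = fp
		return Accepted
	case prev == fp:
		return Replayed
	default:
		return Conflict
	}
}

// holdsRawKey reports whether the raw key text appears anywhere in the store.
func (s *opStore) holdsRawKey(raw string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	for k, v := range s.ops {
		if strings.Contains(k, raw) || strings.Contains(v, raw) {
			return true
		}
	}
	return false
}

func main() {
	s := newOpStore()
	in := UploadInput{IncidentID: "inc-1", StreamID: "str-1", ChunkIndex: 0, CiphertextSHA256: "aa"}
	fmt.Println(s.Commit("acct-1", "key-123", in)) // first attempt
	fmt.Println(s.Commit("acct-1", "key-123", in)) // retry after a lost response
	in.CiphertextSHA256 = "bb"
	fmt.Println(s.Commit("acct-1", "key-123", in)) // same key, different ciphertext
}
```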

Desktop recorder simulator

  • Added a durable desktop-recorder simulator mode to cmd/simclient.
  • Added encrypted local staging and restart/resume upload recovery.
  • Added generated and local pre-recorded file sources.
  • Added optional ffmpeg video segment capture.
  • Added poor-network retry controls.
  • Added complete-chunk idempotent uploads, bundle decrypt verification, encrypted-only bundle output, offline bundle verification, and token/path-safe simulator output.
  • Ignored the simulator’s default stage key filename so local simulator keys are not accidentally committed when a staging directory lives under the repository.

Incident lifecycle and metadata

  • Added private incident deletion and closed-incident retention enforcement.
  • Added SQLite/PostgreSQL deletion decision metadata.
  • Added owner-scoped and admin-global deletion routes.
  • Added a retryable background deletion worker.
  • Added public viewer fail-closed behavior for deleting or deleted incidents.
  • Added safe maintenance error logging and updated retention, security, and API documentation.
  • Added optional incident-mode, capture-profile, escalation-policy, and sharing-state metadata fields to private incident creation and read responses while preserving generic legacy incidents.

Key-custody prototyping

  • Added opt-in simulator-only contact-wrapped key metadata artifacts.
  • Used local development contact keys and the maintained filippo.io/age wrapping library.
  • Kept backend manifests, routes, storage, and decryption behavior unchanged.
  • This release does not add production key custody, backend decryption, browser decryption, key escrow, raw server-held media keys, or playable media export.

Security and scope notes

  • The public incident viewer remains read-only.
  • The private admin dashboard remains on the private listener only.
  • Public viewer rate limiting is defense-in-depth and does not make private/admin APIs safe to expose without proper deployment boundaries.
  • The backend remains ciphertext-oriented and does not decrypt uploaded evidence.
  • This release does not add web-client code, mobile-client code, public admin dashboards, notifications, emergency-services integration, backend decryption, browser decryption, raw server-held media keys, key escrow, or break-glass behavior.

Full changelog

See CHANGELOG.md for the full v0.9.0 changelog.

v0.8.0

@github-actions github-actions released this 30 May 05:40
4ff318b

Proofline Server v0.8.0

Proofline Server v0.8.0 promotes the accumulated release-prep work from develop to main.

This release expands the backend’s optional storage and coordination backends, adds local smoke-test stacks, strengthens release/CI validation, and documents several future security and product boundaries while keeping the current server deliberately backend-only and experimental.

Highlights

  • Added optional PostgreSQL metadata storage via SAFE_METADATA_BACKEND=postgresql, while keeping SQLite as the default.
  • Added optional S3-compatible encrypted blob storage via SAFE_BLOB_BACKEND=s3, while keeping local filesystem storage as the default.
  • Added optional Valkey/Redis-compatible coordination startup checking via explicit coordination backend configuration, while keeping no coordination as the default.
  • Added local Docker Compose smoke-test stacks for:
    • SQLite + local blob storage
    • PostgreSQL + local blob storage
    • SQLite + S3-compatible MinIO blob storage
    • PostgreSQL + MinIO + Valkey
  • Added CI smoke tests for both the built Linux binary and Docker image startup.
  • Added Dependabot tracking for local Docker Compose smoke-test image tags.

Documentation and design updates

  • Added a cluster backup, restore, and failure runbook for optional PostgreSQL metadata, S3-compatible encrypted blobs, and Valkey/Redis-compatible coordination.
  • Added SQLite WAL operational guidance covering sidecar files, local filesystem expectations, backup/restore handling, and checkpoint-pressure checks.
  • Added future design documents for:
    • first-class incident modes, capture profiles, escalation policies, and sharing state
    • future /v1 access-control boundaries
    • incident deletion and retention enforcement
    • cluster-safe upload operation semantics
    • resumable uploads and upload leases
    • duplicate-chunk reconciliation
    • live or partial stream access boundaries
    • simulator-only contact-wrapped key metadata
  • Documented the current and future-client policy for original_filename metadata.

Security and scope notes

  • Proofline Server remains experimental and is not production-ready public infrastructure.
  • The private /v1 API remains unauthenticated and must stay behind localhost, LAN, WireGuard, firewall rules, or an equivalent private boundary.
  • Public incident viewer routes remain token-scoped and read-only.
  • The backend remains ciphertext-only.
  • This release does not add backend decryption, browser decryption, raw server-held media keys, key escrow, key-sharing behaviour, user accounts, OAuth/JWT, push/SMS/Messenger notifications, or emergency-services integration.

Validation

Release-prep validation included:

  • gofmt -w ./cmd ./internal ./migrations
  • go test ./...
  • go vet ./...
  • git diff --check
  • Docker Compose config checks for all smoke stacks
  • smoke tests for full, SQLite/local, PostgreSQL/local, and SQLite/S3-compatible configurations

Full changelog

See CHANGELOG.md for the detailed v0.8.0 changelog.

v0.7.0

@github-actions github-actions released this 27 May 17:45
12e9754

v0.7.0

This release completes the repository-layout migration for Proofline Server. The Go server module now lives at the repository root instead of under the former server/ subdirectory.

Highlights

  • Moved the Go server module from server/ to the repository root.
  • Moved root server code paths to:
    • cmd/
    • internal/
    • migrations/
    • go.mod
    • go.sum
    • Dockerfile
    • .dockerignore
  • Updated the Go module path for the new open-proofline/server repository layout.
  • Updated Docker, CI, Dependabot, development, deployment, and Codex documentation to use the new root-level project structure.
  • Removed the old server/README.md now that the repository root is the server project root.

Build and workflow changes

  • Updated GitHub Actions to run Go commands from the repository root.
  • Updated Docker build references for the root-level Dockerfile.
  • Updated Dependabot configuration paths after moving manifests to the root.
  • Updated release, development, and validation docs to remove stale cd server assumptions.

Documentation updates

  • Updated setup, development, deployment, simulator, architecture, code-map, and review workflow documentation for the new root layout.
  • Updated Codex prompts and project guidance so future AI-assisted work treats the repository root as the Go server module root.
  • Updated migration notes to distinguish current artifact names from historical safety-recorder compatibility references.

Compatibility notes

  • This is a repository-layout and module-path migration release.
  • Existing local clones should refresh branches and review any scripts that assume Go code lives under server/.
  • Commands that previously used cd server should now generally run from the repository root.
  • Docker builds should use the repository root as the build context.
  • Historical migration names, database migration filenames, encryption scheme names, and legacy route/config/schema compatibility names remain unchanged unless explicitly migrated elsewhere.

Validation

No intentional server behavior changes are included in this release. The change is structural: file layout, module path, build context, CI paths, and documentation.

v0.6.1

@github-actions github-actions released this 27 May 15:13
7ef26b2

This patch release completes post-transfer repository cleanup after moving the server repository to open-proofline/server.

Changes

  • Updated repository badges and references after the transfer to open-proofline/server, including the GHCR badge for ghcr.io/open-proofline/server.
  • Updated server-scope documentation to reflect that the repository now lives under the open-proofline organisation.
  • Updated Codex/project-context guidance to use the new repository path.
  • Updated architecture documentation to describe the repository as already transferred, while keeping module and artifact migration separate.
  • Configured Dependabot version updates to target develop by default for:
    • Go modules
    • Docker base images
    • GitHub Actions

Compatibility notes

  • The published GHCR image now follows the transferred repository path: ghcr.io/open-proofline/server.
  • The previous image path, ghcr.io/thesilkky/safety-recorder, was the pre-transfer package path and should be treated as a legacy/pre-transfer artifact unless explicitly supported later.
  • Go module paths are unchanged.
  • Binary artifact names are unchanged.
  • Local Docker example names may still use safety-recorder-backend unless separately migrated.
  • Database file names are unchanged.
  • Encryption scheme names are unchanged.
  • Legacy route, config, and schema names remain unchanged unless already migrated in v0.6.0.

Implementation notes

No Go code changed in this release.

v0.6.0

@github-actions github-actions released this 27 May 11:01
6899412

This release renames the project documentation to Proofline Server and clarifies that this repository is the Go server/backend component for the planned open-proofline/server repository. The current GitHub repository, Go module path, Docker image, and GHCR package names may still use safety-recorder until a separate repository and artifact migration is performed.

Highlights

  • Reframed the project as Proofline Server, the Go backend for encrypted incident capture.
  • Documented the planned open-proofline multi-repo layout:
    • server
    • web-client
    • ios-client
    • android-client
    • protocol
  • Added planned incident capture modes:
    • emergency incidents
    • interaction records
    • timed safety checks
    • evidence notes
  • Migrated current server terminology from emergency-viewer/emergency-token language toward incident-viewer/incident-token naming.
  • Added incident_tokens compatibility migration support while preserving existing data expectations.
  • Renamed the public viewer template and backend viewer code toward incident-viewer terminology.
  • Kept the backend ciphertext-only: no backend decryption, browser decryption, key escrow, raw server-held keys, or key-sharing behavior was added.

Backend readability and maintenance

  • Split large Go files into smaller responsibility-focused files across:
    • server/cmd/api
    • server/cmd/simclient
    • server/internal/config
    • server/internal/db
    • server/internal/envelope
    • server/internal/httpapi
    • server/internal/incidents
    • server/internal/storage
  • Refactored server lifecycle helpers, simulator flow helpers, config parsing, database migration orchestration, encryption-envelope helpers, HTTP viewer/stream/upload helpers, incident repository methods, and storage helpers.
  • Preserved existing backend behavior while making the code easier to review and maintain.

Documentation and process

  • Added and updated documentation for:
    • Proofline Server repository scope
    • open-proofline migration planning
    • incident capture modes
    • server-only repository boundaries
    • key custody and trusted-contact access direction
    • browser-side incident viewer decryption planning
    • break-glass/dead-man-switch design boundaries
    • retention, backup, deletion, security, and threat-model expectations
  • Added a public technical review report for v0.5.0.
  • Added Phase 0 Deep Research preflight workflow and updated report-validation prompts.
  • Documented Go readability standards and aligned Codex maintenance prompts with those standards.
  • Updated Codex prompt guidance and work orders for the Proofline rename and incident-token migration.

CI and release workflow

  • Updated CI/release documentation and workflow expectations.
  • Documented branch and ruleset expectations for develop, release/v*, and main.
  • Kept release validation, binary artifact, Docker image, and attestation workflow expectations aligned with the current server repository.

Compatibility notes

  • Existing safety-recorder repository/module/container names remain compatibility names for now.
  • Existing emergency route/config/schema names may remain where explicitly retained as compatibility aliases.
  • The private /v1 API remains private and unauthenticated; do not expose it publicly.
  • Evidence bundles remain encrypted chunk bundles with JSON manifests, not decrypted or playable media exports.
  • The backend still does not include web, iOS, Android, protocol, account-management, notification, or production key-custody implementations.

v0.5.0

@github-actions github-actions released this 25 May 23:13
fe2f8bf

Safety Recorder v0.5.0

Safety Recorder remains experimental and is not production-ready public infrastructure.

Highlights

  • Added artifact attestations for release binary and GHCR image provenance.
  • Automated GitHub Release creation and Linux amd64 binary asset upload for v* tags.
  • Added deployment guidance for localhost Docker, WireGuard/private /v1, Traefik HTTPS emergency viewer exposure, and deployment-edge rate limiting.
  • Added retention, backup, restore, secure deletion, key custody, browser decryption, break-glass, and iOS local recorder planning documents.
  • Hardened streamed chunk identity, stream completion, emergency-token expiry, SQLite WAL startup verification, upload race handling, and schema migration tracking.
  • Pinned GitHub Actions and Docker base images by immutable SHAs/digests.
  • Broadened Docker build-context ignore policy.
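
The pinning highlight above can be verified mechanically in review or CI. The Go check below is an added example, not Proofline's own code: the function name UnpinnedRefs and the sample workflow/Dockerfile lines are constructed for illustration. It reports every `uses:` or `FROM` reference that relies on a mutable tag instead of a full commit SHA or `@sha256:` digest.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var pinnedAction = regexp.MustCompile(`@[0-9a-f]{40}$`)       // full commit SHA
var pinnedImage = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`) // image digest

// UnpinnedRefs returns every action or base-image reference in text that uses
// a mutable tag or branch instead of an immutable commit SHA or digest.
func UnpinnedRefs(text string) []string {
	var out []string
	stages := map[string]bool{"scratch": true} // names that are not registry pulls
	for _, line := range strings.Split(text, "\n") {
		line, _, _ = strings.Cut(line, "#") // drop comments such as "# v4" after a SHA
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "- "))
		if len(f) < 2 {
			continue
		}
		switch {
		case f[0] == "uses:":
			ref := strings.Trim(f[1], `"'`)
			local := strings.HasPrefix(ref, "./") // action stored in this repository
			if !local && !pinnedAction.MatchString(ref) && !pinnedImage.MatchString(ref) {
				out = append(out, ref)
			}
		case strings.EqualFold(f[0], "FROM"):
			args := f[1:]
			for len(args) > 1 && strings.HasPrefix(args[0], "--") {
				args = args[1:] // skip flags such as --platform=...
			}
			if !stages[args[0]] && !pinnedImage.MatchString(args[0]) {
				out = append(out, args[0])
			}
			if len(args) == 3 && strings.EqualFold(args[1], "AS") {
				stages[args[2]] = true // a later "FROM <stage>" is not a pull
			}
		}
	}
	return out
}

func main() {
	sha := strings.Repeat("a", 40) // constructed commit SHA
	sample := "- uses: actions/checkout@v4\n- uses: actions/setup-go@" + sha + " # v5\nFROM golang:1.24 AS build\nFROM build\n"
	fmt.Println(UnpinnedRefs(sample))
}
```

The check is line-based, so Dockerfile line continuations and `ARG`-substituted image names are outside what it covers.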

Known limitations

  • Backend remains ciphertext-only and does not decrypt uploaded chunks.
  • Evidence bundles are encrypted chunk bundles, not playable media exports.
  • The private /v1 API is not authenticated for public use and must not be exposed publicly.
  • iOS client, production key custody, browser decryption, and break-glass access remain design/planning work unless explicitly implemented later.