Last tagged release: v5.3.2 (2026-03-15)
Current release state: v6.0.0 prepared on main; the annotated tag has not been created yet.
Playback truth: main
Runtimes: Node.js 22.x, Bun, Deno
Current planning method: WORKFLOW.md
Live backlog: docs/method/backlog/README.md
STATUS.md is a compact snapshot, not the active planning surface.
- The human CLI and TUI are real and materially shipped.
- The machine-facing `git cas agent` surface exists and now supports OS-keychain passphrase sources for vault-derived key flows, but parity and portability are still partial.
- v6.0.0 artifact posture — pre-tag release prep and final local verification are complete; the annotated tag has not been created. JSR publication is deferred because the current `jsr`/Deno toolchain panics before package validation. Once the operator approves the tag, the tag workflow publishes npm and creates the GitHub Release; JSR can return in a later 6.x maintenance change once its dry-run is healthy.
- v6.0.0 encryption scheme simplification — `whole-v1`/`whole-v2` collapsed to `whole`, `framed-v1`/`framed-v2` collapsed to `framed`, `convergent-v1` collapsed to `convergent`. AAD is now always on. Legacy scheme strings in stored manifests throw `LEGACY_SCHEME` at `readManifest()` time with migration guidance.
- Migration script — `npm run upgrade` (or `node scripts/migrate-encryption.js`) migrates existing vault entries. Two modes: fast (rename-only for v2 schemes and `convergent-v1`) and full (re-encryption for v1 whole/framed schemes that lacked AAD). Defaults to dry-run.
- `legacyMode` — `CasService` constructor option allows reading legacy manifests without throwing `LEGACY_SCHEME`, used by the migration script.
- Convergent encryption — new default scheme for CDC + encryption that preserves deduplication across encrypted stores.
- Fixed-chunk encrypted stores default to `framed`, which provides an authenticated streaming encrypted restore path. CDC encrypted stores default to `convergent`, preserving deduplication across encrypted versions. `whole` remains the explicit compatibility whole-object mode for `restoreStream()`, while `restoreFile()` now has a bounded temp-file restore path for `whole` and buffered compression modes.
- Buffered `restoreStream()`/`restore()` now enforce `maxRestoreBufferSize` against streamed gunzip output and, on stream-native blob adapters, against actual blob reads instead of only manifest-estimated sizes.
- Custom persistence adapters must now provide `readBlobStream()` for those hard-limited buffered restore modes; `readBlob()` remains a plaintext compatibility fallback only.
- Passphrase-bearing store, restore, vault init, and vault rotation now use stronger KDF defaults and reject out-of-policy stored metadata before derive work begins.
- Stored KDF salt metadata now rejects malformed base64 at both schema time and runtime stored-KDF validation, keeping manifest and vault metadata aligned before derive work starts.
- Manifest parsing now rejects unsupported encryption schemes, `encrypted: false`, malformed AES-GCM nonce/tag values, and framed manifests that omit `frameBytes`, across both JSON and CBOR manifest codecs.
- Node, Bun, and Web Crypto decrypt paths now enforce AES-GCM metadata at the adapter boundary too, so malformed algorithm, nonce, or tag values are rejected before runtime-specific decrypt calls run.
- Web Crypto whole-object decrypt paths are now explicitly bounded by `maxDecryptionBufferSize` instead of collecting ciphertext without a guard. `framed` remains the actual cross-runtime streaming-encrypted mode.
- Fresh work is now organized through METHOD backlog lanes and numbered cycle directories.
- TUI modernization is queued for the v6.x line after v6.0.0, not as a v6.0.0 tag blocker.
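
The manifest checks listed above (legacy scheme strings throwing `LEGACY_SCHEME`, `encrypted: false`, malformed AES-GCM nonce/tag values, framed manifests without `frameBytes`) amount to one validation pass that runs before any decrypt or derive call. The following is an added example, not the project's own code: the field layout, the `aes-256-gcm` string, the 12/16-byte sizes, and every error code other than `LEGACY_SCHEME` are assumptions.

```javascript
// Added example. Field names, the algorithm string, the byte sizes and every
// error code except LEGACY_SCHEME are assumptions, not the project's schema.
const LEGACY = new Map([
  ['whole-v1', 'whole'], ['whole-v2', 'whole'],
  ['framed-v1', 'framed'], ['framed-v2', 'framed'],
  ['convergent-v1', 'convergent'],
]);
const SCHEMES = new Set(['whole', 'framed', 'convergent']);
const NONCE_BYTES = 12; // 96-bit AES-GCM nonce (assumed size)
const TAG_BYTES = 16;   // 128-bit AES-GCM tag (assumed size)

class ManifestError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// Decoded length of padded standard-alphabet base64, or -1 if malformed.
// Lenient decoders skip bad characters, so the text is checked without decoding.
function strictBase64Length(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length % 4 !== 0) return -1;
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(s)) return -1;
  const pad = s.endsWith('==') ? 2 : s.endsWith('=') ? 1 : 0;
  return (s.length / 4) * 3 - pad;
}

// Returns the current scheme name or throws. No key material is touched here.
function validateEncryptionMeta(enc, { legacyMode = false } = {}) {
  const fail = (code, msg) => { throw new ManifestError(code, msg); };
  if (enc === null || typeof enc !== 'object') fail('INVALID_MANIFEST', 'no encryption metadata');
  let scheme = enc.scheme;
  if (LEGACY.has(scheme)) {
    if (!legacyMode) fail('LEGACY_SCHEME', `legacy scheme "${scheme}": run npm run upgrade`);
    scheme = LEGACY.get(scheme); // only reachable on the migration path
  }
  if (!SCHEMES.has(scheme)) fail('UNSUPPORTED_SCHEME', `unknown scheme ${String(scheme)}`);
  if (enc.encrypted !== true) fail('INVALID_MANIFEST', 'encrypted must be true');
  if (enc.algorithm !== 'aes-256-gcm') fail('INVALID_MANIFEST', 'bad algorithm');
  if (strictBase64Length(enc.nonce) !== NONCE_BYTES) fail('INVALID_MANIFEST', 'bad nonce');
  if (strictBase64Length(enc.tag) !== TAG_BYTES) fail('INVALID_MANIFEST', 'bad tag');
  if (scheme === 'framed' && !(Number.isInteger(enc.frameBytes) && enc.frameBytes > 0)) {
    fail('INVALID_MANIFEST', 'framed manifest omits frameBytes');
  }
  return scheme;
}

// Constructed sample metadata (all-zero nonce and tag, for illustration only).
const sample = { scheme: 'framed', encrypted: true, algorithm: 'aes-256-gcm',
  nonce: 'A'.repeat(16), tag: 'A'.repeat(22) + '==', frameBytes: 65536,
};
console.log(validateEncryptionMeta(sample)); // framed
```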