Releases: Barkway-app/keyseal

v1.1.0

23 May 09:37

Highlights:

  • read-only decrypt paths now use the official SOPS Go decrypt library for render, exec, doctor, and verify
  • production/deploy machines no longer need external sops or age binaries for read-only decrypt/render/exec/validation workflows; they still need Keyseal, encrypted files, and age private key material
  • external SOPS CLI remains required for mutating workflows: add, edit, and updatekeys
  • SOPS library compatibility warnings, such as older unencrypted comment warnings, are suppressed during render and exec but reported deliberately by doctor/verify
  • documentation now distinguishes developer/admin machines from production/deploy machines and calls out that servers need the age key, not the age CLI

v1.0.0

24 Apr 05:52

This release marks the first stable release of Keyseal.

It adds keyseal verify, a strict, non-mutating validation command designed for CI. verify reuses the same core checks as doctor, but fails on warnings as well as errors, making it suitable as a proper pipeline gate. --json output can also now be used more cleanly in automated workflows.

With this release, the v1 keyseal.yaml config contract and the kind: env secret document shape are now treated as stable. The documentation has also been tightened up to better distinguish production-ready workflows from starter templates that still need real secret values.

Highlights:

  • keyseal verify adds a strict, non-mutating CI gate that reuses doctor checks but fails on warnings as well as failures
  • Keyseal is now documented as production-ready for Barkway's Git-backed SOPS secret workflow
  • the v1 keyseal.yaml config contract and kind: env secret document shape are treated as stable
  • docs now distinguish production-ready tooling from starter templates that still require real secret values