v0.8.18 — production-readiness sweep (threat model + runbook + AWS test vectors + server fuzz + coverage CI)
Production-readiness sweep. Three audit cycles (v0.8.11-v0.8.17)
closed every CRIT / HIGH / MED security finding. v0.8.18 lifts the
operational maturity, AWS conformance posture, and
quality-gate infrastructure to match. No code-correctness
changes outside what already shipped in v0.8.17 — this release is
docs, tests, and CI.
Published to crates.io as s4-server@0.8.18, s4-codec@0.8.18,
s4-config@0.8.18, s4-codec-py@0.8.18. Install via
cargo install s4-server (CPU build).
What's new since v0.8.17
Added
- #165 P1 — docs/security/threat-model.md. STRIDE-shaped threat model covering 5 attack surfaces (public S3 wire, compressed payload at rest, key handling, backend trust boundary, Object Lock posture). Every mitigation traces to a shipped issue number from the three audit cycles. Explicit non-goals and known residual risks (the rustls-webpki CVE chain etc.) are documented so reviewers don't have to reverse-engineer them.
- #166 P2 — docs/ops/runbook.md. 12 operational procedures (disk full, GPU OOM, backend 5xx storm, SSE key rotation, KMS KEK loss, MFA secret loss, replication backlog, TLS rotation, orphan sweep, legacy reserved-key migration, audit advisory, graceful shutdown), each in Symptom → Diagnose → Mitigate → Recover → Prevent shape.
- #167 P3 — AWS SigV4 canonical-request test vectors (crates/s4-server/src/routing.rs::aws_sigv4_canonical_vectors). 11 vectors pinning the v0.8.16 #150 byte-level helpers to AWS-published expected outputs (vanilla / vanilla-query-order key + value / utf8 / non-UTF8 byte round-trip / reserved-char encoding / mixed-case percent normalisation / bare key / unreserved set / S3 ListObjectsV2 / path with spaces).
- #168 P4 — server-side bolero fuzz targets (crates/s4-server/tests/fuzz_bolero.rs): sigv4a_auth_header_bolero (SigV4a Authorization parser) and policy_json_bolero (IAM bucket-policy JSON parser). Pairs with the existing 7 codec-layer bolero targets so the fuzz farm now covers every untrusted parser on the listener edge.
- #170 P6 — code coverage CI job (cargo-llvm-cov + Codecov upload, push-to-main only) + bench smoke job (runs the three examples/bench_* binaries to surface bit-rot; not a regression gate).
- #171 P7 — chaos / fault-injection test scaffold (crates/s4-server/tests/chaos.rs). Placeholder establishing the target; backend-method-level fault injection populates v0.8.19+.
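For readers checking the #167 vectors, here is an added illustration of the two AWS rules they pin, the SigV4 UriEncode byte rule and the key-then-value canonical query ordering. This is example code written for these notes, not the routing.rs helpers; the function names are hypothetical and the inputs are constructed, assumed to be raw (not already percent-encoded) strings.

```rust
// Added example (not s4-server code). Hypothetical helpers that follow the
// AWS SigV4 UriEncode and canonical-query-string rules.

/// Percent-encode per SigV4 UriEncode: unreserved bytes (A-Z a-z 0-9 - _ . ~)
/// pass through, '/' passes through only when `encode_slash` is false (the
/// canonical URI case), every other byte of the UTF-8 encoding becomes %XX
/// with uppercase hex. Space is therefore "%20", never "+".
pub fn uri_encode(input: &str, encode_slash: bool) -> String {
    let mut out = String::with_capacity(input.len() * 3);
    for &b in input.as_bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
                out.push(b as char)
            }
            b'/' if !encode_slash => out.push('/'),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build the canonical query string: encode each key and value (slash
/// encoded), sort by encoded key and then by encoded value so duplicate
/// keys are ordered deterministically, and join as key=value with '&'.
/// A bare key (no value) is emitted as "key=".
pub fn canonical_query_string(params: &[(&str, &str)]) -> String {
    let mut pairs: Vec<(String, String)> = params
        .iter()
        .map(|&(k, v)| (uri_encode(k, true), uri_encode(v, true)))
        .collect();
    pairs.sort(); // tuple Ord: key first, then value
    pairs
        .iter()
        .map(|(k, v)| format!("{}={}", k, v))
        .collect::<Vec<_>>()
        .join("&")
}

fn main() {
    // Constructed inputs: mixed-case keys, a bare key, a value with space and slash.
    let q = canonical_query_string(&[
        ("prefix", "a b/c"),
        ("list-type", "2"),
        ("Zed", "1"),
        ("marker", ""),
    ]);
    println!("{}", q); // Zed=1&list-type=2&marker=&prefix=a%20b%2Fc
    println!("{}", uri_encode("/my photo.jpg", false)); // /my%20photo.jpg
}
```

Note that keys sort by byte value, so an uppercase key precedes every lowercase one; that ordering is one of the things the vanilla-query-order vectors exercise.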
Changed
- #169 P5 — README proptest claim corrected from 38 → 39 properties.
- #172 — .github/workflows/ci.yml notify-on-failure step now deduplicates by SHA prefix before opening an issue; companion .github/workflows/ci-close-resolved.yml auto-closes ci-failure issues once a subsequent main commit lands green. Closes the auto-issue spam observed during the v0.8.13 / v0.8.14 retry cycle.
Fixed
- Stale ci-failure GitHub issues #115 / #116 / #117 closed with the v0.8.13 / v0.8.14 supersession trail.
Tests
449 lib + 45 integration + 11 SigV4 vectors + 2 bolero + 1 chaos scaffold = total test target count climbs from 519 to ~540, all green under RUSTFLAGS="-D warnings"; cargo clippy --workspace --all-targets clean; cargo fmt --all --check clean; MinIO E2E job green on CI; coverage job green on CI.
Roadmap (deferred from this release)
- criterion regression-tracking benches — needs baseline storage like benchmark-action/github-action-benchmark. The v0.8.18 bench-smoke job is the floor; the regression gate is the ceiling.
- Full chaos scenarios — 5+ tests against backend-method-level fault injection. Scaffold ships here; scenarios populate v0.8.19+.
- Supply-chain hardening — sigstore release signing, reproducible builds, SBOM badge.
Upgrade notes
- No new operator-visible knobs since v0.8.17. The three opt-ins from prior releases (--trust-x-forwarded-for, --prefer-columnar-gpu, --allow-legacy-reserved-key-reads) are the entire knob surface.
- Recommended pre-launch reading order:
Full per-issue notes: CHANGELOG.md.