Skip to content

mirim 1.0.0

Choose a tag to compare

@cristiancmoises cristiancmoises released this 14 Jun 08:42

First stable release. No code change from 0.14.0; this milestone declares
the public API and the on-disk formats stable. The per-version history
that follows records how the project reached here.

What mirim is

A tiny embedded SQL database (~3.4 kLOC of safe Rust, #![forbid(unsafe_code)]),
encrypted at rest by default, with post-quantum sealed exports and no
classical asymmetric cryptography anywhere in any file format.

Capabilities

  • SQL subset over in-memory tables: CREATE/INSERT/SELECT/UPDATE/DELETE,
    INTEGER and TEXT, single-column PRIMARY KEY / UNIQUE with an O(1)
    equality index, ? parameter binding, no type coercion.
  • Encrypted vault (.mrm): XChaCha20-Poly1305 over the snapshot, key from
    Argon2id (passphrase) or a caller-held 32-byte key; atomic saves.
  • Durable sessions (DurableDb): an encrypted write-ahead log; an
    acknowledged mutation survives kill -9 and power loss, enforced by a
    SIGKILL harness. checkpoint() folds the log into a fresh snapshot.
  • Post-quantum sealed exports: ML-KEM-768 (FIPS 203), single- and
    multi-recipient. Signed manifests: ML-DSA-87 (FIPS 204) via mirim-sign,
    with monotonic-counter rollback enforcement; mirim signs its own
    releases with it.
  • Key rotation, one-writer advisory locking, and a C FFI (mirim-ffi).

Security

  • No classical public-key cryptography in any persisted artifact, so
    archived vaults and sealed exports are outside harvest-now-decrypt-later
    scope. Primitives are vetted RustCrypto / ML-KEM / ML-DSA crates.
  • Official test vectors pass: FIPS 203, FIPS 204, RFC 9106, RFC 8439.
  • A plain-English threat model with an explicit "does NOT protect against"
    section lives in SECURITY.md.

Assurance

  • 97 native tests, a SIGKILL power-cut harness, 5 libFuzzer targets, a
    proptest property layer, a model-based differential test against an
    independent oracle, and Miri on the logic-bearing suites.
  • The C FFI runs under ASan + UBSan.
  • Reproducible release builds (bit-identical), a CycloneDX SBOM of the
    runtime dependency closure, and cargo audit / cargo deny gates in CI.

Measured (x86-64, in-memory, vs SQLite)

  • Bulk insert 10k rows with a PRIMARY KEY: 13.4 ms (SQLite 33.6 ms).
  • Point SELECT by PK over 10k rows: 1.42 µs (SQLite 0.62 µs).
  • Durable commit (fsynced): 578 µs. CLI binary with the full crypto
    stack: ~436 KiB.

Licensing

Dual-licensed: AGPL-3.0-only (see LICENSE), or a commercial license for
uses the AGPL does not fit — closed-source embedding, or running a
modified version as a network service without publishing source. See
LICENSING.md; commercial licensing via securityops.co. (Relicensed from
MIT during 1.0.0 finalization, before any tagged release.)

Stability commitment

The vault, WAL, sealed-export, and manifest formats are frozen at their
v1/v2 layouts and will remain readable. The public Rust API and the C ABI
are stable; breaking changes would be a 2.0.


Website: https://mirim.securityops.co · Source build & verification steps in README.md and RELEASE.md. Source mirrored to Forgejo, Codeberg, and GitHub.