Node v0.2.0 — Securitas

@davidalmeidac davidalmeidac released this 11 May 18:38
· 30 commits to main since this release

Codename: Securitas — Roman goddess of state security and stability.

First entry in the sigillum release line. Each minor version takes the name of a Roman virtue that maps to what the release delivers.

This one is security hardening:

  • SEC-006: replay cache wired into loadSealed/unseal by default (10k-entry LRU). Inject a custom ReplayCache for cross-process state. Opt out via replayCache: null.
  • SEC-007: strict base64 charset validation for token epoch field before decode (aligns Node with Java's already-strict behavior).
  • SEC-005: unseal requires --file or --salt (legacy zero-salt now --unsafe-zero-salt opt-in only).
  • SEC-009: 5-attempt / 300-second TOTP unseal lockout, fingerprint persisted at ~/.sealed-env-state/unseal-attempts/ mode 0600.
  • SEC-003 + SEC-019: atomic writeSealedFile via temp + fsync + rename. Mode 0600 on POSIX.
  • SEC-002: scrypt N bumped from 32768 → 131072 (OWASP 2024 floor).
  • SEC-021: all GitHub Actions uses: pinned to commit SHAs + Dependabot grouped weekly updates.
  • CVE-2026-45091 fix (RESERVED): resealLikeSource now decodes SEALED_ENV_TOTP_SECRET as base32 (it's base32 per RFC 6238, not hex).

Breaking behavior

  • loadSealed() rejects re-used unseal tokens within their TTL by default. Pass replayCache: null to opt out (emits one-time stderr warning).
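To make the SEC-006 replay rejection and the SEC-007 strict-charset check concrete, here is an added example that is not sealed-env's `loadSealed`/`unseal` code. The token layout (`<epoch-b64>.<nonce-b64>` with an 8-byte big-endian issue time and a fixed 300-second TTL), the `LruReplayCache` interface, `acceptUnsealToken()` and the exact warning text are all assumptions made for illustration; only the `replayCache: null` opt-out and its one-time warning follow the note above.

```javascript
// Added example, not sealed-env's own code. Token format, LruReplayCache and
// acceptUnsealToken() are assumptions for illustration.

// Node's Buffer.from(s, 'base64') is lenient: it ignores whitespace and drops
// unused trailing bits, so several strings decode to the same bytes. A token
// field must match the alphabet, carry correct padding and re-encode to itself.
const BASE64_STRICT = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

function decodeBase64Strict(field) {
  if (typeof field !== 'string' || field.length === 0 || !BASE64_STRICT.test(field)) {
    throw new Error('token field is not canonical base64');
  }
  const bytes = Buffer.from(field, 'base64');
  if (bytes.toString('base64') !== field) {     // rejects non-zero padding bits, e.g. "A+h="
    throw new Error('token field is not canonical base64');
  }
  return bytes;
}

const TOKEN_TTL_SECONDS = 300; // assumed TTL for the example

// Constructs a token for tests: 8-byte big-endian issue time, then the nonce.
function makeToken(issuedAt, nonce) {
  const epoch = Buffer.alloc(8);
  epoch.writeBigUInt64BE(BigInt(issuedAt));
  return `${epoch.toString('base64')}.${Buffer.from(nonce).toString('base64')}`;
}

function parseToken(token) {
  const parts = token.split('.');
  if (parts.length !== 2) throw new Error('malformed token');
  const epochBuf = decodeBase64Strict(parts[0]);
  if (epochBuf.length !== 8) throw new Error('bad epoch field');
  decodeBase64Strict(parts[1]);                  // nonce: only its encoding is checked here
  const issuedAt = Number(epochBuf.readBigUInt64BE(0));
  return { issuedAt, expiresAt: issuedAt + TOKEN_TTL_SECONDS, key: token };
}

// Bounded replay cache: remembers accepted tokens until they expire, evicting
// the oldest entry when full. A legitimate token is never looked up twice, so
// plain insertion order is enough; expired entries are pruned on each call.
class LruReplayCache {
  constructor(maxEntries = 10000) {
    this.maxEntries = maxEntries;
    this.seen = new Map();                       // key -> expiresAt (seconds)
  }

  // true: first sighting, now recorded. false: already accepted within its TTL.
  checkAndRecord(key, expiresAt, now) {
    for (const [k, exp] of this.seen) if (exp <= now) this.seen.delete(k);
    if (this.seen.has(key)) return false;
    this.seen.set(key, expiresAt);
    while (this.seen.size > this.maxEntries) {
      this.seen.delete(this.seen.keys().next().value);
    }
    return true;
  }
}

const defaultReplayCache = new LruReplayCache(10000);
let warnedOptOut = false;

// replayCache undefined -> process-wide default; null -> opt out (warns once);
// an object -> caller-supplied cache (e.g. one backed by shared storage).
function acceptUnsealToken(token, { replayCache, now = Math.floor(Date.now() / 1000),
                                    warn = (m) => process.stderr.write(m + '\n') } = {}) {
  let parsed;
  try { parsed = parseToken(token); } catch (err) { return { ok: false, reason: err.message }; }
  if (now < parsed.issuedAt || now >= parsed.expiresAt) return { ok: false, reason: 'expired' };
  if (replayCache === null) {
    if (!warnedOptOut) { warn('replay protection disabled (replayCache: null)'); warnedOptOut = true; }
    return { ok: true, issuedAt: parsed.issuedAt };
  }
  const cache = replayCache === undefined ? defaultReplayCache : replayCache;
  if (!cache.checkAndRecord(parsed.key, parsed.expiresAt, now)) return { ok: false, reason: 'replayed' };
  return { ok: true, issuedAt: parsed.issuedAt };
}
```

The cache only needs to remember a token for as long as it is otherwise valid, which is why entries carry `expiresAt` and why the TTL check runs before the cache lookup. An in-process cache is enough for one long-lived process; a cache sized smaller than the number of tokens accepted in one TTL window, or one that is not shared across processes, can be made to forget a token early, which is the case the injectable cache is for.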

Companion Java release

java-v0.2.0 ships in parallel with the same SEC-006 replay cache fixes.

Next release

0.3.0 — Simplicitas (credential modernization, sealed_env_* token format, one-paste-in-CI ergonomics). SPEC.md §11+§12 already merged on main as the cross-stack contract.