Release v1.5.0 · mulgadc/spinifex

What’s Changed

TLS 1.3 minimum across the stack with hybrid post-quantum key exchange (X25519 + ML-KEM)
Raft cluster traffic now TLS-wrapped using the s3db certificate
QUIC server certificates loaded from disk; InsecureSkipVerify removed from production paths
AWS SigV4 verification unified across S3 and gateway endpoints on top of the upstream aws-sdk-go-v2 signer

RunInstances fails fast on ENI attach failure, so no more half-created instances stuck in a broken state
StopAll persists instance state so the daemon restores the correct set on restart
Concurrent RunInstances allocation race fixed; two callers can no longer double-claim the same node slot
Load balancer system VMs relaunch reliably, with firmware blobs (fw_cfg) regenerated each launch to fix restart failures
Block device and QMP readiness are now polled instead of using fixed sleeps, eliminating "device not ready" launch failures under load
Load balancer target health resets to initial on daemon startup, preventing stale unhealthy flags from carrying across restarts
Starting a missing instance returns the AWS-correct InvalidInstanceID.NotFound instead of a generic error
Tap device creation uses numeric uid/gid, so missing user/group names no longer cause silent skips

NAT rule setup rolls back cleanly on partial failure, leaving no orphaned iptables entries behind
VPC NAT rules re-publish on instance recovery, restoring connectivity automatically after a node bounce
New tenant accounts auto-provision a default VPC and internet gateway on iam.account.created, so RunInstances works out-of-the-box on a fresh tenant
System VM instance metadata corrected so internal control-plane VMs report accurate identity to the metadata service
ELBv2 event subscriber only runs when a gateway URL is configured, removing startup noise on stripped-down deployments