Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion docs/compatibility-promise.md
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,6 @@ way that breaks stored data or removes/alters public surface.
- Core value types: `KeyId`, `TenantId`, `LogicalName`, `EncryptedDataScope`, `EncryptionContext`,
`KeyDescriptor`, `CiphertextEnvelope`, `CiphertextEnvelopeHeader`, and the envelope id types
(`EnvelopeVersion`, `CryptoSuiteId`, `AadSchemeId`).
- The tenant key-catalogue model: `ITenantKeyRegistry`, `TenantKeyRecord`, `TenantKeyVersion`.
- Entity Framework Core integration: the attributes (`[Encrypted]`, `[EncryptedSearchable]`,
`[EncryptedEmail]`, `[Plaintext]`, `[EncryptedEntity]`), the fluent configuration API, the query
helpers (`WhereEncryptedEquals`, `WhereEncryptedIn`, `WhereEncryptedEmail`), the registration entry
Expand Down Expand Up @@ -66,6 +65,14 @@ change in a minor release without a major bump.
- **Reserved, not active** — the reserved crypto suites (`AES-256-GCM-SIV`, `XChaCha20-Poly1305`,
`AES-256-SIV`) and the reserved `ContextBound` AAD scheme. They occupy ids so those ids can never be
repurposed, but they are not implemented and carry no behavioural promise yet.
- **Tenant key-catalogue types (stabilizing)** — `ITenantKeyRegistry`, `TenantKeyRecord`,
`TenantKeyVersion`, `ProviderKeyReference`, `KeyProviderKind` and `WrappedKey`. These exist and are
usable, but their **type signatures are not yet frozen**. They are the least-exercised surface (there is
no end-to-end production sample yet) and they pair with the preview KMS providers, so they are expected
to settle alongside production KMS guidance — for instance, `ITenantKeyRegistry.GetRecord` is synchronous
and a database-backed registry may want an asynchronous form. What **is** stable is the *data* they
encode: the KeyId byte layout, wrapped-key handling, and therefore the readability of data already
written. Only the API shapes may still change before `1.0`.

## Allowed Future Changes

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,20 @@
<Description>Core abstractions for Proteos Application Layer Encryption: interfaces, attributes, envelope and key contracts. Contains no cryptographic implementation.</Description>
<PackageReadmeFile>README.md</PackageReadmeFile>
<GenerateDocumentationFile>true</GenerateDocumentationFile>
<!-- A public API change that is not reflected in the PublicAPI.*.txt files fails the build. -->
<WarningsAsErrors>$(WarningsAsErrors);RS0016;RS0017</WarningsAsErrors>
</PropertyGroup>

<ItemGroup>
<None Include="..\..\README.md" Pack="true" PackagePath="\" />
<None Include="..\..\icon.png" Pack="true" PackagePath="\" Condition="Exists('..\..\icon.png')" />
</ItemGroup>

<!-- Track the public API surface so changes are explicit in review (build-only dev dependency). -->
<ItemGroup>
<PackageReference Include="Microsoft.CodeAnalysis.PublicApiAnalyzers" Version="3.3.4" PrivateAssets="all" />
<AdditionalFiles Include="PublicAPI.Shipped.txt" />
<AdditionalFiles Include="PublicAPI.Unshipped.txt" />
</ItemGroup>

</Project>
218 changes: 218 additions & 0 deletions src/Proteos.Encryption.Abstractions/PublicAPI.Shipped.txt

Large diffs are not rendered by default.

Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
#nullable enable
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
<Description>AWS KMS key provider for Proteos Application Layer Encryption: wraps and unwraps tenant master keys with an AWS KMS symmetric key (Encrypt/Decrypt). Implements the IKeyProvider KEK seam only — no EF Core, tenant or derivation logic. Preview: the adapter is functional, but its configuration and production guidance are still being stabilized.</Description>
<PackageReadmeFile>README.md</PackageReadmeFile>
<GenerateDocumentationFile>true</GenerateDocumentationFile>
<!-- A public API change that is not reflected in the PublicAPI.*.txt files fails the build. -->
<WarningsAsErrors>$(WarningsAsErrors);RS0016;RS0017</WarningsAsErrors>
</PropertyGroup>

<ItemGroup>
Expand All @@ -24,4 +26,11 @@
<InternalsVisibleTo Include="Proteos.Encryption.AwsKms.Tests" />
</ItemGroup>

<!-- Track the public API surface so changes are explicit in review (build-only dev dependency). -->
<ItemGroup>
<PackageReference Include="Microsoft.CodeAnalysis.PublicApiAnalyzers" Version="3.3.4" PrivateAssets="all" />
<AdditionalFiles Include="PublicAPI.Shipped.txt" />
<AdditionalFiles Include="PublicAPI.Unshipped.txt" />
</ItemGroup>

</Project>
30 changes: 30 additions & 0 deletions src/Proteos.Encryption.AwsKms/PublicAPI.Shipped.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
#nullable enable
Microsoft.Extensions.DependencyInjection.ProteosAwsKmsServiceCollectionExtensions
override Proteos.Encryption.AwsKms.AwsKmsKeyReference.ToString() -> string!
Proteos.Encryption.AwsKms.AwsKmsKeyProvider
Proteos.Encryption.AwsKms.AwsKmsKeyProvider.AwsKmsKeyProvider(Proteos.Encryption.AwsKms.AwsKmsKeyReference! keyReference, Amazon.KeyManagementService.IAmazonKeyManagementService! kms) -> void
Proteos.Encryption.AwsKms.AwsKmsKeyProvider.ProviderId.get -> string!
Proteos.Encryption.AwsKms.AwsKmsKeyProvider.UnwrapAsync(Proteos.Encryption.Abstractions.WrappedKey! wrappedKey, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.ValueTask<byte[]!>
Proteos.Encryption.AwsKms.AwsKmsKeyProvider.WrapAsync(Proteos.Encryption.Abstractions.KeyId! keyId, System.ReadOnlyMemory<byte> plaintextKey, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.ValueTask<Proteos.Encryption.Abstractions.WrappedKey!>
Proteos.Encryption.AwsKms.AwsKmsKeyReference
Proteos.Encryption.AwsKms.AwsKmsKeyReference.KeyId.get -> string!
Proteos.Encryption.AwsKms.AwsKmsKeyReference.Kind.get -> Proteos.Encryption.AwsKms.AwsKmsKeyReferenceKind
Proteos.Encryption.AwsKms.AwsKmsKeyReference.Region.get -> string?
Proteos.Encryption.AwsKms.AwsKmsKeyReferenceKind
Proteos.Encryption.AwsKms.AwsKmsKeyReferenceKind.AliasArn = 1 -> Proteos.Encryption.AwsKms.AwsKmsKeyReferenceKind
Proteos.Encryption.AwsKms.AwsKmsKeyReferenceKind.AliasName = 3 -> Proteos.Encryption.AwsKms.AwsKmsKeyReferenceKind
Proteos.Encryption.AwsKms.AwsKmsKeyReferenceKind.KeyArn = 0 -> Proteos.Encryption.AwsKms.AwsKmsKeyReferenceKind
Proteos.Encryption.AwsKms.AwsKmsKeyReferenceKind.KeyId = 2 -> Proteos.Encryption.AwsKms.AwsKmsKeyReferenceKind
Proteos.Encryption.AwsKms.AwsKmsOptions
Proteos.Encryption.AwsKms.AwsKmsOptions.AwsKmsOptions() -> void
Proteos.Encryption.AwsKms.AwsKmsOptions.KeyId.get -> string?
Proteos.Encryption.AwsKms.AwsKmsOptions.KeyId.set -> void
Proteos.Encryption.AwsKms.AwsKmsOptions.Region.get -> string?
Proteos.Encryption.AwsKms.AwsKmsOptions.Region.set -> void
Proteos.Encryption.AwsKms.KmsKeyProviderException
Proteos.Encryption.AwsKms.KmsKeyProviderException.KmsKeyProviderException(string! message) -> void
Proteos.Encryption.AwsKms.KmsKeyProviderException.KmsKeyProviderException(string! message, System.Exception! innerException) -> void
static Microsoft.Extensions.DependencyInjection.ProteosAwsKmsServiceCollectionExtensions.AddProteosAwsKms(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Proteos.Encryption.AwsKms.AwsKmsOptions!>! configure) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Proteos.Encryption.AwsKms.AwsKmsKeyProvider.Create(Proteos.Encryption.AwsKms.AwsKmsKeyReference! keyReference, string? region = null) -> Proteos.Encryption.AwsKms.AwsKmsKeyProvider!
static Proteos.Encryption.AwsKms.AwsKmsKeyReference.FromProviderKeyReference(Proteos.Encryption.Abstractions.ProviderKeyReference! reference) -> Proteos.Encryption.AwsKms.AwsKmsKeyReference!
static Proteos.Encryption.AwsKms.AwsKmsKeyReference.Parse(string! keyReference) -> Proteos.Encryption.AwsKms.AwsKmsKeyReference!
1 change: 1 addition & 0 deletions src/Proteos.Encryption.AwsKms/PublicAPI.Unshipped.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
#nullable enable
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
<Description>Azure Key Vault key provider for Proteos Application Layer Encryption: wraps and unwraps tenant master keys with an Azure Key Vault RSA key (RSA-OAEP-256). Implements the IKeyProvider KEK seam only — no EF Core, tenant or derivation logic. Preview: the adapter is functional, but its configuration and production guidance are still being stabilized.</Description>
<PackageReadmeFile>README.md</PackageReadmeFile>
<GenerateDocumentationFile>true</GenerateDocumentationFile>
<!-- A public API change that is not reflected in the PublicAPI.*.txt files fails the build. -->
<WarningsAsErrors>$(WarningsAsErrors);RS0016;RS0017</WarningsAsErrors>
</PropertyGroup>

<ItemGroup>
Expand All @@ -25,4 +27,11 @@
<InternalsVisibleTo Include="Proteos.Encryption.AzureKeyVault.Tests" />
</ItemGroup>

<!-- Track the public API surface so changes are explicit in review (build-only dev dependency). -->
<ItemGroup>
<PackageReference Include="Microsoft.CodeAnalysis.PublicApiAnalyzers" Version="3.3.4" PrivateAssets="all" />
<AdditionalFiles Include="PublicAPI.Shipped.txt" />
<AdditionalFiles Include="PublicAPI.Unshipped.txt" />
</ItemGroup>

</Project>
27 changes: 27 additions & 0 deletions src/Proteos.Encryption.AzureKeyVault/PublicAPI.Shipped.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
#nullable enable
const Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyProvider.WrapAlgorithm = "RSA-OAEP-256" -> string!
Microsoft.Extensions.DependencyInjection.ProteosAzureKeyVaultServiceCollectionExtensions
override Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference.ToString() -> string!
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyProvider
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyProvider.AzureKeyVaultKeyProvider(Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference! keyReference, Azure.Core.TokenCredential! credential) -> void
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyProvider.ProviderId.get -> string!
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyProvider.UnwrapAsync(Proteos.Encryption.Abstractions.WrappedKey! wrappedKey, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.ValueTask<byte[]!>
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyProvider.WrapAsync(Proteos.Encryption.Abstractions.KeyId! keyId, System.ReadOnlyMemory<byte> plaintextKey, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.ValueTask<Proteos.Encryption.Abstractions.WrappedKey!>
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference.HasVersion.get -> bool
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference.KeyIdentifier.get -> System.Uri!
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference.KeyName.get -> string!
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference.KeyVersion.get -> string?
Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference.VaultUri.get -> System.Uri!
Proteos.Encryption.AzureKeyVault.AzureKeyVaultOptions
Proteos.Encryption.AzureKeyVault.AzureKeyVaultOptions.AzureKeyVaultOptions() -> void
Proteos.Encryption.AzureKeyVault.AzureKeyVaultOptions.Credential.get -> Azure.Core.TokenCredential?
Proteos.Encryption.AzureKeyVault.AzureKeyVaultOptions.Credential.set -> void
Proteos.Encryption.AzureKeyVault.AzureKeyVaultOptions.KeyIdentifier.get -> System.Uri?
Proteos.Encryption.AzureKeyVault.AzureKeyVaultOptions.KeyIdentifier.set -> void
Proteos.Encryption.AzureKeyVault.KeyVaultKeyProviderException
Proteos.Encryption.AzureKeyVault.KeyVaultKeyProviderException.KeyVaultKeyProviderException(string! message) -> void
Proteos.Encryption.AzureKeyVault.KeyVaultKeyProviderException.KeyVaultKeyProviderException(string! message, System.Exception! innerException) -> void
static Microsoft.Extensions.DependencyInjection.ProteosAzureKeyVaultServiceCollectionExtensions.AddProteosAzureKeyVault(this Microsoft.Extensions.DependencyInjection.IServiceCollection! services, System.Action<Proteos.Encryption.AzureKeyVault.AzureKeyVaultOptions!>! configure) -> Microsoft.Extensions.DependencyInjection.IServiceCollection!
static Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference.FromProviderKeyReference(Proteos.Encryption.Abstractions.ProviderKeyReference! reference) -> Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference!
static Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference.Parse(string! keyIdentifier) -> Proteos.Encryption.AzureKeyVault.AzureKeyVaultKeyReference!
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
#nullable enable
9 changes: 9 additions & 0 deletions src/Proteos.Encryption.Core/Proteos.Encryption.Core.csproj
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
<Description>Cryptographic core for Proteos Application Layer Encryption: AEAD, key derivation, ciphertext envelope, blind indexes and key rotation support, built on standard .NET cryptography.</Description>
<PackageReadmeFile>README.md</PackageReadmeFile>
<GenerateDocumentationFile>true</GenerateDocumentationFile>
<!-- A public API change that is not reflected in the PublicAPI.*.txt files fails the build. -->
<WarningsAsErrors>$(WarningsAsErrors);RS0016;RS0017</WarningsAsErrors>
</PropertyGroup>

<ItemGroup>
Expand All @@ -19,4 +21,11 @@
<InternalsVisibleTo Include="Proteos.Encryption.Core.Tests" />
</ItemGroup>

<!-- Track the public API surface so changes are explicit in review (build-only dev dependency). -->
<ItemGroup>
<PackageReference Include="Microsoft.CodeAnalysis.PublicApiAnalyzers" Version="3.3.4" PrivateAssets="all" />
<AdditionalFiles Include="PublicAPI.Shipped.txt" />
<AdditionalFiles Include="PublicAPI.Unshipped.txt" />
</ItemGroup>

</Project>
Loading
Loading