7.0.0-rc1

Added

• Added support for inline transaction receipt construction at commit time. Endpoint authors can use build_receipt_for_committed_tx() to construct a full TxReceiptImpl from the CommittedTxInfo passed to their ConsensusCommittedEndpointFunction callback. See the logging sample app (/log/blocking/private/receipt) for example usage (#7785).

Changed

• The ConsensusCommittedEndpointFunction callback signature now receives a CommittedTxInfo& struct (containing rpc_ctx, tx_id, status, write_set_digest, commit_evidence, claims_digest) instead of individual arguments. This enables commit callbacks to construct receipts inline (#7785).
• ccf::endpoints::default_respond_on_commit_func has been removed from the public API. A sample implementation is provided in the logging and basic sample apps (#7785).

Deprecated

• snapshots.read_only_directory configuration option is deprecated and will be removed in a future release. A warning will be logged if this option is set at startup. Use snapshots.backup_fetch to have backup nodes automatically fetch snapshots from the primary node instead.

7.0.0-rc0

Added

• Added files_cleanup.max_snapshots configuration option to limit the number of committed snapshot files retained on disk. When the number of committed snapshots exceeds this value, the oldest snapshots (by sequence number) are automatically deleted. The value must be at least 1 if set.
• Added files_cleanup.interval configuration option (default "30s") to periodically scan the snapshot directory and delete old committed snapshots exceeding max_snapshots. This ensures backup nodes (which receive snapshots via backup_fetch) also prune old snapshots. Only effective when max_snapshots is set.
• Added POST /node/snapshot:create, gated by the SnapshotCreate RPC interface operator feature, to create a snapshot via an operator endpoint rather than a governance action.
• Added make_cose_verifier_from_pem_cert() and make_cose_verifier_from_der_cert() that accept certificates in a known format. The existing make_cose_verifier_cert() is renamed to make_cose_verifier_any_cert() (#7768).

Changed

• The since query parameter on the GET /node/snapshot endpoint now uses closed (inclusive) semantics, consistent with the since parameter on GET /node/ledger_chunk. A request with ?since=N will now return snapshots with index greater than or equal to N, rather than strictly greater than N (#7742).

6.0.27

Added

• Backport the SnapshotCreate operator feature to preserve LTS compatibility on join with #7767 (#7773)

6.0.26

Fixed

• Fixed cache size calculations for historical queries, resolving a bug where signature transactions could become orphaned and fill the cache's useful space, resulting in incoming user-requested stores being immediately evicted (#7755).

7.0.0-dev13

Added

• Added time-based snapshot scheduling. Snapshots can now be triggered after a configurable wall-clock interval (snapshots.time_interval) elapses, in addition to the existing transaction-count threshold (snapshots.tx_count). A new snapshots.min_tx_count option (default 2) sets the minimum number of transactions required before a time-based snapshot fires. Snapshot timing state is replicated to backups via a new public:ccf.internal.snapshot_status internal table (#7731).
• Added support for endpoints that defer their HTTP response until the submitted transaction reaches a terminal consensus state (committed or invalidated). Endpoint authors can call set_consensus_committed_function() when installing an endpoint to register a callback that is invoked once the transaction is globally committed or invalidated. The callback receives the ccf::TxID and a ccf::FinalTxStatus (either Committed or Invalid), and may inspect or modify the response before it is sent. A built-in ccf::endpoints::default_respond_on_commit_func is provided that returns the original response on commit, or an error on invalidation. See the logging sample app (/log/blocking/private) for example usage (#7562).

Fixed

• Fixed the Turin SEV-SNP CPUID mapping used for product detection. (#7748)

6.0.25

Added

• Support for COSE-only receipts in snapshots to support (#7711, #7712)
• Support for Turin attestations (#7295, #7264, #7449, #7748, #7749)

7.0.0-dev12

Added

• Backup nodes can now be configured to automatically fetch snapshots from the primary when snapshot evidence is detected. This is controlled by the snapshots.backup_fetch configuration section, with enabled, max_attempts, retry_interval, max_size and target_rpc_interface options. Note that the target RPC interface selected must have the SnapshotRead operator feature enabled.
• Added ccf::IdentityHistoryNotFetched exception type to distinguish identity-history-fetching errors from other logic errors in the network identity subsystem (#7708).
• Added ccf::describe_cose_receipt_v1(receipt) to obtain COSE receipts with Merkle proof in unprotected header for non-signature TXs, and empty unprotected header for signature TXs (#7700).
• NetworkIdentitySubsystemInterface now exposes get_trusted_keys(), returning all trusted network identity keys as a TrustedKeys map (#7690).
• Added support for self-transparent code update policies (#7681).

Changed

• On recovery, the UVM descriptor SVN is now set to the minimum of the previously stored value in the KV and the value found in the new node's startup endorsements. On start, the behaviour is unchanged (#7716).
• Refactored the user facing surface of self-healing-open and local sealing. The whole feature is now sealing-recovery with self-healing-open now referred to as the recovery-decision-protocol (#7679).
• Local sealing is enabled by setting the sealing-recovery config field (for both the sealing node, and the unsealing recovery node).
• The local sealing identity is under sealing-recovery.location.name.
• The recovery-decision-protocol is configured via sealing-recovery.recovery_decision_protocol.
• Snapshots now carry COSE receipts, JSON receipts are no longer included (#7711).

6.0.24

Fixed

• Fix race condition when initialising a ledger secret's commit secret (#7689)
• Add missing cases for FailedInvalidCPUID and FailedInvalidTcbVersion in quote verification error handling (#7696).
• On recovery, the UVM descriptor SVN is now set to the minimum of the previously stored value in the KV and the value found in the new node's startup endorsements. On start, the behaviour is unchanged (#7716).

7.0.0-dev11

Changed

• When fetch_recent_snapshot is enabled, snapshot fetching now occurs in response to a StartupSeqnoIsOld error during join, rather than eagerly at startup. Fetched snapshots are verified before use, and corrupt local snapshots are skipped. See documentation (#7630).

7.0.0-dev10

Added

• GET and HEAD /node/ledger-chunk?since={seqno} and /node/ledger-chunk/{chunk_name} endpoints, gated by the LedgerChunkDownload RPC interface operator feature. See documentation for more detail.
• GET and HEAD /node/ledger-chunk/{chunk_name} and /node/snapshot/{snapshot_name} now support the Want-Repr-Digest request header and return the Repr-Digest response header accordingly (RFC 9530). Supported algorithms are sha-256, sha-384, and sha-512. If no supported algorithm is requested, the server defaults to sha-256 (#7650).
• ETag and If-None-Match support on GET /node/ledger-chunk/{chunk_name}, using SHA-256 by default for the ETag response header. Clients can supply If-None-Match with sha-256, sha-384, or sha-512 digest ETags to avoid re-downloading unchanged content (#7652).

Changed

• ccf::crypto::HashProvider::Hash() has been renamed to ccf::crypto::HashProvider::hash() for consistency with the rest of the API (#7660).

Fixed

• Only rollback uncommittable indices during become_leader (#7620)
• x509 parsing now correctly handles times validity beyond 2262. To support this, some public function signatures (ccf::ds::time_point_from_string(), ccf::crypto::Verifier::remaining_seconds()) now use time_points from ccf::nonstd::SystemClock rather than std::chrono::system_clock (#7648)