nova-cache-0.4.2.0: CHANGELOG.md
# Changelog
## 0.4.2.0 — 2026-06-10
- **Signing: public-key derivation and rendering** — new `toPublicKey`
(derive the `PublicKey` for a `SecretKey`) and `renderPublicKey` (render
the `name:base64` trust-anchor format clients put in
`trusted-public-keys`).
- **Signing: `normalizeKeyText`** — strips byte-order marks and surrounding
whitespace from key text. The server applies it to `CACHE_API_KEY` and
the signing key file, so keys that picked up a BOM or stray CRLF in
transit load byte-clean instead of silently failing auth or signing.
- **Server: the landing page shows the cache public key**, derived at
startup from the live signing key, as a copyable `trusted-public-keys`
line. The published trust anchor can no longer drift from the key in
use.
- README: the public cache key now matches the key the server signs with.
- Removed the CI seed action and its README section; native pushing from
nova-nix replaces it.
## 0.4.1.1 — 2026-06-10
- Documentation-only release: the 0.4.1.0 entry below now records everything
that release actually contained. No code changes.
## 0.4.1.0 — 2026-06-10
- **Server: landing page at `GET /`** — a human-facing page with live stats
(store-path count, signing status, priority), the substituter snippet, and
protocol endpoint documentation. The cache protocol routes are unchanged;
the page is briefly cacheable (`max-age=300, must-revalidate`) since its
stats change as paths are added.
- **Correctness and hardening sweep** (a post-0.4.0.0 audit; note: shipped in
this release without individual entries at tag time — recorded here for the
honest history):
- `Base32.decode` rejects non-canonical encodings (overflow bits must be zero).
- NAR deserialisation is strict on untrusted input: trailing bytes rejected,
regular nodes require a `contents` token, directory entry names must be
sorted, unique, and safe.
- narinfo integer fields parse as strict base-10 (no hex/octal/whitespace),
so a non-canonical `NarSize` can no longer be re-signed under the cache key.
- Hash validation compares decoded digest bytes, accepting any valid
encoding of the same hash.
- Ed25519 verification is name-keyed, matching Nix's lookup-by-name.
- `decompressXz` re-raises asynchronous exceptions, so timeouts can cancel it.
- Server: per-route body caps (narinfo small, NAR large), uploaded narinfos
must name the store path of the request URL, signing failures refuse the
write instead of storing unsigned, and narinfo responses are revalidatable
rather than immutable.
- **Breaking (should have been a major bump; noted for transparency):**
`getCacheInfo` returns a `CacheInfo` record instead of a tuple.
## 0.4.0.0 — 2026-06-08
### Breaking changes
- **`NarInfo` drops the `niSystem` field** — `System` is not part of the Nix
narinfo wire format (Nix ignores unknown keys), so it is removed from the
exported record and `renderNarInfo` no longer emits a `System:` line.
### Security
- **API key required for writes** — the server refuses to start when
`CACHE_API_KEY` is unset, unless `--allow-open-writes` is passed explicitly,
so a missing environment variable can no longer leave the cache
world-writable.
- **Streaming request-body cap** — request bodies are read in bounded chunks
with a running size check, so an unsized (chunked) upload can no longer
buffer past the 100 MB limit into memory before it is rejected.
- **Stricter path validation** — `sanitizePath` now accepts only
`[A-Za-z0-9._+-]` names that are neither dotfiles nor Windows reserved device
names (`nul`, `con`, `com1`…), rejecting device access, alternate-data-stream
syntax, and the temporary-write prefix in addition to traversal.
- **No internal detail in error responses** — store reads tolerate I/O errors
(treated as absence) and any uncaught handler exception maps to a plain 500,
so filesystem paths and error text are never returned to clients.
### Bug fixes
- **CRLF-tolerant narinfo parsing** — lines are split on the first colon with a
trailing carriage return stripped, so narinfo produced by other tools (or
with `\r\n` line endings) parses correctly instead of corrupting text fields
or rejecting valid integer fields.
## 0.3.2.1 — 2026-03-18
- Replace partial `decodeUtf8` with total `decodeLatin1` in `Base64.encode`
and `Signing.sign` — provably safe on base64 ASCII output, eliminates last
partial function usage
- Fix redundant `T.breakOn` call in `NarInfo.parseLine`
- No API changes
## 0.3.2.0 — 2026-03-18
### Server logging
- **Request logging** — Apache Combined format via `wai-extra` middleware,
configurable with `LOG_REQUESTS=0` to disable.
- **Error logging** — auth rejections, validation failures, oversized uploads,
and bad paths now logged to stderr with request method and path context.
- **`withLimitedBody` combinator** — extracted common body-limiting pattern from
PUT handlers, reducing duplication.
- **`notFound` named constant** — replaces three inline 404 responses.
- Fixed `loadSigningKey` warnings going to stdout instead of stderr.
### Seed action fixes
- **Resolve runtime outputs, not derivations** — `nix-instantiate` replaced
with `nix-build --no-out-link` so the cache stores actual binaries instead of
`.drv` build recipes.
- **Filter uploads to diff-only** — `nix copy` exports transitive deps; uploads
now filtered against the missing-hashes diff to avoid re-uploading cached paths.
- **Fix broken pipe** — `find | xargs` with `pipefail` caused spurious failures;
now writes to intermediate files.
- **Fix xargs line-too-long** — large path lists passed via file instead of inline.
- **Diagnostic output** — upload failure HTTP codes now printed; `nix copy` errors
no longer silenced.
- **Parallelism** — per-upload `--max-time` added (120s for NARs, 30s for narinfos).
### Server validation
- **Reject derivation narinfos** — `validateNarInfo` now rejects any narinfo
where StorePath ends in `.drv` with a new `DerivationStorePath` error. Binary
caches serve build outputs, not build recipes.
- 1 new test (75 total)
## 0.3.1.0 — 2026-03-07
### Drop `memory` dependency, use `ram`
- **`memory` → `ram`** — Replaced `memory` package with `ram` (modern, minimal replacement). Same `Data.ByteArray` API, drops the heavy `basement` transitive dependency. Fixes build failure with `crypton >= 1.1` which switched from `memory` to `ram` internally — `Data.ByteArray.ByteArrayAccess` instances were no longer compatible across packages.
- **`crypton >= 1.1` required** — Lower bound bumped from `1.0` to `1.1` so that `crypton` and `nova-cache` both link against `ram` for `ByteArrayAccess` instances. Older `crypton` versions used `memory`, causing instance mismatches at link time.
- All imports remain `Data.ByteArray` — no source-level changes needed for downstream consumers.
## 0.3.0.0 — 2026-02-28
### Breaking changes
- **`decompressXz`** signature changed from `ByteString -> ByteString` to
`ByteString -> IO (Either String ByteString)` — catches lzma exceptions
instead of crashing on malformed input
- **`writeNarInfo`** / **`writeNar`** now return `IO Bool` instead of `IO ()` —
`False` indicates a rejected path (traversal, empty)
### Security
- **Request body size limit** — PUT endpoints reject bodies over 100 MB with
413 Payload Too Large (prevents memory exhaustion)
- **Constant-time auth comparison** — API key check uses `constEq` from
`Data.ByteArray` instead of `==` (prevents timing side-channel)
### Bug fixes
- **Safe UTF-8 decoding in NAR deserializer** — `decodeUtf8` replaced with
`decodeUtf8'`; malformed UTF-8 in symlink targets or directory entry names
now returns a parse error instead of throwing
### New features
- **`GET /narinfo-hashes`** endpoint — returns all cached narinfo hashes as
newline-delimited text, enabling efficient cache diffing
- **`listNarInfoHashes`** function added to `NovaCache.Store`
### Improvements
- Server logs warnings to stderr when narinfo signing fails (parse error or
sign error) instead of silently returning unsigned body
- Server returns 400 Bad Request when PUT paths fail sanitization instead of
silently discarding the upload
- README: license badge and footer corrected from MIT to BSD-3-Clause
- README: `parallel` input documented in seed action table
- README: `CACHE_API_KEY` and `SIGNING_KEY_FILE` env vars documented
- Seed action: replaced per-path HEAD checks with single `GET /narinfo-hashes`
call and local diff for dramatically faster cache seeding
## 0.2.4.1 — 2026-02-26
- License changed from MIT to BSD-3-Clause
## 0.2.4.0 — 2026-02-25
- New module: `NovaCache.Base64` — base64 encode/decode re-exported so
downstream consumers don't need a direct `base64-bytestring` dependency
- No changes to existing modules
## 0.2.3.0 — 2026-02-23
- Drop `unix` dependency — `checkExecutable` now uses cross-platform
`System.Directory.getPermissions` instead of `System.Posix.Files`
- Fixes Windows build (the `unix` package is not available on Windows)
- No API changes
## 0.2.2.0 — 2026-02-23
- Gate `NovaCache.Compression` and `lzma` dependency behind a `compression`
cabal flag (default on, backwards compatible)
- Consumers that only need hashing/NAR/narinfo can build with `-compression`
to avoid the system `liblzma` C dependency
- Compression tests moved to separate test suite (`nova-cache-compression-test`)
- No changes to any library source modules
## 0.2.1.0 — 2026-02-22
- Server: `validateNarInfo` wired into PUT handler — rejects malformed uploads
with 400 Bad Request and collected validation errors
- Server: `Cache-Control: public, max-age=31536000, immutable` on narinfo and
NAR GET responses for CDN edge caching
- Store: default priority changed from 30 to 50 (community cache fallback
behind cache.nixos.org at 40)
- Seed action: fix round-trip validation to account for server-side signing;
now verifies StorePath field, signature presence, and NAR fetchability
- Public binary cache documented with key and nix.conf instructions
## 0.2.0.0 — 2026-02-22
- New module: `NovaCache.Validate` — pure protocol validation layer
- `ValidationError` sum type with 10 constructors covering sizes, store paths,
hash formats, content hashes, and Ed25519 signatures
- `validateNarInfo` — field semantic validation (non-negative sizes, parseable
store paths/hashes/references), collects all errors instead of short-circuiting
- `validateNarHash` / `validateFileHash` — SHA-256 content hash verification
against declared narinfo values
- `validateSignature` — Ed25519 signature verification against a trusted public
key (at-least-one semantics, matching Nix behaviour)
- `validateFull` — composes all four stages, collecting errors across all
- 17 new tests (74 total across 9 groups)
- No new dependencies
## 0.1.0.0 — 2026-02-21
- Initial release (renamed from gb-nix-cache)
- Nix-base32 encoding/decoding
- SHA-256 hashing with Nix hash formatting
- Store path parsing and rendering
- NAR binary format serialization/deserialization
- NarInfo text format parsing/rendering
- Ed25519 signing and verification
- xz compression/decompression
- Filesystem storage backend
- Optional WAI cache server (behind `server` flag)
- Path traversal protection on all store operations
- Total port parsing (no partial `read`)
- 54 tests across 8 modules