conxius-enclave-sdk 2.0.11

Hardware-backed security primitives for the broader Conxian ecosystem. Provides high-integrity root of trust for security-sensitive wallet, signing, attestation, and policy flows.
Documentation
# Releasing conxius-enclave-sdk

This document defines the release process for `conxius-enclave-sdk`.

All releases must follow [Governance](GOVERNANCE.md) and [Security](SECURITY.md), and versioning must follow [Semantic Versioning](https://semver.org/).

## Versioning Policy

- **Major (`X.Y.Z``(X+1).0.0`)**: Incompatible API changes.
- **Minor (`X.Y.Z``X.(Y+1).0`)**: Backward-compatible additive features.
- **Patch (`X.Y.Z``X.Y.(Z+1)`)**: Backward-compatible bug fixes and maintenance updates.

### Beta-phase note (`0.x.y`)

During beta (`0.x.y`), breaking changes may occur in minor bumps (for example `0.2.3` → `0.3.0`). Patch releases remain backward-compatible.

## Required Automation and Gates

The repository now enforces release readiness through GitHub Actions:

- `CI` workflow: tests, lint, and wasm build on push/PR to `main`.
- `Security` workflow: `cargo audit` + `cargo deny` on push/PR/schedule.
- `CodeQL` workflow: Rust static analysis on push/PR/schedule.
- `Release` workflow:
  - Runs automatically on `vX.Y.Z` tag push.
  - Runs manually via `workflow_dispatch` for controlled publish.
  - Uses `.github/scripts/verify-release-metadata.sh` to validate release metadata.

## Release Metadata Requirements

Before a release tag is pushed:

1. `Cargo.toml` `[package].version` must be the target release version (`X.Y.Z`).
2. `CHANGELOG.md` must include a version section for that release (not only `[Unreleased]`).
3. Release tags must use `vX.Y.Z` format and map to the same Cargo version.

These checks are enforced by CI and release workflows.

## GitHub Release Environment Setup

1. Open the repository in GitHub and go to **Settings****Environments**.
2. Create (or open) an environment named `release`.
3. In that environment, under **Environment secrets**, click **Add secret**.
4. Add secret name `CARGO_REGISTRY_TOKEN` and set it to the crates.io API token used for publishing.

## Manual Publish Operator Checklist

- Go to **Actions****Release****Run workflow**.
- Set **Use workflow from** to the release tag (`vX.Y.Z`).
- Set `release_version` to `X.Y.Z` or `vX.Y.Z` matching the tag/Cargo version.
- Set `publish_to_crates_io` to `true`.
- Verify both `validate-release` and `publish-crates-io` jobs pass.
- Verify the expected version appears on crates.io.

## Release Flow

1. **Prepare release commit**
   - Move release notes from `[Unreleased]` to a new version section in `CHANGELOG.md`.
   - Set `Cargo.toml` version to that same version.
   - Run local preflight checks (below).

2. **Merge to `main`**
   - Release metadata changes must land on default branch before tagging.

3. **Create and push release tag**
   ```bash
   git tag -s vX.Y.Z -m "Release vX.Y.Z"
   git push origin main
   git push origin vX.Y.Z
   ```

4. **Verify tag gate run**
   - The `Release` workflow runs automatically on tag push.
   - It validates metadata, runs `cargo test`, and runs `cargo publish --dry-run`.
   - No automatic crates.io publish occurs on tag push.

5. **Manual publish (controlled)**
   - If tag validation passes, run the `Release` workflow manually (`workflow_dispatch`) against that tag with:
     - `release_version`: `X.Y.Z` or `vX.Y.Z`
     - `publish_to_crates_io`: `true`
   - Publishing requires `CARGO_REGISTRY_TOKEN` configured in the `release` environment.

6. **Optional WASM package publication**
   - Build and inspect package contents before publishing:
   ```bash
   wasm-pack build --release --target bundler
   cd pkg
   TARBALL="$(npm pack)"
   tar -tzf "$TARBALL"
   npm publish "$TARBALL" --access public
   ```

## Local Preflight Commands

`Cargo.lock` remains untracked in this repository. Generate it locally/ephemerally for checks:

```bash
cargo fmt --all -- --check
cargo clippy -- -D warnings
cargo test

# Security checks
mkdir -p .cargo
cp audit.toml .cargo/audit.toml
cargo generate-lockfile
cargo audit --file Cargo.lock
cargo deny --locked check --config deny.toml advisories bans licenses sources
```

## Mainnet Readiness and Security

- Versions `>= 1.0.0` require an independent security audit for handshake/enclave-critical paths.
- Resolve dependency advisories before release, or document explicit, committed policy exceptions.
- Ensure no credentials or local secrets are included in release artifacts.