sdk: v0.6.0

0.6.0 (2025-10-30)

Features

• ci: Add a workflow to update the generated code for new protocol/go versions (#767) (c9d5f21)
• sdk: Add requiredObligations to the PermissionDeniedError (#781) (9cd7b44)
• sdk: Move to rewrap v2 request/response format (#774) (e7718d5)

Bug Fixes

• sdk: Additional comments and cleanup of Rewrap V2 code (#780) (bb29962)

sdk: v0.5.0

0.5.0 (2025-10-17)

Features

• add system metadata assertion (#630) (922965c)
• Certificates & Obligations (#755) (688c304)
• Get Namespace (#756) (5b8ef25)
• sdk: initial obligations support in rewrap flow (#748) (0361361)

Bug Fixes

• signingKey should not be part of the computed hash (#696) (b763278)
• sdk: Fix new API not setting nano attributes (#679) (f0d9719)
• SEC-4653 prevent ReDoS vulnerability in HTML payload unwrapping regex (#686) (09d0360)

sdk: v0.4.1

0.4.1 (2025-07-18)

Bug Fixes

• sdk: Fix new API not setting nano attributes (#679) (#680) (2d2459b)

sdk/v0.4.0

Changelog

0.4.0 (2025-06-26)

Features

• Add initial Dependency Review configuration (#587) (8f9d343)
• Assertion signing key handling and verification in the CLI (#409) (242150b)
• cli: Adds --allowList parameter to cli (#328) (297cec6)
• cli: Adds --policyBinding ecdsa option (#352) (4e54c0d)
• cli: Enables experimental ec in KAOs (#457) (203563c)
• cli: Pass the platform url on decrypt, add the platform kas to the allowlist when fetching (#565) (5afd0d0)
• core: Adds kao.schemaVersion (#416) (7925669)
• core: KID in NanoTDF (#325) (6d01eff)
• export connect rpc generated platform from package.json (#610) (cbd8a10)
• get kas public key from base key (#623) (5bde0a1)
• lets nanoTDF client take options instead (#278) (048bd30)
• lib: Bump for EC feature (#452) (6178877)
• lib: generate ts code from platform protos (#280) (d88c612)
• lib: Load abac config from policy service (#351) (48b2442)
• lib: offline abac KAO configuration (#349) (6eb70c1)
• lib: Updated error types (#362) (7fb29c5)
• sdk: Adds OpenTDF.open method (#485) (6ba9044)
• sdk: Adds opts for collection cache (#411) (47a5287)
• sdk: Allow custom KAO array templates (#307) (fd1b386)
• sdk: Allows skipping verification (#371) (8529461)
• sdk: Assertion support (#350) (10ff5c7)
• sdk: connect rpc client export (#545) (92de145)
• sdk: ec-wrapped key support (#422) (9d4eab4)
• sdk: Export AttributeObject and others (#487) (3d45ecf)
• sdk: get KASes list from platform when allowedKases list is not passed (#557) (598c39f)
• sdk: remove hex encoding for segment hash (#397) (ec4a55a)
• sdk: sdk to use connect rpc calls (#596) (f8e54e5)
• sdk: Updates to jose 6.x (#449) (9667747)

Bug Fixes

• add ignoreAllowList flag (#331) (29a9b82)
• Assertion verification key input (#412) (5be9bb1)
• audit: npm audit fix (#304) (ca2dddd)
• audit: npm audit fix (#318) (bc574f7)
• Changes to make regex patterns more efficient, accurate and simpler (#376) (2fe2c43)
• ci: Get platform_roundtrip working again (#413) (6ca50e6)
• ci: ignore auto-formatting of proto-generated files (#296) (30fb685)
• ci: use keycloack docker (#555) (dc4e48e)
• cli: Better errors and properly set exit code in more cases (#418) (11ad526)
• cli: Enables concurrent rewrap in cli (#391) (ab40664)
• client: Normalize allowlist to origins (#321) (ac1f634)
• core: npm audit fix (#380) (496f07c)
• docs: Update README.md - remove outdated / incorrect quickstart links / ins… (#301) (2dbca15)
• dpop: respect dpop disabled flag in oidc access token class methods (#299) (24319f7)
• keySplitInfo Promise.any Promise.all (#379) (c6cdbef)
• lib: Adds a 10 MiB cap to manifest size (#353) (e775ba5)
• logs: Improves on decrypt unsafe fail (#303) (4efa118)
• nano: Allow padding of kids (#338) (e1ae891)
• nano: ecdsa policy binding support for encrypt (#346) (031bbb7)
• nano: resource locator kid parse issue (#330) (4eef553)
• nano: Store kid (#334) (63721f6)
• Remove environment logging in vite.config.ts (#373) ([d1e0a45](d1e0a4538e2f5ba58d4...

sdk/v0.3.1

What's Changed

• fix(sdk): Fixes generating ztdf 4.2.2 output by @dmihalcik-virtru in #530
• chore(ci): Fix prefix submatch operator for tags by @dmihalcik-virtru in #532
• fix(sdk): Don't set schemaV in older target specs by @dmihalcik-virtru in #531
• fix(sdk): Fix assertion output for legacy mode by @dmihalcik-virtru in #533

Full Changelog: sdk/v0.3.0...sdk/v0.3.1

sdk/v0.3.0

• Supports creating files compatible with older versions, with the targetSpecVersion flag
  • support hex encoding signature hash for legacy sdk #520
• Adds OpenTDF.open method, to allow inspecting a TDFs contents without decrypting it
• EXPERIMENTAL: Adds support for ec-wrapped key access objects

sdk/0.2.0

SDK 0.2.0

Creates new type OpenTDF, which adds more uniform createX and read methods for TDF objects, instead of separate client objects for each file format.

Breaking Changes!

• #407 Sequesters old APIs into the @opentdf/sdk/singlecontainer entry point. If the old API is desired, use this import, not @opentdf/sdk.
• #397 Generates TDF3 version 4.3.0

New Features

• #407: New OpenTDF client object API

sdk/v0.1.0

What's Changed

• CCR-3144: Expose loadTDFStream on Client. by @ntrevino-virtru in #364
• fix(sdk): Remove stray call to node:Buffer by @dmihalcik-virtru in #365
• 🆙 2.1.0 minor feat(core): for new assertions package by @dmihalcik-virtru in #369
• feat(sdk): Allows skipping verification by @dmihalcik-virtru in #371
• fix: Rewrap response handling typo by @elizabethhealy in #372
• fix: Remove environment logging in vite.config.ts by @jentfoo in #373
• feat!(sdk): renames opentdf/client opentdf/sdk by @dmihalcik-virtru in #374
• fix: Changes to make regex patterns more efficient, accurate and simpler by @jentfoo in #376
• fix(core): npm audit fix by @dmihalcik-virtru in #380
• fix: keySplitInfo Promise.any Promise.all by @pflynn-virtru in #379
• chore: Remove backend-roundtrip job from workflows by @pflynn-virtru in #383
• chore: Remove 'make test' step from deploy workflow by @pflynn-virtru in #386
• chore: documentation generation to include npm ci by @pflynn-virtru in #387

Full Changelog: v2.0.0...sdk/v0.1.0

2.0.0

Stable release of the 2.x branch, this release focuses on improved stability of the nanoTDF and ZTDF APIs.

Breaking Changes:

• #285 Targets Node 20 (replacing the previous target of node 18)
• #210 Removes 'remote-store' AWS S3 Client code to a separate library. See the README for more information.
• #362 error type revision

New Features

• #350 ZTDF Assersions
• #362 More fine grained errors
• #351, #349 Attribute based configuration of ZTDF KAOs
• #346 NanoTDF ECDSA policy
• #243 Key Identifier support (support for KAS key rotation)
• Allow List for decrypt

Bug fixes

• A large number of dep updates, and many removals
• #353 10MiB cap on manifest size

Other changes of note:

• Target backend is now the https://github.com/opentdf/platform, instead of the previous opentdf/backend repo.
• Include sourcemaps in bundle

1.3.0

• Adds new allowKases allowlist feature for clients, to enable preventing surprising requests to unknown KAS services when decrypting a .tdf or .ntdf file
• Fixes bug in bundling of ajv tool