Stable 0.4.1. Promotes 0.4.1rc2, with the cloud-to-OSS audit-chain known issue resolved.
Added
- Post-quantum / hybrid signing (FIPS 204 ML-DSA-65 + Ed25519, optional [pqc] extra). Cryptosuites mldsa65-jcs-2026 and hybrid-ed25519-mldsa65-jcs-2026; the default Ed25519 path is unchanged.
Security
- Credential verification key-binding: keys are decoded from the trust anchor (issuer.id for credentials, the server DID for presentations), closing an issuer key-substitution masquerade.
- Fail-closed REST API auth when ATTESTIX_API_KEY is unset.
- Dependency CVE floors (cryptography>=46.0.7, PyJWT[crypto]>=2.12.0).
Fixed
- Cloud-to-OSS audit-chain re-verification: the importer now preserves each row's chain tenant and persists the audit chain under it, decoupled from the storage tenant, so bundles minted under a workspace UUID import and re-verify cleanly.
- Bundle import reads the cloud vc_jsonld credential key.
585 passing tests (494 functional + 91 conformance).
pip install attestix