v0.8.0

Added

• Additional and comprehensive logging to all SPIKE Nexus and SPIKE Keeper API
  methods.
• Better error handling across the entire codebase.
• Pilot: Reduced CLI verbosity by removing structured JSON log output from
  all commands (policy, secret, cipher, operator). The CLI now outputs clean,
  concise error messages to stderr without internal debug logs cluttering the
  terminal.
• "Encryption as a service" support for SPIKE Pilot. There is an outstanding
  issue for JSON mode; however, streaming mode works as expected.
• make start includes additional smoke tests to ensure all SPIKE components are
  in good shape and ready to roll.
• Added extensive package documentation to ALL packages of SPIKE and
  SPIKE Go SGK.
• SDK: Improved documentation clarity for single return value functions, CSPRNG
  fatal behavior, and function distinctions (ValidatePath vs
  ValidatePathPattern).
• SDK: Significantly increased test coverage across all SDK packages with
  comprehensive unit and integration tests.
• SDK: Enhanced documentation for version numbering system - version numbers
  start at 1, and CurrentVersion == 0 indicates all versions have been deleted.
• SDK: Updated Delete() documentation to clarify soft-delete behavior and that
  paths remain in storage even when all versions are deleted.
• SDK: Added HasValidVersions() and Empty() helper methods to kv.Value for
  checking if secrets have any non-deleted versions, useful for identifying
  purgeable secrets.
• SDK: Added Destroy() method to kv.KV for hard-delete operations that
  permanently remove secret paths from storage and reclaim memory. Unlike
  soft-delete (Delete()), this cannot be undone.
• Nexus: Comprehensive documentation updates across ALL files ensuring
  consistency between function signatures, parameter types, return values, and
  actual code behavior. Updated error type references from generic error to
  specific *sdkErrors.SDKError types.
• Nexus: Added defensive nil source checks across concurrent/distributed systems
  where workload API can asynchronously invalidate X509Source. Updated
  InitializeBackingStoreFromKeepers, SendShardsPeriodically, CLI commands,
  and server startup with proper nil handling and documentation explaining
  retry behavior for transient failures.
• Nexus, Keeper: Added AST-based tests to enforce guard function usage in all
  route handlers. The tests scan route handler files and verify each Route*
  function calls either net.ReadParseAndGuard or a guard function directly.
  This prevents contributors from accidentally adding routes without
  authorization checks. See ADR-0031.

Changed

• BREAKING: SDK now returns typed sentinel errors instead of generic error
  values.
• BREAKING: SDK: Enhanced error handling - Get methods now return
  ErrAPINotFound instead of (nil, nil) when resources are not found,
  following idiomatic Go patterns (similar to os.Open, database/sql).
• SDK: Improved API consistency by standardizing policy function
  parameters from name to id across all operations, matching internal
  implementation.
• Nexus: Enhanced backend interface documentation with proper parameter and
  return type information, and documented CurrentVersion == 0 behavior in
  LoadSecret and LoadAllSecrets methods.
• Nexus: Comprehensive documentation updates for all secret management functions
  with accurate parameter names, return types, and behavioral details including
  soft-delete semantics and metadata update logic.
• Nexus: Made DeleteSecret more defensive when finding the new current version
  by removing unnecessary condition, improving code clarity and robustness.
• BREAKING: Nexus: Fixed inconsistent error returns in memory backend -
  LoadSecret now returns ErrEntityNotFound instead of (nil, nil) for
  missing secrets.
• Nexus: Optimized retry loop in InitializeBackingStoreFromKeepers with early
  nil check to avoid unnecessary function call overhead when X509 source is nil.
• Nexus: Refactored ShardGetResponse to return ([]byte, *sdkErrors.SDKError)
  instead of logging errors internally and returning empty slices, following
  canonical Go error handling patterns.
• Nexus: Improved resilience in data loading functions (LoadAllPolicies,
  LoadAllSecrets) by changing from aggressive exit behavior to graceful
  degradation - now logs warnings and continues processing valid entries instead
  of abandoning entire dataset on single entry corruption.
• Pilot: Comprehensive refactoring of CLI output handling across all commands
  (14 files) to use Cobra's cmd.Print*() methods instead of fmt.Print*().
  Error messages now properly route to stderr via cmd.PrintErrln()/
  cmd.PrintErrf(), while success and normal output routes to stdout via
  cmd.Println()/cmd.Printf(). This improves testability, respects Cobra's
  output configuration, and provides proper stderr/stdout separation. Updated
  helper functions printSecretResponse() and handleAPIError() to accept
  cmd parameter for consistent output handling.
• SDK: Added UpdatedAt field to Policy struct to track when policies are
  modified. Removed unused CreatedBy field.
• Nexus: Standardized error handling across recovery modules to use
  log.WarnErr/log.FatalErr with SDK error types instead of generic
  log.Warn/log.FatalLn calls. This provides searchable error codes and
  consistent error patterns.
• BREAKING: Nexus: Changed policy operations from create-only to upsert
  semantics for consistency with secret operations. state.CreatePolicy is now
  state.UpsertPolicy. If a policy with the same name exists, it is updated
  (preserving ID and CreatedAt); otherwise, a new policy is created.
• Code Quality: Eliminated error variable shadowing across the codebase. Error
  variables now use descriptive names (atoiErr, nonceErr, openErr,
  restoreErr, etc.) instead of reusing err. This prevents subtle bugs where
  a later error could inadvertently shadow an earlier one, and improves code
  readability by making error sources explicit.

Fixed

• Finally, fixed the flaky tests around the retry logic in SPIKE Go SDK for
  good.
• Various other bugfixes, refactorings, and security improvements.
• SDK: Added nil validation to CreateMTLSServer functions with fail-fast
  behavior for configuration errors.
• SDK: Fixed resource management bug in StreamPostWithContentType where defer
  was closing response body on success path, causing callers to receive closed
  body.
• SDK: Fixed critical bug in Undelete function that was ignoring the versions
  parameter due to missing else clause.
• Nexus: Added OldestVersion tracking to UndeleteSecret for consistency
  with DeleteSecret, ensuring metadata accurately reflects oldest non-deleted
  version.
• Nexus: Fixed bug in UndeleteSecret where undeleting a version higher than
  the current CurrentVersion did not update CurrentVersion to reflect the
  new highest active version, causing metadata inconsistency.
• Nexus: Fixed critical bug in UpsertSecret where adding a new version when all
  existing versions were deleted (CurrentVersion == 0) would create version 1,
  potentially colliding with an existing deleted version 1. Now correctly finds
  the highest existing version number and increments from there.
• Nexus: Fixed resource leak in internal/net/post.go where response body
  close was deferred after body read instead of immediately after response
  obtained, causing leaks when read operations failed.
• Nexus: Fixed critical bug in secret route handlers where error paths were not
  sending HTTP responses to clients. Added missing net.Fail() calls in
  put_intercept.go (3 locations) and undelete.go to ensure proper error
  responses.
• Nexus: Fixed bug in RouteDeletePolicy that returned HTTP 500 for all errors
  including "not found". Now correctly returns HTTP 404 when the policy does not
  exist

Security

• PoP validation after bootstrap sequence to ensure SPIKE Nexus has initialized
  properly.
• Update SPIKE Components' Go version to 1.25.3.
• log.FatalLn exits cleanly by default to avoid leaking sensitive information
  via stack traces in production. Stack traces can be enabled for
  development/testing by setting SPIKE_STACK_TRACES_ON_LOG_FATAL=true.
• SDK upgrade to Go 1.25.3 to fix GO-2025-4007.
• Fixed error handling inconsistency in NewPilotRecoveryShards to
  ensure fail-fast behavior on shard generation failures. The function now
  consistently uses log.FatalLn for all critical errors during shard
  marshaling to prevent silent generation of corrupted recovery material.
• Added SPIFFE ID validation to SPIKE Keeper shard endpoints.
  The RouteShard endpoint now validates that only SPIKE Nexus can retrieve
  shards during recovery operations. The RouteContribute endpoint validates
  that only SPIKE Bootstrap (during initial setup) or SPIKE Nexus (during
  periodic updates) can contribute shards. This prevents unauthorized access
  to sensitive shard data.
• Crypto: Consolidated GCM nonce size constant (crypto.GCMNonceSize) to
  internal/crypto/gcm.go. This removes duplication across cipher and bootstrap
  packages and documents the decision to use the NIST-recommended 12-byte
  standard. See ADR-0032.
• Fixed CWE-117: go-viper's mapstructure May Leak Sensitive Information in
  Logs When Processing Malformed
  Data
• Fixed CVE-2025-58181: golang.org/x/crypto/ssh allows an attacker to cause
  unbounded memory
  consumption
• Fixed [CVE-2025-47914: golang.org/x/crypto/ssh/agent vulne...

v0.6.0

This was a security release where the main focus was hardening SPIKE SDK mTLS
implementation. In addition, we created a configurable SPIKE backing store
directory to enable future HA development.

The code is stable; however, we are marking it as a "prerelease" because there is still
upstream Helm Charts work to be completed to smoothly enable SPIKE Bootstrap
on Kubernetes clusters.

Added

• Added SPIKE_TRUST_ROOT_BOOTSTRAP to enable SPIKE Bootstrap to be used
  in different trust boundaries.
• Added SPIKE_NEXUS_DATA_DIR to enable setting up custom data directories for
  SPIKE Nexus backing store.
• Added convenience methods to the SPIKE Go SDK.

Changed

• Improvements to the SPIKE Go SDK.
• Stricter SPIFFE ID validation. SPIKE SDK now ensures that the API client
  only talks to SPIKE Nexus as the server.

Fixed

• Minor bug fixes.
• Fixed flaky unit tests.

Security

• SPIKE Go SDK clients are hardened to only talk to SPIKE Nexus as the
  server during mTLS.

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Configurable data directory for SPIKE Nexus backing store by @v0lkan in #232

Full Changelog: v0.5.1...v0.6.0

v0.5.1

Prerelease.

Changed

• Updated SPIKE Bootstrap to be more robust by adding exponential backoff while
  waiting for SPIKE Keepers to be ready.
• Enhancements in startup scripts to better enable local development with
  SPIFFE Helm Charts that have not been published yet.

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• make Boostrap more robust + prep for version bump by @v0lkan in #233
• v0.5.1 by @v0lkan in #234

Full Changelog: v0.5.0...v0.5.1

v0.5.0

This is still a prerelease version; however, it includes major changes
and improvements. We will cut a stable release once we have SPIKE Bootstrap
included in the SPIFFE Helm Charts.

Added

• Updates to documentation and usage examples.
• Updates to the SPIKE Go SDK around the logging API.
• Moved certain reusable features from in-tree to SPIKE Go SDK.
• A new make audit target that helps contributors run style checks and
  linters before submitting a PR.
• Enhancements to bare-metal installation scripts.

Changed

• Updated Go version to 1.25.1
• Updated SPIKE Bootstrap to be more robust and enabled it to work on
  Kubernetes too.
• Clarified documentation around path pattern and SPIFFE ID pattern matching
  in SPIKE policies.
• Slight improvements in the SPIKE logo and a brand-new landing page that
  highlights the project's vision and goals.
• Moved environment variable names to the SPIKE Go SDK as constants to prevent
  typos and to make it easier to use the SDK.

Fixed

• Bug fixes and stability improvements.
• Fixed failing unit tests on CI (that's a temporary fix that runs tests
  sequentially instead of in parallel; we will fix that soon)

Security

• Along with secrets, SPIKE Nexus now encrypts policies at rest too.

Upcoming

• A lot of ongoing design work around key rotation, encryption, and a secure
  web interface that leverages Web Cryptography API to provide a secure
  experience of managing secrets without having to interact with the command
  line.
• Ongoing work on the Cipher API to provide "encryption as a service" to
  systems and workloads that do not require to store secrets in a backing store.

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Landing Page Redesign by @v0lkan in #211
• Sync CI pipeline with makefile targets and remove golangci-lint dependency by @mertssmnoglu in #210
• remove the caching layer to enable (easier/simpler) HA by @v0lkan in #214
• cleanup before release by @v0lkan in #215
• Update logger behavior on fatal errors by @v0lkan in #216
• Move policy Spec from in-tree to the SDK by @v0lkan in #218
• remove path normalization. by @v0lkan in #219
• rename cipher-related entitites by @v0lkan in #220
• ADR update an minor refactoring by @v0lkan in #221
• SDK Update. by @v0lkan in #224
• organize jira.xml by @v0lkan in #225
• minor refactoring. by @v0lkan in #226
• replace env var names with constants by @v0lkan in #227
• Keep policy information encrypted (#81) by @doguhanniltextra in #223
• Bootstrap with ConfigMap by @v0lkan in #228
• v0.5.0 by @v0lkan in #231

New Contributors

• @mertssmnoglu made their first contribution in #210
• @doguhanniltextra made their first contribution in #223

Full Changelog: v0.4.3.1...v0.5.0

v0.4.3.1

This is a "prerelease" version to enable upstream SPIFFE Helm Charts
integration initiatives. The most significant change is the introduction of a
SPIKE Bootstrap app that is responsible for initializing
SPIKE Nexus. This new approach separates the bootstrapping workflow that
had been inside SPIKE Nexus' initialization workflow before. And that
enables us an opportunity to run SPIKE Nexus in HA mode without designing
elaborate, and potentially error-prone, consensus algorithms.

Added

• FIPS 140.3 Compliance: FIPS is now enabled at build time, and it's
  enforced everywhere. We are using GOFIPS140=v1.0.0, the modern way of
  enabling FIPS, retiring our older boringcrypto implementation.
• spike policy list command can now filter by SPIFFE ID pattern and path
  pattern.
• spike policy command cano now accept a YAML file as input, instead of
  requiring command-line parameters.
• SPIKE Go SDK now has a generator that creates pattern-based, secure,
  randomized secrets.
• Implemented a (currently experimental) "SPIKE Lite" mode where SPIKE Nexus
  would not need a backing store, or policies, and can leverage the storage
  and policy mechanism of S3-compatible object stores (such as Minio). Once
  we fully implement and polish SPIKE Lite, we will also update documentation
  and use cases to allow users to understand the benefits and liabilities of
  SPIKE Lite and why they might want to use one over the other.

Changed

• Better alignment with idiomatic Go practices. SPIKE and SPIKE Go SDK code
  has been refactored to better align with common Go idioms and conventions.
  We also created a make audit target to run style checks and linters that
  enforce a consistent code style and some of these guidelines. make audit
  is also a part of the CI pipeline to ensure that the code is always compliant
  at every commit. In addition make audit also does vulnerability checks.
• BREAKING: SPIKE Nexus now requires a separate initializer (SPIKE Bootstrap)
  to begin its lifecycle. The user guides and relevant documentation have been
  updated to reflect this change.
• Updated Go to the latest version (1.24.6).

Fixed

• Fixed a bug related to Windows builds. SPIKE Nexus, SPIKE Pilot, and SPIKE
  Keeper can now be built as Windows binaries too.
• Various refactorings, improvements, code cleanup, and bug fixes.

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• rename "msg" with "message" by @v0lkan in #189
• Restify Nexus crypto operations. by @v0lkan in #191
• Add integration test by @kfox1111 in #190
• Add streaming mode and some other checks to encrypt/decrypt. by @v0lkan in #192
• Re-align integration test with newer api by @kfox1111 in #194
• Bump testing dependency by @kfox1111 in #197
• Fix race condition with tests by @kfox1111 in #199
• feat(policy): Add filtering to policy list command by @marikann in #201
• Update policy-related documentation. by @v0lkan in #202
• Add stricter linting. by @v0lkan in #203
• Fix further lints. by @v0lkan in #204
• fixes spike pilot CLI to work in windows. by @v0lkan in #205
• Add @parlakisik as a Codeowner for SPIKE and SPIKE SDK by @v0lkan in #207
• Separate Bootstrap Logic into its own app by @v0lkan in #206
• SPIKE v0.4.3 (prerelease). by @v0lkan in #208
• v0.4.3.1 by @v0lkan in #209

Full Changelog: v0.4.2...v0.4.3.1

v0.4.3

This is a "prerelease" version to enable upstream SPIFFE Helm Charts
integration initiatives. The most significant change is the introduction of a
SPIKE Bootstrap app that is responsible for initializing
SPIKE Nexus. This new approach separates the bootstrapping workflow that
had been inside SPIKE Nexus' initialization workflow before. And that
enables us an opportunity to run SPIKE Nexus in HA mode without designing
elaborate, and potentially error-prone, consensus algorithms.

Added

• FIPS 140.3 Compliance: FIPS is now enabled at build time, and it's
  enforced everywhere. We are using GOFIPS140=v1.0.0, the modern way of
  enabling FIPS, retiring our older boringcrypto implementation.
• spike policy list command can now filter by SPIFFE ID pattern and path
  pattern.
• spike policy command cano now accept a YAML file as input, instead of
  requiring command-line parameters.
• SPIKE Go SDK now has a generator that creates pattern-based, secure,
  randomized secrets.
• Implemented a (currently experimental) "SPIKE Lite" mode where SPIKE Nexus
  would not need a backing store, or policies, and can leverage the storage
  and policy mechanism of S3-compatible object stores (such as Minio). Once
  we fully implement and polish SPIKE Lite, we will also update documentation
  and use cases to allow users to understand the benefits and liabilities of
  SPIKE Lite and why they might want to use one over the other.

Changed

• Better alignment with idiomatic Go practices. SPIKE and SPIKE Go SDK code
  has been refactored to better align with common Go idioms and conventions.
  We also created a make audit target to run style checks and linters that
  enforce a consistent code style and some of these guidelines. make audit
  is also a part of the CI pipeline to ensure that the code is always compliant
  at every commit. In addition make audit also does vulnerability checks.
• BREAKING: SPIKE Nexus now requires a separate initializer (SPIKE Bootstrap)
  to begin its lifecycle. The user guides and relevant documentation have been
  updated to reflect this change.
• Updated Go to the latest version (1.24.6).

Fixed

• Fixed a bug related to Windows builds. SPIKE Nexus, SPIKE Pilot, and SPIKE
  Keeper can now be built as Windows binaries too.
• Various refactorings, improvements, code cleanup, and bug fixes.

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• rename "msg" with "message" by @v0lkan in #189
• Restify Nexus crypto operations. by @v0lkan in #191
• Add integration test by @kfox1111 in #190
• Add streaming mode and some other checks to encrypt/decrypt. by @v0lkan in #192
• Re-align integration test with newer api by @kfox1111 in #194
• Bump testing dependency by @kfox1111 in #197
• Fix race condition with tests by @kfox1111 in #199
• feat(policy): Add filtering to policy list command by @marikann in #201
• Update policy-related documentation. by @v0lkan in #202
• Add stricter linting. by @v0lkan in #203
• Fix further lints. by @v0lkan in #204
• fixes spike pilot CLI to work in windows. by @v0lkan in #205
• Add @parlakisik as a Codeowner for SPIKE and SPIKE SDK by @v0lkan in #207
• Separate Bootstrap Logic into its own app by @v0lkan in #206

Full Changelog: v0.4.2...v0.4.3

v0.4.2

Added

• Ability to configure to not how SPIKE banner on startup.
• Ability to configure to show a warning if memory locking is not
  available on the system.
• SPIKE can now be deployed from SPIFFE helm charts. Tested and verified!
• Documentation updates.
• SPIKE Lite (a WIP SPIKE mode where you won’t need a backing store)
• SPIKE can be now be installed from SPIFFE Helm
  Charts and can
  federate secrets across clusters

Changed

• Moved logging to SPIKE SDK. VSecM v2 will share the same logging setup.
• spike policy command now accepts file input; you can design your policies
  as yaml files and then spike policy apply -f them.

Security

• Fixed GHSA-fv92-fjc5-jj9h: mapstructure May Leak Sensitive Information
  in Logs When Processing Malformed
  Data

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• minor changes by @v0lkan in #168
• Disable banner via env config; disable memory warning via env config by @v0lkan in #169
• Docs and other things for the 4.1 prerelease. by @v0lkan in #170
• moved files around. by @v0lkan in #171
• Consume SPIKE from helm-charts-hardened by @v0lkan in #172
• minor changes to add clarity. by @v0lkan in #173
• Fix bare metal scripts by @rohatcan in #174
• fix orphaned spike processes by adding exec command to scripts by @rohatcan in #176
• WIP: (Potential) KubeCon Demo by @v0lkan in #175
• Add third edge cluster to demo. by @v0lkan in #180
• Using yaml file for policy creation by @parlakisik in #177
• introduce SPIKE Lite. by @v0lkan in #181
• Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 by @dependabot[bot] in #182
• Document: Update policy command with policy apply parameter by @parlakisik in #184
• Initial kind integration for spike by @parlakisik in #179
• Move logging to SDK by @v0lkan in #187
• SPIKE v0.4.2 by @v0lkan in #188

New Contributors

• @rohatcan made their first contribution in #174
• @parlakisik made their first contribution in #177

Full Changelog: v0.4.1...v0.4.2

v0.4.1

Added

• Initial support for Kubernetes deployments.
• Better shard sanitization during recovery procedures.
• Added memory locking to SPIKE Pilot too.
• Finer control of the startup script via flags.
• Added the ability to optionally skip database schema creation during SPIKE
  initialization.

Changed

• BREAKING: SDK validation methods now take trust root as an argument.
• BREAKING: SPIKE_NEXUS_KEEPER_URL is now a comma-delimited list of URLs
  (instead of JSON).
• SPIKE components can now be configured to accept multiple trust roots as
  legitimate peers---this will be useful in complex mesh and federation
  deployment scenarios.
• SPIKE now uses GitHub Container Registry to store its container image
  (instead of Docker Hub).

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Project Status Change. by @v0lkan in #130
• Store state from backing store immediately after doomsday recovery. by @v0lkan in #131
• restoration files are hex encoded now. by @v0lkan in #132
• Stricter pattern matching for Secret and Policy Operations by @v0lkan in #143
• Ability to accept multiple trust roots. by @v0lkan in #144
• KEEPER_URL format change. by @v0lkan in #145
• option to skip db schema initialization. by @v0lkan in #148
• Log keeper warning to stderr by @kfox1111 in #155
• Fix containers by @kfox1111 in #156
• spike secret get format by @kfox1111 in #157
• Containerization by @v0lkan in #165
• Fix workflow after merge by @kfox1111 in #167

New Contributors

• @kfox1111 made their first contribution in #155

Full Changelog: v0.4.0...v0.4.1

v0.4.0

Added

• Added more configuration options to SPIKE Nexus.
• Updated documentation around security and production hardening.
• Updated release instructions, added a series of tests to follow and cutting
  a release only after all tests pass. These test are manual for now, but
  can be automated later down the line.

Fixed

• Fixed a bug related to policies not recovering after a SPIKE Nexus crash.
  Now, both secrets and policies recover without an issue.
• Ensured that "in memory" mode works as expected, and we can create policies
  and secrets.
• Fixed inconsistencies in the audit log format.
• Fixed NilPointer exception during certain shard creation paths.
• Fixed regressions due to premature memory cleanup. Now the memory is cleaned
  up when no longer needed (but not before).
• Various bug fixes and improvements.

Changed

• Moved some common reusable code to spike-sdk-go.
• Various changes and improvements in SPIKE Go SDK.
• The startup script does not initiate SPIKE Keepers if SPIKE is running in
  "in memory" mode.
• Renamed AuditCreated enum as AuditEntryCreated to specify its intention
  better (i.e., it's not an creation of a an entity or a DAO, but rather it's
  the start of an audit trail).
• Improved spike policy commands with better UX and error handling.

Security

• Added cache invalidation headers to all API responses.
• For added security, we strip symbols during the build process now.
• Implemented better memory protection with cleaning up memory when no longer needed.
• SPIKE Nexus and SPIKE Keepers use mlock to avoid memory swapping when possible.
• Fixed CVE-2025-22872: golang.org/x/net vulnerable to Cross-site Scripting
• Fixed CVE-2025-22870: HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net

---

Below are the generated release notes of every commit since the last release cut:

What's Changed

• Improve policy commands with better UX and error handling by @marikann in #118
• documentation updates and refactoring by @v0lkan in #122
• Bump golang.org/x/net from 0.33.0 to 0.36.0 by @dependabot in #125
• Add cache invalidation headers to API responses (#123) by @marikann in #124
• Cleanup and Documentation Update by @v0lkan in #126
• Remove book. by @v0lkan in #127
• Bump golang.org/x/net from 0.36.0 to 0.38.0 by @dependabot in #129
• v0.4.0 by @v0lkan in #128

Full Changelog: v0.3.24...v0.4.0

v0.3.24

Full Changelog: v0.3.23...v0.3.24