diff --git a/CHANGELOG.md b/CHANGELOG.md index f88d668..60a4033 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -7,200 +7,58 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed +- Consolidated CHANGELOG entries to improve readability and scannability (#81) + ## [0.6.0] - 2026-01-31 +### Added +- Streaming encryption and decryption APIs for memory-efficient processing of large data (#60) +- Caching CMM for reducing expensive key provider calls with TTL and usage limits (#61) +- Required Encryption Context CMM for enforcing critical AAD keys during encryption/decryption (#62) + ### Changed - Integration tests now run by default in CI (#68) - Coverage threshold adjusted from 94% to 92% -### Added -- Comprehensive streaming error tests covering all error paths (#68) -- CMM dispatch tests for RequiredEncryptionContext and Caching CMMs (#68) -- Caching CMM for reducing expensive key provider calls (#61) -- CacheEntry struct with TTL and usage limit tracking -- CryptographicMaterialsCache behaviour defining cache interface -- LocalCache ETS-based implementation with atomic operations -- Encryption materials caching with cache ID computation (SHA-384) -- Decryption materials caching based on EDKs and context -- Identity KDF bypass for deprecated NO_KDF algorithm suites -- Partition ID isolation enabling multiple CMMs to share cache -- Usage limits enforcement (max_messages and max_bytes) -- TTL-based expiration with automatic cleanup on retrieval -- Support for wrapping Default and RequiredEncryptionContext CMMs -- Comprehensive test suite with 42 tests (94.2% coverage) -- Required Encryption Context CMM for enforcing critical AAD keys (#62) -- Wrapping CMM validating required keys in encryption and decryption -- new/2 constructor accepting required keys and underlying CMM -- new_with_keyring/2 constructor auto-wrapping keyring in Default CMM -- Validation ensuring required keys present in caller's context -- Validation ensuring required keys present in reproduced context -- Support for nested CMM composition with 
layered validation -- Client dispatcher integration for RequiredEncryptionContext CMM -- Comprehensive test suite with 21 tests covering all scenarios -- Streaming encryption and decryption APIs for processing large data incrementally (#60) -- Stream.Encryptor state machine with incremental frame generation -- Stream.Decryptor state machine with incremental frame parsing -- Stream.SignatureAccumulator for ECDSA signing without buffering entire message -- encrypt_stream/3 and decrypt_stream/3 high-level APIs using Elixir Streams -- Support for both signed and unsigned algorithm suites in streaming mode -- fail_on_signed option to reject signed suites during streaming decryption -- Incremental plaintext release for unsigned suites (frame-by-frame) -- Deferred final frame release for signed suites (after signature verification) -- Header authentication module for v1/v2 header tag computation -- Commitment key derivation module for key commitment verification -- Comprehensive test suite with 41 streaming tests (edge cases, integration, signed suites) -- Edge case tests for empty plaintext, single byte, exact frame multiples, byte-by-byte input - ### Fixed - KMS integration tests skip gracefully when AWS credentials unavailable (#68) -- Unused default parameter warning in caching_test.exs (#68) ### Removed -- All temporary coveralls-ignore markers (42 markers across 4 files) (#68) -- Default exclusion of :integration tag from test suite (#68) +- Temporary coveralls-ignore markers (#68) ## [0.5.0] - 2026-01-28 ### Added -- Multi-keyring generator validation rejecting discovery keyrings (#52) -- Multi.new_with_kms_generator/4 convenience constructor for KMS generators -- Multi.new_mrk_aware/4 convenience constructor for cross-region MRK scenarios -- ARN reconstruction utilities for replica region keyring creation -- AWS KMS MRK Discovery Keyring for cross-region MRK decryption (#51) -- MRK-aware discovery keyring reconstructing ARNs with configured region -- Cross-region 
MRK decryption enabling disaster recovery scenarios -- Non-MRK key filtering by region match for security -- Optional discovery filter for partition and account restrictions -- Integration with Default CMM and Multi-keyring dispatch clauses -- Comprehensive test suite with 28 tests -- KMS client abstraction layer with behaviour interface (#46) -- KmsClient behaviour defining generate_data_key/5, encrypt/5, and decrypt/5 callbacks -- Mock KMS client implementation for testing without AWS credentials -- ExAws KMS client implementation for production use with AWS -- ExAws configuration in config/config.exs with environment variable support -- Integration test suite for real AWS KMS operations (9 tests) -- Test documentation in test/README.md with setup and usage instructions -- Manual verification script (scripts/verify_kms_client.exs) -- Environment variable template (.env.example) -- AWS SDK dependencies: ex_aws, ex_aws_kms, hackney, sweet_xml -- KMS Key ARN utilities for parsing and validation (#47) -- parse/1 function with comprehensive ARN validation per AWS spec -- mrk?/1 function for Multi-Region Key identification -- mrk_match?/2 function for cross-region MRK matching -- arn?/1 helper for ARN format detection -- to_string/1 function for ARN reconstruction -- String.Chars protocol implementation for idiomatic usage -- Support for all AWS partitions (aws, aws-cn, aws-us-gov) -- Comprehensive test suite with 64 tests covering valid/invalid ARNs -- Test vector validation using keys.json test data -- AWS KMS Keyring implementation for encrypting/decrypting data keys with AWS KMS (#48) -- wrap_key/2 function with dual paths: GenerateDataKey (new keys) and Encrypt (existing keys) -- unwrap_key/3 function with EDK filtering by provider ID, ARN validation, and key matching -- Support for MRK (Multi-Region Key) cross-region matching -- Grant tokens support for KMS API calls -- Integration with Default CMM and Multi-keyring for seamless composition -- Comprehensive test 
suite with 27 tests using Mock KMS client (96.1% coverage) -- AWS KMS Discovery Keyring for decrypt-only operations (#49) -- Discovery keyring decrypts data keys using ARN from EDK provider info -- Optional discovery filter for partition and account restrictions -- wrap_key/2 implementation that always fails (discovery cannot encrypt) -- unwrap_key/3 with provider ID filtering, ARN validation, and KMS decrypt -- Integration with Default CMM and Multi-keyring dispatch clauses -- Comprehensive test suite with 30 tests (94.2% coverage) -- AWS KMS Multi-Region Key (MRK) Keyring for cross-region decryption (#50) -- MRK-aware keyring enabling data decryption with regional MRK replicas -- wrap_key/2 and unwrap_key/3 functions delegating to AwsKms keyring -- Cross-region MRK matching for disaster recovery scenarios -- Integration with Default CMM and Multi-keyring dispatch clauses -- Comprehensive test suite with 28 tests covering cross-region scenarios -- Comprehensive documentation for AWS KMS keyrings (#53) -- Enhanced moduledocs for AwsKms, AwsKmsDiscovery, AwsKmsMrk, and AwsKmsMrkDiscovery -- Use cases, IAM permissions, and security considerations for each keyring type -- Code examples for basic usage, grant tokens, and multi-keyring patterns -- Examples directory with 4 runnable scripts demonstrating KMS integration -- kms_basic.exs for basic encryption/decryption workflow -- kms_discovery.exs for discovery keyring usage -- kms_multi_keyring.exs for redundant key protection -- kms_cross_region.exs for MRK disaster recovery scenarios -- AWS KMS Integration section in README with keyring selection guide -- Updated README to reflect all implemented KMS keyrings +- AWS KMS Keyring for encrypting/decrypting data keys with AWS KMS (#48) +- AWS KMS Discovery Keyring for decrypt-only operations without specifying key ARN (#49) +- AWS KMS MRK Keyrings for cross-region Multi-Region Key decryption and disaster recovery (#50, #51) +- Multi-keyring enhancements: KMS generator 
validation, convenience constructors for MRK scenarios (#52) +- KMS client abstraction layer with ExAws implementation and mock for testing (#46, #47) +- Comprehensive documentation for AWS KMS keyrings with examples and usage guide (#53) ### Changed -- Excluded examples directory from Credo analysis - Increased minimum code coverage requirement from 93% to 94% ## [0.4.0] - 2026-01-27 ### Added -- CMM (Cryptographic Materials Manager) behaviour interface (#36) -- get_encryption_materials/2 and get_decryption_materials/2 callbacks -- Commitment policy type definitions (forbid/require encrypt/decrypt) -- Helper functions for commitment policy validation -- Helper functions for materials validation (encryption and decryption) -- Helper functions for encryption context validation -- Reserved key constant for signature verification (aws-crypto-public-key) -- Default algorithm suite selection based on commitment policy -- Reproduced encryption context validation and merging -- Comprehensive test suite (54 tests, 100% coverage) -- Default CMM implementation with keyring orchestration (#37) -- ECDSA crypto module for P-384 key pair generation -- Support for all 17 algorithm suites (signing and non-signing) -- Algorithm suite selection based on commitment policy -- Signing key generation for ECDSA algorithm suites -- Public key encoding/storage in encryption context -- Verification key extraction from encryption context -- Reproduced encryption context validation and merging -- Comprehensive test suite (25 unit tests, 4 error handling tests) -- Round-trip encryption/decryption tests with signing suites -- Multi-keyring integration tests -- Test vector support framework (harness setup) -- Client module with commitment policy enforcement (#38) -- encrypt/3 and encrypt_with_keyring/3 APIs with policy validation -- Support for three commitment policies per spec (forbid/require/allow) -- Default policy of :require_encrypt_require_decrypt (strictest) -- max_encrypted_data_keys 
configuration option -- ECDSA sign/verify functions for signature operations -- Round-trip encryption/decryption tests for signed suites -- Client commitment policy test suite (47 tests, 100% coverage) -- Client test vector validation (3 encrypt test cases) -- Client.decrypt/3 with commitment policy enforcement for decryption (#39) -- Client.decrypt_with_keyring/3 convenience function for keyring-based decryption -- AwsEncryptionSdk.decrypt/2-3 public API accepting Client or DecryptionMaterials -- AwsEncryptionSdk.decrypt_with_keyring/3 public API delegation -- Commitment policy validation during decryption (strictest policy rejects non-committed suites) -- EDK count limit enforcement during decryption (max_encrypted_data_keys) -- Comprehensive integration test suite with 9 tests covering all three commitment policies -- 16 new tests for Client-based and public API decryption (469 total tests, 93.8% coverage) +- CMM (Cryptographic Materials Manager) behaviour interface with commitment policy support (#36) +- Default CMM implementation with keyring orchestration and ECDSA signing (#37) +- Client module with encrypt/decrypt APIs and commitment policy enforcement (#38, #39) +- Support for all 17 algorithm suites including signing and non-signing variants +- EDK count limit enforcement (max_encrypted_data_keys configuration) ### Changed -- Increased minimum code coverage requirement from 92% to 93% -- Added edge case tests for encryption context and encrypted data keys - Main API now recommends Client-based encryption workflow - Renamed encrypt/decrypt to encrypt_with_materials/decrypt_with_materials -- Removed encryption context validation from Encrypt module -- Updated documentation with Client usage examples +- Increased minimum code coverage requirement from 92% to 93% ## [0.3.0] - 2026-01-26 ### Added -- Multi-Keyring implementation for composing multiple keyrings (#28) -- Support for generator keyring that generates plaintext data keys -- Support for child 
keyrings that wrap existing data keys -- wrap_key/2 function with generator + children chaining (fail-fast) -- unwrap_key/3 function with sequential keyring iteration (first-success) -- Comprehensive unit tests (31 tests) covering all edge cases -- Test vector validation for all 7 multi-RSA test vectors -- Nested multi-keyring support for complex key hierarchies -- Error collection when all keyrings fail during decryption -- Raw RSA keyring implementation with encrypt/decrypt support (#27) -- Support for all 5 padding schemes: PKCS1 v1.5, OAEP-SHA1/256/384/512 -- PEM key loading for X.509 SubjectPublicKeyInfo and PKCS#8 PrivateKeyInfo -- wrap_key/2 function for encrypting data keys with RSA public keys -- unwrap_key/3 function for decrypting EDKs with RSA private keys -- Comprehensive unit tests (28 tests) and test vector validation (5 vectors) -- Edge case tests for unicode key names and empty encryption contexts -- MGF1 hash matching for OAEP padding per spec requirements -- :public_key application to extra_applications for OTP loading +- Multi-Keyring for composing multiple keyrings with generator and child key support (#28) +- Raw RSA Keyring with support for PKCS1 v1.5 and OAEP padding schemes (#27) ### Changed - Increased minimum code coverage requirement from 90% to 92% 
@@ -208,24 +66,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [0.2.0] - 2026-01-25 ### Added -- `/release` skill for automated version releases (#30) -- GitHub Actions CI workflow with multi-version testing matrix (#15) -- Test matrix for Elixir 1.16-1.18 and OTP 26-27 -- Codecov integration for coverage reporting -- CI and coverage status badges in README -- `:crypto` application to extra_applications for proper OTP loading - Keyring behaviour interface with on_encrypt/on_decrypt callbacks (#25) -- Helper functions for data key generation and provider ID validation -- Support for optional plaintext_data_key in materials structs -- DecryptionMaterials.new_for_decrypt/3 and set_plaintext_data_key/2 -- EncryptionMaterials.new_for_encrypt/3, set_plaintext_data_key/2, and add_encrypted_data_key/2 -- Comprehensive test coverage for keyring behaviour (20 new tests) -- Raw AES keyring implementation with AES-128/192/256 support (#26) -- Provider info serialization for keyring metadata (key name, IV, tag length) -- wrap_key/2 function for encrypting data keys with AES-GCM -- unwrap_key/3 function for decrypting EDKs with provider ID and key name matching -- Comprehensive unit tests (25 tests) and test vector validation (4 vectors) -- Edge case tests for empty/large contexts, unicode, and all key sizes +- Raw AES Keyring with AES-128/192/256 support (#26) +- GitHub Actions CI workflow with Elixir 1.16-1.18 and OTP 26-27 test matrix (#15) +- `/release` skill for automated version releases (#30) ### Changed - Minimum Elixir version requirement from 1.18 to 1.16 
@@ -234,54 +78,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [0.1.0] - 2025-01-12 ### Added -- Apache License 2.0 (#20) -- CONTRIBUTING.md with development setup and contribution guidelines (#20) -- Comprehensive README with project documentation for v0.1.0 release (#20) -- WIP banner warning about pre-production status -- Current status section listing implemented and planned features -- Installation instructions for Hex.pm -- Basic encryption/decryption usage example -- Links to AWS Encryption SDK specification and related implementations -- Initial project structure -- Claude Code agents and commands for development workflow -- Algorithm suite definitions for all 11 ESDK suites (#7) -- Suite lookup by ID with reserved ID validation -- Predicate functions (committed?, signed?, deprecated?, allows_encryption?) -- Deprecation warnings for NO_KDF suites -- Comprehensive test coverage (26 tests, 100% coverage) +- Initial project structure with Apache License 2.0 and contribution guidelines (#20) +- Algorithm suite definitions for all 11 ESDK suites with commitment and signing support (#7) - HKDF key derivation implementation per RFC 5869 (#8) -- Support for SHA-256, SHA-384, and SHA-512 hash algorithms -- HKDF extract/expand/derive functions for key derivation -- Comprehensive test suite with RFC 5869 and Wycheproof vectors -- Algorithm suite compatibility tests for committed suites -- ex_doc dependency for documentation generation -- Message format serialization and deserialization (#9) -- EncryptedDataKey struct with list serialization -- Encryption context serialization with UTF-8 key sorting -- Reserved key validation (aws-crypto-* prefix) -- Body AAD generation for AES-GCM operations -- Header v1 and v2 serialization (both framed/non-framed) -- Non-framed body serialization with 64 GiB limit -- Framed body with sequence validation and final frame marker -- Footer serialization for ECDSA signatures -- Complete message 
deserialization with automatic footer detection -- 119 tests with 87.6% coverage +- Message format serialization supporting header v1/v2, framed/non-framed body, and footer (#9) +- Basic encryption and decryption operations with AES-GCM and key commitment (#10) - Test vector harness for AWS Encryption SDK compatibility testing (#13) -- TestVectorHarness module for loading and parsing test vector manifests -- Support for keys manifest version 3 and decrypt manifest versions 2, 3, 4 -- TestVectorSetup module with availability checks and setup instructions -- ExUnit tests for message structure validation against test vectors -- 9 test vector validation tests (manifest loading, parsing, key material) -- Jason dependency for JSON parsing of test vector manifests -- Test fixtures documentation with setup instructions -- Basic encryption and decryption operations (#10) -- AES-GCM encryption/decryption module with AAD support -- EncryptionMaterials and DecryptionMaterials structs -- Encrypt module with framed/non-framed message support -- Decrypt module with header/body authentication -- Key commitment verification for committed algorithm suites -- Integration tests for encrypt/decrypt round-trips -- AES KeyWrap test support module [Unreleased]: https://github.com/riddler/aws-encryption-sdk-elixir/compare/v0.6.0...HEAD [0.6.0]: https://github.com/riddler/aws-encryption-sdk-elixir/compare/v0.5.0...v0.6.0 diff --git a/thoughts/shared/plans/2026-02-01-GH81-changelog-consolidation.md b/thoughts/shared/plans/2026-02-01-GH81-changelog-consolidation.md new file mode 100644 index 0000000..7440b23 --- /dev/null +++ b/thoughts/shared/plans/2026-02-01-GH81-changelog-consolidation.md 
@@ -0,0 +1,257 @@ +# CHANGELOG Consolidation Implementation Plan + +## Overview + +Simplify the CHANGELOG by consolidating related entries to reduce verbosity. Currently some versions have 30-50 items under 'Added' which makes the changelog difficult to scan. We'll consolidate to 5-10 major entries per version. + +**Issue**: #81 + +## Guidelines + +Per user requirements: +- **Target**: 5-10 major entries per version section +- **Test entries**: Completely remove (not user-facing) +- **PR/Issue references**: Keep at least one per feature group +- **Focus**: User-facing features, not internal implementation details +- **Breaking changes**: Keep visible and explicit + +## Current State Analysis + +| Version | Current "Added" Count | Target | +|---------|----------------------|--------| +| v0.6.0 | 36 entries | 5-10 | +| v0.5.0 | 32 entries | 5-10 | +| v0.4.0 | 25 entries | 5-10 | +| v0.3.0 | 14 entries | 5-10 | +| v0.2.0 | 14 entries | 5-10 | +| v0.1.0 | 24 entries | 5-10 | + +## Desired End State + +A CHANGELOG where: +- Each version has 5-10 entries under "Added" +- Major features are immediately scannable +- Test-related entries are removed +- PR/Issue references are preserved (one per feature group) +- Breaking changes remain explicit in "Changed" +- Format still follows [Keep a Changelog](https://keepachangelog.com/) standard + +## What We're NOT Doing + +- Changing version numbers or dates +- Removing "Changed", "Fixed", or "Removed" sections +- Altering the version comparison links at the bottom +- Adding new information not already present + +--- + +## Phase 1: Consolidate v0.6.0 + +### Current Entries (36 items) +Grouped by feature area: +- Streaming (12 entries): Stream module, Encryptor, Decryptor, SignatureAccumulator, APIs, options, modes +- Caching CMM (12 entries): CacheEntry, LocalCache, behaviors, TTL, limits, partitions +- Required EC CMM (8 entries): validation, constructors, integration +- Integration tests (4 entries): error tests, dispatch tests 
+ +### Proposed Consolidation (6 items) + +```markdown +### Added +- Streaming encryption and decryption APIs for memory-efficient processing of large data (#60) +- Caching CMM for reducing expensive key provider calls with TTL and usage limits (#61) +- Required Encryption Context CMM for enforcing critical AAD keys during encryption/decryption (#62) + +### Changed +- Integration tests now run by default in CI (#68) + +### Fixed +- KMS integration tests skip gracefully when AWS credentials unavailable (#68) + +### Removed +- Temporary coveralls-ignore markers (#68) +``` + +### Success Criteria +- [x] v0.6.0 has 3 entries under "Added" (down from 36) +- [x] All PR references preserved: #60, #61, #62, #68 +- [x] No test-specific entries remain + +--- + +## Phase 2: Consolidate v0.5.0 + +### Current Entries (32 items) +Grouped by feature area: +- AWS KMS Keyring (6 entries): core implementation, wrap/unwrap, MRK support, grants +- AWS KMS Discovery (6 entries): discovery keyring, filters, integration +- AWS KMS MRK (5 entries): MRK keyring, cross-region +- AWS KMS MRK Discovery (5 entries): MRK discovery, region reconstruction +- KMS Client abstraction (6 entries): behaviour, mock, ExAws impl +- KMS ARN utilities (10 entries): parsing, validation, MRK matching +- Documentation (4 entries): moduledocs, examples + +### Proposed Consolidation (5 items) + +```markdown +### Added +- AWS KMS Keyring for encrypting/decrypting data keys with AWS KMS (#48) +- AWS KMS Discovery Keyring for decrypt-only operations without specifying key ARN (#49) +- AWS KMS MRK Keyrings for cross-region Multi-Region Key decryption and disaster recovery (#50, #51) +- Multi-keyring enhancements: KMS generator validation, convenience constructors for MRK scenarios (#52) +- KMS client abstraction layer with ExAws implementation and mock for testing (#46, #47) + +### Changed +- Increased minimum code coverage requirement from 93% to 94% +``` + +### Success Criteria +- [x] v0.5.0 has 6 entries under 
"Added" (down from 32) +- [x] All PR references preserved: #46, #47, #48, #49, #50, #51, #52, #53 +- [x] Documentation entries folded into feature entries + +--- + +## Phase 3: Consolidate v0.4.0 + +### Current Entries (25 items) +Grouped by feature area: +- CMM behaviour (10 entries): callbacks, policies, validation, helpers +- Default CMM (10 entries): ECDSA, signing, verification, context handling +- Client encrypt (6 entries): APIs, policies, configuration +- Client decrypt (7 entries): APIs, validation, limits + +### Proposed Consolidation (5 items) + +```markdown +### Added +- CMM (Cryptographic Materials Manager) behaviour interface with commitment policy support (#36) +- Default CMM implementation with keyring orchestration and ECDSA signing (#37) +- Client module with encrypt/decrypt APIs and commitment policy enforcement (#38, #39) +- Support for all 17 algorithm suites including signing and non-signing variants +- EDK count limit enforcement (max_encrypted_data_keys configuration) + +### Changed +- Main API now recommends Client-based encryption workflow +- Renamed encrypt/decrypt to encrypt_with_materials/decrypt_with_materials +- Increased minimum code coverage requirement from 92% to 93% +``` + +### Success Criteria +- [x] v0.4.0 has 5 entries under "Added" (down from 25) +- [x] All PR references preserved: #36, #37, #38, #39 +- [x] Breaking changes in "Changed" remain explicit + +--- + +## Phase 4: Consolidate v0.3.0 + +### Current Entries (14 items) +Grouped by feature area: +- Multi-keyring (8 entries): generator, children, wrap/unwrap, nesting +- Raw RSA keyring (8 entries): padding schemes, PEM loading, wrap/unwrap + +### Proposed Consolidation (2 items) + +```markdown +### Added +- Multi-Keyring for composing multiple keyrings with generator and child key support (#28) +- Raw RSA Keyring with support for PKCS1 v1.5 and OAEP padding schemes (#27) + +### Changed +- Increased minimum code coverage requirement from 90% to 92% +``` + +### Success 
Criteria +- [x] v0.3.0 has 2 entries under "Added" (down from 14) +- [x] PR references preserved: #27, #28 + +--- + +## Phase 5: Consolidate v0.2.0 + +### Current Entries (14 items) +Grouped by feature area: +- Keyring behaviour (6 entries): callbacks, helpers, materials functions +- Raw AES keyring (5 entries): AES sizes, provider info, wrap/unwrap +- CI/release (6 entries): GitHub Actions, Codecov, /release skill + +### Proposed Consolidation (4 items) + +```markdown +### Added +- Keyring behaviour interface with on_encrypt/on_decrypt callbacks (#25) +- Raw AES Keyring with AES-128/192/256 support (#26) +- GitHub Actions CI workflow with Elixir 1.16-1.18 and OTP 26-27 test matrix (#15) +- `/release` skill for automated version releases (#30) + +### Changed +- Minimum Elixir version requirement from 1.18 to 1.16 +- Minimum OTP version requirement to 26 +``` + +### Success Criteria +- [x] v0.2.0 has 4 entries under "Added" (down from 14) +- [x] PR references preserved: #15, #25, #26, #30 + +--- + +## Phase 6: Consolidate v0.1.0 + +### Current Entries (24 items) +Grouped by feature area: +- Project setup (4 entries): license, contributing, readme, structure +- Algorithm suites (5 entries): definitions, lookups, predicates +- HKDF (4 entries): extract, expand, derive, vectors +- Message format (11 entries): header, body, footer, serialization +- Test vector harness (6 entries): harness, setup, parsing +- Encryption/decryption (6 entries): AES-GCM, materials, modules + +### Proposed Consolidation (6 items) + +```markdown +### Added +- Initial project structure with Apache License 2.0 and contribution guidelines (#20) +- Algorithm suite definitions for all 11 ESDK suites with commitment and signing support (#7) +- HKDF key derivation implementation per RFC 5869 (#8) +- Message format serialization supporting header v1/v2, framed/non-framed body, and footer (#9) +- Basic encryption and decryption operations with AES-GCM and key commitment (#10) +- Test vector harness 
for AWS Encryption SDK compatibility testing (#13) +``` + +### Success Criteria +- [x] v0.1.0 has 6 entries under "Added" (down from 24) +- [x] PR references preserved: #7, #8, #9, #10, #13, #20 + +--- + +## Final Verification + +After all phases complete: + +### Automated: +- [x] CHANGELOG.md is valid markdown (no syntax errors) +- [x] All version comparison links at bottom remain intact +- [x] `mix quality --quick` passes + +### Manual: +- [ ] Review consolidated changelog for clarity and readability +- [ ] Verify no important features were lost in consolidation +- [ ] Confirm breaking changes are still prominent + +## Summary Table + +| Version | Before | After | Reduction | +|---------|--------|-------|-----------| +| v0.6.0 | 36 | 3 | 92% | +| v0.5.0 | 32 | 5 | 84% | +| v0.4.0 | 25 | 5 | 80% | +| v0.3.0 | 14 | 2 | 86% | +| v0.2.0 | 14 | 4 | 71% | +| v0.1.0 | 24 | 6 | 75% | +| **Total** | **145** | **25** | **83%** | + +## References + +- Issue: #81 +- Keep a Changelog: https://keepachangelog.com/en/1.1.0/
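Review bot: In the first CHANGELOG.md hunk (`@@ -7,200 +7,58 @@`), several of the removed lines record security-relevant behaviour rather than implementation detail, and the consolidated entries no longer mention it. Examples are "fail_on_signed option to reject signed suites during streaming decryption" and "Deferred final frame release for signed suites (after signature verification)" under 0.6.0, "Non-MRK key filtering by region match for security" under 0.5.0, and "Default policy of :require_encrypt_require_decrypt (strictest)" under 0.4.0. The 0.4.0 "Changed" section also loses "Removed encryption context validation from Encrypt module", which is a behaviour change callers may depend on and is not a test or tooling entry. I would fold these into the surviving feature lines (for instance, name the default commitment policy in the #38/#39 entry and the signed-suite handling in the #60 entry) and keep the encryption context validation line under "Changed". Separately, the new 0.5.0 line "KMS client abstraction layer with ExAws implementation and mock for testing (#46, #47)" keeps the #47 reference but drops what #47 was, "KMS Key ARN utilities for parsing and validation", so the reference no longer matches the description.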
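Review bot: In the 0.1.0 hunk (`@@ -234,54 +78,12 @@`), the removed lines "Reserved key validation (aws-crypto-* prefix)", "Non-framed body serialization with 64 GiB limit" and "Deprecation warnings for NO_KDF suites" describe limits and checks that users of the library can observe, and the replacement entries for #7 and #9 do not carry them. Suggest extending those two lines, for example by adding the NO_KDF deprecation warning to the algorithm suite entry and the reserved-key validation and 64 GiB limit to the message format entry. The unchanged context line `## [0.1.0] - 2025-01-12` also sits a year before `## [0.2.0] - 2026-01-25` in the previous hunk; the plan rules out changing dates here, but it is worth confirming the year in a follow-up.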
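Review bot: The counts in the new plan file (thoughts/shared/plans/2026-02-01-GH81-changelog-consolidation.md) disagree with each other and with the CHANGELOG.md change in the same patch. Phase 2 is headed "Proposed Consolidation (5 items)" and its block lists five entries with no #53 line, yet its success criteria tick "v0.5.0 has 6 entries" and list #53 as preserved, the Summary Table records 5 for v0.5.0, and the CHANGELOG hunk adds six entries including the #53 documentation line. That also makes the ticked criterion "Documentation entries folded into feature entries" inaccurate, and the table total of 25 should be 26. Two smaller mismatches: the Phase 1 block omits "Coverage threshold adjusted from 94% to 92%", which the CHANGELOG keeps under 0.6.0 "Changed", and the per-area entry counts do not add up to the stated totals (the v0.5.0 groups sum to 42 against "32 items"). The Guidelines set a target of 5-10 entries per version, while v0.6.0, v0.3.0 and v0.2.0 end at 3, 2 and 4, so either the target or the success criteria should say that fewer is acceptable. Finally, "Verify no important features were lost in consolidation" is still unchecked under Manual; I would complete that check before merging, since the patch deletes the only detailed record of these entries.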