Patch release rolling up all post-v0.1.0 security, correctness, and CI
work. Full notes in CHANGELOG.md.

Highlights

• External pentest remediation (5 findings, 2 HIGH) — Strix.ai
• Audit #8 — 21 findings remediated, zero open vulnerabilities
• Thrift Correctness Phase — parquet-format 2.9.0 alignment, 47 new tests
• 73 → 92 enterprise compliance gaps — FIPS 140-3, EU AI Act, MiFID II, GDPR, DORA
• Performance — lock-free EventBus publish (~53 ns), FeatureReader RG cache (~0.14 μs cached get)
• Local KMS — additive `IKmsClient` interface for on-premise deployments
• CI — 17 jobs across Ubuntu / macOS / Windows MSVC / sanitizers / fuzz / mutation / codeql / sbom

Migration

• C++: no public API breaks
• Rust: `ParquetReader::schema()` now returns `SchemaRef<'a>` (lifetime-bound) — fixes a use-after-free (CWE-416). Existing `let s = reader.schema();` continues to compile; storing the schema beyond the reader'''s lifetime now fails at compile time as intended.

Tests

• 779 → 830 unit tests in the canonical `server-pq` build
• 844/844 passing in the `RelWithDebInfo + commercial` preset (PQ tests skipped without liboqs)

SBOM

CycloneDX and SPDX SBOMs attached as release assets (auto-generated by the SBOM workflow on tag push).

Verification

```bash
git clone https://github.com/SIGNETSTACK/SIGNET_FORGE.git
cd SIGNET_FORGE
git checkout v0.1.1
cmake --preset server-pq
cmake --build build-server-pq --target signet_tests
cd build-server-pq && ctest --output-on-failure
```

Signet Forge v0.1.0 — Initial Public Release

The first public release of Signet Forge — a standalone, header-only C++20 Parquet library purpose-built for AI/ML infrastructure, quantitative finance, and regulated industries. Zero mandatory dependencies. Post-quantum encryption. Sub-microsecond streaming. Compliance-native audit trails for MiFID II and the EU AI Act. No other Parquet library fills these gaps.

What Makes Signet Forge Different

Core Parquet Engine

• ParquetWriter / ParquetReader / MmapParquetReader — streaming write, random-access read, zero-copy mmap path
• 7 physical types — BOOLEAN, INT32, INT64, INT96, FLOAT, DOUBLE, BYTE_ARRAY, FIXED_LEN_BYTE_ARRAY
• 5 encodings — PLAIN, RLE/Bit-Packing Hybrid, DELTA_BINARY_PACKED, BYTE_STREAM_SPLIT, RLE_DICTIONARY
• 4 compression codecs — Snappy (bundled, zero-dep), ZSTD, LZ4, Gzip (optional link)
• Column/offset index — predicate pushdown, page-level min/max statistics
• Split-block bloom filters — xxHash64, PME-encrypted bloom support
• CSV-to-Parquet converter — automatic type detection

Encryption & Post-Quantum Cryptography

• Parquet Modular Encryption (PME) — full spec: AES-256-GCM footer encryption + AES-256-CTR column data encryption
• Post-quantum KEM — Kyber-768 key encapsulation (NIST FIPS 203 candidate)
• Post-quantum signatures — Dilithium-3 digital signatures (NIST FIPS 204 candidate)
• X25519 key agreement — real RFC 7748 Montgomery ladder implementation
• Hybrid KEM — X25519 + Kyber-768 combined encapsulation (classical + post-quantum security)
• Key metadata serialization — TLV format with overflow guards

AI/ML Infrastructure

• FLOAT32_VECTOR(dim) logical type — SIMD-accelerated I/O for embedding vectors
• INT8/INT4 quantized vectors — on-read dequantization for compressed model weights
• Zero-copy tensor bridge — Parquet columns to ONNX OrtValue, Arrow ArrowArray, DLPack, NumPy buffer protocol
• Feature Store — FeatureWriter + FeatureReader with point-in-time correct as_of() lookups (12 us per entity)
• Event Bus — Vyukov MPMC ring (10.4 ns push+pop) + columnar ColumnBatch + three-tier topic router

Streaming WAL (Write-Ahead Log)

• WalWriter — fwrite-based, 339 ns per 32 B append, CRC-32 integrity on every record
• WalMmapWriter — mmap ring-buffer, ~38 ns per 32 B append, background segment pre-allocation
• WalReader — crash-safe recovery with truncated-record tolerance
• WalManager — segment rolling, compaction, lifecycle management
• StreamingSink — lock-free ring buffer to automatic row group flushing

Regulatory Compliance (BSL 1.1)

• SHA-256 audit chain — tamper-evident hash chain across row groups; any modification breaks the chain
• DecisionLogWriter / Reader — structured AI decision logging with strategy ID, confidence, feature snapshots
• InferenceLogWriter / Reader — ML inference audit trail (model version, input hash, output, latency)
• MiFID II RTS 24 Reporter — Annex I report generation in JSON, NDJSON, and CSV formats
• EU AI Act Reporter — Articles 12, 13, and 19 conformity assessment reports
• Row lineage tracking — monotonic row IDs with prev_hash chain for provenance

Language Bindings

• Python — 44 C++ API exports via pybind11, NumPy integration, 35 pytest tests
• Rust — C FFI layer + signet-forge-sys (unsafe) + signet-forge (safe wrapper), 10 tests
• WASM — Emscripten embind, drag-and-drop browser demo
• C FFI — portable C99 interface for any language with C interop

Quality & Security

• 394 unit tests — 100% passing across 17 test files
• 4 security hardening passes — 87 vulnerabilities identified and fixed across entire codebase
• 6 fuzz harnesses — libFuzzer on reader, Thrift parser, RLE, Delta, BSS, Dictionary encoders
• 59 enterprise benchmark cases — write/read throughput, WAL latency, encoding speed, feature store, MPMC ring, compliance reporters
• 11 CI jobs — Ubuntu + macOS + Windows MSVC + ASan + TSan + UBSan + server codecs (ZSTD/LZ4/Gzip) + post-quantum (liboqs) + fuzz + coverage + benchmarks
• Platform CSPRNG — arc4random_buf (macOS), getrandom (Linux) for IV generation
• Key-zeroing destructors — AES round keys and cipher adapter buffers wiped on destruction

Installation

include(FetchContent)
FetchContent_Declare(signet_forge
 GIT_REPOSITORY https://github.com/SIGNETSTACK/SIGNET_FORGE.git
 GIT_TAG v0.1.0)
FetchContent_MakeAvailable(signet_forge)
target_link_libraries(your_target PRIVATE signet::forge)

Full Changelog

See CHANGELOG.md for complete details.

License

• Core library: Apache 2.0
• AI audit & compliance tier: BSL 1.1 (converts to Apache 2.0 on January 1, 2030)