
Releases: microsoft/CCF

7.0.0

21 Apr 15:39
8e07d12


Release highlights: CCF 7.0.0 is a major release with significant architectural and API changes:

  • cchost has been removed. Each CCF application is now built as its own standalone binary. The add_ccf_app CMake function builds an executable; callers provide a main function and invoke ccf::run() (see samples/apps/main.cpp). The js_generic sample is now installed at /ccf/bin/js_generic. The separate "run" package is no longer published — only the -devel package is available.
  • Unified platform build. There is no longer a separate SNP or Virtual build. A single build auto-detects the platform at runtime, so the COMPILE_TARGET CMake option and per-platform release artifacts are gone.
  • Classic governance API removed. The legacy /gov endpoints (without an api-version query parameter), deprecated since 5.0.0, have been removed. All /gov endpoints now require passing an api-version query parameter. The most recent value is 2024-07-01.
  • COSE-only ledger signatures. Networks can start in COSE-only signing mode or transition from dual signing, and a new /receipt/cose endpoint returns COSE Sign1 receipts with Merkle proofs (see https://datatracker.ietf.org/doc/draft-ietf-cose-merkle-tree-proofs/18/ and https://datatracker.ietf.org/doc/draft-ietf-scitt-receipts-ccf-profile/01/ for a full specification).
  • Commit-aware endpoints. Endpoints can now defer their HTTP response until the transaction reaches a terminal consensus state (committed or invalidated), with optional inline receipt construction at commit time.
  • Improved snapshot management. Backup nodes can auto-fetch snapshots from the primary, snapshots can be scheduled by wall-clock interval, and new file-cleanup options automatically prune old ledger chunks and snapshots.

Developer API

C++

Added
  • Added support for endpoints that defer their HTTP response until the submitted transaction reaches a terminal consensus state (committed or invalidated). A set_consensus_committed_function() call on the RpcContext registers a callback invoked once the transaction is globally committed or invalidated. The callback receives a CommittedTxInfo& struct (containing rpc_ctx, tx_id, status, write_set_digest, commit_evidence, claims_digest). See the logging sample app (/log/private/optional_commit and /log/blocking/private) for example usage (#7562, #7785).
  • Added support for inline transaction receipt construction at commit time. Endpoint authors can use build_receipt_for_committed_tx() to construct a full TxReceiptImpl from the CommittedTxInfo passed to their consensus committed callback. See the logging sample app (/log/blocking/private/receipt) for example usage (#7785).
  • Added COSEVerifier::verify_decomposed() method that accepts pre-parsed COSE_Sign1 components, bypassing envelope parsing.
  • Added ccf::describe_cose_receipt_v1(receipt) to obtain COSE receipts with Merkle proof (#7700).
  • Added make_cose_verifier_from_pem_cert() and make_cose_verifier_from_der_cert(). The existing make_cose_verifier_cert() is renamed to make_cose_verifier_any_cert() (#7768).
  • NetworkIdentitySubsystemInterface now exposes get_trusted_keys(), returning all trusted network identity keys as a TrustedKeys map (#7690).
  • Added ccf::IdentityHistoryNotFetched exception type to distinguish identity-history-fetching errors from other logic errors in the network identity subsystem (#7708).
Changed
  • cchost is removed, and each application now provides its own executable. CCF nodes no longer contain a separate cchost executable and enclave library (.so) file. Each former enclave library is now its own executable. The js_generic sample app is now an executable installed at /ccf/bin/js_generic. The add_ccf_app function in CMake now builds an executable rather than a library — the caller should provide a main function and call ccf::run() from include/ccf/run.h to start the node (see samples/apps/main.cpp for a minimal example).
  • Crypto interface refactored for RSA and EC keys (#7425):
      • ccf::crypto::PublicKey becomes ccf::crypto::ECPublicKey.
      • ccf::crypto::KeyPair becomes ccf::crypto::ECKeyPair.
      • Error-prone inheritance between RSA and EC key classes has been removed.
      • RSA keys no longer re-use CSR functionality from the EC key interface.
  • set_consensus_committed_function() has moved from an endpoint-registration-time decorator to a runtime call on ctx.rpc_ctx->set_consensus_committed_function(). The callback signature now receives a CommittedTxInfo& struct instead of individual arguments. This allows the same endpoint to conditionally block until committed based on per-request state. ccf::endpoints::default_respond_on_commit_func has been removed from the public API; a sample implementation is provided in the logging and basic sample apps (#7785).
  • In the C++ API, get_txid() on ccf::kv::ReadOnlyStore has been renamed to current_txid() (#7477).
  • ccf::crypto::HashProvider::Hash() has been renamed to ccf::crypto::HashProvider::hash() (#7660).
  • ccf::historical::verify_self_issued_receipt now verifies COSE CCF receipts against the current service identity, including receipts signed by past service identities if they were back-endorsed (#7494, #7546).
  • Application code (in both C++ and JS) can now access the current time directly, with no concept of enclave time vs untrusted host time.
  • Application logging no longer traverses the ringbuffer and is now immediately sent to stdout. The format of CCF's stdout logging has changed: alignment padding for enclave timestamps has been removed (#7491).
Removed
  • ccf::historical::adapter_v3 has been removed; use ccf::historical::read_only_adapter_v4 and ccf::historical::read_write_adapter_v4 instead (#7553).
  • Removed CHECK0() from ccf::crypto::OpenSSL in the public header openssl_wrappers.h (#7817).
  • Removed aes_gcm_encrypt(), aes_gcm_decrypt(), and default_iv from ccf::crypto (#7811).
  • Removed get_responder() from the public ccf::RpcContext API and made http_responder.h a private header (#7818).
  • Removed ccf::crypto::openssl_sha256_init() and ccf::crypto::openssl_sha256_shutdown() (#7251).
  • Removed the ccf/pal/hardware_info.h header (#7117).
  • Removed the make_[read_only_]endpoint_with_local_commit_handler methods on EndpointRegistry (#7487).
Deprecated
  • get_untrusted_host_time_v1 in the C++ API is deprecated, and will be removed in a future release.

TypeScript/JavaScript

  • Added toArrayBuffer to ccfapp/utils which converts ArrayBufferLike to ArrayBuffer (#7171).
  • Removed the unused experimental ccf.host.triggerSubprocess() JS API.
  • ccf.enableUntrustedDateTime in the JS API is deprecated, and will be removed in a future release.

Governance

Added

  • Added ccf.gov.validateConstitution function to the JS API for validating basic properties of a proposed constitution. This is called in the default sample constitution's set_constitution.validate.

Removed

  • The classic governance API which was deprecated in 5.0.0 has been removed. Any operations under /gov which do not take an api-version query parameter are no longer available.
  • Removed fallback JWT authentication (#7442). It is recommended to clean up old tables for services started before 6.x — see cleanup_legacy_jwt_records proposal in the default sample constitution.

Operations

Added

  • Added support for COSE-only ledger signatures. Networks can start in COSE-only mode or transition from dual signing; see the documentation for details (#7772).
  • Backup nodes can now be configured to automatically fetch snapshots from the primary when snapshot evidence is detected. This is controlled by the snapshots.backup_fetch configuration section, with enabled, max_attempts, retry_interval, max_size and target_rpc_interface options. The target RPC interface must have the SnapshotRead operator feature enabled. Snapshot fetching occurs in response to a StartupSeqnoIsOld error during join, and fetched snapshots are verified before use (#7314, #7630).
  • Added time-based snapshot scheduling. Snapshots can now be triggered after a configurable wall-clock interval (snapshots.time_interval) elapses, in addition to the existing transaction-count threshold (snapshots.tx_count). A new snapshots.min_tx_count option (default 2) sets the minimum number of transactions required before a time-based snapshot fires (#7731).
  • Added files_cleanup.max_committed_ledger_chunks configuration option to limit the number of committed ledger chunk files retained in the main ledger directory. When exceeded, the oldest chunks are automatically deleted, but only after verifying that an identical copy exists in at least one ledger.read_only_directories entry. At least one read-only ledger directory must be configured; the node will refuse to start otherwise. See documentation for details.
  • Added files_cleanup.max_snapshots configuration option to limit the number of committed snapshot files retained on disk. When exceeded, the oldest snapshots are automatically deleted. The value must be at least 1 if set.
  • Added files_cleanup.interval configuration option (default "30s") to periodically scan and delete old committed snapshots exceeding max_snapshots.
  • Added POST /node/snapshot:create, gated by the SnapshotCreate RPC interface operator feature, to create a snapshot via an operator endpoint rather than a governance action.
  • Added experimental self-healing recovery (recovery-decision-protocol) for automatically transitioning-to-open during disaster reco...
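As an added illustration (not taken from the CCF repository or its documentation), a node configuration fragment that combines the snapshot and file-cleanup options listed above. The nesting of backup_fetch under snapshots and of files_cleanup as a top-level section follows the dotted option names in these notes and is an assumption, as are all values and the interface name primary_rpc_interface.

```json
{
  "ledger": {
    "directory": "ledger",
    "read_only_directories": ["ledger_archive"]
  },
  "snapshots": {
    "directory": "snapshots",
    "tx_count": 10000,
    "time_interval": "600s",
    "min_tx_count": 2,
    "backup_fetch": {
      "enabled": true,
      "max_attempts": 5,
      "retry_interval": "10s",
      "max_size": "512MB",
      "target_rpc_interface": "primary_rpc_interface"
    }
  },
  "files_cleanup": {
    "interval": "30s",
    "max_snapshots": 3,
    "max_committed_ledger_chunks": 20
  }
}
```

max_committed_ledger_chunks is only accepted because read_only_directories is non-empty: a committed chunk is deleted only once an identical copy exists in ledger_archive, and a node with this key but no read-only ledger directory refuses to start. target_rpc_interface must name an interface on which the SnapshotRead operator feature is enabled, otherwise backup_fetch cannot retrieve snapshots.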

7.0.0-rc2

16 Apr 21:19
515e2d6


Pre-release

Added

  • Added support for COSE-only ledger signatures. Networks can start in COSE-only mode or transition from dual signing (#7772).
  • Added /receipt/cose endpoint returning a COSE Sign1 receipt with Merkle proof for a given transaction. Returns 404 if no COSE receipt is available (e.g. for signature transactions) (#7772).

Changed

  • set_consensus_committed_function() has moved from an endpoint-registration-time decorator (Endpoint::set_consensus_committed_function()) to a runtime call on the RPC context (ctx.rpc_ctx->set_consensus_committed_function()). This allows the same endpoint to conditionally block until committed based on query parameters, headers, or other per-request state. The endpoint-level method has been removed. See the logging sample app (/log/private/optional_commit) for example usage.

Removed

  • Removed CHECK0() from ccf::crypto::OpenSSL in the public header openssl_wrappers.h (#7817).
  • Removed aes_gcm_encrypt(), aes_gcm_decrypt(), and default_iv from ccf::crypto (#7811).
  • Removed get_responder() from the public ccf::RpcContext API and made http_responder.h a private header (#7818).
  • Removed the /node/memory endpoint. This endpoint was originally useful for monitoring SGX enclave memory usage, which is no longer relevant now that SGX support has been removed.

7.0.0-rc1

01 Apr 12:20
fa20ef7


Pre-release

Added

  • Added support for inline transaction receipt construction at commit time. Endpoint authors can use build_receipt_for_committed_tx() to construct a full TxReceiptImpl from the CommittedTxInfo passed to their ConsensusCommittedEndpointFunction callback. See the logging sample app (/log/blocking/private/receipt) for example usage (#7785).

Changed

  • The ConsensusCommittedEndpointFunction callback signature now receives a CommittedTxInfo& struct (containing rpc_ctx, tx_id, status, write_set_digest, commit_evidence, claims_digest) instead of individual arguments. This enables commit callbacks to construct receipts inline (#7785).
  • ccf::endpoints::default_respond_on_commit_func has been removed from the public API. A sample implementation is provided in the logging and basic sample apps (#7785).

Deprecated

  • snapshots.read_only_directory configuration option is deprecated and will be removed in a future release. A warning will be logged if this option is set at startup. Use snapshots.backup_fetch to have backup nodes automatically fetch snapshots from the primary node instead.

7.0.0-rc0

30 Mar 10:57
e1dd74b


Pre-release

Added

  • Added files_cleanup.max_snapshots configuration option to limit the number of committed snapshot files retained on disk. When the number of committed snapshots exceeds this value, the oldest snapshots (by sequence number) are automatically deleted. The value must be at least 1 if set.
  • Added files_cleanup.interval configuration option (default "30s") to periodically scan the snapshot directory and delete old committed snapshots exceeding max_snapshots. This ensures backup nodes (which receive snapshots via backup_fetch) also prune old snapshots. Only effective when max_snapshots is set.
  • Added POST /node/snapshot:create, gated by the SnapshotCreate RPC interface operator feature, to create a snapshot via an operator endpoint rather than a governance action.
  • Added make_cose_verifier_from_pem_cert() and make_cose_verifier_from_der_cert() that accept certificates in a known format. The existing make_cose_verifier_cert() is renamed to make_cose_verifier_any_cert() (#7768).

Changed

  • The since query parameter on the GET /node/snapshot endpoint now uses closed (inclusive) semantics, consistent with the since parameter on GET /node/ledger_chunk. A request with ?since=N will now return snapshots with index greater than or equal to N, rather than strictly greater than N (#7742).

6.0.27

26 Mar 15:27
e7813a8


Added

  • Backport the SnapshotCreate operator feature to preserve LTS compatibility on join with #7767 (#7773).

6.0.26

23 Mar 20:33
8d3e6d5


Fixed

  • Fixed cache size calculations for historical queries, resolving a bug where signature transactions could become orphaned and fill the cache's useful space, resulting in incoming user-requested stores being immediately evicted (#7755).

7.0.0-dev13

20 Mar 16:41
02c438d


Pre-release

Added

  • Added time-based snapshot scheduling. Snapshots can now be triggered after a configurable wall-clock interval (snapshots.time_interval) elapses, in addition to the existing transaction-count threshold (snapshots.tx_count). A new snapshots.min_tx_count option (default 2) sets the minimum number of transactions required before a time-based snapshot fires. Snapshot timing state is replicated to backups via a new public:ccf.internal.snapshot_status internal table (#7731).
  • Added support for endpoints that defer their HTTP response until the submitted transaction reaches a terminal consensus state (committed or invalidated). Endpoint authors can call set_consensus_committed_function() when installing an endpoint to register a callback that is invoked once the transaction is globally committed or invalidated. The callback receives the ccf::TxID and a ccf::FinalTxStatus (either Committed or Invalid), and may inspect or modify the response before it is sent. A built-in ccf::endpoints::default_respond_on_commit_func is provided that returns the original response on commit, or an error on invalidation. See the logging sample app (/log/blocking/private) for example usage (#7562).

Fixed

  • Fixed the Turin SEV-SNP CPUID mapping used for product detection (#7748).

6.0.25

20 Mar 11:08
872919b


Added

7.0.0-dev12

12 Mar 14:44
5728b8d


Pre-release

Added

  • Backup nodes can now be configured to automatically fetch snapshots from the primary when snapshot evidence is detected. This is controlled by the snapshots.backup_fetch configuration section, with enabled, max_attempts, retry_interval, max_size and target_rpc_interface options. Note that the target RPC interface selected must have the SnapshotRead operator feature enabled.
  • Added ccf::IdentityHistoryNotFetched exception type to distinguish identity-history-fetching errors from other logic errors in the network identity subsystem (#7708).
  • Added ccf::describe_cose_receipt_v1(receipt) to obtain COSE receipts carrying a Merkle proof in the unprotected header for non-signature transactions, and an empty unprotected header for signature transactions (#7700).
  • NetworkIdentitySubsystemInterface now exposes get_trusted_keys(), returning all trusted network identity keys as a TrustedKeys map (#7690).
  • Added support for self-transparent code update policies (#7681).

Changed

  • On recovery, the UVM descriptor SVN is now set to the minimum of the previously stored value in the KV and the value found in the new node's startup endorsements. On start, the behaviour is unchanged (#7716).
  • Refactored the user-facing surface of self-healing-open and local sealing. The whole feature is now sealing-recovery, with self-healing-open now referred to as the recovery-decision-protocol (#7679):
      • Local sealing is enabled by setting the sealing-recovery config field (for both the sealing node and the unsealing recovery node).
      • The local sealing identity is under sealing-recovery.location.name.
      • The recovery-decision-protocol is configured via sealing-recovery.recovery_decision_protocol.
  • Snapshots now carry COSE receipts; JSON receipts are no longer included (#7711).

6.0.24

11 Mar 04:19
de7b364


Fixed

  • Fix race condition when initialising a ledger secret's commit secret (#7689).
  • Add missing cases for FailedInvalidCPUID and FailedInvalidTcbVersion in quote verification error handling (#7696).
  • On recovery, the UVM descriptor SVN is now set to the minimum of the previously stored value in the KV and the value found in the new node's startup endorsements. On start, the behaviour is unchanged (#7716).