TKeeper

v2.0.0 Breaking

This release includes 5 breaking changes for platform teams planning a safe upgrade.

Published 21d MCP Security & Auth
✓ No known CVEs patched

Topics

ai-agents ai-security bitcoin cryptography custody ecdsa
high-risk java key-management kms mpc schnorr taproot threshold-cryptography threshold-signatures tss

Affected surfaces

auth rbac breaking_upgrade

Summary

AI summary

Broad release touches Build and Packaging, Quorum Modes, New Capabilities, and Integration and Testing.

Full changelog

TKeeper moved from “sign arbitrary bytes” to an authority-bound signing model.
This is a major release with API, SDK, build, and runtime changes.

Highlights

  • Introduced authority-bound key usage with policy evaluation before crypto operations.
  • Added command artifact signing flow (arbitrary, typed, evm, bitcoin, x509).
  • Added mono quorum mode (1-of-1) and promotion to threshold.
  • Split optional capabilities into feature modules.
  • Updated SDK to 2.0.0 for the new API model.
  • Migrated crypto foundation from tss4j references to Anvil stack.
  • TKeeper now supports only Java 25+ runtimes.

Breaking Changes

  • POST /sign no longer accepts standalone hash + algorithm in the old shape.
  • Key authorities now must be either:
      • arbitrary only, or
      • one or more concrete authorities
  • Mixing arbitrary with concrete authorities is rejected.
  • API surface standardized under /v2 endpoints.
  • SDK naming changes:
      • SigMethod replaced by SigScheme
  • New authority and command artifact models required in request payloads.

New Capabilities

  • New command artifacts:
      • ArbitraryData
      • TypedData
      • UnsignedEvmTransaction
      • UtxoInput
      • TBSDerEncoded
  • New endpoint:
      • POST /v2/keeper/quorum/promote
  • Trusted Dealer improvements:
      • authority-aware import
      • metadata/commitment persistence parity with DKG-generated keys
      • mono mode support

Quorum Modes

  • Added explicit QuorumMode:
      • mono (1-of-1)
      • threshold (t-of-n)
  • Added mono-specific flows for:
      • key generation
      • signing sessions
      • ECIES decrypt
      • destroy lifecycle
  • Added promotion flow from mono to threshold:
      • creates next generation
      • redistributes key material to peer shares
      • rewrites local init data
      • requires restart
      • one-way migration (no rollback to mono)

Build and Packaging

  • Optional capabilities extracted into runtime feature modules:
      • authority-evm
      • authority-bitcoin
      • authority-x509
      • ecies
      • seal-aws
      • seal-gcloud
      • ui
      • integration-only:
          • failure-injection
  • Feature selection via Gradle properties:
      • -Pkeeper.features=...
      • -Pkeeper.feature.<name>=true
      • -Pkeeper.docker.features=...
  • Added shadowJarIntegration for integration builds with test-only feature injection.
  • Docker flow now expects prebuilt jar at build/docker/tkeeper.jar (no in-container jar build).
  • Runtime/toolchain upgrades:
      • Java 25 for runtime build
      • Gradle wrapper update
      • modern Shadow plugin migration

SDK 2.0.0

  • Updated models and modules to authority/command flow.
  • Added quorum promotion models and module.
  • Updated Generate, Store, Sign, Verify, Import.
  • Added new error coverage and authority-aware request types.

Security and Policy

  • Authority policy is evaluated before sensitive operations.
  • Added protections for:
      • authority mismatch attempts
      • partial peer policy tampering scenarios
      • arbitrary vs concrete authority misuse
  • Audit now includes policy evaluation context for authority decisions.

Integration and Testing

  • Integration tests split into:
      • functional
      • performance
  • Added coverage for:
      • authority policies and effects
      • EVM/Bitcoin/X509 payload handling
      • four-eye/time-policy edge cases
      • trusted dealer + import lifecycle
      • mono mode and promotion
      • byzantine/failure injection scenarios
      • ECIES mono/threshold paths

Documentation and OpenAPI

  • OpenAPI updated for /v2 model and new request/response schemas.
  • Documentation expanded across docs/:
      • overview
      • authorities
      • signing
      • key lifecycle
      • trusted dealer
      • ECIES
      • security quorum mode guidance
      • build/docker flows
      • threat model links and structure refresh
