SPIKE Changelog

Recent

TBD

SPIKE Nexus now accepts dynamic number of SPIKE Keepers and Shamir share threshold (defaults to 3 keepers, and minimum 2 shares (out of 3) to recreate the root key).
Started containerization work (created a Dockerfile); yet it’s far from complete: We will work on that.
Various documentation updates.
Minor bug fixes in initialization scripts.

Secrets now rehydrate from the backing store immediately after SPIKE Nexus crashes. Former implementation was using an optimistic algorithm (i.e., do not load the secret unless you need it), yet that was causing calls to spike secret list return an empty collection. This implementation fixes that issue, and also ensures that SPIKE Nexus’ memory continues to be the primary source of truth (by design).

SPIKE Nexus now securely erases old root key and shards from memory after it is no longer needed. Before, it was left the the garbage collector to handle that. The current approach is NIST recommendation and provides better memory protection.
Fixed CVE-2025-271447: DoS in go-jose Parsing

This release was focused around bugfixes, stability, documentation, and disaster recovery.

Documentation: SPIKE Production Hardening Guide is complete and ready for consumption (it was in draft mode before).
Implemented spike operator recover and spike operator restore commands that provide disaster recovery capabilities if there is a total system crash and the remaining SPIKE Keepers are less than the threshold to recover the root key.
Several bugfixes and performance improvements.
Added coverage report to the repository. The coverage is not as high as we would like to be; yet we have to start somewhere :).
Added several architectural decision records to share the projects vision and design decisions transparently.
Started working on containerization (though it’s still a work in progress).

SPIKE Website has undergone a major overhaul.
Documentation updates, especially around security and disaster recovery.
Documentation is now consistent with the code: Removed outdated sections, introduced new modules, explained current workflows and state transitions.
Moved documentation from Docsify to Zola, that gave, speed, flexibility, templateability, and consistency to the overall documentation.
Significant updates in SPIKE go SDK.

Enabled policy-based access control.
The root key that SPIKE Nexus generates is now split into several Shamir shards and distribute to SPIKE Keepers.
New additions and improvements to SPIKE Go SDK.
Various minor bugfixes.
Code cleanup.
Implemented several recovery scenarios.
SPIKE now has static analysis, CI integration, linting, and automated tests.
Documentation updates. Documentation is still lagging behind, but we are updating and improving it along the way.
Created a makefile to group related scripts into make targets.
Made the start script more robust.
Ensured that the policies and the demo app work as expected.
Implemented a Secret Metadata API.
Implemented exponential retries across several API-consuming methods.

BREAKING: changed the CLI usage. Instead of spike get, for example, we now use spike secret get. The reason for this change is that we introduced a policy command (i.e. spike policy get).

Removed password authentication for admin users. Admin users’ SVIDs are good enough to authenticate them.
Implemented passwordless admin login flow (the neat thing about passwords is: you don’t need them).

Implemented put, read, delete, undelete, and list functionalities.
Created initial documentation, README, and related files.
Compiled binaries targeting various platforms (x86, arm64, darwin, linux).
SPIKE is demoable, however we need to update certain login and initialization flows.
In memory secrets storage only (using database as a backing store is coming up next)
Created a jira.txt to track things (to avoid polluting GitHub issues unnecessarily)
This is an amazing start; more will come. Turtle power 🐢⚡️.