v0.4.9

Highlights

This release lands the NIP-55 / NIP-46 signer policy surface in the audited Rust core (mobile platforms previously duplicated this in Kotlin), plus NIP-55 interop features and the NIP-44 v3 cipher.

• Signer policy moved into Rust (RMP): permission decision + sensitive-kind duration clamp + expiry (#594), keyed-HMAC tamper-evident audit chain + verification (#595), caller trust-on-first-use decision + challenge-nonce store (#596), persistent SigningRateLimiter over a storage callback with monotonic/wall-clock survival (#598), front-door rate limiter + request-count velocity policy (#599), and the NIP-46 bunker rate limiter — global + per-client + exponential backoff (#600).
• NIP-55 interop: Amber-compatible batch / multi-event results wire format (#601), get_public_key permissions-array parsing into declared grants (#602), and NIP-42 (kind 22242) relay-host extraction + relay-auth whitelist gate (#603).
• NIP-44 v3: kind/scope-aware (context-bound) encrypt/decrypt cipher in keep-core, verified byte-for-byte against the nostr-land/nip44v3 draft test vectors (#605).
• NIP-46 grants: persist bunker remember-grants with the engine as the single source of truth (#593); drop the silent NIP-98 grant in favor of prompt-on-first-use with a remember-duration (#592).
• Security fixes: enclave fail-closed PCR matching — ExpectedPcrs required by construction (#590), FROST refuses a partial refresh_shares to prevent silent share orphaning (#589), and password rotation verifies the old password when unlocked + audits every failure path (#588).

Install

• CLI / Desktop: download the asset for your platform from the Assets section below.
• StartOS: bundled via keep-startos.
• Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.8...v0.4.9

v0.4.8

Highlights

• Production race fixes in ECDH (#562) and signing (#570) coordination: subscribe() now happens before publishing, so a fast cosigner's response can no longer fire before the requester is listening (which previously stalled until the 30s timeout).
• Persistent NIP-46 grants CLI — keep nip46 apps / grant / revoke (#506), hidden-vault grant support (#514), and a bunker auto-approval + transport-key persistence fix (#574).
• Audit-log expansion covering rotate_password / rotate_data_key (#578), RateLimitTripped on next successful unlock (#521), hidden-vault outer-volume audit (#538, #540), and a richer audit stats (#528).
• Mutation-testing campaign (#417) closed out across signing / ECDH / descriptor / PSBT / NIP-46 with end-to-end MockRelay integration tests for each.
• FROST coordination: fast failover on co-signer timeout (#505), frost-network sign-event end-to-end software path (#523), opt-in RefuseRawSignatureHooks (#530).
• Dependency bumps: frost 3.0 (#585) and signature 3.0 (#548).

Install

• CLI / Desktop: download the asset for your platform from the Assets section below.
• StartOS: bundled via keep-startos.
• Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.7...v0.4.8

v0.4.7

Highlights

• Automated fund sweep on descriptor migration (#391): when a wallet descriptor is migrated to a new version, keep can coordinate moving funds from the OLD descriptor's recovery output into the NEW descriptor's primary address.
• Bounded multi-event pre-approval cache (#397): NIP-46 sessions can stage multiple authorizations within a 100-event cap and 5-minute TTL without unbounded growth.
• Single-party FROST sign + ECDH refinements: eliminates a stale-cosigner edge case in the local-quorum signing path.

Install

• CLI / Desktop: download the asset for your platform from the Assets section below.
• StartOS: bundled via keep-startos.
• Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.6...v0.4.7

v0.4.6

Highlights

• Multi-group co-signer: the keep-web co-signer no longer crashes when the vault holds more than one FROST group. It auto-selects a group to serve, and the Web Admin's Shares section can switch which group is served (single-flight, no-op on re-select).
• Default relay → wss://bucket.coracle.social (reliable FROST coordination), pre-populated in the UI.
• Desktop About section added.

Install

• CLI / Desktop: download the asset for your platform from the Assets section below.
• StartOS: bundled via keep-startos.
• Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.5...v0.4.6

v0.4.5

Highlights

• Co-signer reliability: accurate online/offline peer presence (no more stale "online" status after disconnects) and a stale_nonce fallback in keep-frost-net so a co-signer whose nonce pool went stale recovers automatically on the next round instead of failing the request.

Install

• CLI / Desktop: download the asset for your platform from the Assets section below.
• StartOS: bundled via keep-startos.
• Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.4...v0.4.5

v0.4.4

Highlights

• Restored pre_approve_nostr_event binding for keep-mobile: pre-approval of NIP-46 events on Android works again end-to-end.

Install

• CLI / Desktop: download the asset for your platform from the Assets section below.
• StartOS: bundled via keep-startos.
• Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.3...v0.4.4

v0.4.3

Highlights

• keep-web Web Admin UX: decluttered activity feed and a prominent approval bar so pending bunker approvals stay visible without scrolling.

Install

• CLI / Desktop: download the asset for your platform from the Assets section below.
• StartOS: bundled via keep-startos.
• Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.2...v0.4.3

v0.4.2

Highlights

• Fix bunker connect for real NIP-46 clients (#405): keep-nip46 / keep-web now handshake correctly against external NIP-46 clients (Amber, nostr-tools, etc.).

Install

• CLI / Desktop: download the asset for your platform from the Assets section below.
• StartOS: bundled via keep-startos.
• Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.1...v0.4.2

v0.4.1

Highlights

• keep-web peer online/offline status surfaced in the activity feed so operators can see at a glance which co-signers are reachable.

Install

• CLI / Desktop: download the asset for your platform from the Assets section below.
• StartOS: bundled via keep-startos.
• Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.4.0...v0.4.1

v0.4.0

Highlights

• keep-web: always-on network-FROST co-signer daemon (#394) shipped, with auth hardening + WS tickets (#398), polished setup-status UI + tooltips + click-to-copy + signing-log export (#401), active-share delete + multi-relay + login (#402).
• Recovery-tier PSBT signing flow (#388): coordinated script-path spends for recovery tiers through the Wallet Descriptor Coordination protocol.
• Descriptor versioning and migration (#387, #353): wallet descriptors carry a version chain; sessions persist across node restarts.
• Nonce pre-exchange for instant signing (#390): co-signers can stage nonces in advance so the actual signing round completes in one round-trip.
• NIP-46 hardware register_wallet + get_device_info (#369, #386): hardware signers can register wallets and report device kind/fingerprint.
• License switched from AGPL-3.0 to MIT (#324).
• BIP-39 mnemonic + NIP-06 key derivation (#352).
• JSON export for audit logs (#360).

Install

• CLI / Desktop: download the asset for your platform from the Assets section below.
• StartOS: bundled via keep-startos.
• Build from source: see the README.

Verify

sha256sum -c SHA256SUMS

Full changelog

v0.3.0...v0.4.0