Releases: tinyland-inc/tummycrypt

tcfs v0.11.0 — E2E Encrypted Fleet Sync

07 Apr 22:32

Highlights

E2E Encrypted Sync Pipeline

  • Push: file → FastCDC → XChaCha20-Poly1305 encrypt → BLAKE3 hash → S3
  • Pull: S3 → decrypt → verify → byte-identical roundtrip
  • Per-file random keys wrapped by master key (Argon2id-derived)

Fleet Sync via NATS JetStream

  • DeviceOnline/Offline lifecycle events
  • FileSynced events trigger auto-pull on remote devices
  • Vector clock conflict detection with AutoResolver
  • Bi-directional sync verified: neo (macOS) ↔ honey (Rocky Linux RKE2)

Security

  • Breaking: Removed SHA-256 KDF path (Jesssullivan#174) — crypto.key_derivation replaced by crypto.kdf_salt
  • Short passphrases require per-vault random salt
  • Config.toml authoritative for nats_url over env var

Testing

  • 418 tests across workspace (0 failures)
  • New E2E suite: fleet_live, encrypted_roundtrip, push_pull_roundtrip, vfs_e2e
  • Per-crate tests: cli, file-provider, tui, vfs, daemon

Infrastructure

  • Tailscale K8s operator on honey RKE2 exposes SeaweedFS + NATS
  • CIVO fleet endpoints retired

Closes Jesssullivan#174