build: release 5.16.0 #715

Merged: Manuthor merged 2 commits into develop from release/5.16.0 on Feb 15, 2026
@Manuthor (Contributor) commented Feb 15, 2026

[5.16.0] - 2026-02-04

🚀 Features

  • Add PQC hybridized KEM support via cosmian_cover_crypt:
    • The Cosmian KMS supports Post-Quantum Cryptography (PQC) hybridized Key Encapsulation Mechanisms (KEM)
      via the cosmian_cover_crypt crate. This crate provides
      a configurable KEM framework that can operate in pure classical, pure post-quantum, or hybrid mode
      by combining a pre-quantum KEM with a post-quantum KEM through a KEM combiner (using SHA-256).
    • Server supports CreateKeyPair for Configurable-KEM and Encrypt/Decrypt encapsulation/decapsulation flows.
  • Add server-side KMIP algorithm policy allowlists (enforcement via kmip.policy_id and [kmip.allowlists]) #700
    • kmip.policy_id selects a policy (case-insensitive):
      • DEFAULT: built-in conservative allowlists (e.g., SHA-2/3, P-256/P-384/P-521 + Curve25519/448, AEAD/wrapping modes, OAEP/PSS/PKCS5, RSA 3072/4096).
      • CUSTOM: enforce the allowlists you set under [kmip.allowlists].
    • If kmip.policy_id is unset, the KMIP policy layer is disabled.
    • None vs [] semantics (for each allowlist): None means "no restriction", while an empty list [] means "deny all" when enforcement is enabled.
  • (UI) Runtime branding support via /ui/branding.json (title, theme, and favicon resolved before React renders)
    • Theme asset support under /ui/themes/<theme>/... with Ant Design token overrides
    • Replace the example theme favicons with neutral, non-Cosmian icons
    • (docs) Add post-install UI branding / theme override guide (paths under /usr/local/cosmian/ui/dist/)
    • (packaging) Include nested UI theme assets in linux packages (recursive dist/**/* globs)
    • (nix) Stage and validate UI dist/ content during packaging (checks index.html, assets/, themes/, branding.json)

🐛 Bug Fixes

  • Fix SQL Locate request for OpenTelemetry metrics collector (fix: OpenTelemetry metrics collector - fix Locate query #694):
    • Refactored SQL Locate query building in locate_query.rs to use bound, typed parameters (LocateQuery + LocateParam) instead of interpolating values into SQL (safer + fixes type/cast handling across SQLite/Postgres/MySQL).
    • Updated the SQL backends to consume the new LocateQuery API: crate/server_database/src/stores/sql/{mysql,pgsql,sqlite}.rs.
    • Improved DB test error context in json_access_test.rs to make failures easier to diagnose.
    • OpenTelemetry wiring updates:
      • mod.rs: add OTEL resource attributes (service name/version + optional environment).
      • otel_metrics.rs: ensure active_keys_count time series exists even when 0.
      • cron.rs: fall back to default username if hsm_admin is empty.
  • Fix regression on KMIP 1.0 (Fresh and InitialDate attributes) (fix: KMIP 1.0 does not support Fresh attribute #689)
  • Fix Linux packaging smoke tests when the host has /etc/cosmian/kms.toml present by running with an explicit temp config.
  • Make OpenTelemetry export tests resilient under FIPS Nix shells by running curl in a clean environment (avoid inherited OpenSSL/LD overrides).
  • (ui) Azure BYOK export (fix(ui): Azure BYOK export #697)

⚙️ Build

📚 Documentation

@Manuthor Manuthor changed the title from "build: release 5.15.0" to "build: release 5.16.0" Feb 15, 2026
@Manuthor Manuthor merged commit a415382 into develop Feb 15, 2026
53 checks passed
@Manuthor Manuthor deleted the release/5.16.0 branch February 15, 2026 14:13
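
The `None` vs `[]` allowlist semantics and the `kmip.policy_id` selection described in the release notes above, as an added Rust sketch that is not Cosmian KMS code. The type, field and function names, the algorithm-name strings, the three-entry stand-in for the DEFAULT list, and the error returned for an unrecognised policy id are all assumptions.

```rust
// Added illustration: every name here is hypothetical, not the Cosmian KMS API.
#[derive(Debug, PartialEq)]
pub enum Decision { Allowed, Denied }

/// None = no restriction; Some(vec![]) = deny all (when enforcement is on).
pub type Allowlist = Option<Vec<String>>;

pub struct KmipConfig {
    pub policy_id: Option<String>, // unset => policy layer disabled
    pub hashes: Allowlist,         // hypothetical allowlist field
}

/// Constructed stand-in for part of the built-in DEFAULT allowlists.
fn default_hashes() -> Allowlist {
    Some(vec!["SHA256".into(), "SHA384".into(), "SHA512".into()])
}

pub fn check_hash(cfg: &KmipConfig, requested: &str) -> Result<Decision, String> {
    // policy_id is matched case-insensitively; unset disables the layer.
    let id = match &cfg.policy_id {
        None => return Ok(Decision::Allowed),
        Some(id) => id.to_ascii_uppercase(),
    };
    let active = match id.as_str() {
        "DEFAULT" => default_hashes(),
        "CUSTOM" => cfg.hashes.clone(),
        // Assumption: an unrecognised id is rejected rather than ignored.
        other => return Err(format!("unknown policy_id: {other}")),
    };
    Ok(match active {
        None => Decision::Allowed, // no restriction on this parameter
        Some(list) if list.iter().any(|a| a == requested) => Decision::Allowed,
        Some(_) => Decision::Denied, // includes the empty list: deny all
    })
}

fn main() {
    let custom = |hashes: Allowlist| KmipConfig { policy_id: Some("custom".into()), hashes };
    for (label, cfg) in [
        ("unset list", custom(None)),
        ("empty list", custom(Some(vec![]))),
        ("SHA256 only", custom(Some(vec!["SHA256".into()]))),
    ] {
        println!("{label}: SHA1 -> {:?}", check_hash(&cfg, "SHA1"));
    }
}
```

The case worth checking in a real deployment is the CUSTOM policy with a list left unset: it permits everything for that parameter, while an explicitly empty list blocks everything.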