# Alpha

> Postgres binaries get a registry, a signature, and a trust chain that survives rotation.

URL: https://bkpdb.com/changelog/2025-11-25/
Date: 2025-11-25
Tag: alpha

---

## Agent

### Added

- HTTPS binary registry with signed manifests. The agent fetches a `pg_dump` / `pg_restore` bundle for the server's major on demand and verifies the manifest signature before extraction.
- Two-key trust hierarchy: a long-lived <strong>ROOT</strong> public key baked into the agent at build time signs a short-lived <strong>MSK</strong> certificate; the MSK signs every published manifest. Rotation does not require a new agent build.
- `bkpdb binaries list`, `bkpdb backup`, and `bkpdb restore` as one-shot dev CLI subcommands against the configured registry.
- Real-fixture error tests for the registry path: server failures, network failures, cache corruption. Each one returns a clean, well-typed error rather than a panic.

### Changed

- Build pipeline: `make build-dev` and `make build-prod` bake the registry URL into the binary via `-ldflags`. The runtime YAML block becomes optional.

### Fixed

- Response size caps on registry fetches, a deterministic clock for manifest-validity checks, and a defensive path for resolving the cert URL relative to the manifest.