Release v0.3.1: Enterprise readiness with security, auth, and observability

Version bump to 0.3.1 with comprehensive enterprise features:

**Security:**
- Real cryptography: AES-256-GCM, ChaCha20-Poly1305, Argon2 key derivation
- Secrets management: SecretStore trait, key rotation, caching
- K2K message encryption with forward secrecy
- TLS/mTLS support with rustls, certificate rotation, SNI

**Authentication & Authorization:**
- ApiKeyAuth and JwtAuth providers
- ChainedAuthProvider for fallback chains
- RBAC with deny-by-default PolicyEvaluator
- Multi-tenancy with ResourceQuota and TenantContext

**Observability:**
- OpenTelemetry OTLP export to Jaeger/Honeycomb/Datadog
- Structured logging with trace correlation
- Alert routing with deduplication (Slack/Teams/PagerDuty)
- Remote audit sinks (Syslog, CloudWatch, Elasticsearch)

**Rate Limiting:**
- TokenBucket, SlidingWindow, LeakyBucket algorithms
- RateLimiterBuilder with fluent configuration

**Operational:**
- Operation timeouts with deadline propagation
- Automatic recovery with configurable policies per failure type

Feature flags: crypto, auth, tls, rate-limiting, alerting, enterprise

Test count increased from 825+ to 900+ tests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: mivertowski

CHANGELOG.md

@@ -7,6 +7,168 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.1] - 2026-01-19
+
+### Added
+
+#### Enterprise Security Features
+
+- **Real Cryptography** (`ringkernel-core/src/security.rs`)
+  - AES-256-GCM and ChaCha20-Poly1305 encryption algorithms
+  - Proper nonce generation with `rand::thread_rng()`
+  - Key derivation using Argon2id and HKDF-SHA256
+  - Secure memory wiping with `zeroize` crate
+  - Feature-gated via `crypto` feature flag
+
+- **Secrets Management** (`ringkernel-core/src/secrets.rs`) - **NEW FILE**
+  - `SecretStore` trait for pluggable secret backends
+  - `InMemorySecretStore` for development/testing
+  - `EnvVarSecretStore` for environment variable secrets
+  - `CachedSecretStore` with TTL-based caching
+  - `ChainedSecretStore` for fallback chains
+  - `KeyRotationManager` for automatic key rotation
+  - `SecretKey` and `SecretValue` types with secure memory handling
+
+- **Authentication Framework** (`ringkernel-core/src/auth.rs`) - **NEW FILE**
+  - `AuthProvider` trait for pluggable authentication
+  - `ApiKeyAuth` for simple API key validation
+  - `JwtAuth` for JWT token validation (RS256/HS256) - requires `auth` feature
+  - `ChainedAuthProvider` for fallback authentication chains
+  - `AuthContext` with identity and credential management
+  - `Credentials` enum: ApiKey, Bearer, Basic, Certificate
+
+- **Role-Based Access Control** (`ringkernel-core/src/rbac.rs`) - **NEW FILE**
+  - `Role` enum: Admin, Operator, Developer, Viewer, Custom
+  - `Permission` enum: Read, Write, Execute, Admin, Custom
+  - `RbacPolicy` with subject-role-permission bindings
+  - `PolicyEvaluator` with deny-by-default evaluation
+  - `ResourceRule` for fine-grained resource access control
+
+- **Multi-Tenancy Support** (`ringkernel-core/src/tenancy.rs`) - **NEW FILE**
+  - `TenantContext` for request scoping with tenant ID
+  - `TenantRegistry` for managing tenant configurations
+  - `ResourceQuota` with limits for memory, kernels, message rate
+  - `ResourceUsage` tracking with quota enforcement
+  - `QuotaUtilization` for monitoring tenant resource usage
+
+#### Enterprise Observability
+
+- **OpenTelemetry OTLP Export** (`ringkernel-core/src/observability.rs`)
+  - `OtlpExporter` for sending spans to OTLP endpoints
+  - `OtlpConfig` with endpoint, headers, and transport configuration
+  - Batch export with configurable interval and queue size
+  - HTTP and gRPC transport options via `OtlpTransport` enum
+  - Automatic retry with exponential backoff
+  - `OtlpExporterStats` for monitoring export success/failure
+
+- **Structured Logging** (`ringkernel-core/src/logging.rs`) - **NEW FILE**
+  - `StructuredLogger` with multi-sink support
+  - `LogLevel`: Trace, Debug, Info, Warn, Error, Fatal
+  - `LogOutput`: Text, Json, Compact, Pretty
+  - `TraceContext` for automatic trace_id/span_id injection
+  - `LogConfig` with builder pattern and presets (development, production)
+  - Built-in sinks: `ConsoleSink`, `MemoryLogSink`, `FileLogSink`
+  - JSON structured output for log aggregation
+  - Global logger functions: `init()`, `info()`, `error()`, etc.
+
+- **Alert Routing System** (`ringkernel-core/src/alerting.rs`) - **NEW FILE**
+  - `AlertSink` trait for pluggable alert destinations
+  - `AlertRouter` for routing alerts based on severity
+  - `WebhookSink` for Slack, Teams, PagerDuty (requires `alerting` feature)
+  - `LogSink` and `InMemorySink` for testing/debugging
+  - `DeduplicationConfig` for alert deduplication with time windows
+  - `AlertSeverity`: Info, Warning, Error, Critical
+  - `AlertRouterStats` for monitoring alert delivery
+
+- **Remote Audit Sinks** (`ringkernel-core/src/audit.rs`)
+  - `SyslogSink` for RFC 5424 syslog with configurable facility/severity
+  - `CloudWatchSink` for AWS CloudWatch Logs integration
+  - `ElasticsearchSink` for direct Elasticsearch indexing (requires `alerting` feature)
+  - Async batch sending with configurable flush intervals
+
+#### Enterprise Rate Limiting
+
+- **Rate Limiting** (`ringkernel-core/src/rate_limiting.rs`) - **NEW FILE**
+  - `RateLimiter` with pluggable algorithms
+  - `RateLimitAlgorithm`: TokenBucket, SlidingWindow, LeakyBucket
+  - `RateLimitConfig` with burst, window size, and rate configuration
+  - `RateLimiterBuilder` with fluent configuration API
+  - `RateLimitGuard` RAII wrapper for rate-limited operations
+  - `SharedRateLimiter` for distributed rate limiting
+  - `RateLimiterExt` trait for easy integration
+  - `RateLimiterStatsSnapshot` for monitoring
+  - Feature-gated via `rate-limiting` feature flag
+
+#### Network Security
+
+- **TLS Support** (`ringkernel-core/src/tls.rs`) - **NEW FILE**
+  - `TlsConfig` with builder pattern for server/client configuration
+  - `TlsAcceptor` for server-side TLS with rustls
+  - `TlsConnector` for client-side TLS connections
+  - `CertificateStore` with automatic rotation and hot reload
+  - `SniResolver` for multi-domain certificate selection
+  - mTLS (mutual TLS) with client certificate validation
+  - `TlsVersion` enum: Tls12, Tls13
+  - `TlsSessionInfo` for connection metadata
+  - Feature-gated via `tls` feature flag
+
+- **K2K Message Encryption** (`ringkernel-core/src/k2k.rs`)
+  - `K2KEncryptor` for kernel-to-kernel message encryption
+  - `K2KEncryptionConfig` with algorithm and key configuration
+  - `K2KEncryptionAlgorithm`: Aes256Gcm, ChaCha20Poly1305
+  - `EncryptedK2KMessage` with nonce and authentication tag
+  - `EncryptedK2KEndpoint` wrapper for transparent encryption
+  - `EncryptedK2KBuilder` for fluent endpoint creation
+  - `K2KKeyMaterial` with secure key handling
+  - Forward secrecy support with ephemeral keys
+  - Feature-gated via `crypto` feature flag
+
+#### Operational Excellence
+
+- **Operation Timeouts** (`ringkernel-core/src/timeout.rs`) - **NEW FILE**
+  - `Timeout` wrapper for async operations with deadlines
+  - `Deadline` for absolute timeout tracking
+  - `CancellationToken` for cooperative cancellation
+  - `OperationContext` with deadline propagation
+  - `timeout()` and `timeout_named()` helper functions
+  - `with_timeout()` and `with_timeout_named()` for futures
+  - `TimeoutStats` and `TimeoutStatsSnapshot` for monitoring
+
+- **Automatic Recovery** (`ringkernel-core/src/health.rs`)
+  - `RecoveryPolicy` enum: Restart, Migrate, Checkpoint, Notify, Escalate, Circuit
+  - `FailureType` enum: Timeout, Crash, DeviceError, ResourceExhausted, QueueOverflow, StateCorruption
+  - `RecoveryConfig` with builder pattern and per-failure-type policies
+  - `RecoveryManager` for coordinating recovery actions
+  - `RecoveryAction` with retry tracking and timestamps
+  - `RecoveryResult` with success/failure details
+  - `RecoveryStatsSnapshot` for monitoring recovery attempts
+  - Automatic escalation after max retries exceeded
+  - Configurable cooldown periods between recovery attempts
+
+### Changed
+
+- **Feature Flags** - New enterprise feature flags in `ringkernel-core/Cargo.toml`:
+  - `crypto` - Real cryptography (AES-GCM, ChaCha20, Argon2)
+  - `auth` - JWT authentication support
+  - `rate-limiting` - Governor-based rate limiting
+  - `alerting` - Webhook alerts via reqwest
+  - `tls` - TLS support via rustls
+  - `enterprise` - Combined feature enabling all enterprise features
+
+- **Test Coverage** - Increased from 825+ to 900+ tests
+  - 14 crypto tests for K2K encryption
+  - 14 logging tests for structured logging
+  - 15 recovery tests for automatic recovery
+  - 13 TLS tests for certificate management
+  - Plus tests for secrets, auth, RBAC, tenancy, rate limiting, alerting
+
+### Fixed
+
+- Fixed SpanStatus pattern matching for OTLP export
+- Fixed AttributeValue JSON serialization in observability
+- Fixed TraceId/SpanId Display formatting with hex output
+- Fixed reqwest blocking feature for webhook alerts
+
 ## [0.3.0] - 2026-01-17
 
 ### Added
@@ -609,7 +771,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - CLAUDE.md with build commands and architecture overview
 - Code examples for all major features
 
-[Unreleased]: https://github.com/mivertowski/RustCompute/compare/v0.3.0...HEAD
+[Unreleased]: https://github.com/mivertowski/RustCompute/compare/v0.3.1...HEAD
+[0.3.1]: https://github.com/mivertowski/RustCompute/compare/v0.3.0...v0.3.1
 [0.3.0]: https://github.com/mivertowski/RustCompute/compare/v0.2.0...v0.3.0
 [0.2.0]: https://github.com/mivertowski/RustCompute/compare/v0.1.3...v0.2.0
 [0.1.3]: https://github.com/mivertowski/RustCompute/compare/v0.1.2...v0.1.3

CLAUDE.md

@@ -216,10 +216,37 @@ The following enterprise-grade features provide production-ready infrastructure:
 - **`CircuitBreaker`** - Fault tolerance with automatic recovery
 - **`DegradationManager`** - Graceful degradation with 5 levels (Normal → Critical)
 - **`KernelWatchdog`** - Stale kernel detection with heartbeat monitoring
+- **`RecoveryManager`** - Automatic recovery with configurable policies per failure type
 
 **Observability:**
 - **`PrometheusExporter`** - Prometheus metrics export
+- **`OtlpExporter`** - OpenTelemetry OTLP export to Jaeger/Honeycomb/Datadog
 - **`ObservabilityContext`** - Distributed tracing with spans
+- **`StructuredLogger`** - Multi-sink logging with trace correlation (JSON/Text output)
+- **`AlertRouter`** - Alert routing with deduplication and severity-based routing
+
+**Security (feature-gated via `crypto`, `auth`, `tls`):**
+- **`MemoryEncryption`** - AES-256-GCM and ChaCha20-Poly1305 encryption
+- **`K2KEncryptor`** - Kernel-to-kernel message encryption with forward secrecy
+- **`SecretStore`** - Pluggable secrets management with key rotation
+- **`TlsConfig`/`TlsAcceptor`/`TlsConnector`** - TLS/mTLS with rustls and cert rotation
+- **`KernelSandbox`** - Kernel isolation and resource control
+
+**Authentication & Authorization (feature-gated via `auth`):**
+- **`ApiKeyAuth`** - Simple API key validation
+- **`JwtAuth`** - JWT token validation (RS256/HS256)
+- **`ChainedAuthProvider`** - Fallback authentication chains
+- **`RbacPolicy`/`PolicyEvaluator`** - Role-based access control with deny-by-default
+
+**Multi-tenancy:**
+- **`TenantContext`** - Request scoping with tenant ID
+- **`TenantRegistry`** - Tenant configuration management
+- **`ResourceQuota`** - Per-tenant limits (memory, kernels, message rate)
+
+**Rate Limiting (feature-gated via `rate-limiting`):**
+- **`RateLimiter`** - TokenBucket, SlidingWindow, LeakyBucket algorithms
+- **`RateLimiterBuilder`** - Fluent configuration API
+- **`SharedRateLimiter`** - Distributed rate limiting
 
 **Multi-GPU:**
 - **`MultiGpuCoordinator`** - Device selection with load balancing strategies
@@ -229,6 +256,7 @@ The following enterprise-grade features provide production-ready infrastructure:
 **Lifecycle:**
 - **`LifecycleState`** - Initializing → Running → Draining → ShuttingDown → Stopped
 - **`ShutdownReport`** - Final statistics on graceful shutdown
+- **`Timeout`/`Deadline`** - Operation timeouts with deadline propagation
 
 ```rust
 // Enterprise runtime usage
@@ -514,6 +542,14 @@ Main crate (`ringkernel`) features:
 CUDA-specific features:
 - `cooperative` - Enable CUDA cooperative groups for grid-wide synchronization (`grid.sync()`). Requires nvcc at build time for PTX compilation.
 
+Core crate (`ringkernel-core`) enterprise features:
+- `crypto` - Real cryptography (AES-256-GCM, ChaCha20-Poly1305, Argon2)
+- `auth` - JWT authentication support (jsonwebtoken crate)
+- `rate-limiting` - Governor-based rate limiting
+- `alerting` - Webhook alerts via reqwest
+- `tls` - TLS support via rustls
+- `enterprise` - Combined feature enabling all enterprise features
+
 Ecosystem crate (`ringkernel-ecosystem`) features:
 - `persistent` - Core persistent GPU kernel traits (backend-agnostic)
 - `persistent-cuda` - CUDA implementation of `PersistentHandle` via `CudaPersistentHandle`
@@ -557,8 +593,8 @@ let handle = CudaPersistentHandle::new(simulation, "fdtd_3d");
 
 ### Test Count Summary
 
-825+ tests across the workspace:
-- ringkernel-core: 345 tests (including memory pool, analytics context, pressure reactions)
+900+ tests across the workspace:
+- ringkernel-core: 457 tests (including memory pool, analytics context, pressure reactions, enterprise security, auth, RBAC, tenancy, rate limiting, TLS, logging, alerting, recovery)
 - ringkernel-cpu: 11 tests
 - ringkernel-cuda: 52 tests (reduction cache, phases, K2K, persistent actors)
 - ringkernel-cuda-codegen: 190+ tests (loops, shared memory, ring kernels, K2K, envelope format, energy calculation, checksums, 120+ GPU intrinsics)
@@ -769,7 +805,7 @@ let _ = device.poll(wgpu::PollType::wait_indefinitely());
 
 ## Dependency Versions
 
-Key workspace dependencies (as of v0.1.3):
+Key workspace dependencies (as of v0.3.1):
 
 | Category | Package | Version | Notes |
 |----------|---------|---------|-------|

Cargo.toml

@@ -26,7 +26,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.3.0"
+version = "0.3.1"
 edition = "2021"
 authors = ["Michael Ivertowski <mivertowski@outlook.com>"]
 license = "Apache-2.0"
@@ -90,18 +90,18 @@ aws-config = { version = "1.6", features = ["behavior-version-latest"] }
 bytes = "1.9"
 
 # Internal crates - version must match workspace version for publishing
-ringkernel-core = { version = "0.3.0", path = "crates/ringkernel-core" }
-ringkernel-derive = { version = "0.3.0", path = "crates/ringkernel-derive" }
-ringkernel-cpu = { version = "0.3.0", path = "crates/ringkernel-cpu" }
-ringkernel-cuda = { version = "0.3.0", path = "crates/ringkernel-cuda" }
-ringkernel-wgpu = { version = "0.3.0", path = "crates/ringkernel-wgpu" }
-ringkernel-metal = { version = "0.3.0", path = "crates/ringkernel-metal" }
-ringkernel-codegen = { version = "0.3.0", path = "crates/ringkernel-codegen" }
-ringkernel-cuda-codegen = { version = "0.3.0", path = "crates/ringkernel-cuda-codegen" }
-ringkernel-wgpu-codegen = { version = "0.3.0", path = "crates/ringkernel-wgpu-codegen" }
-ringkernel-ir = { version = "0.3.0", path = "crates/ringkernel-ir" }
-ringkernel-wavesim = { version = "0.3.0", path = "crates/ringkernel-wavesim" }
-ringkernel-ecosystem = { version = "0.3.0", path = "crates/ringkernel-ecosystem" }
+ringkernel-core = { version = "0.3.1", path = "crates/ringkernel-core" }
+ringkernel-derive = { version = "0.3.1", path = "crates/ringkernel-derive" }
+ringkernel-cpu = { version = "0.3.1", path = "crates/ringkernel-cpu" }
+ringkernel-cuda = { version = "0.3.1", path = "crates/ringkernel-cuda" }
+ringkernel-wgpu = { version = "0.3.1", path = "crates/ringkernel-wgpu" }
+ringkernel-metal = { version = "0.3.1", path = "crates/ringkernel-metal" }
+ringkernel-codegen = { version = "0.3.1", path = "crates/ringkernel-codegen" }
+ringkernel-cuda-codegen = { version = "0.3.1", path = "crates/ringkernel-cuda-codegen" }
+ringkernel-wgpu-codegen = { version = "0.3.1", path = "crates/ringkernel-wgpu-codegen" }
+ringkernel-ir = { version = "0.3.1", path = "crates/ringkernel-ir" }
+ringkernel-wavesim = { version = "0.3.1", path = "crates/ringkernel-wavesim" }
+ringkernel-ecosystem = { version = "0.3.1", path = "crates/ringkernel-ecosystem" }
 
 [profile.release]
 lto = true