v0.46.2

- net: Fix regression in TLS verification introduced in v0.46.1
  (every non-Signal certificate would fail *except* on Linux)

- Rust: net's DnsResolver has a useful Default implementation again

v0.46.1

- net: Expose authenticated sends on ChatService. (Note that there is
  yet no way to get messages *from* the server.)

- net: Setting an invalid proxy from Java/Swift/TypeScript will now
  result in all connections failing until it's cleared or replaced.

- net: Many internal improvements, including
  - DNS lookups will fall back to DNS-over-HTTPS to Cloudflare
  - Connection requests are debounced
  - TLS verification will now succeed on Linux for non-Signal servers

v0.46.0

- Net now requires a user agent string on initialization.

- Restores ProfileKeyCredentialPresentationV1, removed in v0.43.0.
  While this is no longer presented by clients, it can still appear
  in old gv2 change actions.

- ServiceId is now Comparable in Java and Swift, Ord in Rust.
  In JavaScript, ServiceId.comparator provides the same ordering.
  The order is consistent across all platforms.

- Swift: The message backup stream factory function can now throw.

- Rust: libsignal-protocol timestamps now use a strong type.

- The LibSignalClient podspec is now compatible with GNU ln as well as
  macOS's standard BSD ln.

v0.45.1

Network:
- Improved logging
- Replaced rustls-native-certs with rustls-platform-verifier

Swift:
- Use thin LTO even in debug builds
- C functions with no arguments are declared '(void)', not '()'

v0.45.0

- BackupAuthCredential now uses an enum for its level; credentials
  containing unknown levels will fail to deserialize. Receiving a
  BackupAuthCredentialResponse no longer requires an expected level,
  but now requires a timestamp; this timestamp should be the one
  provided by the server as the key in the JSON object containing the
  response.

- The backup validator has been updated; in particular, it now expects
  the IV to be in the file, and allows padding after the compressed
  backup frames.

- Support for issuing AuthCredentials with the PNI reinterpreted as
  an ACI has been removed.

- The connectionReused field from ChatService's DebugInfo has been
  removed.

- SVR3 now supports TPM2SNP on GCP, and no longer supports it on
  Azure.

- Node: Exposed Net.setIpv6Enabled(). IPv6 remains on by default.

- Java: libsignal's CompletableFuture now supports whenComplete.

- Java: A number of ClassNotFound issues have been quashed.

- Swift: PreKeyBundle.preKeyId no longer returns the *signed* pre-key
  ID, and the Kyber key info, if any, is available as well.

- Swift: Add missing invalidAttestationData and connectionFailed
  error cases.

- Rust: More zkcredential and zkgroup types implement Debug and
  PartialEq. More types in several crates implement Error.

- Changes for upstream boring v4.6.0 have been merged.

v0.44.0

- All platforms: TLS proxy support added
- Node: ChatService extracted in a separate class
- GroupSendEndorsement: refine issuance proof
- Internal changes to the reconnect logic in libsignal-net

v0.43.0

- Exposed API for unauthenticated chat service communication in Swift and Java.
  This closely follows the existing TypeScript API.
- Disabled chat connection auto-reconnect on disconnect().
- Added cleanup code to close chat server connections more promptly.
- Removed timeout parameters for SVR3 and CDSI operations.
- Improved CDSI error handling. More granular error types are returned and
  additional server errors are now handled correctly.
- Updated message backup protobuf definition.
- Removed ProfileKeyCredentialPresentationV1 which is no longer used.

v0.42.0

- GroupSendEndorsement has been added, and GroupSendCredential has
  been removed. Endorsements are similar to credentials but have some
  different characteristics; see endorsements.rs in the zkcredential
  crate for more information.

  THIS REQUIRES UPDATED SERVER ZKPARAMS.

- AuthCredentialZkc has been added as a variant of
  AuthCredentialWithPni that's built on top of zkcredential rather
  than bespoke poksho proofs. The PNI-less AuthCredential has been
  removed in favor of AuthCredentialWithPni and AuthCredentialZkc.

- SVR3 now supports enclaves based on AMD SEV SNP with TPM2
  attestation. The default configuration in libsignal-net is now
  3-of-3 secret sharing. (Note that this is still only supported in
  staging at this time.)

- cpufeatures is no longer an unconditional requirement for
  libsignal-ffi. (Thanks, @Kladki!)

- The Java code now uses Java 17; the Android build additionally
  requires SDK 34 to desugar `record` classes.

- Rust dependencies have been updated.

v0.41.2

- Reverted a breaking change (zkgroup: Implement GroupSendEndorsements)

v0.41.1

- protocol: Flip SSv2 encryption to the "new" key derivation (no client-visible impact)
- Update message backup proto definition
- Fix a configuration issue for libsignal-net