=== Added ===
- Debug endpoints (#1792)
- Agent support for SDS v3 API (#1906)
- Improved metrics handling (#1885, #1925, #1932)
- Significantly improved performance related to performing agent authorization lookups (#1859, #1896, #1943, #1944, #1956)
- Database indexes to attested node columns (#1912)
- Support for configuring Vault roles, namespaces, and re-authentication to the Vault UpstreamAuthority plugin (#1871, #1981)
- Support for non-renewable Vault tokens to the Vault UpstreamAuthority plugin (#1965)
- Delete mode for federated bundles to the bundle API (#1897)
- The CLI now reads JSON from STDIN for entry create/update commands (#1905)
- Support for multiple CA bundle files in x509pop (#1949)
- Added `ExpiresAt` to `entry show` output (#1973)
- Added `k8s_psat:agent_node_ip` selector (#1979)
=== Changed ===
- The agent now shuts down when it is no longer attested (#1797)
- Internals now rely on new server APIs (#1849, #1878, #1907, #1908, #1909, #1913, #1947, #1982, #1998, #2001)
- Workload API now returns a standardized JWKS object (#1904)
- Log message casing and punctuation are more consistent with project guidelines (#1950, #1952)
=== Deprecated ===
- The Registration and Node APIs are deprecated, and a warning is logged on use (#1997)
- The `registration_api` configuration section is deprecated in favor of `server_api` in the k8s-workload-registrar (#2001)
=== Removed ===
- Removed some superfluous or otherwise unusable metrics and labels (#1881, #1946, #2004)
=== Fixed ===
- Fixed CLI exit codes when entry create or update fails (#1990)
- Fixed a bug that could cause external plugins to become orphaned processes after agent/server shutdown (#1962)
- Fixed handling of the Vault PKI certificate chain (#2012, #2017)
- Fixed a bug that could cause some gRPC libraries to fail to connect to the server over HTTP/2 (#1968)
- Fixed Registration API to validate selector syntax (#1919)
=== Security ===
- JWT-SVIDs that fail validation are no longer logged (#1953)