godaddy · jgowdy-godaddy · Aug 3, 2025 · Aug 4, 2025 · Aug 4, 2025 · Aug 4, 2025
diff --git a/.tool-versions b/.tool-versions
@@ -0,0 +1 @@
+golang 1.23.0
diff --git a/go/appencryption/go.work b/go/appencryption/go.work
@@ -1,5 +1,7 @@
 go 1.23.0
 
+toolchain go1.22.5
+
 use (
 	.
 	./cmd/example

diff --git a/go/appencryption/go.work.sum b/go/appencryption/go.work.sum
@@ -227,7 +227,6 @@ github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY
 github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
 github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4=
 github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
-github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g=
 github.com/containerd/zfs v1.0.0 h1:cXLJbx+4Jj7rNsTiqVfm6i+RNLx6FFA2fMmDlEf+Wm8=
 github.com/containerd/zfs v1.1.0 h1:n7OZ7jZumLIqNJqXrEc/paBM840mORnmGdJDmAmJZHM=
 github.com/containerd/zfs v1.1.0/go.mod h1:oZF9wBnrnQjpWLaPKEinrx3TQ9a+W/RJO7Zb41d8YLE=
@@ -324,7 +323,6 @@ github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
@@ -410,11 +408,8 @@ github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
-github.com/moby/sys/mount v0.3.4/go.mod h1:KcQJMbQdJHPlq5lcYT+/CjatWM4PuxKe+XLSVS4J6Os=
 github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
-github.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=
-github.com/moby/sys/reexec v0.1.0/go.mod h1:EqjBg8F3X7iZe5pU6nRZnYCMUTXoxsjiIfHup5wYIN8=
 github.com/moby/sys/signal v0.6.0 h1:aDpY94H8VlhTGa9sNYUFCFsMZIUh5wm0B6XkIoJj/iY=
 github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
 github.com/moby/sys/signal v0.7.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn88Kg8Tg=
@@ -472,7 +467,6 @@ github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8 h1:2c1EFnZHIPCW8qKWgHMH/fX2PkSabFc5mrVzfUNdg5U=
-github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/sclevine/spec v1.2.0 h1:1Jwdf9jSfDl9NVmt8ndHqbTZ7XCCPbh1jI3hkDBHVYA=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646 h1:RpforrEYXWkmGwJHIGnLZ3tTWStkjVVstwzNGqxX2Ds=
@@ -575,6 +569,7 @@ golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/telemetry v0.0.0-20240521205824-bda55230c457/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=

diff --git a/go/appencryption/key_cache_benchmark_test.go b/go/appencryption/key_cache_benchmark_test.go
@@ -20,6 +20,15 @@ var (
 	enableDebug   = flag.Bool("debug", false, "enable debug logging")
 )
 
+// newBenchmarkPolicy returns a CryptoPolicy with simple cache for benchmarks
+// that directly access cache internals
+func newBenchmarkPolicy() *CryptoPolicy {
+	policy := NewCryptoPolicy()
+	policy.IntermediateKeyCacheEvictionPolicy = "simple"
+	policy.SystemKeyCacheEvictionPolicy = "simple"
+	return policy
+}
+
 func ConfigureLogging() {
 	if *enableDebug {
 		log.SetLogger(logger{})
@@ -29,7 +38,7 @@ func ConfigureLogging() {
 func BenchmarkKeyCache_GetOrLoad_MultipleThreadsReadExistingKey(b *testing.B) {
 	ConfigureLogging()
 
-	c := newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+	c := newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 
 	c.keys.Set(cacheKey(testKey, created), cacheEntry{
 		key:      newCachedCryptoKey(internal.NewCryptoKeyForTest(created, false)),
@@ -53,7 +62,7 @@ func BenchmarkKeyCache_GetOrLoad_MultipleThreadsReadExistingKey(b *testing.B) {
 func BenchmarkKeyCache_GetOrLoad_MultipleThreadsWriteSameKey(b *testing.B) {
 	ConfigureLogging()
 
-	c := newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+	c := newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 
 	b.ResetTimer()
 	b.RunParallel(func(pb *testing.PB) {
@@ -82,7 +91,7 @@ func BenchmarkKeyCache_GetOrLoad_MultipleThreadsWriteUniqueKeys(b *testing.B) {
 	ConfigureLogging()
 
 	var (
-		c = newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+		c = newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 		i int64
 	)
 
@@ -114,7 +123,7 @@ func BenchmarkKeyCache_GetOrLoad_MultipleThreadsWriteUniqueKeys(b *testing.B) {
 
 func BenchmarkKeyCache_GetOrLoad_MultipleThreadsReadRevokedKey(b *testing.B) {
 	var (
-		c       = newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+		c       = newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 		created = time.Now().Add(-(time.Minute * 100)).Unix()
 	)
 
@@ -151,7 +160,7 @@ func BenchmarkKeyCache_GetOrLoad_MultipleThreadsReadRevokedKey(b *testing.B) {
 
 func BenchmarkKeyCache_GetOrLoad_MultipleThreadsRead_NeedReloadKey(b *testing.B) {
 	var (
-		c       = newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+		c       = newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 		created = time.Now().Add(-(time.Minute * 100)).Unix()
 	)
 
@@ -188,7 +197,7 @@ func BenchmarkKeyCache_GetOrLoad_MultipleThreadsRead_NeedReloadKey(b *testing.B)
 }
 
 func BenchmarkKeyCache_GetOrLoad_MultipleThreadsReadUniqueKeys(b *testing.B) {
-	c := newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+	c := newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 
 	for i := 0; i < b.N && i < DefaultKeyCacheMaxSize; i++ {
 		keyID := fmt.Sprintf(testKey+"-%d", i)
@@ -221,7 +230,7 @@ func BenchmarkKeyCache_GetOrLoad_MultipleThreadsReadUniqueKeys(b *testing.B) {
 }
 
 func BenchmarkKeyCache_GetOrLoadLatest_MultipleThreadsReadExistingKey(b *testing.B) {
-	c := newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+	c := newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 
 	c.mapLatestKeyMeta(testKey, KeyMeta{testKey, created})
 	c.keys.Set(cacheKey(testKey, created), cacheEntry{
@@ -243,7 +252,7 @@ func BenchmarkKeyCache_GetOrLoadLatest_MultipleThreadsReadExistingKey(b *testing
 }
 
 func BenchmarkKeyCache_GetOrLoadLatest_MultipleThreadsWriteSameKey(b *testing.B) {
-	c := newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+	c := newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 
 	b.ResetTimer()
 	b.RunParallel(func(pb *testing.PB) {
@@ -262,7 +271,7 @@ func BenchmarkKeyCache_GetOrLoadLatest_MultipleThreadsWriteSameKey(b *testing.B)
 
 func BenchmarkKeyCache_GetOrLoadLatest_MultipleThreadsWriteUniqueKey(b *testing.B) {
 	var (
-		c = newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+		c = newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 		i int64
 	)
 
@@ -286,7 +295,7 @@ func BenchmarkKeyCache_GetOrLoadLatest_MultipleThreadsReadStaleRevokedKey(b *tes
 	ConfigureLogging()
 
 	var (
-		c       = newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+		c       = newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 		created = time.Now().Add(-(time.Minute * 100)).Unix()
 	)
 
@@ -322,7 +331,7 @@ func BenchmarkKeyCache_GetOrLoadLatest_MultipleThreadsReadRevokedKey(b *testing.
 	ConfigureLogging()
 
 	var (
-		c       = newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+		c       = newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 		created = time.Now().Unix()
 	)
 
@@ -363,7 +372,7 @@ func BenchmarkKeyCache_GetOrLoadLatest_MultipleThreadsReadRevokedKey(b *testing.
 func BenchmarkKeyCache_GetOrLoadLatest_MultipleThreadsReadUniqueKeys(b *testing.B) {
 	ConfigureLogging()
 
-	c := newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
+	c := newKeyCache(CacheTypeIntermediateKeys, newBenchmarkPolicy())
 
 	for i := 0; i < b.N && i < DefaultKeyCacheMaxSize; i++ {
 		keyID := fmt.Sprintf(testKey+"-%d", i)

diff --git a/go/appencryption/key_cache_test.go b/go/appencryption/key_cache_test.go
@@ -48,6 +48,21 @@ func (suite *CacheTestSuite) Test_NewKeyCache() {
 	cache := newKeyCache(CacheTypeIntermediateKeys, NewCryptoPolicy())
 	defer cache.Close()
 
+	assert.NotNil(suite.T(), cache)
+	assert.IsType(suite.T(), new(keyCache), cache)
+	assert.NotNil(suite.T(), cache.keys)
+	// Default is now LRU cache, not simple cache
+	assert.NotNil(suite.T(), cache.policy)
+	assert.Equal(suite.T(), DefaultKeyCacheMaxSize, cache.keys.Capacity())
+}
+
+func (suite *CacheTestSuite) Test_NewKeyCache_Simple() {
+	policy := NewCryptoPolicy()
+	policy.IntermediateKeyCacheEvictionPolicy = "simple"
+
+	cache := newKeyCache(CacheTypeIntermediateKeys, policy)
+	defer cache.Close()
+
 	assert.NotNil(suite.T(), cache)
 	assert.IsType(suite.T(), new(keyCache), cache)
 	assert.NotNil(suite.T(), cache.keys)

diff --git a/go/appencryption/policy.go b/go/appencryption/policy.go
@@ -6,13 +6,14 @@ import (
 
 // Default values for CryptoPolicy if not overridden.
 const (
-	DefaultExpireAfter          = time.Hour * 24 * 90 // 90 days
-	DefaultRevokedCheckInterval = time.Minute * 60
-	DefaultCreateDatePrecision  = time.Minute
-	DefaultKeyCacheMaxSize      = 1000
-	DefaultSessionCacheMaxSize  = 1000
-	DefaultSessionCacheDuration = time.Hour * 2
-	DefaultSessionCacheEngine   = "default"
+	DefaultExpireAfter                = time.Hour * 24 * 90 // 90 days
+	DefaultRevokedCheckInterval       = time.Minute * 60
+	DefaultCreateDatePrecision        = time.Minute
+	DefaultKeyCacheMaxSize            = 1000
+	DefaultSessionCacheMaxSize        = 1000
+	DefaultSessionCacheDuration       = time.Hour * 2
+	DefaultSessionCacheEngine         = "default"
+	DefaultSessionCacheEvictionPolicy = "slru" // Already documented as default
 )
 
 // CryptoPolicy contains options to customize various behaviors in the SDK.
@@ -33,7 +34,7 @@ type CryptoPolicy struct {
 	// This value is ignored if IntermediateKeyCacheEvictionPolicy is set to "simple".
 	IntermediateKeyCacheMaxSize int
 	// IntermediateKeyCacheEvictionPolicy controls the eviction policy to use for the shared cache.
-	// Supported values are "simple", "lru", "lfu", "slru", and "tinylfu". Default is "simple".
+	// Supported values are "simple", "lru", "lfu", "slru", and "tinylfu". Default is "lru".
 	IntermediateKeyCacheEvictionPolicy string
 	// SharedIntermediateKeyCache determines whether Intermediate Keys will use a single shared cache. If enabled,
 	// Intermediate Keys will share a single cache across all sessions for a given factory.
@@ -50,7 +51,7 @@ type CryptoPolicy struct {
 	// This value is ignored if SystemKeyCacheEvictionPolicy is set to "simple".
 	SystemKeyCacheMaxSize int
 	// SystemKeyCacheEvictionPolicy controls the eviction policy to use for the shared cache.
-	// Supported values are "simple", "lru", "lfu", "slru", and "tinylfu". Default is "simple".
+	// Supported values are "simple", "lru", "lfu", "slru", and "tinylfu". Default is "lru".
 	SystemKeyCacheEvictionPolicy string
 	// CacheSessions determines whether sessions will be cached.
 	CacheSessions bool
@@ -124,17 +125,20 @@ func WithSessionCacheDuration(d time.Duration) PolicyOption {
 // NewCryptoPolicy returns a new CryptoPolicy with default values.
 func NewCryptoPolicy(opts ...PolicyOption) *CryptoPolicy {
 	policy := &CryptoPolicy{
-		ExpireKeyAfter:              DefaultExpireAfter,
-		RevokeCheckInterval:         DefaultRevokedCheckInterval,
-		CreateDatePrecision:         DefaultCreateDatePrecision,
-		CacheSystemKeys:             true,
-		CacheIntermediateKeys:       true,
-		IntermediateKeyCacheMaxSize: DefaultKeyCacheMaxSize,
-		SystemKeyCacheMaxSize:       DefaultKeyCacheMaxSize,
-		SharedIntermediateKeyCache:  false,
-		CacheSessions:               false,
-		SessionCacheMaxSize:         DefaultSessionCacheMaxSize,
-		SessionCacheDuration:        DefaultSessionCacheDuration,
+		ExpireKeyAfter:                     DefaultExpireAfter,
+		RevokeCheckInterval:                DefaultRevokedCheckInterval,
+		CreateDatePrecision:                DefaultCreateDatePrecision,
+		CacheSystemKeys:                    true,
+		CacheIntermediateKeys:              true,
+		IntermediateKeyCacheMaxSize:        DefaultKeyCacheMaxSize,
+		IntermediateKeyCacheEvictionPolicy: "lru", // Use LRU eviction by default for bounded cache
+		SystemKeyCacheMaxSize:              DefaultKeyCacheMaxSize,
+		SystemKeyCacheEvictionPolicy:       "lru", // Use LRU eviction by default for bounded cache
+		SharedIntermediateKeyCache:         false,
+		CacheSessions:                      false,
+		SessionCacheMaxSize:                DefaultSessionCacheMaxSize,
+		SessionCacheDuration:               DefaultSessionCacheDuration,
+		SessionCacheEvictionPolicy:         DefaultSessionCacheEvictionPolicy,
 	}
 
 	for _, opt := range opts {