Release 2.8.0-preview.1

[mtmk]

Preview release bumping version to 2.8.0-preview.1. Ships two breaking changes on the preview channel before they land in a stable minor: subject validation is now on by default (subjects containing whitespace throw; set SkipSubjectValidation=true to opt out), and the public NATS.Client.Core.NKeys and NKeyPair types are removed in favour of the NATS.NKeys package. Also includes protocol size checks, KV watcher cancellation fixes, and assorted test and CI fixes.

• auth: sign nonce regardless of auth_required (Fix nonce signing when auth_required is omitted #1109)
• auth: use NATS.NKeys package for nkey signing (auth: use NATS.NKeys package for nkey signing #1101) [breaking]
• conn: reset state on credential loading failure (Reset state on credential loading failure #1107)
• Improve package metadata and README (Improve package metadata and README #1103)
• tests: fix TlsPreferTest flap on net481 (tests: fix TlsPreferTest flap on net481 #1108)
• Fix release workflow (Fix release workflow #1106)
• Fix test flaps (Fix test flaps #1083)
• ci: add contents and actions read permissions to Claude workflow (Update Claude workflow permissions #1102)
• tls: document Prefer mode plaintext behavior (tls: document Prefer mode plaintext behavior #1094)
• tests: increase NuidTests thread join timeouts (Fix NuidTests flaky timeouts #1100)
• Improve Pin ID handling (Improve Pin ID handling #1099)
• Fix KV watcher cancellation behavior (Fix KV watcher cancellation behavior #1084)
• Clear ArrayPool buffers before returning to pool (Clear ArrayPool buffers before returning to pool #1097)
• Enable subject validation by default (Enable subject validation by default #1093) [breaking]
• Add protocol size checks (Add protocol size checks #1095)
• Fix Range attribute for MaxBytes property (Fix Range attribute for MaxBytes property #1096)
• Add CC reviews (Add CC reviews #1092)

[synadia-claude-reviewer]

Claude finished @mtmk's task in 6m 6s —— View job

---

PR Review: Release 2.8.0-preview.1

• Gather context (CLAUDE.md, PR diff)
• Analyze changed files and commits
• Review for correctness, security, and performance
• Post inline comments on specific issues
• Summarize findings

---

This PR is a version bump only (version.txt: 2.7.3 → 2.8.0-preview.1). All substantive changes were already merged to main individually. I reviewed the code behind each major change in this release.

Overall Assessment

The implementation is sound. The two breaking changes are well-handled: subject validation defaults to enabled with a clear opt-out (SkipSubjectValidation = true), and the NATS.NKeys package migration is clean. Below are specific findings.

---

Issues Found

1. NatsException.Throw missing [DoesNotReturn] — src/NATS.Client.Core/NatsException.cs:19

Every other throw-helper in the file (NatsNoReplyException.Throw, NatsProtocolViolationException.Throw, NatsTimeoutException.Throw) is annotated with [DoesNotReturn], but the base NatsException.Throw is not. Callers in Internal/HeaderWriter.cs (lines 71, 86) use it as a non-returning throw, so the compiler can't perform accurate control-flow analysis there. Fix this →

2. NatsKVWatcher.DisposeAsync — potential subscription leak — src/NATS.Client.KeyValueStore/Internal/NatsKVWatcher.cs:148

The dispose sequence is:

1. _nats.ConnectionDisconnected -= OnDisconnected   // stops disconnect-triggered CreateSub
2. if (_sub != null) await _sub.DisposeAsync()       // disposes current sub
3. TryComplete() on all channels
4. await _consumerCreateTask

ConsumerCreateLoop runs concurrently. If a "recreate" message was already dequeued from _consumerCreateChannel before step 3 completes, CreatePushConsumer will create and register a new _sub (step 4 only waits for the task to finish — after the new sub is already created). That new sub never gets DisposeAsync called. The connection's subscription manager will eventually clean it up, but it's an avoidable leak. A fix would be to cancel an internal CancellationTokenSource in DisposeAsync before awaiting tasks, rather than relying solely on channel completion.

3. ClearingMemoryPool is pipe-wide, not credential-scoped — src/NATS.Client.Core/Internal/ClearingMemoryPool.cs:5-8

The class doc says "preventing credential data from leaking through pooled memory." The pool is actually used for the entire CommandWriter pipe (Commands/CommandWriter.cs:81), clearing all outbound protocol data (subjects, headers, payloads) on return. The security property is correct — credential bytes that flow through the pipe will be zeroed — but the comment implies narrower scope than the actual behavior.

4. maxPayloadHardCap not validated against server-advertised max_payload — src/NATS.Client.Core/Internal/NatsReadProtocolProcessor.cs:181

The read-side hard cap (default 64 MB) is independent of the server's advertised MaxPayload. A server could advertise max_payload = 1 MB but the client won't reject incoming messages up to 64 MB. The write-side correctly enforces info.MaxPayload. Incoming messages exceeding the server's own limit shouldn't normally occur (the server enforces its own cap), but the inconsistency is worth noting for defense-in-depth. Not a regression — pre-existing design.

---

Positive Notes

• Auth nonce signing (Fix nonce signing when auth_required is omitted #1109): the fix opts.Sig = info is { Nonce: { } } ? Sign(info.Nonce, seed) : null correctly decouples nonce signing from auth_required, handling servers with no_auth_user properly.
• Protocol size checks (Add protocol size checks #1095): negative payload length and oversized message detection in NatsReadProtocolProcessor will disconnect (not crash or OOM) the client, and the NatsProtocolViolationException path correctly calls SignalDisconnected to allow reconnect.
• Subject validation (Enable subject validation by default #1093): the dual-path implementation (manual loop for short subjects, SearchValues/SIMD for long ones) and consistent application across Publish, Subscribe, and Request APIs is well done.
• Credential state reset on failure (Reset state on credential loading failure #1107): credential load failures now set ConnectionState = Closed before rethrowing, allowing retry connect without getting stuck.

[synadia-claude-reviewer]

Version bump looks correct for a SemVer preview release. The 2.8.0-preview.1 label is appropriate given the two breaking changes shipped: subject validation enabled by default and the NATS.NKeys type removal.

[Jarema]

LGTM!