- Add fips_configure_cipher() to pin FIPS-approved SQLCipher PRAGMAs
(HMAC-SHA512, PBKDF2-HMAC-SHA512, 256k iterations, 4096-byte pages)
- Call fips_configure_cipher() after sqlite3_key() in JNI and sample app
- Copy key material to OPENSSL_malloc buffer and zeroize with
OPENSSL_cleanse after use (SP 800-132 §5.3)
- Fix provider leak: unload FIPS provider on EVP_set_default_properties
failure to prevent silent FIPS bypass
- Delete stale DB before round-trip compliance test
- Add .codegraph/ and .grepai/ to .gitignore
- Document fips_configure_cipher API and key handling in CLAUDE.md
Christopher Fahlin
06429cfdb4