Release notes
The current source version is 0.1.2.
This project is source-first in the current cycle. There are release-client and checksum targets, but no published binary distribution is assumed by these docs.
Highlights:
- SSH tunnel reliability patch: long-running tunnel sessions no longer reuse short control-command ControlMaster sockets.
- Edge control-plane hardening: ctl commands load env/config defaults, Caddy Admin API must be loopback, DB/env permissions are tightened, and the SSH gate rejects daemon config override flags.
- Route drift repair: reconcile detects missing, stale, and drifted managed Caddy routes.
- Client diagnostics: local upstream preflight, JSON output for lease commands, structured remote hints, doctor output, release retries, and reconnect backoff.
- Release and verification workflow: Docker verification, govulncheck, shellcheck coverage, client release builds, and checksums.
- Operator script hardening: sandboxed systemd unit, safer token drop-in writes, edge/client uninstall dry-runs, and check scripts for permissions and loopback Admin API.
Release commands
Build:
    make build
Client release artifacts:
    make release-client
    make checksums
Full local checks:
    make verify
Docker fallback:
    make verify-docker
Production-only validation still required
Before calling a release operationally ready for other people:
- Run scripts/real-system-validation.sh against a real edge host and domain.
- Confirm wildcard DNS and TLS issuance with the real DNS provider token.
- Confirm Caddy Admin API is not reachable externally.
- Confirm the forced-command SSH user can run ctl commands and hold reverse tunnels.
- Confirm firewall policy exposes only SSH, 80/tcp, and 443/tcp.
- Confirm edge upgrade rollback with a real backup snapshot.
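
An added example (not one of the project's check scripts): a first-pass audit for the Admin API and exposure items in the checklist above, run over `ss -H -ltn` output on the edge host. It assumes Caddy's default admin port 2019 and SSH on port 22; the function names and the sample socket lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against the release checklist.
# Real use on the edge host:  ss -H -ltn | audit_listeners
# Assumptions: Caddy admin on its default port 2019, SSH on 22.
ADMIN_PORT="${ADMIN_PORT:-2019}"
ALLOWED_PUBLIC="${ALLOWED_PUBLIC:-22 80 443}"

# Reads `ss -H -ltn` lines on stdin, prints one line per violation,
# and returns 1 if any violation was found.
audit_listeners() {
    awk -v admin="$ADMIN_PORT" -v allowed="$ALLOWED_PUBLIC" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        la = $4                               # local address:port column
        pos = match(la, /:[0-9]+$/)           # position of the final ":port"
        if (pos == 0) next
        addr = substr(la, 1, pos - 1)
        port = substr(la, pos + 1)
        # Loopback-bound sockets are not reachable from other hosts.
        if (addr ~ /^127\./ || addr == "[::1]") next
        if (port == admin)      { print "FAIL admin-api-exposed " la; bad = 1 }
        else if (!(port in ok)) { print "FAIL unexpected-listener " la; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: admin API on loopback, only SSH/80/443 public.
sample_good() {
    cat <<'EOF'
LISTEN 0 4096 127.0.0.1:2019 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:80 *:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 128 [::]:22 [::]:*
EOF
}

# Constructed sample: admin API on all interfaces plus a stray public port.
sample_bad() {
    cat <<'EOF'
LISTEN 0 4096 0.0.0.0:2019 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 244 *:5432 *:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
EOF
}

sample_bad | audit_listeners || echo "audit failed (expected for sample_bad)"
```

A clean result covers only what the host itself is listening on; the firewall and external-reachability items still need a probe from outside the host.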