chore: release main #24

Merged
maxholman merged 1 commit into main from release-please--branches--main
Feb 20, 2026

@github-actions

🤖 I have created a release beep boop

cli: 0.2.3

0.2.3 (2026-02-20)

Features

  • cli: omit peer in route add when exactly one peer is connected (aa1aced)

wallhack: 0.1.0

0.1.0 (2026-02-20)

Features

  • add Cidr type and extend control protocol for routing (7ea58a2)
  • add high connection rate warning for scan mode hint (a978a3d)
  • add peer registry and route table for per-peer routing (cf29aee)
  • add ping/pong messages to tunnel protocol (f4320ee)
  • add ping/pong to tunnel protocol (6f5ef6c)
  • add REPL support for exit nodes (2f52bf3)
  • add REST API for headless node control (ae3c4de)
  • bridge: support persistent control and dedicated data streams for plane separation (ec55455)
  • enable PSK and peer limit configuration for tunnel auth (33575e8)
  • entry: propagate ICMP unreachable errors for UDP scanning (7875eaf)
  • entry: SYN proxy for accurate TCP port scanning (5741ad8)
  • exit: reap idle UDP/ICMP sessions to prevent unbounded memory growth (75a90fc)
  • HTTP CONNECT and SOCKS5 proxy support for WebSockets transport (ce2f8cf)
  • implement routing control handlers and wire into servers (686e352)
  • integrate REST API with NodeApi trait (e9998b5)
  • proto: add ControlMessage definition and arc-swap dependency (aefb441)
  • server: enforce mTLS when CA roots are configured (30b6595)
  • tls: support TOFU certificate pinning via SHA-256 fingerprint (a06a683)
  • transport: rewire connection lifecycle to use persistent control stream and gated handshake (b550168)
  • transport: update connection types to support control stream task and simplified handshake (67537bf)
  • wire PSK and fingerprint through server and client transports (2ccc48e)
  • ws: enable TLS by default with self-signed cert for zero-config security (1e15455)

Bug Fixes

  • add session status handshake to fix nmap showing all ports open (6515f67)
  • api: propagate route added_at timestamp to REST API (0a2c5de)
  • avoid panicking on unimplemented code paths (d2d562d)
  • ci: restore slim variant with proper feature isolation and fix r… (e8f0f3b)
  • ci: restore slim variant with proper feature isolation and fix release upload race (7a04c81)
  • entry: bring TUN device UP on creation (9cb264e)
  • exit: loop UDP recv in orchestrator to match TCP behaviour (2dd3442)
  • gate ICMP code behind #[cfg(unix)] for Windows compatibility (cae65e9)
  • netstack: drop unmatched TCP segments to prevent false open ports (d0aa453)
  • parallel TCP streams and QUIC stream exhaustion (347c0b3)
  • prevent timing side-channel in credential validation (0090b0b)
  • repl: use exit_id as peer ID and normalize IPv4-mapped addresses (a349de6)
  • server: move test module to end of tls.rs (eeebd7b)
  • tls: default fingerprint hash prefix to sha256 (51b130b)
  • transport: preserve control_tx lifetime to prevent control stream death (39894ce)
  • update client run_incoming_data calls for new signature (5c0b48a)
  • update WebSocket client and bench scripts for REPL changes (923a3b6)
  • upgrade bytes to 1.11.1 (security) (40e8962)

Performance Improvements

  • control: replace RwLock with arc-swap for wait-free reads (53117e1)
  • netstack: replace 1ms sleep poll with epoll-based fd readiness (37ddd67)
  • netstack: zero-copy peek_all_ingress and reduce poll interval to 1ms (b33274a)
  • orchestrator: use bytes::Bytes for protobuf data fields (6cdb10b)
  • transport: persistent streams with length-delimited framing and buffer reuse (936a0da)
  • transport: reduce broadcast channel capacity to prevent OOM (5875824)

Reverts

  • transport: restore broadcast channel capacity to 65536 (3f86316)

This PR was generated with Release Please. See documentation.

@github-actions

🤖 Created releases:

🌻

maxholman added a commit that referenced this pull request May 6, 2026
Closes 8 open dependabot alerts via transitive lockfile bumps:

- rustls-webpki 0.103.9 -> 0.103.13 — CRL/URI/wildcard name-constraint
  handling and panic-on-malformed-CRL DoS (alerts #27 #42 #43 #47)
- rand 0.8.5 -> 0.8.6 and 0.9.2 -> 0.9.4 — soundness fix for callers
  using a custom logger with rand::rng() (#45 #46)
- h3 1.15.8 -> 1.15.11 (website) — path traversal via double-decoded
  %252e%252e in serveStatic and SSE event injection via unsanitized
  carriage return (#24 #25)

No direct dependency edits; all bumps are transitive.