Release v0.3.0
Fixed
- Binary payloads are no longer corrupted by mirror and replay. Both paths
converted payloads through a lossy UTF-8 string, mangling non-UTF-8 data
(protobuf, compressed payloads) before republishing and recording. Payloads
now stay raw bytes end-to-end. - Long gaps between recorded messages no longer block Ctrl+C, MQTT keepalives,
or TUI toggles during mirror playback; replay shutdown mid-delay now
disconnects from the broker gracefully. --tls-insecurenow actually skips certificate verification (it previously
fell through to full verification against system roots — a documented no-op).- Every multi-word CLI flag in the README was documented in snake_case that the
binary rejects; all corrected to the real kebab-case spellings. - Replay connection failures are logged instead of silently retried forever.
Added
--bind-addrfor the embedded broker (binds127.0.0.1by default — see
Security below),--no-mirror,--no-audit,--completions <shell>, and
MQTT_USERNAME/MQTT_PASSWORDenvironment variables for credentials.--versionnow includes the git commit hash.- CI:
cargo auditjob with monthly scheduled run, Dependabot (monthly,
grouped), all GitHub Actions pinned to commit SHAs. - Test coverage for binary payload round-trips (property + integration) and
--speedwall-clock timing.
Changed
- Security: the embedded broker now binds to loopback by default instead
of0.0.0.0. The broker has no authentication; exposing it on a network
interface requires an explicit--bind-addrand logs a warning. - Recorded CSVs and audit log files are created with mode
0600on Unix. --csv-field-size-limitnow bounds memory during parsing instead of
checking after the full record is buffered.- Dependencies: rumqttc 0.25, rumqttd 0.20, ratatui 0.30, crossterm 0.29,
thiserror 2. The MQTT client TLS path now runs on a patched rustls-webpki. - Minimum supported Rust version is 1.88 (the previous 1.70 claim was stale).
Pull Requests
- Audit fixes: binary payload corruption, security hardening, dep upgrades, UX (#6)
- docs: open-source standards — changelog, security policy, issue/PR templates (#7)
- ci: auto-merge Dependabot PRs after CI passes (#9)
- test: fix shutdown race flake in combined verify test (#10)
- chore(deps): bump the actions group with 4 updates (#8, first @dependabot contribution)
- chore: release v0.3.0 — docs freshness pass and version bump (#11)
Full Changelog: v0.2.1...v0.3.0