v0.1.21

@github-actions github-actions released this 13 May 14:54
· 301 commits to main since this release
f0e3c0d

What's Changed

  • env pushdown: silence anthropic_manual_key + add DENO_CERT/PIP_CERT + opt-out by @littledivy in #77
  • linux run: split v4+v6 Address; drop fd77 ghost rows on boot by @littledivy in #78
  • codex: WS upgrade detection + device-code OAuth + chatgpt-account-id + uTLS for chatgpt.com by @littledivy in #79
  • gofmt by @littledivy in #80
  • sessions: persist across restarts; auto-sweep idle; tighter title heuristic by @littledivy in #81
  • oauth: match Anthropic token endpoint by URL, not hardcoded ID by @ry in #82
  • codex: env pushdown via synthesized Agent Identity JWT + JWKS MITM by @piscisaureus in #83
  • feat: add --profile flag to join command by @crowlKats in #85
  • feat: add --hostname flag to join by @crowlKats in #88
  • env-pushdown: source vars from gateway, not local plugin set by @piscisaureus in #87
  • Analytics: per-device latency chart, expandable request detail by @ry in #52
  • rename action_samples migration to 0006 by @ry in #89
  • Add SSH endpoint plugin with DNS-MitM virtual IPs by @piscisaureus in #90
  • Apple-aligned NE hardening and dashboard perf by @littledivy in #84
  • analytics: count-by charts, top routes, filtering by @ry in #91
  • analytics: count-by charts, top routes, filtering by @ry in #92
  • fix: drop port-specific UDP rules in NE provider by @littledivy in #93
  • mac ext: bypass non-tunnel UDP via host socket by @littledivy in #94
  • Add layered glossary doc by @arnauorriols in #75
  • Analytics polish + cross-page consistency by @littledivy in #95
  • Fix broken cross-links between glossary and architecture docs by @arnauorriols in #96
  • ui: bump breadcrumb to 13px; fix per-device stat grid by @littledivy in #97
  • fix: SSE backlog ships as one event, no per-row flood by @littledivy in #98
  • Add ClickHouse native protocol gateway by @arnauorriols in #71
  • dnsvip: synthesise A/AAAA from gateway resolver for non-VIP names by @arnauorriols in #101
  • bump request page breadcrumb to 13px by @littledivy in #99
  • relay: emit dashboard events + bigger pipe buffer by @littledivy in #103
  • relay: feed agent activity sparkline from wgRelay by @littledivy in #104
  • relay/splice: stream activity track per-second, not at end by @littledivy in #105
  • ssh: accept the none userauth method so no-credential clients connect cleanly by @piscisaureus in #106
  • ssh: drop OpenSSH UpdateHostKeys global requests at the gateway by @piscisaureus in #107
  • join: preserve SSH on linux --whole-machine via PostUp source-route by @littledivy in #108
  • clickhouse_native: sslmode for self-signed upstreams by @arnauorriols in #102
  • join: lower SSH-exempt PostUp pref 10 → 5 so it beats wg-quick by @littledivy in #109
  • doc: collect repo-internal architecture notes under /doc by @ry in #110
  • slack body token replacement and codex http sessions by @littledivy in #115
  • fix: strip legacy body token for Slack so Authorization header takes precedence by @littledivy in #116
  • fix: add SecretSlots to notion_oauth so dashboard shows token input by @littledivy in #117
  • fix: stable session ID for codex HTTP sessions by @littledivy in #119
  • ci: bump deploy health-check sleep 2→5s by @littledivy in #121
  • fix: kubectl exec/portforward through k8s mTLS endpoints by @littledivy in #123
  • clickhouse_native: SQL parsing + per-query matching/events by @arnauorriols in #100
  • feat: HITL Slack thread context + OAuth credential reuse for LLM approver by @littledivy in #132
  • remove OAuthInjectAny. LLM approver must use per-profile credentials only by @littledivy in #133
  • Rewrite architecture doc to match current Go implementation by @arnauorriols in #72
  • feat: add additional scope selection for github plugin by @crowlKats in #131
  • clickhouse_native: track agent compression on every Query, allow or deny by @arnauorriols in #134
  • Initial design explorations by @josh-collinsworth in #135
  • More design exploration by @josh-collinsworth in #136
  • site: fix ProtocolDepth section to show real HCL rules by @ry in #137
  • fix: request body truncation >1MiB + stale idle connections by @littledivy in #138
  • site: reframe landing page around production access by @ry in #139
  • fix: WireGuard/gVisor TCP throughput (backpressure + TCP tuning) by @littledivy in #140
  • fix: assign action ids to persisted live events by @magurotuna in #120
  • site: glossary entries for Action and Facet by @arnauorriols in #146
  • fix: gVisor netTun throughput — blockingChanEP + minRTO + diagnostics by @littledivy in #147
  • docs: WireGuard/gVisor diagnostics guide by @littledivy in #148
  • fix: bring down clawpatrol tunnel before poll in whole-machine rejoin by @littledivy in #149
  • fix: revert blockingChanEP to fix memory leak by @littledivy in #150
  • analytics: real top-stat counts, legend hover, color fixes by @ry in #151
  • analytics: stable scatter sample, exact bar counts, gated polling by @ry in #152
  • Fonts and docs overhaul by @josh-collinsworth in #153
  • request body: pretty-print SSE streams by @ry in #154
  • Tunnel primitive + plugin system by @piscisaureus in #111
  • telemetry: worker, design doc, gateway-side ping by @ry in #155
  • postgres: emit allow event when no rule matches by @piscisaureus in #158
  • Docs overhaul and some design/logo testing by @josh-collinsworth in #159
  • slack: add missing space between host and path in HITL title by @piscisaureus in #160
  • join: take gateway URL as positional arg by @ry in #161
  • hitl: compact Slack message + matching dashboard labels by @ry in #162
  • ci: add golangci-lint by @magurotuna in #122
  • chore: add oxc for frontend format and lint by @magurotuna in #130
  • test: cover HTTP body forwarding after match buffering by @magurotuna in #163
  • Add safe gateway.hcl save review flow by @magurotuna in #125
  • test: cover k8s parser edge cases by @magurotuna in #126
  • test: cover header redaction by @magurotuna in #127
  • test: cover protocol parser edge cases by @magurotuna in #128
  • chore: update dashboard build dependencies by @magurotuna in #164
  • telemetry: reject oversized payloads with 413 by @magurotuna in #165
  • site: update deps to clear npm audit by @magurotuna in #166
  • Fix Postgres pump context cancellation by @ry in #169
  • Log HTTP server startup failures by @ry in #174
  • Stop accepting dashboard secret in query string by @ry in #172
  • Require dashboard auth for onboarding approvals in non-tailscale modes by @magurotuna in #176
  • Centralize dashboard auth policy by @magurotuna in #178
  • site: fix landing page mobile layout by @ry in #181
  • Fix settings editor render after dependency update by @magurotuna in #184
  • Use context diffs for realistic gateway configs by @magurotuna in #186
  • Don't block internet on wake/captive portal by @littledivy in #187
  • doc: add tailscale mode guide by @littledivy in #188
  • fix(ne): rename sleepWithCompletionHandler for Xcode 16.4 by @littledivy in #189
  • fix(macos): bypassUDP silently drops all IPv4 UDP — AF_UNSPEC/AF_INET6 sockaddr mismatch by @littledivy in #190
  • debug(macos): log errno for session socket failures by @littledivy in #192
  • Test Postgres client frame forwarding by @ry in #175
  • fix(darwin): resolve golangci-lint warnings in run_darwin.go by @ry in #196
  • doc: document wg-go PreallocatedBuffersPerPool and upstream PR #69 by @divybot in #170
  • fix: gateway init defaults to ~/.clawpatrol when not root by @littledivy in #168
  • Match default-port TLS hosts by bare SNI by @magurotuna in #183
  • Add facet plugin system for per-protocol-family behaviour by @piscisaureus in #198
  • site: add Download button to header + rewrite getting-started by @ry in #197
  • Route browser TLS through endpoint tunnels by @magurotuna in #180
  • Add --read-only-config flag to gateway by @ry in #203
  • mitm: strip credential-bearing response headers by @piscisaureus in #199
  • dashboard: render facets like the headers list by @piscisaureus in #206
  • Design & doc rendering iterations by @josh-collinsworth in #210
  • Add clawpatrol validate <config.hcl> by @ry in #211
  • Linux per-run ephemeral WG identity by @littledivy in #215
  • chore(ci): remove golangci-lint by @littledivy in #217
  • deploy: --read-only-config, rename gateway.hcl -> deno.hcl by @ry in #207
  • deploy.yml: rename clawall -> clawpatrol, poll for active by @ry in #218
  • site: rewrite approval-rules doc around HCL syntax by @arnauorriols in #144
  • fix(ephemeral): no devices row, correct profile inheritance by @littledivy in #220
  • docs: auto-generated HCL config reference by @arnauorriols in #142
  • kubernetes_port_forward: shell out to kubectl, drop k8s.io/client-go by @ry in #205
  • site/docs: serve raw .md and use toc.json for ordering by @ry in #223
  • fix: separate map prevents SetExternalIPs leaking device rows by @littledivy in #224
  • tunnel: refresh always-on pins on config change by @magurotuna in #212
  • config: flatten gateway {} and defaults {} into top-level fields by @ry in #225
  • Switch rule matching to CEL expressions by @piscisaureus in #219
  • chore: drop AWS SDK via ts_omit_identityfederation build tag by @littledivy in #228
  • config: reject unknown top-level blocks by @ry in #226
  • dashboard: SQL request rows clickable + per-action SQL detail by @arnauorriols in #145
  • ci: restore Go build cache explicitly by @magurotuna in #227
  • k8s: parse non-resource URIs as verb=meta by @piscisaureus in #230
  • www: format timestamps as yyyy-MM-dd HH:mm:ss.SSS by @ry in #234
  • audit: gunzip response samples so the dashboard renders plaintext by @ry in #233
  • fix(ephemeral): guard upsertLocked + fix migration number by @littledivy in #237
  • doc: replace Node.js runtime references with Go binary by @divybot in #238
  • Separate HITL operator identity from credential profile selection by @magurotuna in #182
  • chore: bump Go and x/net for govulncheck by @magurotuna in #247
  • fix: normalize matcher want-values to lowercase for case-insensitive paths by @littledivy in #253
  • linux run: test splitWGAddresses for dual-stack peers by @divybot in #246
  • mitm: trailer / obs-fold / synth-path auth-header strip by @divybot in #236
  • feat: Discord bot token credential by @magurotuna in #251
  • fix(ne): fail-fast pumpUDP on WG not ready; log BypassUDP socket errors by @littledivy in #260
  • fix: accept join flags after gateway URL by @magurotuna in #261
  • docs: refresh approval-rules for recent landed changes by @arnauorriols in #229
  • tailscale_oauth credential: design proposal by @arnauorriols in #221
  • fix(ephemeral): remap agentAddr in handleWSUpgrade by @littledivy in #265
  • fix(ephemeral): purge ephemeral WG peers on gateway restart by @littledivy in #262
  • Header revisions by @josh-collinsworth in #270
  • fix: skip orphaned ephemeral sessions on startup (last phantom device source) by @littledivy in #269
  • ux: detect EUID==0 in join and run, emit actionable errors by @divybot in #240
  • dashboard: breadcrumb shows UUIDv7 tail, not the timestamp prefix by @ry in #271
  • docs: clarify uninstall help text by @magurotuna in #274
  • SEO, a11y, and crawler audits by @josh-collinsworth in #276
  • Tracked logo by @josh-collinsworth in #277
  • Rename HTTPS facet family identifier to "http" by @piscisaureus in #275
  • feat: clawpatrol test subcommand + per-action JSON fixtures by @ry in #278
  • Responsive header fix; add icon version by @josh-collinsworth in #280
  • docs: publish clawpatrol test as a user-facing page by @ry in #279
  • cli: positional gateway config + -v/--version aliases + docs link by @ry in #283
  • design: ephemeral WG keypair per clawpatrol run session by @arnauorriols in #216
  • gateway: keep all persistent state in sqlite by @piscisaureus in #222
  • docs: simplify, correct, and reframe the user-facing docs by @ry in #285
  • Renumber gateway-state migration 0008 → 0010 by @piscisaureus in #288
  • gateway: fix --read-only-config position in help text by @piscisaureus in #289
  • Remove legacy on-disk → sqlite state import by @piscisaureus in #290
  • fix: support GitHub smart HTTP credentials by @magurotuna in #291
  • audit: decode br/deflate/zstd response bodies for action samples by @piscisaureus in #292
  • docs: add skill.md — single-page operator reference by @ry in #287
  • docs(site): strip YAML frontmatter; render skill page properly by @ry in #293
  • docs(intro): surface deep-protocol inspection (Postgres / k8s) by @ry in #286
  • gateway: serve /ca.crt from in-memory CertCache, not disk by @piscisaureus in #298
  • fix: WireGuard session dies after ~4h with handshakeInitiationCreated, no reconnect by @littledivy in #299
  • testdata: redact internal database hostnames by @avocet-bot in #281
  • plugins: fail-closed on inspection-buffer overflow by @arnauorriols in #200
  • docs: fill generated tunnel config reference by @magurotuna in #301
  • docs(site): skill page rendering polish + post-sqlite-state cleanup by @ry in #303
  • Rename sql facet function -> functions by @arnauorriols in #302
  • site: switch body sans to self-hosted Source Sans 3 by @josh-collinsworth in #307
  • Add Terraform-style external plugin system by @piscisaureus in #300
  • Cleanup stale scripts by @littledivy in #324
  • switch releases from GH Pages to gh release by @littledivy in #328

New Contributors

Full Changelog: v0.1.10...v0.1.21