Releases: dye-tech/GateKey

v1.7.0

27 Jan 06:04

What's Changed

  • fix(api): remove dead code handlers and fix security issues by @jessedye in #52
  • test: add comprehensive coverage for security-critical paths by @jessedye in #53
  • feat: add custom error types for consistent API error responses by @jessedye in #54

Full Changelog: v1.6.1...v1.7.0

v1.6.1

27 Jan 02:40

What's Changed

  • deps(web): bump @types/react from 19.2.8 to 19.2.9 in /web in the types group by @dependabot[bot] in #45
  • deps(web): bump react-router-dom from 7.12.0 to 7.13.0 in /web in the react group by @dependabot[bot] in #44
  • deps(web): bump axios from 1.13.2 to 1.13.3 in /web in the npm-dependencies group by @dependabot[bot] in #43
  • build(docker): update Alpine to 3.23 for all images by @jessedye in #46
  • build(docker): update Node.js to 25-alpine for web build by @jessedye in #47
  • refactor: remove unused code and fix AI scaffolding artifacts by @jessedye in #48
  • refactor: remove unused scaffolding and aspirational code by @jessedye in #49
  • fix: address production readiness issues by @jessedye in #50
  • docs(configs): add missing config examples and fix naming by @jessedye in #51

Full Changelog: v1.6.0...v1.6.1

v1.6.0 - FIPS Mode Enforcement

26 Jan 06:00

What's New

FIPS 140-3 Mode Enforcement

This release adds the ability to enforce FIPS 140-3 cryptographic compliance at the OS level for gateways, mesh hubs, and mesh spokes.

Key Features:

  • New "Enforce FIPS Mode" checkbox in gateway, mesh hub, and spoke admin forms
  • Per-gateway and per-spoke granular control over FIPS enforcement
  • Automatic inheritance from hub to spokes (with optional override)
  • Database migration included for seamless upgrade

Requirements:

  • FIPS-enabled operating system on the gateway/spoke host (e.g., RHEL/CentOS with FIPS mode enabled)
  • When enabled, the gateway agent will verify FIPS mode is active before starting

CI/CD Improvements

  • Release pipeline now automatically cascades to Helm chart and Homebrew repositories
  • Ensures all distribution channels stay in sync with new releases

Documentation

  • New comprehensive Kubernetes Ingress Guide covering:
    • Istio service mesh configuration
    • NGINX Ingress Controller setup
    • Traefik IngressRoute configuration
    • UDP ingress options for VPN traffic
    • Certificate management with cert-manager
    • Cloud load balancer integrations (AWS ALB, GCP, Cloudflare Tunnel)

Upgrade Notes

  1. Run database migrations to add the enforce_fips_mode column:

    gatekey-server migrate up

  2. The new FIPS mode option defaults to disabled - no action required for existing deployments

  3. To enable FIPS mode on a gateway, edit the gateway in the admin UI and check "Enforce FIPS Mode"

Full Changelog

See CHANGELOG.md for complete details.

What's Changed

  • feat(ci): cascade releases to Helm chart and Homebrew repos by @jessedye in #37
  • docs: add ingress configuration guide by @jessedye in #39
  • feat(gateway): add FIPS mode enforcement option by @jessedye in #38
  • feat(mesh): add independent FIPS mode setting for spokes by @jessedye in #40

Full Changelog: v1.5.4...v1.6.0

v1.5.4 - Gateway Connectivity & Name Immutability

26 Jan 03:24

Summary

This release fixes a critical VPN connectivity issue and adds safeguards to prevent authentication failures when gateway configurations are modified.

What's Changed

Bug Fixes

  • Fixed gateway client-connect timing issue - VPN connections were being skipped because the client-connect hook checked the OpenVPN status file for client presence, but OpenVPN updates this file on a 10s timer, not immediately on connect. Connections now process immediately without waiting for status file updates.
  • Fixed missing database columns - Added missing columns for gateway and mesh configurations that were causing schema validation errors.

Security & Stability

  • Gateway names are now immutable - Gateway, mesh hub, and mesh spoke names can no longer be changed after creation. This prevents authentication failures that occur when an agent's local config has a different name than the control plane database.

Why This Matters

When a gateway/hub/spoke is renamed in the web UI, the agent running on the server still has the old name in its config file. On the next reconnection, authentication fails with "Invalid token" because the control plane looks up the token by name. Making names immutable prevents this operational issue.
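
The failure mode and the guard described above, reproduced in an added Go example that is not GateKey's own code. The in-memory Registry, its method names, the stored SHA-256 token hash and the sample gateway names are all constructed for illustration.

```go
// Added example, not GateKey source: constructed control plane that finds tokens by name.
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var ErrInvalidToken = errors.New("Invalid token")
var ErrNameImmutable = errors.New("name is immutable after creation")

type Registry struct {
	tokenHashByName map[string][32]byte
	immutableNames  bool // true models the v1.5.4 behaviour
}

func NewRegistry(immutable bool) *Registry {
	return &Registry{tokenHashByName: map[string][32]byte{}, immutableNames: immutable}
}
func (r *Registry) Create(name, token string) { r.tokenHashByName[name] = sha256.Sum256([]byte(token)) }

// Rename re-keys the record; the agent's local config still holds the old name.
func (r *Registry) Rename(oldName, newName string) error {
	if r.immutableNames {
		return ErrNameImmutable
	}
	r.tokenHashByName[newName] = r.tokenHashByName[oldName]
	delete(r.tokenHashByName, oldName)
	return nil
}

// Authenticate is the reconnect path: look up by name, compare in constant time.
func (r *Registry) Authenticate(name, token string) error {
	want, ok := r.tokenHashByName[name]
	got := sha256.Sum256([]byte(token))
	if !ok || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return ErrInvalidToken
	}
	return nil
}

func main() {
	r := NewRegistry(false) // pre-1.5.4: renames allowed
	r.Create("gw-east", "constructed-token")
	_ = r.Rename("gw-east", "gw-east-1")
	fmt.Println("old name after rename:", r.Authenticate("gw-east", "constructed-token"))
}
```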

Upgrade Notes

  • No breaking changes - this is a drop-in replacement for v1.5.3
  • If you have gateways that were renamed and are now failing to connect, you'll need to update the agent config file to match the database name, or delete and recreate the gateway

Full Changelog: v1.5.3...v1.5.4

What's Changed

  • chore: consolidate Dockerfiles into single parameterized file by @jessedye in #31
  • chore: remove unused Homebrew formula templates by @jessedye in #32
  • fix(web): add missing nginx proxy routes for backend endpoints by @jessedye in #33
  • fix(api): fix OpenVPN mesh and gateway creation issues by @jessedye in #34
  • fix(docker): include install scripts in server image by @jessedye in #35
  • fix(gateway): resolve client connect timing issue and make names immutable by @jessedye in #36

Full Changelog: https://github.com/dye-tech/GateKey/commits/v1.5.4

v1.5.3 - OpenVPN Gateway & Mesh Fixes

25 Jan 20:59

Summary

Fixes critical issues with OpenVPN gateway and mesh hub creation that were preventing new deployments.

What's Changed

Bug Fixes

  • Fixed OpenVPN mesh and gateway creation - Certificate generation was failing during gateway and mesh hub creation due to missing validation
  • Fixed crypto profile validation - Crypto profile settings are now properly validated during gateway creation

Full Changelog: v1.5.2...v1.5.3

v1.5.2 - Docker & Web Proxy Fixes

25 Jan 20:09

Summary

Improves Docker build infrastructure and fixes web proxy routing issues.

What's Changed

Infrastructure

  • Consolidated Dockerfiles - All Docker images now use a single parameterized Dockerfile for easier maintenance
  • Removed unused Homebrew templates - Cleaned up legacy Homebrew formula files

Bug Fixes

  • Fixed nginx proxy routes - Added missing backend API endpoint routes in the web container
  • Fixed server image install scripts - Server Docker image now includes install scripts needed for gateway provisioning

Full Changelog: v1.5.1...v1.5.2

v1.5.1 - WireGuard Mesh Config Fix

25 Jan 07:55

This patch release fixes WireGuard mesh hub configuration generation.

Fixed

  • WireGuard mesh hub configs were incorrectly generated in OpenVPN format - The frontend was calling the OpenVPN config endpoint for all mesh hubs regardless of type. Now correctly calls /api/v1/mesh/wireguard/generate-config for WireGuard hubs.

  • Download content-type headers - WireGuard config downloads now use application/x-wireguard-profile instead of application/x-openvpn-profile.

  • File extension in download modal - The modal now correctly displays .conf for WireGuard configs and .ovpn for OpenVPN configs.

  • Manual configuration instructions - When connecting to a WireGuard mesh hub, the UI now shows WireGuard-specific setup instructions (wireguard.com download links, wg-quick commands) instead of OpenVPN instructions.

Upgrade Notes

No migration required. Simply update to v1.5.1 and WireGuard mesh hub configs will generate correctly.

Full Changelog: v1.5.0...v1.5.1

What's Changed

  • feat(homebrew): add formulas for WireGuard and mesh components by @jessedye in #20
  • docs: update Go and PostgreSQL version references by @jessedye in #21
  • ci: add descriptive job names and build all components by @jessedye in #22
  • fix(docs): use universal font stack in SVG diagrams by @jessedye in #23
  • chore(build): standardize Makefile target names to match binary names by @jessedye in #24
  • docs: fix broken TOC link and update make targets in README by @jessedye in #25
  • docs(claude): update CLAUDE.md with current project state by @jessedye in #26
  • docs(readme): add permission flow diagram to Security Features by @jessedye in #27
  • fix(api): use correct content-type for WireGuard config downloads by @jessedye in #28

Full Changelog: https://github.com/dye-tech/GateKey/commits/v1.5.1

v1.5.0 - CI/CD Optimization & Config Standardization

22 Jan 17:46

Breaking Changes

  • Config file renamed: gatex.yaml → gatekey.yaml across all deployment methods
  • Environment variable prefix changed: GATEX_* → GATEKEY_* for consistency
  • Server image architecture: gatekey-server no longer includes embedded frontend - deploy gatekey-web separately

Highlights

  • 4x faster CI/CD builds with parallel Docker image builds using matrix strategy
  • Standalone gatekey-web image with nginx for flexible deployment architectures
  • Standalone gatekey-hub image for containerized mesh hub deployments
  • Server image is now API-only - lighter and faster builds

Docker Images

Image                     Description
dyetech/gatekey-server    API backend (no embedded frontend)
dyetech/gatekey-web       nginx serving React frontend
dyetech/gatekey-gateway   VPN gateway agent
dyetech/gatekey-hub       Mesh hub server

What's Changed

  • CI/CD pipeline now builds all 4 Docker images in parallel (~18min → ~4min)
  • Config loader auto-discovers gatekey.yaml in /app/configs, ./configs, or current directory
  • Updated Helm chart templates to use gatekey.yaml config filename
  • Updated Kustomize base with proper config file mounting and secret structure
  • Removed frontend build stage from main server Dockerfile

Migration Guide

If upgrading from v1.4.x:

  1. Rename gatex.yaml to gatekey.yaml in your ConfigMaps
  2. Update any GATEX_* environment variables to GATEKEY_*
  3. Deploy the gatekey-web container alongside gatekey-server for the web UI

Full Changelog

See CHANGELOG.md for complete details.

Full Changelog: v1.4.6...v1.5.0

v1.4.6

22 Jan 13:08

What's Changed

  • deps(web): bump @types/react from 19.2.7 to 19.2.8 in /web in the types group by @dependabot[bot] in #15
  • deps(web): bump react-router-dom from 7.11.0 to 7.12.0 in /web in the react group by @dependabot[bot] in #14
  • deps(web): bump vite from 7.3.0 to 7.3.1 in /web in the npm-dependencies group by @dependabot[bot] in #13
  • deps: bump golang.org/x/crypto from 0.46.0 to 0.47.0 in the go-dependencies group by @dependabot[bot] in #16

Full Changelog: v1.4.5...v1.4.6

v1.4.5

12 Jan 00:39

Added

  • Per-app TLS verification skip option for proxy applications
  • Database support for storing per-app TLS verification settings
  • Admin settings for TLS verification configuration

Changed

  • SSRF protection disabled by default for better compatibility
  • Added mesh network health check endpoint

Security

  • Enhanced TLS verification controls for enterprise environments

Full Changelog: v1.4.4...v1.4.5