v0.3.8

nebula-mesh v0.3.8

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.8_<os>_<arch>.tar.gz or docker pull ghcr.io/forgekeep/nebula-mgmt:0.3.8
• Agent: nebula-agent_0.3.8_<os>_<arch>.tar.gz or docker pull ghcr.io/forgekeep/nebula-agent:0.3.8

Changelog

Bug fixes

• 3077efa: fix(api): require target group selector and bound its length in firewall rules (#200) (@juev)
• 4358d7a: fix(api): scope agent-poll blocklist to the host's CA (#206) (@juev)
• 60a512c: fix(cli): add request timeout to CLI HTTP client (#220) (@juev)
• c60ab50: fix(cli): check discarded io.ReadAll errors on response bodies (#218) (@juev)
• 0b8b74c: fix(cli): validate --server URL before issuing requests (#219) (@juev)
• 34d2e64: fix(config): create parent dir in SaveServerConfig before CreateTemp (#221) (@juev)
• c452237: fix(configgen): round-trip operator strings in generated YAML (#176) (#177) (@juev)
• d5010ef: fix(keystore): zeroize decoded master-key bytes in NewMasterFromBase64 (#201) (@juev)
• 7396708: fix(store): make ConsumeToken UPDATE conditional on used=0 and check RowsAffected (#202) (@juev)
• d7cf570: fix(web): invalidate operator sessions on admin password reset (#205) (@juev)

Others

• 7cb01ba: Merge commit from fork (@juev)
• 1f1ab9a: Merge commit from fork (@juev)
• 87bcdc4: chore(cli,models): check json.Marshal errors and fix function typo (#222) (@juev)
• 08e4be3: ci(security): gate PRs on standalone gosec + govulncheck (#212) (@juev)
• a8a9eea: docs(security): add STRIDE threat-model document (#210) (@juev)
• b2038fc: test(security): add local multi-operator offensive test bench (#211) (@juev)

---

Full changelog: v0.3.7...v0.3.8

v0.3.7

nebula-mesh v0.3.7

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.7_<os>_<arch>.tar.gz or docker pull ghcr.io/forgekeep/nebula-mgmt:0.3.7
• Agent: nebula-agent_0.3.7_<os>_<arch>.tar.gz or docker pull ghcr.io/forgekeep/nebula-agent:0.3.7

Changelog

Features

• 4ca1440: feat(serve): refuse plaintext HTTP on routable address unless opted in (#179) (#182) (@juev)

Bug fixes

• 1debc03: fix(agent): bound enroll/poll HTTP requests with a client timeout (#193) (#198) (@juev)
• 47ad44a: fix(api): bound host name and groups before signing (#186) (#190) (@juev)
• 08a1274: fix(api): gate /debug/vars, opt-in auth for /metrics, redact /readyz (#187) (#191) (@juev)
• 002bdec: fix(config): SSRF guards for alerts.webhook_url and oidc.issuer (#188) (#192) (@juev)
• bca1d59: fix(pki): zeroize decrypted CA key when manager construction fails (#181) (#184) (@juev)
• 725d5d4: fix(store): actionable migration-018 startup error on overlay-IP conflicts (#175) (@ak2k)
• 327a20e: fix(web): URL-escape store error text in CA redirect target (#194) (#199) (@juev)
• 977178e: fix(web): constant-time login to prevent username enumeration (#180) (#183) (@juev)
• c6b5eb6: fix: cap /ui request bodies + add HTTP timeouts and DB pool bounds (#185) (#189) (@juev)

Others

• 01e9fae: Merge commit from fork (@juev)
• b933a90: chore(gosec): drop orphan #nosec G120 on the CSRF ParseForm (#174) (@ak2k)
• 15ea357: chore(lint): drop stale govet printf.funcs entry (#168) (@juev)
• 92db29c: ci: add scheduled slow lane for generative fuzzing (ADR 0009) (#171) (@ak2k)
• 74c8a3f: docs(adr): 0009 review follow-ups (clock-seam status, migration 018, ADR index) (#169) (@ak2k)
• 975b475: test(simtest): Tier-2 fleet-simulation harness + clock seam (ADR 0009) (#170) (@ak2k)

---

Full changelog: v0.3.6...v0.3.7

v0.3.6

nebula-mesh v0.3.6

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.6_<os>_<arch>.tar.gz or docker pull ghcr.io/forgekeep/nebula-mgmt:0.3.6
• Agent: nebula-agent_0.3.6_<os>_<arch>.tar.gz or docker pull ghcr.io/forgekeep/nebula-agent:0.3.6

Changelog

Features

• c4eaffb: feat(web): add apple-touch and PWA icons (mesh mark) (#160) (@juev)

Bug fixes

• 01fdc54: fix(ci): complete forgekeep migration in release/config refs (#167) (@juev)
• 552b162: fix(store): DeleteCA refuses while any ca_id-carrying table references the CA (#153) (@ak2k)
• 6b88878: fix(web): scope accessible hosts to owned CAs in SQL (#162) (@juev)
• 6842652: fix(web): unify host-ownership anchor on host.CAID across edit/update/mobile-bundle (#161) (@juev)

Others

• d777354: docs(adr): 0009 scale, concurrency, and fuzz testing (PR-gate vs scheduled boundary) (#163) (@ak2k)
• 7b20a00: docs(release): bump install examples to VERSION=0.3.6 (#166) (@juev)
• ce2558b: test(web): assert owner-allowed path in host update and mobile-bundle scope tests (#164) (@juev)

---

Full changelog: v0.3.5...v0.3.6

v0.3.5

nebula-mesh v0.3.5

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.5_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-mgmt:0.3.5
• Agent: nebula-agent_0.3.5_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-agent:0.3.5

Changelog

Bug fixes

• eface39: fix(api): consume enrollment token atomically with host enroll (#150) (@ak2k)
• 9886e92: fix(api): scope ListHosts to owned CAs in SQL so the row cap can't undercount (#154) (@ak2k)
• 6472dce: fix(configgen): round-trippable YAML for non-literal-safe inline PEM (GHSA-7hp6) (#155) (@ak2k)
• e17bdd3: fix(store): enforce network-scoped overlay-IP uniqueness (migration 018) (#149) (@ak2k)

Others

• 6bd5ce8: Merge commit from fork (@ak2k)
• fb35f97: docs(release): bump install examples to VERSION=0.3.5 (@juev)
• 7f6cecc: test(api): pin multi-tenant read-side scoping (property harness + boundary battery) (#151) (@ak2k)
• 5a2684d: test(pki): cover CA key decryption, destruction, and signer boundaries (#152) (@ak2k)

---

Full changelog: v0.3.4...v0.3.5

v0.3.4

nebula-mesh v0.3.4

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.4_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-mgmt:0.3.4
• Agent: nebula-agent_0.3.4_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-agent:0.3.4

Changelog

Bug fixes

• 0b2c28b: fix(api): durable signed-poll nonce store (GHSA-v2jf-442r-6mjh) (#148) (@ak2k)
• 9d8bcd7: fix(api): re-check operator status in admin authz gates (#147) (@ak2k)
• 6a1f76d: fix(web): fail closed on CSRF rotation entropy failure (closes #144) (#146) (@ak2k)

Others

• b84f5ce: docs(release): bump install examples to VERSION=0.3.4 (@juev)

---

Full changelog: v0.3.3...v0.3.4

v0.3.3

nebula-mesh v0.3.3

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.3_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-mgmt:0.3.3
• Agent: nebula-agent_0.3.3_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-agent:0.3.3

Changelog

Bug fixes

• cdec478: fix(audit): validate URL params before audit + redirect in operator handlers (#140) (@ak2k)
• 3ce9930: fix(tests): plumb CSRF token through operator-existence regression tests (#145) (@juev)
• cf773c9: fix(web): CSRF protection on /ui/* mutating endpoints (GHSA-273q-qgh5-wrj6) (#139) (@juev)

Others

• 47fa414: chore(gosec): drop orphan #nosec G117 on yaml.Marshal(cfg) (#141) (@ak2k)
• 2b5ef31: docs(release): bump install examples to VERSION=0.3.3 (@juev)
• 59e73c8: test(store): atomic CAS coverage for ConsumeToken (GHSA-v2jf, enrollment side) (#143) (@ak2k)

---

Full changelog: v0.3.2...v0.3.3

v0.3.2

nebula-mesh v0.3.2

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.2_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-mgmt:0.3.2
• Agent: nebula-agent_0.3.2_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-agent:0.3.2

Changelog

Features

• c1506f7: feat(configgen): yaml.v3 typed-struct config marshal (closes #126) (#130) (@ak2k)

Bug fixes

• 32ab968: fix(api): audit mobile-bundle authz decisions (closes #119) (#128) (@ak2k)
• 68ae5fe: fix(bootstrap): close SeedAdminOperator check-then-write race (#133) (@ak2k)
• b8a8ac0: fix(lint): clean up linter issues introduced by #135 (#137) (@juev)
• ffdd67d: fix(oidc): harden operator login path + add httptest mock IdP scaffolding (#135) (@ak2k)
• e63187a: fix(tests): add explicit return after t.Fatal for SA5011 false-positives (sweep) (#132) (@ak2k)
• 2571bdd: fix(tests): add explicit return after t.Fatal in remaining SA5011 hits (@juev)
• 2995b98: fix(tests): add explicit return after t.Fatal in web session-cookie test (#131) (@ak2k)
• 7489d03: fix(tests): return after t.Fatal in web_test.go (SA5011) (#129) (@ak2k)

Others

• c13d5b2: Merge commit from fork (@juev)
• 8baaace: Merge commit from fork (@juev)
• ef65582: Merge commit from fork (@juev)
• c490de4: Merge commit from fork (@juev)
• 74ca1b4: Remove cfg.APIKey field; add CLI recovery for admin key (#127) (#138) (@juev)
• 8f495a8: build: pin golangci-lint version and add make ci target (@juev)
• 1315ff4: chore(gosec): suppress 27 baseline gosec findings with inline justifications (#134) (@ak2k)
• ccd7dbd: chore(lint): adopt opinionated golangci-lint v2 config and migrate to context-aware DB/HTTP calls (#136) (@juev)
• ba0db80: ci: bump actions to versions running on Node.js 24 (@juev)
• bda2703: docs(release): bump install examples to VERSION=0.3.2 (@juev)
• 56c07b7: refactor(auth): remove legacy config-file API key fallback (@juev)
• da2f3cd: refactor(auth): simplify CA handler auth checks (@juev)

---

Full changelog: v0.3.1...v0.3.2

v0.3.1

nebula-mesh v0.3.1

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.1_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-mgmt:0.3.1
• Agent: nebula-agent_0.3.1_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-agent:0.3.1

Changelog

Bug fixes

• d838cad: fix(docker): bump GO_VERSION to 1.26.3 to match go.mod toolchain (@juev)
• b45fda5: fix(http): add security response headers middleware (#125) (@juev)
• 1b38aa4: fix(oidc): refuse start when default_role would silently grant admin (#122) (@ak2k)
• e8f2c75: fix(tests): add explicit return after t.Fatal in remaining SA5011 hits (@juev)
• a379099: fix(tests): add explicit return after t.Fatal to satisfy SA5011 (@juev)

Others

• c674617: chore(go): bump toolchain from 1.26.1 to 1.26.3 (#123) (@ak2k)
• ba059e1: docs(release): bump install examples to VERSION=0.3.1 (@juev)

---

Full changelog: v0.3.0...v0.3.1

v0.3.0

nebula-mesh v0.3.0

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.0_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-mgmt:0.3.0
• Agent: nebula-agent_0.3.0_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-agent:0.3.0

Changelog

Features

• 4b8df69: feat(agent): idle-standby mode + first-class enroll subcommand (#88) (#89) (@juev)
• e7dd7b6: feat(agent): preflight validation for signing key directory (@juev)
• 26987ce: feat(agent): unify enroll/run into a single command (#67) (#71) (@juev)
• 91ffa55: feat(alerts): cert-expiry alerter with audit + webhook sinks (#41) (#56) (@juev)
• 6c344a6: feat(api): configurable enrollment-token TTL + regenerate endpoint (#75) (#79) (@juev)
• 0165db0: feat(api): re-enroll endpoint (#75) (#84) (@juev)
• 9e6c31b: feat(api,agent): HTTP-signed agent polls (#75) (#80) (@juev)
• 3e56531: feat(api,agent): force-rotate cert endpoint + rekey flow (#75) (#83) (@juev)
• b5666de: feat(api,agent): structured revocation 403/410 (#75) (#82) (@juev)
• 1c60255: feat(auth): admin-enforced 2FA via enforce_2fa setting (#49) (#63) (@juev)
• fe9c741: feat(auth): configurable password policy (#48) (#61) (@juev)
• b3344b2: feat(ca): hybrid CA rotation — warning badge + manual rotate + opt-in auto-rotate (#110) (#117) (@juev)
• 8049952: feat(host): edit and patch API for host updates (@juev)
• 13c67df: feat(mobile): iOS/Android host enrollment with QR code bundles (#112) (@juev)
• 1b9f1e5: feat(mobile): improve QR rendering and mobile bundle UX (@juev)
• bc94bb7: feat(packaging): ship nebula-mgmt as deb/rpm + reverse-proxy snippets (#51) (#62) (@juev)
• d3d6a7b: feat(ratelimit): per-IP rate limiter on auth / enroll / UI / API (#52) (#60) (@juev)
• 9a0d68c: feat(server): Prometheus exporter at /metrics (#40) (#55) (@juev)
• 7758f11: feat(server): auto-assign lighthouses by host role (#39) (#54) (@juev)
• 416ac7f: feat(server): cert rotation overlap window (#75) (#81) (@juev)
• b04cfd6: feat(store): foundation for ADR 0004 agent auth (#75) (#78) (@juev)
• d49c60b: feat(web): admin Settings page at /ui/settings (#47) (#64) (@juev)
• d62fe7d: feat(web): admin operator + API-key management UI (#45) (#65) (@juev)
• dceb22f: feat(web): auto-provision default CA on operator onboarding (@juev)
• 4dd920c: feat(web): inline field-level validation and form state preservation (@juev)
• 90b446c: feat(web): live host status via SSE (#43) (#58) (@juev)
• 486b3ae: feat(web): per-operator CA management UI (#46) (#66) (@juev)
• cc9511c: feat(web): pre-fill network prefix + hint in Nebula IP field (#97) (@juev)
• 8cc35e9: feat(web): route / to UI, /api to API; document UI-only mTLS via proxy (#69) (#72) (@juev)
• ce69582: feat: support multiple overlay addresses per network and per host (#108) (#113) (@juev)

Bug fixes

• f495600: fix(hosts): reject lighthouse/relay without public_ip+listen_port (#95) (@juev)
• a58b938: fix(web): gate network/host creation on operator-owned CA (#98) (@juev)
• e0ebd31: fix(web): render inline form errors on host/network create (#96) (@juev)
• 30ade25: fix(web): stats partial leak + Cache-Control: no-store on /ui/* (#90) (@juev)
• 2ba44d5: fix(web,api): constrain Nebula IP input + friendly IP/CIDR errors (#100) (#109) (@juev)
• 6759fa0: fix: add server.local.yaml and local-data to gitignore (@juev)

Others

• 411c02f: docs(adr): 0005 pre-auth keys — reusable/ephemeral/tag-bound tokens (#99) (@juev)
• 881d140: docs(adr): ADR 0003 — CA key encryption model (#68) (#73) (@juev)
• 1cf02dc: docs(adr): ADR 0004 — agent authorization model (#70) (#74) (@juev)
• ce3abaf: docs(adr): ADR 0004 — separate Ed25519 signing key for poll PoP (#77) (@juev)
• c4eec52: docs(agent): document ADR 0004 signed polls + new endpoints (#75) (#85) (@juev)
• 21c46b8: docs(readme): align with ADR 0004 protocol + systemd enrollment flow (#86) (@juev)
• 071db75: docs(readme): bump install examples to VERSION=0.3.0 (@juev)
• 01ffd10: docs(readme): collapse only large sections, drop duplicates (@juev)
• c30bd2a: docs(readme): defer agent enrollment details to docs/agent.md (#87) (@juev)
• b435342: docs(readme): document agent install from deb/rpm package manager (#50) (@juev)
• 3540cf0: docs(readme): fold long sections behind
  (#53) (#59) (@juev)
• de58879: docs(readme): simplify install steps, drop stale Roadmap (@juev)
• 00eee8e: refactor(ca): consolidate CA-mint helper and remove legacy on-disk CA stack (#114) (#115) (@juev)
• a085c0e: test(ca): auto-provision default CA for admin-role operators (#116) (@juev)
• 80cc180: test(web): add settings form structure and flash message assertions (@juev)

---

Full changelog: v0.2.0...v0.3.0

v0.2.0

nebula-mesh v0.2.0

Install — see README for the full snippets.

• Server: nebula-mgmt_0.2.0_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-mgmt:0.2.0
• Agent: nebula-agent_0.2.0_<os>_<arch>.tar.gz or docker pull ghcr.io/juev/nebula-agent:0.2.0

Changelog

Features

• 3f46685: feat(auth): add OIDC operator login (Keycloak/Authentik/Okta/...) (#24) (@juev)
• 824328a: feat(auth): add TOTP 2FA with recovery codes for operators (#23) (@juev)
• af34cf3: feat(auth): add configurable self-registration flow with admin-only operator API (#32) (@juev)
• f5d835a: feat(auth): support multiple operator users (foundation) (#22) (@juev)
• cfea47b: feat(cli): add host delete, block, and unblock subcommands (#21) (@juev)
• 4eb3c6e: feat(hosts): support advanced per-host config overrides (#30) (@juev)
• 7c69877: feat(pki): per-operator CAs with envelope-encrypted in-DB key storage (#35) (@juev)
• 30b015c: feat(ui): add profile page and move logout out of the main navigation (#33) (@juev)
• ec81320: feat(web): add SVG favicon and /favicon.ico route (#20) (@juev)

Bug fixes

• c74a2fe: fix(hosts): validate IP belongs to network CIDR, is unique, and is not reserved (#29) (@juev)
• 8f0267e: fix(store): apply each migration once and split multi-statement scripts (#38) (@juev)
• b9fb288: fix(web): show network name instead of UUID in dashboard and hosts list (#19) (@juev)

Others

• 1272820: build(release): expand nebula-agent target matrix to Nebula-aligned platforms (#27) (@juev)
• 8733bb8: build(release): produce .deb and .rpm packages for nebula-agent (#28) (@juev)
• 96283a9: docs(adr): record ADR 0002 — per-operator CAs with in-DB encrypted storage (#34) (@juev)
• c99e014: docs(adr): record decision to keep CA key on the filesystem (#25) (@juev)
• 21aa498: docs(agent): add comprehensive nebula-agent operations guide (#26) (@juev)
• 0e34833: docs(readme): hoist badges, dedup auth sections, refresh Features/Security/Roadmap (#44) (@juev)

---

Full changelog: v0.1.2...v0.2.0