v0.3.7

nebula-mesh v0.3.7

Install — see README for the full snippets.

• Server: nebula-mgmt_0.3.7_<os>_<arch>.tar.gz or docker pull ghcr.io/forgekeep/nebula-mgmt:0.3.7
• Agent: nebula-agent_0.3.7_<os>_<arch>.tar.gz or docker pull ghcr.io/forgekeep/nebula-agent:0.3.7

Changelog

Features

• 4ca1440: feat(serve): refuse plaintext HTTP on routable address unless opted in (#179) (#182) (@juev)

Bug fixes

• 1debc03: fix(agent): bound enroll/poll HTTP requests with a client timeout (#193) (#198) (@juev)
• 47ad44a: fix(api): bound host name and groups before signing (#186) (#190) (@juev)
• 08a1274: fix(api): gate /debug/vars, opt-in auth for /metrics, redact /readyz (#187) (#191) (@juev)
• 002bdec: fix(config): SSRF guards for alerts.webhook_url and oidc.issuer (#188) (#192) (@juev)
• bca1d59: fix(pki): zeroize decrypted CA key when manager construction fails (#181) (#184) (@juev)
• 725d5d4: fix(store): actionable migration-018 startup error on overlay-IP conflicts (#175) (@ak2k)
• 327a20e: fix(web): URL-escape store error text in CA redirect target (#194) (#199) (@juev)
• 977178e: fix(web): constant-time login to prevent username enumeration (#180) (#183) (@juev)
• c6b5eb6: fix: cap /ui request bodies + add HTTP timeouts and DB pool bounds (#185) (#189) (@juev)

Others

• 01e9fae: Merge commit from fork (@juev)
• b933a90: chore(gosec): drop orphan #nosec G120 on the CSRF ParseForm (#174) (@ak2k)
• 15ea357: chore(lint): drop stale govet printf.funcs entry (#168) (@juev)
• 92db29c: ci: add scheduled slow lane for generative fuzzing (ADR 0009) (#171) (@ak2k)
• 74c8a3f: docs(adr): 0009 review follow-ups (clock-seam status, migration 018, ADR index) (#169) (@ak2k)
• 975b475: test(simtest): Tier-2 fleet-simulation harness + clock seam (ADR 0009) (#170) (@ak2k)

---

Full changelog: v0.3.6...v0.3.7