Releases: kernalix7/linpodx

v0.1.1

14 May 12:15

[0.1.1] - 2026-05-14

Highlights

Security-fix patch. Closes 14 advisories against wasmtime (incl. CRITICAL
sandbox-escape RUSTSEC-2026-0095 / -0096), the hickory-proto baseline DoS
RUSTSEC-2026-0119, time stack-exhaustion RUSTSEC-2026-0009, and the serde_yml
unsoundness RUSTSEC-2025-0068 / -0067. No public API changes.

  • wasmtime 26.0.1 → 43.0.2 — drop the WebAssembly plugin sandbox onto a CVE-free
    release line. The 24 LTS branch lacks backports for 6 Winch / pooling-allocator
    advisories; 43.x is API-compatible with linpodx-plugin and required zero source
    changes downstream.
  • hickory-{resolver,server,proto} 0.24 → 0.25 — closes the message-encoding CPU
    exhaustion in the egress DNS filter. Adapted linpodx-netfilter::resolver and
    linpodx-runtime::network_filter for the new TokioResolver builder API.
  • serde_yml → serde_norway: serde_yml was archived upstream (RUSTSEC-2025-0068)
    and pulled in the unsound libyml (RUSTSEC-2025-0067). serde_norway is the
    maintained drop-in fork of serde_yaml; touches workspace dep + 4 crate manifests
    + 6 source files (cli/main.rs, sandbox/{profile,schema,snapshot_trigger}.rs,
    cluster/k8s.rs).
  • time 0.3.45 → 0.3.47 — transitive bump via cargo update -p time closes the
    stack-exhaustion DoS in x509-parser / rcgen.

Changed

  • .cargo/audit.toml (new) mirrors deny.toml [advisories].ignore so
    rustsec/audit-check exits 0 on CI. Nine well-rationalized waivers cover
    hickory NSEC3 (we never validate DNSSEC), the hickory encoder DoS (loopback-only
    forwarder), the rsa Marvin advisory (sqlx-mysql is in Cargo.lock only, not in
    the compiled graph — workspace sqlx uses default-features = false with only
    runtime-tokio,sqlite,macros,migrate), and the transitive unmaintained crates
    (backoff, instant, paste, rustls-pemfile, serial, lru GUI-only).
  • deny.toml adds BSL-1.0 and CDLA-Permissive-2.0 to the license allow-list
    (Boost-licensed ryu / clipboard-win / error-code / xxhash-rust and the
    Mozilla CA-trust-store data crate webpki-roots), removes the now-unused
    Unicode-DFS-2016, and pins jsonpath-rust to MIT via [[licenses.clarify]]
    (LICENSE file ships MIT; upstream Cargo.toml omits the license = field).

Fixed

  • 14 wasmtime advisories closed in full via the 43.x bump, including the two
    CRITICAL sandbox-escape paths that initially demoted v0.1.0 to prerelease.

v0.1.0

14 May 00:01

v0.1.0 Pre-release
[0.1.0] - 2026-05-13

Highlights

First pre-alpha release of linpodx. This release establishes the Linux-native
container manager, AI-agent sandbox, desktop GUI, remote daemon, plugin system, and
multi-distro foundation that future 0.x releases will harden.

  • Local daemon + Rust CLI + iced GUI over a shared JSON-RPC surface.
  • AI-agent sandbox with approvals, tamper-evident audit log, sessions, snapshots, and bridge controls.
  • GUI passthrough, multi-distro templates, remote daemon security, plugin signing, and cluster scaffolding.
  • Source installer/uninstaller, release artifacts, and a winpodx-style release workflow.

Added — Core

  • Rust workspace with daemon, CLI, GUI, runtime, sandbox, common IPC, distro, MCP, network filtering, plugin, cluster, and web UI crates.
  • Rootless Podman-backed container lifecycle: list, inspect, create, start, stop, remove, pull, logs, exec, and minimum Podman version detection.
  • Unix-socket JSON-RPC daemon with typed IPC envelopes, event notifications, graceful shutdown, structured logging, SQLite migrations, and stable error responses.
  • CLI coverage for containers, images, volumes, networks, snapshots, sessions, MCP bridges, distro environments, passthrough, egress policy, remote daemon access, cluster operations, plugins, K8s operations, and registry workflows.
  • Image, volume, and network management, port mapping, registry push with optional client certificates, multi-arch manifest creation and push, and progress/event streaming.
  • Snapshot lifecycle with async jobs, lineage, diff support, branch aliases, pruning, encryption status, and file-level diff_v2 over OCI layers.
  • Session timelines that merge audit and MCP activity by container, plus table and JSON output across the CLI.
  • Source-based install.sh and uninstall.sh for release/main/local checkout installs, GUI launcher setup, optional helper capability setup, and data-preserving uninstall.

Added — AI sandbox

  • YAML sandbox profiles with network policy, mount whitelist, capability drop/add, CPU and memory caps, read-only rootfs, distro/systemd metadata, passthrough policy, and approval gates.
  • Policy engine that enforces denied mounts, denied capabilities, network-disabled profiles, read-only rootfs, resource caps, and profile reloads before container creation.
  • Tamper-evident audit log with SHA-256 hash chaining, verification command, typed audit events, and event publication.
  • Approval workflow for sensitive operations with request fan-out, timeouts, grant/deny outcomes, CLI listener, and GUI subscription support.
  • MCP host-stdio bridge with allowlists, per-method policy, audit events, lifecycle commands, and session integration.
  • Agent-oriented safety features including pre-run snapshots, rollback support, network allowlists, and isolated runtime configuration.

Added — Multi-distro

  • Distro templates for Ubuntu, Fedora, Arch, Debian, Alpine, and NixOS with default image, init mode, package list, shell, and recommended passthrough.
  • VM-mode lightweight environments with persistent home volumes, auto-restart behavior, systemd support, and --userns=keep-id host UID/GID mapping.
  • Distro CLI and IPC for listing, inspecting, creating, building, entering, and removing managed environments.

Added — GUI

  • iced desktop dashboard with live event subscriptions, reconnect handling, and container/image/volume/network views.
  • Embedded web UI with REST endpoints, legacy fallback, Leptos SPA support, sortable/filterable views, per-row modals, logs view, image push flow, and exec workflows.
  • Interactive PTY support over WebSocket with CLI raw-mode handling and browser terminal integration.
  • GUI/container passthrough support for Wayland, X11, audio, GPU, DBus session bus, clipboard, HiDPI/theme environment, and optional desktop file registration.

Added — Cluster

  • P2P gossip, node liveness transitions, and container view aggregation over the remote transport.
  • Kubernetes read/write adapter for pod, service, namespace, and deployment operations with daemon IPC and CLI commands.
  • Raft-backed leader election, multi-node membership, learner promotion, voter demotion, HTTP Raft transport, and audit events.
  • Replicated cluster state machine for container proposals/removals, state snapshots, install-snapshot restore, and raft-first/fallback container views.

Added — Plugins

  • WASM plugin runtime with approval short-circuiting, audit filters, profile validation, network decisions, runtime injection, and example plugins.
  • Plugin manifest installation path with signed package support, detached signatures, publisher key lookup, unsigned-plugin bypass gate, and audit events.
  • ed25519 signature verification with strict signature checks, key registry search paths, key listing, revocation markers, and revoke/list CLI commands.

Added — Remote

  • WebSocket remote daemon transport with bearer authentication, browser-friendly query-token fallback, first-frame fallback, and subprotocol bearer support.
  • mTLS remote daemon mode, certificate generation command, server/client certificate loading, and client common-name extraction.
  • Client certificate pinning with SQLite persistence, add/list/remove commands, audit events, and TOFU auto-enrollment with count and time-window controls.

Security

  • Seccomp OCI JSON and AppArmor profile compilation, SELinux dynamic and static label flows, runtime fallback option, and security option propagation into Podman.
  • L4 egress firewall helper with nftables enforcement and DNS-based egress allowlist support.
  • Snapshot at-rest encryption using AES-256-GCM, passphrase/raw-key sources, ciphertext hashing, side-car metadata, and decrypt/load path.
  • Supply-chain controls for plugin signing, key revocation, cargo audit, cargo deny, license policy, and exact pinning for selected crypto dependencies.
  • Remote hardening with mTLS, bearer token handling, client certificate pinning, TOFU expiry, and detailed audit events for accepted/rejected paths.

Performance

  • Live container metrics via podman stats with GUI sparkline support.
  • Criterion benchmark tooling, per-platform benchmark baselines, Linux x86_64 and Linux ARM64 CI coverage, and comparison scripts for regression checks.
  • Async snapshot jobs and streaming operations keep long-running runtime work off the interactive control path.

Changed

  • MSRV: 1.85 (was 1.83).
  • CI tests the stable toolchain and Rust 1.85 baseline.
  • Release notes are organized by user-visible capability area, with phase-level development notes kept below as pre-release history.

Documentation

  • README, install guide, release process, contribution guide, security policy, code of conduct, architecture notes, ADRs, scenarios, example profiles, and Korean documentation coverage.
  • README reorganized around quick install, launch, feature matrix, workflows, architecture, supported distros, and testing.
  • Example sandbox profiles for GUI passthrough, distro environments, strict MCP policy, interactive mount approvals, and signed/unsigned plugin workflows.

Testing

  • cargo test --workspace: 829 passed / 0 failed / 54 ignored.
  • 883 total tracked tests including ignored live integration coverage.
  • Pre-release integration coverage spans container, image, volume, network, approval, event, sandbox, snapshot, session, MCP, distro, passthrough, egress, K8s, cluster, remote, plugin, and encryption flows.