Releases: runos-official/nodeagent

v1.2.0

20 Jun 21:42

Manual-install robustness: defensive preflight, honest failure reporting, clear
actionable errors, and Ubuntu 26.04 support. Validated by real installs on
Ubuntu 24.04 and 26.04.

Added

  • Ubuntu 26.04 support. Preflight now admits 22.04/24.04/26.04 (was a
    hard block on anything but 22.04/24.04). A unified /etc/os-release parser
    (ID + VERSION_ID) replaces the two divergent parsers; a genuinely-unsupported
    OS fails with a message naming the detected OS + the supported set. Validated:
    a full install on Ubuntu 26.04 reaches a Ready control-plane node (k8s 1.35.4,
    containerd 2.2.2).
  • Preflight checks with clear remedies: not-root, CPU arch (amd64/arm64),
    swap enabled, required ports in use (6443/10250/2379/2380/6446 + udp
    51820/8472), clock/NTP skew, and Nodeward host:port reachability (classifies
    DNS-fail vs refused vs firewall). Cheap/local checks run before network ones.
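
A sketch of the unified os-release check described above, as an added example (not the nodeagent's own code). The function names, the error wording and the sample input are assumptions made for illustration; only the ID + VERSION_ID fields and the supported set come from the release note.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Supported Ubuntu releases, as listed in the release note.
var supported = []string{"22.04", "24.04", "26.04"}

// parseOSRelease reads KEY=value lines in os-release(5) form, skipping blank
// lines and comments and stripping surrounding quotes from values.
func parseOSRelease(content string) map[string]string {
	kv := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		k, v, ok := strings.Cut(line, "=")
		if !ok || strings.HasPrefix(line, "#") {
			continue
		}
		kv[k] = strings.Trim(v, `"'`)
	}
	return kv
}

// checkOS returns nil for a supported release, else an error naming what was
// detected and what is supported (hypothetical message format).
func checkOS(content string) error {
	kv := parseOSRelease(content)
	id, ver := kv["ID"], kv["VERSION_ID"]
	for _, s := range supported {
		if id == "ubuntu" && ver == s {
			return nil
		}
	}
	if id == "" {
		id = "unknown"
	}
	return fmt.Errorf("unsupported OS: detected %s %q; supported: ubuntu %s",
		id, ver, strings.Join(supported, "/"))
}

func main() {
	// Constructed sample, not read from a real host.
	sample := "NAME=\"Ubuntu\"\nID=ubuntu\nVERSION_ID=\"26.04\"\n"
	fmt.Println(checkOS(sample))
}
```

Matching on the exact ID key means a derivative that only advertises ID_LIKE=ubuntu is reported as unsupported rather than silently admitted.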

Fixed

  • Honest failure reporting (the "install said success but the node never came
    up" bug).
    The on-node installer now checks the exit code of every step
    (register + install were previously unchecked) and only prints the success
    banner if all passed; otherwise it prints a FAILED: <step> block and exits
    non-zero. The install/register cobra commands now exit non-zero on failure
    (were exit 0); log.Fatalf/panic on recoverable errors are replaced with a
    structured FAILED: <step> — Cause — Try block; and gRPC registration errors
    map to actionable messages (bad/expired token, bad --aid, Nodeward
    unreachable).
  • Register flag validation: empty/missing --token/--aid/--server are
    rejected up front (an empty --server no longer silently persists an empty
    Nodeward host).

v1.1.1

20 Jun 20:40

Fixed

  • uninstall no longer stalls for minutes. All package removals are now a single
    non-interactive apt-get (was five separate, lock-contending invocations), and
    every potentially-blocking step (kubeadm reset, systemctl, netplan, apt) is
    bounded by timeout so a wedged step can't hang the whole uninstall. Also
    removes the previously-missed wireguard-tools. Measured ~12s end to end on a
    control-plane node (was minutes).

Security

  • runos uninstall now requires --yes (or an interactive "yes" confirmation)
    before it wipes Kubernetes/etcd and reboots, so a bare invocation can't destroy
    a node by accident. The nodeward UNINSTALL_NODE instruction path is
    unaffected.

v1.1.0

20 Jun 20:17

Security hardening pass (file permissions, secret logging, instruction-handler
input validation, transport trust, and connection resilience). No on-wire
protocol change.

Security

  • The mTLS private key (/etc/runos/mtls.key) and the agent log
    (/var/log/runos.log) are now created 0600 (were world-readable 0644).
    The key is also re-tightened to 0600 on every agent startup, so already
    deployed nodes are remediated on the next restart.
  • Removed cleartext logging of certificate/key PEM material; command and script
    logging now redacts secret-bearing values (PASSWORD= / TOKEN= / ...).
  • RUN_REMOTE_SCRIPT no longer builds curl … | bash: the script id/path is
    validated and the fetched script runs argv-style (no shell string).
  • RUN_WEB_REQUEST blocks loopback / link-local / cloud-metadata targets
    (dialing the resolved IP to defeat DNS-rebinding) and ignores caller-supplied
    TLS-skip.
  • REINSTALL_NODE writes its command to a root-only 0600 script rather than
    interpolating it into a systemd unit.
  • UPDATE_DNSMASQ (directive allow/deny-list) and INSTALL_HELM_CHART
    (https-only, internal-IP block, name validation) now validate their inputs.
  • The L1Sec public CA is verified against a pinned SHA256 (set at release;
    warn-only until set). TLS minimum version raised to 1.2.
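
The RUN_WEB_REQUEST item above relies on checking the address that is actually dialed rather than the hostname. An added example of that pattern in Go (not the nodeagent's own code): the deny-list contents and the names checkDialTarget and guardedClient are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// Illustrative deny-list (an assumption, not the agent's actual list).
var blocked = []netip.Prefix{
	netip.MustParsePrefix("127.0.0.0/8"),       // IPv4 loopback
	netip.MustParsePrefix("::1/128"),           // IPv6 loopback
	netip.MustParsePrefix("169.254.0.0/16"),    // link-local, incl. 169.254.169.254 metadata
	netip.MustParsePrefix("fe80::/10"),         // IPv6 link-local
	netip.MustParsePrefix("fd00:ec2::254/128"), // AWS metadata over IPv6
}

// checkDialTarget vets the literal ip:port a socket is about to connect to.
func checkDialTarget(address string) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil {
		return fmt.Errorf("unparseable dial address %q: %w", address, err)
	}
	// Fold ::ffff:a.b.c.d to IPv4 and drop any zone so prefix matching applies.
	ip := ap.Addr().Unmap().WithZone("")
	for _, p := range blocked {
		if p.Contains(ip) {
			return fmt.Errorf("blocked target %s (in %s)", ip, p)
		}
	}
	return nil
}

// guardedClient checks every connection, including redirects, after DNS resolution.
func guardedClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second}
	d.Control = func(_, address string, _ syscall.RawConn) error {
		return checkDialTarget(address)
	}
	return &http.Client{Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	_, err := guardedClient().Get("http://127.0.0.1:1/")
	fmt.Println("loopback request:", err)
}
```

Because the check runs in the dialer's Control hook, there is no gap between a validation lookup and the connection's own lookup for a rebinding DNS answer to exploit. The Transport here sets no proxy, so the dialed address is the real target.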

Changed

  • The agent now reconnects in-process with capped exponential backoff instead of
    exiting on a transient stream/connection error and relying on a systemd
    restart, so network blips no longer cause full process restarts (and a re-run
    of VPN sync). Dial is bounded by a timeout.

v1.0.0

20 Jun 11:27

First public release of the RunOS node agent.

  • Source-available under the Elastic License 2.0.
  • Published as attested linux/amd64 + linux/arm64 binaries on GitHub
    Releases, built by GitHub Actions on a v* tag with a keyless Sigstore
    build-provenance attestation and a checksums.txt. The installer downloads the
    exact release the control plane selects and verifies its checksum before
    installing.
  • Pre-release tags (-rc.N) publish a hidden release candidate: pushed and
    pinnable by exact version, and excluded from the "Latest release" pointer.
  • Verify a released binary with:
    gh attestation verify nodeagent-linux-amd64 --repo runos-official/nodeagent.