Fluxheim 1.0.0

Fluxheim 1.0.0 Release Notes

Release Metadata

• Version: 1.0.0
• Release date: 2026-05-08
• Git tag: v1.0.0
• Release type: stable gateway foundation

Summary

Fluxheim 1.0.0 is the first stable gateway foundation release. It is intended
for production testing of static sites, vhosts, redirects, TLS/SNI, HTTP/2,
secure defaults, systemd/RPM deployment, and external ACME challenge forwarding.

Highlights

• Static site serving with secure path validation, index files, ETags, range
  requests, and optional directory listing.
• Vhost routing with default-vhost fallback, wildcard host matching, route
  exact/prefix/fallback matching, redirects, static route actions, and proxy
  route actions.
• HTTP to HTTPS redirects and canonical host redirects that preserve safe request
  URIs.
• TLS with rustls by default, static vhost certificates, SNI selection, and
  default-vhost fallback certificate support.
• External ACME HTTP-01 challenge forwarding helper for
  /.well-known/acme-challenge/.
• Dynamic request header templates for common proxy migrations.
• Native systemd/RPM packaging, packaged default config/site, and server
  preparation helper.
• CodeQL, cargo audit/deny, SBOM generation, reproducible-build checks, panic
  policy hardening, zeroized admin token handling, and constant-time admin token
  verification.

Validated Scope

• Native RPM/systemd deployment.
• Static web roots and config preflight.
• HTTP/80 and TLS/443 listeners.
• HTTP/2 via ALPN.
• Multi-certificate SNI with rustls.
• External certbot/Actalis challenge forwarding.
• Basic proxy migration headers and route/vhost proxying.

Known Limits

• Native ACME certificate issuance/storage is still future work; use an external
  ACME client plus deploy hook for this release.
• HTTP/3/QUIC is post-1.0 work.
• Advanced gateway modules such as compression policy, identity-aware auth,
  trusted proxy providers, secure links, WAF, and WASM are roadmap items.
• Vhost TLS certificate changes require the normal process restart/reload
  workflow; automatic renewal reload is not first-class yet.

Checksums And Signatures

• Commit: bb6d6606d529d589fd62eeaf2d8c1e1abff33732
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • a6a4ffc9bf29e872ed2f31015dc6a3872bd2745d447fbd93359bb135dd15fe0e fluxheim-1.0.0.tar.gz
  • 85cdd6b31e002b214ab3457dd99ea9ff12ef4ac515e894853b401d8ea50df30b fluxheim-1.0.0.zip
• Binary checksums:
  • b5c2e4478f6f80690fbb8b2fee63e616865ac84d1fee4c1cbcf840cebc691690 fluxheim-1.0.0-linux-x86_64.tar.gz
• SBOM checksums:
  • f5c0add6030b7c0411a59847a8e0e634ff1945a84526c4fdff372b27b6bf7f1c fluxheim.spdx.json
  • d62619bbe42c8adc09abcdba8f957f84753ea82df30dd6286ac16fdb9fe9e3c8 fluxheim.cyclonedx.json
• Reproducible build:
  • c3b173663b2740b4054eb931cceca82932081eb68a5e717ac5bf6fcf77f97b62
• Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:71f51f4e7d4091c0a13401adb0b8654adf2cca8f2070857ef6b9adb5924ff6ce
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:0c1042d4ea8f2c3c6f9a2be9f92f22d9cabbbb18a801d30821ac7e18bd6de080
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:10f8b8d425a6db2c6d315c97ad916ba1877d06910539ff379e5929e6df8ebf5d
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:4662635e64d267e404fcc5caa8700c73684e2a4ccac9ceff3fb4b704505794b7
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4