Fluxheim 1.6.16

Fluxheim 1.6.16 Release Notes

Fluxheim 1.6.16 starts the native proxy cutover gate for the Pingora-exit line.
The release does not switch production traffic away from the compatibility
adapter yet; instead it makes native HTTP/1.1 proxy eligibility stricter and
more auditable so only configurations whose semantics are represented by the
native handler can be marked ready.

Security and Correctness

• Native HTTP/1.1 proxy planning now fails closed when a route uses
  strip_prefix, rewrite_prefix, or rewrite_template. The native handler
  does not apply those request-path transforms yet, so these routes remain on
  the Pingora compatibility adapter until the native pipeline owns the same
  behavior.
• Vhost-level ACME challenge routing and vhost redirects now block native
  HTTP/1.1 proxy eligibility. Both features alter request routing before
  upstream forwarding and must be implemented explicitly before cutover.
• Proxy configs using auth subrequests, traffic mirroring, proxy error pages,
  advanced upstream transport settings, per-proxy downstream throttling, or
  advanced load-balancer policy now receive explicit compatibility-only
  reasons from the native proxy builder.
• Parsed TOML configs now receive the same proxy downstream write and
  total-response timeout defaults as ProxyConfig::default(). This keeps the
  native cutover readiness gate from treating omitted timeout fields as
  per-proxy overrides.
• ServerPlan now exposes a native HTTP/1.1 proxy cutover summary with
  NoProxy, NativeReady, Mixed, and CompatibilityRequired states. This
  gives the next runtime wiring release a single audited readiness signal
  instead of requiring callers to reinterpret every candidate row.
• Fluxheim now logs the native HTTP/1.1 proxy cutover readiness state at
  startup, including compatibility-only reasons for proxy paths that are not
  native-ready yet.

Tests

• Added native HTTP/1.1 proxy tests for auth-request, traffic-mirror,
  error-page, upstream-transport, and downstream-policy blockers.
• Added server-plan tests proving route strip/rewrite and vhost ACME challenge
  routing keep affected proxy paths on the compatibility adapter.
• Added server-plan coverage for vhost redirects and TOML parsing coverage for
  proxy downstream timeout defaults.
• Added server-plan tests for aggregate native HTTP/1.1 cutover readiness.
• Native HTTP/1.1 TLS proxy tests now clean up temporary PEM fixture
  directories through a drop guard even if a test assertion panics.

Compatibility

• The active runtime adapter remains PingoraCompatibility in this release.
  Native HTTP/1.1 proxy, upstream TLS, and HTTP/2 upstream primitives continue
  to be built and tested as staged cutover components.

Checksums And Signatures

• Commit: 9c8dded4ef712e18c7482f9aa82219cd7c0077ce
• Local gate: GitHub CI green before tag; local release metadata checks passed
• CodeQL/code scanning: no open release-blocking alerts before tag
• Source archive checksums:
  • d6f8837af987dd3f9ae05dc4e93644e7df9ef76089db3cdfc84e106379afcdd9 fluxheim-1.6.16.tar.gz
  • 9e7f62f8504fecbb9a09b2b2012c371c03c0824c1dbeda348cb985b2c98d6b8a fluxheim-1.6.16.zip
• Binary checksums:
  • x86_64:
    • 81722447c40c54f1dcfc1177d08667535fadcd2c85976129871c14b759f52797 fluxheim-1.6.16-full-x86_64-linux.tar.gz
    • b4d74f4945dc0df667eefc973764a08b738cab2cb67a2187b7a6d881001cb943 fluxheim-1.6.16-cache-x86_64-linux.tar.gz
    • 43917771a686bc94d2780413aea81ae199f7041fdbd70b246e935a87c2e30f0c fluxheim-1.6.16-proxy-x86_64-linux.tar.gz
    • 5c54ea1da82748f6d78ddc2ce423cd7899537e5e2a58a87eee22984beb2c25c2 fluxheim-1.6.16-php-x86_64-linux.tar.gz
    • 240b8a6e1ee56416ad00818c999081af7c4dc1fbd06b3dffcd1d6a8dd77f340b fluxheim-1.6.16-load-balancer-x86_64-linux.tar.gz
    • 8f1928c08c4c15c87945677a64a32554fad71f439ae8c73ab0499d12d027faa4 fluxheim-1.6.16-config-tester-x86_64-linux.tar.gz
  • aarch64:
    • 7b25b86a8c5f5ba712648fdb7c2e85bf0314e255e4072df932a518212676c78f fluxheim-1.6.16-full-aarch64-linux.tar.gz
    • 320b9c4414acb7db861708dc0edf1a731242e6c53993f36071f1d876c8570920 fluxheim-1.6.16-cache-aarch64-linux.tar.gz
    • 52c73b7a19ee8a72800aa1680bb2b587e83d951a1a3daaae5fcbc4c18603e439 fluxheim-1.6.16-proxy-aarch64-linux.tar.gz
    • 69897af87da2b25015eaf577ddb85422d5b5cd668bb375d33104ba5e90719c49 fluxheim-1.6.16-php-aarch64-linux.tar.gz
    • d899df77b0e87d13e960157b66afac3ed412abe0611d44fa4bb0021cdeeedec6 fluxheim-1.6.16-load-balancer-aarch64-linux.tar.gz
    • 32036d539b07c7d6021b459c01b9bfd473f00bdb36473cfe1206184f185be442 fluxheim-1.6.16-config-tester-aarch64-linux.tar.gz
  • macos:
    • 7ae977b67e79c8a3e15a702faf9931c70d186b01401ca34a8b9be86658aa9441 fluxheim-1.6.16-dev-aarch64-macos.tar.gz
• SBOM checksums:
  • ac10d4f4d90b04fd17e023b299bc4e41eb4fbda706d28cb47530fe6667a5587d fluxheim.spdx.json
  • 40f410bf9064d4fdcda8c04539a0c3e4439fbe7fe37bdf55748701cad04e6d8c fluxheim.cyclonedx.json
• Reproducible build:
  • 5a396d84787cb48a13d030f3dfba67b311c6043b60ba37aa62a89354ef270e89 x86_64
  • b28f2fe0bf0f2a4b841417235485a62158bbd976f9217cb8f561b4955cb8d8ed aarch64
  • 79656cb34e0f51a6ddff00d1d7356a7748d0c9a68e5ff39c9a454c66f5e51e7d macos
• Full Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:b224ccf63c9ad17918d68dbf878982f4264d8f6ce7937aae87f3ef8c967dc8c1
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:21afa5b462acb6e8a1ebb2d1035ca2b4806bdd34bf004c896d8cbdcbd166cf9a
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:14795f64f92b13b449e7ce479b9774a6aca1dbfd1e7ca6fd58f69a6b7c0d34c9
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:2db126c35af682691fe5d77a3bdc19b15f93132777da3aca2a2eaff3f51804b6
• Cache Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:93fa4a8608754bec03d47b0d9650bcd468c729461d3de1afc37f0af2f8e7ad41
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:157e5cc637c334ac1e99fcdff87d36b3504d828e87863c699205dc7f2d527611
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:5469fc69ecee0b138b3381b7f3f06c9f28809bdb88cc3316f44c67d95bab0e4f
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:42d23e994d4e089e85df4b7e02877649fcac062955426464af80daef647e791c
• Proxy Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:47b8a60ebbba38e3f359858d799994632bef482a1440f480f4e52d8e27632f34
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:a0be0fa37611bfd68b928212c8e82e85afbc622f8240077ad10b793757ad5ab1
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:2cb4d561d4c40dcdf7ede16f19b9dffb9cb3e4a8090cb5ca4114dc11b2e31ed1
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:5d9f04606d47721a77a850aa69afefe271086e08a48f8dbc9ce3ba51783ba4b9
• PHP Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:c1bd3599c338935c5b237eb9235c72063bb6147b609b5f0d5721ad854045ca1a
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:4e2e323ced7f3539d74fb4619749c983b3fe0c0fe5e9b653e6623df0eefcf18f
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:ae88cb42aaf3d4b3867638f1ab84b1c27b89d8a91eb97ffb6303aa5735b9675e
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:e123320415992161ea846c46ae6de7a36703a14eb3e062c90e9ff764d1ec2ce9
• Load Balancer Build Container digests:
  • Wolfi: ghcr.io/valkyoth/fluxheim@sha256:0f069e0ba708472349a57277f557c3e065a690edf235b6198b3a7bb545ca602a
  • Alpine: ghcr.io/valkyoth/fluxheim@sha256:9ae78f15a8bbe6018d8d2e617491437fc92cbde159ea809311a83356dbe1d590
  • SUSE Micro: ghcr.io/valkyoth/fluxheim@sha256:5e02ccf60b252170f56d044ecf73640ee9227f5d1fd1aa6636290eaccd15dba1
  • Debian: ghcr.io/valkyoth/fluxheim@sha256:3621b2fba6ddfe15c5c68305b27df39153a5f4a9c53994ff4bcecaa55cc55991
• Tag signature:
  • Good "git" signature for 1921261+eldryoth@users.noreply.github.com with ED25519 key SHA256:EoLRQ5k4J5pYz3UMFmkrV798gYFNkToGS2xEPvebqB4