Skip to content

v1.4.0

Choose a tag to compare

@github-actions github-actions released this 12 Jul 09:53
bc29f63

Added

  • Added the realm-native control plane under d2b.realms.<realm>, including
    canonical <workload>.<realm-path>.d2b targets, provider-neutral workload
    identity, realm network and UI metadata, generated realm artifacts, bounded
    realm/operation inspection commands, and metadata-only topology, access, and
    resource-allocation layers.
  • Added the explicit, default-denied unsafe-local provider for host-user
    workloads. Generic typed exec and shell launcher items now work across
    local VMs, qemu-media, and unsafe-local targets through d2b launch, with
    persistent host shells, same-UID helper supervision, Wayland identity rails,
    and visible no-isolation posture.
  • Added daemon-owned serial-console and audio operations, including
    provider-capability dispatch and host/guest mute and volume controls.
  • Added an opt-in FIDO2/WebAuthn security-key proxy that presents a host device
    to opted-in guests as virtual HID over vsock without transferring USB
    ownership, plus status, session, cancellation, test, and notification
    commands.
  • Added explicit USB attachment for any physically present device to an
    eligible VM, with preflight validation, audited ownership, and rollback.
  • Added the opt-in d2b-clipd clipboard authority, picker-driven cross-realm
    paste, virtualized guest clipboard transport, and Niri focused-window
    attribution.
  • Added a compositor-agnostic UI color contract rendered as
    /etc/d2b/ui-colors.json and /etc/d2b/ui-colors.css, with a Niri VM-border
    backend and per-realm accent metadata.
  • Added macvtap-backed external network attachment for env net VMs, including
    independent egress NAT, port forwards, and mDNS/.local reflection.
  • Added generated storage and synchronization contracts, read-only startup
    validation, d2b host doctor --read-only, and
    d2b host migrate-storage --dry-run.
  • Added provider-aware graceful VM shutdown with configurable global and per-VM
    timeouts, plus explicit --force lifecycle overrides.
  • Added experimental remote full-host and provider-managed Azure Container Apps
    adapters with capability matrices, bounded backoff/circuit behavior, and
    redacted diagnostics. Production remote transport remains out of scope.
  • Added release automation that creates a version tag and GitHub release with
    host binaries, checksums, and a Nix hash manifest when a dated changelog
    section reaches main.

Changed

  • Breaking: Renamed the project to d2b: Double Dutch Bus. Commands,
    packages, services, sockets, Nix options, paths, schemas, and telemetry now
    use only d2b naming; no legacy aliases are provided.
  • Breaking: Removed the legacy d2b.gateways and nested gateway/ACA sandbox
    configuration surfaces. Configurations must migrate to d2b.realms.
  • Breaking: Explicit d2b:// targets must include the reserved .d2b
    suffix; omitted suffixes no longer fall back to local VM routing.
  • Breaking: Unsupported constellation streams and operations now return
    typed unsupported errors instead of falling back to generic byte streams.
  • Breaking: VMs using usbip.yubikey = true must enable guest control;
    USBIP attach and detach no longer have an SSH fallback.
  • Advanced the public manifest schema to version 7 and the private bundle
    contract to version 11. The release adds runtime/provider capabilities,
    graceful-shutdown metadata, realm artifacts, configured launcher items,
    unsafe-local helper policy, and storage/synchronization contracts.
  • Renamed the Wayland proxy package and binary to d2b-wayland-proxy and the
    configuration surface to graphics.waylandProxy.*. The former option path is
    retained as a compatibility alias for this release.
  • Moved audio process identity entirely into the daemon-managed audio runner and
    retired the former audio service path.
  • Changed live VM activation to a broker-prepare, guest-control activation, and
    broker-commit flow. Offline activation now fails closed except for explicit
    boot staging.
  • Changed daemon list/status handling to use request-scoped artifact snapshots
    and parallel per-VM status probes, improving consistency and desktop-client
    latency.
  • Changed runtime/state creation to rely on tmpfiles-owned parents and
    narrowly-scoped ACLs instead of activation-time permission repair.
  • Changed d2b-priv-broker.service default logging from debug to info.

Fixed

  • Fixed unsafe-local graphical launches by supervising the proxy and configured
    app in one verified user scope with private runtime paths, typed readiness,
    first-client gating, bounded socket names, exact child reaping, canonical
    realm colors, and no direct-compositor fallback.
  • Fixed picker/clipboard protocol compatibility, focus restoration, proxied
    virtual-keyboard replay, endpoint payload handling, cancellation, and
    backpressure while preserving picker-only transfer authority.
  • Fixed USBIP claim, bind/unbind, firewall, ACL rollback, restart reconciliation,
    and revocation races; hardened security-key UHID framing, socket lifetime, and
    udev behavior.
  • Fixed console and audio session ownership, QMP chardev handling, PipeWire
    targeting, and provider dispatch.
  • Fixed daemon restart and host-switch continuity: d2bd.service reports ready
    only after socket bind and runner adoption, while running VMs remain alive.
  • Fixed guest exec and GUI launch establishment timeouts under heavy virtiofs
    load.
  • Fixed runtime, state, guest-control, observability, and per-role ACL ordering
    so daemon and runner access survives reboot and host switches without local
    overrides.
  • Fixed net-VM cold-boot host preparation, qemu-media synchronization contract
    rendering, broker child reaping, and existing disk-image validation.
  • Fixed realm controller and workload identity JSON field names and nesting to
    match their Rust DTOs.
  • Fixed realm workload CLI routing, bare-VM migration hints, persistent-shell
    owner framing, and guest journal sizing.

Removed

  • Removed d2b usb enroll; qemu-media USB boot selection now uses
    qemuMedia.source.usbSelector.byIdName and d2b usb probe.

Security

  • Kept realm relay/provider credentials, remote registries, and realm audit out
    of the host daemon, broker, and bundle; relay identity is never mapped to
    local lifecycle authorization.
  • Enforced same-UID unsafe-local helper registration, private proxy/readiness
    sockets, immutable proxy binaries, operation fingerprint parity, fail-closed
    group eligibility, and explicit logout/login after new group assignment.
  • Enforced picker/clipd-only cross-realm clipboard transfer, strict bounded and
    redacted protocol metadata, destination-focus verification, and proxy-safe
    synthetic paste ordering.
  • Tightened broker, runtime, qemu-media, observability, and per-role path
    ownership so diagnostics remain redacted and mutable host state stays within
    its declared authority.