Summary
Major release featuring a complete P2P networking refactor, enterprise CPU burst support, new
monitoring endpoints, server-side analytics, security hardening, and dependency modernization.
P2P Networking Refactor
- Replace global WebSocket arrays with encapsulated FluxPeerSocket and FluxPeerManager classes
using proper hash-private fields - Add capability handshake via HTTP upgrade headers for per-peer feature negotiation
- Add binary protocol (peerCodec) for unsigned messages with NAK support
- Add peer exchange capability for topology discovery
- Add NTP clock offset exchange for transmission delay correction
- Add per-peer metrics: message counters, version exchange, reconnect stats, uptime, and history
ring buffer - Add NetworkHealthMonitor with disconnect velocity tracking and topology analysis
- Add X-Flux-Reconnect header for asymmetric disconnect recovery
- New API endpoints: /flux/peers, /flux/unstablenodes, /flux/topology
- Fix reconnect queue counter accumulation, relay pattern, and connection race conditions
Enterprise CPU Burst
- Enterprise apps (owned by enterpriseAppOwners) get Linux CFS burst capability instead of CPU
throttling - Supports cgroups v2 with kernel >= 5.14; burst capped per container to (host vCPUs -
reservedCores)
Monitoring & Observability
- New /flux/clockdrift endpoint exposing per-node NTP clock drift via chrony/timesyncd
- Server-side analytics middleware for event tracking with buffer/flush, backoff, 429 handling, and
component-level terminal session tracking
Security
- Verify sender pubkey matches target node in P2P broadcast messages
- Add authentication to syncthing events endpoints
- Validate IP against confirmed fluxnode list before availability check
- Add rate limiting, IP validation, size limits, and buffer length validation in peer codec
- Use Number.isFinite for syncthing random string length validation
Bug Fixes
- Use local daemon RPC for sync check in streamChainPreparation (avoids 5s timeout per peer when
explorer is unreachable) - Fix usersToExtend signature check failure during resync for expired apps
- Fix null crash in trySpawningGlobalApplication for syncthing-queued apps
- Fix duplicate analytics init from HTTP+HTTPS server instances
Dependency Changes
- Replace zeltrezjs with local fluxCryptoUtils and direct dependencies
- Bump axios and fast-xml-parser to resolve 6 security vulnerabilities
- Inline splitargs and remove dependency
- Remove unused store and path dependencies
Tests
- Comprehensive test coverage for new peer classes, codec, network health monitor, and CPU burst
helper - Fix hanging test suite and 9 pre-existing test failures
- Skip mongo-dependent and linux-only tests when unavailable