Changes
New Features
- feat: add si/ icon dark mode invert and use strings.HasSuffix for extension detection
- feat: add icons config section and CLI download command
- feat: embed chrome glyphs and add icon serving handler with on-demand runtime download
- feat: add icon downloader with on-demand fetching, caching, and extraction
- feat: merge healthcheck into server binary as subcommand
- feat(config): add CleanupTLS flag for independent TLS cert cleanup
- feat(config): add allowContainerFunnel and allowTlsValidateDisable security gates
- feat(metrics): add ProxyUp/connection/cert-expiry gauges, Grafana dashboard, and lifecycle fixes
- feat: webhook template functions, templateContentType, and docs (#483)
- feat: Go template support for custom webhook payloads (#480)
Security Updates
Bug Fixes
- fix: fix test file permissions from 0o644 to 0o600 for gosec G306
- fix(proxymanager): move UDP backend dial outside client map lock
- fix(proxymanager): optimize rate limiter LRU eviction to O(1)
- fix(proxymanager): improve domain error handling and cert monitoring
- fix(proxymanager): prevent lock corruption with token-based unlock API
- fix(proxymanager): harden port lifecycle with start lock, TCP timeout, and error logging
- fix(server): start HTTP listener before proxy setup
- fix(proxymanager): fix cert tracker race and DNS rollback context
- fix(proxymanager): harden port start with shared guard, add connection limits
- fix(proxymanager): consolidate teardown into removeAndTeardown primitive
- fix(proxymanager): log instead of panic on keyedLocks double-unlock
- fix(proxymanager): re-pause proxy when Resume fails all listeners
- fix(proxymanager): harden TCP/HTTP port forwarding
- fix(proxymanager): close rate-limit bypass for unresolvable peer IPs
- fix(docker): allow explicit port labels to bypass bridge-mode guard
- fix(tailscale): silence 'use of closed network connection' warn on shutdown
Dependency Updates
Documentation
- docs: update AGENTS.md for icon architecture and downloader
- docs: document icon-on-demand system with custom icons, server config, and airgapped deployment
- docs: rewrite llms.txt and llms-full.txt for deployment/configuration focus
- docs: group e2e test files by theme in AGENTS.md
- docs: fix stale claims in dashboard, config, and dnsproviders AGENTS.md
- docs: update tailscale AGENTS.md with eventloop, ACL, and exposure docs
- docs: rewrite proxymanager AGENTS.md for RF-2 concurrency redesign
- docs: add AGENTS.md for internal/ui and web directories
- docs: add goleak and bug-test conventions to root AGENTS.md
- docs: add CleanupTLS to v3 user docs
- docs: correct TLS cleanup gating in tlsproviders AGENTS.md
- docs: add allowContainerFunnel and allowTlsValidateDisable to v3 docs
- docs(v3): expand ACL Auto-Provisioning with examples, errors, and rollback
- docs: add Bug-fix TDD protocol to AGENTS.md
- docs(v3): add rate limiting and shutdownDrainSeconds to changelog
Other Changes
- web: update htmx, daisyui
- refactor(tlsproviders): rename TLSLifecycleManager to LifecycleManager
- refactor(proxymanager): split port.go into per-protocol files
- refactor(model): use SecretString for ResolvedAuthKey
- style: enable additional linters