chore(main): release 0.1.0

[github-actions]

🤖 I have created a release beep boop

0.1.0 (2026-05-23)

Features

• Add ACME certificate automation module (fb074af)
• Add alt-svc header to 103 Early Hints + update docs (3fca87e)
• add canary / percentage traffic splitting (da8cd88)
• add canary routing and traffic shadowing to HTTP/3/QUIC listener (17d30e4)
• Add client/server error type filtering to /metrics/errors endpoint (12718d9)
• Add comprehensive ClientHello/SNI parser unit tests (7bcc046)
• Add comprehensive Prometheus metrics registry (640c9dc)
• Add configurable 0-RTT setting with secure default (b98fc39)
• Add enterprise load balancer with 6 algorithms and session affinity (c490589)
• Add HTTP/3 Performance & Monitoring headers (f8c9a86)
• Add HTTP/3 performance headers to QUIC listener (43d67bf)
• add native QUIC speed test handler via WebTransport /speedtest path (468c263)
• add native WebTransport telemetry wall handler at /telemetry (18f98c7)
• Add nginx-compatible access logging for HTTP/3 and HTTP/1.1 (9d74280)
• Add OCSP stapling automation service (b352e2c)
• add OpenTelemetry distributed tracing (7d6b38c)
• Add per-error detail tracking to proxy metrics (63d8658)
• Add PQC-TLS, compression, security, and HTTP/3 features (f011cbf)
• Add proper WebTransport support using wtransport crate (c817ce5)
• Add server header branding to all HTTP/3 responses (6a07a4d)
• add setup_fingerprint_db.sh to download Salesforce JA3 database (a606bd6)
• Add standalone HTTP listener for Alt-Svc advertisement (65c0c7f)
• add tcp_only_hosts config — send Alt-Svc: clear to prevent QUIC upgrades (d2624d1)
• add webtransport_cert_path/key_path config for explicit cert override (fdc5c44)
• add weekly JA3 fingerprint database refresh cron (040515f)
• Complete security integration - JA3/JA4 fingerprinting, circuit breaker, TLS capture (f330a97)
• Config-driven TLS version + remove nginx replacement claims (29a6628)
• cors: multi-origin reflection for pqpdf.com (b323ad0)
• distributed rate limiting with Redis backend on all paths (f3a0691)
• Enable ACME certificate automation with SAN support (b22d5a1)
• Enable dedicated WebTransport server with proper protocol support (342fbc5)
• Enable OCSP stapling and ACME certificate automation services (32f4b30)
• Enable X25519MLKEM768 hybrid PQC key exchange via rustls-post-quantum (4540813)
• Full nginx replacement with TLS terminate, re-encrypt, and passthrough modes (4b99eb0)
• handle SIGHUP to reopen log files for log rotation (622f464)
• HMAC nonce replay prevention, path+query signing, zero-trust admin constraint (e2e0aab)
• HTTP/1.1-only ALPN per SNI — prevent browser HTTP/2 connection coalescing (1596b0a)
• implement 30 security and operational features (87c4f26)
• implement allow_http11 enforcement for per-route HTTP/1.1 control (fd0ebd0)
• Implement full RFC 8555 ACME protocol for certificate automation (547a90a)
• Implement HTTP/3 103 Early Hints support (28aa5e5)
• Implement OpenSSL TLS accept loop with fingerprinting (d0a4b39)
• Implement proper HTTP/3 support via QuicListener (7fa9fb3)
• Implement PROXY protocol v2 and extend PQC configuration (42a12e8)
• implement RFC 9111 response caching across HTTP/1.1, HTTP/2, HTTP/3, QUIC and WebTransport (e6fe977)
• implement traffic shadowing / mirroring (4dff0e9)
• Initial release of PQCrypta Proxy (b7472f9)
• Integrate TLS fingerprinting and fix silent error handling (8aa1c5f)
• Integrate TLS fingerprinting, composite rate limiting, and HTTP/3 features (d5eb7b3)
• Make all hardcoded values configurable (b8d3124)
• Make security error thresholds configurable (7aa5350)
• multi-location speedtest — remotellm deployment + dynamic IP updater (b2a7eb0)
• normalize_paths config flag — disable path lowercasing per site (ab8d47d)
• per-domain ACME certs with SNI routing and hot-reload (0b514df)
• pqc: Integrate OpenSSL 3.5+ as primary PQC TLS backend (61a00c0)
• pqc: Successfully enable X25519MLKEM768 hybrid PQC TLS (a88cc25)
• rate-limiter: Implement cutting-edge multi-dimensional rate limiting (6324a70)
• split tcp2/api2 endpoints — tcp2 HTTP/1.1 only, api2 QUIC/WebTransport (d2ebb7c)
• streaming multi-probe traceroute with concurrent ICMP/UDP/TCP/QUIC methods (c97490c)
• TCP speedtest handler supports any tcp_only_hosts, not just tcp.pqcrypta.com (08881d5)
• TLS/QUIC improvements, config updates, HTTP listener and ACME enhancements (de6b95f)
• v0.2.2 — CIDR blocklists, proactive health checks, QUIC shared state, session TTL, configurable ports (be6ffb4)
• waf: add scanner/reconnaissance probe path blocking (dab6ee7)
• WebSocket upgrade passthrough (802c35f)
• Wire up fully implemented features (fd5c9b5)
• zero-trust primitives — HMAC proof-of-possession, internal mTLS, zero_trust_mode (41ce906)

Bug Fixes

• add 50ms timeout to Early Hints send_response to prevent QUIC flow control deadlock (a422b6b)
• add ALPN select callback to per-domain SslContext — fixes HTTP 426 (fe37e05)
• Add Alt-Svc header to all error responses for HTTP/3 discovery (ee297c6)
• Add Alt-Svc header to HTTP/3 responses from config (ccb5482)
• add Alt-Svc: clear to QUIC 404 responses and TCP upload logging (7792340)
• add CDLA-Permissive-2.0 to license allow list for webpki-root-certs (3e116b4)
• add CORS headers to 429 rate-limit responses on all paths (4dbb827)
• add excluded_hosts to response cache; fix HTTP/2 host extraction from URI authority (54b5a8d)
• add idle timeout and max duration to speedtest and telemetry sessions (ce551b3)
• Add permissions for Security Audit check run creation (3b39f38)
• Add platform-specific cfg for Unix socket code (2c74b1d)
• Add server header to 103 Early Hints response (e4c589d)
• add tcp-upload-stream route to run_http_listener (basic Rustls path) (3af7ca6)
• Add timeouts and size limits to WebTransport handlers (4a27099)
• address all 6 security findings from static analysis report (aa25ae5)
• address all 8 findings from February 2026 security review (705a981)
• address all 9 findings from security review (SEC-A01 through SEC-A09) (28ed13f)
• Address security vulnerabilities and Docker build issues (fdb8db9)
• allow pqcrypta.com origin for WebTransport sessions (SR-02) (66a6cec)
• apply rustfmt formatting to SR-04 and SR-06 changes (1c12938)
• cargo-deny CI — remove invalid version input, allow OpenSSL license, skip redox_syscall duplicate (b3863ec)
• CI compliance - clippy lints, formatting, and test fixes (e948f54)
• ci: Skip pqc-signatures feature on macOS tests (2540853)
• Clean up warnings and add handle_session method (c17226e)
• clippy cast_possible_wrap, or_fun_call, explicit_clone; rustfmt; doc blank line (7473b5e)
• Copy vendor directory in Docker build for path dependencies (10f9e35)
• Correct ALPN protocol parsing with length-prefixed format (1d385da)
• deps: upgrade quinn-proto 0.11.13 -> 0.11.14 (RUSTSEC-2026-0037) (8ef5dec)
• ExcessiveLoad on QUIC + host port-stripping in proxy_handler (4f06046)
• Fine-grained histogram buckets with linear interpolation for accurate proxy latency percentiles (3a922d8)
• Forward original request headers in HTTP/3 to HTTP/1.1 proxy (1f7f903)
• Forward query strings in HTTP/3 QUIC proxy requests (ec99854)
• Forward Set-Cookie headers in QUIC listener for auth (ab0b1b6)
• Handle CORS preflight requests in QuicListener (74f30de)
• Health check traffic invisible to all proxy metrics (a8b6aa5)
• ignore RUSTSEC-2025-0134 (rustls-pemfile deprecated, not a vulnerability) (aea48cb)
• improve brute force PASS message for 401-rejecting login endpoints (ef49aab)
• Increase QUIC buffer sizes to prevent ExcessiveLoad errors (307fdff)
• migrate deny.toml to cargo-deny 0.16+ format (remove deprecated keys) (980e584)
• Move hyperlocal to Unix-only dependencies for Windows build (d2035aa)
• Move signal-hook dependencies to Unix-only for Windows build (0a683a2)
• Move tempfile to cross-platform dependencies (7e89939)
• OCSP stapling gracefully handles missing responder URL (2145708)
• preserve backend CSP header — only inject proxy default when backend did not set one (9985109)
• QUIC early hints restricted to GET/HEAD, Grafana cookie Domain rewriting, route header overrides (a37d718)
• reject WebTransport CONNECT when no WT route matches the host/path (dd1383e)
• remove duplicate worker_threads key in remotellm-proxy.toml (474371a)
• Remove PQ Crypta-specific integration references (62f9487)
• Replace cumulative latency histogram with 5-minute sliding window (73dee93)
• Replace implicit clone with explicit clone for clippy (0b1d42b)
• replace unsafe casts with checked conversions to resolve Clippy warnings (b3bce5f)
• resolve all 2 errors and 12 warnings in pentest suite (9bfee0e)
• Resolve all CI Clippy and Rustfmt failures (e03b5df)
• resolve all clippy -D warnings (unwrap_or, casts, clamp, doc length) (df94076)
• resolve all clippy -D warnings errors (82840b4)
• resolve all clippy warnings in quic_listener.rs and cache.rs (6ec7558)
• resolve all vulnerabilities from 2026-02-22 security audit (4ecff0e)
• resolve cargo-deny CI failures (1b48e7b)
• Resolve CI clippy and dead code warnings (9f1650c)
• Resolve CI failures - clippy warnings and dead code (84f6282)
• Resolve CI failures - clippy, rustfmt, and test issues (e5bc0db)
• Resolve CI failures — clippy warnings, test assertion for composite error keys (aa9f399)
• Resolve CI failures across all platforms (e154e0d)
• resolve clippy and rustfmt CI failures (f490bc1)
• Resolve clippy and rustfmt CI failures (d98fda7)
• Resolve Clippy errors (too_many_arguments, return_self_not_must_use) (7e66c24)
• resolve clippy errors in rate_limiter (raw strings, u128 cast) (d40264a)
• resolve clippy too-many-arguments and while-let-loop warnings (75009ea)
• Resolve clippy warnings and fix tests for ACME implementation (7062399)
• resolve Rust 1.95 clippy lints; pin cargo-deny to 0.19.7 (2455de4)
• Resolve rustfmt formatting violations (8e83ac8)
• rustfmt + clippy too_many_arguments on handle_h3_request (19942f0)
• rustfmt and clippy compliance (2146784)
• rustfmt compliance in proxy.rs (8655435)
• rustfmt violations and time crate security advisory (CVE-2026-25727) (ef8c888)
• SEC-007 evict stale admin auth entries; add Semgrep suppression for NoVerifier (9555a07)
• SEC-008 QUIC/H3 security middleware bypass + SEC-009 nosemgrep placement (d87d39e)
• Security hardening release v0.2.0 (6b2452c)
• server download timeout now matches client test duration via max_secs (dea4d36)
• set HTTP/2 flow control windows to 16 MB/64 MB to match QUIC throughput (9d6ed8d)
• share SNI cert resolver with HTTP listener for ACME hot-reload (f5c6774)
• skip SSRF patterns on X-Forwarded-For header to prevent false positives (52663c1)
• Store last_status and last_seen per endpoint error entry (cdff143)
• stream SSE responses through proxy without buffering (bb28fc0)
• strip hop-by-hop headers from backend responses to prevent ERR_QUIC_PROTOCOL_ERROR (1668773)
• strip hop-by-hop headers; buffer body before releasing backend connection (ab5e604)
• strip port from Host header in proxy_handler before all host comparisons (f3e8281)
• Support multiple Set-Cookie headers in QUIC proxy (6dab0d8)
• suppress Alt-Svc on TCP speedtest endpoints to allow real TCP testing (76ec83d)
• TCP upload streaming — exempt /speedtest/tcp-upload-stream from body size limit (cdae633)
• unchecked_time_subtraction clippy lint + upgrade aws-lc-sys/aws-lc-fips-sys for RUSTSEC-2026-0042..0049 (cac0ff8)
• Update blocklists, QUIC listener, sync status (4acd64c)
• Update blocklists, security rules, and sync status (626213d)
• update bytes 1.11.0 → 1.11.1 to patch CVE-2026-25541 (integer overflow) (dc18a52)
• update deny.toml unmaintained field for cargo-deny v2 compatibility (1f683d5)
• Update dependencies for h3 0.0.8 compatibility (e9ae125)
• Update Priority header to match RFC 9218 standard format (ebd24e2)
• Update proxy config, blocklists, and connection handling (a25d131)
• Update server header to match Cargo.toml version v0.2.0 (1e47101)
• upgrade rustls-webpki for RUSTSEC-2026-0049; add itertools skip in deny.toml (ae96b08)
• Use set_certificate_chain_file for proper intermediate cert (285e776)
• use toml code block in doc comment to avoid doc_link_with_quotes clippy warning (7472b9f)
• WebTransport CONNECT rejection must verify route.webtransport=true (e2fdb2b)
• WebTransport server cert mismatch — use api-domain cert for port 4433 (3d386a7)

Performance Improvements

• reduce pentest timing oracle samples 50→20, tune resilience timeouts (80792ed)

Reverts

• restore pentest timing oracle to 50 samples, resilience to original timeouts (e6f1870)

---

This PR was generated with Release Please. See documentation.