Changelog

Every improvement, automatically tracked from our commit history.

February 28, 2026
patch Server

Copy native Rust FFI library to Server output directory

patch Server

Fix build warnings in HeadlessSetupWizard and HeadlessPluginRegistry

patch Server

Add --setup-network sectional re-configuration

Details

Completes the sectional setup flags:

  • --setup-network: re-configure bind address and port independently
  • --setup-tls: already implemented in TLS commit
  • --setup-policy: already implemented in policy commit

All three flags modify the existing headless-config.json without touching password, workspace, or recovery settings.

patch Server

Add enterprise policy: TOML config, enforcement, and audit logging

Details

Enterprise policy system for headless server deployments:

  • EnterprisePolicy: TOML-based config with optional ECDSA P-256 signature verification to prevent tampering. Supports [plugins], [network], [api], and [audit] sections with an [authority] signing block.

  • PolicyEnforcer: Three enforcement points:

    1. Plugin allowlist/blocklist — restricts which plugins can load via WorkspacePluginConfig's existing whitelist mechanism
    2. Network CIDR filtering — ASP.NET Core middleware that blocks requests from IPs outside allowed CIDR ranges
    3. TLS requirement — blocks server startup if policy requires TLS but it's not configured

  • AuditLogger: JSON Lines file writer at admin-controlled path. Logs API requests (method, path, status, IP, duration) with configurable level filtering (all/write/auth). Records policy and auth events.

  • HeadlessHost: Loads policy before plugin discovery, applies plugin restrictions, injects network + audit middleware, validates TLS requirement. --setup-policy flag allows interactive policy configuration.

patch Server, Services

Add TLS support: manual certificates and Let's Encrypt

Details

LocalApiServer now supports HTTPS via two modes:

1. Manual certificate — load PFX/P12 or PEM+key files directly. Configured via HeadlessConfig.Tls with mode=Manual.

2. Let's Encrypt (ACME) — automatic free certificate provisioning via LettuceEncrypt. Requires a public domain and port 80 for HTTP-01 challenges. Certificates are persisted to disk and auto-renewed.

Architecture: TlsOptions model lives in PrivStack.Services (shared). LettuceEncrypt NuGet (1.3.3) is only in PrivStack.Server — the Desktop never activates it. LocalApiServer exposes OnConfigureServices, OnConfigureKestrel, and OnConfigureApp hooks so the Server project can inject LettuceEncrypt without adding the dependency to Services.

Setup wizard now offers both TLS modes interactively. The --setup-tls flag allows re-configuring TLS independently of the full setup wizard.
