sniproxy 0.9.13 (2025-11-25)
===============================

* Packaging/CI: Release workflow now discovers Rocky Linux releases via mirrors
  and Docker tags, builds both latest and previous Rocky majors with consistent
  jobs, falls back to microdnf when dnf is missing, and the openSUSE autoconf
  download uses a mirrored source when ftp.gnu.org is unavailable.
* Testing: Buffer tests create/destroy a dedicated libev loop to stop leaks,
  Valgrind workflow runs from the tests directory and surfaces failures, and
  the buffer leak regression is fixed.
* Bug fixes: Resolved a use-after-free when config files have incorrect
  permissions.

sniproxy 0.9.12 (2025-11-24)
===============================

* Packaging: rpmbuild now preserves distribution `%{optflags}` while appending
  the libev include path, drops the unused perl dependency, ships the missing
  `hostname_sanitize.h` in release tarballs, and the release-packages workflow
  can be triggered manually to build RPM/DEB artifacts on demand.
* Installation: Remove the `sniproxy` wrapper so only the real daemon is
  installed under sbin, avoiding duplicate or stale binaries on PATH.
* Tests: Added a resolver response fuzz harness with fuzz-only resolver helpers,
  expanded the libev stub to cover timers/signals/loop lifecycle, and fixed a
  resolver fuzz leak to keep fuzz runs stable.

sniproxy 0.9.11 (2025-11-23)
===============================

* Security: HTTP parsing now enforces a configurable `http_max_headers` guard
  (default 100), TLS ClientHello parsing counts extensions before iterating
  through them, and IPC crypto rejects frames via constant-time dummy decrypts
  that use dedicated zero_tag buffers so failure timing and nonce contents stay
  hidden.
* Reliability: All absolute-path directives are canonicalized, the config
  parser wires typed cleanup hooks so repeated resolver/logger/listener ACL
  blocks free their previous allocations, resolver restart paths serialize the
  pending list, and assertions in address/table helpers were replaced with
  runtime guardrails to avoid crashes on malformed input.
* Tooling/Tests: The deprecated `sniproxy-cfg` binary and man page were removed, a
  hardened `scripts/sniproxy.service` unit now ships while the wrapper script
  is gone so the daemon only installs under sbin, GitHub releases build
  Debian/RPM packages, and the fuzzing suite gained address/table/listener
  ACL/ipc harnesses with quieter logging by default.

sniproxy 0.9.10 (2025-11-22)
===============================

* Security: Temporary-file directories now use lstat() checks for /var/run and
  /tmp fallbacks plus the existing O_NOFOLLOW open, closing the last symlink
  attack window before dump generation.
* Robustness: Unix-domain listener/target parsing forcibly null-terminates
  sun_path after strncpy(), and cfg_tokenizer always null-terminates buffers
  even when hitting EOF or buffer limits.
* DNS: Configuration reloads and startup both apply the per-client DNS query
  cap together with the global limit so resolver throttles stay in sync.

sniproxy 0.9.9 (2025-11-21)
==============================

* Security: PROXY header emission now checks buffer capacity, logs the client
  when the header cannot be appended, and aborts routing instead of silently
  continuing; sockaddr parsing validates sa_len bounds, copy_sockaddr_to_storage
  clamps copies to the destination size, and backend match caching rejects
  lengths that would overflow allocations.
* Networking: Per-client DNS concurrency limits stack on the existing global cap
  so abusive clients cannot starve other lookups, the defaults rise to 16 per
  client and 512 overall with resolver max_concurrent_queries(_per_client)
  options, and address parsing handles optional trailing ports iteratively with
  centralized apply_port_if_needed logic while enforcing a maximum parser
  recursion depth.
* Crypto: ipc_crypto_seal verifies header/tag overhead, halts once the send
  counter reaches UINT64_MAX, and refuses SIZE_MAX-topping frames; derive_key now
  rejects HKDF labels longer than 1024 bytes before allocating.
* Reliability: Buffer helpers assert read/write offsets never exceed capacity and
  setup_write_iov bails out when a buffer reports a larger length than it
  allocated, preventing corruption before data hits the socket.

sniproxy 0.9.8 (2025-11-20)
==============================

* Security: libpcre2 is now the sole supported regex backend across runtime,
  fuzzers, and packaging; all builds fail fast if the legacy PCRE1 headers or
  libraries are missing.
* Security: HKDF info buffers are wiped before free, oversized labels are
  rejected, DNS resolver cancellation uses an explicit memory fence, and
  temporary connection dumps rely on `mkostemp()` with CLOEXEC/NOFOLLOW.
* Networking: Resolver blocks can now use DNS-over-TLS upstreams via
  `dot://address/hostname` entries, verifying upstream certificates with the
  system trust store.
* Hardening: configuration reloads re-check file permissions, path directives
  require absolute paths, and resolver search domains are treated as literal
  suffixes instead of being parsed as hostnames.
* Tooling/Docs: README, ARCHITECTURE.md, Debian/RPM metadata, and tests now
  describe the libpcre2 dependency and other behavioral refinements for 0.9.8.

sniproxy 0.9.7 (2025-11-19)
==============================

* DNS: resolver blocks now default to `dnssec_validation relaxed`, enabling AD
  bit enforcement whenever upstream supports DNSSEC without requiring manual
  configuration tweaks.
* Security: sniproxy refuses to load configuration files that
  are group/world accessible by validating permissions on the opened descriptor,
  ensuring both initial startup and reloads uphold the guardrail.
* Documentation: README, architecture notes, and man pages were refreshed to
  describe the DNSSEC default, resolver requirements, and stricter configuration
  permission enforcement.
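
The descriptor-based permission check described in the 0.9.7 Security entry, sketched as an added example (not sniproxy's own code). The function names `open_config_checked` and `config_mode_accepted` and the temp-file path are hypothetical; rejecting non-regular files is an assumption beyond what the entry states.

```c
/* Added example: hypothetical names, not taken from the sniproxy source. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a config file and validate it through the descriptor, so the mode
 * that is checked belongs to the file that will actually be read. A stat()
 * on the path before open() could be raced by a rename or symlink swap. */
int open_config_checked(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 ||
        !S_ISREG(st.st_mode) ||                      /* assumption: regular files only */
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {   /* any group/other bit set */
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;   /* caller parses from this descriptor, never re-opens the path */
}

/* Demo helper: create a constructed temp file with the given mode and
 * report whether the check accepts it (1), rejects it (0), or setup failed (-1). */
int config_mode_accepted(mode_t mode)
{
    char path[] = "/tmp/cfgcheck-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    fchmod(tmp, mode);
    close(tmp);
    int fd = open_config_checked(path);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return fd >= 0;
}

int main(void)
{
    printf("0600=%d 0640=%d 0604=%d\n", config_mode_accepted(0600),
           config_mode_accepted(0640), config_mode_accepted(0604));
    return 0;
}
```

Running the same function on every reload, not only at startup, is what keeps the guardrail in force after the file's mode changes on disk.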

sniproxy 0.9.6 (2025-11-18)
==============================

* Security: Harden per-IP rate limiting and parser guardrails with FNV-1a hashes,
  collision cutoffs, HTTP header caps, TLS extension limits, and IPC payload clamps
  to block CPU or memory exhaustion attempts.
* DNS: arc4random()-seeded query IDs, leak-resistant handle tracking, and
  mutex-protected restarts prevent counter drift, leaks, or use-after-free in
  resolver lifecycle transitions.
* Reliability: shrink candidate queues now cap at 4096 entries with active
  trimming, buffer growth failures close connections explicitly, and log
  duration math clamps wraparound to 0.0.
* Hardening: secure memory wiping, PID file sanity checks, and buffer pool magic
  numbers detect corruption and ensure sensitive state never lingers in RAM.

sniproxy 0.9.5 (2025-11-15)
==============================

* Performance: cached ev_now() readings and idle hysteresis reduce needless wakeups and buffer thrash.
* Reliability: resolver crash logging avoids noisy write/writev warnings on Linux builds.
* CI: fuzz workflow auto-selects a libFuzzer-capable clang and surfaces compiler diagnostics.

sniproxy 0.9.4 (2025-11-14)
==============================

* Resource: connection_buffer_limit/client_buffer_limit/server_buffer_limit cap per-connection buffering.
* Security: configs with group/world permissions now abort startup instead of warning.
* IPC: helper children close all inherited descriptors other than their IPC socket.

sniproxy 0.9.3 (2025-11-12)
==============================

* Security: privilege dropping now verifies real/effective UID and aborts if root.
* Security: sniproxy warns when config files are readable or executable by group/others.
* IPC: binder/logger/resolver channels now encrypt control traffic and tighten validation/error reporting.
* Performance: idle connection buffers shrink proactively once a soft memory budget is exceeded.
* Resource: new connection_buffer_limit/client_buffer_limit/server_buffer_limit directives cap per-connection buffering.

sniproxy 0.9.2 (2025-11-10)
==============================

* Reliability: resolver restarts keep pending DNS queries and
  automatically retry after the child process respawns.
* Reliability: binder helper respawns on IPC failures and uses
  length-prefixed framing to handle partial reads safely.
* Networking: outbound connects retry transient EADDRNOTAVAIL
  errors to smooth bursts of transparent proxy traffic.
