tun-el
Docs
Changelog

What's new.

Recent changes to tun-el — stable releases and operational notes.

v0.3.0FeatureSecurity

Security hardening phase 2

  • Persistent auto-revoke. Auto-revoke decisions are now stored in Supabase and seeded at boot — attackers stay blocked across daemon restarts and across every edge node.
  • New POST /_tunel/admin/reset endpoint to recover from a false-positive auto-revoke one user at a time, instead of restarting the whole daemon.
  • MFA backup codes. Ten single-use codes hashed with SHA-256 plus a server pepper, with a recovery flow that wipes factors and forces re-enrollment.
  • TOTP re-auth is now required to disable MFA or regenerate backup codes — not just a password.
  • Public abuse report form at /abuse that captures a snapshot of the offending tunnel for investigation, plus a new abuse policy doc at /docs/security/abuse-policy.
Related: #MAR-95, #MAR-101, #MAR-103, #MAR-107, #MAR-110Read full notes →
v0.2.0Security

Security audit sprint marathon

  • Fourteen tickets shipped in a single sprint, MAR-111MAR-126.
  • Content-Security-Policy now enforced (no more report-only) across the dashboard.
  • Runtime input validation with Zod added to every server action.
  • gosec triage complete: 36 findings reviewed, 0 true positives, all annotated and suppressed with justification.
  • bodyclose audit closed every leaked HTTP response body, and golangci-lint v2 is now wired into CI as a required check.
  • License finalized as AGPL-3.0.
Related: #MAR-111, #MAR-126Read full notes →
v0.1.0Feature

Public launch

  • Marketing landing page and the first public docs at /docs and /pricing.
  • Supabase auth with email + GitHub OAuth, plus an onboarding flow for new accounts.
  • The dashboard ships with a realtime tunnel list, toasts, and a command palette bound to ⌘K.
  • Custom 404 and 500 pages.
Related: #MAR-60, #MAR-78Read full notes →
v0.0.1Feature

MVP shipped

  • Working tunnels end to end via the Go server (tuneld) and Go client (tunel).
  • Inspector dashboard live at dashboard.tu-nl.dev.
  • Token CRUD and automatic TLS via ACME / Let's Encrypt.
Related: #MAR-1, #MAR-12Read full notes →