TSDProxy v3.0.0-beta.2

Changes

New Features

• feat: auto-provision ACL tags and Funnel, fix broken-service dashboard hang and lint issues

Security Updates

Bug Fixes

• fix(tailscale): release mtx during exposure.Start to prevent dashboard deadlock
• fix(tailscale): re-advertise service listener after auto-approval
• fix(ci): use find instead of glob for chmod (paths are nested 2-3 levels)
• fix(docker): set executable permissions on binaries in CI images
• fix(ci): use slash-free artifact names for dev build matrix
• fix(docker): copy internal/ to frontend stage so Tailwind can scan .templ files
• fix(web): sync package.json versions with bun.lock
• fix(web): update bun.lock for frozen-lockfile CI builds
• fix(ci): pin cosign-installer to v4.1.2 (no major tag exists)
• fix(ci): correct Docker binary path mapping for armv6/armv7

Dependency Updates

Documentation

• docs(v3): fix image tag from :2 to :dev in v3 documentation

Other Changes

• ci: bump actions/cache to v5 (Node 24)
• ci: optimize release workflows with shared module cache, pre-built templ, and Docker GHA cache
• ci: use pre-built templ binary in PR workflow
• ci: eliminate redundant frontend+templ builds across matrix jobs
• ci: parallelize binary builds via matrix strategy (8 platforms → ~2 min wall time)
• ci: replace GoReleaser with plain GitHub Actions

tsdproxy-v3.0.0-beta.1

Changelog

New Features

• 57bb1e7: feat(docker): add rate limiting label parsing for containers (@almeidapaulopt)
• 98cc7c0: feat(list): add rate limiting config to list provider (@almeidapaulopt)
• 00fa7c2: feat(model): add configurable rate limiting defaults and config fields (@almeidapaulopt)
• f60ea8d: feat(server): add shutdownDrainSeconds for load balancer convergence (@almeidapaulopt)
• 8c3e380: feat(tlsproviders): add Closer interface for ACME certmagic cache lifecycle (@almeidapaulopt)

Bug fixes

• 26b2bc2: fix(cmd): use interface type for TracerProvider to avoid nil panic (@almeidapaulopt)
• f19590c: fix(config): add Close() to configfile watcher and add bounds validation (@almeidapaulopt)
• beb4e51: fix(docker): add NetworkList timeout and nil-guard GetFirstTarget (@almeidapaulopt)
• 72d21ad: fix(list): add mutex protection for ctx, eventsChan, errChan in WatchEvents (@almeidapaulopt)
• fb6cd70: fix(metrics): use checked Gatherer assertion with safe fallback (@almeidapaulopt)
• 053d9ad: fix(model): validate proxy protocol, redirect URLs, and return nil from GetFirstTarget (@almeidapaulopt)
• 3d54d50: fix(proxymanager): add acceptWg to tcpPort for proper connection drain on shutdown (@almeidapaulopt)
• a0e0997: fix(proxymanager): add keyedLocks primitive and parent proxy context under pm.ctx (@almeidapaulopt)
• 7d13dcc: fix(proxymanager): fix concurrency bugs and integrate configurable rate limiting (@almeidapaulopt)
• f041f40: fix(proxymanager): guard TCP handleConn against double-close with sync.Once (@almeidapaulopt)
• 5a44384: fix(proxymanager): guard UDP port close-while-starting race and fix provider proxy leak on register failure (@almeidapaulopt)
• db732a3: fix(proxymanager): retry transient TCP errors, deterministic rate limiter eviction, UDP double-close guard (@almeidapaulopt)
• e533b03: fix(proxymanager): serialize eventStop with hostname lock and make reconnectBackoff context-aware (@almeidapaulopt)
• 1c69693: fix(proxymanager): use DNSProviderMagicDNS constant, drop t.Parallel from providers tests (@almeidapaulopt)
• 394e95f: fix(tailscale): guard nil onEvent in StatusWatcher to prevent panic (@almeidapaulopt)
• 308d045: fix(tailscale): improve exposure logging, accept logger, add dropped connection counter (@almeidapaulopt)
• fe1b302: fix(test): replace nil context in eventloop tests to satisfy staticcheck (@almeidapaulopt)
• cbd5d93: fix(webhook): handle json.Marshal errors with fallback JSON (@almeidapaulopt)
• 9950202: fix: harden TLS validation, identity trust, and proxy lifecycle (@almeidapaulopt)
• be214be: fix: log errors in cleanup paths and return silenced errors (@almeidapaulopt)
• f75f379: fix: resolve errcheck warnings in test files (@almeidapaulopt)
• dfcb6e7: fix: resolve remaining mnd and nolint warnings (@almeidapaulopt)
• 395388d: fix: return errors from generateproviders instead of printing to stderr (@almeidapaulopt)
• deb180d: fix: specify linter in bare nolint directives and replace context.TODO (@almeidapaulopt)
• 8559058: fix: verify Tailscale API client initialization instead of discarding return (@almeidapaulopt)

Documentation updates

• bc18a78: docs(agents): update nolint and magic number conventions (@almeidapaulopt)
• 3193153: docs(config): update AGENTS.md for injected static snapshot model (@almeidapaulopt)
• 21b241d: docs: trim anti-patterns section to actionable warnings only (@almeidapaulopt)
• 51f3254: docs: update AGENTS.md files for Phase 4 lifecycle changes (@almeidapaulopt)
• 3ac79ae: docs: update AGENTS.md files to reflect completed anti-pattern work (@almeidapaulopt)
• 48afc8b: docs: update anti-patterns section in AGENTS.md (@almeidapaulopt)

Build process updates

• b879bf0: build(deps): bump codeberg.org/miekg/dns from 0.6.80 to 0.6.81 (#475) (@dependabot[bot])
• 8acaec9: build(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 (#476) (@dependabot[bot])
• 8391ad8: build: fix Makefile ldflags and remove inert prod build tag (@almeidapaulopt)

Other work

• 406ae3e: fix(api,dashboard): use GetFirstTargetString to nil-guard target URLs (@almeidapaulopt)
• 2dd4203: lint: extract string constants for goconst compliance (@almeidapaulopt)
• f7c78a7: refactor(config): inject zerolog.Logger into InitializeConfig (@almeidapaulopt)
• 53cf7d8: refactor(config): remove Provider interface and Data.Clone() (@almeidapaulopt)
• 8cdb0ca: refactor(config): replace global singleton with dependency injection (@almeidapaulopt)
• efc14a3: refactor(core): extract ProxyAuth struct from package-level mutable state (@almeidapaulopt)
• e87cabb: refactor(core): extract VersionInfo struct from sync.Once singleton (@almeidapaulopt)
• 01b12e6: refactor(core): inject logger into admin middleware (@almeidapaulopt)
• 59c9b6b: refactor(core): introduce httpclient.Doer interface for HTTP dependency injection (@almeidapaulopt)
• 585e0c1: refactor(core): remove dead trace.Span parameter from ErrorResponse (@almeidapaulopt)
• abae3c3: refactor(core): separate webhook Sender Start() from constructor (@almeidapaulopt)
• b809e6c: refactor(dashboard): separate Dashboard Start() from constructor (@almeidapaulopt)
• 946f4f5: refactor(docker): extract APIClient interface from Docker SDK (@almeidapaulopt)
• 4040f70: refactor(docker): update test helpers for injected Assets (@almeidapaulopt)
• 3f01613: refactor(metrics): inject prometheus.Registerer into Metrics (@almeidapaulopt)
• c1a8d06: refactor(proxymanager): document lock hierarchy, add urlReady signal, protect SetDNSAndTLSProviders (@almeidapaulopt)
• b33aa6c: refactor(proxymanager): extract port orchestration and TLS methods from proxy.go (@almeidapaulopt)
• fa07eb6: refactor(proxymanager): inject TracerProvider for explicit OTEL wiring (@almeidapaulopt)
• d32e567: refactor(proxymanager): introduce ProxyParams struct for NewProxy (@almeidapaulopt)
• 1bad3d3: refactor(proxymanager): replace newPortProxy positional params with struct (@almeidapaulopt)
• a4cc96b: refactor(proxymanager): replace sync.Map mutexes with keyedLocks and add targetIndex (@almeidapaulopt)
• b755b59: refactor(proxymanager): split proxymanager.go into focused files (@almeidapaulopt)
• 229885d: refactor(tailscale): extract TSNetServer interface from tsnet.Server (@almeidapaulopt)
• d06ed5f: refactor(tailscale): separate provider Start() from constructor (@almeidapaulopt)
• 1f7044d: refactor(web): inject Assets into Docker target provider (@almeidapaulopt)
• 2c47385: refactor(web): remove dead GuessIcon shim and add nil-guard (@almeidapaulopt)
• dcc6713: refactor(web): replace init() with explicit Assets constructor (@almeidapaulopt)
• a3ae4fc: refactor: extract named constants (@almeidapaulopt)
• d474282: refactor: resolve goconst warnings with shared constants (@almeidapaulopt)
• 707ec67: refactor: thread ProxyAuth token through proxymanager constructors (@almeidapaulopt)
• 11645b7: style(proxymanager): reorder Proxy and ProxyParams struct fields (@almeidapaulopt)
• 3bd518e: style(server): remove redundant comments from bootstrap (@almeidapaulopt)
• e6bcffa: style: fix whitespace and formatting issues (@almeidapaulopt)
• 65703d4: test(api): extend REST API tests with webhook and proxy action coverage (@almeidapaulopt)
• b293e48: test(config): add validation and secrets loading tests (@almeidapaulopt)
• 972f4e3: test(config): strengthen assertions in generateproviders and secrets tests (@almeidapaulopt)
• e5cd856: test(core): add sessions, csrf, version, healthcheck, and concurrent...

tsdproxy-v3.0.0-alpha.3

Changelog

New Features

• 8f1fd72: feat(config): add case-insensitive YAML key normalizer with fuzzy suggestions (@almeidapaulopt)
• c00a0ce: feat(config): add provider-level validation guardrails (@almeidapaulopt)
• 4922499: feat(docker): integrate SSH tunnel into Docker target provider (@almeidapaulopt)
• dbaff21: feat(lifecycle): add internal/lifecycle package with Status and StateTracker (@almeidapaulopt)
• 8fb3f86: feat(model): add mode-aware proxy config validation (@almeidapaulopt)
• f5bf9ad: feat(sshtunnel): add SSH tunnel package for remote Docker daemon access (@almeidapaulopt)
• 36ed6d4: feat: add X-Real-IP header forwarding with anti-spoofing (@almeidapaulopt)

Bug fixes

• e4ba716: fix(config): preserve AuthKey in ClearSecrets for runtime per-proxy resolution (@almeidapaulopt)
• 963f9d3: fix(dashboard): trust Tailscale CGNAT addresses in IsTrustedSource (@almeidapaulopt)
• 030c3ac: fix(lint): resolve 23 golangci-lint warnings and fix test failures (@almeidapaulopt)
• e7259e4: fix(lint): resolve cyclop and mnd warnings in keynormalizer (@almeidapaulopt)
• e355621: fix(lint): resolve goconst and gosec warnings in config tests (@almeidapaulopt)
• 00b664c: fix(proxymanager): handle localhost hostname in isManagementTarget (@almeidapaulopt)
• 084668c: fix(proxymanager): route TCP ports through RawTCPListener interface (@almeidapaulopt)
• ed287fd: fix(proxymanager): show proxies in dashboard during Tailscale auth (@almeidapaulopt)
• de20510: fix(security): reject null bytes and absolute paths in validateDatadir (@almeidapaulopt)
• d4658b0: fix(security): skip online devices in VIP service conflict resolution (@almeidapaulopt)
• 434819b: fix(security): stop leaking auth token to proxied backends (@almeidapaulopt)
• e8200b7: fix(security): strip spoofed X-Forwarded-For in reverse proxy (GHSA-pqg7-v6wh-3pfp) (@almeidapaulopt)
• 2bb6334: fix(tailscale): deduplicate concurrent TLS cert IPC with singleflight (@almeidapaulopt)
• 3caebe5: fix(tailscale): defend cert helpers against typed-nil interface panics (@almeidapaulopt)
• 3f93a53: fix(tailscale): defend whoisFromAddr against typed-nil interface panics (@almeidapaulopt)
• 15456ae: fix(tailscale): defer release reply until VIP service cleanup completes (@almeidapaulopt)
• 1ecb6de: fix(tailscale): force-clean online devices when local state is missing (@almeidapaulopt)
• 85ed9c7: fix(tailscale): serialize ListenService calls to prevent etag mismatch race (@almeidapaulopt)
• 4511205: fix(tailscale): trigger lazy init before accessing client.BaseURL in service device approval (@almeidapaulopt)
• e126e8c: fix(targetproviders): add ErrTargetNotFound sentinel (@almeidapaulopt)

Documentation updates

• 0c562e8: docs(agents): add config and tlsproviders AGENTS.md, update root structure (@almeidapaulopt)
• 2fcdb82: docs: add SSH tunnel configuration to v3 docs (@almeidapaulopt)
• 2e6fdcc: docs: add v2.3.1 and v2.3.2 changelog entries (@almeidapaulopt)

Build process updates

• 9c37be4: build(deps): bump codeberg.org/miekg/dns from 0.6.79 to 0.6.80 (#471) (@dependabot[bot])
• b5e8597: build(deps): bump tailscale.com from 1.98.5 to 1.100.0 (#469) (@dependabot[bot])

Other work

• d9e078b: fix(targetproviders/docker): remove stale ctx, signal disconnect, normalize hostname (@almeidapaulopt)
• 2218664: fix(targetproviders/docker): sort legacy ports numerically (@almeidapaulopt)
• 402dd66: fix(targetproviders/list): fix missing return, data race, and event dropping (@almeidapaulopt)
• 4552e25: refactor(config): add debounce to config file watcher (@almeidapaulopt)
• 26422da: refactor(config): wire keynormalizer into File.Load (@almeidapaulopt)
• d87beec: refactor(core): move FormatDuration to core/format.go (@almeidapaulopt)
• ef0ab8e: refactor(dashboard): improve SSE stream with resync and client prefs (@almeidapaulopt)
• 33f46a6: refactor(dns,tls): consolidate status types to lifecycle.Status (@almeidapaulopt)
• 6724147: refactor(docker): propagate context in target provider (@almeidapaulopt)
• 04adf37: refactor(tailscale): add isNilInterface helper for typed-nil defense (@almeidapaulopt)
• 277dd3d: refactor(tailscale): improve shared server state machine and idle handling (@almeidapaulopt)
• 6aeec75: refactor(tailscale): reduce cyclomatic complexity to satisfy cyclop linter (@almeidapaulopt)
• 80c7348: refactor(tailscale): reorder SharedSNIExposure struct fields (@almeidapaulopt)
• 01b4b59: refactor(tailscale): use consts.HeaderXForwardedFor in services_server (@almeidapaulopt)
• d4c57c9: refactor(tls): enhance Tailscale TLS provider with DataDir and MaxCertConcurrency (@almeidapaulopt)
• 9be34b9: refactor(webhook): simplify Sender close state to mutex-only (@almeidapaulopt)
• 1064d66: refactor: deduplicate identity header strip lists into shared constants (@almeidapaulopt)
• e46059b: style: reorder struct fields, use errors.New for static strings, fix indentation (@almeidapaulopt)
• 8f77d04: test(api): add REST API unit tests (@almeidapaulopt)
• ce811dc: test(config): add unit tests for File load, save, watch lifecycle (@almeidapaulopt)
• 5075a3a: test(config): add unit tests for secrets and provider generation (@almeidapaulopt)
• 4f59842: test(core): add unit tests for HTTP server, logging, health, and format (@almeidapaulopt)
• a0869c4: test(core): add unit tests for SecretString leak prevention (@almeidapaulopt)
• cffd1b4: test(core): harden admin tests with subtest isolation and IP coverage (@almeidapaulopt)
• 4e4bb89: test(core/metrics): add metrics middleware unit tests (@almeidapaulopt)
• 8415ac3: test(dashboard): add dashboard preferences and SSE unit tests (@almeidapaulopt)
• 58945a8: test(docker): add unit tests for label parsing and proxy config helpers (@almeidapaulopt)
• 582e617: test(e2e): add REST API, dashboard actions, and metrics tests (@almeidapaulopt)
• a278aee: test(e2e): add SSE, webhook, health config, and verbose control tests (@almeidapaulopt)
• 54eb5b0: test(e2e): add SSH Docker host e2e test (@almeidapaulopt)
• 1118821: test(e2e): add Tailscale device and VIP service cleanup via OAuth API (@almeidapaulopt)
• 35f49c7: test(e2e): add auth, identity, and access control tests (@almeidapaulopt)
• de364f1: test(e2e): add ephemeral label to httpLabels helper (@almeidapaulopt)
• 53e7471: test(e2e): add port range, UDP, and concurrent stress tests (@almeidapaulopt)
• 76b511e: test(e2e): add services mode and shared Tailscale FQDN tests (@almeidapaulopt)
• c157e5f: test(e2e): prevent env leakage, fix tag mismatch, and harden flaky tests (@almeidapaulopt)
• c97b802: test(lifecycle): add StatusTracker unit tests (@almeidapaulopt)
• a0b6570: test(proxymanager): add comprehensive proxy manager, health, and port unit tests (@almeidapaulopt)
• 061e2de: test(tailscale): add exposure, retry policy, and services server unit tests (@almeidapaulopt)
• 83223ae: test(targetproviders): add Docker and list target provider unit tests (@almeidapaulopt)
• 4dea479: typo (@almeidapaulopt)

tsdproxy-v3.0.0-alpha.2

Changelog

Bug fixes

• 6e577f0: fix(ci): decouple make_latest from DISABLE_PACKAGE_MANAGERS (@almeidapaulopt)
• dd3ed06: fix(dashboard): trust Tailscale CGNAT addresses in IsTrustedSource (@almeidapaulopt)

tsdproxy-v3.0.0-alpha.1

Changelog

New Features

• 543716b: feat(config): add TSDPROXY_TAILSCALE__CLIENTID env var overrides (@almeidapaulopt)
• db5d675: feat(config): add authRetry, reconcileInterval, preventDuplicates tri-state (@almeidapaulopt)
• 587cfa2: feat(config): add autoApproveDevices, fix env var loading order, relax services tags (@almeidapaulopt)
• beace2d: feat(dashboard): add status styles and filter buttons for new statuses (@almeidapaulopt)
• 87009af: feat(dashboard): handle AwaitingApproval status in UI and API (@almeidapaulopt)
• 9cda864: feat(dashboard): handle new proxy statuses in data builder, API, and webhooks (@almeidapaulopt)
• 509863b: feat(dev): add tailscale VIP Services example to dev environment (@almeidapaulopt)
• 3715cf2: feat(model): add AuthFailed, DeviceConflict, Reconciling proxy statuses (@almeidapaulopt)
• 16aadb7: feat(proxymanager): warn on provider change during proxy restart (@almeidapaulopt)
• 4280e6a: feat(tailscale): add TrafficExposure interface and remove stub files (@almeidapaulopt)
• 93960c2: feat(tailscale): add autoRemoveConflicts option for VIP service 409 recovery (@almeidapaulopt)
• 6eca792: feat(tailscale): implement TrafficExposure on all three exposure types (@almeidapaulopt)
• 9fa78b0: feat(tailscale): validate OAuth credentials at startup (@almeidapaulopt)
• 2a580c4: feat: shared tsnet server with custom domain DNS/TLS support (#440) (@almeidapaulopt)

Bug fixes

• 0ef268c: fix(ci): pass LATEST_TAG and DISABLE_PACKAGE_MANAGERS env vars to GoReleaser (@almeidapaulopt)
• 20844c5: fix(ci): pass LATEST_TAG and DISABLE_PACKAGE_MANAGERS env vars to GoReleaser (@almeidapaulopt)
• 5ab42dd: fix(ci): stop setting DISABLE_PACKAGE_MANAGERS=false that broke make_latest (@almeidapaulopt)
• b0dca17: fix(config): preserve ClientSecret in ClearSecrets for runtime OAuth operations (@almeidapaulopt)
• fc3e4d9: fix(config): use server proxyAccessLog setting as default for Docker and List providers (@almeidapaulopt)
• 41e106a: fix(docker): auto-enable adminAllowLocalhost inside containers and improve 403 guidance (@almeidapaulopt)
• 27a5377: fix(lint): resolve errcheck, gosec, shadow, and unused warnings in tailscale (@almeidapaulopt)
• 515c8a6: fix(lint): specify gosec linter in nolint directives (@almeidapaulopt)
• 682850a: fix(proxymanager): set X-Forwarded-Proto correctly for HTTPS ports behind TLS-terminating proxies (@almeidapaulopt)
• a88a6a1: fix(proxymanager): show proxies in dashboard during Tailscale auth (@almeidapaulopt)
• ee97cf6: fix(tailscale): add cert prefetch for VIP services to prevent CT errors (@almeidapaulopt)
• a111a77: fix(tailscale): add nolint directives for apiTimeout multiplier (@almeidapaulopt)
• 8671bfb: fix(tailscale): async VIP acquire, port stripping, ephemeral cleanup, status polling, TLS caching (@almeidapaulopt)
• 09757dd: fix(tailscale): delete offline exact-match devices on restart even with local state (@almeidapaulopt)
• 1575cf0: fix(tailscale): eliminate data races in services server tests (@almeidapaulopt)
• 305f270: fix(tailscale): harden proxy provider against leaks, races, and path traversal (@almeidapaulopt)
• 037d905: fix(tailscale): lifecycle leaks, context timeouts, and quality improvements (@almeidapaulopt)
• b4b27d7: fix(tailscale): plug goroutine, semaphore, and shutdown leaks (@almeidapaulopt)
• 850ca5a: fix(tailscale): recover from panic in OAuth key generation due to nil API response (@almeidapaulopt)
• fa9845d: fix(tailscale): remove recover() workaround for OAuth nil pointer panic (@almeidapaulopt)
• a1780f8: fix(tailscale): use errors.New for static error string (@almeidapaulopt)
• a42c68e: fix(tailscale): validate cert domains before prefetch to avoid 500 errors (@almeidapaulopt)

Documentation updates

• b499a1b: docs(tailscale): update AGENTS.md for unified architecture (@almeidapaulopt)
• 1bb1c6f: docs(v3): document autoRemoveConflicts option for VIP service 409 recovery (@almeidapaulopt)
• e4bd75c: docs(v3): improve getting started OAuth flow and config clarity (@almeidapaulopt)
• 28138f8: docs: add AGENTS.md for docker target provider and dns providers (@almeidapaulopt)
• a0d64dc: docs: add v3 documentation with Services mode, auth retry, and new proxy statuses (@almeidapaulopt)
• 1304d82: docs: improve getting started config clarity and flow (@almeidapaulopt)
• 9c80d1e: docs: update AGENTS.md knowledge base with Services mode and new symbols (@almeidapaulopt)

Build process updates

• b73e952: build(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#453) (@dependabot[bot])
• dcbe9e6: build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc (#450) (@dependabot[bot])
• 1915e2b: build(deps): bump tailscale.com from 1.98.3 to 1.98.4 (#459) (@dependabot[bot])
• a953688: build(deps): bump tailscale.com/client/tailscale/v2 (#464) (@dependabot[bot])
• f6bd190: build(deps): bump tailscale.com/client/tailscale/v2 from 2.9.0 to 2.10.0 (#460) (@dependabot[bot])

Other work

• f947b10: ci: push dev Docker images after snapshot build (@almeidapaulopt)
• e3c99d5: docs(core,dashboard): add AGENTS.md for core infrastructure and dashboard subsystems (@almeidapaulopt)
• 3084be9: refactor(dashboard): extract port entry and health formatting helpers (@almeidapaulopt)
• e67f81a: refactor(dashboard): replace inline filter radio buttons with select dropdowns (@almeidapaulopt)
• 102c3ec: refactor(e2e): rename env vars to TSDPROXY_E2E_* convention (@almeidapaulopt)
• 0047c56: refactor(proxymanager): extract UDP relay helpers to reduce complexity (@almeidapaulopt)
• 102984a: refactor(tailscale): cache TLS certs and deduplicate exposure getters (@almeidapaulopt)
• 73dc680: refactor(tailscale): decompose provider into lifecycle, auth, state, and status modules (@almeidapaulopt)
• f50891e: refactor(tailscale): extract backend state constants in status watcher (@almeidapaulopt)
• 1be43f7: refactor(tailscale): extract event-loop helpers to reduce complexity (@almeidapaulopt)
• c794aa9: refactor(tailscale): extract shared event loop and reconcile stale devices before VIP service creation (@almeidapaulopt)
• 1039810: refactor(tailscale): migrate from deprecated Tailscale v2 client APIs (@almeidapaulopt)
• 5cafe90: refactor(tailscale): reorder context.Context to first parameter (@almeidapaulopt)
• 27af2a6: refactor(tailscale): simplify preventDuplicates from tri-state to boolean (@almeidapaulopt)
• a6cbe36: refactor(tailscale): unified startup retry, reconcile, and device conflict handling (@almeidapaulopt)
• e034b04: refactor: reduce cyclomatic complexity in config validator and target providers (@almeidapaulopt)
• ad82a45: refactor: replace interface{} with any (@almeidapaulopt)
• efedb1d: style: align struct fields in config and exposure types (@almeidapaulopt)
• c73689f: test(tailscale): add tests for AuthFailed, DeviceConflict, Reconciling statuses (@almeidapaulopt)
• d6fd556: test(tailscale): update tests for event loop and lifecycle provider refactor (@almeidapaulopt)

tsdproxy-v2.3.4

Changelog

Bug fixes

• 963f9d3: fix(dashboard): trust Tailscale CGNAT addresses in IsTrustedSource (@almeidapaulopt)

tsdproxy-v2.3.3

Changelog

Bug fixes

• ed287fd: fix(proxymanager): show proxies in dashboard during Tailscale auth (@almeidapaulopt)

tsdproxy-v2.3.2

Changelog

Bug fixes

• 0ef268c: fix(ci): pass LATEST_TAG and DISABLE_PACKAGE_MANAGERS env vars to GoReleaser (@almeidapaulopt)
• fc3e4d9: fix(config): use server proxyAccessLog setting as default for Docker and List providers (@almeidapaulopt)

Documentation updates

• 2e6fdcc: docs: add v2.3.1 and v2.3.2 changelog entries (@almeidapaulopt)

tsdproxy-v2.3.1

Changelog

Bug fixes

• 17683a1: fix(docker): auto-enable adminAllowLocalhost inside containers and improve 403 guidance (@almeidapaulopt)

tsdproxy-v2.3.0

Changelog

New Features

• 21b2b19: feat(health): add health_check_enabled config option (#448) (@almeidapaulopt)

Bug fixes

• d560283: fix(ci): pre-release bug (@almeidapaulopt)
• d8cbc01: fix(ci): use snapshot mode for dev release in GoReleaser v2 (@almeidapaulopt)

Documentation updates

• fc42e6d: docs: add v2.3.0 changelog and healthCheckEnabled documentation (@almeidapaulopt)