
Changelog

Release notes for EnforceGate vX.

2026.35.0 (EA) June 21, 2026

  • Cert-pinned destinations are handled by policy — new pin: attribute on .policy rules picks the SslBump peek-step verdict per destination: splice (pass through, hostname-only — for Windows Update, Apple MDM, mobile banking and other clients that break under bump), bump (inspect as normal), or terminate (refuse at the TLS handshake). Pin rules use the same match-domain-list: shape as block / permit rules and live in the same rules.d/ — pin decisions are reloaded, snapshotted, git-tracked, and visible in show policy list alongside every other rule. Replaces the historical static bypass file outside the policy system. See Pinned destinations.
  • [ssl_bump_acl].fail_action controls engine-unreachable behaviour — new connector config knob with splice (default; pinned apps keep working through an engine blip, at the cost of hostname-only visibility while the engine is down), bump (inspection-first), or terminate (fail-closed). See [ssl_bump_acl].
  • Pin rules are introspectable through the same verbs as action: rules. show policy match <host> adds a TLS pin: line when the host matches a pin rule; show policy list shows pin rules with Type: pin and the verdict in the Action column; show policy summary adds a + N pin tally and (when present) a Pinned hosts: H across M pin rule(s) line.
  • show policy list column renamed from Match-kind to Type — accommodates the new pin rule kind alongside the existing match-attribute kinds. Operator scripts that parse the table header need a one-line update; column ordering and field meanings are unchanged for action: rules.
  • Sub-second connector failover under engine drops — the connector now stays resident across engine restarts and policy reloads, and falls back to the configured [ssl_bump_acl].fail_action within ~1 second instead of stalling until the upstream TCP timeout. Pinned destinations continue with the configured fallback verdict during the engine-reload window; the same guarantee covers the url_rewrite path for non-pinned traffic. Operators see no client-visible interruption during routine reloads.

2026.34.0 (EA) June 18, 2026

  • eghost version warns on a host-CLI ↔ stack mismatch — the host eghost binary's compiled release: line and the live per-container image versions should agree, but docker compose pull && up -d swaps the images without touching the host binary. The verb now prints an explicit warning when they disagree and points the operator at the fix: re-run the appliance installer to refresh /usr/local/bin/eghost. See Host-CLI ↔ stack version mismatch warning.
  • Engine startup uses significantly less memory at scale — multi-million-rule policy deployments that could run at steady state but failed to boot due to a startup memory spike now start up cleanly on the same hardware. No operator action required; the improvement applies to every deployment automatically.
  • eghost toolbox shell opens bash — line editing, command history, and tab completion at the toolbox shell prompt.
  • eghost toolbox repo is quiet by default — only the human status line prints on repo add / pull / run / remove. The machine-readable JSON event record ({"ts":…,"event":"repo-pull",…}) is now opt-in via -v / --verbose on any repo subcommand. Operator entrypoint scripts that emit their own JSON to docker logs are unaffected. See Git-repo script delivery.
  • Bundled toolbox example script retired — the toolbox skel no longer ships scripts/example-squidblacklist.py. The skel README and cron template still document the helper-library workflow (lists.write(...) followed by engine.reload()) for operators writing their own scripts; the Community page lists open-source script bundles (e.g. EGGuard) that drop in as an eghost toolbox repo add source.

2026.33.1 (EA) June 17, 2026

  • Toolbox now authenticates with a least-privilege reload-only service account — replaces the Administrator credential the toolbox previously read from .env. The standalone bundle auto-provisions a level-3 Service account on first boot (enforcegate-toolbox-svc, scoped to request policy reload and the show status family), drops its credential into the shared volume, and the toolbox picks it up automatically. A stolen .creds now buys an attacker a policy reload at worst — not engine admin. No operator action; against an older engine the toolbox falls back to the previous ENFORCEGATE_ADMIN_* path. See Engine authentication.

2026.33.0 (EA) June 17, 2026

  • show policy summary — new one-glance overview of the loaded policy: the engine-synthesised default action, total rules with regex / domain-list split, aggregate domain-host count, the operator-vs-toolbox source split, time-gated rule count, and resolved policy directories. The first thing to look at on a fresh login to confirm the engine is enforcing what you expect. See Policy introspection.
  • show policy list gains a File column + default-action footer — every row now reports the source .policy file alongside id / name / action / window / source, so "which file do I edit" is one column to the right rather than a round-trip through show policy detail. The table now ends with a footer line, Default action (no rule matched): <verdict>, so the no-match posture is visible at the bottom of the listing.
  • Reload-scoped service account — new least-privilege account type. Can call request policy reload and the show status family, and nothing else (no user management, license, neighbor, or reboot ops). Created from the R) Service account (policy-reload only) entry in request user add. The intended use is automation that only needs to refresh policy — notably the toolbox sidecar's reload helper — without handing it an Administrator credential. See Privilege model.

2026.32.0 (EA) June 16, 2026

  • Default posture is a one-line config flip — new [policy].default_action knob in engine.conf sets the no-match verdict (permit default; deny / warn / aup for stricter postures). Replaces shipping a catch-all .policy rule. Flipping a deployment from default-permit to default-deny is now a single line in engine.conf and a reload — no policy-file surgery. See [policy].default_action and the default-deny recipe.
  • Catch-all 99-default-permit.policy retired — the shipped catch-all rule and the placeholder 99-noop-placeholder.policy are gone. The no-match verdict is now engine-synthesised, so it occupies no rule id and can no longer shadow lower-precedence rules under [policy].shared_path. Operators who hand-added a catch-all permit rule should remove it and rely on default_action — see troubleshooting.
  • Toolbox / shared-path rules finally enforce on stock appliances — with the catch-all gone, a shared deny rule actually denies (previously it was silently shadowed by the operator-side catch-all permit). No-op for deployments that never used [policy].shared_path; immediately visible for anyone running the toolbox sidecar.
  • CLI polish: show policy is back in ? and tab-completion (it had silently dropped out of the listing in a mid-June rename); edit policy <rule-name> in Configuration mode now opens the file that actually contains the rule instead of a stub <rule-name>.policy.
  • Toolbox sidecar runs Debian (glibc) — operator pip install --user is first-class, manylinux Python wheels load directly, and third-party prebuilt binaries run without extra packaging work. No operator action required. See Toolbox.
  • Shared policy directory renamed to rules.d/ — the toolbox handoff path under /etc/enforcegate-shared/ is now rules.d/ (was policies/), matching the operator-side [policy].path convention. The engine's [policy].shared_path default reflects this, and the enforcegate_toolbox.policies.write helper writes to the new path automatically. Operator scripts that bypass the helper and hard-code /etc/enforcegate-shared/policies/ need a one-line update.

2026.31.0 (EA) June 14, 2026

  • Time-scheduled policy rules — any rule can now carry a time-window: attribute and only match during a recurring weekly window (time-window: weekdays 08:00-18:00, time-window: daily 22:00-06:00, time-window: mon,wed,fri 09:00-17:00). Outside the window the rule falls through to the next rule, so a time-limited permit placed above a broad deny gives "allow during these hours, deny the rest of the time" with no extra rules. See Time-scheduled rules.
  • Operator-controlled timezone — new [policy].time_window_tz knob picks the clock the engine evaluates windows against. local (default) follows the engine host's local time; utc evaluates against UTC for deployments with operators in multiple timezones. Confirm what "local" means on the box with show clock.
  • show policy list gains a Window column — rules with no schedule show a placeholder in the column; scheduled rules show the normalised window (weekdays 08:00-18:00, daily 22:00-06:00). Makes "which of my rules are time-limited and when do they fire" answerable at a glance.
  • Strict validation on operator rules — a malformed time-window: under [policy].path fails the reload loudly, naming the file and the rule; the previous good policy stays live. Toolbox-generated rules under [policy].shared_path are isolated — the bad rule loads always-active with a Warning, the rest of the load proceeds.

2026.30.0 (EA) June 13, 2026

Maintenance release. No operator-visible changes beyond minor bug fixes and stability improvements; the operator surface is identical to 2026.29.0 (EA).

2026.29.0 (EA) June 12, 2026

  • Policy precedence is now consistent and visible — the lowest rule id wins on every match path, controlled by the conventional two-digit filename prefix (lower prefix = lower id = wins conflicts). show policy list gains a Source column showing whether each rule was hand-authored or generated by the toolbox sidecar, and a warning above the table when a catch-all permit rule would shadow your operator rules.
  • Super Administrator can create another Super Administrator. The "Available User types" menu in request user add now only lists the types the current operator is allowed to create, and adds an S) Super Administrator entry for operators authorised to use it. Previously the only Super Administrator possible was the bootstrap admin.
  • One-command git audit setup — new request policy git-init enables per-rule policy audit and history from the REPL (writes the auto-managed .gitignore, baseline-commits the current rules). Replaces the previous shell-out-to-git init flow. See Policy history.
  • Stronger password hashing — new and changed passwords use PBKDF2; existing accounts continue to authenticate and migrate automatically the next time their password changes. No operator action required.
  • Upgrade note — the engine ↔ connector wire protocol bumped at 2026.28.0. The standalone bundle rolls them together automatically; multi-image or separately-upgraded deployments need to upgrade engine and connector as a unit. See engine ↔ connector co-upgrade.
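The three policy mechanics described in the notes above (time-window: rules that fall through outside their window and [policy].time_window_tz in 2026.31.0, the engine-synthesised [policy].default_action in 2026.32.0, and lowest-id-wins precedence from the two-digit filename prefix in this release) compose in a way that is easiest to see in a small evaluator. The following is an added illustration, not EnforceGate's own code: the .policy file layout, the parent-domain match semantics of match-domain-list:, the reading of an overnight window such as 22:00-06:00, the strict/lenient split between [policy].path and [policy].shared_path, and the engine host clock (fixed at UTC+2 here) are all assumptions made for the sample; pin: rules are not modelled.

```python
import re
from datetime import datetime, time, timedelta, timezone

DAY_NAMES = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def parse_window(spec):
    """Parse 'weekdays 08:00-18:00', 'daily 22:00-06:00' or 'mon,wed,fri 09:00-17:00'
    into (weekday set, start, end). Anything else raises ValueError."""
    parts = spec.split()
    m = re.fullmatch(r"(\d{2}):(\d{2})-(\d{2}):(\d{2})", parts[1]) if len(parts) == 2 else None
    if m is None:
        raise ValueError(f"time-window needs '<days> HH:MM-HH:MM': {spec!r}")
    h1, m1, h2, m2 = map(int, m.groups())
    if parts[0] == "weekdays":
        days = set(range(5))
    elif parts[0] == "daily":
        days = set(range(7))
    elif all(n in DAY_NAMES for n in parts[0].split(",")):
        days = {DAY_NAMES.index(n) for n in parts[0].split(",")}
    else:
        raise ValueError(f"bad day list in time-window: {spec!r}")
    return days, time(h1, m1), time(h2, m2)  # time() rejects 25:00 or 08:61


def window_active(window, now):
    """True when `now` (an aware datetime already converted to the evaluation clock)
    is inside the window. end < start (22:00-06:00) is read as an overnight window
    that starts on a listed day and runs into the next morning (assumed semantics)."""
    days, start, end = window
    t, wd = now.time(), now.weekday()
    if start <= end:
        return wd in days and start <= t < end
    if t >= start:
        return wd in days
    return t < end and (wd - 1) % 7 in days


def rule_id(filename):
    """Lowest id wins; the id is taken from the conventional two-digit NN- prefix."""
    m = re.match(r"(\d{2})-", filename)
    if not m:
        raise ValueError(f"policy file lacks NN- prefix: {filename}")
    return int(m.group(1))


def load_rules(files, strict=True):
    """files: {filename: [rule dict, ...]} with name, action, match-domain-list and an
    optional time-window. strict=True models [policy].path (a bad window aborts the
    load); strict=False models [policy].shared_path (bad rule loads always-active)."""
    rules, warnings = [], []
    for fname, entries in files.items():
        for r in entries:
            window = None
            if "time-window" in r:
                try:
                    window = parse_window(r["time-window"])
                except ValueError as exc:
                    if strict:
                        raise ValueError(f"{fname} rule {r['name']}: {exc}") from None
                    warnings.append(f"Warning: {fname} rule {r['name']} loads always-active: {exc}")
            rules.append((rule_id(fname), r["name"], r["action"], r["match-domain-list"], window))
    return sorted(rules, key=lambda r: r[0]), warnings  # stable sort keeps file order


def domain_matches(host, entries):
    """Exact or parent-domain match (assumed domain-list semantics)."""
    host = host.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in entries)


def evaluate(rules, host, now_utc, default_action="permit", time_window_tz="local",
             host_clock=timezone(timedelta(hours=2), "host-local")):
    """Return (verdict, matched rule name or None). time_window_tz mirrors
    [policy].time_window_tz; host_clock stands in for the engine host's clock."""
    now = now_utc.astimezone(timezone.utc if time_window_tz == "utc" else host_clock)
    for _id, name, action, domains, window in rules:
        if not domain_matches(host, domains):
            continue
        if window is not None and not window_active(window, now):
            continue  # outside its window the rule falls through to the next one
        return action, name
    return default_action, None  # engine-synthesised no-match verdict


def utc_at(y, mo, d, hh, mm):
    """Aware UTC datetime helper for the sample calls."""
    return datetime(y, mo, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample policy: a time-limited permit above a broad deny, plus an
# overnight maintenance window. 2026-06-16 is a Tuesday, 2026-06-20 a Saturday.
SAMPLE_FILES = {
    "10-office-hours.policy": [{"name": "social-office-hours", "action": "permit",
        "match-domain-list": ["social.example"], "time-window": "weekdays 08:00-18:00"}],
    "20-social-deny.policy": [{"name": "social-deny", "action": "deny",
        "match-domain-list": ["social.example"]}],
    "30-maintenance.policy": [{"name": "backup-window", "action": "permit",
        "match-domain-list": ["backup.example"], "time-window": "daily 22:00-06:00"}],
}
RULES, _ = load_rules(SAMPLE_FILES)

if __name__ == "__main__":
    print(evaluate(RULES, "www.social.example", utc_at(2026, 6, 16, 12, 0)))
    print(evaluate(RULES, "www.social.example", utc_at(2026, 6, 16, 17, 0)))  # 19:00 host-local
    print(evaluate(RULES, "www.social.example", utc_at(2026, 6, 16, 17, 0), time_window_tz="utc"))
    print(evaluate(RULES, "unlisted.example", utc_at(2026, 6, 20, 12, 0), default_action="deny"))
```

The second and third calls are the [policy].time_window_tz point: the same instant (17:00 UTC) is inside the weekday window under utc and outside it under the host's UTC+2 clock, so the time-limited permit falls through to the deny below it. The last call shows the no-match verdict coming from default_action rather than from any rule id.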

2026.26.0 (EA) June 7, 2026

  • Per-rule policy audit and history — optional, opt-in. When the policy directory is a git repo, the engine records every reload as a commit (authored as <user>@<engine-host>) and exposes the history through show policy log, show policy blame <rule>, show policy commit <N>, show policy diff rollback <N> (preview before rollback), show policy fingerprint, show policy tags, and request policy tag for naming baselines. Snapshot-only deployments are unchanged. See policy audit and history.
  • Auto-managed .gitignore — when git audit is enabled, the engine writes (or merges) a .gitignore that keeps certificates, keys, license, and password files out of any commit.

2026.24.6 (EA) June 6, 2026

  • Engine scales to 150 million rules per engine — large category-based filtering corpora, threat-intel domain feeds, and combined allow / deny lists all run on a single engine without sharding. See sizing.
  • New toolbox container — sandboxed companion sidecar with bash, Python, and the standard EnforceGate CLI tooling pre-installed. Canonical use case is scheduled category-list refresh. See Toolbox.
  • Faster support ticketing — new show tech-support aggregates ten of the most-asked-for show * outputs into one paste-into-ticket bundle. Run it first when opening a ticket — see collecting a support bundle.
  • Engine reboot from the CLI — new request system reboot (Cisco alias reload) does a graceful engine shutdown; the container orchestrator restarts it per its configured restart policy. Super-Administrator only. See Engine reboot.
  • CLI polish — Cisco IOS / Junos aliases (reload, clear neighbor, show clock, show calendar), exit / quit reliable in every mode, the request * namespace hidden from ? until you enable it. Old verb forms continue to dispatch as hidden aliases.

2026.24.0 (EA) June 5, 2026

  • show system * introspection family — seven new read-only verbs for engine internals: uri-engine, memory, uptime, version, threads, listeners, logs. Use when sizing container memory, performance-triaging, or assembling support context. See System introspection.
  • Cisco-style show version — multi-line show ver-style block replaces the bare three-line format. The third row carries an inline License summary so operators get edition + active-of-cap connector count without a separate show license.
  • CLI polish — the REPL prompt now carries the host name (host>, host#, host(config)#); configure is a short alias for configure terminal; edit policy <name> accepts a rule name (resolves to the file containing it); bad credentials at REPL entry fail fast with a clear error instead of opening a broken shell.
  • Domain backend tunable — new [policy].domain_backend knob for very-large-scale deployments. The default auto fits every shipped sizing-table workload.

2026.21.0 (EA) June 4, 2026

  • Cisco-style interactive CLI modes — Operational (>), Privileged (#), and Configuration ((config)#). Raising to Privileged requires Administrator privileges. See Modes.
  • Staged policy editing inside the REPL: configure terminal opens an edit session; edit policy <name> opens the file in $EDITOR; show policy diff previews against the entry-time baseline; commit atomically applies, revert discards. See Staged edits.
  • Policy introspection — five new show policy * verbs (list, detail <name>, files, file <name>, domain-lists) let operators see what the engine is enforcing without dumping .policy files by hand. See Policy introspection.

2026.20.2 (EA) June 3, 2026

  • Multi-million-rule blocklists just work — loading large domain-list blocklists no longer needs special tuning, tighter cgroup limits, or extra memory headroom. A reference workload that previously needed minutes now finishes in seconds under the shipped defaults. Inspect the live policy with show policy match — see Inspecting the live policy.
  • No external lookups in the request path — category-based filtering against local lists stays local. No cloud-side resolver, no per-request external dependency. Important for air-gapped, regulated, and privacy-sensitive deployments.

2026.17.0 (EA) June 1, 2026

  • User management — on a fresh deployment, the built-in admin account can now create additional administrator accounts directly via the documented workflow. Previous releases required a workaround.
  • Editions — the documentation now describes the three editions (Lite, Pro, Enterprise) with feature mapping, sizing guidance, and the edition-upgrade workflow. See editions and sizing.
  • Support tiers — base tier renamed from "Standard" to "Direct" — direct contact with an Exosys support engineer, not a community channel. See support tiers.

2026.14.0 (EA) May 29, 2026

  • New operator CLI: eghost is the single entry point for day-to-day management: starting and stopping the stack, viewing status, editing policies, managing users, and creating support bundles. egctl and egpolicy are still available through it.
  • Virtual appliance — ships as a single OVA / qcow2 / vhdx for VMware, KVM and Hyper-V. A console wizard guides first-boot configuration.
  • Captive portal — block, warn and AUP verdicts render in-product explanation pages, with a self-service CA install page for unmanaged devices. See captive portal.
  • SSL/TLS inspection — three configurable modes with an explicit operator opt-in for the full-decryption mode. See SSL inspection.
  • Hardware-anchored release signing + seamless upgrades — every release image is signed by a hardware-held key; operator state (configuration, license activation, policies, audit log) is preserved across image upgrades.

Verify your version

Always check the deployment's reported version with eghost version before applying procedures from this site.