Skip to content

Releases: OpenNHP/opennhp

v1.0.0

16 May 20:44
@opennhp-release-please opennhp-release-please
Immutable release. Only release title and notes can be modified.
v1.0.0
535e49e
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.0.0 Latest
Latest

1.0.0 (2026-05-15)

⚠ BREAKING CHANGES

  • relay: remove legacy POST /relay; tighten routing contract

Features

  • js-agent: add EN/zh-cn language switcher to demo page (5a7f89d)
  • js-agent: add EN/zh-cn language switcher to demo page (ca4604e)
  • js-agent: expose NHPAgent.version + bump VERSION to 0.7.3 (e9ba4a4)
  • js-agent: expose NHPAgent.version sourced from nhp/version/VERSION (0616094)
  • js-agent: scope perf metric to network round trip; demo form polish (1f5408d)
  • js-agent: scope perf metric to network round trip; demo form polish (8b4c869)
  • relay: support multiple nhp-server clusters via pubkey-derived id (eef8b56)
  • relay: support multiple nhp-server clusters via pubkey-derived id (d083653)

Bug Fixes

  • js-agent: prevent protected server section from wrapping to two lines (fbc4ae1)
  • js-agent: prevent protected server section from wrapping to two lines (ca398f4)
  • js-agent: shorten protected server text to prevent wrapping (6a9d475)
  • js-agent: shorten protected server text to prevent wrapping (d282fae)
  • js-agent: sync package-lock.json version with package.json (811f1cf)
  • js-agent: update i18n strings to match shortened text (0daaba2)
  • js-agent: update i18n strings to match shortened text (1000647)
  • relay: spell "behavior" the American way to satisfy misspell linter (768725a)

Code Refactoring

  • relay: remove legacy POST /relay; tighten routing contract (bda88e1)
Assets 3
Loading

v0.7.3

08 May 06:26
@opennhp-release-please opennhp-release-please
Immutable release. Only release title and notes can be modified.
v0.7.3
b53e079
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.7.3

0.7.3 (2026-05-08)

Bug Fixes

  • js-agent: always load demo config from server, drop localStorage cache (7f80de1)
  • js-agent: always load demo config from server, drop localStorage… (f1eb543)
  • plugins: align shared deps with endpoints to fix plugin.Open (a4acc5f)
  • plugins: align shared deps with endpoints to fix plugin.Open (5390ffa)
Loading

v0.7.2

07 May 19:22
@opennhp-release-please opennhp-release-please
Immutable release. Only release title and notes can be modified.
v0.7.2
4ba1c86
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.7.2

0.7.2 (2026-05-07)

Features

  • js-agent: success overlay, IP footer, and code panel polish (bd38ed7)
  • js-agent: success overlay, IP footer, and code panel polish (b55f14c)
  • server-plugin: polish basic auth-plugin demo page (2b7a3f9)
  • server-plugin: polish basic auth-plugin demo page (599eb8c)

Miscellaneous Chores

Loading

v0.7.1

07 May 06:22
@github-actions github-actions
Immutable release. Only release title and notes can be modified.
v0.7.1
This tag was signed with the committer’s verified signature.
fengyily F1
GPG key ID: 32A0CA9EB26E2939
Verified
Learn about vigilant mode.
a94b0e4
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.7.1

OpenNHP v0.7.1

OpenNHP v0.7.1 expands the project beyond the original three daemons into a fuller Zero Trust platform: a new TCP relay component for cross-network reachability, a browser-native JavaScript agent, an OIDC authentication plugin for enterprise SSO, and the public AWS demo infrastructure that ties them together at opennhp.org.

This release ships 420 commits since v0.6.0.

Note on versioning: v0.7.0 was tagged but never published as a Release due to a tooling lock during artifact upload. v0.7.1 is the first cleanly published release in the 0.7.x line and contains everything intended for v0.7.0 plus a handful of demo/UX fixes that landed since.

Highlights

New components

  • NHP-Relay — a new TCP relay daemon (endpoints/relay/) that lets agents reach servers across NAT'd or otherwise unreachable networks. Hardened with TLS 1.3-only, bounded channel sends to prevent goroutine leaks, X-Real-IP-based client identification, and an O(1) per-relay connection cap. (#1502, bf92704)
  • JS-Agent — a browser-native NHP agent (endpoints/js-agent/) implementing the full protocol in TypeScript, including both Curve25519+AES-GCM and SM2/SM3/SM4 cipher suites. Supports UDP, WebSocket, and Relay transports. (#1517, 6709d00)
  • OIDC plugin — server-side authentication plugin that delegates to any OIDC provider (Auth0, Okta, etc.), with automatic redirect-to-resource on successful auth. (f71277b, 31206cc)

Public demo infrastructure

  • Terraform demo stack for AWS us-east-2 provisioning nhp-server, nhp-ac, and nhp-relay behind nginx + Let's Encrypt, with Cloudflare DNS-01 cert renewal. (0a881b3, cb7291e)
  • Live demo at agent.opennhp.org hosting the JS-Agent demo page. (5cf6184)
  • All deploy automation lives in .github/workflows/deploy-demo-v2.yml and infra-demo.yml.

Login & authentication UX

  • New login page with SSO support, QR code login, OTP code login, multi-language UI, and dual IP display. (9abcd93, 086a437, 2170368)

Tooling & CLI

  • --json output flag on the CLI for scriptable integration. (#1346, 634e3d8)
  • Build Binaries workflow is now manual-only with platform checkboxes (Linux / Windows / macOS) and an explicit "create release" toggle. (b205fce, fcb4cc6)
  • Plugin build pipeline now auto-discovers all plugins in server_plugin/, supports nested directory layouts, and can pull external plugin repos via JSON config. (cdabbb1, b6cf9d0, cac6f52)
  • All daemons now print version banners on startup. (c25d138)

Documentation

  • New Protocol Reference and Glossary pages (English + Simplified Chinese), plus llms.txt for AI agent consumption.
  • README translations for zh-cn, zh-tw, de, ja, fr, es.
  • New Vision section, refreshed badges, and an animated SVG protocol-flow diagram.
  • Stated thesis added to README: "Visibility = Vulnerability."

Notable fixes

  • Security review pass addressing state handling, MITM exposure, DoS surface, and account ID leakage. (e2c5336)
  • OIDC redirect hardeningRedirectUrl validated before server-side redirect; HTML error fallback and nil-safety added. (55db41f, 63552e0)
  • Session cookies now carry the Secure flag. (#1319)
  • KGC master key file permissions tightened. (#1337)
  • IPv6 support — multiple critical bugs fixed in the IPv6 implementation.
  • Crypto error handling — proper error propagation across all crypto operations; panics in crypto/peer/compression code paths fixed via fuzz testing. (#1338, 6534cf6)
  • GOPROXY is now configurable instead of hardcoded in Docker. (#1345, closes #1314)
  • Default cipher scheme aligned between code defaults and Docker quick-start config.
  • errcheck linter enabled across the codebase; all unchecked errors fixed.

Performance

  • Per-relay connection cap is now O(1) under a dedicated lock instead of scanning the full session map. (e7b74e6)
  • Go build cache enabled in deploy-demo-v2 for faster CI runs. (0eb1cf0)

Removals

  • WebRTC transport removed from the server. (757c647)

Upgrade notes

  • The [webrtc] section in server/etc/config.toml is now deprecated; the server logs a warning if it is still present and otherwise ignores it.
  • New optional configs: relay.toml on nhp-server (peer table for relays), db.toml (now optional, was previously required).

Compatibility

Built and tested with Go 1.25. Plugins must be built with the same Go version as the daemon they load into.

Full Changelog: v0.6.0...v0.7.1

Loading