vssh 4.2.1__tar.gz → 4.3.1__tar.gz

vssh-4.3.1/CHANGELOG.md

@@ -0,0 +1,858 @@
+# Changelog
+
+## [Unreleased]
+
+- Docs (README/HELP/SECURITY + ko) updated to the key-only model (no shared
+  secret in quickstart, auth via `~/.vssh/authorized_keys`). pip `vssh` 4.3.1
+  fetches the 0.7.38 binary.
+
+### Security/cleanup (2026-06-14) — P4 finish: secret-free daemon, dead HMAC code removed (v0.7.38)
+
+- `vssh server` no longer requires (or reads) a shared secret to start — auth is
+  purely per-node Ed25519 keys. Removed the secret-required startup gate and the
+  `VSSH_INSECURE_ALLOW_EMPTY_SECRET` escape hatch from `cmd/vssh`.
+- Deleted the now-dead HMAC code: `server.ValidateAuthToken`,
+  `server.GenerateAuthToken`, the legacy HMAC-authenticated client transfer
+  functions (`SendFileCompressed/SendFileResume/ParallelDownload/PipeUp/PipeDown/
+  MultiPut/SyncFile` + helpers), and the HMAC token unit tests. The modern
+  `dialAuth`/`Handle*` (VAUTH1) paths are unaffected.
+- `scripts/enroll.sh` is now key-only: it installs the daemon unit WITHOUT
+  `VSSH_SECRET` and verifies via VAUTH1 (no shared secret anywhere in onboarding).
+- `go vet`/`go test` green (incl. `TestServerRejectsLegacyHMACAuth`).
+
+### Security (2026-06-14) — P4: key-only auth (legacy shared-secret HMAC removed)
+
+- The daemon now accepts **only per-node Ed25519 VAUTH1**. The legacy shared-secret
+  (HMAC) authentication path was removed from `internal/server/server.go`: any
+  non-VAUTH1 auth line — including a *valid* HMAC token for the configured secret —
+  is rejected (`AUTH_FAILED`). This removes the entire class of risk where one
+  fleet-wide shared secret, if leaked, grants access, and eliminates the secret
+  that could be hardcoded or re-leaked.
+- `dialAuth` (the canonical client path) has been VAUTH1-only since 0.7.25; the
+  remaining `GenerateAuthToken` callers (`transfer_advanced.go` / `sync.go`) are
+  legacy client functions not wired to any CLI command. The HMAC helpers remain
+  for now but are unreachable by the daemon.
+- New regression test `TestServerRejectsLegacyHMACAuth`; `go vet`/`go test` green.
+- Operational: the live fleet already enforces VAUTH at runtime
+  (`VSSH_REQUIRE_VAUTH=1`, incl. the m1 controller as of 2026-06-14); this makes
+  key-only the built-in default. Rollout (build → d1 canary → deploy_fleet → drop
+  `VSSH_SECRET` from units + retire legacy HMAC helpers) is deferred until all
+  nodes are reachable. **Not yet deployed.**
+
+### Distribution (2026-06-14) — P1 one-line install pipeline (v0.7.36)
+
+- **Makefile version single-sourced** from `cmd/vssh/main.go` (was hardcoded
+  `0.7.5`, 6 minors behind the binary). `make release` now always labels the
+  4-arch binaries with the real version; `checksums` globs binaries only (was
+  sweeping stale Python wheels into `checksums.txt`).
+- **`install.sh` hardened**: SHA-256 verification against the release
+  `checksums.txt` (fail-closed), `VSSH_VERSION=` pinning (default latest),
+  `INSTALL_DIR=` override, atomic temp-dir install, clearer PATH/next-step output.
+- **`pip install vssh` unified (CLI + SDK)**: the `vssh` wheel ships a
+  console-script that downloads the matching Go release binary to `~/.vssh/bin`
+  on first use (stdlib-only, checksum-verified, `VSSH_BIN`/`VSSH_VERSION`/`VSSH_HOME`
+  overrides, atomic cache write) AND keeps `from vssh import VSSH` importable.
+  Package version (`src/vssh/_version.py:__version__`) stays on PyPI's existing
+  `vssh` 4.x line (4.3.0) so `pip install vssh` resolves to it (highest wins); the
+  launcher downloads the decoupled `BINARY_VERSION` (0.7.36) GitHub release asset.
+  `python -m vssh` works.
+- Verified on m1: `go vet`/`go test` green, Python SDK 8/8, `make release`
+  4-arch + checksums, wheel/sdist build, fresh-venv install (SDK import +
+  console-script exec), and an adversarial download test (happy path +
+  tampered-checksum rejection fail-closed + `VSSH_BIN` override).
+- PUBLISHED 2026-06-14: pushed `main` + tag `v0.7.36`; GitHub release (CI-built
+  4 binaries + `checksums.txt`, marked Latest); PyPI `vssh` **4.3.0**. Verified
+  live on m1: one-line `install.sh` (checksum-verified -> `vssh 0.7.36`) and
+  `pip install vssh` -> import SDK + `vssh --version` downloads 0.7.36 binary.
+
+### Tooling (2026-06-13) — P1a one-command node onboarding
+
+- New `scripts/enroll.sh <node>`: idempotent end-to-end enrollment from the
+  controller — detect OS/arch, install/upgrade the binary (atomic), install +
+  enable the daemon service with strict VAUTH if missing (systemd `vsshd` /
+  launchd `ai.meshclaw.vsshd`, `VSSH_REQUIRE_VAUTH=1`), cross-authorize
+  node<->controller keys, TOFU-pin the node key into `~/.vssh/known_hosts`, then
+  verify (TLS+VAUTH1 `AUTH_OK` + `agent_suite` ALL GREEN). `DRY_RUN=1` prints the
+  plan without changing anything. Collapses install + cross_authorize + pin +
+  strict-mode + verify into one command (DESIGN_RATIONALE §4 item 4).
+- Validated idempotently against d1 (converges, ENROLLED OK). Fresh-node
+  service-creation paths await the return of an un-enrolled node (n1/s1/s2) for
+  live validation; a native `vssh enroll` subcommand wrapper is a follow-up.
+
+### Tooling (2026-06-13) — §5.3 transport stabilization gate scanner
+
+- New `scripts/audit_transport_scan.sh`: scans every fleet node's vssh audit log
+  and counts authenticated connections by `transport` (tls vs plain), reading the
+  right path per OS (linux root daemon → `sudo /var/log/vssh/audit.log`; darwin
+  user daemon → `~/.vssh/audit.log`). Reports plaintext-auth sources by
+  `key_name`, supports a `SINCE=<RFC3339>` window, and exits non-zero if any
+  plaintext-auth record is present — the measurable go/no-go for flipping
+  `VSSH_REQUIRE_TLS=1` fleet-wide in 0.7.27. `NODES=` overrides the host list.
+- Clarification: exec **is** audited with the transport marker (EXEJ →
+  `auditLog`, transfer.go:290/525). An earlier note claiming exec was unaudited
+  was a permissions misread — the linux audit.log is root-owned 0700, so the
+  command's drop-priv user (e.g. uid 1000) gets EACCES; it must be read as root.
+- First scan: the only plaintext-auth source fleet-wide is `m1-controller`
+  (the still-0.7.25 in-memory `vssh mcp` process); a Claude Desktop restart moves
+  it to 0.7.26 TLS-first.
+
+### Docs (2026-06-13) — P0 transport security migration design
+
+- New `docs/SECURITY_TRANSPORT_MIGRATION.md` (design only, no code):
+  threat model of the plaintext wire (no post-auth encryption/MAC, no server
+  authentication/channel binding, client-side legacy-HMAC downgrade in
+  dialAuth, no signature domain separation) and the decided fix — TLS 1.3
+  (Go stdlib) with Ed25519 self-signed certs from the existing node identity,
+  raw-pubkey pinning against authorized_keys / new known_hosts, same-port
+  first-byte sniff, `VSSH_REQUIRE_TLS` kill-switch, staged rollout
+  0.7.25→0.7.27 with external review after the client flips to TLS.
+- Same doc §6: P1(b) unattended-automation whitelist design —
+  `policy=<name>` key tag + JSON policy files (anchored exec allow/deny,
+  path scopes, forward targets, rate bounds, `danger_preapproved`),
+  fail-closed, typed `policy_denied`, MCP auto-approve profiles generated
+  from the same policy file. Templates: readonly/backup/ci/deploy.
+- Recorded decisions: no interactive TTY over MCP; `vssh_tunnel` MCP tool is
+  P2 after the TLS transport lands.
+
+### Ops (2026-06-13) — legacy tunnel path retirement plan + macmini stray resolved
+
+- **macmini stray binary resolved.** /usr/local/bin/vssh (ancient 0.1.0) could
+  not be moved (no passwordless sudo, directory not writable by odt) but the
+  file itself is odt-owned — overwritten in place with the current 0.7.24
+  binary and codesigned. No more version confusion; no sudo required.
+- **Decision: legacy FWD/RFWD/RDATA removal in two releases, gated on a
+  stabilization window.** Trigger criteria (all must hold):
+  (a) 7 consecutive daily conformance runs green on 0.7.24,
+  (b) zero non-fmux FWD/RFWD audit records fleet-wide in that window
+      (legacy records lack the "(fmux)" tag — `grep 'FWD' audit.log | grep -v
+      fmux` per node),
+  (c) n1/s1/s2 redeployed to 0.7.24 + strict + caps on return (or formally
+      retired from the roster).
+  Then: **step 1 (0.7.25)** remove the client-side legacy fallbacks
+  (fwdOpenTunnel legacy branch, forwardRemoteLegacy); **step 2 (0.7.26)**
+  remove the daemon's top-level FWD/RFWD/RDATA verbs (typed
+  unsupported_method). FMUX stream headers (FWD/RFWD/UDP/RCONN inside a
+  session) are a separate namespace and stay. Rollback = revert the step's
+  commit.
+
+## [v0.7.35] - 2026-06-13
+
+### Resolver: exclude local/self IPs from remote peer candidates
+
+Root fix for the misroute class: `CandidateHosts`/`ResolveHost` now drop any
+candidate equal to one of THIS machine's own non-loopback interface IPs, so a
+remote peer can never resolve to the controller's own daemon when its real
+address is down. If every candidate is local, the target IS this machine ->
+loopback (127.0.0.1) fallback (self-targeting preserved). Verified: d1 runs,
+m1/self via loopback, d2 (down) now fails cleanly (i/o timeout to its real IP)
+instead of silently reaching the controller. Host-identity verification (0.7.33)
+remains the post-connect backstop. go vet + go test green.
+
+## [v0.7.34] - 2026-06-13
+
+### MCP self-bootstrap: `vssh_setup` tool
+
+Any model on any client (Claude/Cursor/Codex/AI Studio) configures vssh by calling
+ONE tool. `vssh_setup` auto-detects peers, builds the trusted node-key registry
+(`~/.vssh/node_keys`) via loopback handshakes (enabling host-identity
+verification), runs the doctor, and reports the one remaining manual gate
+(REQUIRE_TLS). Idempotent and merge-preserving (keeps a node's prior key if a
+refresh can't reach it). `vssh_doctor` now warns on an empty registry and points
+to `vssh_setup`. Verified end-to-end over the MCP protocol. (The binary itself
+still installs via pip/github/install.sh — only that prerequisite is not
+self-bootstrapping.)
+
+## [v0.7.33] - 2026-06-13
+
+### Security: host-identity verification DEFAULT-ON (anti-misroute, resolved)
+
+Root-causes and resolves the v0.7.31 misroute risk.
+- Why daemon `server_key` != on-disk `vssh_id`: `vsshConfigDir()` falls back to
+  `/etc/vssh` when `$HOME` is unset (systemd daemon), so the daemon's identity is
+  `/etc/vssh/vssh_id` (the TLS key) while `sudo vssh pubkey` reads `/root/.vssh`
+  (HOME=/root). authorized_keys (collected from the latter) was the wrong source.
+- `scripts/build_node_registry.sh` captures each node's authoritative daemon TLS
+  key via a LOOPBACK handshake on the node (`handshake-test --tls 127.0.0.1` —
+  its own daemon, unmisroutable) into `~/.vssh/node_keys`.
+- `server.NodeKey(name)` reads that registry; the client host-identity check
+  sources expected keys from it. Flipped to **default-ON** (opt-out:
+  `VSSH_NO_HOSTKEY_VERIFY=1`).
+- Validated live: legit nodes run; a wrong registry key hard-fails ("refusing to
+  run on the wrong host"); unknown nodes (no entry) skip safely. go test green.
+
+Operational: keep `~/.vssh/node_keys` fresh (run build_node_registry.sh after
+enroll/key changes); the `d2` Tailscale device collision that triggers the
+intermittent misroute should be cleaned up at the tailnet level.
+
+## [v0.7.32] - 2026-06-13
+
+### P1b complete: MCP danger_preapproved auto-approve (step 2)
+
+- Daemon: new conn-aware `policy_check` RPC (read-only, no execution) returns the
+  policy decision (`none|allow|preapproved|deny`) for the authenticated key and a
+  command. Handled in `HandleRPCCommand` (where the connection identity is known),
+  not the connectionless `HandleRPC`.
+- MCP: `toolExec`, before blocking a heuristically-"dangerous" command, asks the
+  target daemon via `policy_check`; if the key's policy allows/pre-approves it the
+  exec proceeds with no `allow_dangerous` flag — unattended automation works while
+  the daemon stays authoritative. Single source of truth: the same policy file.
+- Test: `TestPolicyCheckRPC` (deny / preapproved / allow). go vet + go test green.
+
+This completes the P1b whitelist (DESIGN_RATIONALE §1 roadmap + SECURITY_TRANSPORT
+_MIGRATION §6): daemon-side exec_allow/deny + file_paths + fwd_targets + rate, and
+MCP-side danger_preapproved — all behind per-key opt-in (`policy=` tag).
+
+## [v0.7.31] - 2026-06-13
+
+### Security: opt-in host-identity verification (anti-misroute)
+
+Defends against the name->wrong-host misroute class. Observed live: a node name
+(d2) transiently resolved to the controller (m1) via a stale/colliding Tailscale
+address; because the TLS pin is keyed by IP, the wrong host's pin still matched
+and the command ran on m1 instead of d2.
+
+- The client records, per dial address, the daemon key it EXPECTS for the logical
+  target — the pin of the target's canonical config IP (`ConfigNodeIP` +
+  `KnownHostPub`), set in `resolveNativeHost`/`resolveReachableHost` and the MCP
+  exec path. `dialAuth` hard-fails after the TLS handshake when the reached
+  daemon key differs. Gated by `VSSH_VERIFY_HOST_IDENTITY=1` (default OFF — no
+  behavior change until enabled).
+- Source is `known_hosts` (correct IP->TLS-key), deliberately NOT
+  `authorized_keys`: verified the latter stores `vssh_id` pubkeys that differ
+  from the TLS daemon cert key, so verifying against it would falsely reject
+  every node.
+- Validated: opt-in ON does not break legit nodes (d1/c1/d2 live); a deterministic
+  unit/e2e test (`TestHostIdentityVerification`) confirms mismatch -> hard fail,
+  cleared -> success. go vet + go test ./... green; rolled out fleet-wide.
+
+To enable fleet-wide: pin every node's canonical config IP (so each has an
+expected key), then set `VSSH_VERIFY_HOST_IDENTITY=1`. vssh must run well over
+both Wire and Tailscale — this hardens the Tailscale-resolution path.
+
+## [v0.7.30] - 2026-06-13
+
+### MCP cross-client robustness
+
+- `cmdMcp` raises the stdin scanner buffer (64KB default -> 1MB initial / 16MB
+  max) so a strict MCP client (Cursor, Codex, or a custom JSON-RPC client) that
+  sends a >64KB `tools/call` request line (large file/script arguments) is not
+  silently dropped (which would end the stdio session). Mirrors `run-batch`.
+- A cross-client compliance audit (Claude Desktop, Cursor, Codex CLI, custom
+  "AI Studio") found the MCP server otherwise spec-compliant: newline-delimited
+  JSON-RPC 2.0 over stdio, correct `initialize`/`tools/list`/`tools/call` shapes,
+  graceful notifications + unknown-method handling, clean stdout. No protocol
+  changes required. Ready-to-paste client configs: see `VSSH_MCP_CLIENTS.md`.
+- Resynced the stale `/opt/homebrew/bin/vssh` CLI (was 0.7.26) to current.
+
+## [v0.7.29] - 2026-06-13
+
+### Security (P1b step 3): fwd_targets allow-list + per-key exec rate limit
+
+Completes the daemon-side P1b enforcement surface (exec + file_paths +
+fwd_targets + rate).
+
+- FWD checks the requested target `host:port` against the policy `fwd_targets`
+  allow-list (`fwdTargetMatch`: host exact or CIDR membership for IPs; port exact
+  or `*`). A policied key with empty `fwd_targets` denies all forwards
+  (fail-closed). RFWD remains fail-closed for policied keys (no reverse-bind
+  axis in the schema). Typed `policy_denied` + audit (`fwd_ok`|`fwd_denied`).
+- Per-key exec rate limit: `rate.exec_per_min` enforced via a 60s sliding window
+  keyed by the connection pubkey; over-limit execs get `policy_denied`
+  (`policy_rule: rate_exceeded`). 0 = unlimited.
+
+Unit tests for `fwdTargetMatch` + `rateExceeded`; go vet + go test ./... green;
+d1 canary agent_suite 10/10 (opt-in, no regression); rolled out fleet-wide.
+Remaining P1b: MCP-side `danger_preapproved` auto-approve (step 2).
+
+## [v0.7.28] - 2026-06-13
+
+### Security (P1b): file_paths scope on PUT/GET + fail-closed unscoped verbs
+
+Completes the daemon-side file scoping of the policy engine and closes the
+verb-bypass so a policied key cannot dodge its scope through an unguarded verb.
+
+- PUT/GET enforce the policy `file_paths` scope via `Policy.PathAllowed`
+  (symlinks/.. resolved on the longest existing ancestor before the glob check).
+  Out-of-scope or fail-closed paths return typed `policy_denied` + audit
+  (`policy_rule: file_path_denied|file_path_ok`).
+- Every file/forward verb the engine does not yet scope (PUTZ, RESUME, MPUT,
+  GETM, GETC, PIPE_UP/DOWN, SYNC, FWD, RFWD, RDAT, FMUX, RELAY) now **fails
+  closed** for a policied key (`policyBlockUnscoped`) instead of running
+  unscoped. Net effect: a policied key may only exec (command-scoped) and
+  PUT/GET (path-scoped). Keys with no `policy=` tag are unaffected (opt-in).
+
+Remaining P1b (step 3): `fwd_targets` allow-list + per-key `rate` enforcement
+(currently parsed only; forwards are denied for policied keys until then), and
+the MCP-side `danger_preapproved` auto-approve reading the same policy file.
+
+Note: `VSSH_REQUIRE_TLS=1` fleet drop-in (transport §5 step 4) is an env/config
+change, not a code release — gated on the §5.3 stabilization window.
+
+go vet + go test ./... green; d1 canary agent_suite 10/10 (non-policied file/exec
+unaffected); rolled out fleet-wide.
+
+## [v0.7.27] - 2026-06-13
+
+### Security (P1b step 1): per-key command/path policy engine (opt-in)
+
+Implements DESIGN_RATIONALE §1 roadmap item 1 (per-key command allow/deny) and
+SECURITY_TRANSPORT_MIGRATION §6. Lands behind a per-key opt-in: a key with no
+`policy=` tag keeps current behavior, so the fleet is untouched until policies
+are assigned.
+
+- `authorized_keys` gains an optional `policy=<name>` tag (`KeyPolicy`); caps
+  verbs stay the hard floor, the policy narrows what an exec-capable key may run.
+- `internal/server/policy.go`: loads `<cfg>/policies/<name>.json` or
+  `/etc/vssh/policies/<name>.json` (mtime-cached, hot-reloaded). Evaluation is
+  deny-first, then `danger_preapproved`, then `exec_allow`; no match = refuse,
+  typed `error_code: policy_denied` with the matched rule id and (for
+  preapproved) a `preapproved` flag in the audit record.
+- Anchored (`^...$`) full-command matching defeats metachar/newline smuggling
+  inside an allowed prefix; load-time lint warns on unanchored rules. `file_paths`
+  scoping resolves symlinks/.. (longest existing ancestor) before the glob check.
+- **Fail-closed**: a key tagged `policy=<name>` whose file is missing/invalid is
+  unusable (never unrestricted).
+- Enforced on every exec path (single EXEJ, mux EXEJ, legacy EXE).
+- Templates `policies/{readonly,backup,ci,deploy}.json` + README; `deploy`
+  carries `danger_preapproved` (systemctl restart) — the unattended list.
+
+Note: REQUIRE_TLS (migration §5 step 4) moves to 0.7.28 — it is gated on the
+§5.3 stabilization window (7 days zero plaintext-auth), which P1b does not block.
+
+Tests: unit (EvalExec deny-first/anchoring/no-match, PathAllowed escape,
+fail-closed, template compile+anchor) + in-process e2e (real daemon on loopback:
+allow / deny / no-match / smuggle-blocked / danger / mux / fail-closed + audit
+rule ids). go vet + go test ./... green; d1 canary agent_suite 10/10 (opt-in, no
+regression); rolled out to 14 online nodes.
+
+## [v0.7.26] - 2026-06-13
+
+### Security (P0 step 2): client TLS-first by default
+
+- `dialAuth` now attempts **TLS 1.3 (VTLS1) first on every connection** instead
+  of only under `VSSH_PREFER_TLS=1`. The connection is wrapped in TLS, the
+  daemon's Ed25519 raw pubkey is pinned via `~/.vssh/known_hosts` (TOFU on
+  first contact), and VAUTH1 runs inside the channel.
+- **Downgrade-resistant:** a pinned-key (known_hosts) mismatch is a *hard
+  failure*, never a plaintext fallback — an attacker presenting a wrong cert
+  cannot force the client onto the plaintext wire.
+- `VSSH_REQUIRE_TLS=1` (client) = no plaintext fallback at all; wins over the
+  `VSSH_NO_TLS=1` debug-only escape hatch.
+- Pre-0.7.25 / non-TLS daemons: a loud stderr WARNING is printed, then a
+  plaintext-VAUTH1 fallback on a fresh connection. These warnings are the
+  fleet-upgrade TODO list and disappear once `REQUIRE_TLS` flips in 0.7.27.
+- Refactored the Ed25519 challenge–response into a shared `vauth1()` used by
+  both the TLS and plaintext paths.
+- **Audit transport marker:** the daemon tags each authenticated connection
+  `transport=tls|plain` and records it in the audit log, so the §5.3
+  stabilization gate (zero plaintext-auth records fleet-wide) is measurable
+  with `grep '"transport":"plain"' audit.log`. (Note: exec is not yet audited —
+  only forward ops are; wiring exec through auditLog is the gate prerequisite.)
+- `scripts/pin_fleet_keys.sh`: pre-seed `~/.vssh/known_hosts` pins fleet-wide.
+
+Validation: d1 canary `agent_suite` 10/10 ×3 (old-client / new-plaintext /
+new-TLS); fleet `agent_suite` 38/38 GREEN over the new TLS client across
+`d1 g1 c1 v1 macmini` (linux + darwin); `handshake-test --tls` AUTH_OK against
+both a 0.7.26 (d1) and a 0.7.25 (c1) daemon; rolled out to 14 online nodes
+(`deploy_fleet.sh`), `n1 s1 s2` offline/skipped. m1 coordinator binary was on 0.7.25 during rollout, then upgraded to 0.7.26 the
+same day via the safe bootout/bootstrap procedure (internal release note).
+
+## [v0.7.25] - 2026-06-13
+
+### Security (P0 step 1): VTLS1 — the native protocol now runs inside TLS 1.3
+
+Implements step 1 of `docs/SECURITY_TRANSPORT_MIGRATION.md` §5.
+
+- **Daemon accepts TLS 1.3 on the same port.** A first-byte sniff (TLS record
+  `0x16` vs the ASCII auth line) routes the connection through Go stdlib
+  `tls.Server`; the unchanged line protocol (VAUTH1 → verbs → FMUX) runs
+  inside the channel. Identity = the existing Ed25519 `~/.vssh/vssh_id`
+  wrapped in an in-memory self-signed cert; trust = **raw-pubkey pinning**,
+  not PKI (new `internal/server/tlsident.go`). TLS 1.3 only, session tickets
+  off, ALPN `vssh/1`. If a TLS client presents a client cert, its key must
+  match the in-band VAUTH1 key (no cross-layer identity confusion).
+- **`VSSH_REQUIRE_TLS=1` daemon kill-switch** (mirror of REQUIRE_VAUTH):
+  plaintext connections are refused outright. Default OFF until the fleet
+  stabilization window passes (flip planned for 0.7.27).
+- **Client legacy shared-HMAC fallback removed (design finding F3).**
+  `dialAuth` no longer retries with the replayable HMAC token when VAUTH1 is
+  refused — with the fleet 100% strict, the only remaining "caller" of that
+  path was an attacker harvesting tokens by rejecting VAUTH1. VAUTH1 is now
+  the only client auth method; the `secret` parameter is dead.
+- **Opt-in client TLS: `VSSH_PREFER_TLS=1`** wraps the dial in TLS 1.3 with
+  the daemon key pinned via new `~/.vssh/known_hosts` (`<host> <pubB64>`,
+  TOFU on first contact, hard fail on mismatch). Foreign-format lines in the
+  file (e.g. OpenSSH-style entries from other tools) are ignored, not
+  misread. Becomes the default in 0.7.26 per the migration plan.
+- **`vssh handshake-test --tls <host>`** proves the full VTLS1 path and
+  reports ALPN, server key, and pin status in the JSON result.
+- Verified: isolated daemon matrix 11/11 (plaintext, TLS TOFU, pinned
+  reconnect, PREFER_TLS exec, plaintext exec, 0.7.24-CLI compat, REQUIRE_TLS
+  refusing plaintext + accepting TLS, poisoned-pin rejection); d1 canary
+  handshake-test --tls AUTH_OK + `(fmux)`-era agent_suite 10/10 × {0.7.24
+  client, 0.7.25 plaintext, 0.7.25 PREFER_TLS}; new-client → 0.7.24-daemon
+  (v1) compat OK; fleet rollout via deploy_fleet (d1 canary first).
+- Known limitation: known_hosts pins are keyed by the resolved address the
+  dialer used (IP), not the friendly node name — acceptable for 0.7.25,
+  consolidating pins by node name lands with `vssh enroll` (P1a).
+
+## [v0.7.24] - 2026-06-13
+
+### Phase B: reverse forwarding (`-R`) over FMUX — full -L/-R/-D parity on one session
+
+- **`-R` now rides the shared FMUX session.** The client opens a control stream
+  (`RFWD <bind> <port>`); the daemon listens and pushes every accepted
+  connection back as a daemon-initiated `RCONN` stream. Gone: the
+  per-connection authenticated RDATA dial, the id pairing table, and the 15s
+  unclaimed-accept reaper. The listener lives exactly as long as the control
+  stream; if the session breaks the client re-establishes it automatically
+  (2s backoff). Bind refusals are fatal (no retry loop on a taken port).
+- **Compat fallbacks verified:** a 0.7.23 daemon (FMUX without RFWD streams)
+  answers bad_request → client falls back to the legacy RFWD/RDATA path
+  (real payload verified against pre-upgrade d1); pre-FMUX daemons use the
+  same legacy path via the existing FMUX-unsupported detection.
+- Audited as `RFWD <bind>:<port> (fmux)` with key attribution; chain intact.
+- Verified: isolated strict daemon (-R x2 reverse fetches over one session),
+  0.7.23-d1 legacy fallback, 0.7.24-d1 canary -R x2 with `(fmux)` audit +
+  chain verified:true, agent_suite 10/10, fleet 14/14 = 0.7.24, m1 CLI +
+  daemon binaries updated (codesigned).
+- All three tunnel modes (-L/-R/-D incl. SOCKS UDP) now share one
+  authenticated FMUX session per daemon.
+
+## [v0.7.23] - 2026-06-13
+
+### Phase B: tunnels over one authenticated session (FMUX) + SOCKS5 UDP
+
+- **`FMUX` verb — many tunnels, one VAUTH1 handshake.** After auth the client
+  sends `FMUX`; the connection becomes a hashicorp/yamux session and every
+  tunneled connection is a stream opened with a one-line header. `-L` and `-D`
+  now share a single authenticated session (lazily created, transparently
+  re-dialed if it breaks) instead of paying one VAUTH1 round trip per tunneled
+  connection. Old daemons reply `unsupported_method`, and the client falls back
+  to the per-connection FWD path automatically (verified against a 0.7.22 d1).
+  Gated by the `forward` capability; every stream audited (`FWD h:p (fmux)`)
+  against the control connection's key identity.
+- **SOCKS5 UDP ASSOCIATE (`-D` is now TCP+UDP).** A `UDP` FMUX stream relays
+  length-prefixed datagram frames (SOCKS5-style ATYP/ADDR/PORT + payload) to a
+  daemon-side UDP socket, so UDP egresses from the node like CONNECT does.
+  Datagram fragmentation is not supported (FRAG must be 0); the association
+  lives exactly as long as the SOCKS TCP control connection. Audited as
+  `UDPA (fmux)`.
+- `halfPipe` now half-closes via a `CloseWrite() error` interface (TCP conns
+  and yamux streams alike). New dependency: github.com/hashicorp/yamux v0.1.2.
+- Verified: isolated strict daemon — two -L fetches over ONE control connection
+  (same remote port in both audit records), SOCKS CONNECT, and a full SOCKS5
+  UDP ASSOCIATE echo round trip; m1→d1 canary -L x2 over one FMUX session with
+  chained `(fmux)` audit records attributed to m1-controller; agent_suite
+  10/10; fleet 14/14 = 0.7.23; m1 CLI + daemon binary updated (codesigned).
+- Not yet over FMUX: `-R` (reverse) still uses the RFWD/RDATA per-accept path.
+
+## [v0.7.22] - 2026-06-13
+
+### Security (daemon — audit attribution + legacy auth client removed)
+
+- **Audit records now carry the authenticated identity.** After a successful
+  handshake the daemon registers the connection's identity (VAUTH1 pubkey +
+  its authorized_keys comment via new `KeyName()`, or `legacy-hmac`) and every
+  audit record gains `key` / `key_name` fields — the audit trail attributes
+  each command to a key, not just a source IP. This closes the gap found while
+  designing the caps policy (records previously had only `remote`).
+  Chain format is unchanged; `audit-verify` passes over mixed old+new logs.
+- **Dead legacy client removed.** `ExecCommand` (plain shared-HMAC EXEC, the
+  last pre-dialAuth client helper) had zero callers — deleted. Every remaining
+  client path authenticates through `dialAuth()` (VAUTH1 preferred).
+- Verified: local isolated strict daemon (record carries key+key_name,
+  audit-verify true), d1 canary (key_name attribution live in
+  /var/log/vssh/audit.log, chain verified:true, agent_suite 10/10), fleet
+  deploy 14/14 = 0.7.22.
+- Note: macmini has a stray ancient `/usr/local/bin/vssh` (0.1.0) — the daemon
+  uses `~/.local/bin/vssh`; clean up the stray someday.
+
+### Ops (2026-06-13) — per-key caps policy live fleet-wide (least privilege)
+
+- **Audit-driven policy.** Aggregated every node's hash-chained audit log by
+  client IP x verb: the only real users are m1 (EXEC everywhere + FWD) and each
+  node's own key over loopback (EXEC only, daily conformance). Zero node-to-node
+  usage, so node keys lost everything except exec.
+- **Policy applied to authorized_keys on all 15 hosts** (14 nodes /etc/vssh or
+  ~odt/.vssh + m1's own ~/.vssh): `m1-controller` stays unrestricted, all 14
+  node keys now carry `caps=exec`. Backups `authorized_keys.bak.caps.*`. No
+  daemon restart needed (file is read per handshake).
+- Verified: d1 canary then fleet — node self-key loopback exec OK, put/rpc
+  refused with typed `capability_denied` (required_capability file/rpc, nothing
+  written); m1 key full agent_suite 10/10 on d1 and real put/get round trip to
+  v1; 14/14 vssh_exec green; d1 audit chain still verified:true.
+- Gotcha fixed: m1's own authorized_keys names its key `m1` (not
+  `m1-controller`), so the first pass restricted the controller key on m1
+  itself - reverted that one line to unrestricted.
+- **Audit gap found:** audit records carry no key identity (only remote IP), so
+  per-key attribution leaned on IPs. Follow-up: include the authenticated
+  pubkey/comment in each audit record.
+
+### Ops (2026-06-13) — legacy-HMAC kill switch fleet-wide
+
+- **`VSSH_REQUIRE_VAUTH=1` enabled on all 14 online nodes** (was d1-only canary):
+  v1-v5, c1, c2, g1-g4, d2 via systemd drop-in
+  `/etc/systemd/system/vsshd.service.d/require_vauth.conf` (mkdir+tee+daemon-reload,
+  restart detached via `systemd-run --on-active=2` so the controlling connection
+  survives); macmini via `EnvironmentVariables.VSSH_REQUIRE_VAUTH` in the
+  `ai.meshclaw.vsshd` launchd plist (backup `*.plist.bak.require_vauth`).
+- Verified per node before moving on: running-process env shows
+  VSSH_REQUIRE_VAUTH=1 (`/proc/<pid>/environ` / `launchctl print`), vssh_exec
+  (VAUTH1) green, agent_suite 10/10 on v1-v5, c1, c2, g3, g4, d2. g1/g2/macmini
+  asserted via vssh_exec + loopback `handshake-test` AUTH_OK instead (their m1
+  CLI path still resolves through the stale /etc/hosts WIRE block - pre-existing,
+  unrelated to auth).
+- Gotchas hit: exec runs as unprivileged user on most nodes (sudo -n required);
+  macmini `launchctl bootout` killed the detached restart script before
+  bootstrap, daemon restored over ssh from m1 (`launchctl bootstrap`); d2 path
+  showed transient MCP timeouts - apply was split into conf/reload then restart.
+- Offline n1/s1/s2: apply the same drop-in when they return (they are also still
+  on an older binary - deploy first).
+- Rollback per node: delete the drop-in (or plist key) and restart the daemon.
+
+## [v0.7.21] - 2026-06-12
+
+### Phase B: tunneling completed — reverse (`-R`) and dynamic/SOCKS (`-D`)
+
+- **`vssh fwd <host> -D [bind:]<port>` — SOCKS5 dynamic forwarding (ssh -D).**
+  A local SOCKS5 proxy whose every CONNECT is tunneled through the node's daemon
+  via the existing `FWD` verb (client-only; CONNECT with IPv4/IPv6/domain
+  address types). Point a browser or `curl --socks5-hostname` at it to reach
+  anything the node can reach.
+- **`vssh fwd <host> -R [bind:]<rport>:<lhost>:<lport>` — reverse forwarding
+  (ssh -R).** New daemon verbs `RFWD` (control: bind a port on the node, push an
+  `ACCEPT <id>` per incoming connection back over the control connection) and
+  `RDATA` (per-connection data channel the client pulls back and splices to its
+  local target). Listener lifetime is tied to the control connection; unclaimed
+  accepts are reaped after 15s. Both gated by the `forward` capability and
+  audited (`RFWD <bind>:<port>`).
+- Shared proxy helpers (`halfPipe`/`bidiPipe`) with TCP half-close propagation.
+- Verified locally for all three modes (-L/-D/-R) with real HTTP payloads and
+  SOCKS by-IP + by-hostname; on the d1 canary, an `-L` tunnel to d1's own daemon
+  port completed a VAUTH1 handshake end-to-end, FWD/RFWD records are present, and
+  the hash-chained audit log still verifies (177 records). agent_suite 10/10.
+- Remaining Phase B nice-to-haves: carry tunnels over a single MUX connection
+  (today each tunneled connection pays one auth round trip); UDP associate.
+
+
+## [v0.7.20] - 2026-06-12
+
+### Phase B begins: tunneling (daemon + CLI)
+
+- **`FWD` verb + `vssh fwd` — the `ssh -L` replacement.** New
+  `vssh fwd <host> -L [bind:]<lport>:<rhost>:<rport>` listens locally and pipes
+  every accepted connection through the node's daemon to a target the *node*
+  can reach. Each tunneled connection is individually authenticated (VAUTH1
+  preferred, one daemon connection per tunnel — a dead tunnel never wedges the
+  listener), gated by the new `forward` capability, and server-side audited as
+  `FWD <host>:<port>` in the hash chain. Daemon side: `HandleForward`
+  (internal/server/forward.go) dials the target, replies `FWD_OK` or a typed
+  error (`bad_request`/`unreachable`/`capability_denied`), then proxies with
+  half-close propagation (TCP CloseWrite) in both directions.
+- Verified: HTTP round trip through a local tunnel chain; real-world m1:15610 →
+  d1 → d1-localhost:18124 fetch; `caps=exec` key refused with typed
+  `capability_denied`; FWD audit record present and chained on d1.
+- Remaining Phase B: `-R` (reverse) and `-D` (SOCKS) modes, tunnels over MUX
+  (today each tunneled connection pays one auth round trip).
+
+### Ops
+
+- **Kill-switch canary live on d1:** `VSSH_REQUIRE_VAUTH=1` set in d1's unit
+  (`/etc/systemd/system/vsshd.service.d/require_vauth.conf`). CLI paths all
+  green via VAUTH1 (run/put/get/run-batch, agent_suite 10/10); legacy-only
+  clients are refused with typed `auth_failed` — including currently-running
+  pre-0.7.17 vssh MCP server processes, whose `vssh_exec → d1` is auth-blocked
+  until they restart on the 0.7.17+ binary. ssh and CLI control paths are
+  unaffected, so rollback (delete the override, restart) stays available.
+- `deploy_fleet.sh` verify now runs as root on Linux nodes (`verify_newline`
+  prefix arg) so it keeps working on REQUIRE_VAUTH nodes where the plain ssh
+  user's key is not authorized.
+
+
+## [v0.7.19] - 2026-06-12
+
+### Security (daemon — Phase A extension: capability scoping + tamper-evident audit)
+
+- **Capability scoping on authorized_keys.** A key line may now carry a
+  `caps=` tag — `<pubB64> caps=exec,file,rpc,shell [comment]` — and the daemon
+  enforces it per verb: `EXEC/EXEJ`→exec, `PUT/GET/PUTZ/SYNC/RESUME/MPUT/GETM/
+  GETC/PIPE`→file, `RPC`→rpc, `MUX`→exec, interactive PTY→shell. `INFO` stays
+  open to any authenticated key. No tag (or `caps=all`) = unrestricted, so every
+  existing key keeps working. Violations get a typed
+  `{"error_code":"capability_denied","required_capability":...}` reply.
+  Legacy-HMAC connections remain unrestricted (the shared secret already
+  implies full trust; it is on its way out via VSSH_REQUIRE_VAUTH).
+- **Hash-chained audit log.** Every audit record now carries
+  `prev` = SHA-256 of the previous line, so any in-place edit, deletion, or
+  reordering breaks the chain. New CLI `vssh audit-verify [path]` walks the log
+  and reports `{verified, records, chained_records, violations[]}` (exit 1 on
+  violation). Head-trimming (rotation) is tolerated; chain seeds from the last
+  pre-chain line, so mixed old+new logs verify cleanly. Assumes the single-
+  daemon-writer model (true on every node).
+- Verified locally (isolated-HOME server): caps=exec key can run but is denied
+  put/rpc with typed errors while facts/INFO still work; tampering with a
+  middle audit line flips audit-verify to verified:false with a chain-break
+  violation. d1 canary: agent_suite 10/10, live audit chain confirmed.
+
+## [v0.7.18] - 2026-06-12
+
+### Security (daemon — legacy-HMAC kill switch)
+
+- **`VSSH_REQUIRE_VAUTH=1`** (daemon env): rejects the legacy shared-HMAC token
+  so only VAUTH1 per-node keys authenticate. Default off — enable per node once
+  its clients all hold authorized keys. Tested both ways on an isolated pair of
+  local daemons: strict daemon accepts VAUTH1 / rejects legacy with typed
+  `auth_failed`; permissive daemon still accepts the legacy fallback.
+
+### Ops (same day, no daemon change)
+
+- **`scripts/cross_authorize_fleet.sh`** — full-mesh VAUTH1 trust: collects
+  every online node's Ed25519 pubkey (root daemon identity on Linux, user
+  identity on macmini, plus m1) and merges all 15 keys into every node's
+  authorized_keys (idempotent, additive). Verified 14/14: every node completes
+  a loopback VAUTH1 handshake with its own key against its own daemon
+  (node-to-node TCP paths are not universally open in the tailnet, so loopback
+  + controller-to-node is the meaningful proof). This satisfies the
+  precondition for VSSH_REQUIRE_VAUTH=1.
+
+
+## [v0.7.17] - 2026-06-12
+
+### Security (client — Phase A: VAUTH1 becomes the default for every verb)
+
+- **All seven client auth sites now use VAUTH1 first.** `ExecCommandStructuredTimeout`,
+  `SendFile`, `RecvFile`, `CallRPC`, `GetInfo`, `RunMux` (transfer.go) and `Connect`
+  (client.go) authenticate through a new shared `dialAuth()` helper: VAUTH1 Ed25519
+  challenge–response preferred, legacy shared-HMAC token as a fallback on a *fresh*
+  connection when VAUTH1 is rejected/unsupported. Until now only `handshake-test`
+  spoke VAUTH1; every real command now uses per-node keys (no shared secret, no
+  replay) wherever the client key is authorized.
+- Canary proof on d1: run/put/get/rpc/facts/run-batch all succeed with a deliberately
+  **wrong shared secret** (VAUTH1-only path), succeed with an **unauthorized fresh
+  identity + correct secret** (HMAC fallback path), and fail with a typed
+  `auth_failed` when both are wrong. agent_suite 10/10 green.
+- `dialAuth` returns the handshake's buffered reader and all callers now read daemon
+  output from it (closes a buffered-byte-loss window in `GetInfo`/`Connect`).
+- `test/agent_suite.sh`: the auth-failure asserts now force a fresh unauthorized
+  identity (`HOME=$(mktemp -d)`), since a bad secret alone no longer fails by design.
+- Remaining for full Phase A: cross-distribute per-node pubkeys (today only m1's key
+  is in fleet authorized_keys), `VSSH_REQUIRE_VAUTH=1` to disable legacy HMAC,
+  capability scoping. Legacy plain-`EXEC` helper (`ExecCommand`) intentionally left
+  on HMAC until its callers are audited.
+
+
+## [v0.7.16] - 2026-06-12
+
+### Security (daemon — requires redeploy) — Phase A core
+
+- **Per-node Ed25519 identity + challenge–response auth (`VAUTH1`).** The daemon now
+  accepts asymmetric per-node keys: client sends its public key, daemon checks it
+  against `authorized_keys` (`~/.vssh` or `/etc/vssh`), issues a random nonce, and the
+  client must sign it — **no shared secret, no replay** (the legacy `ts:HMAC(secret)`
+  token has a 30s replay window and one key for the whole fleet). Identity auto-creates
+  at `~/.vssh/vssh_id`. New CLI `vssh pubkey` and `vssh handshake-test <host>`.
+- **Dual-auth migration:** the legacy HMAC token is still accepted, so nothing breaks
+  until keys are distributed and the legacy path is turned off. New `identity.go`
+  (`LoadOrCreateIdentity`, `SignChallenge`, `VerifyChallenge`, `IsAuthorizedKey`).
+
+## [v0.7.15] - 2026-06-12
+
+### Runtime (daemon — requires redeploy)
+
+- **Connection multiplexing.** New `MUX` session: authenticate once, then run many
+  commands over a single connection (newline-delimited JSON per result, idle timeout).
+  CLI `vssh run-batch <host>` reads commands from stdin (one per line) and runs them
+  over one connection. Measured: 10 commands in 249ms (~25ms each) vs 671ms for 10
+  separate runs — 2.7x, approaching ssh ControlMaster territory. Foundation for an
+  MCP connection pool (next) and port forwarding. Server-side `HandleMux`, client
+  `RunMux`.
+
+## [v0.7.14] - 2026-06-12
+
+### Performance (daemon — requires redeploy)
+
+- **Command exec ~3.8x faster.** The root daemon ran every command through a login
+  shell (`sudo -u user bash -lc`) which re-sourced the user's whole profile (nvm,
+  cargo, …) — ~350ms per command, measured. Now it runs a non-login `bash -c` and
+  injects the user's login `$PATH`, computed once and cached. `vssh run <node> true`
+  dropped from ~441ms to ~117ms while preserving embedded newlines and full PATH.
+- **GET single-pass.** Download stopped double-reading the file (a separate checksum
+  pass + send pass introduced in 0.7.7); it now streams once while hashing and sends
+  the MD5 as a trailing line. Integrity preserved, GET disk I/O halved.
+
+## [v0.7.13] - 2026-06-12
+
+### Runtime (daemon — requires redeploy)
+
+- Server-side audit log: every command the daemon executes (the `EXEJ` path) is
+  appended as a JSONL record `{ts, remote, command, success, exit_code, duration_ms}`
+  to `/var/log/vssh/audit.log` (root) or `~/.vssh/audit.log` (user). Unconditional and
+  server-side, so a client cannot suppress it — the compliance/audit backbone a plain
+  ssh wrapper can't provide. Best-effort: write failures never affect execution.
+
+## [v0.7.12] - 2026-06-12
+
+### Runtime (daemon — requires redeploy)
+
+- No more silent PTY fallthrough on an unknown verb. When a client sends a
+  protocol-shaped token (two or more leading uppercase ASCII letters) that matches
+  no handler, the daemon now replies with a typed
+  `{"success":false,"error_code":"unsupported_method","proto_version":"1"}` and
+  closes — instead of dropping into an interactive login shell that hangs an agent.
+  Interactive `vssh shell` clients send an ESC window-size sequence first (never an
+  uppercase token), so real shells are unaffected (verified).
+- Introduced `ProtoVersion` ("1"), surfaced in the unsupported-verb reply as the
+  first step toward explicit version negotiation.
+
+## [v0.7.11] - 2026-06-12
+
+### Runtime
+
+- New `vssh run-async <host> <cmd> [--wait <s>]`: runs the command as a daemon job and
+  waits up to `<s>` seconds. If it finishes in time the full result is returned inline
+  (short commands still feel synchronous); otherwise it returns `{promoted:true, job_id,
+  status:"running", poll:...}` for the caller to poll. The command runs **exactly once**
+  (as a job) — this dodges fixed call-timeout ceilings (e.g. an MCP client's ~60s cap)
+  without abandoning or double-running work.
+- `rpc`/`facts`/job/`run-async` now use the reachability-aware resolver too, so they no
+  longer stall on a node whose preferred IP has moved.
+
+## [v0.7.10] - 2026-06-12
+
+### Runtime
+
+- Reachability-aware host resolution for `run` and `deploy-binary`: candidate
+  endpoints (Tailscale → VPN → LAN → Public) are now probed concurrently with a short
+  (1.5s) deadline and the highest-preference *reachable* one is chosen, instead of
+  blindly dialing the preferred IP and stalling for the full timeout when it has moved.
+  Fixes the d2 stall (`vssh run d2` went from a 30s+ hang to ~1s) caused by a stale
+  Tailscale IP whose port was closed. New `Connector.CandidateHosts`.
+
+## [v0.7.9] - 2026-06-12
+
+### Runtime
+
+- New first-class `vssh deploy-binary <local> <host> <remote-path>` verb: atomic +
+  checksum-verified upload (P1.1), privileged atomic install into the target path
+  (ETXTBSY-safe — replaces a running binary), optional `--service` restart
+  (systemd or launchd), and a `--verify` step — the deploy_fleet.sh dance collapsed
+  into one auditable call that returns a structured `{success, phase, verify_output,
+  error_code}` result. `phase` pinpoints where a failure happened (upload/install/verify).
+
+## [v0.7.8] - 2026-06-12
+
+### Runtime
+
+- Structured error codes on the exec result (`error_code` + `retryable`): client-side
+  failures are now machine-branchable instead of free text — `auth_failed` (secret
+  rejected), `unreachable` (refused/no-route), `timeout` (dial/read deadline),
+  `bad_response` (malformed reply), `remote_exit_nonzero` (command ran, exited non-zero).
+- CLI `run` prints the code (`Error [auth_failed]: …`) and the MCP `vssh_exec` error
+  object now propagates the specific code/retryable instead of a generic
+  `native_execution_failed`. Fields are additive (`omitempty`) — fully backward compatible.
+
+## [v0.7.7] - 2026-06-12
+
+### Runtime
+
+- Default `put`/`get` now use the robust transfer path: server stages uploads to a
+  temp file in the destination directory and `rename`s into place — **atomic and
+  ETXTBSY-safe** (a running binary can be replaced without "text file busy").
+- End-to-end **MD5 verification**: server reports the checksum (`OK <bytes> <md5>` on
+  PUT, `SIZE <bytes> <md5>` on GET) and the client verifies it; a mismatch errors
+  instead of silently delivering a corrupt file. Backward compatible — older clients
+  ignore the extra field, newer clients skip verification against older daemons.
+- `get` writes to a temp file and atomically renames on success, so an interrupted
+  download never leaves a half-written file at the target path.
+
+## [v0.7.6] - 2026-06-12
+
+### Runtime
+
+- Honor `timeout_seconds` in native exec (was a hardcoded 30s read deadline);
+  plumb through `ExecCommandStructuredTimeout`.
+- Fix newline stripping: root daemon ran commands via `sudo -u <user> -i <shell> -c`
+  whose login shell deleted embedded `\n`; switched to `sudo -u <user> <shell> -lc`.
+- Honest CLI exit code: `vssh rpc` now exits non-zero on a structured `success:false`
+  (e.g. `unknown method`) instead of exiting 0.
+
+### Ops & docs
+
+- `scripts/deploy_fleet.sh`: idempotent, arch-aware fleet deploy (dir-stage guard,
+  atomic `mv`, ETXTBSY-safe, per-node newline verification).
+- `test/agent_suite.sh`: live agent-contract conformance suite (exits non-zero on
+  regression; suitable for scheduled runs).
+- `docs/AGENT_READINESS_ROADMAP.md`, `docs/GAP_ANALYSIS.md`, `docs/DEV_STATUS_2026-06-12.md`:
+  agent-readiness plan, code audit, and session handoff.
+
+## [v0.7.5] - 2026-05-22
+
+### Runtime
+
+- Add `vssh doctor` / `vssh setup-check` for AI-operator setup diagnostics:
+  effective binary, stale binary conflicts, secret source, Wire config, and peer
+  counts.
+- Add MCP `vssh_doctor` so Codex, Claude, Cursor, and other MCP clients can
+  diagnose VSSH before attempting execution or facts calls.
+- Prefer MCP-safe underscore tool names and deduplicate exposed tools.
+- Read native secrets from `/etc/vssh/secret` and `~/.vssh/secret` before
+  falling back to Wire-derived secrets.
+
+### Python SDK
+
+- Add `VSSH.doctor()` to call `vssh doctor --json`.
+
+## [v0.7.4] - 2026-05-16
+
+### Runtime
+
+- Add `vssh.route.select` / `vssh_route_select` for capability, tag, and health-aware host routing.
+- Add `vssh.exec.routed` / `vssh_exec_routed` to route first, then execute with policy and evidence.
+- Return route decisions with selected host, score, reasons, missing capabilities, health, tags, and candidate host records.
+- Keep monitoring separate: `vssh.hosts.list`, `vssh.route.select`, and `vssh.exec.routed` can optionally merge live health from an external MeshClaw/mpop-style monitor endpoint using `monitor_url` or `monitor_port`.
+
+## [v0.7.3] - 2026-05-16
+
+### Runtime
+
+- Enrich `vssh.hosts.list` output with `addresses`, `tags`, `capabilities`, `health`, `stats`, `os`, `arch`, and metadata fields for agent routing.
+- Extend `~/.vssh/servers.json` support with optional `tags`, `capabilities`, `roles`, `os`, `arch`, `public_ip`, `lan_ip`, `port`, and `metadata`.
+- Infer basic capabilities from tags/roles/OS names, including `gpu`, `cuda`, `ollama`, `browser`, `controller`, `mail`, `docker`, `linux`, and `macos`.
+- Add health summaries based on provider online state, `last_seen`, and resource pressure.
+
+## [v0.7.2] - 2026-05-16
+
+### Runtime
+
+- Add agent-facing MCP tool aliases: `vssh.hosts.list`, `vssh.exec`, `vssh.exec.safe`, and `vssh.policy.check`.
+- Add a built-in safety policy that blocks destructive/service-impacting command patterns unless `allow_dangerous` is explicitly set.
+- Wrap MCP execution responses in evidence envelopes with timestamps, policy decision, target, command, timeout, and structured execution result.
+
+### Documentation
+
+- README / README.ko: link to canonical stack snapshot [`meshpop/wire` **docs/CURRENT_STATE.md**](https://github.com/meshpop/wire/blob/main/docs/CURRENT_STATE.md).
+- Document Codex/Runtime MCP usage in English and Korean.
+
+## [v0.7.1] - 2026-05-16
+
+### Runtime
+
+- Preserve MCP `vssh_exec` shell commands as one script instead of splitting with `strings.Fields`.
+- Return structured execution evidence with stdout, stderr, exit code, duration, attempts, transport, fallback, and typed retryable errors.
+- Fix root-run `vsshd` transfer ownership so PUT/PUTZ/RESUME/MPUT/PIPE_UP outputs are usable by the default non-root runtime user.
+
+## [v0.7.0] - 2026-05-14
+
+### Changed
+
+- Remove `mesh-event` dependency; standalone `go build`.
+- Document `internal/adapter` as **discovery-only**; `VSSHAdapter.Exec` remains unimplemented by design until explicitly specified.
+
+### Fixed
+
+- `go vet` cleanups (IPv6 literals) where applicable.
+
+## Earlier releases
+
+See Git tags and GitHub Releases.