Skip to content

Changelog

All notable changes to this project are documented below. This project uses Semantic Versioning and Conventional Commits. This page is generated from the repository CHANGELOG.md.

0.2.0 (2026-06-06)

⚠ BREAKING CHANGES

  • config: restructure schema, env-driven loader, generated env-var reference
  • node-metrics series now carry the scraped node's identity on the tailscale_node label instead of instance (which on Grafana Cloud always held the collector host); update node-metrics dashboards/queries accordingly. The per-device posture log now defaults to on-change; set

Features

  • admin: add status landing page, JSON API endpoint, and opt-in profiling (pprof + Pyroscope) (282a333)
  • admin: authenticate status page + pprof with a shared token (bbfea01)
  • admin: per-collector info tooltip on status page (5bfd025)
  • alerts: add Grafana-managed alert + recording rules (a49dab0)
  • app: derive overall health + enrich collector status rows (e3f86b8)
  • app: redesign admin status page — health, sparklines, API panel, live tables (e7a26d5)
  • app: sample runtime/cardinality trends for status sparklines (b03d4a1)
  • app: start the series.active cardinality reporter, gated by self-obs (a9db840)
  • app: surface per-endpoint API health and window checkpoint state (66359f6)
  • app: tag subsystem loggers with component for per-subsystem filtering (da75818)
  • app: wire dynamic node-metrics discovery from the devices API (3900f89)
  • app: wire node-metrics passthrough filters into nodeMetricsOptions (1c42f81)
  • bounded top-N flow-metric rollups (default) with other + unique counts (d8bcbb8)
  • cardinality cap, stream feature.enabled, posture metric, node-label fix (d3e5494)
  • cardinality: per-entity gauge toggles for devices/users/keys (389352f)
  • collector: track per-collector run history and consecutive failures (4f7e5ca)
  • config: add node_metrics.discovery schema (7b29868)
  • config: document new collectors + cardinality toggles (config + Helm chart) (fb55c8c)
  • config: redact credential fields via a Secret type (987de8f)
  • config: restructure schema, env-driven loader, generated env-var reference (0891d26)
  • config: warn on undefined ${ENV} references at load (d10b3cb)
  • contacts: add tailnet contact verification collector (9ddbc66)
  • devices: add tailnet-lock errors + per-DERP-region rollup (dbbcd19)
  • devices: add tailscale.tags label to per-device gauges (3c8c5d1)
  • devices: expose MDM/posture attributes as queryable metrics (e3eb199)
  • flow-log service-name mapping, independent port toggles, external reverse-DNS (0835122)
  • grafana: add Cardinality & Cost tab (1a93a1e)
  • grafana: add comprehensive v2-schema multi-tab dashboard (generated) (843f1e0)
  • grafana: add DERP-vs-direct connection-path row to Node Metrics tab (0a47685)
  • grafana: add Security & Audit tab (027c9fb)
  • grafana: add tag filter and Devices-by-tag panel to Fleet tab (ce86f71)
  • grafana: dashboard coverage for new collectors (3131e672+) (ec527f6)
  • grafana: surface alloc churn, heap objects, GC next-target in Diagnostics (e4c52f1)
  • helm: expose collectors.devices.attribute_namespaces (1dfa89e)
  • logstream: add log-stream delivery-health collector (a0b259b)
  • nodemetrics: add metric_allow/metric_deny/drop_labels passthrough filters (603790c)
  • nodemetrics: emit discovery-health gauges (cbb4831)
  • nodemetrics: support dynamic target discovery (1b86831)
  • posture: add device-posture integration sync-health collector (3131e67)
  • rdns: observability, purge control, and larger defaults for the PTR cache (a8b8867)
  • ringbuf: add generic thread-safe bounded ring buffer (14c01c7)
  • selfobs: add runtime, dedup, and component-error self-observability metrics (b0fa95f)
  • services: add Tailscale Services (VIP) collector (30900f4)
  • settings: surface httpsEnabled, aclsExternallyManaged & external-tailnets role (667e4e7)
  • telemetry: add tailscale2otel.series.active cardinality self-metric (918ca76)
  • tsapi: add equal-jitter to retry backoff (62f73ca)
  • tsapi: decode per-device tags from /devices?fields=all (6e7906a)
  • tsapi: honor HTTP-date form of Retry-After (8e0ce6e)
  • tsapi: per-attempt timeout so long Retry-After is honored (85c3584)
  • tsapi: rate-limit retries, not just first attempt (87107a1)
  • tsapi: status-aware retry logging (429 INFO, 5xx DEBUG, 401 ERROR) (65403c8)
  • tsapi: widen request hook to RequestInfo (latency + error) (4d89430)
  • webhooks: add webhook-endpoint inventory collector (8931eb9)

Bug Fixes

  • app: don't log receiver clean shutdown as ERROR (0db54c8)
  • ci: authenticate cosign to ghcr.io before signing the chart (c363142)
  • ci: bump Go to 1.26.4 to clear govulncheck stdlib findings (5345bce)
  • ci: bump tool modules to go 1.26.4 to match root module (50cb7db)
  • ci: clear govulncheck stdlib findings + fix broken action versions (62ace00)
  • ci: cosign snapshot image digest (#12) (5bf2fa0)
  • ci: make snapshot chart prerelease version valid SemVer (ba12049)
  • ci: pin cosign installer action (#10) (8ae03eb)
  • ci: pin cosign-installer to @v3 (no moving v4 tag exists) (37c9f7f)
  • ci: pin cosign-installer to @v4.1.2 (required for cosign v3+) (0bf6156)
  • ci: rename helm-values-schema-json input -> values (0a0b900)
  • ci: use correct losisin/helm-docs-github-action@v2 repo (2680758)
  • collector: run first collector tick promptly at startup (2c72ee3)
  • config: scope the undefined-${ENV} advisory to active config values (d6809f8)
  • deps: update github.com/tailscale/hujson digest to ecc657c (d9843a0)
  • docker: copy per-platform binary in dockers_v2 multi-arch build (f780ca5)
  • docs: redact live tailnet recon details from tracked files (5ded0e6)
  • flowlog: bound rollup accumulator memory between flushes (629b111)
  • grafana: correct policy/config, network & diagnostics panels (4bfd717)
  • grafana: show 0 not "No data" for empty audit-count stats (a0c26a2)
  • grafana: stabilize panels across redeploys (strip service_version) (2224bce)
  • guard main snapshot publishing (44ee52e)
  • helm: disable ServiceAccount token automount by default (289a0fd)
  • nodemetrics: bound discovered scrape work (2770030)
  • nodemetrics: unique short MagicDNS instance labels + collision guard (f578e54)
  • reserve node metrics identity label (#16) (d439c38)
  • restrict main snapshot publishing to main ref (1e58858)
  • security: harden receivers, scraper, TLS, and Helm from security review (b743858)
  • selfobs: guard cardinality reporter against non-positive interval to prevent panic (cf1d7f4)
  • stream: cap zstd decoder back-reference window at the body limit (bfde16b)
  • telemetry: drop OTLP→Prometheus colliding labels and log export errors (874cf1b)
  • telemetry: stop emitting redundant service.version on build_info (d82d71d)
  • webhook: bound request bodies pre-auth and add server timeouts (92348f4)
  • webhook: stop user cross-dedup over-suppressing distinct changes (D11) (75a2c98)
  • webhook: wire replay-protection tolerance from config (default 5m) (7ce9cf6)

Performance

  • telemetry: disable unused metric exemplars, add GC tuning knobs (5e6fce3)

Refactoring

  • config: remove dead oauth token_url field (d21f11c)
  • config: remove legacy cardinality.flow_include_ports toggle (6bc1a56)
  • tsapi: use min() in computeBackoff (3e58f5f)

Miscellaneous

  • release: make 0.2.0 the first complete release (ec62fb1)
  • release: set initial release version to 0.1.0 (8f1a18e)