
Releases: sol1/rustguac

v0.9.1 — Onboarding Wizard, Security Updates

27 Mar 01:11


New

  • Onboarding wizard — New users see a role-scoped welcome tour on first login covering navigation, credential variables, connect vs login, clipboard shortcuts, file transfer, ad-hoc sessions, and admin features. Dismissable with "Don't show again" or replay via Settings > Welcome Tour.
  • Settings menu now shows "⚙ Settings" label instead of just the gear icon.

Security

  • russh 0.57 → 0.58.1 — drops vulnerable libcrux-sha3 dependency (RUSTSEC-2026-0074)
  • aws-lc-sys 0.38 → 0.39 (RUSTSEC-2026-0044, RUSTSEC-2026-0048)
  • rustls-webpki 0.103.9 → 0.103.10 (RUSTSEC-2026-0049)

Fixes

  • systemd EnvironmentFile — Service file now includes EnvironmentFile=-/opt/rustguac/env so Vault and OIDC secrets survive package upgrades. The - prefix silently skips the file if it doesn't exist.

Full Changelog: v0.9.0...v0.9.1

v0.9.0 — RDP Audio, GFX Pipeline, Video Performance

24 Mar 11:32


RDP Audio

RDP audio output now works through rustguac. Audio from the remote session (e.g. YouTube, media players) is streamed to the browser in real-time.

  • Advertises audio/L16 and audio/L8 raw PCM mimetypes in the guacd handshake
  • Browser AudioContext automatically resumed on first user interaction (autoplay policy)
  • For Linux xrdp targets: contrib/setup-xrdp-audio.sh builds and installs the required PulseAudio module from source (not packaged on Debian 13)

Note: RDP audio has ~300-500ms inherent latency. Audio-video sync is approximate.

RDP Video Performance

Per-entry video settings in the address book (RDP entries → Video Performance section):

  • Enable Graphics Pipeline (GFX) — Activates RDPGFX with RemoteFX codec for better video compression
  • Enable Desktop Composition — Enables DWM compositing for smooth video overlays and transparency
  • Force Lossless — PNG-only encoding for text-heavy workloads

WebSocket proxy buffer increased from 8 KB to 64 KB, reducing fragmentation for large image instructions.

Server Tuning Scripts

Helper scripts in contrib/ for configuring RDP targets:

| Script | Platform | What it does |
| --- | --- | --- |
| setup-rdp-performance.ps1 | Windows Server 2022+ | AVC444, 60fps, DWM, RemoteFX, audio. Use -EnableGPU for hardware encoding. |
| setup-xrdp-gfx.sh | Debian 13 (xrdp) | Xorg backend, GFX pipeline, H.264 via x264, 60fps |
| setup-xrdp-audio.sh | Debian 13 (xrdp) | Builds and installs pulseaudio-module-xrdp from source |

Documentation

New RDP Video Performance guide in the built-in docs covering:

  • Address book video settings
  • Windows server tuning (AVC444, 60fps, GPU encoding, verification via Event Viewer)
  • Linux xrdp tuning (Xorg backend, gfx.toml, H.264, NVIDIA NVENC)
  • Audio setup (PulseAudio module build)
  • Network bandwidth estimates

Full Changelog: v0.8.5...v0.9.0

v0.8.5 — Reports, Session History, Enriched Recordings

22 Mar 11:17


New Features

Reports Page (poweruser+ only)

  • Summary dashboard — Total sessions, total hours, unique users, active now
  • Session history table — Sortable, filterable, paginated. Columns: User, Entry, Folder, Type, Hostname, Started, Duration, Status
  • Top Connections leaderboard — Most-used entries by session count and total hours
  • Top Users leaderboard — Most active users by session count and total hours
  • CSV export — Download filtered session history as CSV via the UI or API (GET /api/reports/sessions/csv)

Session History

  • All sessions are now persisted to SQLite with full metadata (user, entry, folder, hostname, duration, recording file, status)
  • Configurable retention: session_history_retention_days = 90 (default). Set to 0 to keep forever. Cleaned up hourly.
  • Automatic migration — the session_history table is created on first startup, no manual steps needed

Enriched Recordings

  • Recording .meta sidecar files now include user, folder, entry display name, and session type
  • Recordings API returns enriched metadata
  • Recordings page shows User, Entry, Folder columns (addresses #67)

Onboarding Wizard

  • New users see a role-scoped welcome tour on first login
  • Covers navigation, credential variables, connect vs login, clipboard, file transfer, admin features
  • Dismissable with "Don't show again" or re-trigger via Settings → Welcome Tour
  • Settings menu now shows "⚙ Settings" label instead of just the icon

API Endpoints

| Endpoint | Description |
| --- | --- |
| GET /api/reports/summary | Dashboard statistics |
| GET /api/reports/sessions | Paginated session history with filters |
| GET /api/reports/sessions/csv | CSV export with filters |
| GET /api/reports/top-connections | Most-used connections |
| GET /api/reports/top-users | Most active users |

All report endpoints require poweruser or admin role.

Configuration

# Session history retention in days (default: 90, 0 = keep forever)
session_history_retention_days = 90

Bug Fixes

  • Fixed stale credential variable test (hyphen support from v0.8.0)

Full Changelog: v0.8.1...v0.8.5

v0.8.1 — Security Fixes, Dependency Updates

21 Mar 07:34


Security Fixes

  • aws-lc-sys 0.38.0 → 0.39.0
  • rustls-webpki 0.103.9 → 0.103.10

Dependency Updates

  • rusqlite 0.38.0 → 0.39.0 (bundled SQLite 3.51.3)
  • russh 0.57.1 → 0.58.0 (21% SSH throughput improvement)
  • clap 4.5.60 → 4.6.0
  • toml 1.0.4 → 1.0.7
  • tracing-subscriber 0.3.22 → 0.3.23
  • libc 0.2.182 → 0.2.183

New

  • Onboarding wizard — New users see a role-scoped welcome tour after first login covering navigation, credential variables, clipboard shortcuts, and key features. Dismissable with "Don't show again"; replay via Settings → Welcome Tour.
  • Settings label — The gear icon now reads "⚙ Settings" for better discoverability.
  • Clipboard diagnostic logging — WebSocket proxy logs clipboard instructions in both directions for troubleshooting.

Full Changelog: v0.8.0...v0.8.1

What's Changed

  • deps: bump toml from 1.0.4+spec-1.1.0 to 1.0.7+spec-1.1.0 by @dependabot[bot] in #76
  • deps: bump tracing-subscriber from 0.3.22 to 0.3.23 by @dependabot[bot] in #75
  • deps: bump libc from 0.2.182 to 0.2.183 by @dependabot[bot] in #70
  • deps: bump russh from 0.57.1 to 0.58.0 by @dependabot[bot] in #74
  • deps: bump clap from 4.5.60 to 4.6.0 by @dependabot[bot] in #68
  • deps: bump rusqlite from 0.38.0 to 0.39.0 by @dependabot[bot] in #77


v0.8.0 — Credential Variables, Seamless Clipboard, Bug Fixes

13 Mar 04:02


New Features

  • Credential variables — Address book entries can use $domain_username / $domain_password placeholders that are resolved per-user at session launch. Users set their credentials via the "My Credentials" dialog in the address book. Credentials are stored in Vault KV v2 under per-user paths. Supports hyphenated domain names (e.g. $sol1-cloud_password). See the built-in docs page for full documentation.
  • Seamless clipboard paste — Ctrl+V now syncs the browser clipboard to the remote session automatically. Firefox shows a one-time permission popup; Chrome works immediately. Clipboard also auto-syncs when the tab regains focus. The Ctrl+Alt+Shift clipboard panel remains available as a fallback.
  • Drive config warning — Address book UI warns when drive redirection is enabled on an entry but the server has no [drive] section configured.
  • Credential variable docs — New section in the built-in documentation covering variable naming, My Credentials dialog, Vault storage, and API endpoints.
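
The placeholder resolution described in the credential variables item above, as an added example (not rustguac's own code). The `Cred` struct, the `resolve` function, the assumed name grammar (ASCII letters, digits, `-`, `_`) and the fail-closed handling of unset variables are assumptions for illustration; the sample credentials are constructed.

```rust
use std::collections::HashMap;

/// One user's stored credential for a domain (hypothetical shape for this example).
pub struct Cred { pub username: String, pub password: String }

// Assumed grammar for variable names: ASCII letters, digits, '-' and '_'.
fn is_name_char(c: char) -> bool { c.is_ascii_alphanumeric() || c == '-' || c == '_' }

/// Substitute `$<domain>_username` / `$<domain>_password` in one entry field.
/// Fails closed: a variable with no stored credential is an error, so the
/// literal placeholder is never sent to the target as a username or password.
pub fn resolve(field: &str, creds: &HashMap<&str, Cred>) -> Result<String, String> {
    let mut out = String::new();
    let mut rest = field;
    while let Some(pos) = rest.find('$') {
        out.push_str(&rest[..pos]);
        let tail = &rest[pos + 1..];
        let end = tail.find(|c: char| !is_name_char(c)).unwrap_or(tail.len());
        let name = &tail[..end];
        // Split on the final suffix so hyphens and underscores stay in the domain.
        let (domain, want_user) = match (name.strip_suffix("_username"), name.strip_suffix("_password")) {
            (Some(d), _) if !d.is_empty() => (d, true),
            (_, Some(d)) if !d.is_empty() => (d, false),
            _ => { out.push('$'); rest = tail; continue; } // not a variable: keep '$' literal
        };
        let cred = creds.get(domain).ok_or_else(|| format!("no credentials set for domain '{domain}'"))?;
        out.push_str(if want_user { cred.username.as_str() } else { cred.password.as_str() });
        rest = &tail[end..];
    }
    out.push_str(rest);
    Ok(out)
}

fn main() {
    // Constructed sample data; real values would come from the user's Vault KV v2 path.
    let mut creds = HashMap::new();
    creds.insert("sol1-cloud", Cred { username: "alice".into(), password: "s3cret".into() });
    println!("{:?}", resolve("$sol1-cloud_username", &creds));
    println!("{:?}", resolve("$other_password", &creds));
}
```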

Fixes

  • Rate limiting opt-in (#62) — Rate limiting is now off by default (rate_limit = true to enable). The previous default caused issues for users behind shared proxies where all requests shared a single rate-limit bucket.
  • Docker drive mapping (#64) — FreeRDP plugins (libguac-common-svc-client.so) are now copied from the builder to the runtime stage so drive redirection works in Docker.
  • Chromium sandbox in Docker (#61) — chromium-sandbox package added to Dockerfile and install.sh, fixing web sessions that broke after switching to the non-root rustguac user.
  • Logo flash on navigation (#65) — initTheme() no longer re-sets img.src when server-side branding has already applied the correct logo, eliminating the flash on page transitions.
  • Sessions page stale buttons (#63) — Open/Share buttons are now hidden for non-active sessions.
  • Password visibility toggle — Address book password fields now have a show/hide toggle button.
  • My Credentials ordering — Username fields always appear before password fields in the My Credentials dialog.
  • Nav bar spacing — Consistent separator line and spacing between header and navigation across all pages.

Configuration

New config option:

rate_limit = true  # default: false — opt-in to rate limiting

Full Changelog: v0.7.2...v0.8.0

v0.7.2 — Fix theme branding flash, Docker writable paths

12 Mar 11:52


Fixes

  • Theme branding flash (#59) — server-side HTML rewriting replaces the default site title, heading, and logo URL at startup so the first paint already shows configured branding. No more flash-of-default-theme on page load.
  • Docker writable paths (#57) — ensure recording directory and other runtime paths are writable by the non-root rustguac user in Docker containers.

v0.7.1 — Guacamole Import CLI

12 Mar 11:39


What's new

  • Guacamole import CLI — rustguac import-guacamole --file dump.sql parses a Guacamole MySQL dump and imports connections into the Vault address book. Supports --folder, --scope, and --dry-run flags.
  • Migration docs — new docs/migration.md with step-by-step guide for migrating from Apache Guacamole

Fixes

  • Lossy UTF-8 handling for SQL dumps with non-UTF-8 characters
  • Security dependency update: quinn-proto 0.11.13 → 0.11.14 (RUSTSEC-2026-0037)

v0.7.0

11 Mar 13:48



Feature release with UI improvements, Docker fixes, and a critical fix for login script automation.

Features

  • Login script dropdown (#52) — Login script field is now a dropdown populated from the server's scripts directory (GET /api/login-scripts). Filters to .js/.sh/.py files only.

  • Banner field — Optional banner text on address book entries. When set, users see a message and must click "Continue" before the session starts. No longer auto-populates from display_name.

  • Batch address book endpoint (#56) — GET /api/address-book/batch fetches multiple folders in a single request. Rate limits increased for address book operations.

  • Clone address book entries (#56) — Clone button in the address book UI duplicates an entry for quick editing.

  • Automation UI — Web entry form restructured: username, password, login script, and autofill are collapsed under a collapsible "Automation" section. Auto-expands when editing entries with automation configured.

Fixes

  • Fix CDP/login scripts broken by Chromium policy — DeveloperToolsAvailability policy was set to 2 (fully disabled) in v0.6.0 security hardening, which silently blocked --remote-debugging-port and broke all login script automation. Changed to 0 (allowed). Users still cannot access DevTools UI — chrome://* is blocked by URLBlocklist. Fixed in Dockerfile, debian/postinst, and install.sh.

  • Fix web entry edit/clone not working — authHeaders() (undefined) was called instead of apiHeaders() in the login scripts fetch, causing a JS ReferenceError that silently broke the web entry edit/clone modal.

  • Docker: run as non-root user (#50) — Container now runs as the rustguac user instead of root. Fixes permission issues with mounted volumes.

  • Docker: Chromium sandbox in containers (#50) — Automatically adds --no-sandbox when running as root (e.g. Docker without user remapping). Post-spawn liveness check captures Chromium stderr on immediate exit for better diagnostics.

Docs

  • Document [theme] config section: presets, logo_url, colour overrides, branding example (#55)
  • Document Vault KV v2 metadata policy requirement for entry deletes (#54)
  • Clarify TLS config: no boolean toggle, field presence controls behaviour
  • Update security docs: DevTools policy rationale, URLBlocklist as primary control

Full Changelog: v0.6.2...v0.7.0

v0.6.2

10 Mar 22:16



Bug fix release addressing mTLS identity parsing and TLS config coupling reported by users deploying with OpenBao and reverse proxies.

Fixes

  • Fix Vault/OpenBao mTLS identity parsing (#51) — Rewrote the mTLS client to build the rustls ClientConfig directly, bypassing reqwest::Identity::from_pem() which fails with the rustls backend for valid PKCS#8 keys from OpenBao/Vault PKI. Now handles PKCS#8, RSA PKCS#1, and EC private keys, plus fullchain cert files (leaf + issuing CA).

  • Decouple server HTTPS from guacd TLS (#49) — cert_path and key_path in [tls] are now optional. You can configure guacd TLS (guacd_cert_path) without enabling server HTTPS — useful when running behind a TLS-terminating reverse proxy (Traefik, HAProxy, nginx). There is no boolean toggle; the presence of the fields controls behaviour.
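
A pre-flight check for the key and certificate shapes named in the mTLS fix above, as an added example rather than rustguac's own code: it classifies PEM blocks by label only and does not parse DER or build a rustls config. `PemKind`, `scan_pem` and `check_identity` are hypothetical names, and the sample PEM bodies are constructed placeholders.

```rust
// Added example (not rustguac code): classifies PEM blocks by label only, no DER parsing.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum PemKind { Certificate, Pkcs8Key, Pkcs1RsaKey, Sec1EcKey, Other }
fn kind_for_label(label: &str) -> PemKind {
    match label {
        "CERTIFICATE" => PemKind::Certificate,
        "PRIVATE KEY" => PemKind::Pkcs8Key,        // PKCS#8
        "RSA PRIVATE KEY" => PemKind::Pkcs1RsaKey, // PKCS#1
        "EC PRIVATE KEY" => PemKind::Sec1EcKey,    // SEC1
        _ => PemKind::Other,                       // e.g. EC PARAMETERS
    }
}
fn label_of<'a>(line: &'a str, marker: &str) -> Option<&'a str> {
    line.strip_prefix(marker)?.strip_suffix("-----")
}

/// Kind of every BEGIN/END-delimited block, in file order; malformed framing is an error.
pub fn scan_pem(text: &str) -> Result<Vec<PemKind>, String> {
    let (mut kinds, mut open) = (Vec::new(), None::<&str>);
    for line in text.lines().map(str::trim) {
        if let Some(label) = label_of(line, "-----BEGIN ") {
            if open.replace(label).is_some() { return Err(format!("BEGIN {label} inside an open block")); }
        } else if let Some(label) = label_of(line, "-----END ") {
            if open.take() != Some(label) { return Err(format!("END {label} has no matching BEGIN")); }
            kinds.push(kind_for_label(label));
        }
    }
    match open { Some(l) => Err(format!("unterminated {l} block")), None => Ok(kinds) }
}

/// client_cert may be a fullchain (leaf + issuing CA); client_key must hold exactly one key.
pub fn check_identity(cert_pem: &str, key_pem: &str) -> Result<(usize, PemKind), String> {
    let certs = scan_pem(cert_pem)?.iter().filter(|k| **k == PemKind::Certificate).count();
    if certs == 0 { return Err("client_cert has no CERTIFICATE block".into()); }
    let keys: Vec<PemKind> = scan_pem(key_pem)?.into_iter()
        .filter(|k| !matches!(k, PemKind::Certificate | PemKind::Other)).collect();
    match keys.as_slice() {
        [k] => Ok((certs, *k)),
        [] => Err("client_key has no supported private key block".into()),
        _ => Err("client_key has more than one private key block".into()),
    }
}

fn main() {
    // Constructed sample: real PEM labels, placeholder bodies.
    let chain = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n".repeat(2);
    let key = "-----BEGIN EC PRIVATE KEY-----\nBBBB\n-----END EC PRIVATE KEY-----\n";
    println!("{:?}", check_identity(&chain, key));
}
```

Running a check like this before handing the files to the TLS stack turns a swapped or truncated file into a specific error message instead of a generic identity parse failure.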

Tests

  • Added mTLS integration tests: PKCS#8 EC key, fullchain cert (leaf + CA), tls_skip_verify with custom certificate verifier
  • 89 total tests across 9 modules

Dependencies

  • Added webpki-roots as direct dependency (for building custom rustls TLS configs)

Docs

  • Updated TLS configuration docs with examples for all combinations (HTTPS + guacd TLS, HTTP + guacd TLS, HTTPS only)
  • Clarified that field presence controls TLS behaviour — no boolean toggle

Full Changelog: v0.6.1...v0.6.2

v0.6.1

10 Mar 02:39


What's new

Vault / OpenBao mTLS support (fixes #48)

Vault and OpenBao connections now support mutual TLS (client certificates) and custom CA certificates. Three new optional fields in [vault] config:

[vault]
addr = "https://openbao.example.com:8200"
role_id = "..."
ca_cert = "/opt/rustguac/certs/ca.pem"
client_cert = "/opt/rustguac/certs/client.pem"
client_key = "/opt/rustguac/certs/client-key.pem"

| Field | Description |
| --- | --- |
| ca_cert | Custom CA certificate (PEM) for verifying the Vault server |
| client_cert | Client certificate (PEM) for mTLS |
| client_key | Client private key (PEM) — required when client_cert is set |

Test suite (8 → 87 tests)

Comprehensive unit tests added across 9 modules:

  • auth (11): role hierarchy, effective role capping, X-Forwarded-For / trusted proxy
  • vault (13): TLS client builder, config deserialization, name validation
  • session (12): CIDR network allowlist, autofill JSON parsing, placeholder substitution
  • browser (8): Chromium password encryption, Login Data SQLite creation, RangeAllocator
  • config (8): theme preset resolution, overrides, defaults
  • db (7): SHA-256 hashing, key generation, user groups parsing
  • api (6): HTML escaping, recording name path traversal protection
  • import (12): SQL parsing (existing tests, now wired into module tree)
  • protocol (8): wire format encode/decode (existing)

Security

  • Updated quinn-proto 0.11.13 → 0.11.14 (RUSTSEC-2026-0037, high-severity DoS)

Full Changelog: v0.6.0...v0.6.1