Changelog

Every shipped commit, in human English.

We ship every Tuesday and Thursday. Patch releases land whenever. Subscribe to the RSS feed or follow @tgate/changelog.

  1. Replay buffer for unstable links

    Edge agents now hold up to 5 minutes of outbound traffic when the upstream tunnel drops. Configurable via policy.

    • + Added: policy.replay { window = 300s }
    • + Added: Per-device replay metrics in dashboard
    • × Fixed: Edge agents on Alpine 3.19 panicked on resume from sleep
    • × Fixed: macOS daemon failed to renew tokens on Wi-Fi switch
  2. Edge cache invalidation fixes

    Three reported issues with stale cache after policy reload, all resolved.

    • × Fixed: Cache key collision when two policies overlapped on path
    • × Fixed: Stripe webhook deduplication window off-by-one
    • × Fixed: TLS cert renewal raced with policy reload (low risk)
  3. Policy-as-code v2

    Brand-new policy DSL with type checking, autocomplete, and a CLI dry-run mode. Old policies keep working.

    • + Added: Type checker: tgate policy check ./policy.tg
    • + Added: Imports: import "./shared/auth.tg"
    • + Added: Dry run with traffic replay: tgate policy run --replay 1h
    • ~ Changed: policy.allow renamed to policy.permit (alias kept)
  4. CVE-2026-3104 patched

    Privilege escalation in self-hosted control plane (tgate-control v3.4.0–v3.5.1). Cloud users unaffected.

    • × Fixed: Audit log entry tampering via crafted JWT (severity: high)
    • + Added: Audit log integrity now signed per-entry with workspace key
  5. SCIM 2.0 + 4 new edge regions

    Provision users from Okta, Azure AD, Google Workspace. New PoPs in São Paulo, Cape Town, Mumbai, and Jakarta.

    • + Added: SCIM 2.0 endpoint at /scim/v2/
    • + Added: Edge: sa-gru-01, af-cpt-01, ap-bom-02, ap-jkt-01
    • + Added: Per-region health to status page
  6. Dashboard performance

    Tunnel list loads 4.2× faster on accounts with >500 tunnels.

    • ~ Changed: Tunnel list now paginates server-side
    • × Fixed: Audit log search hit timeout on large date ranges
  7. Wildcard domain support

    Bind *.acme.dev to a tunnel. Each subdomain gets its own TLS cert, lazily provisioned.

    • + Added: Wildcard host matching in policy
    • + Added: Lazy TLS issuance (first request triggers cert)
    • + Added: Per-subdomain analytics
  8. Realtime live tail

    Stream every request through your tunnels in the dashboard, with filters for status, method, and policy match.

    • + Added: Live tail tab on every tunnel
    • + Added: Saved filters and shareable links
