TTP 0.3.0

v0.3.5 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 12d Network Security

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Topics

anonimity cli security cybersecurity-tools devops linux

+11 more

networking nftables privacy privacy-tools proxy python research systemd tor traffic-routing transparent-proxy

Affected surfaces

auth rbac breaking_upgrade

ReleasePort's take

Light signal

editorial:auto 12d

Release v0.3.5 introduces a proactive integrity watchdog, auto‑healing, an emergency killswitch, LAN bypass control, DNS leak mitigation, and default Tor routing for root processes.

Why it matters: These new security‑focused features (watchdog daemon, killswitch, DNS leak prevention, root‑process Tor routing) affect core network and process integrity; operators should evaluate the optional disable flags and opt‑out settings before deployment.

Summary

AI summary

Added proactive integrity watchdog, auto-healing, emergency killswitch, LAN bypass control, DoH/DoT leak mitigation, and selective root routing.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Mitigates DNS leaks by blocking DoT traffic and mapping canary domain to 0.0.0.0 Mitigates DNS leaks by blocking DoT traffic and mapping canary domain to 0.0.0.0 Source: llm_adapter@2026-05-22 Confidence: high	—
Feature
Feature	Medium	Adds Watchdog Daemon & Emergency Killswitch (Proactive Integrity) Adds Watchdog Daemon & Emergency Killswitch (Proactive Integrity) Source: llm_adapter@2026-05-22 Confidence: high	—
Feature	Medium	Adds Proactive Auto-Healing capability Adds Proactive Auto-Healing capability Source: llm_adapter@2026-05-22 Confidence: high	—
Feature	Medium	Adds Hard Network Lockout function `apply_emergency_killswitch()` Adds Hard Network Lockout function `apply_emergency_killswitch()` Source: llm_adapter@2026-05-22 Confidence: high	—
Feature	Medium	Adds LAN Bypass Automatic Control with optional disable flag Adds LAN Bypass Automatic Control with optional disable flag Source: llm_adapter@2026-05-22 Confidence: high	—
Feature	Medium	Routes all root processes through Tor by default with opt‑out flag `--allow-root` Routes all root processes through Tor by default with opt‑out flag `--allow-root` Source: llm_adapter@2026-05-22 Confidence: high	—
Feature	Medium	Adds Watchdog CLI command group `ttp watchdog` with start/stop/status/run and flags in start/restart Adds Watchdog CLI command group `ttp watchdog` with start/stop/status/run and flags in start/restart Source: llm_adapter@2026-05-22 Confidence: high	—

Full changelog

[0.3.5] - 2026-05-22

Added

Watchdog Daemon & Emergency Killswitch (Proactive Integrity): Introduced a background monitoring watchdog service (ttp-watchdog.service) that continuously verifies session integrity (Tor socket connection or systemd service status, nftables 'inet ttp' table and 'filter_out' chain presence, and DNS overlay mount).
Proactive Auto-Healing: Added capability to dynamically attempt single-strike repair (re-applying rules, restarting Tor, or re-mounting DNS resolv.conf) before taking drastic actions.
Hard Network Lockout: Implemented apply_emergency_killswitch() which drops all incoming, outgoing, and forwarding network traffic (except lo) in case of a persistent two-strike integrity failure, sending system-wide alerts via wall and desktop notifications via notify-send.
LAN Bypass Automatic Control: Integrated automatic LAN bypass (--no-lan-bypass to disable) which dynamically injects nftables rules to accept traffic destined for RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and Link-Local (169.254.0.0/16) networks.
DoH/DoT DNS Leak Mitigation: Mitigated DNS leaks by blocking outgoing DoT traffic (tcp dport 853 reject in the firewall) and forcing browser-level DoH to disable by mapping Mozilla's canary domain (use-application-dns.net) to 0.0.0.0 inside torrc via MapAddress.
Selective Root Routing: Enhanced default security by routing all root processes (including sudo commands) through Tor. Added --allow-root to the CLI to explicitly opt-out and allow root processes to bypass Tor.
Watchdog CLI Commands: Added Typer command group ttp watchdog (start, stop, status, run) and optional --watchdog / -w flags in start and restart commands.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track TTP 0.3.0

Get notified when new releases ship.

About TTP 0.3.0

All releases →