New features

• Added Kerberos ticket management (--kerberos) for Linux and macOS — Px
  acquires and renews Kerberos tickets automatically using kinit with the
  configured --username and password from PX_PASSWORD or keyring. No keytab
  file is created. Addresses #252 and #258.

Bug fixes

• Fixed auth failure recovery when a Kerberos ticket becomes available after Px
  startup — clearing MCURL.failed allows previously-blocked proxies to be
  retried (#258).
• Fixed --verbose output not appearing in non-TTY environments (e.g. Docker
  with workers=1) due to Python block-buffering stdout.

Docker

• Added BUILDER build arg and local builder stage to Dockerfile to support
  both CI (pre-built wheel) and local (source tree) builds.
• The full Docker image now requires --cap-add IPC_LOCK — gnome-keyring 48+
  (Alpine 3.23+) links libcap-ng which aborts without the IPC_LOCK capability.

Improvements

• Replaced synchronous http.server + threading with asyncio + h11.
  CONNECT tunnels now use zero-thread bidirectional relays: TunnelRelay
  (FD watchers via add_reader/add_writer) on Linux, and
  _async_tunnel_relay (asyncio StreamReader/StreamWriter for the
  client side, IOCP-backed sock_recv/sock_sendall for the upstream
  libcurl socket) on Windows. Thread count stays bounded at the thread
  pool size regardless of active tunnel count.
• Changed --workers default from 2 to 1 — the async event loop handles
  concurrency without multiple processes.
• Reduced per-request overhead: double-checked locking in reload_proxy(),
  cached get_curl_features() and noproxy_hosts, shallow copy for proxy
  server lists, tuples for hot-path membership checks.
• Optimized --verbose logging: skipped file I/O overhead and
  process/thread name lookup when --workers=1. Log output is more
  compact (timestamp + call tree + message) while retaining diagnostic value.
• Added Winget package support — Px can now be installed on Windows via
  winget install genotrance.px. Manifests are submitted automatically on
  release via vedantmgoyal9/winget-releaser. Addresses #115, PR #264.
• Documented WinSW service account and environment variable options for
  running Px as a Windows service with SSPI or explicit credentials (#259).

Internal

• Added h11 runtime dependency, psutil dev dependency.
• Wired --threads to asyncio default executor pool size.
• Dynamic xdist worker count (-n auto) — auto-scales to hardware via a
  platform-aware pytest_xdist_auto_num_workers hook in conftest.py.
• Switched test fixtures and helpers from --debug (file logging) to
  --verbose (stdout logging), reducing test suite runtime by ~58%.
• Added concurrency benchmark tests (make benchmark) covering HTTP
  throughput, CONNECT tunnel throughput, thread pool saturation, active data
  exchange, thread count bounds, and memory bounds. Benchmarks now test up to
  1 000–1 024 concurrent connections with sliding success thresholds for
  barrier-synchronised active tunnel tests.
• Added large data transfer reliability tests (make test-large-data) with
  SHA-256 integrity verification for concurrent multi-MB GET/POST over HTTP
  and HTTPS. CI jobs run these on both Linux and Windows.

Bug fixes

• Fixed #248 — check install cmd if modified.
• Fixed #255 — handle Python v3.13 runtime context on startup.
• Fixed set_client_auth() mutating the global AUTH_SUPPORTED list when
  called with ANY or ANYSAFE — now copies the list.
• Fixed cfg_int_init()/cfg_float_init() passing invalid string values to
  callbacks when config values fail to parse — now falls back to default.
• Fixed send_html() in handler inserting a tuple instead of a string into
  the error page explain field.
• Fixed file_url_to_local_path() returning None for non-Windows file URLs.
• Fixed --hostonly and --quit failing in emulated/virtualized environments
  (QEMU, Docker on ARM) by adding a fallback when psutil.net_if_stats() is
  unavailable (psutil#2693).

Improvements

• Replaced quickjs dependency with quickjs-ng.
• Dropped Python 3.8 and 3.9 support; minimum is now Python 3.10.
• Added Python 3.14 classifier.
• Restructured README.md with basic install/config/usage info and full
  github.com links (for PyPI/Docker Hub display).
• Made docs/configuration.md a complete user-facing reference with all CLI
  flags, environment variables, INI keys, defaults, and auth types.
• Split detailed documentation into user-facing (docs/installation.md,
  docs/usage.md, docs/configuration.md) and developer (docs/architecture.md,
  docs/build.md, docs/testing.md) sections.

Internal

• Modernised project tooling: ruff, mypy, pre-commit, Makefile, docs/ folder.
• CI workflow (ci.yml) now triggers on devel push and PRs only (not
  master). Test matrix expanded to 9 jobs: Ubuntu on Python 3.10–3.14, macOS
  on 3.10 and 3.14, Windows on 3.10 and 3.14.
• Build workflow (build.yml) now triggers on master push and
  workflow_dispatch only. Docker build and push steps merged into the
  release job (separate docker job removed).
• Added Dependabot configuration for monthly pip and GitHub Actions updates.
• tools.py: all sys.exit() calls changed to sys.exit(1) for proper error
  propagation. Docker function updated to accept --push flag and
  --wheels-dir option for CI usage.
• build.sh: added build_local function for end-to-end local build and test
  using Docker containers (musl or glibc). Added auditwheel to pip install in
  build_binary for both musl and glibc. Added error checking (|| return 1)
  to build_local steps.
• Added test-musl and test-glibc Makefile targets for local container
  testing.
• Updated GitHub Actions to Node 24: actions/setup-python v6,
  astral-sh/setup-uv v7, Docker actions v4.
• Fixed build workflow: Linux musl Nuitka builds now use Alpine containers
  (both x86_64 and aarch64) since musllinux containers lack Python dev headers
  needed by Nuitka. Linux glibc builds use Python 3.13 from the manylinux
  container (/opt/python/cp313-cp313/). All Linux container builds install
  uv via curl consistently.
• Fixed test-binary workflow: release archives from the binary job are now
  extracted before testing. The PXBIN environment variable is now properly
  exported to tox so the binary tox environment actually tests the compiled
  Nuitka/embedded binary.
• Resolved ruff violations in px/ package — reduced suppressed rules to
  minimal intentional set.
• Ported HISTORY.txt to docs/changelog.md and removed the original file.
• Expanded docs/architecture.md with State singleton, request handling, spnego
  monkey-patching, PAC evaluation, proxy reload, and error handling details.
• Expanded pytest suite: added test_debug.py, test_wproxy.py, test_pac.py,
  test_network.py; expanded test_config.py with unit tests for utility
  functions and defaults. Deleted legacy test.py.
• Updated tox configuration to run all test files.
• Added ./mcurllib as local wheel index to Makefile install for testing with
  unreleased mcurl versions.
• Cleaned up tools.py: removed obsolete functions (get_curl, pyinstaller,
  scoop, and all GitHub API release management). Remaining targets are
  --wheel, --nuitka, --embed, --deps, --depspkg, and --docker.
• Removed old build.sh and build.ps1 monolithic build scripts — replaced
  by GitHub Actions workflows and the new build.sh function library.
• Added GitHub Actions CI workflow (ci.yml) with quality checks and test
  matrix across Python 3.10–3.14 on ubuntu, macos, and windows.
• Added GitHub Actions build workflow (build.yml) for wheels, Nuitka/embedded
  binaries, multi-distro testing, GitHub release posting, and PyPI publishing.
  Platform matrix covers all targets where both pymcurl and quickjs-ng
  provide wheels.
• Added shared .github/actions/setup-python-env composite action.
• Added build.sh as a shell function library sourced by build.yml. It
  consolidates repeated CI scaffolding (uv installation, Python discovery,
  wheel building, binary building, archive extraction, test execution) into
  reusable functions, keeping build.yml concise.
• Refactored tools.py: made pymcurl import lazy so the script can run
  without it installed (guards in curl() and nuitka()). Added
  make_archive_with_hash() helper to deduplicate archive+hash blocks.
  Added --history flag to print the latest changelog section (used by the
  release job). Made version import resilient with a pyproject.toml
  fallback when px-proxy is not installed as a package.

• Fixed #246 - resolved crash caused by PAC hostname resolution
• Added gui script pxw.exe to run Px in the background on Windows, addressing
  #203, #213 and #235 by providing correct path for px.ini and logs.
• Enhanced px --install to write --config=path into the registry to support
  non-standard locations for px.ini
• Fixed #217 - updated px --install to write pxw into the registry to run
  Px in the background on Windows startup
• Added support to read and write px.ini from the user config directory
• Fixed #218 - improved config load order to cwd, user config or script path
  if file already exists. If --save, the file should be writable, otherwise use
  the user config directory.

• Fixed docker image to work correctly with command line flags, include kerberos
  packages
• Merged PR #233 - force flag to overwrite existing installation of Px in the
  Windows registry
• Merged PR #237 - handle pid reuse and support for pwsh
• Fixed #225, #245 - better handling of PAC file failures and fallback to DIRECT
  mode when they happen
• Replaced quickjs Context with Function as recommended in #206 to avoid thread
  safety issues in PAC handling
• Proxy reload support also for MODE_CONFIG_PAC if loading a PAC URL
• Fixed #208 - try GSS-API authentication on all OS if supported by libcurl

• Replaced ctypes based libcurl backend with pymcurl which uses cffi and includes
  the latest libcurl binaries
• Fixed #219, #224 - pymcurl uses libcurl with schannel on Windows which loads
  certs from the OS
• Fixed #214 - handle case where no headers are received from client
• Fixed issue curl/discussions/15700 where POST was failing in auth=NONE mode for
  NTLM proxies
• Fixed issue in the Px docker container that would not stop unless it was killed

• Fixed issue with libcurl binary on Windows - #212

• Fixed issue with logging not working when set from px.ini - #204
• Fixed issue with environment variables not propagating to all processes in Linux
• Documented how to install binary version of Px on Windows without running in a
  console window - #203
• Fixed issue with quickjs crashing in PAC mode with multiple threads - #198 / #206

• Added support for domains in noproxy - #2
• Expanded noproxy to work in all proxy modes - #177
• Added --test to verify Px configuration
• Windows binary now created with embeddable Python to avoid being flagged
  by virus scanners - #182 #197
• Added support for Python 3.11 and 3.12, removed Python 2.7
• Fixed #183 - keyring import on OSX
• Fixed #187 - removed dependency on keyring_jeepney which is deprecated
• Fixed #188 - removed keyrings.alt and added docs for leveraging third
  party keyring backends
• Added support to load Px flags from environment variables and dotenv files
• Changed loading order of px.ini - from CLI flag first, environment next,
  working directory and finally from the Px directory
• Fixed #200 - print debug messages when --gateway or --hostonly overrides
  listen and allow rules
• Fixed #199 - cache auth mechanism that libcurl discovers and uses with
  upstream proxy - speeds up transactions and avoids POST/PUT rewind issue
• Added support to log to the working directory - #189. Logging destination now
  configurable via CLI, env and px.ini.
• Added --restart to quit Px and start a new instance - #185
• Fixed #184 - PAC proxy list was including blank entries
• Fixed #152 - increased number of default threads from 5 to 32
• Fixed issue leading to connection reuse by client after HTTPS connection was
  closed by server
• Mapped additional libcurl errors to HTTP errors to inform client
• Added support to listen on multiple interfaces - #195
• Added support for --auth=NONE which defers all authentication to the client,
  allowing multiple instances of Px to be chained together to access an upstream
  proxy that is not directly connected
• Fixed issue with getting all interfaces correctly for --hostonly
• Fixed issue with HTTP PUT not working in some scenarios
• Added support for client authentication - support for NEGOTIATE, NTLM, DIGEST
  and BASIC auth with SSPI when available - #117
• Refined --quit to directly communicate with running instances instead of looking
  for process matches - fixed issue on OSX where Px was not quitting in script and
  pip modes

• Support for specifying PAC file encoding - #167
• Fixed #164 - PAC function myIpAddress() was broken
• Fixed #161 - PAC regex search was failing
• Fixed #171 - Verbose output implies --foreground

• Fixed #157 - libcurl wrapper was missing socket definitions for OSX
• Fixed #158 - win32ctypes was not being included in Windows binary
• Fixed #160 - need to convert PAC return values into CURLOPT_PROXY schemes