Changelog
# Changelog
All notable changes to Transit are documented in this file.
The format is based on Keep a Changelog,
and Transit adheres to Semantic Versioning.
How this file feeds the release pipeline:
- Versions map 1:1 to git tags (
vX.Y.Z) and to the per-version folders
published at <https://downloads.transitai.app>.
- When a
vX.Y.Ztag is pushed,release-prod.ymlruns
scripts/extract-changelog.mjs X.Y.Z to pull the matching ## [X.Y.Z]
section verbatim into the GitHub Release body and the download page's
release notes. A missing or empty section fails the release — so move
items out of [Unreleased] into a dated ## [X.Y.Z] section *before*
tagging. scripts/bump-version.mjs X.Y.Z is the companion that bumps the
version files in lockstep.
[Unreleased]
[2.8.1] - 2026-07-15
Added
- Multi-select + "Launch all" in the sessions sidebar. Select
several connections with Shift-click (range) or Cmd/Ctrl-click
(toggle), then right-click → Launch all (N devices); or
right-click a group folder → Launch all in group to open every
connection under it, subgroups included. Tabs appear as each device
connects, a *Connecting… X of N* banner with a Stop button
tracks progress, and one failed device doesn't stop the rest —
failures roll up into a single summary toast. Connects run
sequentially so first-contact host-key prompts and legacy-crypto
approvals appear one at a time.
[2.8.0] - 2026-07-12
Added
- Transit Classic theme — the previous default color scheme,
preserved unchanged as a selectable theme (Settings → Appearance)
for anyone who prefers the original neutral look.
Changed
- New default look — Transit brand colors. The built-in Transit
Default theme now wears the Transit AI brand palette: ink-black
surfaces with subtly raised panels, teal primary buttons, electric-
blue focus rings, and matching terminal accents (teal cursor, brand
blue/cyan ANSI colors). Applies only to the default theme — if you
picked any other theme it is untouched, and the old default lives on
as Transit Classic. The Max-tier account badge also trades
violet for teal (the brand retired purple).
- Editing an SSH-key auth profile now prefills the private-key file
path, so changing the username or passphrase no longer forces
re-browsing for a key file the profile already points at.
[2.7.0] - 2026-07-10
Added
- Multiple button bars — keep separate named button sets (say, a
VOIP bar and a routers-and-switches bar) and flip between them with
the new up/down arrows on the left of the button bar, or jump
straight to one by clicking the bar's name. Right-click the bar for
New / Rename / Delete bar. Your existing buttons carry over
automatically into a "Default" bar; with a single bar the strip
looks exactly as before.
- Per-chat device scope — a new picker in the AI chat header
(next to the model picker) restricts that chat's AI to the devices
you check, the same way the broadcast bar's target list works.
Scope a chat to the two switches you're debugging and the AI can't
see, read, or propose commands against anything else — enforcement
is in the Rust core, not just the UI, and a device you untick mid-
run is cut off immediately (even if an approval dialog was already
open). Default is unchanged: new chats see all devices. Pairs
nicely with multi-chat tabs — one chat per project, each scoped to
its own gear.
- GPT-5.6 family in the model picker (cloud rollout 2026-07-10):
GPT-5.6 Luna (Easy), GPT-5.6 Terra (Medium), and GPT-5.6 Sol
(Advanced). Sol is included on Pro and Max; on Operator it unlocks with
your own OpenAI key (BYOK), the same way Opus 4.8 does with an Anthropic
key. GPT-5.5 and GPT-5.4 mini retired — existing chats and stale
selections are served transparently by the closest 5.6 successor, and
the picker refreshes automatically.
[2.6.3] - 2026-07-09
Added
- The multi-line paste dialog's editor grew a Find & Replace row for
adapting pasted config templates before they're sent — swap a hostname,
VLAN, or IP across dozens of lines without leaving the confirm step.
Open it with the Find & replace button or Cmd/Ctrl+F while the
dialog is up. Matching is literal (no regex), with a live "2 of 17"
match counter, Match case and Whole word toggles (whole-word
treats / . : - as boundaries, so replacing 0/0/1 doesn't also
hit 0/0/10), Enter / Shift+Enter (or F3 / Shift+F3) to step through
matches, and Replace / Replace all with a one-click Undo.
Escape closes the find row first, the dialog second. The dialog is
wider and the editor no longer soft-wraps long config lines (it scrolls
horizontally instead). The safety property is unchanged: what you paste
is exactly what's sent — edits, replacements and all.
[2.6.2] - 2026-07-07
Added
- Host-key rotation is now handled in-app. When a device's SSH host key
changes since the last connect (re-image, RMA, firmware re-key), Transit
shows a changed-key warning dialog with the pinned and new fingerprints
side by side instead of a dead-end error that pointed at hand-editing
known_hosts.toml. Replacing the pin takes two deliberate steps — tick
"I've verified this key change is legitimate", then the red
Replace & connect — and the pin is rewritten only after the
connection also authenticates, so a failed login never displaces a
good pin. Declining (or any attempt to dismiss the dialog) leaves the
old pin untouched and fails the connect with the familiar mismatch
error. There is intentionally no "remember" shortcut: every key change
gets its own confirmation.
[2.6.1] - 2026-07-07
Added
- Operator tier can now use Claude Opus 4.8 when BYOK is on with an
Anthropic key enrolled — the model runs on your own key, so it's
available without upgrading. The chat model picker shows Opus only
when BYOK is active for Anthropic; a hint points at Settings → BYOK
otherwise. Turning BYOK off (or clearing the key) mid-chat switches
the chat back to Sonnet with a notice, and a cloud rejection now
reads "Opus needs your own Anthropic key" instead of a generic
plan error. Requires the matching cloud release.
[2.6.0] - 2026-07-07
Added
- Free-trial support (dormant until the cloud launch flip):
/menow decodes
the cloud's trial block; a bottom-left banner shows "N days left in your
trial" with an Upgrade Now action, and Settings → Billing gains a trial row +
Upgrade Now. Inert while the cloud's TRIAL_ENABLED flag is off — no UI
change for current users.
Changed
- The bottom-left cards (update prompt, customer notice, trial countdown) now
stack in a single column that packs toward the corner — no more floating
gaps when one of them is dismissed or snoozed.
[2.5.0] - 2026-07-06
Added
- Multiple concurrent AI chat tabs. The chat panel now supports several
chats at once — a tab strip with a + button (also ⌘/Ctrl+T or the
command palette's "New chat"), each tab its own conversation running its own
agent loop. Double-click a tab to rename it; the model picker is per-chat.
Chats keep running in the background — a long agent task in one tab keeps
going while you work in another, or even while the chat panel is collapsed.
- Cross-chat notifications. A chat that isn't the one you're looking at
surfaces a stacking, clickable card (bottom-right) and a tab dot —
amber when it needs command approval, green when its task finishes. Click
the card to jump straight to that chat. Approval always happens in that
chat's own modal (never a stolen pop-up), so two chats needing approval at
once can't collide.
- A setting (on by default) controls whether a completed prompt in an
unfocused tab raises a notification card.
[2.4.0] - 2026-07-06
Added
- Broadcast input bar — send a command to all sessions at once
(SecureCRT-style). Enable it from View → Broadcast Input: a bar appears
at the bottom where a line you type is sent to every open session
simultaneously (press Enter). It targets all live sessions by default, with
a selector to exclude specific ones (e.g. a production box) and a live
"Sending to N of M" device count. A mouse-only Interrupt all (^C) button
sends Ctrl-C to every target — normal Ctrl+C in a terminal still goes only
to that one session. The bar is deliberately loud and red: it's human input
going to many devices at once, so the visible count is your confirmation.
Fixed
- **App content no longer shifts left / clips its first column when the tab
strip scrolls.** After opening enough sessions for the scrollable tab
strip's arrows to show (v2.3.4), the whole workspace could shift a few
pixels left — clipping the first character of the sidebar entries, the tab
labels, and the terminal prompt (e.g. AZ104-SW06-22> showed as
Z104-SW06-22>). Cause: the tab strip's "keep the active tab visible"
logic used scrollIntoView, which scrolls *every* scrollable ancestor;
combined with a stray pixel of horizontal overflow in the shell layout, it
nudged the entire app sideways. The reveal now scrolls only the tab strip
itself, and the layout is hardened so nothing but the tab strip can scroll
horizontally. (Previously the only workaround was toggling the button bar
off and on, which reset the scroll.)
[2.3.5] - 2026-07-05
Changed
- Clearer error when a device sends a malformed SSH handshake. Some
switch firmware builds emit a key-exchange field that isn't valid
ASCII/UTF-8 (which the SSH standard doesn't permit), causing the
handshake to fail before any connection can be negotiated. Transit now
reports this as an actionable message pointing at a device firmware
update, instead of a cryptic low-level "character encoding invalid"
error. There is no in-app workaround — the malformed data arrives before
Transit can act — so a firmware update on the device is the resolution.
[2.3.4] - 2026-07-05
Added
- Close all sessions. A "Close all tabs" item on the tab right-click
menu disconnects every open session and clears the strip in one action,
with a single confirmation summarizing how many are still connected (or
no dialog at all when every tab has already ended). Requested by a user
running dozens of switch sessions at once.
- Scrollable tab strip. When open tabs overflow the window, left/right
chevron buttons appear (MTPuTTY-style) to page through them; the active
tab always scrolls into view, and trackpad/horizontal-wheel scrolling
works too. Previously the strip clipped tabs off the right edge.
- Scrollable button bar. The SecureCRT-style button bar is now a single
horizontally scrollable row with the same chevron affordance, instead of
wrapping into extra rows that ate terminal height.
[2.3.3] - 2026-07-04
Fixed
- **Legacy SSH: group-exchange-only switches connect after the weak-crypto
opt-in.** The legacy (weak-crypto) path now requests Diffie-Hellman
group-exchange bounds a 2048-bit-era server can satisfy (min/preferred
2048; previously russh's default min 3072). BDCOM-based FS.com campus
switches that offer only diffie-hellman-group-exchange-sha1 answered
the old request by disconnecting mid-handshake — the same error as
before the opt-in, so "Connect Anyway" appeared to do nothing. 2048-bit
GEX matches the group14-sha1 strength the legacy list already
accepts; the strict path keeps russh's defaults.
Changed
- Connect errors now carry the device's own disconnect reason. When a
device refuses the SSH handshake with a protocol-level disconnect
message, Transit surfaces that text (sanitized, length-capped) in the
connect error instead of a bare "server disconnected during handshake"
— so the error names the algorithm slot the device couldn't match,
whenever the device says so.
- Honest error when the opt-in isn't enough. The handshake-interrupted
error no longer advises "allow weak crypto when prompted" (it can only
appear after weak crypto was already allowed); it now explains that the
device refused even the legacy algorithm set and points at device SSH
settings/firmware or a firewall/ACL.
[2.3.2] - 2026-07-04
Fixed
- Legacy switches now actually connect after "Connect Anyway." v2.3.0
started showing the weak-crypto prompt for switches that drop the SSH
handshake (Cisco SG300/SG500, FS.com S5500), but the retry still failed with
"handshake … interrupted before algorithm negotiation completed (key exchange
init failed)." The cause was key-exchange preference: the legacy algorithm
list offered Diffie-Hellman group-exchange before the fixed groups,
and these switches answer a group-exchange request with a 1024-bit modulus —
below the 2048-bit floor our SSH library enforces — so the exchange failed (or
the switch dropped the connection) every time. Transit now prefers the
fixed-group group14-sha1/group1-sha1 exchanges (which these switches also
advertise) over group-exchange on the legacy path, so the opt-in completes the
handshake. Weak crypto is still never used without the explicit per-device
prompt, and the strict default handshake is unchanged.
[2.3.1] - 2026-07-03
Fixed
- Windows: "Hide" no longer makes the window disappear with no way back.
The Transit menu carried macOS-only Hide / Hide Others / Show All items on
Windows and Linux, where they have no equivalent — on Windows, "Hide" hid the
window with no Dock, tray, or "Show All" to restore it, so Transit kept
running invisibly and only Task Manager → End task recovered it. Those three
items are now macOS-only; on Windows/Linux the Transit menu is **About +
Exit**, and you minimize/restore the window the normal way. (Thanks to the
customer who reported this on Windows Server 2019.)
[2.3.0] - 2026-07-03
Added
- Export your sessions to CSV. Right-click anywhere in the sessions
sidebar — the empty area, a device, or a group folder — and choose
Export sessions… to save every connection to a CSV. The file uses the
same columns Transit imports (`name,host,port,username,vendor,group,
key_path`), so it round-trips: export from one machine, import on another
(or back up your inventory). As with import, **secrets are never
exported** — the CSV carries only usernames and key-file paths, never a
password or key passphrase.
Fixed
- **Connecting to legacy switches that require older SSH algorithms now
works.** Some older gear — Cisco SG300/SG500 small-business switches,
FS.com S5500 switches — drops the SSH connection during the handshake
instead of negotiating, because it offers only SHA-1 key exchange
(diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1) or
ssh-rsa host keys. Transit used to surface this as a dead-end "Key
exchange init failed" / "Disconnected" error with no way forward. It now
recognizes it as a possible legacy-crypto requirement and shows the same
per-device weak-crypto opt-in prompt used for other legacy devices —
approve it (optionally "remember for this device") and the connection
retries with the legacy algorithm set. Weak crypto is still never enabled
silently, and a genuinely unrelated failure surfaces its real error after
the retry rather than being masked.
- "About Transit" now works on Windows. The App → About Transit menu
item did nothing on Windows (it worked fine on macOS). It now opens the
About page (Settings → About) with the version and license. macOS keeps
its native About panel.
[2.2.7] - 2026-07-02
Added
- Import your MTPuTTY and MobaXterm connections. The Import wizard
(sidebar → Import, or ⌘K → "Import connections…") now reads MTPuTTY
server lists (mtputty.xml) and MobaXterm bookmarks (MobaXterm.ini
or a .mxtsessions export) alongside SecureCRT, OpenSSH ssh_config,
and CSV. Hosts, ports, usernames, folder hierarchy, and key-file paths
come across; SSH sessions import, and anything else (telnet/RDP/VNC/
serial, or MTPuTTY entries whose details live in a PuTTY saved session
in the Windows registry) is listed in the preview as skipped so nothing
disappears silently. As with every import source, **stored passwords are
never read or decrypted** — they stay in the source app, and you map
each deduped login to a Transit auth profile once.
Changed
- **The terminal is free — signing in without a subscription no longer hides
the workspace.** Previously, a signed-in account with no active plan saw a
full-screen "Subscribe to use Transit AI" panel in place of the entire app.
The workspace (terminal, sessions, inventory) now always renders; the
subscribe prompt lives inside the chat panel, since only the AI assistant
requires a plan. Use Transit as a standard SSH/serial terminal at no cost.
[2.2.5] - 2026-07-01
Security
- Policy gate hardening (defense-in-depth). Strengthened the per-vendor
read-only command gate: it now denies native output redirection
(> / >>), catches a blocked pipe stage even when it is hidden behind
a quote (network CLIs don't parse shell quoting the way the gate's
allow-matcher does), tightens NX-OS | sort (write/exec flags),
backports the Cisco/Arista show tech-support <destination> block from
IOS-XR, and blocks Junos monitor … write-file. Every agent-proposed
command already requires explicit per-command user approval (Rule 3);
these refinements harden the automated gate that runs ahead of it.
- Broader redaction coverage. Expanded the device-output → AI
redaction filter to more credential shapes: IPsec pre-shared keys
carrying an encryption-type token (`pre-shared-key local|remote 0|6
<psk>), modern OpenAI project keys (sk-proj-…`), SNMP community strings
on snmp-server host trap targets, credentials embedded in
connection-string / URL userinfo (scheme://user:PASSWORD@host), HTTP
Basic Authorization headers, and wireless/WPA pre-shared keys.
- Terminal paste review. The multi-line paste confirmation dialog now
reliably intercepts keyboard paste (Cmd/Ctrl+V), so multi-line content is
always reviewed before it reaches the device.
- Additional hardening. On-disk SSH private-key material is zeroized
from memory after use; the inventory loader rejects plaintext secrets
regardless of TOML key spelling (bare, quoted, or dotted); the SSH
connection's compile-time thread-safety assertion now covers its full
captured set; and the release build's symbol scan fails closed on a
stripped binary.
[2.2.4] - 2026-07-01
Changed
- Higher limits for importing large connection sets. Raised the
connection-import file cap (SecureCRT SCRTConfig.xml / OpenSSH
ssh_config / CSV) from 8 MiB to 64 MiB, and the inventory file cap
from 256 KiB to 4 MiB (~10k+ devices). Importing hundreds-to-thousands
of sessions no longer trips a "file is too large to import" error or an
inventory-size ceiling.
[2.2.3] - 2026-07-01
Security
- Further enhancements to modern secret redactions. Extends the
device-output → AI redaction filter beyond device credentials to
cover common cloud/SaaS API tokens (GitHub, Stripe, Slack, OpenAI,
GitLab, and Google API keys), plus cleartext line/console and VTP
passwords and modern password-hash formats, so more secret material
is masked before it can reach the AI. Redaction remains one layer of
defense-in-depth alongside the per-command policy gate and approval
modal.
[2.2.2] - 2026-06-30
Security
- Enhanced vendor-specific redaction filter. Broader, more reliable
redaction of platform-specific credential formats in device output
before it reaches the AI — covering password hashes, VPN pre-shared
keys, and BGP/OSPF/IS-IS/EIGRP routing-authentication secrets across
all supported platforms (Cisco IOS/IOS-XE/IOS-XR/NX-OS, Juniper Junos,
Arista EOS, and Palo Alto PAN-OS), plus a vendor-agnostic catch-all for
standard password-hash formats regardless of the surrounding command.
[2.2.1] - 2026-06-30
Fixed
- You can now install an update from Settings → Updates. "Check for
updates" there correctly detected new versions but offered no way to
install one — it now shows a Download & Install button (with inline
download/install progress) whenever an update is available, matching the
bottom-left prompt.
- The update prompt no longer disappears forever after "Later." "Later"
now means "not right now, maybe next launch" — the prompt re-appears the
next time you open the app while the update is still available. A new
Skip this version action permanently dismisses one specific version
(and only that one — a newer release still notifies you).
[2.2.0] - 2026-06-30
Added
- Claude Sonnet 5. Transit now offers Claude Sonnet 5 — the new default
Sonnet for new chats across all plans. It's priced the same as Sonnet 4.6,
with a newer knowledge cutoff (January 2026) and the same 1M-token context.
Claude Sonnet 4.6 remains available in the model picker, and existing chats
keep whatever model you selected.
Changed
- Agent auto-approve is now chat-scoped, with a clearer approval modal.
The "auto-approve a matching regex" affordance in the command-approval
modal now persists for the life of the chat (cleared when the chat
closes) instead of resetting after every message — approve ^show once
and it holds for the rest of the investigation. It sits behind a
clearly-labeled, collapsed **"Auto-approve matching commands? Expand
here"** disclosure with its own dedicated button — kept deliberately
separate from the primary Approve so it can't be armed by a reflex click
(modal-fatigue mitigation, threat-model T18) — and the regex field is
pre-filled with ^show. The per-vendor policy gate still runs on every command
regardless, and the affordance stays hidden/refused for generic-Linux
(unrestricted) and custom (BYOP) vendors, which require a per-command
click. Also closes a gap where a custom-vendor auto-approve was silently
ignored backend-side.
[2.1.0] - 2026-06-29
Added
- Cisco IOS-XR command policy — seventh gated vendor. Read-only gate for
Cisco's carrier-grade OS (ASR 9000 / NCS / CRS / XRv), with XR-specific
shell-escape blocks: run (classic 32-bit/QNX task shell), bash (64-bit
eXR Linux root shell), tclsh, script (XR-7.x script run on-box
Python/bash automation), admin (System Admin VM), and attach
(per-node shell). Encodes the two-stage commit config model (configure /
commit blocked; XR has no write verb), hardens show tech-support
against its file-writing forms, and pipe-blocks the write/escape stages
(| file, | redirect, | utility, | tee, | append). Select it per
device via the inventory vendor cisco_ios_xr. Verified by an
allowed/blocked corpus, a no-bypass proptest, and cargo-mutants on the gate.
[2.0.1] - 2026-06-28
Added
- ITInspired themes — new light and dark color schemes (Settings →
Appearance) based on the itinspired.com brand:
leaf-green (#74b843) primary with cyan (#00baff) focus accents — light
on warm white, dark on charcoal.
[2.0.0] - 2026-06-28
This release adds a version-aware Terms & Privacy consent gate. Signed-in
users who have not affirmatively accepted the current Terms of Service and
Privacy Policy — anyone who signed up before the sign-up consent checkbox
existed, and everyone after a future Terms change — are shown a one-time
blocking screen and must click I Agree before using the app. Acceptance is
recorded server-side as an auditable consent record.
Added
- Terms & Privacy consent gate. A blocking, non-dismissible screen replaces
the workspace when the signed-in account hasn't accepted the current
Terms/Privacy version. It links to the live Terms and Privacy pages and
records an affirmative "I Agree" before the app unlocks. New accounts that
accept at sign-up never see it; a future Terms revision re-shows it to
everyone exactly once.
[1.6.5] - 2026-06-26
This release rolls up the work versioned 1.6.4 (which was never tagged for
production) together with the multi-line-paste focus fix.
Fixed
- **Clear-terminal shortcut (⌘⇧K / Ctrl+Shift+K) now works on Windows and
Linux.** It previously only fired on macOS: the keystroke was wired solely to
the native menu accelerator, which the focused terminal swallows on
Windows/Linux (only macOS's global menu bar intercepts it first). Worse, when
the terminal had focus the chord was sent to the device as a Ctrl+K
kill-line instead of clearing. The shortcut is now handled in the app itself,
so it clears the active session on every platform — and no longer leaks a
keystroke to the remote device.
- The terminal cursor no longer disappears after a multi-line paste.
Confirming (or cancelling) the multi-line paste dialog left keyboard focus
on nothing, so the cursor went hollow and you had to click back into the
terminal before you could type or press Enter. Focus now returns to the
active terminal on every way of closing that dialog.
[1.6.3] - 2026-06-25
Changed
- The "Approve command?" dialog now identifies the session by its tab name
(e.g. vEX1, or your custom rename) instead of an internal identifier, so
it's clear which open session the agent wants to run a command in. The full
session id remains available on hover.
[1.6.2] - 2026-06-25
Added
- A keyboard shortcut to clear the terminal. Press ⌘⇧K (Ctrl+Shift+K
on Windows/Linux), or use the new View → Clear Terminal menu item, to clear
the active session's screen and scrollback — the same action already on the
tab's right-click menu.
Changed
- A clearer notice when AI is paused by the usage safety limit. If a burst of
unusually high usage trips Transit's safety limit, the chat now shows a calm
banner that explains it's a protective pause (not an outage), counts down to the
automatic unlock (~15 minutes), and offers a one-click Resume now — replacing
the old generic "Transit Cloud is temporarily paused" error. Heavy Operator/Pro
users also see a hint that a higher plan includes more headroom.
[1.6.1] - 2026-06-25
Added
- Bulk import now sets up your key-based logins for you. When you
import from SecureCRT / ssh_config / CSV, every login that uses an
on-disk SSH key or an SSH agent can become a working auth profile in one
click. Transit checks each referenced key file (read-only) and, for
encrypted keys, asks for the passphrase right in the credential step —
saving it to your OS keychain (never the inventory file). Creating a
profile by hand is prefilled too: + New opens already set to "SSH key
file" with the detected path and username filled in.
Fixed
- The import "Map credentials" step now fills the window instead of a
narrow centered column, so long SSH key paths are fully visible (no more
truncated /Users/…/id_ed25519).
[1.6.0] - 2026-06-24
Added
- Sign in with an SSH key file (SecureCRT-style). Create an auth
profile that points at a private key on disk — pick it with a file
browser, no ssh-agent setup required (a relief on Windows
especially). OpenSSH, PEM, and PuTTY .ppk keys all work; if the key
has a passphrase, enter it once and it's saved to your OS keychain
(never the inventory file). The key file stays where it is — Transit
stores only its path.
[1.5.1] - 2026-06-24
Fixed
- **A half-typed command is no longer garbled when you switch session
tabs.** Typing a line without pressing Enter, switching to another
tab, and switching back could leave the prompt text and cursor
corrupted (e.g. R1#This is a line came back as R1#This i). Hidden
tabs are no longer re-measured while collapsed, so the in-progress
input line survives the round trip.
[1.5.0] - 2026-06-23
Added
- Works behind corporate TLS inspection. Transit's connection to Transit
Cloud now trusts your operating system's certificate store by default, so it
keeps working on networks that inspect TLS traffic — a firewall's CA installed
in your system keychain/store is honored. A new Settings → Network tab adds
a Strict TLS toggle (off by default) that, when on, trusts only the
built-in public certificate authorities and refuses any inspected connection.
Takes effect on the next launch. SSH device connections use a separate trust
model and are unaffected.
- Actionable certificate errors. When the server certificate can't be
verified, the account area now shows a clear message that deep-links to
Settings → Network, instead of an opaque transport error.
Changed
- Settings is now a gear in the sidebar. Opening Settings is a one-click
gear next to the account chip, rather than hidden inside the account popover.
Fixed
- Terminal focus when switching session tabs. Clicking another session's tab
(e.g. R1 → R2) now puts the cursor in that terminal immediately, instead of
requiring a second click into the pane. The v1.4.1 fix focused the pane the
moment it activated — before it was laid out and before the tab click released
DOM focus — so the focus didn't land; it's now deferred a frame so it sticks.
(The v1.4.1 button-bar focus hand-back was unaffected and keeps working.)
[1.4.1] - 2026-06-22
Fixed
- Terminal focus on tab click. Clicking a session tab now puts the cursor
in that terminal immediately, so you can type without a second click into the
pane.
- Terminal focus after a button-bar press. Sending a macro from the button
bar now returns focus to the active terminal (the button click no longer
leaves the cursor on the button).
- "New device in this group" now pre-fills the group. Choosing *New device
in this group…* from a group's context menu correctly seeds the Group/Folder
field. Previously the field came up blank because the dialog stayed mounted
and ignored the group on reopen.
Changed
- Clearer New/Edit device dialog labels. *ID* → Friendly Name (hint
*Router1*), *Port* → SSH Port (Transit is SSH-only), *Vendor* → **Vendor
— Policy Gate** (it selects the command policy gate, not just a label), and
*Group* → Group/Folder.
[1.4.0] - 2026-06-19
Added
- Clear terminal. Right-click a session tab → Clear terminal wipes the
visible terminal output and resets that session's backend scrollback ring, so
the embedded agent's read_scrollback returns only post-clear output. Works
for both SSH and serial-console sessions. (A keyboard shortcut may follow.)
- Confirm before disconnecting a live session. The pane's Disconnect
button now asks first when the session is still connected, so a misclick can't
silently drop the connection. An already-ended tab's Close button is
unchanged (no prompt).
- Warn before quitting with an active session. Quitting Transit — via
Cmd+Q or the window-close button — while an SSH/console session is still
connected pops a "Quit anyway?" confirm instead of silently dropping the
connection. Anchored to true liveness: a tab you logout/exit-ed from (its
channel is dead, even if the tab lingers) is safe and does not prompt.
- Button bar (SecureCRT-style). A configurable toolbar of command buttons,
toggled from the new View → Button Bar menu. Each button sends a string to
the active session with SecureCRT's "Send String" escape codes — \r (Enter),
\n (newline), \p (1-second pause), \v (paste clipboard), \e/\###
(ESC/octal), \\ (literal backslash) — so one button can fire a full command
plus Enter, or a multi-step macro. Right-click the bar to add a button or hide
it; right-click a button to edit or delete. Buttons persist locally. (v1 ships
a single shared bar; multiple named bars may follow.)
- Native application menu. Transit gains a proper menu bar (App · Edit ·
View · Window) — primarily to host View → Button Bar, with the standard
Quit / Copy / Paste / Undo / Hide items so the usual keyboard shortcuts keep
working.
[1.3.3] - 2026-06-18
Changed
- Clearer labels in the New/Edit Auth Profile dialog. Renamed fields
and dropdown options for plain-language clarity — "Transit Friendly
Name", "OS keychain (passwords)", "SSH agent (ssh-agent, 1Password,
etc.)", "OS Keyring Friendly Name", "Password Value" — and the username
placeholder now shows root. Display-only; no change to stored
credentials or transit.toml.
[1.3.2] - 2026-06-18
Fixed
- **1Password SSH keys now work without manual
SSH_AUTH_SOCKsetup on
macOS.** When a connection pins a key fingerprint and that key isn't in
the agent SSH_AUTH_SOCK points at — on macOS that's Apple's built-in
agent by default, which shadows 1Password — Transit now also checks
1Password's well-known agent socket automatically. The private key never
leaves 1Password, and every signature is still gated by 1Password's
approval. When a key still can't be found, the error now pinpoints the
cause (agent not enabled vs. 1Password locked vs. fingerprint mismatch)
instead of a generic "not available."
[1.3.1] - 2026-06-18
Fixed
- Connect to SSH hosts that require keyboard-interactive authentication —
notably VMware ESXi, and any host configured with the SSH password
method disabled (PasswordAuthentication no + `KbdInteractiveAuthentication
yes`). Transit now answers the server's keyboard-interactive prompts with
your saved password — exactly as the OpenSSH command-line client does —
instead of failing with "authentication failed … server rejected the
credential." Public-key (SSH agent) connections are unchanged.
[1.3.0] - 2026-06-16
Added
- Import connections from other clients. Bring an existing fleet into
Transit in one pass instead of re-entering it by hand. The Import button
in the sidebar header (and on the welcome screen, or ⌘K → Import) reads
SecureCRT (an exported SCRTConfig.xml), an OpenSSH ~/.ssh/config,
or a CSV, then walks you through three steps: it groups your saved logins
so you map each shared credential once — reuse an auth profile you already
made, or create one (the secret goes straight to your OS keychain) — then
shows every connection in an editable grid where you can bulk-assign vendor
and group, rename, and exclude rows before importing. Transit reads host,
port, username, folder structure, and key-file paths; it never reads or
decrypts your stored passwords. Devices that collide with an existing name are
flagged and skipped until you rename them, and the whole import is atomic —
if anything is wrong, nothing is written.
[1.2.0] - 2026-06-15
Added
- In-app notices. Transit can now surface short announcements — a
changelog, a newly available model, or an important account or policy
notice — as a dismissible card in the bottom-left corner, fetched
alongside your account info. Only the highest-priority unread notice
shows at a time, and dismissing one is remembered. Notices are
delivered from Transit's service, so they reach installed builds
without waiting for an app update.
[1.1.0] - 2026-06-13
Added
- Connections pane group management. Organize the sidebar from the
GUI: right-click → New group (empty groups now persist), **New
subgroup, Rename, and Delete group** (its connections and
subgroups move up to the parent — nothing is deleted). **Drag a
connection** from one group into another, or onto the "Drop here to
ungroup" zone. Group expand/collapse state is remembered across
launches. Backed by a small groups registry in transit.toml (so a
device-less group survives) layered over the existing per-device group
path; pre-existing inventories load unchanged.
- Chat font size. Settings → General gains a chat font-size control
(+/− / value / Reset) alongside the terminal font-size row. It scales
the agent chat panel's message thread — prose, code blocks, and inline
code — independently of the terminal, defaulting to 14px (prose reads a
touch larger than the monospace terminal default). Persisted to
localStorage like the terminal preferences.
[1.0.2] - 2026-06-12
Added
- Terminal font picker. Settings → General's font field is now a
dropdown of the monospace fonts actually installed on your machine —
and filtered to the ones the terminal renderer can really use, so
families the OS ships but withholds from app web content (SF Mono)
no longer appear just to silently fall back. Each option previews in
its own face. Custom… keeps the previous free-text path for
hand-written fallback stacks and fonts that don't advertise fixed
pitch.
- Editable paste confirmation. The multi-line paste dialog now lets
you edit the pending text before sending — trim a stray trailing
newline, drop a line, fix a typo — instead of cancelling and
re-staging the whole paste. What you paste is exactly what's in the
box, the line count updates live, and emptying the box disables
Paste.
Changed
- Wider Settings dialog (672 → 896 px max) so the General and
Policies tabs stop crowding their controls.
Fixed
- Connections sidebar: host:port no longer clips. Two layers. The
real culprit: the sidebar's scroll viewport sized its content to the
widest row, so one long hostname pushed every row's right-aligned
address past the visible edge — the viewport's content wrapper is
now pinned to the sidebar width. Within a row, the address also
keeps a readable minimum width, truncates predictably, and both
fields show their full value on hover.
[1.0.1] - 2026-06-11
Added
- Terminal font setting. Settings → General gains a font-family field —
type the name of any monospace font installed on your machine (e.g.
JetBrains Mono) and every terminal pane switches live. Falls back to the
stock font stack when the field is empty or the font isn't installed.
- Per-vendor syntax-highlighting packs. When a device opts into syntax
highlighting, vendor-specific vocabulary now layers over the generic set:
Cisco IOS / IOS-XE / NX-OS / Arista EOS get syslog mnemonics colored by
severity (%SYS-2-… red, %LINK-3-… yellow, %SYS-5-… cyan) plus
connected / notconnect / err-disabled interface status; Juniper Junos
gets commit complete, the truncated BGP Establ state, and chassis-alarm
classes. Picked automatically from the device's vendor.
Fixed
- Terminal bottom row no longer clips after font zooming. Changing the
font size (⌘+ / ⌘− / ⌘0) or family re-fits the pane on the next frame, after
the renderer's cell metrics settle — previously repeated zooming could push
the prompt line below the visible area until the window was resized.
Changed
- Claude Opus 4.7 retired from the model picker — superseded by Claude
Opus 4.8 (same speed tier and price). Chats still set to Opus 4.7 are served
by Opus 4.8 automatically; no action needed.
Security
- PAN-OS policy: viewer commands grammar-anchored. The
less/tail/
find / grep allow-rules now require PAN-OS's own grammar (a …-log area
for the first three, the literal find command form), so their GNU
namesakes (less /etc/passwd, find / -exec …) can no longer satisfy the
allowlist on a mislabeled device. Defense-in-depth — such commands were
already subject to the approval modal.
[1.0.0] - 2026-06-10
First stable release. Headline features: Bring Your Own Policy, custom
vendors, connection-name-aware AI, and open-session-scoped policy briefing.
Added
- The AI assistant now knows your connections by name. Sessions surface
the connection name you gave the device (its inventory id, e.g. "R1")
instead of a host:port stand-in, so "what is R1's loopback IP?" resolves
to the right session. The session list the assistant sees also includes
each device's vendor.
- Bring Your Own Policy (BYOP). Supply your own command policies, layered
over the built-in ones: add read-only allowed commands to a shipped vendor,
or define an entirely new vendor (e.g. Fortinet, MikroTik) with its own
<vendor>.yaml. Point Transit at a policy directory (the Vendor field in
the device dialog accepts a custom name; set the directory via
TRANSIT_USER_POLICIES or the Settings → Policies tab). The directory can
live on a shared drive for team use. Your additions can never weaken the
built-in safety floor — a shipped block (config mode, write commands, shell
escapes) stays blocked no matter what a user policy says — and a custom
vendor still requires per-command approval for every command.
- Sample policies for popular vendors (
policies/samples/): vetted
read-only starting points for Fortinet FortiOS and MikroTik RouterOS,
ready to drop into your BYOP policy directory and doubling as worked
examples of the policy schema.
Changed
- The AI assistant's policy briefing is now scoped to your open sessions.
The system prompt includes only the command policies for vendors you
currently have sessions to (plus an explicit default-deny note for devices
with no policy), instead of every shipped vendor's full policy on every
conversation. Cuts per-turn token overhead and clears the path to a much
larger vendor catalog; enforcement is unchanged — every proposed command
still runs the full policy gate and the approval modal (Rule 3).
[0.3.0] - 2026-06-09
Security-hardening release resolving the findings of an internal code review.
Security
- The AI command gate can no longer be tricked by multi-line commands. A
proposed command that tried to hide a second statement behind a newline (or
other control character) is now rejected before it is evaluated, the approval
modal shows the full command faithfully instead of collapsing hidden lines,
and the SSH/serial executors refuse to send control-character payloads.
Command matching is now case-insensitive, so block rules can't be sidestepped
with alternate capitalization.
- Stronger device-output redaction. Added high-entropy key/hash catch-alls
and coverage for key chain key-strings and PPP passwords, and redaction now
runs over the full buffer before any truncation — so a secret split across a
buffer boundary can no longer slip through to the AI.
- Sign-in tokens are no longer written to logs. The desktop stopped logging
the transit:// sign-in callback URL (which carried access/refresh tokens),
and the logging subsystem is now actually initialized.
Fixed
- More resilient cloud connections: requests now time out instead of hanging,
a transient server blip during token refresh no longer signs you out, and
simultaneous refreshes are coalesced.
- Out-of-quota, rate-limit, spend-pause, and unavailable-model responses now
show a clear message in chat instead of a generic status code.
- SSH sessions: a close signal could occasionally be missed (leaving a tab that
never showed as closed); one stuck session could freeze the others; and
carefully verifying a new host key no longer risks a spurious connect timeout.
- The inventory editor no longer errors on hand-written inline-table TOML,
editing a device preserves a remembered "allow weak crypto" choice, and
multibyte terminal output split across packets now renders correctly.
[0.2.2] - 2026-06-07
Added
- Claude Opus 4.8 in the chat model picker (under Advanced) —
Anthropic's most capable model, at the same speed tier and price as
Opus 4.7.
[0.2.1] - 2026-06-05
Added
- New color theme: Transit Twilight — an original dark scheme (deep
twilight indigo with teal and amber accents). Pick it in Settings →
General → Theme.
[0.2.0] - 2026-06-05
Added
- Automatic updates. Transit now checks for a new version on launch and
shows a small prompt in the bottom-left corner when one is available. Click
Install & Restart and Transit downloads the update, verifies its
signature, swaps itself in place, and relaunches — no manual reinstall.
Choose Later to be reminded at the next release. Settings → Updates shows
your current status and a manual Check for updates button. (macOS Apple
Silicon and Windows.)
Changed
- The AI investigation loop no longer stops every dozen rounds and makes
you type "continue". It now runs continuously through an investigation
and only pauses for a one-click Continue after a long autonomous
burst (~50 commands), with an always-visible Stop and a live activity
readout (commands run · elapsed · tokens). A per-turn timeout guards a
stalled model response. Large command / scrollback outputs are capped,
and older ones collapse to a re-readable note, so long log-parsing
sessions stay responsive instead of degrading.
[0.1.2] - 2026-06-01
Changed
- Upgraded the terminal to xterm.js 6 — rendering now uses the WebGL addon
(with an automatic fallback to the DOM renderer on GPU context loss).
- Migrated the styling pipeline to Tailwind CSS v4.
[0.1.1] - 2026-06-01
Changed
- Refreshed Rust dependencies (
age0.11,toml1.x,toml_edit0.25,
dirs 6, getrandom 0.4, tauri 2.11.2, and related transitive
updates). Encrypted session export migrated to age 0.11's API with no
change to the on-disk format — exported files stay decryptable with
age -d (scrypt KDF + ChaCha20-Poly1305).
- Refreshed frontend dependencies — notably TypeScript 6, lucide-react 1,
and lint-staged 17, plus minor TanStack Query, React Hook Form, ESLint,
Vite, and Vitest updates. No user-facing behavior change.
[0.1.0] - 2026-05-31
Added
- Cross-platform GUI SSH client (Apple Silicon macOS + Windows x64): xterm.js
terminal, multi-session tabs, host-key trust-on-first-use, a modern-crypto
handshake with a per-device legacy opt-in, and optional per-device syntax
highlighting and SecureCRT-style quick copy/paste.
- Embedded read-only AI investigation agent with a fixed four-tool surface, a
per-vendor command policy gate, and a device-output redaction filter on
everything the model sees.
- Shipped vendor policies: Juniper Junos; Cisco IOS, IOS-XE, NX-OS; Arista
EOS; Palo Alto PAN-OS; plus an unrestricted generic-Linux profile.
- Transit Cloud account flow: Clerk sign-in, subscription billing, and
bring-your-own-key (BYOK) support on paid tiers.
- Signed + notarized macOS
.dmgand Authenticode-signed Windows.msi/
NSIS -setup.exe installers, distributed via the dev and prod release
channels.