v0.5.0

libmutton v0.5.0
February 17, 2026

This release adds password age-tracking support and features large refactors that improve the robustness of core functionality. Many breaking changes are present. Highlights are listed below.

Breaking (for users+developers)

• USERS: These changes require updating your copy of libmuttonserver; additionally, you must re-generate your config file however your client allows (e.g. mutn init)
• (50d51f9) Password age tracking support
  • libmutton now tracks when passwords were last updated
  • Clients can use this information to warn users when passwords should be changed
  • Random (within the last year) age data can be added to existing password entries
    • This allows easing into this feature, rather than having all your passwords expire on the same day
  • Developers: see the new age package
• (e355c81) (f16078f) (4e6c18d) (2ab777f) (941a2dc) (35db3bf) (5e5a7c5) (07571a6) (d0e8640) (3b4e75b) Massive sync refactor
  • Sync info is now passed from the server to the client using rigidly defined JSON types
    • This greatly improves code maintainability and reduces potential for bugs
  • Sync now supports password age tracking data
• (b591e2e) (571bc0a) New config file format
  • libmutton.ini is now libmuttoncfg.json
    • This format change was made since the JSON package was being adopted for the sync refactor (the gopkg.in/ini.v1 dependency can now be dropped)
  • Developers: see the new config package, replacing the old cfg package
• (6d3e3cd) Dropped built-in Termux support to simplify builds (clients can still implement this on their own)

Breaking (for developers)

• (bf1399c) (9703790) (a0f21b3) (80cf657) (8d1dd48) (c63dff4) (336dc5c) (04e1b0d) (d2a6ed5) (fdce036) (6004a94) Massive clipboard refactor
  • Added new clip package
  • Non-continuous TOTP copy must use core.GenTOTP directly
    • The typical copy workflow now only supports continuous copy
  • Dropped mobile clipboard support
    • This can/should be handled by the GUI toolkit
• (2828678) (a18c3ea) (5e5a7c5) (4467a8c) core.LibmuttonInit overhaul
  • Now supports non-destructive append
  • Now supports custom device ID prefixes

New (non-breaking)

• (cb3a554) Mass entry verification
• (d7242fe) (1351360) Native iOS support

Fixes

• (2054f5b) Reduced clipboard latency on Windows
• (f82b35b) Fixed background processes dying w/terminal on Windows

Dependencies (direct/replaced)

• Dropped
  • golang.design/x/clipboard
  • gopkg.in/ini.v1
• Bumped
  • Go: v1.25.4 => v1.26.0
  • github.com/rwinkhart/go-boilerplate: v0.1.0 => v0.3.1
  • github.com/rwinkhart/rcw: v0.2.4 => v0.3.0
  • golang.org/x/crypto: v0.45.0 => v0.48.0
  • github.com/rwinkhart/sys: v0.38.0 => v0.41.0

v0.4.4

libmutton v0.4.4
November 23, 2025

This release fixes a minor bug and dependency-derived security issues.

Fixes

• (711515f) Fix subprocesses being killed prematurely when the main process is force quit
  • Fixes issues with master password caching and clipboard clearing

Dependencies

• Bumped (direct/replaced)
  • golang.org/x/crypto: v0.43.0 => v0.45.0
    • Addresses CVE-2025-58181 and CVE-2025-47914
  • github.com/rwinkhart/rcw: v0.2.3 => v0.2.4

v0.4.2

libmutton v0.4.2
November 09, 2025

This is purely a dependency bump release.

Dependencies

• Bumped (direct/replaced)
  • Go: v1.25.3 => v1.25.4
  • github.com/rwinkhart/rcw: v0.2.2 => v0.2.3
  • github.com/rwinkhart/peercred-mini: v0.1.1 => v0.1.2
  • github.com/rwinkhart/sys: v0.37.0 => v0.38.0
  • github.com/rwinkhart/go-winio-easy-pipe-handles: switched to tagged v0.1.0 of github.com/rwinkhart/go-winio

v0.4.1

libmutton v0.4.1
October 26, 2025

This is a dependency bump release with only minor changes for developers.

Breaking (for developers)

• (b9175d7) Standardized on "password" rather than a mix of "passphrase"/"password"
  • Some function names changed as a result
• (aa10016) Developers using LibmuttonInit can now force clients into offline mode programmatically
  • This means LibmuttonInit now requires an extra parameter

Dependencies

• Bumped (direct/replaced)
  • Go: v1.24.6 => v1.25.3
  • github.com/pkg/sftp: v1.13.9 => v1.13.10
  • golang.org/x/crypto: v0.41.0 => v0.43.0
  • github.com/rwinkhart/sys: v0.35.0 => v0.37.0

v0.4.0

libmutton v0.4.0
August 17, 2025

This is the largest update to libmutton yet, and as such, these patch notes are non-exhaustive.
Many minor changes and fixes to features mentioned in these patch notes have been made.
Please see the commit history for a more complete list of changes.

Breaking (for users)

• GPG has been entirely replaced with RCW
  • All entries created in previous versions must be converted using this conversion program
• Steam TOTP keys now must be in base32 format
• (3c5db78) Release binaries of libmuttonserver now target x86_64_v2 and arm64v8.7
• (3dd07e7) Offline mode is now manually specified in libmutton.ini

Breaking (for developers)

• libmutton has been further modularized
  • The core package has been split into core, global, crypt, and cfg
  • The sync package has been split into syncclient, syncserver, synccommon, and synccycles
  • This decreases the size of the server binary and allows for more modular clients
• (40f0f35) Errors are now returned, rather than printed

Features

• (111324c) Deletions (server-side) now follow the client through device ID changes
• (ca277ba) Added the EntryRefresh() function for re-encrypting entries with a new passphrase/optimizing bloated entries
• (74b8261) Added the LibmuttonInit() function to ensure clients initialize libmutton as intended
• (bed23e9) (41a12c6) Added iOS clipboard support
• (3fdcc9e) (1a66a30) (d023058) Support one-time TOTP copy
• (fb2120c) Support custom device ID prefixes

Fixes

• (50ab27c) libmutton.ini is now always created with 0600 permissions on *nix platforms
• (4a0e0f8) Old devices IDs are no longer removed from clients when registration of a new device ID fails

Dependencies

• Dropped
  • github.com/fortis/go-steam-totp (functionality now covered by github.com/pquerna/otp)
• Bumped (direct)
  • Go: v1.24.2 => v1.24.6
  • github.com/pquerna/otp: v1.4.1-0.20231130234153-3357de7c0481 => v1.5.0
  • golang.design/x/clipboard: v0.7.0 => v0.7.1
  • golang.org/x/crypto: v0.37.0 => v0.41.0
• Added (direct)
  • github.com/rwinkhart/go-boilerplate v0.1.0
  • github.com/rwinkhart/rcw v0.2.2

v0.3.1

libmutton v0.3.1
April 21, 2025

Features

• (da95ede) Added EntryAddPrecheck() utility function for ensuring the target locations for new entries are valid
• (1722375) (4492473) (0f90e82) Added initial native Android support
• (51bb67f) Split device ID retrieval into dedicated exported function, GetCurrentDeviceID
• (4ed816c) Allow more control over string generation to improve generated password compatibility

Fixes

• (51bb67f) Fixed clients having multiple device IDs after failed registrations
• (451d695) Fixed inability to add a folder on the server if the folder was already created on a client that failed to sync

Dependencies

• Bumps (direct and indirect)
  • Go: v1.24.0 => v1.24.2
  • github.com/pkg/sftp: v1.13.7 => v1.13.9
  • golang.org/x/crypto: v0.34.0 => v0.37.0
  • golang.org/x/sys: v0.30.0 => v0.32.0
• New
  • Android builds only
    • golang.design/x/clipboard v0.7.0
      • golang.org/x/exp/shiny v0.0.0-20250408133849-7e4ce0ab07d0
      • golang.org/x/image v0.26.0
      • golang.org/x/mobile v0.0.0-20250408133729-978277e7eaf7

v0.3.0

libmutton v0.3.0
February 22, 2025

Features

• (f9aa2fc) (d2034b4) (81b7806) (e9d0c37) core.LaunchClipClearProcess, core.WriteToStdin, core.ExpandPathWithHome, and core.PrintError are now exported utility functions for direct use by clients
• (c28d45c) One-off sync functions can now be forced to run in offline mode
• (5028fb2) SSH connection attempts now have a 3-second timeout
• (89b74ce) Individual keys can now be removed from the config file
• Many features for building interactive (GUI/TUI) clients
  • (619e422) Clipboard clearing can now be handled much more sensibly by interactive clients
  • (3b57d59) (55be8a3) The clipboard can now be cleared instantly (no timer); useful for clearing on client exit
  • (2feeeb7) core.ParseConfig now returns errors for proper handling in interactive clients
  • (68e3108) sync.RunJob can now return lists of synchronized entries for display in interactive clients

Fixes

• (eb2b349) Deletions are now synchronized before folders to avoid sync failures under unlikely conditions
• (fc1cd34) Double-space line breaks with Markdown formatting are now preserved when saving an entry
• (4689cae) Sheared folder names now always end in a trailing slash for clarity and reduced duplicate entries in the deletions directory
• Many fixes for building interactive (GUI/TUI) clients
  • (1cebb39) The soft exit function now specifies a return value
  • (a4a39a3) Passphrase-protected SSH identity files are no longer broken for interactive clients
  • (1c650d4) (0162b73) Interactive clients will no longer crash on SSH dialing failures
  • (173574e) Error messages not making sense for interactive clients have been addressed

Optimizations

• (f2f9c52) An unnecessary variable declaration was removed in core.DecryptGPG
• (fb5449c) A redundant (and late) check for the pre-existence of a new entry has been removed
• (e9d0c37) core.PrintError can be used to decrease the overall size of client binaries through code re-use

Dependencies

• Bumps (direct and indirect)
  • Go: v1.23.4 => v1.24.0
  • golang.org/x/crypto: v0.31.0 => v0.34.0
  • golang.org/x/sys: v0.28.0 => v0.30.0

v0.2.4

libmutton v0.2.4
December 13, 2024

IMPORTANT

• This release includes a dependency bump to address a high-severity CVE (CVE-2024-45337) - Please update as soon as possible!

Changes

• (91fdeb5) The MIME type of data copied to the clipboard on UNIX-like systems (X11 and Wayland) is now statically set to "text/plain" to avoid potential issues with type inference

Dependencies

• Bumps (direct and indirect)
  • Go: v1.23.2 => v1.23.4
  • github.com/pkg/sftp: v1.13.6 => v1.13.7
  • golang.org/x/crypto: v0.28.0 => v0.31.0
    • Addresses CVE-2024-45337
  • golang.org/x/sys: v0.26.0 => v0.28.0
  • golang.org/x/term: v0.25.0 => v0.27.0

v0.2.3

libmutton v0.2.3
October 19, 2024

Fixes

• (1fb2834) Fixed renaming/moving an entry/folder to an invalid path still having clients request the operation on the server

Dependencies

• Bumps (direct and indirect)
  • Go: v1.22.6 => v1.23.2
  • golang.org/x/crypto: v0.26.0 => v0.28.0
  • golang.org/x/sys: v0.24.0 => v0.26.0
  • golang.org/x/term: v0.23.0 => v0.25.0

v0.2.2

libmutton v0.2.2
August 20, 2024

Fixes

• (de508d1) Fixed a regression from v0.2.1 where edited entries are improperly synced if their line count is reduced