Release v0.8.8

2026-03-07

Added

• Proxy throughput benchmark (capsem-bench throughput): downloads 100 MB through the full MITM proxy pipeline and reports MB/s — baseline ~35 MB/s on Apple Silicon
• capsem-bench repacked into initrd on every just run for instant iteration
• ash-speed.hetzner.com added to default allow list for throughput benchmarks
• Rust integration test mitm_proxy_download_throughput for host-level proxy validation
• test_proxy_download_throughput in capsem-doctor for end-to-end in-VM throughput verification
• docs/performance.md: benchmark modes, baseline numbers, proxy data path
• just run now kills any existing Capsem instance before booting
• Notarization credential verification in CI preflight and scripts/preflight.sh

Fixed

• capsem-init aborts boot (kernel panic) if tmpfs mount for overlay upper layer fails
• capsem-init creates /mnt/b before mounting tmpfs (missing mkdir -p caused boot failure on fresh initrds)
• CI release no longer hangs on first-time notarization (--skip-stapling)

Security

• Boot invariant enforcement: capsem-init fatal-exits on tmpfs or overlayfs mount failure rather than continuing with a wrong upper layer