- Build static musl binaries (work on any Linux distro)
- Redesign ostp-guard with weighted scoring system (threshold: 4 points)
- HIGH (2pts): Analysis tools (gdb/ida/ghidra), sandbox artifacts
- MEDIUM (1pt): Low resources (<1GB RAM), suspicious env vars
- Production VPS safe (1-2 points), sandbox blocked (4+ points)
- Anti-debug: Windows (IsDebuggerPresent), Linux (/proc/self/status)
- Deployment packages for Linux + Windows with SHA256 checksums
- osds: Added system DNS forwarder on 127.0.0.1:53
- SystemDnsManager for Windows/Linux DNS configuration
- Auto-restore original DNS on exit
- *.ospab.internal routing to master node
- Encrypted DNS forwarding through OSTP tunnel
- oncp: Implemented node enrollment system
- EnrollmentRegistry with state machine (Pending->Approved->Active)
- SQLite-backed enrollment storage
- Node PSK generation on approval
- REST API endpoints for enrollment workflow
- oncp-master: Added enrollment CLI commands
- 'node pending' - List pending enrollment requests
- 'node approve <id>' - Approve and generate PSK
- 'node reject <id>' - Reject enrollment
- ostp-server: Auto-registration on startup
- Submits enrollment request to master node
- Exits if PSK='AUTO' and awaits approval
- Integrates with ONCP enrollment API
- oncp API: Enhanced CDN steering
- Best nodes by country_code with fallback
- Steering metadata (matched, fallback status)
- Load-based node selection
