Releases: tetratelabs/built-on-envoy
v0.5.0
⚠️ Important changes
The Composer dynamic module (Go-based extensions) now requires Envoy 1.38.0 or later.
This bump was necessary to take advantage of new dynamic module APIs introduced in that release, including the ability to make HTTP callouts at configuration time. If you are running Go-based extensions via Composer, make sure your Envoy is at least 1.38.0.
🚀 New Features
Run any Envoy binary with BOE
You can now pass --envoy-path to boe run to point at a custom or pre-release Envoy binary on disk. BOE will skip the automatic download and version selection and run that binary directly. This is particularly useful for testing against a locally-built or unreleased Envoy.
Compose native Envoy filters alongside your extensions
Extensions can now declare native Envoy HTTP filters to be injected immediately before or after themselves in the filter chain, directly from their manifest.yaml. For example, an extension can request that Envoy's MCP protocol filter runs before it. You can also override this at runtime via --native-http-filter-before / --native-http-filter-after flags in boe run and boe gen-config.
SAML: dynamic IdP metadata from a URL
The SAML extension can now be configured with an IdP metadata URL instead of requiring the metadata to be embedded at config time. On startup, it fetches the metadata via Envoy's internal HTTP callout mechanism (which routes through your declared Envoy clusters), caches it for subsequent requests, and retries automatically if the IdP is not immediately reachable.
Coraza WAF: improved buffering
The WAF body buffer now enlarges itself on demand, preventing failures when handling large request or response bodies.
Improved Go extension build mode (c-shared preferred)
Local Go extensions are now compiled as a standard c-shared library (.so) by default, rather than as a Go plugin. This resolves dependency compatibility issues that could occur in local development and improves startup performance. The generated scaffold code for new extensions has been updated accordingly, including helpful comments showing how to bundle other Composer extensions into your own dynamic module.
Upgraded Composer SDK for broader ABI exposure
The dynamic modules SDK used by the Composer module was upgraded to expose more of Envoy's ABI, unlocking additional capabilities for extension authors.
BOE-specific metric prefix for dynamic modules
Metrics emitted by dynamic modules (Go extensions) now use a builtonenvoy prefix instead of the generic Envoy default, making it straightforward to identify and filter BOE-specific metrics in your observability stack.
🐞 Bug Fixes
Coraza WAF improvements
- Fixed a buffering bug in ProcessPartial that could cause incorrect behaviour when processing partial request/response bodies.
- Removed the default generic error body from 403 responses — blocked requests now return a clean 403 Forbidden with no body.
- Improved the default SecDebugLog configuration.
- The WAF body buffer now enlarges itself on demand, preventing failures when handling large request or response bodies.
Dynamic modules SDK body buffer fixes
Bumped the dynamic modules SDK to pick up upstream fixes for body buffer handling in Go-based extensions.
🚨 Security
- Go updated to 1.26.3 to address several CVEs in the Go standard library.
- The BOE CLI Docker image now uses a security-hardened base image with no known CVEs, replacing the previous general-purpose image.
- Nightly CVE scanning has been added as a CI job for the BOE CLI image to catch new vulnerabilities going forward.
🧑‍💻 Developer Experience
macOS build improvements
Building and testing extensions locally on macOS (including with Colima) is now more reliable. The build tooling now correctly cross-compiles Linux .so artifacts when running on a Mac before mounting them into Docker-based Envoy containers, and integration tests properly route traffic to host services in container-based Docker environments.
Docker HEALTHCHECK
The BOE CLI Docker image now includes a HEALTHCHECK directive for better container lifecycle management.
🙌 Acknowledgements
Special thanks to @wbpcode, @codefromthecrypt, @sergicastro, @sjoukedv, @M4tteoP for their contributions in this release! ❤️
📊 Full Changelog
Take a look at the full changelog here: v0.4.0...v0.5.0
v0.4.0
This release brings several major improvements focused on flexibility, extensibility, and overall developer experience:
- Per-route configuration across all extensions
  You can now fine-tune behavior at the route level, giving you much more granular control.
- Coraza WAF upgrade
  The WAF extension has been updated to the latest Coraza version, along with dependency and rule improvements. The integration tests have also been upgraded and enhanced, to increase coverage of CRS tests.
- OpenFGA authorization support
  Added a new extension that enables seamless integration with OpenFGA for fine-grained authorization.
- Expanded Envoy filter support
  Added support for:
  - Network filters
  - Listener filters
  - ext_proc extensions
- Improved documentation for Go dynamic modules
  New guidance covering best practices and important caveats when building Go-based modules.
- Stronger and more consistent test coverage
  Testing has been consolidated and expanded across all extension types, and Rust and ext_proc extensions now enforce minimum test coverage in addition to the Go-based ones.
Beyond these highlights, this release includes numerous bug fixes, dependency updates, and general improvements across the project.
🙌 Acknowledgements
Special thanks to all contributors who made this release possible, including:
- @ovadiagal and @AntonKanug for driving the addition of Network and Listener filter support.
- @missBerg and @aaguiarz for the work on the OpenFGA extension.
- @sjoukedv for the continued dedication on the Coraza WAF extension.
Thank you all! 🚀
📊 Full Changelog
Take a look at the full changelog here: v0.3.0...v0.4.0
v0.3.0
This is mainly a bugfix release to address some issues when running local extensions for local development.
What's Changed
- extensions: bump go extensions to 0.5.0-dev by @nacx in #297
- build(deps): bump github.com/antchfx/xpath from 1.3.3 to 1.3.6 in /extensions/composer by @dependabot[bot] in #300
- build: fix go tags when building composer extensions by @nacx in #305
- build(deps): bump github.com/go-git/go-git/v5 from 5.16.5 to 5.17.1 in /cli/tools by @dependabot[bot] in #303
- build(deps): bump golang.org/x/image from 0.18.0 to 0.38.0 in /cli/tools by @dependabot[bot] in #302
- opa: add support for dynamic metadata by @nacx in #289
- extensions: add metadata support for the cedar-auth extension by @nacx in #306
- bump waf CRS to 4.25.0 by @sjoukedv in #299
- jwe-decrypt: default metadata namespace aligned with other boe extensions by @nacx in #308
- extensions: add a JSON schema for the extensions that accept configuration by @nacx in #298
- cli: properly resolve composer version from local tree by @nacx in #311
New Contributors
Full Changelog: v0.2.0...v0.3.0
v0.2.0
This release bumps the Go version to fix several CVEs.
It also bumps the Dynamic Modules SDK to the latest version. This version should be backwards compatible, meaning that the extensions compiled against this version of the SDK won't have to be recompiled to run on newer versions of Envoy.
It also adds some improvements when running extensions on Docker, to better align the image version being used to the version of the CLI.
What's Changed
- site: add demo video by @nacx in #261
- chore: bump checkout action to remove warning by @nacx in #258
- Bump Go to 1.26.1 to fix CVEs by @nacx in #263
- build(deps): bump devalue from 5.6.3 to 5.6.4 in /website by @dependabot[bot] in #264
- chore: fix leftover update to go 1.26.1 by @nacx in #265
- add new test upstream cluster support by @wbpcode in #270
- sdk: bump to the latest version of the dynamic modules sdk by @nacx in #219
- waf: add metrics and metadata with insights on blocked requests by @nacx in #271
- extensions: update default namespace for chat-completions-decoder by @nacx in #273
- extensions: add Anthropic messages API decoder by @nacx in #268
- run: when running in Docker use the image version that corresponds to the cli by @nacx in #269
- cli: add a command to download extension packages by @nacx in #272
- support additional algorithms and symmetric keys by @travisghansen in #262
- add more test to waf by @wbpcode in #274
- waf: more request/response body access tests, fix on response body processable by @M4tteoP in #275
- build(deps): bump github.com/russellhaering/goxmldsig from 1.4.0 to 1.6.0 in /extensions/composer by @dependabot[bot] in #276
- build(deps): bump h3 from 1.15.5 to 1.15.8 in /website by @dependabot[bot] in #277
- upgrade coraza and csr by @zhaohuabing in #279
- waf: readme by @M4tteoP in #282
- extension: add new llm-proxy extension by @wbpcode in #278
- release the latest dev composer images by @zhaohuabing in #280
- build(deps): bump h3 from 1.15.8 to 1.15.9 in /website by @dependabot[bot] in #283
- waf: build tags by @M4tteoP in #284
- waf: map rule severity to log severity by @zhaohuabing in #285
- chore: tag development versions and latest development together by @nacx in #287
- fix: run phase-2 request processing for header-only requests by @zhaohuabing in #290
- waf: integration test by @zhaohuabing in #286
- build(deps): bump smol-toml from 1.6.0 to 1.6.1 in /website by @dependabot[bot] in #291
- build(deps): bump yaml from 2.8.2 to 2.8.3 in /website by @dependabot[bot] in #292
- build(deps): bump picomatch in /website by @dependabot[bot] in #294
- build(deps): bump astro from 5.17.1 to 5.18.1 in /website by @dependabot[bot] in #295
- chore: add docs for waf mode by @zhaohuabing in #296
- extensions: go extensions 0.4.0 by @nacx in #288
New Contributors
- @travisghansen made their first contribution in #262
Full Changelog: v0.1.1...v0.2.0
v0.1.1
This is a bugfix release containing fixes for the config and extension export.
What's Changed
- add a command to print the version by @nacx in #249
- docs: add Homebrew install instructions and improve examples by @nacx in #251
- docs: add security consideration page by @nacx in #250
- remove slack link until we figure out what workspace/channel to use by @nacx in #252
- bump composer to start 0.4.0-dev cycle by @wbpcode in #253
- site: feedback comments by @nacx in #255
- gen-config: fix exported go config by @nacx in #256
- site: add back slack with the right invite link by @nacx in #257
- site: small nits by @nacx in #259
- site: space nits by @nacx in #260
Full Changelog: v0.1.0...v0.1.1
v0.1.0
The first release of Built on Envoy — a community-driven marketplace for Envoy Proxy extensions, providing a zero-friction developer experience for discovering, running, and building custom Envoy filters.
⭐ Highlights
The boe CLI
A single binary CLI tool to easily run and create Envoy extensions:
- boe list — Browse and discover available extensions.
- boe run — Run Envoy locally with any combination of extensions (remote or local) enabled.
- boe gen-config — Generate Envoy configuration with selected extensions.
- boe create — Scaffold new extension projects in Go or Rust.
For more information, check out the CLI reference docs.
Installation
curl -sL https://builtonenvoy.io/install.sh | sh
or
brew tap tetratelabs/boe
brew install boe
Available for Linux and macOS (amd64, arm64).
Extensions Marketplace
Ships with ready-to-use community extensions, including:
- AI/LLM safety — Azure Content Safety, AWS Bedrock Guardrails, Chat Completions Decoder.
- Authentication — SAML 2.0, JWE Decrypt, Token Exchange.
- Security Policies — OPA, Cedar Authorization, WAF (Coraza), IP Restriction.
- Traffic Management — OpenAPI Validator, File Server.
Check out the extension catalog to get started!
Local Extension Development
Full support for developing and testing extensions locally before publishing, with scaffolding templates for both Go and Rust.
📄 Documentation
- Website & docs: https://builtonenvoy.io
- Getting started: https://builtonenvoy.io/docs/getting-started/
- CLI reference: https://builtonenvoy.io/docs/cli/run/
- Writing Go extensions: https://builtonenvoy.io/docs/writing-go-extensions/
- Writing Rust extensions: https://builtonenvoy.io/docs/writing-rust-extensions/
- Extensions catalog: https://builtonenvoy.io/extensions/
🧑‍🤝‍🧑 Community
Join the Tetrate Community Slack if you're not already a member. Otherwise, use the #built-on-envoy channel to start collaborating with the community.