unredacted · lunarthegrey · May 5, 2026 · May 5, 2026 · May 5, 2026 · May 5, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -23,7 +23,7 @@ exclude = [
 # detach pacing for bridge members, integrity-check Total-line parse
 # fix). See SPEC.md §11.14 for the rollout history and
 # `docs/runbooks/custom-fib.md` for operations.
-version = "0.2.4"
+version = "0.2.5"
 edition = "2021"
 # MSRV. Deliberately behind the rust-toolchain.toml pin (which is the
 # latest stable) so a contributor with a slightly older toolchain still

diff --git a/README.md b/README.md
@@ -71,8 +71,9 @@ PacketFrame complements existing routing daemons rather than replacing them. The
 | Connected-destination fast-path (`local-prefix`) | Production (v0.2.1+) |
 | `fallback-default` synthesis | Production (v0.2.1+) |
 | `block-prefix` XDP-time drop | Production (v0.2.1+) |
-| `mss-clamp` directive (fast-path) | Production (v0.2.4+) |
+| `mss-clamp` directive (fast-path) | Production (v0.2.4+; per-prefix loads on stricter kernels in v0.2.5+) |
 | `packetframe reconfigure` / `systemctl reload packetframe` | Production (v0.2.4+) |
+| Two-stage BPF datapath (`fast_path` + `finalize` via `bpf_tail_call`) | Production (v0.2.5+) — see [docs/runbooks/tail-call-architecture.md](docs/runbooks/tail-call-architecture.md) |
 | `probe` module — diagnostic XDP | Production |
 | `ddos` module — XDP-time SYN-flood + amplification filter | Future — sketched in SPEC §5.2 (priority 0–999, security/admission) |
 | `sampler` module — per-flow ringbuf observability | Future — sketched in SPEC §5.3 (priority 2000–2999, observation) |
@@ -86,7 +87,7 @@ Releases are published on the [GitHub releases page](https://github.com/unredact
 ### Debian / Ubuntu (.deb)
 
 ```sh
-VERSION=v0.2.4
+VERSION=v0.2.5
 ARCH=$(dpkg --print-architecture)   # amd64 or arm64
 
 curl -LO "https://github.com/unredacted/packetframe/releases/download/${VERSION}/packetframe_${VERSION#v}_${ARCH}.deb"
@@ -103,7 +104,7 @@ Installs `/usr/bin/packetframe`, the systemd unit at `/lib/systemd/system/packet
 For musl-static deployments, non-Debian distros, or anything else:
 
 ```sh
-VERSION=v0.2.4
+VERSION=v0.2.5
 TARGET=aarch64-unknown-linux-gnu     # or: x86_64-unknown-linux-{gnu,musl}, aarch64-unknown-linux-musl
 
 curl -LO "https://github.com/unredacted/packetframe/releases/download/${VERSION}/packetframe-${VERSION}-${TARGET}.tar.gz"

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.2.4
+0.2.5
diff --git a/crates/cli/src/loader.rs b/crates/cli/src/loader.rs
@@ -747,6 +747,14 @@ pub fn status(config_path: &Path) -> Result<(), String> {
             Err(e) => return Err(format!("registry read: {e}")),
         }
 
+        // v0.2.5+ tail-call chain summary. Confirms MUTATION_PROGS[0]
+        // is populated with the `finalize` program FD; if empty,
+        // fast_path's tail_call hits ErrTailCall and traffic falls
+        // through to kernel slow-path. Operators see this immediately
+        // in the status output rather than chasing it via err counter.
+        #[cfg(target_os = "linux")]
+        print_tail_call_chain(&config.global.bpffs_root);
+
         // Live counter readback from the pinned STATS map. Works
         // whether or not the loader is running — the pin survives
         // process exit (§8.5).
@@ -757,14 +765,32 @@ pub fn status(config_path: &Path) -> Result<(), String> {
     Ok(())
 }
 
+#[cfg(all(target_os = "linux", feature = "fast-path"))]
+fn print_tail_call_chain(bpffs_root: &Path) {
+    use packetframe_fast_path::tail_call_chain_from_pin;
+    println!();
+    println!("tail-call chain (from {}):", bpffs_root.display());
+    match tail_call_chain_from_pin(bpffs_root) {
+        Ok(true) => println!(
+            "  MUTATION_PROGS[0]: populated (finalize) — \
+             confirm prog_id via `bpftool prog show name finalize`"
+        ),
+        Ok(false) => println!(
+            "  MUTATION_PROGS[0]: <EMPTY> — fast_path's tail_call will fail; traffic \
+             falls to kernel slow-path. Restart packetframe to repopulate."
+        ),
+        Err(e) => eprintln!("  MUTATION_PROGS pin unavailable ({e}); loader may not be attached"),
+    }
+}
+
 #[cfg(all(target_os = "linux", feature = "fast-path"))]
 fn print_stats(bpffs_root: &Path) {
     // §4.6 counter names, indexed by `StatIdx` discriminants. Order
     // matches `crates/modules/fast-path/bpf/src/maps.rs::StatIdx`.
     // Append-only — adding new entries at the end is fine; renumbering
     // breaks dashboards. Indices 0-19 are the kernel-fib counter set;
     // 20-31 were appended in the Option F custom-FIB rollout (§4.11).
-    const NAMES: [&str; 33] = [
+    const NAMES: [&str; 37] = [
         "rx_total",
         "matched_v4",
         "matched_v6",
@@ -799,6 +825,12 @@ fn print_stats(bpffs_root: &Path) {
         "nexthop_seq_retry",
         "bmp_peer_down",
         "bogon_dropped",
+        // --- v0.2.4: mss-clamp ---
+        "mss_clamp_applied",
+        "mss_clamp_skipped",
+        // --- v0.2.5: two-stage datapath ---
+        "err_tail_call",
+        "err_mutation_ctx",
     ];
 
     print_fib_status(bpffs_root);