v2.33.0

• Tmux-aware SSH: new window instead of TUI suspend
• When purple runs inside a tmux session, pressing Enter on a host opens SSH in a new tmux window named after the alias. The purple TUI stays alive in the original window so you can switch between sessions with prefix + n/p and keep navigating other hosts
• Detection via $TMUX env var. No tmux means the current suspend-and-restore behavior is unchanged
• Hosts with an askpass source (keychain, 1Password, Bitwarden, Vault KV, pass, cmd) keep the suspend-TUI flow because the askpass relay needs inherited stdin
• Vault SSH cert signing still runs before the tmux window opens, so short-lived certs are refreshed exactly as before. Signing status messages surface via the purple status bar
• Resolves #18

v2.32.1

• Remove vault sign from host list footer to reduce clutter

v2.32.0

• Structured logging to ~/.purple/purple.log
• --verbose flag enables debug-level logging. PURPLE_LOG env var for finer control (trace/debug/info/warn/error/off)
• purple logs subcommand: --tail to follow in real time, --clear to delete
• Log entries carry fault domain prefixes: [external] for remote/tool errors, [config] for local config issues, [purple] for internal errors
• Startup banner records purple version, SSH version, terminal, providers and askpass sources for diagnostics
• Automatic log rotation at 5 MB

v2.31.0

• HashiCorp Vault SSH certificate signing
• Short-lived SSH certificates signed via the HashiCorp Vault SSH secrets engine. Per-host role in # purple:vault-ssh <mount>/sign/<role>, per-provider default in vault_role=. Host overrides win over provider defaults
• V key bulk-signs every host needing renewal. Press V again to cancel. Detail panel shows cert TTL under the VAULT SSH section with a "(press V to sign)" affordance when missing, expired or invalid
• Automatic renewal on connect via ensure_vault_ssh_if_needed, so an expired cert is re-signed before the SSH session starts
• Cert cache under ~/.purple/certs/<alias>-cert.pub. Background status checks with 5 minute TTL, shorter 30 second backoff on errors
• Detail panel reflects external purple vault sign runs (CLI or another purple instance) within one render frame via mtime-based cache invalidation
• Vault SSH address configurable per host (# purple:vault-addr), per provider (vault_addr=) or per CLI invocation (purple vault sign --vault-addr). Purple exports the resolved value as VAULT_ADDR on the vault subprocess, so you no longer need to export it in every shell you launch purple from
• New "Vault SSH Role" and "Vault SSH Address" fields in the host and provider forms. Progressive disclosure: Address appears when Role is set, with provider inheritance hint
• CLI: purple vault sign <alias> and purple vault sign --all, both accepting --vault-addr <url>. Shells out to vault write -field=signed_key so existing Vault authentication (VAULT_TOKEN, token helpers, OIDC, etc.) applies
• Bulk sign detects concurrent external ~/.ssh/config edits via mtime and merges instead of overwriting, so edits in another editor are preserved
• Virtual tags vault-ssh (any host with a resolved role) and vault-kv (any host using the vault: askpass prefix) for filtering
• Distinct from the HashiCorp Vault KV secrets engine used as a password source via the vault: askpass prefix. UI, CLI and docs keep the two engines strictly separated
• Vault SSH address normalization: bare IP or hostname auto-expands to https://IP:8200. Explicit http:// for dev-mode Vault servers
• 30 second timeout on vault CLI subprocess. Previously hung indefinitely when the Vault server was unreachable
• Friendly error messages for common Vault SSH failures: connection refused, connection timed out, host not found, TLS mismatch (HTTP vs HTTPS), permission denied, token expired
• Signing progress shows animated spinner. Error messages stay visible until the next action (sticky status)
• Pre-check on V: warns immediately when no Vault address is configured instead of failing silently after the confirm dialog
• Detail panel Vault SSH section: shows role name instead of full mount path. Address moved to edit form (e) to save space
• 1000+ new tests covering the Vault SSH write paths, wildcard safety invariants (proptest across 512 random configs), Match block inertness, CRLF preservation, rollback on write failure, mtime cache staleness, subprocess env propagation and CLI flag parsing

v2.30.1

• Fix pattern tags missing from tag grouping tabs and counts
• Fix tag picker showing (0) for tags that only exist on patterns
• Fix generic search not matching pattern tags
• Fix group-by-tag clearing when tag only exists on a pattern

v2.30.0

• Color themes. 11 built-in themes with live preview (m key)
• Custom themes from ~/.purple/themes/*.toml
• CLI: purple theme list, purple theme set <name> and --theme <name> session override
• Pattern inheritance: ProxyJump, User and IdentityFile from pattern blocks (e.g. Host *, Host web-*) now inherited by matching hosts. ↗ indicator and ping logic reflect inherited ProxyJump
• Edit form shows inherited values as dimmed placeholders with source pattern (e.g. gateway ← *)
• Self-referencing ProxyJump loop detection: ↗ in error color, ROUTE warning in detail panel and fix hint in edit form when a pattern assigns a host as its own jump host
• Fix detail panel PATTERN MATCH section no longer shows hostname-matched patterns that SSH would not apply
• Fix error messages now show in overlay footers instead of behind dimmed background
• Fix editing multi-host patterns (e.g. Host web-* db-*) failing with false "no longer exists" error

v2.29.0

• Progressive disclosure in host and provider forms. Required fields shown first, arrow down reveals optional fields
• Demo mode (purple --demo) with synthetic data for screenshots and recordings

v2.28.0

• Animation state separated from App into dedicated AnimationState module
• Animated braille spinner for ping checking status

v2.27.3

• New welcome screen logo (ANSI Shadow style)
• Lowercase README badges

v2.27.2

• Record connection history when running snippets on hosts via TUI