Releases: AFAuthHQ/cli
Release list
v0.6.1
afauth v0.6.1 — security patch
Two High-severity hardening fixes to how the agent runtime handles redirects and attestation audiences. Upgrading is recommended for anyone running afauth against untrusted or third-party services.
Fixes
- Cross-origin redirect credential leak. The signed-request, discovery, and trust-attestor HTTP clients followed cross-host redirects, and Go's default redirect policy does not strip custom headers on a host change — so a service (or on-path attacker) that returned a
30xto another origin would receive the liveAFAuth-AttestationJWT andSignatureheader. All three clients now refuse cross-origin redirects. - Attestation audience confused-deputy. Auto-attest minted an attestation audience-bound to
service_didtaken verbatim from an unauthenticated discovery document — a host advertisingservice_did=did:web:bank.comcould harvest a token replayable against the realbank.com. Auto-attest now requires adid:webservice DID to be anchored at the host that served its discovery document before minting; non-did:webaudiences (which carry no DNS anchor) emit a warning instead.
No CLI flags or commands changed — existing identities, links, and config carry over unchanged.
Install
brew install AFAuthHQ/tap/afauth # or: brew upgrade afauthPrebuilt binaries for macOS / Linux / Windows × amd64 / arm64 are attached below.
v0.6.0
Keyless trust mint (§3.1)
afauth now authenticates to the trust attestor by signing each /v1/token mint with the agent's account key (RFC 9421 / §5) instead of storing and presenting a bearer binding_token. The agent's keypair is the sole credential — there is no standing secret to leak.
Changed
afauth trust token,afauth signup(discovery-driven auto-attest), andafauth call --attest(§10.7 refresh-on-challenge) now sign the mint request with the agent key.~/.afauth/trust.jsonno longer stores abinding_token— only the binding id and its expiry. Existingtrust.jsonfiles keep working: the old field is ignored on load, so upgrading needs no re-link.
Compatibility
- Requires a trust attestor that accepts §5-signed mints. The default
trust.afauth.orgdoes as of this release. An older attestor that still expects a bearer token will rejectv0.6.0— re-link is not needed, but the attestor must be on the keyless build.
Binaries for macOS / Linux / Windows × amd64 / arm64 are attached below; brew upgrade afauth updates the Homebrew cask.
v0.5.0
afauth v0.5.0 keeps long-lived agent access alive on its own, adds an afauth status command, and makes key rotation safer.
New
afauth call --attest— stay signed in automatically (§10.7). When a service needs a fresh attestation,callgets one and retries for you, so an agent keeps working without re-runningafauth signup. If the human has revoked the link, it stops and tells you to re-link rather than looping.afauth status— see at a glance who your agent is and whether it's linked to a human at trust.afauth.org, and how it was verified.- Safer key rotation. Rotation now keeps automatic key backups and warns you before a change could leave you locked out of an account.
Fixed
afauth trust linknow works over SSH / headless machines — linking finishes in the background, so you don't need a local browser.- Fixed the
trust.jsonpath shown in--help.
Install
brew upgrade afauthhq/tap/afauth # or: brew install afauthhq/tap/afauthOr grab a binary below — macOS / Linux / Windows × amd64 / arm64; verify against checksums.txt.
Full commit log: v0.4.0...v0.5.0
v0.4.0
Changelog
- f3f0102 ci(e2e): reuse HOMEBREW_TAP_GITHUB_TOKEN, drop probe
- d5f8173 ci: add e2e interop workflow
- 58e8ba7 ci: one-shot probe of HOMEBREW_TAP_GITHUB_TOKEN scope
- f3b0700 fix(discovery): default to https for scheme-less service URLs
- 6756aa2 release: bump README status to v0.4.0
- d5b61a7 signup: auto-mint trust attestation when service requires it
v0.3.1
v0.3.0
v0.2.1
v0.2.0
v0.1.0-alpha.0
Changelog
- 63fe70d Add go.sum and indirect dep declarations from go mod tidy
- 1755c91 Align signing.go docstring to current spec (§5.2)
- 2ef6884 Drop
afauth mcpsubcommand from v0.1 scaffolding - 701ff0e Fix .gitignore: anchor afauth binary patterns to repo root
- a93c46e G1: implement v0.1 wire primitives + init/whoami
- 0c0007e G2: discovery validator + AFAuth-signed HTTP client + discover/call
- 1e89665 G3: account lifecycle — signup, invite, accounts list/show
- aea998e G4: keys rotate / export / import
- 0b5a634 G5: probe — conformance harness against a live AFAuth service
- e0d5a6d Initial scaffold
- 144ba12 Move module path and refs to AFAuthHQ org
- 3e3ceb3 ci: add goreleaser release workflow + drop brews stanza
- 9d0e500 probe_test: drop fmt.Sscanf return values explicitly (errcheck lint)
v0.1.0
Changelog
- 7701393 release: stable v0.1.0