Skip to content

Releases: AFAuthHQ/cli

v0.6.1

Choose a tag to compare

@github-actions github-actions released this 04 Jun 03:53

afauth v0.6.1 — security patch

Two High-severity hardening fixes to how the agent runtime handles redirects and attestation audiences. Upgrading is recommended for anyone running afauth against untrusted or third-party services.

Fixes

  • Cross-origin redirect credential leak. The signed-request, discovery, and trust-attestor HTTP clients followed cross-host redirects, and Go's default redirect policy does not strip custom headers on a host change — so a service (or on-path attacker) that returned a 30x to another origin would receive the live AFAuth-Attestation JWT and Signature header. All three clients now refuse cross-origin redirects.
  • Attestation audience confused-deputy. Auto-attest minted an attestation audience-bound to service_did taken verbatim from an unauthenticated discovery document — a host advertising service_did=did:web:bank.com could harvest a token replayable against the real bank.com. Auto-attest now requires a did:web service DID to be anchored at the host that served its discovery document before minting; non-did:web audiences (which carry no DNS anchor) emit a warning instead.

No CLI flags or commands changed — existing identities, links, and config carry over unchanged.

Install

brew install AFAuthHQ/tap/afauth   # or: brew upgrade afauth

Prebuilt binaries for macOS / Linux / Windows × amd64 / arm64 are attached below.

v0.6.0

Choose a tag to compare

@github-actions github-actions released this 03 Jun 06:41

Keyless trust mint (§3.1)

afauth now authenticates to the trust attestor by signing each /v1/token mint with the agent's account key (RFC 9421 / §5) instead of storing and presenting a bearer binding_token. The agent's keypair is the sole credential — there is no standing secret to leak.

Changed

  • afauth trust token, afauth signup (discovery-driven auto-attest), and afauth call --attest (§10.7 refresh-on-challenge) now sign the mint request with the agent key.
  • ~/.afauth/trust.json no longer stores a binding_token — only the binding id and its expiry. Existing trust.json files keep working: the old field is ignored on load, so upgrading needs no re-link.

Compatibility

  • Requires a trust attestor that accepts §5-signed mints. The default trust.afauth.org does as of this release. An older attestor that still expects a bearer token will reject v0.6.0 — re-link is not needed, but the attestor must be on the keyless build.

Binaries for macOS / Linux / Windows × amd64 / arm64 are attached below; brew upgrade afauth updates the Homebrew cask.

v0.5.0

Choose a tag to compare

@github-actions github-actions released this 02 Jun 15:37

afauth v0.5.0 keeps long-lived agent access alive on its own, adds an afauth status command, and makes key rotation safer.

New

  • afauth call --attest — stay signed in automatically (§10.7). When a service needs a fresh attestation, call gets one and retries for you, so an agent keeps working without re-running afauth signup. If the human has revoked the link, it stops and tells you to re-link rather than looping.
  • afauth status — see at a glance who your agent is and whether it's linked to a human at trust.afauth.org, and how it was verified.
  • Safer key rotation. Rotation now keeps automatic key backups and warns you before a change could leave you locked out of an account.

Fixed

  • afauth trust link now works over SSH / headless machines — linking finishes in the background, so you don't need a local browser.
  • Fixed the trust.json path shown in --help.

Install

brew upgrade afauthhq/tap/afauth      # or: brew install afauthhq/tap/afauth

Or grab a binary below — macOS / Linux / Windows × amd64 / arm64; verify against checksums.txt.

Full commit log: v0.4.0...v0.5.0

v0.4.0

Choose a tag to compare

@github-actions github-actions released this 29 May 09:00

Changelog

  • f3f0102 ci(e2e): reuse HOMEBREW_TAP_GITHUB_TOKEN, drop probe
  • d5f8173 ci: add e2e interop workflow
  • 58e8ba7 ci: one-shot probe of HOMEBREW_TAP_GITHUB_TOKEN scope
  • f3b0700 fix(discovery): default to https for scheme-less service URLs
  • 6756aa2 release: bump README status to v0.4.0
  • d5b61a7 signup: auto-mint trust attestation when service requires it

v0.3.1

Choose a tag to compare

@github-actions github-actions released this 28 May 08:21

Changelog

  • 33811e1 cmd/afauth: auto-open browser on trust link
  • b81594a cmd/afauth: first-time signup hint + phase-aware waiting line
  • f2269a4 release: v0.3.1 — trust link UX polish (auto-open browser, phase prompt, signup hint)

v0.3.0

Choose a tag to compare

@github-actions github-actions released this 28 May 07:11

Changelog

  • 476bda8 ci: strip macOS quarantine xattr in cask postflight
  • 286ac7a cmd/afauth: add trust subcommand for AFAP-0006 attestor
  • 8bbfb2e cmd/afauth: drop unused mu field from stubTrust
  • b69f1de release: v0.3.0 — afauth trust subcommand (AFAP-0006)

v0.2.1

Choose a tag to compare

@github-actions github-actions released this 27 May 09:05

Changelog

  • bc76acc ci: clear goreleaser v2 deprecation warnings
  • bca65bc ci: forward HOMEBREW_TAP_GITHUB_TOKEN to goreleaser
  • c111b0e ci: gate on cross-package coverage (floor 75%)
  • dbe9994 ci: homebrew_casks.binary → binaries (list form)
  • fe5303b cmd/afauth: add end-to-end CLI test harness

v0.2.0

Choose a tag to compare

@github-actions github-actions released this 23 May 03:13

Changelog

  • ff5e2ab main: rewrite -help and -version to POSIX form
  • b74001d release: wire homebrew tap auto-publish
  • 736026d remove afauth probe subcommand

v0.1.0-alpha.0

Choose a tag to compare

@github-actions github-actions released this 21 May 09:14

Changelog

  • 63fe70d Add go.sum and indirect dep declarations from go mod tidy
  • 1755c91 Align signing.go docstring to current spec (§5.2)
  • 2ef6884 Drop afauth mcp subcommand from v0.1 scaffolding
  • 701ff0e Fix .gitignore: anchor afauth binary patterns to repo root
  • a93c46e G1: implement v0.1 wire primitives + init/whoami
  • 0c0007e G2: discovery validator + AFAuth-signed HTTP client + discover/call
  • 1e89665 G3: account lifecycle — signup, invite, accounts list/show
  • aea998e G4: keys rotate / export / import
  • 0b5a634 G5: probe — conformance harness against a live AFAuth service
  • e0d5a6d Initial scaffold
  • 144ba12 Move module path and refs to AFAuthHQ org
  • 3e3ceb3 ci: add goreleaser release workflow + drop brews stanza
  • 9d0e500 probe_test: drop fmt.Sscanf return values explicitly (errcheck lint)

v0.1.0

Choose a tag to compare

@github-actions github-actions released this 21 May 09:38

Changelog