v0.6.0
Keyless trust mint (§3.1)
afauth now authenticates to the trust attestor by signing each /v1/token mint with the agent's account key (RFC 9421 / §5) instead of storing and presenting a bearer binding_token. The agent's keypair is the sole credential — there is no standing secret to leak.
Changed
afauth trust token,afauth signup(discovery-driven auto-attest), andafauth call --attest(§10.7 refresh-on-challenge) now sign the mint request with the agent key.~/.afauth/trust.jsonno longer stores abinding_token— only the binding id and its expiry. Existingtrust.jsonfiles keep working: the old field is ignored on load, so upgrading needs no re-link.
Compatibility
- Requires a trust attestor that accepts §5-signed mints. The default
trust.afauth.orgdoes as of this release. An older attestor that still expects a bearer token will rejectv0.6.0— re-link is not needed, but the attestor must be on the keyless build.
Binaries for macOS / Linux / Windows × amd64 / arm64 are attached below; brew upgrade afauth updates the Homebrew cask.