v0.3.0 — Scope-down tickets, owner-only secrets, adopted site docs
The custody release: tickets gain a second capability tier without a second paste, secret files become owner-only on disk, and the docs-site pages for the /node section now live in this repository so they version with the node.
Features
- Scope-down ticket exchange (#4):
POST /t/<secret>/derive-sync-ticketlets a provision-scoped ticket mint a complete, parent-linked sync ticket. Revoking the parent revokes everything derived from it — live derived sockets close with4001— andticket listshows lineage revocation. Sync-scoped and unknown secrets get the standard non-enumerable401;tickets.jsonstays v1 (additiveparentId). This is what lets a lofi app persist transport-only credential material and custody the provision original behind the user's passkey.
Security
- Owner-only secret files (#3):
config.json(holding the backend and admin secrets) is written0600inside a0700data directory, and installs created before modes were set are healed on every load —config.json,iroh.key, and the directory alike. POSIX only; mode assertions in tests, skipped on Windows.
Documentation
- The 13 site-voice pages for lofi.host's /node section are adopted under
docs/site/, gated by this repo's CI and consumed by the lofi site at a pinned checkout (#6) - Ticket custody is stated as the app actually ships it — sealed at rest, provision capability passkey-gated, password manager as the durable copy (#5, #8)
- Browser convergence is recorded as validated against lofi-node, with the benign boot-time warning named (#7)
- Operator hardening: proxy-log redaction with concrete Caddy and nginx configs, the secret-in-URL rationale, and app-shell weight/precompression guidance (#8)
Full Changelog: v0.2.1...v0.3.0