v1.18.0
Highlights
Engram Cloud now supports principal-based user and token management end to end.
This release replaces the old single-token cloud model with managed human users, per-user managed tokens, project grants, first-admin bootstrap, dashboard administration, and runtime managed-token authentication while preserving the legacy ENGRAM_CLOUD_TOKEN path during migration.
Cloud user and token management
- Added managed principals, human users, per-user hashed tokens, and project grants backed by cloud storage.
- Enforced deny-by-default project access for managed principals on sync routes.
- Added managed-admin JSON API handlers for users, tokens, grants, enable/disable, and revoke flows.
- Added dashboard sessions for managed admins, first-admin bootstrap, and managed-user UI for tokens and grants.
- Added CLI bootstrap support for creating the first managed admin and optionally issuing the first managed token.
- Wired
engram cloud serveso managed tokens authenticate against real runtime storage whenENGRAM_CLOUD_TOKEN_PEPPERis configured.
Security and audit hardening
- Managed tokens are shown only once and stored as hashes using a dedicated token pepper.
- Disabled managed users cannot receive newly issued managed tokens.
- Revoked tokens and disabled users are rejected consistently by the runtime auth path.
- Token issuance and success audit insertion are atomic for admin API, dashboard, and bootstrap token issuance, so failed audit writes do not leave live unaudited credentials.
- Dashboard login, bootstrap, legacy recovery, deny, and admin mutation paths now record stronger audit events.
Dashboard and operator UX
- Added managed-user dashboard pages for listing users, inspecting details, issuing tokens, granting projects, revoking tokens/grants, and enabling/disabling users.
- Disabled users no longer show an active token creation affordance.
- Disabled-user token creation attempts render a dashboard-styled
409page instead of raw plain text. - Docker compose examples now document
ENGRAM_CLOUD_TOKEN_PEPPERfor managed-token auth testing.
Documentation
- Updated cloud quickstart and troubleshooting docs for managed-token bootstrap and token pepper configuration.
- Archived the OpenSpec change artifacts and promoted the cloud user token management spec.
Validation
- Local validation before release:
go test ./... - Tracker PR CI: Unit Tests and E2E Tests passed.
- Local Docker QA verified authenticated mode, managed-token sync, invalid-token rejection, user/token/grant flows, revocation, disabled-user rejection, and dashboard persistence.
Changelog
- 76cb9fe Merge cloud user token management
- 064c20a fix(cloud): make managed token issuance audit atomic
- 4b4a85a562cf291c6dc86e5b59f39f010e12c74d fix(cloud): polish disabled token dashboard UX
- 3c6c7ce fix(cloud): reject token issuance for disabled users
- 8babe577a28e3b91b2b6223282d30a83e3ae33e3 feat(cloud): wire managed-token auth into cloud runtime
- ee2ac819c807f9cba26bd7d5d57c94fde2a65b31 feat(cloud): add CLI admin bootstrap and sync contract tests
- 7587be0e4711e20de986e494fa8a98a24e9d4cc9 feat(cloud): add managed-user dashboard UX
- 4035ab5df370d5a96767324689f973dd89ffd523 feat(cloud): audit dashboard login and legacy recovery
- 4bd03db532567a27b95f53a3c8927e5c64c26aa5 feat(cloud): add dashboard principal sessions and bootstrap
- 7172b953b7231e7371ade07d00e2a0d25ec18c19 feat(cloud): add managed admin API handlers
- 2669f3bf7b7c0d2031acb74323850bf329f13168 feat(cloud): enforce principal sync grants
- 9defadf8177eae2780aa8a73f399c00ab143354a feat(cloud): add identity storage foundation
- d4c3b386c11389997468f9af13f4e674d1412637 feat(cloud): add auth principal foundation
- a6c473dc8b577598f628122d256a1d93d6d51143 docs(cloud): plan user token management
- 18890d0 docs: refresh codebase setup guide
- 6fc70fb26a08d9fb9b66dac29dd3a63173136133 fix(pi): clarify native Engram provider failures
- 44faeee5731a093fa4577bd81aec0f3f7dc3e52d fix(setup): update cursor post-install test after #522 (#524)