Release ModelFaucet v1.1.0 · HiClawBot/modelfaucet

English

ModelFaucet v1.1.0 is a source GA auth hardening release.

Highlights:

Adds scoped developer API tokens with one-time raw token return, SHA-256 hash-only storage, token prefixes, scopes, expiry, revocation, and audit logging.
Adds developer token lifecycle APIs: POST /v1/developer/tokens, GET /v1/developer/tokens, DELETE /v1/developer/tokens/:tokenId.
Keeps DEVELOPER_ADMIN_TOKEN as a bootstrap/operator compatibility path.
Enforces developer_id tenant filters across developer apps, features, operations, tokens, and developer provider keys.
Keeps provider API keys server-side only, with encrypted storage and masked summaries.
Updates bilingual Developer Auth docs, README, roadmap, API spec, release checklist, and GA verifier.

Validation:

Local: pnpm lint, pnpm typecheck, pnpm test, pnpm ga:verify, pnpm verify:secrets, pnpm docs:build, pnpm security:audit, pnpm build, pnpm deps:review.
Database: temporary PostgreSQL migrate/seed, hosted tenant isolation, local smoke, and live developer-auth tenant smoke.
Remote: CI 27737709384 passed; docs 27737709381 passed.

ModelFaucet v1.1.0 是 source GA auth hardening 版本。

重点：

新增 scoped developer API tokens：raw token 只在创建时返回一次，数据库只保存 SHA-256 hash、token prefix、scopes、过期、撤销和 audit 信息。
新增 token 生命周期 API：POST /v1/developer/tokens、GET /v1/developer/tokens、DELETE /v1/developer/tokens/:tokenId。
保留 DEVELOPER_ADMIN_TOKEN 作为 bootstrap/operator 兼容路径。
在 developer apps、features、operations、tokens 和 developer provider keys 上强制 developer_id 租户过滤。
Provider API keys 仍只保存在服务端，只返回 masked summary。
更新双语 Developer Auth 文档、README、roadmap、API spec、release checklist 和 GA verifier。

验证：

本地通过：pnpm lint、pnpm typecheck、pnpm test、pnpm ga:verify、pnpm verify:secrets、pnpm docs:build、pnpm security:audit、pnpm build、pnpm deps:review。
数据库验证：临时 PostgreSQL migrate/seed、hosted tenant isolation、local smoke、live developer-auth tenant smoke。
远端通过：CI 27737709384；docs 27737709381。