v0.2.0

@github-actions github-actions released this 12 Jun 21:00
· 9 commits to main since this release

tokenleader v0.2.0 — multi-device

One handle, many machines.

Added

  • Multi-device support: a new user_devices table (one row per machine, sha256 of that machine's TOFU secret); /ingest authenticates against any active device.
  • Link codes: tokenleader link (or admin POST /admin/link) mints a one-time, 10-minute, single-use code. A new machine installs with --link=CODE and redeems it on first ingest (X-Tokenleader-Link).
  • Device management: tokenleader devices / tokenleader revoke, GET /devices, POST /devices/revoke, and a per-device fleet view.
  • TOKENLEADER_COMPANY_ALIASES: operator-defined rewrites for self-reported company headers at ingest.
  • README wired to the published Railway deploy template.

Security

  • Server-side handle charset validation (/^[a-z0-9._-]{1,64}$/) in validateEvent, closing a metacharacter-in-handle vector.
  • Durable revocation: a revoked device's secret is barred from auto-reclaim, so a kicked daemon can't resurrect.
  • Rollback-drift reconciliation on auth-success and at boot.
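
How the pieces above can fit together on the server side, as an added sketch that is not tokenleader's own code: handle validation before any lookup, a link code stored only as a hash and redeemed once within 10 minutes, and a revoked device row kept as a tombstone so the same secret cannot re-register. The in-memory maps and the function names (`createStore`, `mintLink`, `ingest`, `revoke`) are assumptions; only the handle regex is quoted from these notes.

```javascript
// Added sketch, not the project's implementation. All names are hypothetical
// except HANDLE_RE, which is the pattern quoted in the release notes.
const crypto = require('node:crypto');

const HANDLE_RE = /^[a-z0-9._-]{1,64}$/;
const LINK_TTL_MS = 10 * 60 * 1000; // link codes live for 10 minutes
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// devices: sha256(secret) -> { handle, revoked }
// links:   sha256(code)   -> { handle, expires, used }
function createStore() {
  return { devices: new Map(), links: new Map() };
}

function mintLink(store, handle, now = Date.now()) {
  if (!HANDLE_RE.test(handle)) throw new Error('invalid handle');
  const code = crypto.randomBytes(16).toString('hex');
  store.links.set(sha256(code), { handle, expires: now + LINK_TTL_MS, used: false });
  return code; // returned once; the server keeps only the hash
}

// linkCode stands in for the value of the X-Tokenleader-Link header.
function ingest(store, { handle, secret, linkCode }, now = Date.now()) {
  // Reject bad handles before they reach any query, path or log line.
  if (typeof handle !== 'string' || !HANDLE_RE.test(handle)) return 'bad-handle';
  if (typeof secret !== 'string' || secret === '') return 'denied';

  const dev = store.devices.get(sha256(secret));
  if (dev) {
    if (dev.handle !== handle) return 'denied';
    // A revoked row is a tombstone: checked before any link code is considered.
    return dev.revoked ? 'revoked' : 'ok';
  }

  if (typeof linkCode !== 'string') return 'denied';
  const link = store.links.get(sha256(linkCode));
  if (!link || link.used || link.handle !== handle || now > link.expires) return 'denied';
  link.used = true; // single use
  store.devices.set(sha256(secret), { handle, revoked: false });
  return 'linked';
}

function revoke(store, secret) {
  const dev = store.devices.get(sha256(secret));
  if (dev) dev.revoked = true; // keep the row so the secret stays barred
}
```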

Fixed

  • The binary installs as anara-leaderboard but the CLI is invoked as tokenleader, which produced "command not found". The installer now drops a guarded tokenleader -> anara-leaderboard symlink, and the daemon self-heals one on boot, so auto-updated machines get it without reinstalling. The uninstaller removes it.