
Tandem v0.7.0


@bloknayrb bloknayrb released this 20 Apr 18:20
· 1326 commits to master since this release

v0.7.0 — Cowork Foundation Auth

Added

  • Auth token storage — on first boot the server generates a 32-byte base64url token and persists it to the platform data directory. Subsequent boots reuse the token. O_EXCL protects the first-boot race. Tauri mode receives the token via TANDEM_AUTH_TOKEN env before sidecar spawn.
  • Auth middleware — non-loopback MCP and API requests require Authorization: Bearer <token>. Loopback connections remain exempt, preserving zero-config Claude Code usage. Token comparison uses SHA-256 + timingSafeEqual. Rate-limiting (5 attempts / 60 s) per IP with LRU eviction; Authorization headers are redacted from rejection logs.
  • TANDEM_BIND_HOST bind-mode selection — MCP HTTP server binds to 127.0.0.1 by default; set TANDEM_BIND_HOST=0.0.0.0 to expose on LAN. Hocuspocus WebSocket always stays loopback. Non-loopback bind without a token file exits 1. TANDEM_ALLOW_UNAUTHENTICATED_LAN=1 is the escape hatch.
  • tandem rotate-token — atomically regenerates the auth token, opens a 60-second grace window, and re-runs tandem setup across all detected MCP config files. Prints old and new token fingerprints.
  • Token forwarding — tandem mcp-stdio, tandem monitor, and the channel sidecar forward TANDEM_AUTH_TOKEN as Authorization: Bearer.
  • OAuth protected-resource metadata — /.well-known/oauth-protected-resource/mcp declares bearer_methods_supported: ["header"] per RFC 9728.

Security

  • Loopback detection keys off req.socket.remoteAddress exclusively; client-supplied headers are never consulted when deciding whether a request is exempt from bearer auth.
  • Fail-closed on LAN bind without a token file.
  • crypto.randomBytes failure → server exits 1; no silent fallback.

See the assets to download and install Tandem, or npm install -g tandem-editor for the CLI.