v0.1.1
Sooket v0.1.1 — Optional auth for the management surface.
What's new
- Shared-secret auth gate (opt-in): set SOOKET_AUTH_TOKEN to require a secret on the management API + dashboard. Programmatic callers send Authorization: Bearer <token>; the browser unlocks once at /unlock. Enforced centrally in proxy.ts; all token checks are constant-time. Public routes (/api/v1/*, /api/webhooks/*, /api/health, /unlock) stay open, and the management-key-gated admin backup is exempt. Unset = open (the historical default).
- Exposure warning (always on): a loud startup banner now fires when the server binds to a non-loopback host without SOOKET_AUTH_TOKEN, in both the Next.js and execution-server processes.
- CI now runs on pushes to dev as well as main.
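
An added example (not Sooket's own code) of the gate logic described above for the programmatic Bearer path: an unset token means open, the listed public routes bypass the check, and the token comparison does not stop at the first mismatch. The function names are hypothetical, the hand-rolled XOR comparison stands in for whatever constant-time primitive proxy.ts uses, and the browser /unlock flow and the exempt admin backup route are left out because the notes give no details for them.

```typescript
// Added example, not Sooket's code. Route list is taken from the release notes.
const PUBLIC_PREFIXES = ["/api/v1/", "/api/webhooks/"]; // the "/*" routes
const PUBLIC_EXACT = ["/api/health", "/unlock"];

// Compare without returning at the first mismatching character. The loop runs
// over the longer input and the length difference is folded into the result.
function safeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    // charCodeAt past the end gives NaN, which the bitwise operators treat as 0
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Assumes `path` is the URL pathname. Paths with ".." segments are never
// treated as public, so "/api/v1/../x" cannot ride on the "/api/v1/" prefix.
function isPublic(path: string): boolean {
  if (path.split("/").indexOf("..") !== -1) return false;
  if (PUBLIC_EXACT.indexOf(path) !== -1) return true;
  // Prefixes end in "/", so "/api/v1evil" does not match "/api/v1/".
  return PUBLIC_PREFIXES.some((p) => path.slice(0, p.length) === p);
}

type Decision = "allow" | "deny";

// token is the value of SOOKET_AUTH_TOKEN; an empty value is treated as unset
// (an assumption of this example).
function authorize(
  path: string,
  authHeader: string | null,
  token: string | undefined,
): Decision {
  if (!token) return "allow"; // unset = open, the historical default
  if (isPublic(path)) return "allow";
  const m = /^Bearer (.+)$/.exec(authHeader || "");
  return m !== null && safeEqual(m[1], token) ? "allow" : "deny";
}
```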
Still no per-user accounts — this is a single shared secret for self-hosted exposure, not a multi-user auth system. Loopback bind remains the default security model.
License: source-available under FSL-1.1-MIT (converts to MIT two years after release).