v2026.2.17

github-actions released this 16 Feb 22:09

leak now supports multi-artifact hosting from one machine, stronger access-mode security, and cleaner buyer/seller flows.

Highlights

  • Added leak host for multi-file hosting with one shared proxy and path-prefix routing.
    • One worker per route (artifact), e.g. /leak/lolboy/*, /leak/peter/*
    • Route-scoped config, including per-route price and payTo
    • New example config: examples/multi-host.example.json
  • Added host public ingress modes:
    • Local-only by default
    • --public starts one shared Cloudflare quick tunnel automatically
    • Optional publicOrigin for named/manual ingress (takes precedence over quick tunnel)
  • Added host safety parity with single-file publish:
    • Non-interactive public runs require --public-confirm I_UNDERSTAND_PUBLIC_EXPOSURE
  • Improved host startup UX:
    • Consolidated Public Tunnel URL summary
    • Reduced noisy startup logs
    • Public URLs print after worker startup banners

Access Modes and Download-Code Security

  • Unified access-mode model:
    • no-download-code-no-payment
    • download-code-only-no-payment
    • payment-only-no-download-code (default)
    • download-code-and-payment
  • Replaced legacy access-secret terminology with download-code naming across CLI/docs/runtime.
  • Added hash-only download-code handling (DOWNLOAD_CODE_HASH), with timing-safe verification.
  • Added explicit /download gate ordering:
    • download-code check first (401)
    • payment check second (402) when enabled
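
The gate ordering and hash-only check listed above, sketched in Node.js as an added example (not code from the leak project). It assumes DOWNLOAD_CODE_HASH holds a hex-encoded SHA-256 digest of the code; `gateDownload`, `codeMatches`, `req.downloadCode` and `req.paymentVerified` are hypothetical names.

```javascript
const crypto = require("node:crypto");

// Assumption: the stored value is SHA-256 of the download code (the release
// notes name DOWNLOAD_CODE_HASH but do not state the hash function).
function hashCode(code) {
  return crypto.createHash("sha256").update(code, "utf8").digest();
}

// Which gates each access mode enables (mode names are from the release notes).
const MODES = {
  "no-download-code-no-payment": { code: false, pay: false },
  "download-code-only-no-payment": { code: true, pay: false },
  "payment-only-no-download-code": { code: false, pay: true },
  "download-code-and-payment": { code: true, pay: true },
};

// Compare hash to hash in constant time; the plaintext code is never stored.
function codeMatches(presented, storedHashHex) {
  if (typeof presented !== "string" || typeof storedHashHex !== "string") return false;
  const expected = Buffer.from(storedHashHex, "hex");
  const actual = hashCode(presented);
  // timingSafeEqual throws on unequal lengths, so reject a malformed stored hash first.
  if (expected.length !== actual.length) return false;
  return crypto.timingSafeEqual(actual, expected);
}

// Returns the HTTP status a /download gate would answer with.
function gateDownload(mode, req, env) {
  const gates = MODES[mode];
  if (!gates) throw new Error(`unknown access mode: ${mode}`);
  if (gates.code) {
    // Fail closed when the mode needs a code but no hash is configured.
    const stored = env.DOWNLOAD_CODE_HASH;
    if (!stored || !codeMatches(req.downloadCode, stored)) return 401;
  }
  // Payment is evaluated only after the code gate has passed.
  if (gates.pay && !req.paymentVerified) return 402;
  return 200;
}

// Constructed sample configuration: only the hash of a made-up code is kept.
const sampleEnv = { DOWNLOAD_CODE_HASH: hashCode("example-code-123").toString("hex") };
```

Because the code check runs first, a caller with a wrong or missing code gets 401 and never sees the 402 payment challenge.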

Buyer/Seller Flow Improvements

  • Buyer CLI now supports:
    • --download-code / --download-code-stdin
    • payment flow triggered only when a 402 challenge is returned
  • Added interactive publish wizard via leak publish:
    • guided basic + optional advanced steps
    • explicit launch confirmation
    • optional save defaults to ~/.leak/config.json
  • Publish runs are supervised and auto-restarted with fixed sale deadlines.

Discovery and Skill Changes

  • Switched discovery/install guidance to leak-buy (hard switch).
  • Legacy /.well-known/skills/leak/* endpoints removed.
  • Scoped skills model:
    • leak-buy (buy/download)
    • leak-publish (publish/sell)

Security Hardening

  • Stronger buyer key handling and safer CLI flag usage.
  • Hardened publish artifact-path checks and sensitive-path protections.
  • Added release checks for terminology, skill security, and path hygiene.

Upgrade Notes

  • For multi-host public mode, install cloudflared.
  • If upgrading existing automation/docs, migrate to new access-mode names and download-code terminology.
  • If using skill discovery, migrate consumers from leak endpoints to leak-buy.

Full Changelog: v2026.2.16...v2026.2.17