voice--v0.0.2
Changed
- security: in-band cert pinning — v2 pairing strings now include the dispatcher public cert PEM, and the plugin validates WSS using Bun's TLS
capath before sending the bearer token. This removes the previous two-connection fingerprint preflight and closes the token-leak TOCTOU window. - plugin: v2 config — secure
wss://configs now requiredispatcher_cert_pemplus matchingdispatcher_cert_sha256; legacy fingerprint-only configs fail closed with re-pair guidance. - dispatcher: auth failure logging — token rejection now logs the claimed agent ID so operators can diagnose misconfigured agents without enabling debug mode.
- plugin: permanent 4001 close — the plugin no longer retries after a
4001 Unauthorizedclose; it writes a clear error with fix instructions tostatus.jsonand exits cleanly, preventing reconnect storms on bad tokens.
Upgrade Instructions
Upgrade both dispatcher and plugin, then re-pair every agent with a fresh voicepair_... string from voice-dispatcher config rotate-token <id> or voice-dispatcher config add-agent <id> ....