v0.5.0 - Backend Testing & Security Hardening
What's Changed
Backend Fixes
- Fix auth refresh token validation for login-generated tokens vs SDK tokens
- Fix user org assignment during admin approval (users join admin's org)
- Fix MCP server verification returning 500 on DNS failures (now returns structured 200)
- Fix nil-panic in trust score update handler
- Fix MCP GetAgents route conflict with PQC middleware
- Add missing `mcp_server_keys` database table migration
New: OAuth 2.0 Token Endpoint
- Implement `POST /api/v1/oauth/token` per RFC 6749 / RFC 7523 (jwt-bearer grant)
- Ed25519 signature verification of the assertion against the agent's registered public key
- Full error handling: invalid grant type, missing fields, malformed assertions, signature failures
Security Hardening
- CRITICAL: OAuth token endpoint now cryptographically verifies JWT signatures (was accepting unsigned JWTs)
- HIGH: Docker-compose default `KEYVAULT_MASTER_KEY` added to the insecure secrets deny list
- MEDIUM: Hardened refresh token revocation: deleted SDK tokens can no longer be refreshed
- MEDIUM: MCP verification error messages sanitized to prevent infrastructure detail leakage
- MEDIUM: Restored cross-organization access denial test with real multi-org isolation
- LOW: Startup warning when rate limits are elevated due to `ENVIRONMENT=development/test`
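Worked example of what the jwt-bearer token endpoint and the CRITICAL signature fix above amount to. This is an added illustration, not the project's own handler: `VerifyAssertion`, `SignAssertion`, the `agentKeys` registry map, the error values and the assumption that the assertion's `aud` must equal the token endpoint URL are all this example's choices. It uses only the Go standard library; the `alg` is pinned to `EdDSA` before any key lookup, so an unsigned (`alg: none`) assertion, the case the old endpoint accepted, is rejected even when the issuer is a registered agent.

```go
// Added example, not the project's code. Names below (agentKeys, VerifyAssertion,
// SignAssertion, error values) are this example's assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const jwtBearerGrant = "urn:ietf:params:oauth:grant-type:jwt-bearer"

// Error values map onto RFC 6749 error codes in the token response body.
var (
	ErrGrantType    = errors.New("unsupported_grant_type")
	ErrMalformed    = errors.New("invalid_grant: malformed assertion")
	ErrAlg          = errors.New("invalid_grant: alg must be EdDSA")
	ErrUnknownAgent = errors.New("invalid_client: unknown issuer")
	ErrSignature    = errors.New("invalid_grant: signature verification failed")
	ErrAudience     = errors.New("invalid_grant: audience mismatch")
	ErrExpired      = errors.New("invalid_grant: assertion expired")
)

type jwtHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ,omitempty"`
}

// jwtClaims is the subset of RFC 7523 section 3 claims checked here.
type jwtClaims struct {
	Iss string `json:"iss"` // agent ID, used to look up the registered key
	Sub string `json:"sub"`
	Aud string `json:"aud"` // assumed to be the token endpoint URL
	Exp int64  `json:"exp"`
}

// agentKeys stands in for the registry of Ed25519 public keys by agent ID (assumed).
type agentKeys map[string]ed25519.PublicKey

// VerifyAssertion validates a jwt-bearer grant. The signature is checked over the
// exact base64url "header.payload" bytes received, never over re-serialized JSON.
func VerifyAssertion(grantType, assertion, tokenURL string, keys agentKeys, now time.Time) (*jwtClaims, error) {
	if grantType != jwtBearerGrant {
		return nil, ErrGrantType
	}
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, ErrMalformed
	}
	var hdr jwtHeader
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, ErrMalformed
	}
	if hdr.Alg != "EdDSA" { // rejects "none" and any foreign algorithm before key lookup
		return nil, ErrAlg
	}
	claimJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrMalformed
	}
	var claims jwtClaims
	if err := json.Unmarshal(claimJSON, &claims); err != nil {
		return nil, ErrMalformed
	}
	pub, ok := keys[claims.Iss]
	if !ok {
		return nil, ErrUnknownAgent
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, ErrMalformed
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, ErrSignature
	}
	if claims.Aud != tokenURL {
		return nil, ErrAudience
	}
	if claims.Exp == 0 || !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, ErrExpired
	}
	return &claims, nil
}

// SignAssertion is the SDK side: it builds the assertion an agent would send.
// alg "none" yields an unsigned token, the shape the endpoint used to accept.
func SignAssertion(priv ed25519.PrivateKey, claims jwtClaims, alg string) string {
	hdr, _ := json.Marshal(jwtHeader{Alg: alg, Typ: "JWT"})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	if alg == "none" {
		return input + "."
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed test key, not a real agent's
	keys := agentKeys{"agent-42": pub}
	now := time.Now()
	aud := "https://api.example.test/api/v1/oauth/token" // assumed endpoint URL
	claims := jwtClaims{Iss: "agent-42", Sub: "agent-42", Aud: aud, Exp: now.Add(5 * time.Minute).Unix()}
	for _, alg := range []string{"EdDSA", "none"} {
		_, err := VerifyAssertion(jwtBearerGrant, SignAssertion(priv, claims, alg), aud, keys, now)
		fmt.Printf("alg=%s -> err=%v\n", alg, err)
	}
}
```

The order of checks matters: algorithm pinning comes before the key lookup and the signature check, so an attacker who knows a valid agent ID gains nothing from an unsigned assertion, and the audience and expiry checks run only after the signature is good, so error messages never leak whether a forged assertion had otherwise-plausible claims.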
Integration Tests
- Resolved all 18 previously skipped integration tests
- 459 PASS, 0 FAIL, 0 SKIP
- OAuth tests use real Ed25519 cryptographic signatures
- Cross-org test creates users in separate organizations and verifies access denial
Documentation
- Updated README with Recent Updates section
- Rewrote Quick Start guide
Full Changelog: v0.4.0...v0.5.0