v0.2.0

@github-actions github-actions released this 01 May 12:09
· 1253 commits to main since this release
b28674d

Crabbox 0.2.0 hardens the brokered runner path after real AWS and Blacksmith Testbox use: browser login is safer, AWS SSH ingress is no longer world-open by default, SSH readiness waits for the Crabbox bootstrap marker, and fallback SSH ports are configurable instead of being hidden port-22 magic.

Added

  • Added GitHub browser login for crabbox login, including signed user tokens, polling-based CLI completion, --no-browser, and JSON output support.
  • Added coordinator OAuth routes for GitHub login: /v1/auth/github/start, /v1/auth/github/callback, and /v1/auth/github/poll.
  • Added signed non-admin user-token auth in the Worker while keeping the shared operator token for admin routes.
  • Added GitHub org membership enforcement before minting browser-login tokens.
  • Added the canonical coordinator endpoint configured for OAuth callback generation.
  • Added Blacksmith Testbox workflow flags for crabbox warmup and crabbox run, enabling one-command Testbox runs without repo YAML or environment variables.
  • Added configurable SSH fallback ports via ssh.fallbackPorts and CRABBOX_SSH_FALLBACK_PORTS.

Changed

  • Updated CLI defaults, docs, examples, and auth guidance to prefer https://crabbox.openclaw.ai.
  • Clarified that Cloudflare Access OAuth and Crabbox CLI OAuth are separate GitHub OAuth apps with separate callback URLs.
  • Scoped normal GitHub-login users to their own leases, run history, logs, and usage; shared-token admin auth remains required for pool and fleet-wide operator views.
  • AWS coordinator-created security groups now allow SSH only from configured CIDRs, the CLI-detected outbound IPv4 CIDR, or the request source IP instead of adding world-open SSH ingress.
  • Direct AWS security groups now honor the configured AWS SSH source CIDRs when creating managed SSH ingress.
  • Direct and brokered AWS now open the same configured SSH port candidates that the CLI will try.
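To check existing AWS security groups for the world-open SSH ingress that this release stops creating, the audit below is an added example, not Crabbox code. It assumes input in the shape of `aws ec2 describe-security-groups` output; the group IDs and the fallback port 2222 are constructed for illustration.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs and the 2222 fallback port are illustrative assumptions.
SAMPLE_GROUPS = [
    {"GroupId": "sg-EXAMPLE-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-EXAMPLE-scoped", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 2222, "ToPort": 2222,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-EXAMPLE-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2000, "ToPort": 3000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-EXAMPLE-all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def covers_port(perm, port):
    """True if the ingress rule's protocol and port range include TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule: every protocol and port
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:  # no range given: treat as all ports
        return True
    return lo <= port <= hi


def world_open_ssh(groups, ssh_ports=(22, 2222)):
    """Return (group_id, cidr, exposed_ports) for rules open to any address."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            ports = [p for p in ssh_ports if covers_port(perm, p)]
            if not ports:
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                # Prefix length 0 means 0.0.0.0/0 or ::/0, however it is spelled.
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((group["GroupId"], cidr, ports))
    return findings
```

Pass the same port list that `ssh.fallbackPorts` or `CRABBOX_SSH_FALLBACK_PORTS` configures, so fallback ports are audited along with port 22.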

Fixed

  • Cleaned up Blacksmith Testbox local lease claims and per-lease SSH keys after failed warmups, explicit stops, and one-shot runs.
  • Fixed status and inspect readiness reporting so active leases with a host are not marked ready until SSH and crabbox-ready actually respond.
  • Fixed remote sync sanity failures to include the remote deletion count and sample paths instead of hiding the useful stderr behind exit status 66.
  • Restricted Worker admin routes to shared-token admin auth so GitHub browser-login users cannot call admin endpoints.
  • Fixed whoami reporting for GitHub browser-login tokens.
  • Fixed exact cbx_... lookups bypassing owner-scoped slug authorization checks.
  • Added cleanup and a pending-login cap for unauthenticated GitHub OAuth login starts.