hub 0.6.4 — fresh-install onboarding overhaul
The 0.6.4-rc chain (rc.1–rc.10) promoted to stable. This release combines a multi-user/account security wave with an end-to-end overhaul of the fresh-install experience, driven by real field transcripts.
Security & multi-user
- Per-request force-change-password enforcement (#469) — a signed-in user on an admin-set temp password can no longer navigate around the change gate and operate indefinitely
- First-claim bootstrap token: on a public expose with no admin yet, init prints a one-time token the wizard requires before creating the first admin — whoever finds your URL first can no longer claim your hub (#576)
- One-time expiring invite links that provision an account + its own vault (#553); cross-tenant invite assignment rejected (#557)
- 2FA recommended (with enrollment pointers) whenever you expose publicly (#554)
- Pre-multi-user hardening across mint-token / layer detection / scribe auth (#550); scope-guard retries JWKS on rotation-class failures (#549)
- deleteUser no longer 500s on OAuth-authorized users (#559)
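The force-change gate in #469 is worth seeing as code, because the bug it fixes is a structural one: a check that runs only at login can always be walked around by a user who is already signed in. Below is an added example of a per-request gate, written for this page and not taken from the hub's source; the session shape, the route paths, the `/static/` allow-prefix and the 12-character minimum are assumptions for the demo.

```typescript
// Added example, not parachute's own code: a per-request gate for a signed-in
// user whose password was set by an admin and must be changed first. Session
// shape, route paths, the "/static/" prefix and the length rule are assumed.

interface Session {
  userId: string;
  mustChangePassword: boolean; // set when an admin assigns a temp password
}

type GateDecision =
  | { kind: "allow" }
  | { kind: "redirect"; location: string } // browser navigation
  | { kind: "deny"; status: 403 };         // API / MCP callers: fail closed

const CHANGE_PATH = "/account/change-password";

// The only things a gated user may still do: load and submit the change form,
// log out, and fetch the assets the form needs.
const GATED_ALLOW: ReadonlyArray<[string, string]> = [
  ["GET", CHANGE_PATH],
  ["POST", CHANGE_PATH],
  ["POST", "/logout"],
];
const GATED_ALLOW_PREFIXES = ["/static/"];

// Normalise just enough that "/account/change-password/" and "?next=1" match
// the allow-list; assumes the server already resolved "." and ".." segments.
function normalisePath(path: string): string {
  const p = path.split("?", 1)[0];
  return p.length > 1 && p.endsWith("/") ? p.slice(0, -1) : p;
}

// Call on EVERY request after session lookup, not only at login: that is what
// closes the "navigate around the change gate" hole.
function enforceForceChange(
  session: Session | null,
  method: string,
  path: string,
  wantsHtml: boolean,
): GateDecision {
  // Unauthenticated requests are the login middleware's job, not this gate's.
  if (!session || !session.mustChangePassword) return { kind: "allow" };
  const m = method.toUpperCase();
  const p = normalisePath(path);
  if (GATED_ALLOW.some(([am, ap]) => am === m && ap === p)) return { kind: "allow" };
  if (m === "GET" && GATED_ALLOW_PREFIXES.some((pre) => p.startsWith(pre))) return { kind: "allow" };
  return wantsHtml ? { kind: "redirect", location: CHANGE_PATH } : { kind: "deny", status: 403 };
}

// The flag clears only when the change actually succeeds. Assumes the current
// (temporary) password was already verified against its stored hash upstream;
// re-using it would leave the account exactly as exposed as before.
function completePasswordChange(session: Session, tempPassword: string, newPassword: string): Session {
  if (newPassword === tempPassword || newPassword.length < 12) {
    throw new Error("new password must differ from the temporary one and be at least 12 characters");
  }
  return { ...session, mustChangePassword: false };
}
```

Non-HTML callers (an MCP client holding a session cookie) get a 403 rather than a redirect so they cannot end up looping on the change form, and only the success path clears the flag.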
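The bootstrap token (#576) and the invite links (#553, with the cross-tenant rejection of #557) are the same primitive: a high-entropy secret that is stored only as a hash, redeemable exactly once, for one purpose, before a deadline, and bound to the tenant it was minted for. The store below is an added example written for this page, not the hub's implementation; the purpose names, the tenant/vault binding, the `id.secret` token layout and the TTLs are assumptions.

```typescript
import { randomBytes, createHash, timingSafeEqual } from "node:crypto";

// Added example, not parachute's implementation: a store of one-time, expiring
// tokens that serves both the first-claim bootstrap token and invite links.
// Purpose names, the tenant binding, the token layout and TTLs are assumed.

type Purpose = "bootstrap-admin" | "invite";
interface Binding { tenant?: string; vault?: string }
interface TokenRecord {
  purpose: Purpose;
  secretHash: Buffer; // never the secret itself: a DB dump must not mint admins
  binding: Binding;
  expiresAt: number;
  used: boolean;
}
type Outcome =
  | { status: "ok"; binding: Binding }
  | { status: "unknown" | "expired" | "used" | "wrong-purpose" | "tenant-mismatch" };

const sha256 = (s: string): Buffer => createHash("sha256").update(s).digest();

class OneTimeTokens {
  private records = new Map<string, TokenRecord>(); // keyed by public id, not secret
  constructor(private now: () => number = () => Date.now()) {}

  // Returns the only copy of the secret; the caller prints it (bootstrap) or
  // embeds it in the invite URL. TTL: minutes for bootstrap, hours for invites.
  issue(purpose: Purpose, ttlMs: number, binding: Binding = {}): { token: string; expiresAt: number } {
    const id = randomBytes(8).toString("hex");
    const secret = randomBytes(32).toString("base64url");
    const expiresAt = this.now() + ttlMs;
    this.records.set(id, { purpose, secretHash: sha256(secret), binding, expiresAt, used: false });
    return { token: `${id}.${secret}`, expiresAt };
  }

  // Redeems a token exactly once. The tenant the caller wants to provision
  // into must equal the one the invite was minted for (cross-tenant rejected).
  consume(token: string, purpose: Purpose, target: Binding = {}): Outcome {
    const dot = token.indexOf(".");
    if (dot < 0) return { status: "unknown" };
    const rec = this.records.get(token.slice(0, dot));
    if (!rec) return { status: "unknown" };
    // Constant-time compare of two equal-length digests; a wrong secret is
    // reported as "unknown", same as an unknown id, so nothing is enumerable.
    if (!timingSafeEqual(rec.secretHash, sha256(token.slice(dot + 1)))) return { status: "unknown" };
    if (rec.purpose !== purpose) return { status: "wrong-purpose" };
    if (rec.used) return { status: "used" };
    if (this.now() > rec.expiresAt) return { status: "expired" };
    if (rec.binding.tenant !== undefined && rec.binding.tenant !== target.tenant) {
      return { status: "tenant-mismatch" }; // not burned: the holder may retry in the right tenant
    }
    rec.used = true; // burn before the account is created, so a second redemption loses
    return { status: "ok", binding: rec.binding };
  }
}
```

The clock is injectable so expiry can be tested without waiting; in production the `records` map would live in the hub's database with the same "hash only, burn on success" rule.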
Install & init
- `parachute init` never dead-ends: expose failures warn and continue to the wizard URL instead of aborting (#565); the Cloudflare flow no longer requires a vault to route (#564)
- Inline `cloudflared` install offer on macOS (brew) and Linux (static binary, `sudo -n` fail-fast) (#566); typed hostnames persist across retries (#567)
- `parachute install <svc>` is light: install → register → start → "manage it in the admin UI." Interactive interview opt-in via `--interactive` (#579)
- The "Blocked 1 postinstall" warning on `bun add -g` is gone (#568)
Lifecycle robustness
- Dual-lifecycle race closed: install sweeps stale per-module units; the supervisor names port squatters with pid + command instead of crash-looping (#580)
- init/expose version-check the running hub and restart the unit when it's stale — no more wiring a tunnel to a months-old zombie process (#590)
- Deterministic OAuth issuer via expose-state fallback (#531); supervisor restarts rebuild spawn env (#532); canonical services.json port wins over stale `.env` PORT (#537); hub binds its port before booting modules (#536); structured errors from module-ops (#536); launchd hubs find operator tools via enriched PATH (#546); status reports run-state for non-curated modules (#539); one broken command module can't take down the whole CLI (#533)
- `expose off --cloudflare` clears the propagated hub origin, ending the post-teardown iss-mismatch class (#503)
Account & connect UX
- `/account` is a first-run onboarding checklist (account → connect your AI → vault) (#561), consolidated owner home (#571), self-serve vault-admin-token unlock + per-vault usage (#551)
- "You're connected" no longer false-positives on a Notes browser sign-in, and a "Connect another AI" expander stays available once you are connected (#583)
- POSTs to a bare `/vault/<name>` URL 308-redirect to `/vault/<name>/mcp`, so pasting the URL without the suffix into an MCP client just works (#525)
- Phantom `default` vault row removed from discovery on fresh boxes (#577)
Upgrading from ≤0.6.2 (please read)
If your box ever ran vault as its own daemon (pre-supervisor installs), the old unit can race the supervisor for vault's port (EADDRINUSE crash-loops, "unexpected iss" errors). One-time cleanup:
```sh
# macOS
launchctl bootout gui/$(id -u)/computer.parachute.vault 2>/dev/null
rm -f ~/Library/LaunchAgents/computer.parachute.vault.plist
# Linux
systemctl disable --now computer.parachute.vault.service 2>/dev/null
parachute restart vault
```

Also note: if you reset with `rm -rf ~/.parachute`, restart the hub unit too (`launchctl kickstart -k gui/$(id -u)/computer.parachute.hub` on macOS, `systemctl restart parachute-hub` on Linux): a running hub holds its database open and will serve errors against the deleted file (#594 tracks making this self-heal).
🤖 Generated with Claude Code