v2.4.5

@redf0x1 redf0x1 released this 25 May 05:06
· 2 commits to main since this release

What changed

  • Added CAMOFOX_AUTH_MODE=auto|required|disabled.
  • auto preserves the existing secure default: loopback can run without an API key, while non-loopback binds require CAMOFOX_API_KEY.
  • required forces CAMOFOX_API_KEY for every bind, including loopback.
  • disabled explicitly disables API-key auth for trusted private agent networks whose clients cannot send bearer tokens, including Hermes/OpenClaw/GoClaw-style deployments.

Guardrails

  • CAMOFOX_AUTH_MODE=disabled must run without CAMOFOX_API_KEY to avoid a false sense of protection.
  • Non-loopback disabled-auth deployments keep private-network navigation blocked by default.
  • Startup fails if CAMOFOX_AUTH_MODE=disabled is combined with CAMOFOX_ALLOW_PRIVATE_NETWORK=true on a non-loopback bind.
  • Use disabled mode only on trusted private networks and do not publish the service to untrusted networks.
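
The mode and guardrail rules above, written as one startup check. This is an added example, not Camofox's own code: `checkStartup`, its `bindHost` parameter and the loopback test are hypothetical names, and treating an unset mode as auto and a key in disabled mode as a hard failure are assumptions.

```javascript
// Added illustration of the rules in these release notes; not Camofox source code.
const MODES = ['auto', 'required', 'disabled'];

// Assumption: loopback means localhost, ::1, or a 127.0.0.0/8 address.
function isLoopback(host) {
  return host === 'localhost' || host === '::1' || /^127(\.\d{1,3}){3}$/.test(host);
}

// bindHost is a hypothetical parameter: the notes do not name the bind setting.
// Returns { ok: true, authRequired } or { ok: false, error } when startup should fail.
function checkStartup(env, bindHost) {
  const mode = env.CAMOFOX_AUTH_MODE || 'auto'; // assumption: unset behaves as auto
  const hasKey = Boolean(env.CAMOFOX_API_KEY);
  const loopback = isLoopback(bindHost);
  const fail = (error) => ({ ok: false, error });

  if (!MODES.includes(mode)) return fail(`unknown CAMOFOX_AUTH_MODE: ${mode}`);

  if (mode === 'disabled') {
    // A key that is never checked gives a false sense of protection.
    if (hasKey) return fail('disabled mode must run without CAMOFOX_API_KEY');
    // Unauthenticated, network-reachable and allowed to browse internal hosts.
    if (!loopback && env.CAMOFOX_ALLOW_PRIVATE_NETWORK === 'true') {
      return fail('disabled auth with private-network navigation on a non-loopback bind');
    }
    return { ok: true, authRequired: false };
  }

  // required: key on every bind. auto: key only on non-loopback binds.
  if (!hasKey && (mode === 'required' || !loopback)) {
    return fail(`CAMOFOX_API_KEY is required (mode=${mode}, bind=${bindHost})`);
  }
  // Assumption: a key that is present is enforced, even on loopback in auto mode.
  return { ok: true, authRequired: hasKey };
}

// Constructed sample configurations, one per rule.
const samples = [
  [{}, '127.0.0.1'],
  [{}, '0.0.0.0'],
  [{ CAMOFOX_AUTH_MODE: 'required' }, '127.0.0.1'],
  [{ CAMOFOX_AUTH_MODE: 'disabled', CAMOFOX_API_KEY: 'example-key' }, '10.0.0.5'],
  [{ CAMOFOX_AUTH_MODE: 'disabled', CAMOFOX_ALLOW_PRIVATE_NETWORK: 'true' }, '0.0.0.0'],
  [{ CAMOFOX_AUTH_MODE: 'disabled' }, '10.0.0.5'],
];
for (const [env, host] of samples) {
  console.log(host, JSON.stringify(env), '->', JSON.stringify(checkStartup(env, host)));
}
```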

Verification

  • npm test: 63 suites passed, 2 skipped; 494 tests passed.
  • npm run build passed.
  • npm audit --audit-level=moderate found 0 vulnerabilities.
  • npm pack --dry-run produced shasum fc3ba6b90f96694f481c125c870ebb2d57d4b17b.

Resolves #20.