byn 0.3.1

Changelog

• 34877c7: Fix privsep setup and daemon runtime; portal auth rework WIP (@sandeepbaynes)
• 63e3422: Merge pull request #12 from sandeepbaynes/fix-docs-section-separators (@sandeepbaynes)
• 890dcd2: Merge pull request #13 from sandeepbaynes/fix-footer-releases (@sandeepbaynes)
• a7fb091: Merge pull request #14 from sandeepbaynes/privsep-rework (@sandeepbaynes)
• 164b54c: Merge pull request #16 from sandeepbaynes/release-v0.3.1 (@sandeepbaynes)
• 63c1576: cli: store session tokens in an owner-writable dir under privsep (@sandeepbaynes)
• 0ded5a0: daemon: capture + seal the exec capability at trust grant (S2c-3) (@sandeepbaynes)
• a812bbd: daemon: correct readBynFile/stat comments for the privsep model (@sandeepbaynes)
• 45723b1: daemon: exec surfaces the TCC/FDA cause instead of "untrusted" (@sandeepbaynes)
• 8805bb4: daemon: trusted exec runs autonomously via the capability (S3) (@sandeepbaynes)
• ddacb75: docs site: footer version + releases links, and a release-notes page (@sandeepbaynes)
• bdec350: exec: auto-grant _byn-exec access to tool-state dirs (@sandeepbaynes)
• 8b92966: exec: terminal-anchored privsep spawn + debug modes (@sandeepbaynes)
• 599b444: macos: actionable TCC error + Full Disk Access guidance in setup (@sandeepbaynes)
• d49bb81: macos: surface TCC/FDA fix + free code-signing across error, help, man, docs (@sandeepbaynes)
• 2b1e6fc: privsep: add GrantBynReadACL — owner grants _byn read on a .byn (@sandeepbaynes)
• 873dde4: privsep: non-recursive _byn-exec project ACL (S4) (@sandeepbaynes)
• d65abcb: privsep: pass the Seatbelt profile inline (-p), not via a temp file (macOS) (@sandeepbaynes)
• 4eb2ee8: privsep: sandbox the target AFTER the setuid drop, not before (macOS) (@sandeepbaynes)
• 982e19c: privsep: traverse all ancestors for _byn-exec too; keep shared on revoke (@sandeepbaynes)
• 7ee8209: trust: add ExecCapability to the record, MAC-bound (S2c-1) (@sandeepbaynes)
• 4b233ba: trust: don't run the recursive exec ACL at trust time (hang fix) (@sandeepbaynes)
• fe4cd5d: trust: fix privsep gating + traverse all ancestors for daemon read (@sandeepbaynes)
• a09138a: trust: owner CLI grants daemon read ACL before granting trust (@sandeepbaynes)
• 6d0fbea: trust: re-wire the (non-recursive) _byn-exec project ACL into grant (@sandeepbaynes)
• 6953631: vault/crypto: add DeriveRowKey — per-row encryption keys (S1a) (@sandeepbaynes)
• 815b7e0: vault/crypto: capability seal/open under a machine-fingerprint K_cap (S2a) (@sandeepbaynes)
• 4abcf5f: vault: CaptureRowKeys — collect a .byn's row keys + migrate to v2 (S2b) (@sandeepbaynes)
• 01fa943: vault: OpenEnvVarWithRowKey — autonomous decrypt with a capability key (S2c-2) (@sandeepbaynes)
• fc010fd: vault: seal entries with per-row keys; read v1+v2 (S1b) (@sandeepbaynes)

byn 0.3.0

Changelog

• ceb9b55: Add GitHub Pages deploy workflow (gensite build) (@sandeepbaynes)
• d725022: Add ImportSource seam with a local-FS vault source (@sandeepbaynes)
• 0b17276: Add Linux systemd unit + sysusers install for the daemon (@sandeepbaynes)
• 4ec3ad4: Add Spawner: daemon spawns exec child via privileged helper (@sandeepbaynes)
• 8775723: Add byn migrate relocate/import; drop trust+passkeys on import (@sandeepbaynes)
• 6abcc16: Add byn setup: provision service users + install spawn helper (@sandeepbaynes)
• 6737e40: Add docs-site generator (markdown to themed HTML) (@sandeepbaynes)
• de4b70b: Add exec.spawn op: server-side privsep spawn, shared auth gate (@sandeepbaynes)
• 8637112: Add fd-passing transport + exec.spawn config/env wiring (@sandeepbaynes)
• 76e8c81: Add hardened SCM_RIGHTS fd send/recv for exec stdio (@sandeepbaynes)
• 6e9bcb8: Add macOS LaunchDaemon + role accounts for the daemon (@sandeepbaynes)
• 17605d9: Add migrate Adopt: verify then atomically adopt a vault (@sandeepbaynes)
• f0b10c7: Add privileged exec-child spawn helper (drop to _byn-exec) (@sandeepbaynes)
• a22f8a9: Add privsep cred-leak integration test (root-gated) (@sandeepbaynes)
• 30a6d36: Add privsep package: service-UID lookup + provisioning state (@sandeepbaynes)
• ef2d047: Add root CI job for privsep integration (@sandeepbaynes)
• 4d9ea29: Add root-gated daemon-privsep posture integration test (@sandeepbaynes)
• e0dccfa: Allowlist recorded owner UID and relocate socket when provisioned (@sandeepbaynes)
• 4a452d8: Bring gh-pages site source into the branch (single source) (@sandeepbaynes)
• a9b8512: Bump version to v0.3.0 across docs, site, and packaging (@sandeepbaynes)
• 59dd59e: Confine exec child: macOS Seatbelt profile + Linux Setsid (@sandeepbaynes)
• b356f6d: Document privsep posture and honest ceiling (@sandeepbaynes)
• 938e463: Document privsep posture, migration, and honest ceiling (@sandeepbaynes)
• 5217af1: Dup stdio fds in Spawner; guard NUL in env (@sandeepbaynes)
• 66b7337: Fix CI failures: unit-test assertion, UID bound, exec PATH (@sandeepbaynes)
• 2b42826: Fix Linux-only lint + provision test assertion (@sandeepbaynes)
• e2e16f4: Fix data root to system path; remove BYN_DIR override (@sandeepbaynes)
• d8d213b: Fix docs site: don't indent inside

   code blocks (@sandeepbaynes)

• 33c5b2c: Fix docs site: give the first h2 the same top spacing as the rest (@sandeepbaynes)
• 11863ab: Grant ACL on bulk trust; remove default ACL on revoke (@sandeepbaynes)
• 442abaa: Grant _byn-exec project-dir ACL at trust, revoke at untrust (@sandeepbaynes)
• 211309f: Harden ci.yml perms; run NU-6 privsep test in root job (@sandeepbaynes)
• 831d301: Harden helper: self-contained env, absolute-path exec, fstat config (@sandeepbaynes)
• 538821d: Harden memory: PR_SET_DUMPABLE + macOS hardened-runtime note (@sandeepbaynes)
• c297ced: Make byn setup fully provision privsep; add --uninstall (@sandeepbaynes)
• 6b28583: Merge pull request #10 from sandeepbaynes/fix-h2-top-margin (@sandeepbaynes)
• 893e0e4: Merge pull request #11 from sandeepbaynes/fix-docs-v030-correctness (@sandeepbaynes)
• f3f37dd: Merge pull request #7 from sandeepbaynes/nu-5-privsep (@sandeepbaynes)
• 5ff6be1: Merge pull request #8 from sandeepbaynes/pages-deploy (@sandeepbaynes)
• 629ce49: Merge pull request #9 from sandeepbaynes/fix-site-codeblock-indent (@sandeepbaynes)
• 1a70720: Pass --allow-root in NU-5 privsep test (NU-6 root refusal) (@sandeepbaynes)
• 3533a43: Refuse to run the daemon as root unless --allow-root (@sandeepbaynes)
• 8202cfd: Remove EE/premium/open-core framing from docs (no-EE model) (@sandeepbaynes)
• 7b5f503: Resolve data root: system path if provisioned, else legacy ~/.byn (@sandeepbaynes)
• f8e755a: Route byn exec through privsep spawn (opt-in) (@sandeepbaynes)
• ae65b0c: Run internal/paths untagged in CI to cover the no-override test (@sandeepbaynes)
• 25215f7: Set close-on-exec on received fds; check truncation (@sandeepbaynes)
• d599000: Ship byn-exec-helper in release artifacts (privsep) (@sandeepbaynes)
• ae27455: Skip trust password prompt for uninitialized vaults (@sandeepbaynes)
• 4246b34: Test darwin provisioning; simplify Setup; minor polish (@sandeepbaynes)
• 54965a8: Trust by .byn scope vault; never force the default vault (@sandeepbaynes)
• 605d37b: Update docs + landing for NU privsep; expand site manifest (@sandeepbaynes)
• f766ac0: Wait for exec.spawn fds via netpoller; fix EAGAIN race (@sandeepbaynes)

byn 0.2.0

Changelog

• 270b0d0: NU security re-architecture (no universal unlock) + portal studio — v0.2.0 (#6) (@sandeepbaynes)

byn 0.0.1

Changelog

• 7b22d66: Fix LICENSE attribution: Licensor is Sandeep Baynes (Sandeep Baynes sandeep.baynes@gmail.com)
• 3c911c2: Relicense to BUSL-1.1; replace CLA with DCO (Sandeep Baynes sandeep.baynes@gmail.com)
• 1e4b4d2: byn — local-first secrets vault: daemon, CLI, TUI, browser portal (Sandeep Baynes sandeep.baynes@gmail.com)

byn 0.1.0

The first feature release after v0.0.1 — per-project .byn workspaces, a richer browser portal, tamper-evident trust, and broader daemon ergonomics.

Features

• Trust-store tamper hardening — every trusted .byn is bound with a machine-fingerprint and a vault-key MAC, verified at use-time. A trust store copied or forged from another machine is rejected.
• [exec] env allowlist — byn exec injects only the env-vars a project declares in its .byn. "*" injects all (with a loud warning); empty/absent injects none. Env-vars only — there is no command allowlist yet.
• Portal "Create .byn" generator — pick a project directory (daemon-backed picker), multi-select which scope vars go in [exec] env, and trust on the spot — passkey-first, falling back to the master password.
• Bulk trust / untrust — byn trust and byn untrust accept multiple paths, --paths "a,b,c", and --recursive. Files are grouped by their target vault, so each vault's password is asked once (one KDF for the whole group).
• Top-level daemon lifecycle — byn start / stop / restart / reload (the old byn daemon <verb> forms still work). New byn daemon install / uninstall register a launchd (macOS) / systemd-user (Linux) auto-start service.
• byn env clear — delete every var in an env in a single, password-gated op.
• Exec-authorization audit — the audit log records which .byn authorized which command (ok/denied), surfaced in both the CLI and portal audit views.

Fixes

• Portal: double-clicking an entry name no longer spawns a phantom row; rename/edit are blocked with a clear message while the vault is locked.
• Fixed a data race in the portal server's Serve/Close during config reload.
• Bulk trust now sends absolute paths to the daemon, so byn trust --recursive works from any project directory.

Docs & CI

• New 5-minute quickstart; README, man page, and .byn format docs updated for the new commands and allowlist rules.
• CI workflows forced onto Node 24; retired the superseded hand-written Homebrew formula.

Install

brew install sandeepbaynes/tap/byn
curl -fsSL https://raw.githubusercontent.com/sandeepbaynes/byn/main/install.sh | sh
go install github.com/sandeepbaynes/byn/cmd/byn@latest

Full Changelog: v0.0.1...v0.1.0