0.2.5 - 2026-05-30

@github-actions github-actions released this 30 May 09:49
99a0831

Release Notes

Added

  • OAuth 2.1 authentication for the HTTP and SSE transports, in a new tribal-auth crate. Tribal now runs as an OAuth authorisation server: Dynamic Client Registration (RFC 7591), PKCE, an authorisation-code flow with an explicit consent step, the RFC 8414 and RFC 9728 discovery metadata endpoints, and audience-bound bearer tokens. An OAuth-capable harness registers and authenticates itself on first connect, so the loopback wire-up carries no token to copy.

Changed

  • tribal bootstrap and tribal mcp-config choose the wire-up shape from the deployment's onboarding mode rather than always emitting a token. A loopback deployment with dynamic registration enabled advertises a URL-only OAuth snippet with nothing to copy; every other surface (reachable beyond loopback, or with registration disabled) embeds the persisted static token. Pass --static-token to force that token for a harness that authenticates with a bearer header only.
  • tribal check's token check follows the same onboarding mode: it skips on a URL-only surface, where clients authenticate over OAuth, and fails when a surface that depends on a static token has none.
  • A missing bearer token on a network request now logs at DEBUG rather than WARN, so a steady-state healthcheck cycle no longer emits misleading authentication warnings.

Security

  • The unauthenticated Dynamic Client Registration endpoint is refused whenever the OAuth surface is reachable beyond loopback. With no explicit advertised URL, a wildcard bind (0.0.0.0 or [::]) is treated as routable and fails closed; a loopback server.public_mcp_url is the trusted-exposure override for the container host-port-mapping shape. server.public_mcp_url is validated at load as an http(s) endpoint with a host and no fragment, and the same check guards the non-validating tribal mcp-config renderer.
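The fail-closed decision described in this entry, sketched as an added example; it is not code from the tribal-auth crate. The function names, the simplified std-only URL parsing, the treatment of "localhost" as loopback, and the sample port and path are assumptions made for illustration.

```rust
use std::net::{IpAddr, SocketAddr};

/// Checks the advertised URL: http(s) scheme, a host, no fragment. Returns the host.
/// Simplified std-only parsing for illustration; use a real URL parser in production.
fn advertised_host(url: &str) -> Result<String, &'static str> {
    if url.contains('#') {
        return Err("fragment not allowed");
    }
    let rest = url
        .strip_prefix("https://")
        .or_else(|| url.strip_prefix("http://"))
        .ok_or("scheme must be http or https")?;
    let authority = rest.split(|c: char| c == '/' || c == '?').next().unwrap_or("");
    // The host is whatever follows the last '@', so userinfo cannot pose as it.
    let hostport = authority.rsplit('@').next().unwrap_or("");
    let host = match hostport.strip_prefix('[') {
        Some(v6) => v6.split(']').next().unwrap_or(""), // bracketed IPv6 literal
        None => hostport.split(':').next().unwrap_or(""),
    };
    if host.is_empty() {
        return Err("missing host");
    }
    Ok(host.to_ascii_lowercase())
}

/// Assumption: "localhost" and loopback IP literals count as loopback hosts.
fn is_loopback_host(host: &str) -> bool {
    host == "localhost" || host.parse::<IpAddr>().map_or(false, |ip| ip.is_loopback())
}

/// Ok(true): serve registration. Ok(false): refuse it. Err: reject the config at load.
fn registration_allowed(bind: SocketAddr, public_url: Option<&str>) -> Result<bool, &'static str> {
    match public_url {
        // An explicit advertised URL decides exposure, whatever the bind address is.
        Some(url) => Ok(is_loopback_host(&advertised_host(url)?)),
        // No URL: only a loopback bind is trusted; 0.0.0.0 and [::] fail closed.
        None => Ok(bind.ip().is_loopback()),
    }
}

fn main() {
    let wildcard: SocketAddr = "0.0.0.0:8080".parse().unwrap();
    println!("{:?}", registration_allowed(wildcard, None));
    println!("{:?}", registration_allowed(wildcard, Some("http://127.0.0.1:8080/mcp")));
}
```

The wildcard bind with a loopback advertised URL is the container host-port-mapping shape: the process listens on every interface inside the container, while the operator asserts that only loopback is exposed on the host.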

Install tribal 0.2.5

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/tribal-memory/tribal/releases/download/v0.2.5/tribal-installer.sh | sh

Install prebuilt binaries via Homebrew

brew install tribal-memory/tap/tribal

Download tribal 0.2.5

| File | Platform | Checksum |
| tribal-aarch64-apple-darwin.tar.xz | Apple Silicon macOS | checksum |
| tribal-x86_64-apple-darwin.tar.xz | Intel macOS | checksum |
| tribal-aarch64-unknown-linux-gnu.tar.xz | ARM64 Linux | checksum |
| tribal-x86_64-unknown-linux-gnu.tar.xz | x64 Linux | checksum |
| tribal-x86_64-unknown-linux-musl.tar.xz | x64 MUSL Linux | checksum |