dent8 v0.7.1
Install: cargo install dent8-cli --locked · pip install dent8 · npm install dent8 · prebuilt archives below. Docs: https://xyzzylabs.github.io/dent8/
Added
- Linux and Windows backends for keychain-backed identity keys —
keychain:<account>
now works on all three platforms, same contract as the macOS backend shipped in 0.7.0
(keygen refuses to overwrite an existing item; the public key derives from the private
item):- Linux: through
secret-tool(libsecret) against any Secret Service implementation
— GNOME Keyring, KWallet 5.97+ — with the secret passed over stdin, never argv. Needs
secret-toolonPATH(libsecret-toolson Debian/Ubuntu) and a running, unlocked
Secret Service; missing pieces produce pointed errors. - Windows: through the Credential Manager. Windows is the one platform with no
preinstalled CLI able to read a secret back, so this backend uses thekeyringcrate
(windows-native only, a Windows-only dependency — macOS/Linux stay subprocess-based and
dependency-free). Awindows-keychainCI job lints the CLI for the platform and runs a
real Credential Manager round trip.
- Linux: through
- Team identity playbook (roadmap: the key-distribution story):
what to commit (trust registry, signed grants, active-grant index, grant log — all public
by construction) versus what never leaves a machine (private keys, ideally
keychain-backed); onboarding a remote teammate with only their public key traveling;
rotation, revocation-as-a-PR, CI-bot keys, and clone-side verification. Every command in
it is exercised against the real binary.
Fixed
identity repair-envnow works for keys that are not bundle files: after
grant-issuefor a remote teammate (their key never left their machine) or for a
keychain-backed key, repair-env restores the missing active-grant registry entry from the
signed grant and honestly skips the env rewrite (it used to hard-fail trying to stat the
absent key file, leaving no way to register the grant).
Full changelog: https://github.com/xyzzylabs/dent8/blob/main/CHANGELOG.md