Skip to content

Releases: amarbel-llc/papi

release v0.2.9

Choose a tag to compare

@friedenberg friedenberg released this 12 Jul 20:13
v0.2.9
47999d5

release v0.2.9

  • fmt: switch Go formatter from gofmt to goimports+gofumpt (eng-go preset)
  • bump flake inputs: conformist, piggy, purse-first
  • bump flake inputs: conformist, piggy, purse-first
  • bump flake inputs: conformist, igloo, piggy (+1 more)
  • bump flake inputs: conformist, igloo, piggy (+1 more)

release v0.2.8

Choose a tag to compare

@friedenberg friedenberg released this 05 Jul 21:16
v0.2.8
c97cfc1

release v0.2.8

  • docs(rfc): Amendment 21 — §8 resolution follows subdomains only
  • bump flake inputs: piggy, purse-first
  • docs(rfc): Amendment 20 — §8.1 fallback base is the serving base
  • feat(validate): reconcile /papi/repos ⟷ /papi/forges projections (FDR-0011)
  • docs(fdr): FDR-0012 — one-shot authentication (papi auth)
  • docs(fdr): FDR-0011 — PAPI resources as consistent projections of one model
  • feat(forge): papi forge check — reconcile declared vs verified anonymous visibility
  • docs(repos): correct --url help — it covers organization-hosted repos too
  • fix(repos): --url sources the flattened /papi/repos, joins clone channels by forge id
  • feat(sign-challenge): add --from-response to read the challenge from the §4.2 envelope
  • fix(signchallenge): strict §4.2 envelope in the /login broker response decode
  • fix(auth): read §5 handshake fields from the §4.2 data envelope; strict DecodeEnvelope
  • bump flake inputs: piggy, purse-first
  • expose the conformist hook pair (pre-commit + repair) — eng tier-B
  • bump flake inputs: piggy
  • bump flake inputs: piggy

release v0.2.7

Choose a tag to compare

@friedenberg friedenberg released this 03 Jul 21:46
v0.2.7
ea45471

release v0.2.7

  • fix(cli): authed fetch speaks sign-challenge per served auth.scheme; repos --url owner from forge identity

release v0.2.6

Choose a tag to compare

@friedenberg friedenberg released this 03 Jul 16:24
v0.2.6
703fc63

release v0.2.6

  • feat(cli): --recipient authed navigation for profiles/piggy-ids/ssh-keys/query
  • feat(cli): repos --url emits directly-clonable git urls (synthesized)
  • feat(cli): authed enumeration for repos + a new forges command
  • refresh flake.lock
  • feat(nix): deploy + verify /auth/verify-signature via the NixOS module
  • feat(authproxy): POST /auth/verify-signature app-native verify oracle (FDR-0013)

release v0.2.5

Choose a tag to compare

@friedenberg friedenberg released this 03 Jul 13:45
v0.2.5
798cc1f

release v0.2.5

  • release v0.2.4
  • feat(authproxy): hot-reload the verifier registry on fragment change (closes #41)
  • feat: homeManagerModules.papi-oracle + authorize-only oracle mode (closes #44)
  • refresh flake.lock
  • fix(authproxy): registry accepts the canonical /papi/ssh-authorized-keys format
  • feat: card-direct forward-auth verifier (no software signing key)
  • feat: oracle /authorize attest flow + papi-auth-verifier NixOS module (FDR-0014)
  • feat(authproxy): PAPI-session forward-auth verifier (FDR-0014)
  • refresh flake.lock
  • refresh flake.lock
  • feat(cli): productionize sign-challenge-serve — logging, timeouts, --config

release v0.2.4

Choose a tag to compare

@friedenberg friedenberg released this 29 Jun 14:11
v0.2.4
3b10417

release v0.2.4

  • docs(fdr): FDR-0009 → testing; correct eng adoption details
  • feat(cli): papi sign-challenge-serve — browser §5 card oracle + SSH-agent signer
  • feat: papi identity get/domain — local identity.toml reader (closes #38)
  • docs(fdr): FDR-0009 papi identity.toml reader (refs #38)
  • release v0.2.3
  • refresh flake.lock

release v0.2.3

Choose a tag to compare

@friedenberg friedenberg released this 26 Jun 11:18
v0.2.3
42bf9fd

release v0.2.3

  • docs(rfc): RFC-0001 Amendment 17 — discovery advertises only non-empty public projections
  • feat: RFC-0001 §9.6 key co-location proofs + validator (refs #30)
  • refresh flake.lock
  • refresh flake.lock
  • docs(fdr): FDR-0003 amendment — the iter-2 binary-fetching /papi/bootstrap shim
  • feat(installer): cmd/papi-installer — RFC-0003 phase engine + binary (FDR-0006 ph.1)
  • refresh flake.lock
  • bump nixpkgs-master: d233902 → 567a49d
  • feat(cli): papi sign-challenge — §5.2 slot-9A auth response (closes #31)
  • docs(fdr): FDR-0008 installer signing strategy; FDR-0003 self-re-exec precision
  • test(wasm): TS §10 verify of a real signed /papi fixture; FDR-0007 -> experimental
  • feat(wasm): packages.papi-client-ts zero-dep flake bundle (FDR-0007 ph.3)
  • feat(wasm): retarget papi-client-wasm to js/wasm + TS wrapper (FDR-0007 ph.3)
  • refresh flake.lock
  • feat(wasm): papi-client-wasm §10 document verify (FDR-0007 ph.2)
  • feat(wasm): papi-client-wasm decode core + shared pure decoders (FDR-0007 ph.1)
  • docs(rfc): RFC-0001 Amendment 15 — §5.3 session transport, header preferred
  • docs(fdr): FDR-0007 — papi client as a WASM core + TypeScript wrapper
  • docs: reconcile dropped iter-1 (retire bash cold-E2E; un-gate the binary)
  • feat(profiles): client Profiles() + papi profiles CLI for GET /papi/profiles
  • docs(rfc): RFC-0001 Amendment 14 — sign-challenge §5 scheme (slot-9A signature)
  • docs(rfc,fdr): cardless SSH-cert §5 auth + installer auth/tailnet/resume refinements
  • docs(rfc,fdr): rename installer "framework"→"installer"; warm-cache caveat
  • docs(rfc,fdr): no eng build before the gated cache (stage-model correction)
  • docs(rfc,fdr): fold eng line-level review + early caches into installer design
  • docs(rfc): profiles[] (RFC-0001 Amendment 11) + RFC-0003 staged-installer phase contract
  • refresh flake.lock
  • refresh flake.lock
  • feat(ssh-sync): sync authorized_keys from a PAPI domain via CLI + home-manager
  • docs(bootstrap): reconcile shim naming to canonical provision.sh

release v0.2.2

Choose a tag to compare

@friedenberg friedenberg released this 22 Jun 21:44
v0.2.2
67447ce

release v0.2.2

  • feat(just): add debug-why-depends recipe for tracing devShell closure deps
  • docs(rfc): record piggy-mgmt/1 ask resolutions in RFC-0002
  • docs(rfc): papi's consumer constraints on piggy-mgmt/1 (RFC-0002)
  • feat(gh-check): make the domain the source of truth, gate orphans behind --show-orphans
  • feat(cli): papi gh-auth — grant gh the scopes papi's GitHub commands need
  • feat(cli): gh-check degrades on a missing scope + documents the scopes
  • feat(cli): papi gh-check — reconcile GitHub SSH keys against a domain
  • feat(enroll): register the new card's slot-9A key on GitHub (auth + signing)
  • docs(fdr): FDR-0004 (exploring) — card-gated tailnet join during bootstrap
  • docs(fdr): FDR-0003 proposed→experimental — /papi/bootstrap verified live
  • feat: GET /papi/bootstrap endpoint + papi bootstrap (papi#16)
  • feat(enroll): --cn-prefix to name the card's slot certs (#19)
  • feat(enroll): --allow-reprovision to reset + re-provision a provisioned card
  • feat(cli): present verify-receipt via the crap-TUI (#21)
  • fix(cli): ssh-copy-id SFTP fallback is a skip, not a failure
  • feat(cli): present ssh-copy-id via the crap-TUI
  • feat(cli): ssh-copy-id auto-falls back to SFTP when the host has no shell
  • fix(cli): make ssh-copy-id --sftp chmod best-effort
  • feat(cli): ssh-copy-id --sftp for shell-less hosts
  • fix(cli): make ssh-copy-id surface the remote failure instead of a bare exit code
  • docs(cli): frame ssh-copy-id's target as an ssh destination (resolves ~/.ssh/config)
  • feat(cli): add papi verified-recipients — receipt-gated encryption recipient set
  • feat(cli): add papi ssh-copy-id — install a domain's enrolled slot-9A keys on a host
  • docs(fdr): FDR-0002 composition with linenisgreat ADR-0006
  • feat(verify): network-free receipt verify + wasip1 WASM module
  • feat(enroll): announce which card each signing step is for
  • fix(enroll): make provisioned cards truly unselectable in the picker
  • chore(justfile): interim blank-card provisioning + two-card enroll recipes
  • build(flake): pin piggy + burn it onto papi's PATH (not ambient)
  • chore(enroll): smoke-test recipes + align parseCardList to piggy#193
  • test(enroll): use synthetic card serials in the provision fixture
  • docs: papi enroll gains the huh picker + blank-card provisioning
  • feat(enroll): blank-card provisioning + huh card picker (papi#17)
  • docs(readme): enroll attests via piggy sign-bytes, not pivy-tool
  • chore(justfile): add live-test debug recipes (cards/papi/age/pivy)
  • feat(enroll): sign via merged piggy sign-bytes (drop pivy-tool DER stopgap)
  • fix(client): follow .well-known discovery to the serving host (RFC §8.1)
  • docs(fdr): scope papi enroll v0 to post-init; defer blank-card generate
  • feat(cli): add papi enroll — emit + verify a new-YubiKey enrollment receipt
  • feat(enroll): add the pivy-tool/piggy card adapter (signer + readback)
  • test(enroll): add a committed sample enrollment receipt fixture
  • feat(enroll): add the receipt-assembly core for papi enroll (FDR-0001)
  • docs(fdr): make papi strictly downstream of piggy in FDR-0001
  • feat(cli): add papi verify-receipt + enrollment-receipt format (FDR-0001)
  • docs(fdr): add FDR-0001 for new-YubiKey enrollment
  • release v0.2.1
  • refresh flake.lock
  • add nixpkgs-master

release v0.2.1

Choose a tag to compare

@friedenberg friedenberg released this 20 Jun 17:21
v0.2.1
5d70310

release v0.2.1

  • docs(cli): list §9 proofs + §11 caches in papi validate --help
  • feat(cli): add papi repos + papi query (gojq) subcommands

release v0.2.0

Choose a tag to compare

@friedenberg friedenberg released this 20 Jun 16:46
v0.2.0
cc479f1

release v0.2.0