Skip to content

Releases: no42-org/packyard

v0.2.0 — Component Visibility

14 Apr 23:53
@indigo423 indigo423
v0.2.0
This tag was signed with the committer’s verified signature. The key has expired.
indigo423 Ronny Trommer
GPG key ID: DF46656388B1B316
Expired
Verified
Learn about vigilant mode.
3b1473f
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.2.0 — Component Visibility Latest
Latest

What's new

Component visibility

Components in config/packyard.yml now support a visibility field. Public components allow any request through without credentials; private components (the default) continue to require a valid scoped key.

components:
  - name: core
    visibility: private   # default — credentials required
  - name: community
    visibility: public    # no credentials required

The component_visibility field is now included in all key API responses (GET /api/v1/keys, GET /api/v1/keys/{id}, POST /api/v1/keys), reflecting the current config state at response time.

Anti-enumeration hardening

Unauthenticated requests to unknown component paths now return 401 instead of 404. Only authenticated callers can receive a 404 for a non-existent component, preventing unauthenticated actors from enumerating valid component names.

Key validation tightened

The auth service now rejects keys that are 64 characters long but contain non-hexadecimal characters before reaching the store, returning a clean 401 instead of a potential 503.

Config validation

Duplicate component names in packyard.yml are now detected at startup and cause the service to refuse to start with a clear error message.

Safer handler construction

NewForwardAuthHandler and NewKeysHandler constructors coerce nil component maps to empty maps, preventing silent misbehaviour when handlers are constructed without all fields set.

verify.sh improvements

  • --public-component <name> flag: enables a dedicated public-access test section that asserts unauthenticated and invalid-credential requests to a public component return 200, and that private components still enforce auth
  • -h / --help flag
  • Shell injection fix: public component name is now safely passed to curl via jq --arg instead of direct string interpolation
  • Test key cleanup: keys created during verification are revoked in the teardown phase

Upgrade notes

No breaking changes. Existing configs with no visibility field default to private — behaviour is unchanged.

To expose a component publicly, add visibility: public to its entry in config/packyard.yml and restart the auth service:

docker compose restart auth

Changelog

  • feat: component visibility — public components bypass auth (#73)
  • feat: components config-driven via packyard.yml
  • feat: verify.sh --help and --public-component flags
  • fix: anti-enumeration — 404 gated behind credential verification (#74)
  • fix: non-hex 64-char keys now return 401 (not 503)
  • fix: duplicate component names rejected at startup
  • fix: nil component map guards in handler constructors
Assets 2
Loading

v0.1.0

14 Apr 14:23
@indigo423 indigo423
v0.1.0
This tag was signed with the committer’s verified signature. The key has expired.
indigo423 Ronny Trommer
GPG key ID: DF46656388B1B316
Expired
Verified
Learn about vigilant mode.
cc3ba3d
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.1.0

What's Changed

  • docs: merge Quick Start and Local Development into Getting Started by @indigo423 in #54
  • fix: correct PKG_DOMAIN variable name and ACME challenge type by @indigo423 in #55
  • docs(ops): add Troubleshooting page by @indigo423 in #56
  • ci: skip image and docs builds when source paths unchanged by @indigo423 in #57
  • docs(ops): move manual test plan into docs by @indigo423 in #58
  • docs(ops): add release runbook by @indigo423 in #59
  • chore: bump versions to 0.1.0 for release by @indigo423 in #60
  • chore: update compose.yml image tags to 0.1.0 by @indigo423 in #61
  • chore: bump versions to 0.1.1-rc post v0.1.0 release by @indigo423 in #62
  • fix(docs): admin API uses HTTP not HTTPS on port 8443 by @indigo423 in #63
  • fix: change admin entrypoint port from 8443 to 8088 by @indigo423 in #64
  • chore: replace real GPG key in lts.asc with placeholder by @indigo423 in #65
  • chore: move verify.sh to repo root, remove local-testing/ by @indigo423 in #66
  • chore: bump versions to 0.1.0 for re-release by @indigo423 in #67

Full Changelog: v0.0.2...v0.1.0

Contributors

indigo423
Loading

v0.0.2

14 Apr 12:16
@indigo423 indigo423
v0.0.2
71c9cd2
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.0.2

What's Changed

Documentation

  • Migrated all README content into versioned MkDocs site at https://no42-org.github.io/packyard/
  • Added Getting Started, Reference, and Operations sections
  • Slimmed README from 366 to 73 lines
  • Added release-triggered publish pipeline (docs.yml)
  • Disabled GitHub Wiki (content was empty)

CI / Build

  • Added mkdocs build --strict to CI for PR validation
  • Added Makefile with docs-install, docs-serve, docs-build, docs-clean targets
  • Bumped actions/setup-python to v6.2.0

Tests

  • Expanded local-testing/verify.sh to cover full TEST-PLAN.md scope
  • Added remote smoke mode (--base-url, --test-key)

Full Changelog: v0.0.1...v0.0.2

Loading