🔐 Per-worker fleet keys
CashPilot no longer relies on a single shared key for day-to-day fleet auth. Each worker now gets its own key. The shared CASHPILOT_API_KEY becomes an enrollment-only bootstrap credential.
- Enrollment is automatic. A worker's first heartbeat uses the shared key; the UI issues it a unique key (stored encrypted on the UI, handed back once), which the worker persists to its own
/data. - After enrollment, the worker authenticates every heartbeat with its own key, and the UI calls that worker with the same key. Once a worker confirms its key, the shared key is refused for it — in both directions.
- Why: a leaked worker key is now scoped to a single worker, and no worker can impersonate another.
A dropped enrollment response can't lock a worker out — the UI re-delivers the same key until the worker confirms it.
⚠️ Breaking change — action required for existing fleets
Upgrade both the UI and all worker images to 1.0.0, keep CASHPILOT_API_KEY as-is, and restart. Workers re-enroll automatically on their first heartbeat (no manual key handling). An old worker image can't heartbeat once its UI-side record is confirmed, so don't leave 0.x workers running against a 1.0.0 UI.
📖 Full upgrade guide (steps, recovery, rollback): docs/upgrade-v1.md
Note:
CASHPILOT_API_KEYremains sensitive — it can still enroll a new worker that receives deploy specs. Keep protecting it.
What's Changed
Full Changelog: v0.6.22...v1.0.0