github GeiserX/CashPilot v1.0.0

one hour ago

🔐 Per-worker fleet keys

CashPilot no longer relies on a single shared key for day-to-day fleet auth. Each worker now gets its own key. The shared CASHPILOT_API_KEY becomes an enrollment-only bootstrap credential.

  • Enrollment is automatic. A worker's first heartbeat uses the shared key; the UI issues it a unique key (stored encrypted on the UI, handed back once), which the worker persists to its own /data.
  • After enrollment, the worker authenticates every heartbeat with its own key, and the UI calls that worker with the same key. Once a worker confirms its key, the shared key is refused for it — in both directions.
  • Why: a leaked worker key is now scoped to a single worker, and no worker can impersonate another.

A dropped enrollment response can't lock a worker out — the UI re-delivers the same key until the worker confirms it.

⚠️ Breaking change — action required for existing fleets

Upgrade both the UI and all worker images to 1.0.0, keep CASHPILOT_API_KEY as-is, and restart. Workers re-enroll automatically on their first heartbeat (no manual key handling). An old worker image can't heartbeat once its UI-side record is confirmed, so don't leave 0.x workers running against a 1.0.0 UI.

📖 Full upgrade guide (steps, recovery, rollback): docs/upgrade-v1.md

Note: CASHPILOT_API_KEY remains sensitive — it can still enroll a new worker that receives deploy specs. Keep protecting it.


What's Changed

  • feat(fleet)!: per-worker fleet keys (full cutover, v1.0.0) by @GeiserX in #101

Full Changelog: v0.6.22...v1.0.0

Don't miss a new CashPilot release

NewReleases is sending notifications on new releases.