v8.8.0
Summary
This release introduces secure ArcaneOS node-to-node authentication, improves backup/restore stability, and includes several quality-of-life fixes.
Changes
ArcaneOS Authentication System
- Added new arcaneAuthService.js with challenge-response authentication for ArcaneOS nodes
- GET /arcane/authchallenge — generates time-limited authentication challenges (30s TTL) via flux-configd
- POST /arcane/configsync — validates authentication and syncs configuration with cryptographic verification
- Added fluxConfigdClient.js WebSocket RPC client for secure communication with flux-configd over Unix socket (JSON-RPC 2.0)
- Added requireHttps middleware enforcing HTTPS-only access for authentication endpoints
- Per-IP challenge limits (max 16) with auto-cleanup timers
- Signature verification and input validation (16KB max config data)
- Returns 501 on non-ArcaneOS nodes
- Comprehensive unit test suite with 25+ test cases
Backup/Restore Stability
- Stopped containers actively undergoing backup or restore operations are now included in listRunningApps with "running" state, preventing FDM from
triggering premature master switches during these operations
File Download Enhancement
- Hidden files (dotfiles like .env, .rcon-cli.env) can now be downloaded by setting dotfiles: 'allow' in Express.js static file serving
Search Engine Indexing Fix
- Removed hardcoded /robots.txt route that returned Disallow: /, which blocked all search engine crawling
- Static files like robots.txt and sitemap.xml from CloudUI are now served directly via express.static
Spawner Pipeline Fix
- Default instances to 3 in the spawner pipeline projection using $ifNull, preventing uncontrolled instance spawning for v2 apps missing the
instances field
Code Quality
- Moved messageHelper import to top-level in routes.js for better performance