Upgrade Guide: v0.6 to v0.7¶
v0.7.0 adds optional, default-off authentication and transport
encryption so a shed-server can be deployed on a public-internet VPS.
Tailscale / LAN stays the primary, unchanged path.
Most users: no action required
Every new control in this release is off by default. If you run
shed over a tailnet or trusted LAN, your existing
~/.shed/config.yaml and server config keep working byte-for-byte
after upgrading. Read on only if you intend to expose a server to the
public internet.
What changed (#198)¶
v0.7.0 introduces a layered, opt-in security model:
- SSH key allowlist — restrict the SSH control channel to specific
public keys, optionally seeded from GitHub (
github_users), with a fail-closed last-known-good cache. - Scoped HTTP bearer tokens —
control,credentials, andadminscopes minted withshed-server token new --scope, enforced deny-by-default whenauth.http.mode=enforce. - Native pinned TLS — the server self-signs an ECDSA P-256 cert;
clients pin it by SHA-256 fingerprint (
shed server add --https-port), the same trust model as the SSH host key. No CA, ACME, or domain required. - Credential-bus hardening — the plugin bus drops forged
/respondenvelopes and requires thecredentialsscope under enforcement. public_exposurepreflight — a startup guard that refuses to boot a public server unless the full bundle is present (SSH enforce + HTTP enforce + a strong token + TLS).
See Security for the full model and Public VPS Deployment for an end-to-end walkthrough.
The default-off guarantee¶
With none of the new keys set, v0.7.0 behaves exactly like v0.6.x: one plain-HTTP listener on all interfaces, no SSH key gate, no token required. Upgrading does not change your network surface until you opt in.
Opting in: the new configuration surface¶
Server config (only when exposing publicly):
| Key | Purpose |
|---|---|
public_exposure |
Refuse to start unless the full hardening bundle is present. |
https_port |
Enable the pinned-TLS listener. |
tls_names |
Extra cert SANs (localhost / 127.0.0.1 / ::1 always included). |
auth.ssh.mode |
off | warn | enforce for the SSH key allowlist. |
auth.ssh.github_users |
Seed the allowlist from github.com/<user>.keys. |
auth.http.mode |
off | enforce for HTTP bearer-token auth. |
auth.http.tokens |
Scoped tokens (control / credentials / admin). |
Client config (~/.shed/config.yaml) gains per-server api_url,
tls_cert_fingerprint, and control_token — populated automatically by
shed server add --https-port <host>. A complete example lives in the
VPS deployment guide.
Companion releases¶
The auth/transport work spans three repos. The shed-server release is self-contained; the others are only needed if your server enables auth or TLS:
| Component | Version | Needed when |
|---|---|---|
| shed-extensions host-agent | v0.4.1 | The credential bus runs over TLS + a credentials token (remote host-agent). |
| shed-desktop app | v0.0.8 | You connect the desktop app to a TLS-pinned / token-gated server. |
If your server stays default-off, the v0.6.x host-agent and desktop app continue to work unchanged.