CHANGELOG.md

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

Changed

Fixed

0.9.0 - 2025-12-12

Added

• token:get command
  • Retrieve a machine token without running the authorization flow

Changed

• SDK Update: runbeam-sdk 0.8.0 → 0.9.1

  • Updated to runbeam-sdk 0.9.1 which includes harmony-dsl 1.9.0
  • ⚠️ Breaking Change: JWT validation API updated
    • validate_jwt_token() now requires &JwtValidationOptions parameter instead of integer leeway timeout
    • Use JwtValidationOptions::default() for standard validation behavior
    • See runbeam-sdk 0.9.0 release notes for migration details

• Harmony DSL 1.9.0 alignment

  • Updated all JWT token validation calls to use new JwtValidationOptions API
  • Full compatibility with runbeam-sdk 0.9.1 (includes harmony-dsl 1.9.0)

0.8.0 - 2025-11-20

Added

• harmony:install Command
  • New command to download and install the Harmony binary
  • Automatically detects platform and architecture
  • Installs to standard locations (~/.local/bin on Unix/macOS, %APPDATA%\runbeam\bin on Windows)
  • Support for installing specific versions with --version
  • Support for custom installation directories with --dir

[0.7.6] - 2025-11-19

Changed

• SDK Update: runbeam-sdk 0.6.2 → 0.7.2
  • ⚠️ Breaking Change: Removed OS keyring storage (macOS Keychain, Linux Secret Service, Windows Credential Manager)
  • All tokens now stored using encrypted filesystem storage at ~/.runbeam/<instance_id>/auth.json
  • Encryption uses age encryption with keys from RUNBEAM_ENCRYPTION_KEY env var or auto-generated at ~/.runbeam/<instance_id>/encryption.key
  • Migration required: Users must re-authenticate after upgrading (runbeam login)
  • Fixed: Runbeam configuration synchronization issues

Benefits

• Simplified Dependencies: Removed system dependencies (dbus, libdbus-sys, openssl, openssl-sys)
• Better Cross-Platform Support: Pure Rust implementation with no platform-specific FFI
• Improved Deployment: Better support for headless systems, CI/CD pipelines, Docker, Kubernetes, cloud VMs
• Smaller Binary Size: Faster compilation and reduced binary footprint

Migration Guide

1. Upgrade to version 0.7.0
2. Run runbeam login to re-authenticate (existing keyring tokens will not be migrated)
3. Re-authorize Harmony instances with runbeam harmony:authorize --label <name>

Note: Machine tokens expire after 30 days anyway, so losing keyring-stored tokens has minimal long-term impact.

[0.6.1] - 2025-11-16

• Dependencies updated
• Tests deprecations fixed

[0.6.0] - 2025-11-10

Added

• harmony:reload Command

  • New command to reload Harmony instance configuration
  • Triggers a reload of the Harmony proxy without restarting the service
  • Useful for applying configuration changes dynamically

• harmony:update Command

  • New command to push configuration updates to Runbeam Cloud
  • Synchronizes local Harmony configuration with the cloud platform
  • Enables centralized configuration management
  • Includes comprehensive integration tests

• Gateway ID Tracking

  • CLI now tracks and persists gateway IDs from Runbeam authorization responses
  • Gateway IDs stored alongside Harmony instance configuration
  • Enables better correlation between local instances and cloud resources
  • Backward compatible with instances without gateway IDs

• Runbeam Disabled Handling

  • Improved error handling when Runbeam integration is disabled in Harmony
  • Provides clear feedback when attempting operations on instances without Runbeam enabled
  • Clippy lint fixes for code quality

Changed

• SDK Update: runbeam-sdk 0.4.0 → 0.5.0
  • ⚠️ Breaking Change: Change Management API endpoints updated from /gateway/* to /api/changes/*
  • Added support for pushing configuration to Runbeam Cloud (used by harmony:update)
  • Added transform resource retrieval functionality
  • Requires Runbeam API v1.2 or later

Fixed

• macOS Keyring Compatibility
  • Fixed keyring storage compatibility issues on macOS (via SDK update)
  • Improved reliability of secure token storage on macOS Keychain

Dependencies

• Updated runbeam-sdk from 0.4.0 to 0.5.0

[0.5.0] - 2024-11-01

Added

• Secure User Token Storage

  • User authentication tokens now stored securely via runbeam-sdk v0.3.2
  • Primary: OS keyring (Keychain/Secret Service/Credential Manager)
  • Fallback: Encrypted filesystem storage with ChaCha20-Poly1305 AEAD
  • Automatic encryption key generation and secure storage
  • Token isolation from machine tokens

• Automatic Migration

  • Automatic migration from legacy plaintext ~/.runbeam/auth.json to secure storage
  • Migration happens transparently on first run after upgrade
  • Legacy plaintext file removed after successful migration
  • No user action required

• Enhanced Security

  • All user tokens encrypted at rest (except in OS keyring)
  • Encryption keys stored securely in OS keyring, never on disk in plaintext
  • Transparent encryption/decryption with no user configuration needed
  • Per-token-type storage isolation (user tokens separate from machine tokens)

Changed

• Storage Module Refactoring

  • Refactored src/storage.rs to use SDK generic secure storage
  • save_user_token(), load_user_token(), clear_user_token() use SDK functions
  • Removed duplicate encryption key management code
  • Storage now handled entirely by SDK

• Encryption Key Management (Deprecated)

  • Harmony encryption key commands now show deprecation messages
  • harmony:set-key, harmony:show-key, harmony:delete-key deprecated
  • SDK handles all encryption keys automatically
  • User-facing encryption key management no longer needed

• Documentation

  • Updated README.md with secure storage information and migration notes
  • Updated WARP.md with secure storage architecture
  • Added migration guide for upgrading from v0.4.x
  • Documented automatic token migration process
  • Marked encryption key commands as deprecated

• Dependencies

  • Updated to runbeam-sdk = "0.3.2" with generic secure storage support
  • Removed unused encryption-related dependencies from CLI

Security

• Improved Token Protection
  • User tokens no longer stored in plaintext JSON files
  • Automatic encryption for filesystem fallback
  • OS-native credential storage used when available
  • Encryption keys managed securely by SDK

Backwards Compatibility

• Automatic migration from legacy plaintext storage
• No breaking changes to CLI commands
• Existing workflows continue to work without modification
• Legacy token files automatically cleaned up after migration

0.4.0 - 2025-10-28

Changed

• SDK Integration: Migrated JWT verification and authentication logic to runbeam-sdk v0.2.0
  • Removed 441 lines of duplicate JWT verification code from CLI
  • Authentication now uses SDK's AuthManager for token management
  • JWT verification now handled by SDK's verify_token() function
  • Simplified codebase maintenance by centralizing auth logic in SDK
• Dependencies: Updated to use runbeam-sdk = "0.2.0" with async runtime support
  • Added tokio runtime for SDK integration
  • Removed direct dependencies on jsonwebtoken, base64, and url (now via SDK)

Removed

• Local JWT verification module (src/jwt.rs) - functionality moved to SDK
• Direct JWKS fetching and caching logic - now handled by SDK

0.3.0 - 2025-10-26

Added

• JWT RS256 Verification: Local JWT token verification using RS256 asymmetric cryptography
  • Validates tokens using public keys from JWKS endpoint
  • Supports key rotation via Key ID (kid) in JWT header or payload
  • Automatic JWKS caching with 1-hour TTL (configurable via RUNBEAM_JWKS_TTL env var)
  • Graceful fallback to first RS256 key when kid is missing
• New Command: runbeam verify - Verify stored authentication token
  • Displays comprehensive token information (issuer, subject, expiration)
  • Shows user and team details from JWT claims
  • Calculates and displays time remaining until token expiry
  • Clear error messages with troubleshooting guidance
• Token Verification on Login: Automatically verifies tokens after successful authentication
  • Provides immediate feedback on token validity
  • Validates signature using RS256 with JWKS public key

Changed

• JWT Validation: Migrated from expecting HS256 (symmetric) to RS256 (asymmetric) tokens
• Issuer Validation: URL normalization for flexible issuer claim matching
• Error Handling: Enhanced error messages for JWT verification failures
  • Network errors (timeout, connection refused, DNS failures)
  • Invalid token signatures
  • Expired tokens
  • Missing required claims
• Dependencies: Added jsonwebtoken, base64, and url crates for JWT support

Fixed

• Improved error reporting for authentication polling
• Better handling of non-success HTTP responses during login flow
• Added debug logging for JWT verification troubleshooting

Security

• Asymmetric Token Verification: Tokens are now verified using public keys instead of shared secrets
• Key Rotation Support: Automatic key selection via kid enables seamless key rotation
• JWKS Caching: Reduces network calls while maintaining security with TTL-based refresh

Documentation

• Updated README with token verification examples
• Added comprehensive inline documentation for JWT module
• Updated WARP.md with verify command usage

0.2.0 - 2024-XX-XX

Added

• Initial CLI implementation
• Browser-based OAuth authentication
• Harmony instance management
• Configuration management (config:set, config:get, config:unset)
• Harmony authorization flow

Changed

• Improved logging and verbosity controls

0.1.0 - 2024-XX-XX

Added

• Initial release
• Basic CLI structure
• Authentication commands (login, logout)
• Harmony commands (harmony:add, harmony:list, harmony:remove)
• Harmony management API integration