Changelog

Release notes for every version. Based on Keep a Changelog.

v0.3.3

Fixed
  • Device ID derivation mismatch — invite and listen derived device IDs as raw base64url(pubkey), while init used SHA-256(pubkey) as the protocol spec requires. The relay therefore could never match the controller's allow-list entry to the agent's registration. Existing pairings need re-pairing.
  • Compiled binary broken — sea.ts entry point restored with all 8 commands.
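To make the mismatch concrete, here is an added example (not amesh code) that derives a device ID both ways from the same P-256 public key and runs a stand-in for the relay's lookup against each. It assumes the spec's SHA-256(pubkey) digest is base64url-encoded and that the public key is handled as the 65-byte uncompressed SEC1 point; this page states neither encoding.

```typescript
// Added example, not amesh code. Shows why the pre-v0.3.3 `invite`/`listen`
// device IDs never matched the `init` registration at the relay.
import { createHash, generateKeyPairSync } from "node:crypto";

// Assumption: the public key is handled as the raw 65-byte uncompressed
// SEC1 point (0x04 || X || Y). Node exports SPKI DER; the point is its tail.
export function rawP256PublicKey(): Buffer {
  const { publicKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const spki = publicKey.export({ type: "spki", format: "der" });
  return spki.subarray(spki.length - 65);
}

// Pre-fix derivation used by `invite` and `listen`: base64url of the key itself.
export function deviceIdRaw(pubkey: Buffer): string {
  return pubkey.toString("base64url");
}

// Spec derivation used by `init`: SHA-256 of the key, here base64url-encoded
// (the digest encoding is an assumption, not stated on this page).
export function deviceIdHashed(pubkey: Buffer): string {
  return createHash("sha256").update(pubkey).digest().toString("base64url");
}

// Stand-in for the relay's check: is the ID the agent registered with present
// in the controller's allow list?
export function relayMatches(allowList: Set<string>, registeredId: string): boolean {
  return allowList.has(registeredId);
}

export function demo() {
  const pub = rawP256PublicKey();
  const allowListEntry = deviceIdRaw(pub);  // what `invite` wrote pre-fix
  const registration = deviceIdHashed(pub); // what `init` registered

  return {
    // Pre-fix: same key, two different strings, so the lookup always fails.
    preFixMatches: relayMatches(new Set([allowListEntry]), registration),
    // Post-fix: both sides use the hashed form and the lookup succeeds.
    postFixMatches: relayMatches(new Set([deviceIdHashed(pub)]), registration),
    // The two forms are not even the same length: 87 chars for 65 raw bytes
    // versus 43 chars for a 32-byte digest, so the bug is visible by inspection.
    rawLength: allowListEntry.length,
    hashedLength: registration.length,
  };
}
```

A cheap regression check for this class of bug is a test asserting that every command that emits a device ID goes through one shared derivation function; the defect here was two call sites with two formulas.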

v0.3.1

Fixed
  • macOS Keychain stale key accumulation — SecItemDelete removes only one matching Keychain item per call, so repeated amesh init --force runs accumulated stale keys; remote peers then reported selfSig verification failed during pairing and shell handshakes.
Added
  • Key Storage doc page — explains the backend fallback order: Secure Enclave → macOS Keychain → TPM 2.0 → encrypted file.
  • macOS Keychain driver tests — sign/verify round-trip, stale key regression test, key overwrite verification.
Changed
  • Security claims softened — "replay-proof" → "replay protection", "MITM-proof" → "MITM-resistant", "hardware-bound" → "protected by Keychain, TPM, or encrypted file".
  • Footer disclaimer added — clarifies security claims describe design goals, not guarantees.

v0.3.0

Added
  • Auto-generated passphrase for encrypted-file backend — --passphrase flag removed; a 256-bit random passphrase is generated and stored in identity.json automatically.
  • Detection verbosity — amesh init now shows which backend tiers were checked and which one was selected.
  • Identity info in amesh list — new "This device" section at top showing device ID, friendly name, backend, and created date.
  • Docs sidebar — persistent left navigation on all doc pages.
  • ADR-010 — documents the passphrase-colocation security decision and threat analysis.
Security
  • Passphrase references dropped after KeyStore creation at all 6 call sites (JavaScript strings cannot be zeroed in place, so this shortens the passphrase's lifetime in memory rather than guaranteeing erasure).
  • Atomic write for identity.json in SDK bootstrap (write to a temp file, then rename over the target).
  • Bun runtime guard added to relay start — clear error message when run on Node.js.

v0.1.3

Fixed
  • macOS Keychain not detected in Homebrew installs — the Swift Secure Enclave helper (amesh-se-helper) was not bundled in release tarballs, so macOS installs silently fell back to the encrypted-file backend.
Changed
  • Swift helper bundled in macOS releases — amesh-se-helper is now compiled and included in darwin tarballs.

v0.1.2

Changed
  • CLI binary migrated from Node.js SEA to Bun compile — binary size reduced from 123MB to 61MB (~50%); also fixes a segfault on macOS.
  • WebSocket client switched from ws to native WebSocket API — works in both Bun and Node.js, removes a runtime dependency.
  • Release pipeline simplified — 4-step SEA build replaced with single bun build --compile.

v0.1.1

Security
  • AllowList HMAC key now derived from private key material or a stored random secret; it was previously the public key, which is public by definition, so anyone could recompute a valid tag over a modified list.
  • Bootstrap token embeds the controller public key — the signature is verified against that trusted embedded key rather than against a key taken from an untrusted relay message.
  • ECDH shared secret returns the raw 32-byte x-coordinate, per NIST SP 800-56A.
  • File permissions: all sensitive files written with 0o600/0o700.
  • Relay hardening: per-OTC brute-force tracking (max 5 attempts per OTC), maxPayload 64KB, connection limit 10K, bootstrap watcher TTL and cleanup.
  • Nonce store bounded at 1M entries to prevent memory exhaustion.
  • Canonical string rejects newlines in fields to prevent delimiter injection into the signed string.
  • Error responses no longer leak allow_list_integrity_failure to clients.
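Why keying the allow-list HMAC with the public key was a problem, as an added example that is not amesh code: anyone who can read the controller's public key can re-tag a modified list, so the old tag only caught accidental corruption. Deriving the key from private key material (HKDF below) or from a stored random secret limits tag creation to the key holder. The HKDF info label, the allow-list encoding and the entry fields are assumptions made for illustration.

```typescript
// Added example, not amesh code: allow-list integrity tags keyed the old way
// (public key) versus the v0.1.1 way (HKDF from private key material).
import { createHmac, generateKeyPairSync, hkdfSync, randomBytes, timingSafeEqual, KeyObject } from "node:crypto";

export interface AllowEntry { deviceId: string; name: string; }

// Canonical encoding of the list so the tag covers exactly what is checked.
// Sorted by device ID for determinism; the real amesh encoding is not on this page.
function encodeAllowList(list: AllowEntry[]): Buffer {
  const sorted = [...list].sort((a, b) => a.deviceId.localeCompare(b.deviceId));
  return Buffer.from(JSON.stringify(sorted), "utf8");
}

export function tagAllowList(key: Buffer, list: AllowEntry[]): string {
  return createHmac("sha256", key).update(encodeAllowList(list)).digest("hex");
}

export function verifyAllowList(key: Buffer, list: AllowEntry[], tag: string): boolean {
  const expected = Buffer.from(tagAllowList(key, list), "hex");
  const given = Buffer.from(tag, "hex");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// v0.1.1 option 1: derive a dedicated HMAC key from the private scalar with HKDF.
// The info label is an assumption; it separates this key from anything else
// derived from the same material.
export function hmacKeyFromPrivate(priv: KeyObject): Buffer {
  const d = Buffer.from(priv.export({ format: "jwk" }).d as string, "base64url");
  return Buffer.from(hkdfSync("sha256", d, Buffer.alloc(0), "allowlist-hmac", 32));
}

// v0.1.1 option 2: a random secret generated once and stored with the identity.
export function hmacKeyRandom(): Buffer {
  return randomBytes(32);
}

export function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const list: AllowEntry[] = [{ deviceId: "dev-laptop", name: "laptop" }];
  const tampered: AllowEntry[] = [...list, { deviceId: "dev-attacker", name: "attacker" }];

  // Pre-v0.1.1: key = public key. The attacker has it too, so they can re-tag.
  const pubBytes = publicKey.export({ type: "spki", format: "der" });
  const forgedTag = tagAllowList(pubBytes, tampered);
  const weakAcceptsForgery = verifyAllowList(pubBytes, tampered, forgedTag);

  // v0.1.1: key derived from the private key. The attacker cannot produce a
  // valid tag for the modified list, and the forged tag fails as well.
  const key = hmacKeyFromPrivate(privateKey);
  const goodTag = tagAllowList(key, list);
  return {
    weakAcceptsForgery,                                                // true
    strongAcceptsOriginal: verifyAllowList(key, list, goodTag),        // true
    strongRejectsTamper: !verifyAllowList(key, tampered, goodTag),     // true
    strongRejectsForgery: !verifyAllowList(key, tampered, forgedTag),  // true
  };
}
```

The same failure applies to any MAC keyed with a value the adversary can read; the constant-time comparison is good hygiene but the key choice is what makes the tag meaningful.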

v0.1.0

Initial release
  • Core crypto — P-256 ECDSA signing/verification, canonical request strings, nonce-based replay detection, HMAC integrity, HKDF key derivation, ECDH key exchange. 84 tests including adversarial scenarios (replay, tamper, MITM, clock boundary, body swap).
  • Key storage — Secure Enclave (macOS), TPM 2.0 (Linux), OS keyring, and AES-256-GCM + Argon2id encrypted-file fallback.
  • SDK — amesh.fetch() signing client and amesh.verify() Express/Connect middleware.
  • CLI — init, listen, invite, list, revoke, provision commands via oclif v4.
  • Relay — WebSocket pairing relay with OTC session management, IP-based rate limiting.
  • Protocol specification v2.0.0 with full wire format, crypto details, and security model.
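The v0.1.0 core pieces and the v0.1.1 newline and nonce-bound fixes fit together in one flow. Below is an added example, not amesh code, of a canonical request string signed with P-256 ECDSA and checked against a bounded nonce store. The field names and order, the newline separator, the five-minute clock window and the signature encoding are assumptions; the protocol spec, not this page, defines the real wire format.

```typescript
// Added example, not amesh code: canonical string + ECDSA + bounded nonce store.
import { createSign, createVerify, generateKeyPairSync, randomBytes, KeyObject } from "node:crypto";

// Fields covered by the signature (names and order are assumptions).
export interface SignedRequest {
  method: string;
  path: string;
  bodySha256: string; // hex digest of the body, so a body swap breaks the signature
  timestamp: number;  // ms since epoch
  nonce: string;
  deviceId: string;
}

// Fields are joined with "\n". If a field could contain a newline, a verifier
// would parse one field as two and a signature over one set of fields would
// cover a differently-parsed request, so newlines are rejected outright.
export function canonicalString(r: SignedRequest): string {
  const fields = [r.method, r.path, r.bodySha256, String(r.timestamp), r.nonce, r.deviceId];
  for (const f of fields) {
    if (f.includes("\n") || f.includes("\r")) throw new Error("newline in canonical field");
  }
  return fields.join("\n");
}

export function signRequest(priv: KeyObject, r: SignedRequest): string {
  return createSign("SHA256").update(canonicalString(r)).sign(priv, "base64url");
}

// Replay detection: each nonce is accepted once within the clock window.
// The store is bounded; when full, the oldest insertion is evicted (Map keeps
// insertion order). An evicted nonce can only be replayed while it is still
// inside the window, so the bound must be large relative to windowMs x rate.
export class NonceStore {
  private readonly seen = new Map<string, number>();
  private readonly maxEntries: number;
  private readonly windowMs: number;

  constructor(maxEntries: number, windowMs: number) {
    this.maxEntries = maxEntries;
    this.windowMs = windowMs;
  }

  accept(nonce: string, timestamp: number, now: number): boolean {
    if (Math.abs(now - timestamp) > this.windowMs) return false;
    if (this.seen.has(nonce)) return false;
    if (this.seen.size >= this.maxEntries) {
      const oldest = this.seen.keys().next().value;
      if (oldest !== undefined) this.seen.delete(oldest);
    }
    this.seen.set(nonce, timestamp);
    return true;
  }

  get size(): number { return this.seen.size; }
}

// Verify the signature first, then consume the nonce, so unsigned junk can
// neither burn a legitimate nonce nor fill the store.
export function verifyRequest(pub: KeyObject, r: SignedRequest, sig: string, store: NonceStore, now: number): boolean {
  let canon: string;
  try { canon = canonicalString(r); } catch { return false; }
  if (!createVerify("SHA256").update(canon).verify(pub, sig, "base64url")) return false;
  return store.accept(r.nonce, r.timestamp, now);
}

export function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const store = new NonceStore(1_000_000, 5 * 60_000);
  const now = 1_700_000_000_000; // constructed clock value
  const req: SignedRequest = {  // constructed sample request
    method: "POST", path: "/v1/jobs",
    bodySha256: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    timestamp: now, nonce: randomBytes(16).toString("base64url"), deviceId: "dev-laptop",
  };
  const sig = signRequest(privateKey, req);

  let injectionRejected = false;
  try { signRequest(privateKey, { ...req, path: "/v1/jobs\nadmin" }); } catch { injectionRejected = true; }

  return {
    firstAccepted: verifyRequest(publicKey, req, sig, store, now),
    replayRejected: !verifyRequest(publicKey, req, sig, store, now + 1_000),
    bodySwapRejected: !verifyRequest(publicKey, { ...req, bodySha256: "00".repeat(32) }, sig, store, now),
    staleRejected: !verifyRequest(publicKey, req, sig, store, now + 10 * 60_000),
    injectionRejected,
  };
}
```

Two design points worth keeping when adapting this: consume the nonce only after the signature verifies, and pair the bounded store with a clock window so that eviction of an old nonce cannot reopen a replay.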

For the raw source, see CHANGELOG.md on GitHub.