Download Latest Version apra-fleet-v0.1.9.0_227c99.tar.gz (288.5 kB)
Email in envelope

Get an email when there's a new version of apra-fleet

Home / v0.1.7.0
Name Modified Size InfoDownloads / Week
Parent folder
apra-fleet-installer-darwin-arm64 2026-04-22 115.0 MB
0
apra-fleet-installer-linux-x64 2026-04-22 127.0 MB
0
apra-fleet-installer-win-x64.exe 2026-04-22 89.5 MB
0
apra-fleet-v0.1.7_e67566.tar.gz 2026-04-22 235.0 kB
0
README.md 2026-04-21 3.2 kB
0
v0.1.7 -- Credential Store _ Secure OOB Input source code.tar.gz 2026-04-21 476.6 kB
0
v0.1.7 -- Credential Store _ Secure OOB Input source code.zip 2026-04-21 596.9 kB
0
Totals: 7 Items   332.8 MB 0

What's new in v0.1.7

Credential store & {{secure.NAME}} token resolution

Secrets can now be stored out-of-band and referenced by name — they never appear in prompts, logs, or chat history.

  • credential_store_set — prompts for a secret value in a separate terminal window (OOB), stores it encrypted at ~/.apra-fleet/data/credentials.enc
  • credential_store_list — lists stored credential names (values never shown)
  • credential_store_delete — removes a credential from both session and persistent tiers
  • {{secure.NAME}} token resolution — use credential handles in execute_command, register_member, update_member, provision_vcs_auth, provision_auth, and setup_git_app; the server resolves and redacts values before the LLM sees any output
  • execute_prompt guard — prompts containing {{secure.NAME}} tokens are rejected with an error; secrets must never reach LLM context
  • setup_git_app{{secure.NAME}} tokens now resolve as PEM content for private key fields
  • OOB fallback for provision_vcs_auth and provision_auth — when no token is provided, triggers secure out-of-band collection automatically

OOB secure input improvements

  • Replaced raw-mode terminal input with @inquirer/password masked input for secure value entry
  • OOB prompt header changed from "Member: X" to "Enter secure value for: X" — accurate for both member auth and credential store use
  • Generic secure-input message on the OOB collection window (no longer labels as "API key")

Bug fixes

  • OOB retry hang (#164) — after a cancel or fallback, hasPendingAuth() was returning true and blocking re-entry; fixed by cleaning up pendingRequests and passwordWaiters in all exit paths
  • Credential name shown as member name (#165) — credential_store_set was passing the credential name as memberName to the OOB prompt; now shows "Enter secure value for: MY_CRED" instead of "Member: MY_CRED"
  • ESM __dirname incompatibility (#33) — __dirname used in ESM context replaced with fileURLToPath(import.meta.url) across affected modules
  • cloud_activity_command blocked empty string (#5) — removed .min(1) Zod validation that prevented clearing the custom activity command
  • Headless OOB hint (#106) — when the OOB terminal can't open (headless / CI environment), the error message now includes a hint to use credential_store_set pre-flight

CI & deliverable fixes

  • update-llms-full workflow now checks out by commit SHA rather than branch name — survives branch deletion after PR merge
  • CLAUDE.md and AGENTS.md are now restored from origin/main by the cleanup command rather than deleted — preserves them as project deliverables
  • paths-ignore added for llms-full.txt on main push — prevents auto-commit loops
  • Refuse-to-commit guard added: update-llms-full will not auto-commit directly to main

Documentation

  • Comprehensive credential store documentation added to README, fleet skill, and PM skill
  • PM skill documents {{secure.NAME}} usage rules, OOB workflow, and mid-sprint credential rotation
  • llms-full.txt regenerated
Source: README.md, updated 2026-04-21