- do_deregister now accepts <project> <pubkey> and verifies the caller's
pubkey matches the stored pubkey before removing the registration
- Returns {"error":"pubkey mismatch"} on failure without revealing the
stored pubkey
- dispatch in main() updated to parse pubkey from deregister command args
- bin/disinto deregister subcommand reads tunnel_key.pub and sends it
as ownership proof over SSH
The user-facing CLI (disinto edge deregister <project>) is unchanged —
the pubkey is automatically sourced from secrets/tunnel_key.pub.
- register.sh parses --as <tag> from forced-command argv, stores as
registered_by in registry entries (defaults to "unknown")
- allocate_port() accepts optional registered_by parameter
- list output includes registered_by for each tunnel
- deregister response includes deregistered_by
- install.sh accepts --admin-tag <name> (defaults to "admin") and wires
it into the forced-command entry as --as <tag>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Every successful register/deregister appends one line to
/var/log/disinto/edge-register.log with space-separated key=value pairs:
2026-04-20T14:30:12Z register project=myproj port=20034 pubkey_fp=SHA256:… caller=alice
2026-04-20T14:31:55Z deregister project=myproj port=20034 pubkey_fp=SHA256:… caller=alice
- Log dir /var/log/disinto/ created by install.sh (root:disinto-register, 0750)
- Log file created at install time (0640, root:disinto-register)
- Logrotate: daily rotation, 30 days retention, copytruncate
- Write failures emit a warning but do not fail the operation
- Caller derived from SSH_USERNAME > SUDO_USER > USER env vars
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix .env write in edge register to use single grep -Ev + mv pattern (not three-pass append)
- Fix register.sh to source authorized_keys.sh and call rebuild_authorized_keys directly
- Fix caddy.sh remove_route to use jq to find route index by host match
- Fix authorized_keys.sh operator precedence: { [ -z ] || [ -z ]; } && continue
- Fix install.sh Caddyfile to use { admin localhost:2019 } global options
- Fix deregister and status SSH to use StrictHostKeyChecking=accept-new
