derptun 0.8.1 → 0.10.0

package/README.md

@@ -152,39 +152,45 @@ npx -y derphole@latest open <token> 127.0.0.1:8080
 
 ### Durable SSH Tunnels with `derptun`
 
-`derptun` is the durable TCP tunnel companion to `derphole`. Use it when a host is behind NAT and you want a stable token you can reuse for days instead of a one-hour, session-scoped share token.
+`derptun` is the durable TCP tunnel companion to `derphole`. Use it when `serverhost` is behind NAT and you want a stable server credential that can survive process restarts.
 
-On the target host:
+On `serverhost`:
 
 ```bash
-npx -y derptun@latest token --days 7 > alpha.token
-npx -y derptun@latest serve --token "$(cat alpha.token)" --tcp 127.0.0.1:22
+npx -y derptun@latest token server > server.dts
+npx -y derptun@latest token client --token-file server.dts > client.dtc
+npx -y derptun@latest serve --token-file server.dts --tcp 127.0.0.1:22
 ```
 
-On the client:
+Copy only `client.dtc` to `clienthost`.
+
+On `clienthost`:
 
 ```bash
-npx -y derptun@latest open --token "$(cat alpha.token)" --listen 127.0.0.1:2222
-ssh -p 2222 foo@127.0.0.1
+npx -y derptun@latest open --token-file client.dtc --listen 127.0.0.1:2222
+ssh -p 2222 user@127.0.0.1
 ```
 
 For SSH without a separate local listener, use `ProxyCommand`:
 
 ```sshconfig
-Host alpha-derptun
-  HostName alpha
+Host serverhost-derptun
+  HostName serverhost
   User foo
-  ProxyCommand derptun connect --token ~/.config/derptun/alpha.token --stdio
+  ProxyCommand derptun connect --token-file ~/.config/derptun/client.dtc --stdio
 ```
 
-`derptun` keeps trying when the network path drops, and it can reconnect while both `derptun` processes stay alive. If either process exits, the token can bring the tunnel back, but an already-open TCP session is gone. Use `tmux` or `screen` on the remote host when shell continuity matters.
+The server token is secret serving authority. Keep it on the serving machine or in its secret manager. The client token can connect until it expires, but it cannot serve or mint more tokens.
 
-Tokens default to seven days. Set a relative lifetime with `--days`, or use an absolute expiry:
+Server tokens default to 180 days. Client tokens default to 90 days and cannot outlive their server token. Set a relative lifetime with `--days`, or use an absolute expiry:
 
 ```bash
-npx -y derptun@latest token --expires 2026-05-01T00:00:00Z
+npx -y derptun@latest token server --expires 2026-05-01T00:00:00Z > server.dts
+npx -y derptun@latest token client --token-file server.dts --expires 2026-04-25T00:00:00Z > client.dtc
 ```
 
+`--token TOKEN` still works for quick one-off commands. Prefer `--token-file PATH` for durable tokens. `--token-stdin` reads the token from the first stdin line when a pipe is more convenient.
+
 The first `derptun` release is TCP-only. UDP forwarding is planned for use cases like Minecraft Bedrock servers, but it is not part of this release.
 
 ### Useful Extras
@@ -268,7 +274,7 @@ In practice: move bytes early, keep them moving through relay if needed, then sh
 
 ## Security Model
 
-Tokens are **bearer capabilities**. Anyone with a token can claim the matching session or tunnel until it expires, so share tokens over a trusted channel. `derphole` session tokens expire after one hour. `derptun` tokens default to seven days and can be shortened or extended with `--days` or `--expires`.
+Tokens are **bearer capabilities**. Anyone with a token can claim the matching session or tunnel until it expires, so share tokens over a trusted channel. `derphole` session tokens expire after one hour. `derptun` server tokens default to 180 days and can mint shorter-lived client tokens; client tokens default to 90 days and cannot serve.
 
 DERP relays do **not** get the secret material needed to read or impersonate the session:
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "derptun",
-  "version": "0.8.1",
+  "version": "0.10.0",
   "license": "BSD-3-Clause",
   "bin": {
     "derptun": "bin/derptun.js"