# Unreleased

> The agent pivots to bearer-token auth with sealed credentials. The control plane grows a verification pipeline and an alerts module.

URL: https://bkpdb.com/changelog/unreleased/
Date: 2026-05-19

---

## Agent

### Added

- Bearer-token authentication. The agent loads a token and a wrapping key from the environment, persists the wrapping key locally, and unseals the credentials envelope with AES-GCM at use time.
- `db_probe` command handler: live database-connectivity checks dispatched through the same lifecycle as backup and restore. The probe result is reported back over `PostProbe`.
- Bounded-concurrency worker pool with durable lifecycle. Inflight rows are reconciled on startup by the recoverer, and the daemon drains the pool on shutdown.
- End-to-end command handlers: `BackupHandler`, `RestoreHandler`, and the probe handler all run their respective `run_*` flows through the worker pool.
- Heartbeat dispatch. Pending jobs are parsed from the heartbeat response and run through the worker pool. No long-poll, no side channel.
- Halt-on-401 in `Daemon.Tick`: the daemon refuses to keep talking to a control plane that has revoked its token.
- SFTP fingerprint mode in the credentials wire shape, aligned with the server's expectations.
- OSS-prep: `LICENSE`, `SECURITY.md`, a bearer-aware HTTP client, and daemon entrypoint polish for the first public release.
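
The unseal step from the bearer-token item above, as an added Go example that is not bkpdb's own code. The envelope layout (12-byte nonce, then ciphertext and tag), the function names, and the use of an agent name as AAD are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrEnvelope covers every malformed or tampered envelope.
var ErrEnvelope = errors.New("credentials envelope rejected")

// NewAEAD builds AES-GCM from the wrapping key (16, 24 or 32 bytes).
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag (assumed layout, not bkpdb's wire format).
func Seal(gcm cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Unseal returns plaintext only if the tag verifies for this key and aad.
func Unseal(gcm cipher.AEAD, envelope, aad []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(envelope) < n+gcm.Overhead() {
		return nil, ErrEnvelope // too short to hold nonce and tag
	}
	plaintext, err := gcm.Open(nil, envelope[:n], envelope[n:], aad)
	if err != nil {
		return nil, ErrEnvelope
	}
	return plaintext, nil
}

func main() {
	gcm, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	env, _ := Seal(gcm, []byte("constructed-secret"), []byte("agent-a"))
	_, err := Unseal(gcm, env, []byte("agent-b")) // wrong context
	fmt.Println(err)
}
```

Every failure path returns the same error, so a caller cannot tell a truncated envelope from a failed tag check.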

### Changed

- Credentials wire shape aligned with the server's sealed-envelope format. `crl_cache` table dropped via a v1 to v2 state migration.
- Binary registry. Published Postgres binaries are now sourced from a static-musl bash matrix.
- CI: race-detector step runs with CGO enabled, golangci-lint upgraded to v2 with the real lint debt cleared, and the licensed gitleaks action replaced with a binary install.


## Control plane

### Added

- Verification module, server-side. A dedicated `bkpdb-verification` q-cluster runs a Docker-based pipeline against the latest backup. It includes a trigger on successful upload, on-demand verify-now from the backup detail page, a per-result detail page, and a policy config tab on the database detail.
- Boolean-returning SQL checks in the verification policy. `statement_timeout` is set via `PGOPTIONS` so a runaway query does not block the worker.
- Alerts module. Events with dedup, incidents with recovery, channel CRUD with address verification, per-database channel scope, and a policy/events/incidents dashboard.
- Alert channels: email via `QueuedEmailBackend`, Slack via incoming webhook. A handler registry routes events to the right one with retry and backoff.
- Alert wiring: backup, verification, and retention modules fire `failed` and `recovered` events. A still-failing reminder cron fires for incidents that have not recovered.
- Restore from backup detail page, and adhoc-target restore with cancel and polling.
- Containerised dev stack with separate `webapp` and `worker` services.

### Changed

- Agent auth: mTLS replaced with bearer tokens and sealed credentials. The operator picks `agent_name` at token issue, not on the agent host.
- `/agent/v1/` and `/api/v1/` surfaces force JSON responses.
- Heartbeat `pending_jobs` entries include `attempt` so the agent can distinguish retries from first runs.
- Environment variables renamed from `DBCRATE_*` to `BKPDB_*`.

### Fixed

- Alerts: `record_event` enqueues fan-out reliably, and the reconnect recoverer no longer crashes on an unparsable agent primary key.


