Release LoadGen Api, Appliance and MCP Server: 1.0.0.11871

Updated June 11, 2026 09:02

LoadGen General

The customer-facing Appliance Not Available message is now one short non-technical sentence per recovery class instead of operator-grade diagnostic text. The 401-during-rotation case reads "the appliance rejected the current admin token — normal for up to a minute after a token rotation — refresh the page shortly", with separate sentences for transport-refused, transport-timed-out, and DNS-resolution failures. Full forensic detail (token-parity check, restart instructions, internal paths) moves to the API host log, never the browser.

POST /appliance/security/tokens now rejects unsafe characters at the API boundary. Tokens must match the RFC 3986 unreserved alphabet (A-Z, a-z, 0-9, ., _, ~, -) with a length between 16 and 256. Machine-generated tokens already comply; a non-conforming manually-typed token is rejected with 400 Bad Request listing the allowed set and the reason.

The agent now performs a read-back verification after writing the new admin token to all of its storage locations. If any copy diverges, the service restart is suppressed — preventing the persistent-401 state where the API container booted with the new environment while the agent process still held the old in-memory token. Old tokens stay in effect on running services until the operator resolves the underlying write failure and rotates again.

The agent applies the same [A-Za-z0-9._~-]{16,256} safe-character gate as defence-in-depth, so even if a future regression slips past the API boundary, the storage layer cannot be fed unsafe input.