This needs to go into the docs, together with practical examples:
Bundle server access_rules can now accept new constraints for each
entry: "admit_ips", "admit_hostnames", "admit_keys". Previous generic
"admit" constraint is deprecated, and the new ones do not accept generic
regular expression like it used to be the case.
The new thing is mostly in admit_keys. We can restrict specific files to
be accessible to specific hosts, not based on their IP address or
hostname, but based on their RSA key.
If the resource_type is "path" (default) then the promiser can now be a
path containing the special string "$(connection.ip)"
"$(connection.fqdn)" "$(connection.key)". By writing an access rule like
that, we can allow host-specific filenames to be accessible only to the
relevant hosts. Example:
shortcut => "me.json",
Moreover, notice the new "shortcut" constraint. This allows the agent to
request a file by its shortcut, and expansion is taking place on the
server according to this constraint in bundle server access_rules. This
is only for ease of use, a file can always be requested with its
The server tries to find an expansion for the first part of every
non-absolute (a.k.a. relative...) request path. E.g. the source file
"masterdir/failsafe.cf" will be served by the server, only if you have
defined an ACL entry with shortcut=>"masterdir".