Skip to content

v0.39.0

Choose a tag to compare

@github-actions github-actions released this 11 Jun 17:35

v0.39.0

⚠️ BREAKING — Kit installs now default to signed-by-allowlist

The daemon's kit trust gate no longer defaults to permissive. With no trust:
block in daemon.yaml, only kits whose sigstore signature verifies and whose
signer (Fulcio SAN) appears in trust.issuerSet will install. Unsigned or
unverified kits are rejected (HTTP 403) with an error spelling out every
remediation path. A signed-by-allowlist mode with an empty issuerSet
fail-closes installs (the kit surface stays readable) rather than silently
accepting any validly-signed kit.

Overrides for operators who knowingly accept unsigned-kit risk:

  • Per install: donmai kit install --allow-unsigned (audit-logged).
  • Globally: trust.mode: permissive in daemon.yaml, or
    DONMAI_KIT_TRUST_MODE=permissive (logs a prominent warning per gated install).

Also fixed: SAN-only trust.issuerSet entries were dropped as malformed (so a
configured allowlist could never match) — entries now match the SAN exactly with
the OIDC issuer wildcarded; and a verifier construction failure now keeps the
configured trust mode (fail-closed) instead of downgrading to permissive. Closes
the "operator installs attacker kit → arbitrary shell execution" gap (CWE-494).
See daemon/README.md § "Kit install trust gate".

Features

  • Durable CI wait — runner half. The runner captures the worktree's head
    commit at envelope-build time into Result.CommitSHA, and the terminal status
    post now carries additive commitSha + pullRequestUrl fields so the
    orchestration layer can correlate CI completion events to the session's pushed
    head. The development prompt contract is redefined: WORK_RESULT:passed means
    local verification green (tests/typecheck/lint) + branch pushed + PR open —
    remote CI is explicitly excluded. Additive wire fields; old consumers ignore
    them.

Security

  • Machine-token claim link moves the token to the URL fragment. The dashboard
    claim link printed on daemon install now carries the token in the URL fragment
    (<dashboard>/claim#token=…) instead of a query string, keeping the secret out
    of server access logs, proxy logs, and Referer headers. Requires the paired
    dashboard release that serves the /claim fragment-exchange page.

Fixes

  • Daemon runtime-token churn is now quiet. A proactive token refresher
    re-mints the runtime JWT before expiry; refreshes fan fresh credentials to both
    the heartbeat and poll loops; daemon run rotates daemon.log / daemon-error.log
    at 10 MiB at boot and every 6h.
  • Activity toolOutput truncation no longer drops trailing PR URLs. The
    forwarded tool-output cap is raised 500 → 2000 chars with middle-elision
    truncation (head + tail survive), and is now overridable per poster.
  • arch assess explains diff-fetch degrades. When the GitHub CLI is missing
    (or the PR diff fetch fails), the metadata-only fallback now prints why to
    stderr instead of silently emitting zero observations.

Changes

  • Arch-drift seam is contract-only. Removed the LaneAdapter reference
    implementation from afclient/codeintel — the execution layer ships the
    ModelAdapter interface, request/response types, and DriftVerdictSchema only.
  • Governor queue legacy dual-write/dual-read removed. Enqueue writes only
    the canonical donmai:governor:queue key; Peek no longer falls back to the
    legacy key.

Plus a large source-hygiene sweep, provider routing/MCP-bridge fixes, sigstore
auto-update verification, and SHA-pinned third-party CI actions.