v0.39.0
v0.39.0
⚠️ BREAKING — Kit installs now default to signed-by-allowlist
The daemon's kit trust gate no longer defaults to permissive. With no trust:
block in daemon.yaml, only kits whose sigstore signature verifies and whose
signer (Fulcio SAN) appears in trust.issuerSet will install. Unsigned or
unverified kits are rejected (HTTP 403) with an error spelling out every
remediation path. A signed-by-allowlist mode with an empty issuerSet
fail-closes installs (the kit surface stays readable) rather than silently
accepting any validly-signed kit.
Overrides for operators who knowingly accept unsigned-kit risk:
- Per install:
donmai kit install --allow-unsigned(audit-logged). - Globally:
trust.mode: permissiveindaemon.yaml, or
DONMAI_KIT_TRUST_MODE=permissive(logs a prominent warning per gated install).
Also fixed: SAN-only trust.issuerSet entries were dropped as malformed (so a
configured allowlist could never match) — entries now match the SAN exactly with
the OIDC issuer wildcarded; and a verifier construction failure now keeps the
configured trust mode (fail-closed) instead of downgrading to permissive. Closes
the "operator installs attacker kit → arbitrary shell execution" gap (CWE-494).
See daemon/README.md § "Kit install trust gate".
Features
- Durable CI wait — runner half. The runner captures the worktree's head
commit at envelope-build time intoResult.CommitSHA, and the terminal status
post now carries additivecommitSha+pullRequestUrlfields so the
orchestration layer can correlate CI completion events to the session's pushed
head. The development prompt contract is redefined:WORK_RESULT:passedmeans
local verification green (tests/typecheck/lint) + branch pushed + PR open —
remote CI is explicitly excluded. Additive wire fields; old consumers ignore
them.
Security
- Machine-token claim link moves the token to the URL fragment. The dashboard
claim link printed ondaemon installnow carries the token in the URL fragment
(<dashboard>/claim#token=…) instead of a query string, keeping the secret out
of server access logs, proxy logs, and Referer headers. Requires the paired
dashboard release that serves the/claimfragment-exchange page.
Fixes
- Daemon runtime-token churn is now quiet. A proactive token refresher
re-mints the runtime JWT before expiry; refreshes fan fresh credentials to both
the heartbeat and poll loops;daemon runrotatesdaemon.log/daemon-error.log
at 10 MiB at boot and every 6h. - Activity toolOutput truncation no longer drops trailing PR URLs. The
forwarded tool-output cap is raised 500 → 2000 chars with middle-elision
truncation (head + tail survive), and is now overridable per poster. arch assessexplains diff-fetch degrades. When the GitHub CLI is missing
(or the PR diff fetch fails), the metadata-only fallback now prints why to
stderr instead of silently emitting zero observations.
Changes
- Arch-drift seam is contract-only. Removed the
LaneAdapterreference
implementation fromafclient/codeintel— the execution layer ships the
ModelAdapterinterface, request/response types, andDriftVerdictSchemaonly. - Governor queue legacy dual-write/dual-read removed.
Enqueuewrites only
the canonicaldonmai:governor:queuekey;Peekno longer falls back to the
legacy key.
Plus a large source-hygiene sweep, provider routing/MCP-bridge fixes, sigstore
auto-update verification, and SHA-pinned third-party CI actions.