v0.18.0

@airut-app airut-app released this 21 Mar 04:37
· 227 commits to main since this release
eee7a21

Highlights

GitHub App credential support — The proxy can now authenticate as a GitHub App instead of using classic PATs. It holds the App's RSA private key, generates JWTs, exchanges them for short-lived installation tokens (1-hour expiry), and caches/rotates them transparently. This closes an exfiltration vector where a sandboxed session could leak small amounts of data by creating repositories via the GraphQL API — encoding secrets in the repo name or other fields. App installation tokens lack the repository-creation scope, eliminating this channel entirely. Includes a new setup guide, server config template example, and updated git identity for commits authored by the App bot. (#320, #326, #328, #332)
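The caching and rotation step described above, as an added sketch that is not Airut's own code. The class and function names, the 5-minute refresh margin, and the injected `sign_jwt` and `exchange` callables are assumptions; RS256 signing with the App key and the HTTP call are left to the caller.

```python
import threading
import time
from dataclasses import dataclass

JWT_TTL = 540         # App JWT lifetime in seconds; GitHub caps exp at 10 minutes
CLOCK_SKEW = 60       # backdate iat to tolerate clock drift
REFRESH_MARGIN = 300  # assumption: rotate 5 minutes before the token expires


def app_jwt_claims(app_id, now):
    """Claims for the App JWT; the caller signs them (RS256) with the App key."""
    return {"iat": now - CLOCK_SKEW, "exp": now + JWT_TTL, "iss": str(app_id)}


@dataclass
class InstallationToken:
    value: str
    expires_at: float  # epoch seconds, parsed from the API's expires_at field


class InstallationTokenCache:
    """Hypothetical cache: hands out one installation token, rotating it early."""

    def __init__(self, app_id, sign_jwt, exchange, clock=time.time):
        # sign_jwt(claims) -> str and exchange(jwt) -> InstallationToken are
        # injected; in production exchange would POST the JWT as a Bearer token
        # to /app/installations/{installation_id}/access_tokens.
        self._app_id, self._sign_jwt, self._exchange = app_id, sign_jwt, exchange
        self._clock = clock
        self._token = None
        self._lock = threading.Lock()

    def get(self):
        with self._lock:
            now = self._clock()
            tok = self._token
            if tok is not None and tok.expires_at - now > REFRESH_MARGIN:
                return tok.value  # still fresh, no network call
            try:
                jwt = self._sign_jwt(app_jwt_claims(self._app_id, int(now)))
                self._token = self._exchange(jwt)
            except Exception:
                # Refresh failed: keep serving the old token only while it is
                # still valid; never hand out an expired credential.
                if tok is None or tok.expires_at <= now:
                    raise
            return self._token.value
```

Because the private key and the JWT never leave the proxy side of this cache, a sandboxed session only ever sees the short-lived installation token.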

Bug Fixes

  • SSL socket leak during IMAP shutdown — Fixed a leaked SSL socket when stop() interrupts an IMAP fetch mid-flight, plus socket leaks when login fails after a successful connection. (#333)
  • Duplicate prompt on actions page — Fixed a race condition where stale pending_request_text duplicated a completed reply's prompt during an active conversation. (#330)

Other Changes

  • Integration test stability — Fixed dashboard socket and event loop race leaks in integration tests. (#323, #327)
  • Documentation — Documented read:org scope requirement for classic PATs on org repos; added release notes guidance to sandbox-action workflow. (#324, #329)