v2.4.0 — M10 post-audit hardening
M10 — post-audit hardening. The follow-up to a full post-v2.3.0 repository audit: correctness, security, and documentation hardening. No breaking changes, no new user-facing features.
🔒 Security
- Installer tar-slip guard (#129).
setup.sh/setup.ps1now refuse any symlink/hardlink entry in a downloaded bundle before extracting — defeating a path-escape via a malicious link target — and the guard runs even under--no-verify.
🐛 Fixed
- UTF-8 stdio on Windows (#128). Every CLI tool forces UTF-8 on stdout/stderr, so non-ASCII output no longer mojibakes and the central self-lint no longer crashes on a
cp1252console. - Defensive hardening of latent edge cases (#131). Fail-safe guards in
risk_score,cleanup_installer, andeados_lint(gate-coverage), plus clean errors instead of tracebacks on bad input across thedoctor/eados/phase_runner/traceability/rfc_checkCLIs. - Docs accuracy sweep (#130). SECURITY.md version, a 404
USAGE.mdlink in the translated READMEs, thecontributionOS-spec index row, the RFC roadmap pointer (M1→M9), and thetemplates/.githubsummary.
📝 Changed
- ADR-0009 addendum (#132). Records that generated-repo profile CI actions stay version-tag-pinned (Dependabot-managed) by design — an apparent inconsistency surfaced on re-audit, not a design gap.
Full detail in CHANGELOG.md. The factory bundle, SHA256SUMS, and the setup.* installers attach automatically when this release is published.