Node v0.1.0-alpha.5 — Polish + ops ergonomics
Pre-release
Pre-release
·
87 commits
to main
since this release
Polish + ops ergonomics on top of the alpha.4 security fix. No wire-format changes — files sealed by 0.1.0-alpha.4 decrypt cleanly on 0.1.0-alpha.5 and vice versa.
Added
sealed-env exec --file <path> -- <command>— decrypt the sealed file in memory and run a command with eachKEY=valueinjected into its environment. Plaintext never lands on disk. Forwards Ctrl+C, propagates exit code. Replaces the fragiledecrypt > .env && cmd && rm .envrecipe.sealed-env exec --file .env.sealed -- node server.js sealed-env exec --file .env.sealed -- npm start
sealed-env rotate <file>— re-seal with a fresh salt and nonce without changing any value. Invalidates any unseal token previously minted for this file. Use after suspected token leak, on a cadence, or after operator offboarding.sealed-env doctor [<file>]— non-destructive diagnostic that validates env vars + file + decrypt roundtrip without printing any secret values. Each env var reports byte length and a short SHA-256 fingerprint. Safe to paste into CI logs.- Shell-aware
MISSING_KEYerrors — when an env var is missing, the error includes the correct syntax for the user's shell (PowerShell, cmd, bash, Git Bash). Includes a note about the classic Windows footgun whereset X=Yin PowerShell creates a PS variable, not an env var.
Changed
qrcode-terminalis now lazy-loaded viacreateRequireonly wheninit --mode enterpriseactually renders a QR. Restores the "core has zero third-party imports" property forseal/unseal/decryptand all operational commands.- CI:
npm audit --audit-level=high --omit=devruns in Node CI. - Workflow
permissions:blocks added explicitly tonode-ci.ymlandnode-release.yml(CodeQL).
Fixed
- CodeQL: incomplete regex escaping in
init's.gitignoremembership check. Replaced regex with a Set lookup over trimmed lines.
Documentation
- THREAT_MODEL.md gained a new section ("Token-payload exposure") and matrix entry T13 documenting the
0.1.0-alpha.{1,2,3}JWS-payload TOTP-secret leak (GHSA-x3r2-fj3r-g5mv). Captures three lessons:- JWT/JWS payloads are public — signature attests to integrity, not confidentiality.
- Carry derived material in tokens, never raw secrets.
- Use negative regression assertions to surface design regressions.
Dependencies
bouncycastle1.78.1 → 1.84 (CVE-2026-5598 + CVE-2026-0636 — neither affects sealed-env code paths)assertj-core3.26.3 → 3.27.7 (CVE-2026-24400 — test-only, never called)
Full changelog: CHANGELOG.md