
Releases: foobarto/glorbo

v0.28.6

21 Jun 15:30
Immutable release. Only release title and notes can be modified.
v0.28.6
ba6d5d5

What's Changed

  • Release v0.28.6 — fix exqlite NIF (real fix: clean _build + musl-NIF CI guard) by @foobarto in #91

Full Changelog: v0.28.5...v0.28.6

v0.28.5

21 Jun 12:21
v0.28.5
3f12808

Pre-release

⚠️ Broken — do not install. The bundled SQLite NIF (exqlite) fails to load (Exqlite.Sqlite3NIF is not available), so the binary won't start. Superseded by v0.28.6. Marked pre-release.

What's Changed

  • Release v0.28.5 — exqlite musl-NIF startup fix + landing-page CDN pin by @foobarto in #90

Full Changelog: v0.28.4...v0.28.5

v0.28.4

18 Jun 19:03
v0.28.4
652885b

What's Changed

  • Reject non-scalar memory frontmatter before write (codex L94) by @foobarto in #88
  • chore(release): cut v0.28.4 by @foobarto in #89

Full Changelog: v0.28.3...v0.28.4

v0.28.3

18 Jun 17:54
v0.28.3
49b166d

Full Changelog: v0.28.2...v0.28.3

v0.28.2

16 Jun 17:32
v0.28.2
e7903b7

What's Changed

  • fix(channels): stamp write-time provenance for trusted badges (codex L45) by @foobarto in #81
  • chore(release): cut v0.28.2 by @foobarto in #82

Full Changelog: v0.28.1...v0.28.2

v0.28.1

15 Jun 15:40
v0.28.1
1d5aeef

What's Changed

  • fix(ollama): managers survive abnormal child exits + reject newline model names (GEP-67) by @foobarto in #76
  • fix(security): reserve director slug + restore staging 0700 (codex L57/L118) by @foobarto in #78
  • fix(release): rebase + retry Homebrew tap push on shared-tap race by @foobarto in #79
  • fix(security): chmod providers.toml 0600 on Enable append (codex L3) by @foobarto in #77
  • chore(release): cut v0.28.1 by @foobarto in #80

Full Changelog: v0.28.0...v0.28.1

v0.28.0

15 Jun 00:59
v0.28.0
04970ee

What's Changed

  • Release v0.28.0 — chat-drawer channel switching + Ollama local-model backend (GEP-67 Phases 1–3 + knobs) by @foobarto in #75

Full Changelog: v0.27.1...v0.28.0

v0.27.1

14 Jun 17:34
v0.27.1
fcf49ca

What's Changed

  • Release v0.27.1 — browser-UAT bug fixes + embedder hardening by @foobarto in #74

Full Changelog: v0.27.0...v0.27.1

v0.27.0

14 Jun 11:41
v0.27.0
5064407

What's Changed

  • fix(security): resolve code-scanning alerts (nav guard + pinned npm) by @foobarto in #51
  • ci: run tests on PRs, builds on tags only by @foobarto in #53
  • feat(geps): implement GEPs 0056-0059 (odysseus cross-pollination) by @foobarto in #52
  • fix(lifecycle): recover from orphaned EPMD registration after a crash by @foobarto in #54
  • feat(config): consolidate provider config + credentials under ~/.config/glorbo (GEP-61) by @foobarto in #55
  • feat(lifecycle): multi-instance support via per-instance node identity (GEP-62) by @foobarto in #57
  • docs: drift quality pass — version, toolchain, GEP-61 paths by @foobarto in #56
  • test(web): close 11 E2E coverage gaps found in browser UAT sweep by @foobarto in #58
  • feat(goals): goal/v1 files as the canonical goal store (GEP-63) by @foobarto in #59
  • docs(workflow): strict rule — keep the GEP in lockstep with the code by @foobarto in #60
  • docs(gep): flip 8 stale GEP statuses to Implemented (status-drift sweep) by @foobarto in #61
  • docs: reconcile DESIGN/README/moduledocs with shipped code by @foobarto in #62
  • fix(review): require a reason for block/revise peer-review verdicts (GEP-41) by @foobarto in #65
  • docs(gep): GEPs for the 4 orphaned subsystems (backup/restore, e-stop, ops) by @foobarto in #64
  • feat(actions): Actions.Tasks.move/4 — kanban status flips through the single write channel (GEP-36) by @foobarto in #66
  • feat(memory): persist the semantic-recall opt-in to disk (GEP-3/GEP-58) by @foobarto in #69
  • fix(security): restore the GLORBO_CREDENTIALS_DIR absolute/no-.. guard (GEP-61) by @foobarto in #68
  • feat(validate): implement the GEP-25 :type_filename_mismatch check by @foobarto in #67
  • docs(gep): append Implementation-reconciliation notes to 39 drifted GEPs by @foobarto in #63
  • fix(file-spec): peer-review sentinels no longer shadowed by InboxMessageMd (GEP-42) by @foobarto in #70
  • feat(validate): implement GEP-47 task.dependency_missing validator finding by @foobarto in #71
  • docs(session): 2026-06-14 GEP↔code gap-implementation log by @foobarto in #72
  • Release v0.27.0 — atomic-distro config fix (GEP-0060) + reconciliation batch by @foobarto in #73

Full Changelog: v0.26.0...v0.27.0

v0.26.0

12 Jun 16:15
v0.26.0
9b51344

[0.26.0] — 2026-06-12

Security

  • Snyk Code (SAST) workflow (.github/workflows/snyk-security.yml).
    Runs Snyk Code over the JavaScript surface (assets/js + scripts/)
    and uploads SARIF to Security → Code scanning. Report-only and
    SNYK_TOKEN-guarded (green no-op without the secret); all actions
    SHA-pinned per repo policy. Snyk Code can't read Elixir, so Sobelow
    stays the Elixir/Phoenix SAST; no container/IaC steps (Glorbo ships no
    Dockerfile). Replaces the broken GitHub sample template.

  • HTTP-client stack advisories — mint → 1.9.0, req → 0.6.1 (OSV /
    OpenSSF Scorecard). Six EEF advisories flagged against mix.lock,
    all in transitive dependencies (burrito → req → finch → mint) — none
    in Glorbo's own code, which does not call mint/req/finch directly on
    this release line:

    • mint < 1.9.0: HTTP/1 request-line CRLF injection
      (EEF-CVE-2026-48861), HTTP/1 response smuggling via lenient
      Content-Length parsing (EEF-CVE-2026-49753), unbounded HTTP/2
      PUSH_PROMISE growth (EEF-CVE-2026-48862), and an HTTP/2
      CONTINUATION flood (EEF-CVE-2026-49754) — all fixed in 1.9.0.
    • req < 0.6.1: decompression-bomb DoS via auto-decoded
      compressed/archive bodies (EEF-CVE-2026-49755, fixed 0.6.1) and
      multipart header injection via unescaped name/filename/content_type
      (EEF-CVE-2026-49756, fixed 0.6.0).

    Explicit floor pins {:mint, "~> 1.9"} and {:req, ">= 0.6.1"} added
    to mix.exs (finch only requires mint ~> 1.8 and burrito only
    req >= 0.5.0, both of which still admit the vulnerable versions).
    mix deps.audit clean.

  • GEP-0055 inference-proxy hardening (PR #47 review — codex +
    Copilot): three fixes to Glorbo.OpenAIProxy, all on the sandbox
    egress path:

    • Inbound headers are no longer forwarded upstream. The shape
      adapters passed the inbound header map straight through, so the real
      provider received the proxy's loopback Host (misroute / CDN
      rejection) and — for Anthropic (adds x-api-key, never overwrites
      authorization) and Gemini (query-param auth, no-op attach_auth) —
      the per-dispatch proxy bearer token leaked upstream via the inbound
      Authorization. translate_request/2 now returns an empty
      allowlist; auth/host/content-type come from attach_auth/2 + Req.
    • 16 KiB header cap enforced on the terminated path. A complete
      header block arriving in one read (terminator already present)
      bypassed the cap; oversized heads now fail closed :head_too_large.
    • Socket-ownership race removed. The handler now waits for an
      explicit hand-off before touching the socket, eliminating the
      controlling_process/2 race that yielded intermittent :not_owner.
      Regression tests added (per-shape allowlist, oversized-header
      rejection, no-leak assertions on the round trip).
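The terminated-path cap bypass above, as an added illustration that is not Glorbo's code: a header reader whose first-read fast path skips the cap, beside the version that routes every read through one capped loop. HeadCapDemo, the 16 KiB cap value and the chunk list standing in for socket reads are all assumptions.

```elixir
defmodule HeadCapDemo do
  # Assumed cap and terminator; chunks is a list of binaries standing in for
  # successive socket reads.
  @max_head 16 * 1024
  @terminator "\r\n\r\n"

  # Shared accumulate loop: the cap is applied to every buffer, and when the
  # terminator is present the head length (up to and including it) is what
  # gets compared, so trailing body bytes are not counted against the head.
  defp accumulate([], _acc), do: {:error, :closed}

  defp accumulate([chunk | rest], acc) do
    acc = acc <> chunk

    case :binary.match(acc, @terminator) do
      {pos, len} when pos + len > @max_head -> {:error, :head_too_large}
      {pos, len} -> {:ok, binary_part(acc, 0, pos + len)}
      :nomatch when byte_size(acc) > @max_head -> {:error, :head_too_large}
      :nomatch -> accumulate(rest, acc)
    end
  end

  # Buggy shape: a first read that already holds the terminator takes a fast
  # path straight to the parser, so only reads that needed accumulating are
  # ever measured against the cap.
  def read_head_buggy([]), do: {:error, :closed}

  def read_head_buggy([first | rest]) do
    case :binary.match(first, @terminator) do
      {pos, len} -> {:ok, binary_part(first, 0, pos + len)}
      :nomatch -> accumulate(rest, first)
    end
  end

  # Fixed shape: every read, complete or not, goes through the capped loop.
  def read_head_fixed(chunks), do: accumulate(chunks, "")
end

# Constructed input: a complete 20 KiB header block delivered in one read.
big =
  "GET /v1/chat/completions HTTP/1.1\r\nX-Pad: " <>
    String.duplicate("a", 20 * 1024) <> "\r\n\r\n"

{:ok, _} = HeadCapDemo.read_head_buggy([big])
{:error, :head_too_large} = HeadCapDemo.read_head_fixed([big])
IO.puts("oversized head: buggy path accepted it, fixed path failed closed")
```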

Fixed

  • DM channel creation race + symlink follow (PR #42 review,
    Copilot): Glorbo.Actions.ensure_dm_channel/3 used a non-atomic
    exists? + write, letting two near-simultaneous first posts clobber
    a thread back to its header, and never lstat-gated the path. Now an
    O_CREAT|O_EXCL exclusive create (:eexist = idempotent success)
    behind the M03 AgentWritableFile guard.
  • Zero-rounds PBKDF2 hash accepted as CONFIGURED (PR #42 review,
    Codex P2): a hand-edited/torn $pbkdf2-…$0$… value passed the
    structural check and would hang/crash /login inside
    Pbkdf2.verify_pass/2. The rounds segment now requires a positive
    integer with no leading zero; bad values fail closed as DEGRADED.
  • Symlinked-path file opens mislabeled as "not found" (Elixir 1.20
    warning audit): GlorboWeb.AgentLive.read_workspace_file/2 dropped
    :symlink_in_path from its error pass-through, so opening a file
    through a symlinked directory surfaced "File no longer exists."
    instead of the symlink-refusal message. The H10 symlink enforcement
    was never affected — only the error label. Regression test added.
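The zero-rounds check above, as an added illustration that is not Glorbo's code: the before and after structural checks for a $pbkdf2-<digest>$<rounds>$<salt>$<hash> value. DirectorHashCheck, the :configured/:degraded atoms and the sample values are assumptions.

```elixir
defmodule DirectorHashCheck do
  # Assumed layout of the stored value: $pbkdf2-<digest>$<rounds>$<salt>$<hash>
  # :configured / :degraded stand in for the CONFIGURED / DEGRADED states.

  # Before: any four-segment value with the pbkdf2 prefix passes, so a torn
  # "$pbkdf2-sha512$0$..." string reaches the verifier at login.
  def status_before(hash) when is_binary(hash) do
    case String.split(hash, "$") do
      ["", "pbkdf2-" <> _digest, _rounds, _salt, _hash] -> :configured
      _ -> :degraded
    end
  end

  # After: the rounds segment must be non-empty ASCII digits not starting
  # with "0" (so "0", "007" and "" are all rejected); anything else fails
  # closed as :degraded and the verifier is never called.
  def status_after(hash) when is_binary(hash) do
    case String.split(hash, "$") do
      ["", "pbkdf2-" <> _digest, rounds, salt, hash_part]
      when salt != "" and hash_part != "" ->
        if positive_rounds?(rounds), do: :configured, else: :degraded

      _ ->
        :degraded
    end
  end

  defp positive_rounds?(<<first, _::binary>> = rounds) when first in ?1..?9 do
    rounds |> String.to_charlist() |> Enum.all?(&(&1 in ?0..?9))
  end

  defp positive_rounds?(_), do: false
end

# Constructed values, not real hashes.
good = "$pbkdf2-sha512$160000$c2FsdHNhbHQ$aGFzaGhhc2g"
torn = "$pbkdf2-sha512$0$c2FsdHNhbHQ$aGFzaGhhc2g"
:configured = DirectorHashCheck.status_before(torn)
:degraded = DirectorHashCheck.status_after(torn)
:configured = DirectorHashCheck.status_after(good)
:degraded = DirectorHashCheck.status_after("$pbkdf2-sha512$007$x$y")
```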

Changed

  • Toolchain → Elixir 1.20.1 + OTP 29.0.2 (latest stable, up from
    1.19.5 / 28.5). Elixir 1.20's set-theoretic type checker surfaced 36
    own-code warnings, all driven to zero (22 dead-code removals, 1 real
    bug fixed [above], 13 defensive-net cases preserved); 15 deprecated
    File.stream!(path, [], :line) sites updated to the :line-second
    arg order. OTP 28.5 → 29.0.2 lands now that Beam Machine publishes
    29.0.2 ERTS for every Burrito target (linux x86_64/aarch64 + macOS
    universal), so the release build resolves; supersedes the interim
    28.5.0.1 CI pin.

  • Dependency bumps (folded from dependabot PRs #43/#44):
    earmark 1.4.49, phoenix_live_view 1.1.31, yaml_elixir 2.12.2,
    thousand_island 1.5.0 (transitive); GitHub Actions pins
    actions/checkout v6.0.3 and github/codeql-action v4.36.1.

  • Latest in-range dependency bumps: phoenix 1.8.7 → 1.8.8,
    phoenix_live_view 1.1.31 → 1.2.1, bandit 1.11.1 → 1.12.0, credo
    1.7.18 → 1.7.19. All within existing ~> constraints; mix precommit
    green. Folds dependabot #46 (bandit + credo, already covered above)
    and #45 (github/codeql-action v4.36.1 → v4.36.2 in scorecard.yml).

Added

  • In-process inference proxy for sandboxed agents (GEP-0055, slices
    1–4a).
    New Glorbo.OpenAIProxy — a per-company loopback listener
    that lets auth = "via_proxy" native providers keep their real API
    keys on the host: the sandbox only ever sees a per-dispatch token
    (GLORBO_PROXY_TOKEN) and a loopback base URL
    (OPENAI_BASE_URL/GLORBO_PROXY_BASE_URL); the proxy reads the
    upstream key from the host env var named by the new api_key_env
    provider field at request time and forwards the call. Includes the
    multi-shape Glorbo.OpenAIProxy.Shape behaviour (OpenAI v1,
    Anthropic Messages, Gemini routing), per-dispatch token mint/revoke
    in dispatch, a second pasta -T port forward so the netns admits
    the listener, a token-company cross-check + provider-auth check at
    the listener, and via_proxy support in the native harness and the
    model catalog. Not yet included (future slices): SSE streaming,
    Gemini request translation, claude-code settings.json injection,
    audit rows, and the usage.json write. CLI providers cannot opt in
    yet — the loader restricts via_proxy to kind = "native" until
    the per-CLI injection slice lands.

What's Changed

  • fix(security): codex deep-dive follow-up — 5 findings + flake (bundled) by @foobarto in #33
  • fix(security): codex + gemini round-2 deep-dive — 6 hardening fixes (bundled) by @foobarto in #34
  • fix(security): codex + gemini round-3 deep-dive — 8 hardening fixes (bundled) by @foobarto in #35
  • fix(security): codex + gemini round-4 deep-dive — 10 hardening fixes (bundled) by @foobarto in #36
  • fix(security): codex + gemini round-5 deep-dive — 12 hardening fixes (bundled) by @foobarto in #37
  • fix(security): codex + gemini round-6 deep-dive — 10 hardening fixes (bundled) by @foobarto in #38
  • chore(deps): bump Elixir 1.18.4 → 1.19.5 + OTP 28.0.2 → 28.5 by @foobarto in #39
  • ci: bump the github-actions group with 8 updates by @dependabot[bot] in #40
  • deps: bump the hex-minor-patch group with 8 updates by @dependabot[bot] in #41
  • v0.25.0 — director auth, paperclip import, minimax, 6 security rounds, Elixir 1.19 by @foobarto in #42
  • fix(deps): mint 1.9.0 + req 0.6.1 — six EEF-CVE HTTP-stack advisories by @foobarto in #48
  • Add Snyk Security analysis workflow by @foobarto in #49
  • Elixir 1.20.1 + OTP 29.0.2 (zero-warning) + GEP-0055 inference proxy by @foobarto in #47
  • chore(release): v0.26.0 by @foobarto in #50

Full Changelog: v0.25.0...v0.26.0