v0.1.46-rc.3

Pre-release

@geoffbelknap geoffbelknap released this 10 Jun 07:35
· 334 commits to main since this release
e7d74d9

Release candidate for v0.1.46. Validated on all three backends against this exact commit: full local macOS portable + live release checks (Apple VF), hosted Linux Firecracker full E2E on KVM, and hosted Windows Hyper-V parity smokes — plus both live suites re-run green as automated gates on this tag.

Security

  • model pull verifies downloads against the upstream Hugging Face LFS digest and fails closed on mismatch, non-LFS files, or unresolvable digests.
  • debugfs requests (cp, artifacts get) are built from validated, quoted arguments instead of raw string concatenation; remote paths are validated in the copy layer.
  • OCI layer extraction rejects backslash path separators in entry names and link targets; the Windows symlink marker writes through the os.Root sandbox.
  • Host state files are now created 0600 (state dirs 0700) — workspace topology and runtime config are no longer readable by other local users.
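
The backslash rule from the OCI layer item above, as an added Go example that is not microagent's own code: a pre-extraction pass over a layer tar stream that rejects any entry whose name or link target contains a backslash. The names checkEntry, scanLayer and buildLayer are hypothetical, the sample entries are constructed, and the os.Root sandbox is not shown.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// checkEntry (hypothetical helper) rejects a backslash in the entry name or
// link target: Windows treats '\' as a separator, '/'-only checks do not.
func checkEntry(h *tar.Header) error {
	if strings.Contains(h.Name+h.Linkname, `\`) {
		return fmt.Errorf("backslash in entry: name %q, link target %q", h.Name, h.Linkname)
	}
	return nil
}

// scanLayer fails closed on the first bad header; n counts accepted entries.
func scanLayer(r io.Reader) (int, error) {
	tr := tar.NewReader(r)
	for n := 0; ; n++ {
		h, err := tr.Next()
		if err == io.EOF {
			return n, nil
		} else if err != nil {
			return n, err
		} else if err = checkEntry(h); err != nil {
			return n, err
		}
	}
}

// buildLayer packs constructed sample headers into an in-memory tar stream.
func buildLayer(hdrs ...tar.Header) io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for i := range hdrs {
		_ = tw.WriteHeader(&hdrs[i])
	}
	_ = tw.Close()
	return &buf
}

func main() {
	bad := tar.Header{Name: "lnk", Typeflag: tar.TypeSymlink, Linkname: `..\host`}
	fmt.Println(scanLayer(buildLayer(tar.Header{Name: "etc/app.conf"}, bad)))
}
```

Running the scan over the whole layer before writing anything means a rejected layer leaves no partially extracted files behind.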

Fixes

  • Firecracker user networking works on stock Ubuntu 24.04: pasta is invoked with a -- option terminator so older getopt-permuting releases don't choke on the supervisor's flags.
  • doctor runs a live CLONE_NEWUSER probe and reports user networking unavailable (with a remediation hint) on hosts where AppArmor blocks unprivileged user namespaces.
  • Secret-access audit and Hyper-V event-log appends report close errors instead of silently dropping records.

Breaking (Go library)

  • workspace.ExecWithMetadata now returns (ExecResult, ExecRetryMetadata, error) — error last, per Go convention. CLI and MCP behavior unchanged.

Internals & CI

  • Backend differences centralized in a declarative vmkit.BackendCapabilities table (unknown backends fail closed); dispatch errors preserve the error chain for errors.Is/As.
  • golangci-lint + actionlint enforced in CI; ~1,000 lines of dead code removed; package docs added; coverage collected on the Linux job.
  • Live Linux (full E2E) and Windows Hyper-V (parity smokes) suites run on GitHub-hosted runners nightly, on every release tag, and on demand.

Install with brew install geoffbelknap/tap/microagent-rc. See CHANGELOG.md for full details.