Release v0.8.0

Bifrost v0.8.0

This release is the supply-chain hardening cut: signed source releases, signed container images, hash-pinned Python deps, and OpenSSF Best Practices Baseline Level 1. It also closes two long-running E2E flakes (#101, #102) and migrates the backend from requirements.txt to pyproject.toml. 196 commits since v0.7.2.

Security & Supply-Chain Hardening

• Release artifacts are now signed with Sigstore/cosign keyless OIDC, plus a SLSA build-provenance attestation per release (#111). Verify with cosign verify-blob ... --bundle <asset>.sigstore — see the "Signed artifacts" section below.
• Published GHCR container images (ghcr.io/jackmusick/bifrost-api, bifrost-client) are also cosign-signed with keyless OIDC (#114).
• Earned OpenSSF Best Practices Baseline Level 1; badge added to README (#124).
• Pip dependencies are now hash-pinned (requirements.lock) so reproducible installs verify upstream signatures (#112), with remaining ad-hoc pip install calls in CI hardened the same way (#125).
• Transitive Python deps pinned to silence OSV-Scanner false positives and shrink the actual exposure window (#109).
• All GitHub Actions workflow tokens scoped to the minimum permissions Scorecard requires (#110); workflow_dispatch added to Scorecard + CodeQL so they can be re-run on demand (#108).
• New auto-merge driver for Dependabot PRs and an auto-regen workflow for requirements.lock on Dependabot bumps (#113).
• Docker base images pinned by digest, GHCR token permissions narrowed (#78).

Bug Fixes

• LocalBackend._resolve_path no longer admits sibling-prefix path traversal (/sandbox vs /sandbox_evil) — replaced the byte-level startswith check with Path.relative_to() (#80, closes CodeQL alerts #138–#142).
• py/log-injection sweep across the API: all user-controlled values funneled through log_safe() (#82, #98, #103).
• Persistent CodeQL findings closed: SSRF allowlist tightening, explicit Jinja autoescape, residual style cleanups (#85, #105).
• tarfile.extractall calls in tests now use filter='data' (Python 3.12+ tarslip defense-in-depth) (#81).
• Mechanical CodeQL cleanups: py/test-equals-none, unused imports, trivial conditionals (#97).
• Workflows now honor timeout_seconds=0 (disable timeout) as documented, instead of always applying the default (#27 by @MTG-Thomas).
• Narrower empty except clauses across the API + new debug logging at the previously-swallowed sites (#84).
• Readiness health probes added for K8s deployments (#37 by @MTG-Thomas).
• test.sh no longer races on stack readiness — waits for the API to actually serve traffic before declaring the test stack ready (#92, #104).

Reliability

• Closed two intermittent E2E flakes that were thrashing CI (#101 fail 5x / #102 fail 11x in the prior 48h) — root cause was test isolation, fixed via partial unique index on system_configs plus an autouse reset fixture (#122).
• Frontend test sweep: vitest coverage added for chat, integrations, events, jsx-app, agents, users, tables, roles surfaces.
• pyright / ruff / tsc / eslint are now CI gates with the preexisting backlog cleared.

Developer Experience

• Backend deps migrated from requirements.txt to pyproject.toml (#126). The legacy requirements.txt is gone; reproducible installs use requirements.lock (hash-pinned, generated from pyproject.toml). Editable installs: pip install -e . from api/.
• CI skips on more non-code path changes (markdown-only commits, plan docs, etc.) (#128).
• New developer skill: bifrost-documentation — automated docs screenshot pipeline for the integrations docs site (#96).
• New security skills: bifrost-secaudit and bifrost-secupdate for snapshotting / draining the GitHub Security tab (#75).
• CODEOWNERS narrowed to human-authored paths so generated/migration files don't trigger review noise (#88).

Features (carried forward from in-flight work)

• Deferred / scheduled workflow executions: schedule a workflow to run at a future time, cancel scheduled runs, plus UI for the schedule controls (DateTimePicker, Scheduled badge, Scheduled filter on history).
• Agent management M1: rebuilt FleetPage / AgentDetailPage / AgentTuneWorkbench, per-flag tuning conversations, dry-run impact pane, prompt version history, post-completion run summarization with cost tracking, summary backfill admin endpoint + UI.
• Forms: new multi_select field type.
• Embed: explicit hmac_scheme per secret (shopify | halopsa) (#23 by @sdc53).
• OAuth refresh-token exchange now sends the documented scope (#26 by @MTG-Thomas).

Contributors

External contributors whose PRs landed in this release — thank you!

• #23 by @sdc53 — embed: explicit hmac_scheme per secret
• #26 by @MTG-Thomas — fix missing OAuth scope on authorization-code and refresh-token exchanges
• #27 by @MTG-Thomas — fix(workflows): honor documented timeout range
• #37 by @MTG-Thomas — add readiness health probes

Fixed CVEs

The following CVEs / GHSAs were closed by dependency bumps in this release:

• aiohttp (>=3.13.4, then >=3.13.5) — closes ~20 CVEs including CVSS 9.1 request-smuggling and header-parsing issues (#106, #117).
• asyncpg (>=0.30.0, then >=0.31.0) — closes CVE-2024-25737 (RCE, CVSS 9.8) (#106, #116).
• GitPython (>=3.1.41, then >=3.1.47) — closes CVE-2023-40590 and CVE-2024-22190 (RCE-class, CVSS 9.8) plus 3 lower-severity GHSAs (#106, #118).
• python-multipart (>=0.0.26) — closes 3 DoS CVEs from malformed boundaries (#106).
• dompurify (^3.4.1 via overrides) — closes 8 medium-severity advisories (monaco-editor was pulling 3.2.7 transitively); also removed the unused @azure/static-web-apps-cli devDependency, which dropped 332 transitive packages and was the only remaining source of the open uuid (GHSA-w5hq-g745-h8pq) and tmp (GHSA-52f5-9888-hmc6) advisories (#123).
• webauthn (>=2.7.1) — pulled forward to current line (#52).
• mcp (>=1.27.0), fastmcp (>=3.2.4,<4) — pulled forward (#53, #55).
• Frontend Dependabot bumps: axios, vite, postcss, node-forge, follow-redirects, lodash, minimatch, dompurify interim bumps — multiple Dependabot security advisories closed via dep bumps; see commit log for the full list.
• GitHub Actions bumps (codeql-action v4, checkout v6, setup-node v6, codecov v6, docker/* family, softprops/action-gh-release v3, sigstore/cosign-installer v4, etc.) — pulls in upstream fixes.

Multiple additional Dependabot security advisories were closed via routine dep bumps; the full list is reachable via git log v0.7.2..v0.8.0 -- '**/requirements*.txt' '**/pyproject.toml' '**/package*.json'.

Breaking Changes

• requirements.txt removed. If you were installing the backend from requirements.txt (e.g. building from source for local dev outside Docker), switch to pip install -e . from the api/ directory, or pip install -r requirements.lock for a hash-verified install. Container image users are unaffected — the Dockerfile already uses the new flow (#126).

Docker Images

API:

docker pull jackmusick/bifrost-api:v0.8.0

Client:

docker pull jackmusick/bifrost-client:v0.8.0

Both images are cosign-signed (keyless OIDC). Verify with:

cosign verify ghcr.io/jackmusick/bifrost-api:v0.8.0 \
  --certificate-identity-regexp 'https://github\.com/jackmusick/bifrost/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Type Stubs for IDEs

Download bifrost.pyi from the assets below and place it in your workspace directory for IDE autocomplete and type checking support.

See DISTRIBUTION.md for instructions.

Signed Artifacts (Sigstore / cosign — keyless)

Each release asset has a matching .sigstore bundle (Sigstore's self-contained signature + Fulcio cert + Rekor inclusion proof, produced via keyless OIDC — no maintainer-held keys involved).

Verify with cosign (>= v2.4):

cosign verify-blob \
  --bundle bifrost-v0.8.0-source.tar.gz.sigstore \
  --certificate-identity-regexp 'https://github\.com/jackmusick/bifrost/.*' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  bifrost-v0.8.0-source.tar.gz

Verify the SLSA build provenance:

gh attestation verify bifrost-v0.8.0-source.tar.gz --owner jackmusick