Skip to content

v0.10.0 — Security hardening + opt-in cloud models

Choose a tag to compare

@lavindeep lavindeep released this 25 Jun 18:52
4c1a68a

v0.10.0 is a security-critical release: repo-wide hardening, opt-in cloud models behind an explicit consent boundary, richer workflow skills, and UI polish. Local-first by default — nothing leaves your machine unless you opt into a cloud model and consent per session.

Security hardening

  • Command-classifier read-path tightened: path-qualified executables, non-benign git globals, and pytest now require approval; reader execs honor the workspace boundary and sensitive-read gates.
  • Terminal output sanitized for control/ANSI sequences at every sink; model-controlled fields (plan goal/steps) sanitized.
  • Two-tier egress/safety config invariant: structural keys (model.options, skills.enabled) are config-file-only; egress/safety keys (tools.web, model.base_url, runtime.security_profile, model.allow_cloud) are high-stakes — settable via config.toml or a confirm-gated /config set, never via an env var.
  • Project AGENTS.md gated behind trust-on-first-use (re-prompts on content change).
  • DNS-rebinding SSRF defence in web_fetch (resolve-and-validate every address, every redirect hop).
  • Model + web egress redaction and audit at the chokepoints; session and audit-log files created at mode 0600.

Opt-in cloud models

  • Off by default behind [model] allow_cloud. A per-session consent gate states plainly what leaves the device; fail-closed on non-TTY and when allow_cloud is off — no egress without explicit consent.
  • An unmistakable active-cloud indicator (amber ☁ CLOUD status bar + amber model name + /status locality), harness-rendered and unspoofable; cloud_consent_granted and model_request audit events.

Approvals & control

  • Reject-and-steer: approval prompts are [y]es / [e]dit / [n]o. [e] drops the proposed action without running it and feeds your instruction back to the model, which re-proposes a corrected action through the full classify→decide→approve gate. High-risk commands still require typing the literal run.
  • The path shown at the approval gate is the resolved action path, so a model can't spoof an approval with a misleading argument.

Workflow skills

Four opt-in builtins via progressive disclosure (skill_read): debugging, verification, code-review, git-workflow.

UI / UX

  • Redesigned boot banner (sectioned layout, commands + tips + workflow-skills + recent-sessions); streamlined one-key model picker.
  • Persistent status bar pinned at the input: dir · model · profile · locality + ctx%.
  • Approval diffs reveal with a bounded scrolling animation; changed lines render as full-width red/green bars; long diffs window with a … (+N more) footer.
  • !<cmd> one-shot manual-shell escape; /config edit writes a commented starter config.toml when none exists.

Validation

Phase gate green (ruff + ruff format + mypy --strict + 1157 tests); CI green on Python 3.11 and 3.14.

Next: v0.10.1 — a full-screen TUI input dock (framed input box, queueable input, completion-menu integration).