v0.10.0 — Security hardening + opt-in cloud models
v0.10.0 is a security-critical release: repo-wide hardening, opt-in cloud models behind an explicit consent boundary, richer workflow skills, and UI polish. Local-first by default — nothing leaves your machine unless you opt into a cloud model and consent per session.
Security hardening
- Command-classifier read-path tightened: path-qualified executables, non-benign
gitglobals, andpytestnow require approval; reader execs honor the workspace boundary and sensitive-read gates. - Terminal output sanitized for control/ANSI sequences at every sink; model-controlled fields (plan goal/steps) sanitized.
- Two-tier egress/safety config invariant: structural keys (
model.options,skills.enabled) are config-file-only; egress/safety keys (tools.web,model.base_url,runtime.security_profile,model.allow_cloud) are high-stakes — settable viaconfig.tomlor a confirm-gated/config set, never via an env var. - Project
AGENTS.mdgated behind trust-on-first-use (re-prompts on content change). - DNS-rebinding SSRF defence in
web_fetch(resolve-and-validate every address, every redirect hop). - Model + web egress redaction and audit at the chokepoints; session and audit-log files created at mode
0600.
Opt-in cloud models
- Off by default behind
[model] allow_cloud. A per-session consent gate states plainly what leaves the device; fail-closed on non-TTY and whenallow_cloudis off — no egress without explicit consent. - An unmistakable active-cloud indicator (amber
☁ CLOUDstatus bar + amber model name +/statuslocality), harness-rendered and unspoofable;cloud_consent_grantedandmodel_requestaudit events.
Approvals & control
- Reject-and-steer: approval prompts are
[y]es / [e]dit / [n]o.[e]drops the proposed action without running it and feeds your instruction back to the model, which re-proposes a corrected action through the full classify→decide→approve gate. High-risk commands still require typing the literalrun. - The path shown at the approval gate is the resolved action path, so a model can't spoof an approval with a misleading argument.
Workflow skills
Four opt-in builtins via progressive disclosure (skill_read): debugging, verification, code-review, git-workflow.
UI / UX
- Redesigned boot banner (sectioned layout, commands + tips + workflow-skills + recent-sessions); streamlined one-key model picker.
- Persistent status bar pinned at the input:
dir · model · profile · locality + ctx%. - Approval diffs reveal with a bounded scrolling animation; changed lines render as full-width red/green bars; long diffs window with a
… (+N more)footer. !<cmd>one-shot manual-shell escape;/config editwrites a commented starterconfig.tomlwhen none exists.
Validation
Phase gate green (ruff + ruff format + mypy --strict + 1157 tests); CI green on Python 3.11 and 3.14.
Next: v0.10.1 — a full-screen TUI input dock (framed input box, queueable input, completion-menu integration).