v0.8.6
v0.8.6 — security & correctness hardening
Remediation of the 2026-06-02 multi-agent roast (GitHub / crates.io / local code). No breaking API changes.
🔒 Security
- Credential read denylist — the read tools refuse
~/.ssh,~/.aws,~/.gnupg,~/.config/gcloud,~/.claudette/secrets, and*.pem/*.key/*.tokenfiles, so a prompt-injected model can't read keys to exfiltrate them (override:CLAUDETTE_ALLOW_SECRET_READS=1). - SSRF guard on
web_fetch— blocks loopback / RFC1918 / link-local targets incl. the169.254.169.254cloud-metadata endpoint, resolving hostnames too (override:CLAUDETTE_WEB_FETCH_ALLOW_PRIVATE=1). - Network egress now prompts by default (
web_fetch,tg_send), closing the silent read → exfiltrate chain.CLAUDETTE_AUTO_APPROVEstill passes them through. git_checkoutrejects--prefixed targets (option-injection).
🐛 Fixed
- CRLF / byte-boundary cluster (#26): correct byte offsets in codet fuzzy-match,
apply_patchpreserves the file's line endings (no more CRLF→LF whole-file diffs), and char-boundary-safe slicing in recall / doctor / URL-probe (no morepanic=abortcrashes on >8 KB multibyte input). - Forge brownfield (#23):
mission_submitaccepts an already-committed tree, making the clone → edit → PR happy-path satisfiable.
🔧 Internal
- Release pipeline is idempotent and the GitHub Release is decoupled from
cargo publish— a crates.io hiccup no longer silently drops the prebuilt binaries. cargo auditreplaces the deprecated Node-20 audit action.- crates.io metadata + README accuracy fixes;
bench/tui::typewriterscaffolds feature-gated.
Full details: CHANGELOG