
nSelf CLI v1.0.14


@acamarata acamarata released this 03 May 16:59
· 108 commits to main since this release

Channel: stable

Changelog

[Unreleased] — v1.0.14

P98 Batch 1. Performance hardening and operational documentation.

Added

  • Redis connection-pool tuning (P98-T01). REDIS_POOL_SIZE, REDIS_MIN_IDLE, REDIS_CONNECT_TIMEOUT_MS, REDIS_READ_TIMEOUT_MS, REDIS_WRITE_TIMEOUT_MS env vars. Pool defaults to runtime.NumCPU() * 2 with a min-idle of 2. Backoff on failed pool acquisition. Docs: [[operations/redis-tuning]].
  • MeiliSearch index warm-up (P98-T02). MEILISEARCH_WARMUP_ENABLED + MEILISEARCH_WARMUP_INDEXES env vars. Warm-up runs on nself start after service health check passes; re-runs on config change detected by the watchdog. Docs: [[operations/meilisearch-warmup]].
  • JWT key rotation operations page (P98-T03). Documents the zero-downtime dual-key rotation flow (already shipped v1.0.10). Includes env var reference, rotation runbook, and rollback steps. Docs: [[operations/jwt-rotation]].
  • docker-compose.yml header audit (P98-T05). 108 generated compose files across the ecosystem now carry the # GENERATED BY nself build — DO NOT HAND EDIT header. nSelf-First Doctrine CI gate enforces this on every PR.
  • SPORT F02 sync — pentest-kit (P98-T06). nself pentest-kit added to the command inventory (F02-COMMAND-INVENTORY.md). Command count: 83.
  • Bus-factor D9 backup-admin deferrals (P98-T07). D9 deferred for 9 external accounts (Apple Developer, Google Play, LiveKit, HubSpot, Email-on-Acid, GitHub Sponsors). Documented in bus-factor.md with deferred-until date and re-evaluation trigger.

Notes

  • No new CLI commands added to the binary in this batch (pentest-kit existed; F02 was stale).
  • No version bump yet. v1.0.14 tag pending user approval.

Added (Batch 2)

  • Hasura metadata backup cron (P98-T13). Daily 02:00 UTC backup via cli/internal/backup/hasura_metadata.go and cli/internal/maintenance/hasura_metadata_cron.go. Systemd timer + macOS LaunchDaemon (TZ=UTC enforced). New BACKUP-METADATA-01 doctor check in --deep. File mode 0600. Docs: [[operations/hasura-metadata-backup]].
  • SSRF guard partial — claw DNS-rebinding hotfix (P98-T12 partial). Closes a TOCTOU bug in claw browser client. Multi-service migration to a unified shared SSRF package (notify, mux, browser, ai) deferred to v1.1.0 per Opus CR-C findings.
  • JWT key rotation hardening (P98-T11 fixes from CR-C). 11 follow-on fixes from the security review: flock(2) on rotation log to prevent concurrent races, XDG_STATE_HOME fallback for log path, --to-file and --no-print flags on nself self-heal --jwt, escalate-to-fail in JWT-ROT-01 doctor check, tighter dir perms (0700), strconv.Atoi for env parsing. 14 new tests covering concurrency, crypto round-trip, dry-run, error paths.
  • Multi-tenant convention wall — web docs (P98-T08). web/docs/src/content/multi-tenancy/conventions.mdx documents the source_account_id (multi-app) vs tenant_id (Cloud) distinction with a decision tree. Companion to the PERM-RLS-01 doctor check.
  • AGPL/SSPL warn-gate uniform across 5 repos (P98-T04). Workflows standardized in cli, plugins (license-gate.yml), plugins-pro, admin (license-gate.yml), web. All warn-only through 2026-05-20 triage window, then flips to fail-PR.
  • Bus-factor D9 deferrals (P98-T05). 9 critical vendor accounts marked DEFERRED to P99 per the D9 escape hatch, awaiting user backup-admin nominations.
  • Secondary-domain Namecheap verification (P98-T07). clawde.io / clawde.net / claw-de.com confirmed registered at Namecheap (expiry 2027-02-16). Transfer-lock OFF flagged to user as T1-28.
  • CLI gap catalog T1 mappings (P98-T02). G-001..G-008 in nself-first-cli-gaps.md now have explicit T1 user-decision blocks (T1-23..T1-26).

Changed (Batch 2)

  • ntask now nSelf-First (P98-T14). The ntask/ reference app no longer uses docker-compose up directly. make up and make down delegate to nself start / nself stop. The D6 "any-stack" exception is superseded.
  • Compose audit doc reconciled (P98-T01 follow-up). The 130-file ecosystem inventory at .claude/docs/doctrines/nself-first-compose-audit.md had per-category counts corrected.

Security (Batch 2)

  • claw DNS-rebinding TOCTOU closed (P98-T12 hotfix). The claw browser http.Client now uses a Transport with DialContext that re-validates resolved IPs at dial time, blocking RFC1918, link-local, loopback, and metadata IPs.
  • Doctor SSRF-01 honesty fix. The check no longer passes vacuously on file-stat alone. It now verifies guard packages reference DialContext and IsBlockedIP-style guard symbols. Three states: PASS, WARN, FAIL.
  • Secret-scrub runbook published. .claude/docs/operations/secret-scrub-runbook.md documents triage, rotation, and (when authorized) git-history scrub procedures. Cross-references bus-factor and destructive-deny-list rules.
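A worked illustration of the dial-time re-validation described in the claw DNS-rebinding hotfix above, written here as an added example and not taken from nself's own SSRF package. It assumes a plain net/http client; the names IsBlockedIP, SafeDialContext and NewGuardedClient are hypothetical, and main() uses a constructed loopback target.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"time"
)

// IsBlockedIP rejects RFC1918/ULA private ranges, loopback, link-local (which
// includes the 169.254.169.254 cloud metadata address), multicast and
// unspecified addresses; the net.IP helpers normalise IPv4-mapped IPv6 forms.
func IsBlockedIP(ip net.IP) bool {
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// SafeDialContext is the http.Transport DialContext hook: it resolves the host
// itself, refuses to dial if any answer is blocked, and then dials the vetted
// IP literal instead of the hostname, so no second lookup can return a
// different (internal) address between the check and the connect.
func SafeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	for _, ip := range ips {
		if IsBlockedIP(ip.IP) {
			return nil, fmt.Errorf("ssrf guard: %s resolves to blocked address %s", host, ip.IP)
		}
	}
	d := &net.Dialer{Timeout: 10 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// NewGuardedClient installs the hook so every connection, including those made
// while following redirects, goes through the guard.
func NewGuardedClient() *http.Client {
	return &http.Client{Transport: &http.Transport{DialContext: SafeDialContext}, Timeout: 30 * time.Second}
}

func main() {
	_, err := NewGuardedClient().Get("http://127.0.0.1:1/") // constructed loopback target
	fmt.Println(err)
}
```

Checking the hostname before the request and then letting the transport resolve it again is exactly the window the hotfix closes; doing the lookup inside DialContext removes that window for the first hop and every redirect.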

Notes (Batch 2)

  • 02.T11 CRIT-1 (JWT dual-key grace period not implemented in code despite documentation) is escalated to T1-27. User must choose: implement real JWKS dual-key support (defer to v1.1.0) or strip grace-period language from code and docs (XS effort, ship-ready).
  • 02.T12 multi-service SSRF migration captured in .claude/ideas/p99-ssrf-shared-migration.md for v1.1.0.
  • 8 qa/bugs closed by the STORM rigor pass on 2026-04-30: BUG-16dd1758, BUG-52c481a1, Chain-fcc4ef6e, chain-50e9faf5, Chain-48771a51, admin-lockstep-drift, og-package-untracked, trivy-action-kev-cve.

Commits since previous release

  • fix(scripts): replace unsupported gh api -w/--timeout flags in admin-merge.sh (fccd8e6)
  • feat(P98): CI green rate fixes, doctor checks, JWT rotation, Hasura backup, SDK scaffolding (110498c)
  • fix(version): bump .github/VERSION to 1.0.13 (#79) (a336d5f)

Install

brew install nself-org/nself/nself
# or download a tarball below for your platform

Verify (Sigstore keyless)

cosign verify-blob \
  --bundle <tarball>.tar.gz.sig \
  --certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.0.14$' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  <tarball>.tar.gz

Full signing + verification details: release-signing.md

Artifacts

  • Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
  • checksums.txt — SHA-256 of all tarballs
  • sbom.spdx.json + per-tarball SBOMs — SPDX software bill of materials
  • provenance.intoto.jsonl — SLSA v1.0 provenance attestation
  • *.sig — Sigstore cosign signature bundles for every artifact above