Skip to content

Releases: numikel/kprun

v0.4.1

Choose a tag to compare

@github-actions github-actions released this 09 Jul 18:27

Changelog v0.4.1

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.4.1] - 2026-07-09

Changed

  • Core refactored to insulate kprun-core from keepass types via owned newtypes
    (VaultKey, EntryHandle), preventing API churn breakage on future keepass
    version bumps.
  • Extracted shared keyring-attempt helper in unlock flow for DRY principle.

Fixed

  • DatabaseSaveError matching now handles structured enum variants instead of
    string matching, preventing silent error classification on keepass rewording.
  • VaultKey Debug trait redacted to prevent accidental plaintext password leaks
    in debug output (the wrapped keepass::DatabaseKey prints passwords as-is).

Security

  • Redacted VaultKey Debug impl prevents leaking master password through stray
    {:?} formatting in logs or panic messages.

Full commit list
  • refactor(core): insulate kprun-core from keepass types
  • fix(core): match structured DatabaseSaveError variants instead of string
  • refactor(core): extract shared keyring-attempt helper in unlock.rs
  • fix(core): redact VaultKey Debug impl instead of deriving it

v0.4.0

Choose a tag to compare

@github-actions github-actions released this 08 Jul 16:48

Changelog v0.4.0

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.4.0] - 2026-07-08

Added

  • Core utility function vault_id extracts a stable, non-identifying digest
    from the vault database path. Used internally for audit logging and OS
    keyring account naming.

Security

  • Audit log no longer records the vault path. The db field (full resolved
    path, which embedded the OS username on default installs) is replaced by
    db_id — the first 16 hex chars of the SHA-256 of the canonicalized db
    path, the same digest the OS keyring account name uses. Migration:
    consumers parsing db must switch to db_id. Lines written by older
    versions are left untouched; rotate or delete old logs if the embedded
    path matters to you.
  • Hardened MCP transport and Windows ACL enforcement to prevent unauthorized
    access to the vault via side-channel attacks.

Full commit list
  • fix(security): harden audit log, MCP transport, and Windows ACLs
  • fix(security): log non-identifying db_id instead of vault path
  • feat(core): extract shared vault_id derivation from db path
  • docs: enumerate audit record fields; note db_id migration

v0.3.1

Choose a tag to compare

@github-actions github-actions released this 07 Jul 22:38

Changelog v0.3.1

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.3.1] - 2026-07-07

Fixed

  • Security: block dangerous env var families by prefix (LD_*, DYLD_*,
    GIT_*, BASH_FUNC_*) in addition to exact-match blocklist, preventing
    injection of critical environment variables during kprun run (#49)
  • Security: resolve CodeQL code scanning alerts to eliminate potential
    security issues (#48)
  • kprun init now uses Argon2id with 64 MiB KDF parameters for improved vault
    security (#46)

Changed

  • Documentation clarified that Superpowers workflow skills (brainstorming,
    writing-plans, executing-plans) are invoked manually, not automatically
    chained (#47)

Full commit list
  • fix(security): block dangerous env var families by prefix (#49)
  • fix(security): resolve CodeQL code scanning alerts (#48)
  • fix(core): create vaults with Argon2id 64 MiB KDF (#46)
  • docs(claude): note manual superpowers workflow invocation (#47)
  • chore(deps): bump keyring from 4.1.2 to 4.1.4 (#45)
  • chore(deps): bump rand from 0.10.1 to 0.10.2 (#44)
  • chore(deps): bump keepass from 0.13.11 to 0.13.14 (#43)
  • chore(deps): bump taiki-e/install-action from 2.82.6 to 2.82.9 (#42)
  • chore(deps): bump dorny/paths-filter from 4.0.1 to 4.0.2 (#41)

v0.3.0

Choose a tag to compare

@github-actions github-actions released this 04 Jul 11:45

Changelog v0.3.0

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.3.0] - 2026-07-04

Added

  • kprun mcp — native stdio↔HTTP bridge for hosted MCP servers: vault-backed
    {{FIELD}} auth headers, Streamable HTTP with session management, automatic
    fallback to the deprecated HTTP+SSE transport (#25)
  • {{FIELD}} template substitution in vault entry fields (e.g. bearer tokens and custom headers)
  • Non-interactive vault unlock for automation (KPRUN_KEYFILE or OS keyring only; no stdin prompt)

Changed

  • README documents kprun mcp bridge, transport options (auto, streamable-http, sse), and client config examples
  • README documents kprun mcp caveats found during manual testing

Fixed

  • GET stream survives session re-init: shared session id with retry on 404 instead of exiting permanently
  • JSON-RPC: no duplicate -32603 error when an SSE stream errors after a result was already forwarded
  • SSE reader-thread failures log the underlying error to stderr instead of failing silently

Security

  • Bumped keepass to 0.13.11, pulling quick-xml 0.41.0 and fixing RUSTSEC-2026-0194
    and RUSTSEC-2026-0195 (high-severity memory-exhaustion DoS in NsReader)

Full commit list
  • fix(mcp): survive session re-init on GET stream
  • docs: fix --transport sse value in README
  • docs: document kprun mcp bridge
  • feat(mcp): legacy HTTP+SSE transport with auto fallback
  • feat(mcp): session re-init, error frames, GET stream
  • feat(mcp): add streamable HTTP bridge
  • test(mcp): add scriptable mock MCP HTTP server
  • feat(mcp): add shared SSE parser
  • feat(cli): add kprun mcp subcommand surface
  • feat(core): add non-interactive vault unlock
  • feat(core): add {{FIELD}} template substitution
  • docs(readme): add mcp caveats from manual test findings (#39)
  • chore(deps): bump keepass to 0.13.11 to fix quick-xml advisories (#40)

v0.2.4

Choose a tag to compare

@github-actions github-actions released this 27 Jun 22:22
e5bdf0f

Changelog v0.2.4

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.2.4] - 2026-06-28

Changed

  • README clarifies scripts and automation features

Fixed

  • Integration tests that spawn kprun with KPRUN_TEST_MASTER declare test-hooks as a required feature so cargo test --all skips them instead of hanging on stdin
  • Removed duplicate license-file from the kprun crate manifest; Cargo no longer warns about duplicated license metadata

Full commit list
  • docs: add CLAUDE.md with CI-aligned dev instructions
  • fix(test): require test-hooks for vault-unlock integration tests (#28)
  • fix(manifest): remove duplicate license-file (Fixes #24) (#27)
  • docs: update README to enhance clarity on scripts and automation features

v0.2.3

Choose a tag to compare

@github-actions github-actions released this 26 Jun 17:43

Changelog v0.2.3

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.2.3] - 2026-06-26

Added

  • README section on using kprun with OpenRouter coding agents

Changed

  • Unified vault unlock paths across run, doctor, and other commands (no CLI behavior change)
  • Consolidated CLI command boilerplate (run_command, mutate_vault, audit helpers)
  • Dotenv import parsing refactored to a state machine; core import logic moved to kprun-core
  • Removed unused internal APIs (database_mut, save_with_key, unsupported helper)
  • Integration and unit tests share common vault fixtures and helpers

Fixed

  • Legacy KDBX4.0 vaults are normalized before save, preventing save failures on older databases

Full commit list
  • refactor: code simplification phase 5 (import refactor)
  • refactor(core): extract apply_import from CLI import command
  • refactor(cli): replace dotenv import closure with state machine parser
  • refactor: code simplification phase 4 (unlock unification)
  • refactor(cli): use unlock_vault_readonly in doctor diagnostics
  • refactor(cli): use unlock_vault_readonly in run command
  • refactor(cli): simplify unlock_vault return type to 3-tuple
  • refactor: code simplification phase 3 (test consolidation + KDBX4 fix)
  • test: allow dead_code in shared integration test helpers
  • test: use common helpers in remaining integration tests
  • test: use common helpers in export_import integration tests
  • test: use common helpers in manage integration tests
  • test: add shared kprun_cmd, test_env, create_vault_with_entries
  • refactor(core): consolidate unit test vault fixtures
  • fix(core): normalize legacy KDBX4.0 before save
  • refactor: code simplification phase 2 (DRY CLI layer)
  • style(cli): apply rustfmt to import.rs
  • refactor(cli): add warn_secret_display and audit_access helpers
  • refactor(cli): add mutate_vault for RW commands
  • refactor(cli): migrate deinit to run_command
  • refactor(cli): migrate commands to run_command
  • refactor(cli): add run_command helper, migrate list
  • refactor: code simplification phase 1 (quick wins)
  • test: derive version assertion from CARGO_PKG_VERSION
  • refactor(cli): deduplicate build_database_key in unlock_vault
  • refactor(core): remove save_with_key alias, use save directly
  • refactor(core): remove unused secure_fs unsupported helper
  • refactor(core): remove unused database_mut
  • docs: add OpenRouter coding agents section to readme
  • chore: remove internal dev docs and agent configs from repo

v0.2.2

Choose a tag to compare

@github-actions github-actions released this 25 Jun 19:12

Changelog v0.2.2

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.2.2] - 2026-06-24

Added

  • Help descriptions for all CLI options and positional arguments (kprun <cmd> --help)
  • doctor --mcp <entry> -- <command> — append the MCP server command to get a complete JSON snippet instead of a placeholder ending at --
  • Dotenv import format documentation (kprun entry title comments; flat project .env migration example)
  • README demo GIF (docs/kprun.gif)

Changed

  • .gitignore tracks docs/kprun.gif and ignores alternate Cargo target directories (target-*/)

Full commit list
  • chore(release): prepare v0.2.2
  • docs: add demo gif to readme
  • feat(cli): add option help text and complete doctor --mcp snippets
  • docs(cli): document dotenv import format

v0.2.1

Choose a tag to compare

@github-actions github-actions released this 24 Jun 22:24

Changelog v0.2.1

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.2.1] - 2026-06-24

Added

  • ASCII banner on interactive management commands (TTY stderr, respects NO_COLOR)
  • Help descriptions for all CLI subcommands (kprun --help)
  • Success confirmations for set, unset, delete, import, export, and deinit (key names only, never values)
  • Guided init flow with numbered steps and a copy-pasteable Next steps block
  • Empty-vault hint on kprun list when no entries exist
  • Embedded minisign release public key in install scripts for checksum signature verification

Changed

  • init progress and hints use structured stderr output in interactive terminals; non-TTY and piped usage stays script-friendly
  • Banner is suppressed for run, list --json, doctor --mcp, export --stdout, and non-interactive sessions

Full commit list
  • chore(release): prepare v0.2.1
  • feat(cli): interactive stderr polish for vault management
  • ci(install): embed minisign release public key (H-4)

v0.2.0

Choose a tag to compare

@github-actions github-actions released this 24 Jun 21:49
96ad863

Changelog v0.2.0

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.2.0] - 2026-06-24

Added

  • Owner-only file permissions for vault databases, keyfiles, audit logs, and export files (0600 on Unix; inheritance removed and current-user-only on Windows)
  • Protected (in-memory encrypted) storage for custom secret fields in KeePass instead of plaintext
  • kprun deinit to remove the stored master password for the current vault from the OS keychain
  • kprun run --clean-env to run the child with a minimal safe environment plus injected secrets
  • kprun export --output <path> to write exports to a chosen path
  • Audit log entry for kprun get --keys (key names only, no values)
  • Rejection of duplicate KeePass entry titles during lookup
  • Refusal to inject vault keys named like dangerous environment variables (PATH, LD_PRELOAD, DYLD_*, NODE_OPTIONS, and others)
  • Minimum master password length of 12 characters on kprun init for new vaults
  • Release checksum signing with minisign; install scripts verify the signature when minisign and a configured public key are available
  • CI job that fails when GitHub Actions are not pinned to commit SHAs

Changed

  • BREAKING: OS keychain entries are now keyed per vault path (kprun / master:<sha256(db_path)>) instead of a single shared master account. After upgrading, run kprun init once per vault to re-store the master password (or enter it when prompted)
  • BREAKING: new vaults created with kprun init require a master password of at least 12 characters
  • dotenv export quotes and escapes values containing newlines and backslashes
  • Quoted dotenv values are preserved on import (including escaped newlines)
  • doctor --mcp github suggests a version-pinned @modelcontextprotocol/server-github@2025.4.8 and warns about npx supply-chain risk
  • FixedUnlock test helper is available only with the test-hooks feature (excluded from release binaries)
  • KPRUN_SKIP_CHECKSUM now requires KPRUN_DEV=1 (developer-only bypass)
  • contents: write GitHub Actions permission is scoped to the release job only
  • Missing-vault diagnostics avoid printing full filesystem paths in error output
  • Removed a redundant clone of database key material in command dispatch
  • README documents that KPRUN_TEST_MASTER requires --features test-hooks and is absent from GitHub Release binaries
  • SECURITY.md documents file permissions, keychain storage, process environment exposure, and minisign release verification

Fixed

  • Key/value parse errors no longer echo the user-supplied input
  • Warning when the master password is read from a non-terminal pipe
  • Warning when exporting plaintext secrets to a file with --reveal

Security

  • Per-vault keychain account derivation prevents multiple vaults from overwriting each other's stored master password
  • Supply-chain hardening: pinned GitHub Actions, signed release checksums, and gated checksum skip in installers

Full commit list
  • fix: low-priority hardening & docs
  • docs: finalize v0.2.0 changelog (low-priority hardening)
  • docs: document security model and release verification (L-4)
  • fix(cli): preserve quoted dotenv values on import (L-1)
  • refactor(core): gate FixedUnlock behind test-hooks feature (code-review)
  • fix(cli): pin npx MCP server version in doctor suggestion (L-2)
  • feat(cli): record audit entry for get --keys (Bugbot)
  • feat(cli): keychain lifecycle (BREAKING)
  • docs: document keychain keying migration (M-2, L-5)
  • feat(cli): add deinit to clear stored master from keychain (L-5)
  • feat(core)!: derive keychain account per vault path (M-2)
  • feat(core): env injection safety
  • feat(cli): add --clean-env to drop inherited environment (code-review)
  • feat(core): refuse to inject dangerous environment variables (Bugbot)
  • feat(cli): input validation & secret exposure UX
  • feat(cli): enforce minimum master password length (M-3)
  • feat(cli): add export --output and warn on reveal-to-file (M-1)
  • fix(cli): escape newlines/backslashes in dotenv export (Bugbot)
  • feat(core): reject duplicate entry titles in lookup (Bugbot)
  • fix(core): stop echoing user input in key/value parse errors (Bugbot)
  • ci(security): supply-chain hardening
  • ci(install): verify minisign signature and gate checksum skip behind dev flag (H-4, M-5)
  • ci: pin all GitHub Actions to commit SHAs (H-3)
  • refactor(cli): derive caller key from master instead of cloning DatabaseKey (M-6)
  • feat(core): store custom field values as protected (H-2)
  • feat(cli): write export file with owner-only permissions
  • feat(core): append audit log with owner-only permissions
  • feat(core): generate keyfile with owner-only permissions
  • feat(core): create and save vault with owner-only permissions
  • feat(core): add persist_restricted for atomic vault saves
  • feat(core): add secure_fs windows owner-only via icacls
  • feat(core): add secure_fs unix owner-only file helpers

v0.1.2

Choose a tag to compare

@github-actions github-actions released this 23 Jun 18:12

Changelog v0.1.2

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.1.2] - 2026-06-23

Added

  • test-hooks Cargo feature: KPRUN_TEST_MASTER and init test master env are available only when built with --features test-hooks (off by default in release binaries)
  • OpenMode require_rw guards on all vault write paths
  • Inject collision warnings when multiple entries set the same env key; deduplicated injected_keys in the audit trail
  • Alphabetically sorted custom field names in list output

Fixed

  • Single unlock on write commands when using --no-store (no double master password prompt)
  • Trim whitespace from dotenv import values

Changed

  • Narrow database_mut to pub(crate) in kprun-core
  • CI runs tests with --all-features so test-hooks code paths are covered in the matrix

Full commit list
  • ci: run tests with all features enabled
  • feat(core): add test-hooks feature flag
  • feat(core): gate KPRUN_TEST_MASTER behind test-hooks feature
  • feat(cli): gate init test master env behind test-hooks
  • feat(core): add require_rw guards on vault write paths
  • refactor(core): make database_mut pub(crate)
  • feat(core): warn on inject key collisions and dedupe injected_keys
  • fix(cli): single unlock on write commands via save_with_key
  • fix(cli): trim whitespace from dotenv import values
  • feat(core): sort custom field names alphabetically in list output
  • refactor(core): accept Path in generate_keyfile
  • fix(core): allow dead_code on narrowed database_mut
  • docs: add post-MVP hardening follow-ups plan
  • Merge pull request #9 from numikel/feat/post-mvp-hardening