Skip to content

v0.2.0

Choose a tag to compare

@github-actions github-actions released this 24 Jun 21:49
96ad863

Changelog v0.2.0

All notable changes to kprun are documented in this file.

The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.

[0.2.0] - 2026-06-24

Added

  • Owner-only file permissions for vault databases, keyfiles, audit logs, and export files (0600 on Unix; inheritance removed and current-user-only on Windows)
  • Protected (in-memory encrypted) storage for custom secret fields in KeePass instead of plaintext
  • kprun deinit to remove the stored master password for the current vault from the OS keychain
  • kprun run --clean-env to run the child with a minimal safe environment plus injected secrets
  • kprun export --output <path> to write exports to a chosen path
  • Audit log entry for kprun get --keys (key names only, no values)
  • Rejection of duplicate KeePass entry titles during lookup
  • Refusal to inject vault keys named like dangerous environment variables (PATH, LD_PRELOAD, DYLD_*, NODE_OPTIONS, and others)
  • Minimum master password length of 12 characters on kprun init for new vaults
  • Release checksum signing with minisign; install scripts verify the signature when minisign and a configured public key are available
  • CI job that fails when GitHub Actions are not pinned to commit SHAs

Changed

  • BREAKING: OS keychain entries are now keyed per vault path (kprun / master:<sha256(db_path)>) instead of a single shared master account. After upgrading, run kprun init once per vault to re-store the master password (or enter it when prompted)
  • BREAKING: new vaults created with kprun init require a master password of at least 12 characters
  • dotenv export quotes and escapes values containing newlines and backslashes
  • Quoted dotenv values are preserved on import (including escaped newlines)
  • doctor --mcp github suggests a version-pinned @modelcontextprotocol/server-github@2025.4.8 and warns about npx supply-chain risk
  • FixedUnlock test helper is available only with the test-hooks feature (excluded from release binaries)
  • KPRUN_SKIP_CHECKSUM now requires KPRUN_DEV=1 (developer-only bypass)
  • contents: write GitHub Actions permission is scoped to the release job only
  • Missing-vault diagnostics avoid printing full filesystem paths in error output
  • Removed a redundant clone of database key material in command dispatch
  • README documents that KPRUN_TEST_MASTER requires --features test-hooks and is absent from GitHub Release binaries
  • SECURITY.md documents file permissions, keychain storage, process environment exposure, and minisign release verification

Fixed

  • Key/value parse errors no longer echo the user-supplied input
  • Warning when the master password is read from a non-terminal pipe
  • Warning when exporting plaintext secrets to a file with --reveal

Security

  • Per-vault keychain account derivation prevents multiple vaults from overwriting each other's stored master password
  • Supply-chain hardening: pinned GitHub Actions, signed release checksums, and gated checksum skip in installers

Full commit list
  • fix: low-priority hardening & docs
  • docs: finalize v0.2.0 changelog (low-priority hardening)
  • docs: document security model and release verification (L-4)
  • fix(cli): preserve quoted dotenv values on import (L-1)
  • refactor(core): gate FixedUnlock behind test-hooks feature (code-review)
  • fix(cli): pin npx MCP server version in doctor suggestion (L-2)
  • feat(cli): record audit entry for get --keys (Bugbot)
  • feat(cli): keychain lifecycle (BREAKING)
  • docs: document keychain keying migration (M-2, L-5)
  • feat(cli): add deinit to clear stored master from keychain (L-5)
  • feat(core)!: derive keychain account per vault path (M-2)
  • feat(core): env injection safety
  • feat(cli): add --clean-env to drop inherited environment (code-review)
  • feat(core): refuse to inject dangerous environment variables (Bugbot)
  • feat(cli): input validation & secret exposure UX
  • feat(cli): enforce minimum master password length (M-3)
  • feat(cli): add export --output and warn on reveal-to-file (M-1)
  • fix(cli): escape newlines/backslashes in dotenv export (Bugbot)
  • feat(core): reject duplicate entry titles in lookup (Bugbot)
  • fix(core): stop echoing user input in key/value parse errors (Bugbot)
  • ci(security): supply-chain hardening
  • ci(install): verify minisign signature and gate checksum skip behind dev flag (H-4, M-5)
  • ci: pin all GitHub Actions to commit SHAs (H-3)
  • refactor(cli): derive caller key from master instead of cloning DatabaseKey (M-6)
  • feat(core): store custom field values as protected (H-2)
  • feat(cli): write export file with owner-only permissions
  • feat(core): append audit log with owner-only permissions
  • feat(core): generate keyfile with owner-only permissions
  • feat(core): create and save vault with owner-only permissions
  • feat(core): add persist_restricted for atomic vault saves
  • feat(core): add secure_fs windows owner-only via icacls
  • feat(core): add secure_fs unix owner-only file helpers