v0.2.0
Changelog v0.2.0
All notable changes to kprun are documented in this file.
The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.
[0.2.0] - 2026-06-24
Added
- Owner-only file permissions for vault databases, keyfiles, audit logs, and export files (
0600on Unix; inheritance removed and current-user-only on Windows) - Protected (in-memory encrypted) storage for custom secret fields in KeePass instead of plaintext
kprun deinitto remove the stored master password for the current vault from the OS keychainkprun run --clean-envto run the child with a minimal safe environment plus injected secretskprun export --output <path>to write exports to a chosen path- Audit log entry for
kprun get --keys(key names only, no values) - Rejection of duplicate KeePass entry titles during lookup
- Refusal to inject vault keys named like dangerous environment variables (
PATH,LD_PRELOAD,DYLD_*,NODE_OPTIONS, and others) - Minimum master password length of 12 characters on
kprun initfor new vaults - Release checksum signing with minisign; install scripts verify the signature when
minisignand a configured public key are available - CI job that fails when GitHub Actions are not pinned to commit SHAs
Changed
- BREAKING: OS keychain entries are now keyed per vault path (
kprun/master:<sha256(db_path)>) instead of a single sharedmasteraccount. After upgrading, runkprun initonce per vault to re-store the master password (or enter it when prompted) - BREAKING: new vaults created with
kprun initrequire a master password of at least 12 characters - dotenv export quotes and escapes values containing newlines and backslashes
- Quoted dotenv values are preserved on import (including escaped newlines)
doctor --mcp githubsuggests a version-pinned@modelcontextprotocol/server-github@2025.4.8and warns about npx supply-chain riskFixedUnlocktest helper is available only with thetest-hooksfeature (excluded from release binaries)KPRUN_SKIP_CHECKSUMnow requiresKPRUN_DEV=1(developer-only bypass)contents: writeGitHub Actions permission is scoped to the release job only- Missing-vault diagnostics avoid printing full filesystem paths in error output
- Removed a redundant clone of database key material in command dispatch
- README documents that
KPRUN_TEST_MASTERrequires--features test-hooksand is absent from GitHub Release binaries - SECURITY.md documents file permissions, keychain storage, process environment exposure, and minisign release verification
Fixed
- Key/value parse errors no longer echo the user-supplied input
- Warning when the master password is read from a non-terminal pipe
- Warning when exporting plaintext secrets to a file with
--reveal
Security
- Per-vault keychain account derivation prevents multiple vaults from overwriting each other's stored master password
- Supply-chain hardening: pinned GitHub Actions, signed release checksums, and gated checksum skip in installers
Full commit list
- fix: low-priority hardening & docs
- docs: finalize v0.2.0 changelog (low-priority hardening)
- docs: document security model and release verification (L-4)
- fix(cli): preserve quoted dotenv values on import (L-1)
- refactor(core): gate FixedUnlock behind test-hooks feature (code-review)
- fix(cli): pin npx MCP server version in doctor suggestion (L-2)
- feat(cli): record audit entry for get --keys (Bugbot)
- feat(cli): keychain lifecycle (BREAKING)
- docs: document keychain keying migration (M-2, L-5)
- feat(cli): add deinit to clear stored master from keychain (L-5)
- feat(core)!: derive keychain account per vault path (M-2)
- feat(core): env injection safety
- feat(cli): add --clean-env to drop inherited environment (code-review)
- feat(core): refuse to inject dangerous environment variables (Bugbot)
- feat(cli): input validation & secret exposure UX
- feat(cli): enforce minimum master password length (M-3)
- feat(cli): add export --output and warn on reveal-to-file (M-1)
- fix(cli): escape newlines/backslashes in dotenv export (Bugbot)
- feat(core): reject duplicate entry titles in lookup (Bugbot)
- fix(core): stop echoing user input in key/value parse errors (Bugbot)
- ci(security): supply-chain hardening
- ci(install): verify minisign signature and gate checksum skip behind dev flag (H-4, M-5)
- ci: pin all GitHub Actions to commit SHAs (H-3)
- refactor(cli): derive caller key from master instead of cloning DatabaseKey (M-6)
- feat(core): store custom field values as protected (H-2)
- feat(cli): write export file with owner-only permissions
- feat(core): append audit log with owner-only permissions
- feat(core): generate keyfile with owner-only permissions
- feat(core): create and save vault with owner-only permissions
- feat(core): add persist_restricted for atomic vault saves
- feat(core): add secure_fs windows owner-only via icacls
- feat(core): add secure_fs unix owner-only file helpers