
Spool 0.5.0


@github-actions github-actions released this 28 May 07:26
Commit 5004fbc

Spool v0.5.0 — Security Scan

This release introduces Security Scan, an always-on local scanner that surfaces credentials, API keys, and PII that have leaked into your coding-agent sessions. Everything runs on-device — Spool never sends your session data anywhere.

What's new

Security Scan (default on)

  • 30+ secret patterns — vendor API keys (OpenAI, Anthropic, Stripe, AWS, GitHub, Slack, ...), private keys, kubeconfig tokens, connection strings, env-var leaks, basic-auth, bearer tokens, JWTs, cloud credential blobs.
  • Optional ML-powered PII detection — Privacy Filter, opt-in under Settings → Security → Experimental. A local ONNX model catches structured PII that the regex layer misses, with its class mapping tuned for precision over recall.
  • Cross-session blast radius — see every place a leaked value occurs across your archive, not just the one session you're looking at.
  • One-click rotate-at-source — Stripe, OpenAI, Anthropic, AWS, GitHub, Slack and more: deep-link straight to the rotation surface in the provider's dashboard.
  • Purge everywhere — destructively rewrite a leaked value out of every message that contains it, with a preserved audit row.
  • Allowlist review surface — per-kind and per-value, with bulk dismiss / undismiss.

Other improvements

  • OpenCode session indexing — sessions captured by OpenCode CLI are now indexed alongside Claude Code, codex, and gemini.
  • CLI — new spool projects, spool pin, spool unpin, spool pinned commands.
  • OpenTelemetry instrumentation — pretty traces in dev, JSONL exporter in prod.
  • Settings modal — larger surface; stacked sub-modals scrim correctly.
  • Native menu — adapted properly on non-macOS platforms.
  • npm packages — @spool-lab/redact, @spool-lab/core, @spool-lab/cli auto-publish on every release.

Behavior on upgrade from v0.4.x

When the auto-updater applies v0.5.0:

  1. ~/.spool/agents.json gets "securityEnabled": true seeded automatically. Opt out any time at Settings → Labs → Security Scan.
  2. A background backfill rescans every previously-indexed session with the new detector profile (regex@1 → regex@2). The worker runs in a separate thread; the foreground UI stays responsive.
  3. No database schema change — user_version stays at 13. The upgrade is non-destructive: downgrading back to v0.4.x is safe.

Privacy

All scanning is local. Nothing about your sessions, findings, or values leaves your device. The optional Privacy Filter ML model runs entirely on-device in a hidden inference window via onnxruntime-node.

Install

macOS (Apple Silicon)

Download Spool-0.5.0-arm64.dmg from the assets below and drag it to /Applications.

Linux (x86_64)

Download the AppImage from the assets below.

Reporting issues

This is an early release. Please report false positives, missed leaks, or any unexpected behavior via Issues. The CJK env-var false-positive someone reported on day one (#334) is exactly the kind of feedback that improves the detector.