chore: release v0.11.0

[lroolle]

Summary

• bump deva.sh to 0.11.0
• promote changelog notes for tmux bridge, browser MCP, mount safety, slug naming, and version-upgrade fixes
• refresh README/docs index links and honest check coverage banner

Verification

• ./deva.sh --help
• ./deva.sh --version
• ./claude-yolo --help
• ./claude-yolo --version
• ./scripts/version-check.sh
• bash tests/test_release_utils.sh
• bash tests/version-upgrade.sh
• ./scripts/test-version-targets.sh
• ./scripts/test-mount-shape.sh
• bash scripts/test-container-slug.sh
• shellcheck -S error over repo shell scripts
• uv run --with mkdocs --with mkdocs-material --with pymdown-extensions mkdocs build --strict

Note: local tag v0.11.0 exists but was not pushed because main requires PR merge first.

[claude-yolo]

Claude finished @lroolle's task in 1m 27s —— View job

---

Security Audit Complete ⚠️

Performed paranoid security audit of v0.11.0 release focusing on container boundaries, auth flows, and privilege escalation vectors.

Security Audit Tasks

• Read and analyze all changed files
• Examine deva.sh version bump for security implications
• Review CHANGELOG.md for new features requiring security assessment
• Audit container boundary integrity
• Check for shell injection vectors in entrypoints
• Verify auth flow security and mount safety
• Assess privilege escalation risks
• Document blocking security issues
• Identify high-risk findings requiring immediate attention
• Specify required security tests before merge

🚨 BLOCKING SECURITY ISSUES

1. Command Injection in Config Validation (HIGH RISK)

• File: deva.sh:2097-2118
• Issue: Config validation allows $(pwd) but the regex check is insufficient
• Attack Vector: Malicious .deva config could inject arbitrary commands
• Fix Required: Whitelist exact $(pwd) pattern, reject all other $() constructs

2. Shell Injection in localhost Translation (HIGH RISK)

• File: deva.sh:476
• Issue: translate_localhost() uses unescaped sed on user input
• Attack Vector: Proxy URLs with special chars could escape sed and inject commands
• Fix Required: Properly escape input or use safer string replacement

⚠️ HIGH-RISK FINDINGS

3. Docker Socket Auto-Mount Default (CRITICAL DESIGN RISK)

• File: deva.sh:1276-1278
• Issue: /var/run/docker.sock mounted by default when present
• Risk: Container gets root access to host Docker daemon (host root equivalent)
• Recommendation: Change to opt-in via explicit flag, not opt-out

4. Insufficient Secret Masking Patterns

• File: deva.sh:3196-3208
• Issue: Regex *TOKEN*|*KEY*|*SECRET*|*PASSWORD*|*CREDENTIALS* may miss variants
• Risk: Secrets could leak in debug output
• Fix Required: Add more comprehensive patterns, case-insensitive matching

5. Container Name Injection Risk

• File: deva.sh:2829
• Issue: docker exec uses container name without validation in shell mode
• Risk: If container name contains shell metacharacters, potential injection
• Mitigation: Validate container names match expected format

🔍 REQUIRED SECURITY TESTS

Before merge, implement these tests:

1. Config Injection Test: Verify malicious .deva files with $(malicious) constructs are rejected
2. Proxy URL Test: Test localhost translation with URLs containing shell metacharacters
3. Docker Socket Isolation: Verify --no-docker properly prevents socket mount
4. Secret Masking Test: Verify debug output masks all credential variations
5. Container Name Validation: Test shell access with edge-case container names

📋 RELEASE SECURITY REQUIREMENTS

1. Fix config validation to prevent command injection
2. Fix localhost translation shell injection vector
3. Add test coverage for all identified injection points
4. Document security implications of Docker socket auto-mount
5. Review secret masking patterns for completeness

✅ SECURITY POSITIVES

• Mount validation prevents recursive bind mount attacks
• Auth credential overlay system prevents file corruption
• Proper UID/GID handling prevents privilege confusion
• Container isolation model is sound (when socket not mounted)
• Config home isolation properly implemented

🚨 VERDICT: MERGE BLOCKED

This release contains multiple HIGH-RISK security vulnerabilities that must be addressed before merge. The command injection vectors in config validation and localhost translation are particularly concerning as they could allow arbitrary code execution on the host.

Fix these issues →

[Copilot]

Pull request overview

Release prep for deva.sh v0.11.0 by bumping the launcher’s internal version, promoting release notes into the changelog, and refreshing the README/docs index to surface the new tmux-bridge documentation and expanded local check list.

Changes:

• Bump deva.sh internal VERSION to 0.11.0.
• Add a 0.11.0 section to CHANGELOG.md with the promoted release notes.
• Update README and docs index to link the tmux-bridge docs and reflect current “basic checks”.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
README.md	Adds “Checks” badge, links tmux-bridge docs, and expands the development check list.
docs/index.md	Adds tmux-bridge entry to the docs landing page index.
deva.sh	Updates the script’s VERSION constant to 0.11.0.
CHANGELOG.md	Promotes release notes into a new 0.11.0 section dated 2026-05-22.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.