release: v0.6.0 — security audit fixes + 7 new features
All checks were successful
PR Check / check (pull_request) Successful in 57s
All checks were successful
PR Check / check (pull_request) Successful in 57s
Audit corrections (security, concurrency, stability): - chat_engine: bound resp.Choices[0] access, release tool slot per-iteration - conversation_multi: synchronous save under existing lock (was racy fire-and-forget) - workflow/engine: short-circuit on failed deps (no more infinite busy-wait); track failed/skipped status - handlers_workflow: rune-aware truncate for plan goal (UTF-8 safe) - server: CORS limited to localhost origins (was wildcard) - handlers_info / terminal: mask API keys and SSH passwords as "***" in GET responses; preserve stored secret if "***" sent on update - terminal: sshpass uses -e + SSHPASS env var (was both -p and -e) - handlers_chat: MaxBytesReader 50 MB on /api/chat - image_cache: 10 MB cap per image - handlers_config: font size <= 72; profile-save unmarshal errors propagated - handlers_info: /lsp/auto-install ProjectDir restricted to user home - Shell.jsx: parenthesized resize-condition (operator precedence) - orchestrator_test: CleanAIResponse capitalization (fixes failing vet) New features: - platform: detect OS name (Debian, Ubuntu, Windows 11, macOS X.Y) and inject in Studio system prompt next to the date - agents: default timeout 30 min for crush_run/claude_run (cap also 30 min) - agents: new cwd, wsl_distro, wsl_user params; on Windows hosts launch via "wsl -d <distro> -u <user> --cd <cwd> --" - agents: new claude_run tool (mirror of crush_run for Claude Code CLI) - terminal: list installed WSL distros individually in new-tab menu (Windows only) - studio: system prompt rewritten around BMAD-METHOD personas + mandatory delegation template - studio: "Réflexion avancée" toggle — inactive provider produces a preliminary report injected as [RAPPORT PRÉALABLE] context for the active provider - studio: "Historique compressé" toggle — collapses past tool calls to last action only, with "Tout afficher" expansion
This commit is contained in:
Muyue
35
CHANGELOG.md
35
CHANGELOG.md
@@ -4,6 +4,41 @@ All notable changes to this project will be documented in this file.
|
||||
|
||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
|
||||
|
||||
## v0.6.0
|
||||
|
||||
### Audit & corrections (sécurité, concurrence, stabilité)
|
||||
|
||||
- fix(api): empty `resp.Choices[0]` panic in chat engine — bounded check
|
||||
- fix(api): `defer release()` accumulating inside tool-call loop — release immediately after each tool call
|
||||
- fix(api): race in `ConversationStoreMulti.Add` (fire-and-forget save under released lock) — synchronous save under existing lock
|
||||
- fix(workflow): infinite busy-wait in `engine.Execute` when a dependency fails — propagate `StatusFailed`/`StatusSkipped` and short-circuit
|
||||
- fix(workflow): UTF-8-unsafe slicing of plan goal — rune-aware truncate
|
||||
- fix(security): CORS `Access-Control-Allow-Origin: *` — restricted to localhost origins
|
||||
- fix(security): API key disclosure in `/api/providers` — masked as `"***"`; saving handler ignores `"***"` placeholder
|
||||
- fix(security): SSH password disclosure in `/api/terminal/sessions` — masked; update handler preserves stored password if `"***"` is sent
|
||||
- fix(security): sshpass `-p` + `-e` mutually-exclusive flags — use only `-e` with `SSHPASS` env var
|
||||
- fix(security): unbounded chat request body — `MaxBytesReader` 50 MB
|
||||
- fix(security): unbounded image upload — 10 MB cap in `saveImage`
|
||||
- fix(security): font size unbounded — capped at 72
|
||||
- fix(security): `LSP /auto-install` accepted arbitrary `project_dir` — restricted to user home subtree
|
||||
- fix(api): silent `json.Unmarshal` errors in profile save — propagated
|
||||
- fix(ui): operator-precedence bug in `Shell.jsx` resize check — parenthesized
|
||||
|
||||
### Nouvelles fonctionnalités
|
||||
|
||||
- feat(ai): inject OS name (e.g. `Debian 12`, `Windows 11`, `macOS 14.5`) alongside date in Studio system prompt
|
||||
- feat(agents): default timeout raised to 30 minutes for `crush_run` and `claude_run`; max also 30 min
|
||||
- feat(agents): new optional params `cwd`, `wsl_distro`, `wsl_user` — agents can be launched in a specific directory, and on Windows hosts inside a specific WSL distribution under a specific user
|
||||
- feat(agents): new `claude_run` tool (mirrors `crush_run` for the Claude Code CLI)
|
||||
- feat(terminal): WSL distros listed individually as quick-launch entries in the new-tab menu (Windows hosts only)
|
||||
- feat(studio): system prompt rewritten around the BMAD-METHOD (Analyst/PM/Architect/SM/Dev/QA personas + mandatory `[OBJECTIF]/[CONTEXTE]/[CONTRAINTES]/[LIVRABLE]/[CRITÈRE D'ACCEPTATION]` template for any agent delegation)
|
||||
- feat(studio): "Réflexion avancée" toggle — when enabled, the inactive AI provider produces a preliminary report that is injected as `[RAPPORT PRÉALABLE]` context into the active provider's prompt
|
||||
- feat(studio): "Historique compressé" toggle — collapses past tool calls and keeps only the last visible action per assistant message, with `Tout afficher` to expand
|
||||
|
||||
### Bug fix CI
|
||||
|
||||
- fix(test): `cleanAIResponse` → `CleanAIResponse` in `orchestrator_test.go` (was failing `go vet`)
|
||||
|
||||
## v0.4.0
|
||||
|
||||
### Changes since v0.3.5
|
||||
|
||||
Reference in New Issue
Block a user