Releases: garagon/nanostack

v0.7.0

25 Apr 02:30
85c9a09

Third security round of the day. The guard shifts from "Bash-only, allowlist-first" to an authoritative layer: block rules run before the allowlist, and a new hook covers Write, Edit, and MultiEdit. Four PRs (#139, #140, #141, #142) closed all seven findings from the round 3 audit.

Guard becomes authoritative

  • Block before allowlist. Binaries on the allowlist (find, cat, head, tail) no longer short-circuit past block rules. find . -delete, find . -exec rm -rf {} +, cat .env, head .env, tail secrets.pem now return exit 1 with the matching block rule. G-005, G-006, G-030 are effective again.
  • Write and Edit covered. New guard/bin/check-write.sh PreToolUse hook. Denies secrets by basename (.env and variants, *.pem, *.key, *.p12, *.pfx, SSH keys including id_rsa/id_ed25519/authorized_keys, shell history) and by path prefix (/etc, /var, /usr/bin, /usr/sbin, /usr/lib, /System, /private/etc, ~/.ssh, ~/.gnupg, ~/.aws, ~/.gcp, ~/.config/gcloud, ~/.kube).
  • Fresh installs wire both hooks. init-project.sh writes a hooks.PreToolUse block alongside permissions, with matchers for Bash (check-dangerous.sh) and Write|Edit|MultiEdit (check-write.sh). Existing installs are not modified; manual wire-up is in SECURITY.md.
  • git push --force-with-lease passes. G-007 tightened from git push --force to git push.*--force([[:space:]]|$) so the guard's own recommended alternative stops tripping the block.
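
The ordering change and the G-007 tightening, as an added example that is not nanostack's own guard code. The two git push patterns are the ones quoted above; the other block regexes, the allowlist variable and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example with constructed rules, not nanostack's rule file.
G007_OLD='git push --force'                    # old pattern, from the notes
G007_NEW='git push.*--force([[:space:]]|$)'    # tightened pattern, from the notes

# One ERE per line. The first three are assumed stand-ins for the
# find/cat/head/tail block rules; their real regexes are not on the page.
BLOCK_RULES="find .* -delete
find .* -exec[[:space:]]+rm
(cat|head|tail)[[:space:]].*\.(env|pem)
$G007_NEW"
ALLOWLIST='find cat head tail'

# rule_hits RULE CMD: true when the regex matches the command line.
rule_hits() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# blocked CMD: true when any block rule matches.
blocked() {
  while IFS= read -r rule; do
    if rule_hits "$rule" "$1"; then return 0; fi
  done <<EOF
$BLOCK_RULES
EOF
  return 1
}

# allowlisted CMD: true when the first word is an allowlisted binary.
allowlisted() {
  for bin in $ALLOWLIST; do
    if [ "${1%% *}" = "$bin" ]; then return 0; fi
  done
  return 1
}

# Old order: an allowlisted binary returns before any block rule runs.
guard_allowlist_first() {
  if allowlisted "$1"; then return 0; fi
  if blocked "$1"; then return 1; fi
  return 0
}

# v0.7.0 order: block rules are authoritative; exit 1 means blocked.
guard_block_first() {
  if blocked "$1"; then return 1; fi
  return 0   # not blocked: allowlist and normal permission flow decide (not modelled)
}
```

With the old order, `guard_allowlist_first 'find . -delete'` returns 0 because `find` is allowlisted; `guard_block_first` returns 1 for the same command while still passing `git push --force-with-lease origin main`.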

/nano-doctor reports the full model

Five rows across permissions and hook presence:

  • rm_scope, write_scope, allowlist_scope — cross-reference the relevant hook.
  • bash_guard, write_guard — report hook presence directly.

A broad Write(*) with the hook wired now reads as pass with a note that the hook covers secrets and system paths. Without the hook it warns with concrete remediation pointing at SECURITY.md.

CI coverage

  • Guard regression matrix expanded from 12 to 21 cases. New cases cover the allowlist-bypass class (find . -delete, cat .env, etc.) plus the --force-with-lease positive.
  • New write-guard-regression job: 19 cases plus two JSON-on-stdin contract checks so a Claude Code protocol drift surfaces on every PR.
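
A path classifier modelled on the deny lists under "Write and Edit covered", of the kind a write-guard regression case would exercise. This is an added example, not the project's check-write.sh: the `.env.*` glob, the history file names, the `~/` expansion and the lexical `..` normalization are assumptions.

```sh
#!/bin/sh
# Added example, not nanostack's check-write.sh. Deny lists follow the release
# notes; ".env.*", the history file names and normalize() are assumptions.

normalize() (
  # Lexically resolve "." and ".." in an absolute path (no symlink lookup).
  # The ( ) body runs in a subshell, so IFS and set -f do not leak out.
  IFS=/; set -f; out=
  for seg in $1; do
    case $seg in
      ''|.) ;;
      ..)   out=${out%/*} ;;
      *)    out="$out/$seg" ;;
    esac
  done
  printf '%s\n' "${out:-/}"
)

# check_write_path PATH: returns 0 to allow, 1 to deny (reason on stdout).
check_write_path() {
  p=$1
  case $p in "~/"*) p="$HOME/${p#??}" ;; esac   # expand a leading ~/
  case $p in /*) ;; *) p="$PWD/$p" ;; esac       # make relative paths absolute
  p=$(normalize "$p")                            # so /tmp/../etc is seen as /etc
  base=${p##*/}
  case $base in
    .env|.env.*|*.pem|*.key|*.p12|*.pfx)
      echo "deny: secret basename $base"; return 1 ;;
    id_rsa|id_ed25519|authorized_keys)
      echo "deny: SSH key material $base"; return 1 ;;
    .bash_history|.zsh_history)
      echo "deny: shell history $base"; return 1 ;;
  esac
  for prefix in /etc /var /usr/bin /usr/sbin /usr/lib /System /private/etc \
      "$HOME/.ssh" "$HOME/.gnupg" "$HOME/.aws" "$HOME/.gcp" \
      "$HOME/.config/gcloud" "$HOME/.kube"; do
    case $p in
      # Match the directory itself or anything below it, not "/etcetera".
      "$prefix"|"$prefix"/*) echo "deny: protected prefix $prefix"; return 1 ;;
    esac
  done
  return 0
}
```

Normalization here is lexical only; a symlink inside the project that points into a protected directory would need the path resolved on disk before the prefix comparison.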

Portability and integrity

  • feature/bin/enforce-sprint.sh uses BSD stat with a GNU stat fallback, mirroring the pattern in guard/bin/phase-gate.sh. Gates run on Linux agents, not just macOS.
  • bin/resolve.sh passes --verify to find-artifact.sh. Tampered artifacts no longer feed downstream phases (gates, review context, conflict precedence).

Compatibility

No breaking changes to the wire telemetry schema. Existing .claude/settings.json files are not modified. The Write/Edit hook is only wired automatically for fresh installs; existing installs opt in via the copy-paste block in SECURITY.md.

Install

npx create-nanostack

Run /nano-doctor in your project to see the honest state of your permission and hook surface.

Full diff

v0.6.0...v0.7.0

v0.6.0

24 Apr 22:31
efa82a5

Six weeks of work since the v0.1.0 baseline. This is the first tag since the VERSION file was introduced, and it reflects the features, skills, and hardening that landed along the way.

New surface

  • /nano-doctor — install health-check skill. Ten checks across deps, install integrity, home directory permissions, telemetry config, pre-V5 detection, and Worker reachability. Exit code maps to severity: 0 healthy, 1 warnings, 2 critical. Flags: --json, --offline, --fix.
  • Observational feedback in /think — optional ## What I noticed block when a coaching pattern fires (jump-to-solution, scope drift, strong pain observation, surprising synthesis). Silence beats a forced observation. Target firing rate under 30% of sessions.
  • observational_fired v1 telemetry field — measures firing rate of the feedback block without any content leaving the machine. Additive, nullable; only /think sets it.
  • NANOSTACK_DEBUG=1 — surfaces the pre-V5 detection decision (marker-present, pre-V5, or fresh-install) so future silent bugs surface on first run.
  • Latent-vs-deterministic reference — linked from /think (Phase 4 Premise Challenge) and /nano (Architecture Checkpoint). Names when to trust the model versus when to build infrastructure.

Internal security round (all findings closed)

  • Guard block rules run before the in-project shortcut so recursive operations that resolve inside the repo cannot bypass.
  • setup --rename input validated via strict regex plus path_is_under guard before any rm.
  • Audit log records built via jq -cn --arg so quoted, backslashed, or newline-laden fields cannot inject extra keys.
  • Session lock records owner PID and uses kill -0 to tell stale from live; fails closed at 30s.
  • Wrangler bumped from 3.60 to 4.85; bun audit went from 6 vulnerabilities to 0.
  • Guard audit trail lands in .nanostack/audit.log regardless of NANOSTACK_STORE state.
  • CI adds bun install --frozen-lockfile, bun audit, tsc --noEmit, and a 12-case guard regression matrix.
  • Default rm scope narrowed to .nanostack/** and /tmp/**. Existing installs untouched; /nano-doctor surfaces broad legacy entries with an opt-in migration path.
  • Permission model documented in SECURITY.md.

Compatibility

No breaking changes to the wire telemetry schema. observational_fired is additive and nullable. Existing opt-in installations continue to send events that pass Worker validation.

init-project.sh never removes entries from an existing .claude/settings.json; pre-v0.6 installs keep whatever they had and can migrate on their own timeline.

Install

npx create-nanostack

See README for the full set of skills and TROUBLESHOOTING.md if you hit anything.

Full diff

v0.1.0...v0.6.0