Releases: iicky/murk
v0.6.0
[0.6.0] - 2026-04-21
Added
- add doctor command for repo hygiene
Changed
- bump rustls-webpki to 0.103.12 for RUSTSEC-2026-0098 and 0099
- bump version to 0.6.0
Other
- kill .env runtime fallback and route info through hardened loader
- faster dev builds via unpacked debuginfo
- turn verify into a real safety check
- reject ssh-rsa recipients by default, add --allow-ssh-rsa override
- exclude rust/cleartext-logging from codeql, false positive for a local cli
v0.5.11
[0.5.11] - 2026-04-14
Changed
- bump version to 0.5.11
Other
- draft: switch npm publish to trusted publishing (OIDC)
- walk up parent dirs to discover .murk vault
v0.5.10
[0.5.10] - 2026-04-13
Fixed
- fix crates.io publish via OIDC auth action and bump to 0.5.10
v0.5.9
[0.5.9] - 2026-04-13
Added
- add vault purple diamond logo to README
- add rust to codeql analysis matrix
Changed
- use O_NOFOLLOW on secret-file writes to close symlink TOCTOU windows
- bump version to 0.5.9
Other
- harden file writes, sanitize metadata, tighten CI and release governance
- switch crates.io publish to trusted publishing, add pin verification tests
- show self marker and key source in murk info
- split carol-leaving narration into two lines for readability
- reject symlinked vaults and stop canonicalizing for key lookup
- fail closed on provenance attestation when gh cli is available
- remove em-dashes from tape narration, parallelize vhs recording
- record all 9 tapes in vhs matrix
- install direnv in the vhs-git docker image
v0.5.8
[0.5.8] - 2026-04-06
Changed
- bump version to 0.5.8
Fixed
- fix npm publish: remove registry-url to allow OIDC auth
- fix npm publish: add NPM_TOKEN for auth
v0.5.7
[0.5.7] - 2026-04-06
Changed
- bump version to 0.5.7
Fixed
- fix npm publish: commit index files, remove prepublishOnly
v0.5.6
[0.5.6] - 2026-04-06
Added
- add completion install subcommand
- add tests for completion install subcommand
Changed
- bump version to 0.5.6
Fixed
- fix npm publish: use napi-rs v3 pre-publish command
v0.5.5
[0.5.5] - 2026-04-05
Changed
- bump version to 0.5.5
Fixed
- fix npm publish: use OIDC auth, remove broken NPM_TOKEN references
- fix clippy for python feature, expand CI to lint and test all features
- fix biome lint: break chained calls onto separate lines
- fix remaining biome lint, add multi-language pre-commit hook
- fix musl build: install Node 22 for napi-rs/cli v3 compatibility
- fix musl build: install xz for node tarball extraction
Other
- combine install+publish into single step to preserve npm auth context
- integrity-protect schema in MAC, shell-escape .env/.envrc output
- make integration tests hermetic: isolate HOME, strip quotes from .env paths
- harden install script: fail on missing hash tool, verify attestation when gh available
- strip shell quotes from .env values in Python test fixture
- upgrade napi and napi-derive to v3
- upgrade @napi-rs/cli to v3 to match napi crate v3
- migrate napi config to v3 format: binaryName, explicit targets
- strip shell quotes from .env values in Node test fixture
v0.5.4
[0.5.4] - 2026-03-30
Added
- add 40+ tests: edit parse/diff, error display, vault lock/write, env symlink/perms, tarpaulin binary coverage
- add github key parsing tests, Debug for MurkRecipient, cache tarpaulin/audit installs
- add merge, recovery, info, env tests; fix duplicate test names; total 383 tests
- add 20 adversarial tests: malformed vaults, symlink attacks, permission checks, tampered integrity, hostile imports, merge driver abuse
- add TOFU pinning for github:username key fetch
Changed
- extract scan logic to lib, add scan unit tests, fix npm publish lifecycle scripts
- extract edit parse/diff logic to lib, configure tarpaulin for binary coverage
- bump to v0.5.4
Fixed
- fix npm publish: skip lifecycle scripts during ci, add GITHUB_TOKEN for napi
- fix tarpaulin: use --run-types Tests (Bins is not a valid option)
Other
- switch from tarpaulin to cargo-llvm-cov for binary + library coverage
- expand adversarial tests: invalid keys, edge cases, revoke/authorize abuse, import collisions (31 total)
v0.5.3
[0.5.3] - 2026-03-29
Added
- add CodeQL scanning for actions, python, and JS/TS
- add OpenSSF Scorecard workflow and cargo-audit to lint job
- add fuzz targets, symlink checks on all write paths, sharpen security docs
- add community standards files, prefer tmpfs for edit, warn on ssh-rsa authorize
- add permissions: read-all to all workflows, pin codeql-action to SHA
- add LICENSE pointer file for OpenSSF badge detection
- add OpenSSF Best Practices badge to README
- add SLSA Level 2 badge and document provenance in THREAT_MODEL
- add DCO reference to CONTRIBUTING.md
- add public roadmap
- add per-key timestamps, murk scan, exec --only/--clean-env, quick-start guide
Changed
- use npm ci instead of npm install in node workflow (pinned dependencies)
- bump to v0.5.3
Fixed
- fix scorecard action SHA
Other
- soften absolute claims in README and THREAT_MODEL, fix BIP39 key derivation docs
- rename hmac_key to mac_key (BLAKE3 keyed hash, not HMAC); accept old field via serde alias
- ignore RUSTSEC-2023-0071 in cargo-audit (already suppressed in deny.toml)
- race-safe lock opens via O_NOFOLLOW, reject world-readable key files, deprecate inline .env keys
- extend vulnerability response SLA to 14 days
- require tests for new features (was should, now must)
- make LICENSE a valid MIT license file (fixes GitHub unknown detection)
- scope dependabot permissions to job level, dismiss CodeQL test false positives