release: v0.5.19

anandgupta42 · anandgupta42 · commit 0203b6a88ace · 2026-04-04T21:21:15.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.5.19] - 2026-04-04
+
+### Added
+
+- **`${VAR}` environment variable interpolation in configs** — use shell/dotenv-style `${DB_PASSWORD}`, `${MODE:-production}` (with defaults), or `$${VAR}` (literal escape) anywhere in `altimate.json` and MCP server configs. Values are JSON-escape-safe so passwords containing quotes or backslashes can't corrupt your config structure. The existing `{env:VAR}` syntax continues to work for raw text injection. (#655, closes #635)
+
+### Fixed
+
+- **Plan agent warns when the model refuses to tool-call** — if the plan agent's model returns text without invoking any tools, altimate-code now surfaces a one-shot TUI warning suggesting you switch models via `/model` instead of silently hanging. Telemetry event `plan_no_tool_generation` emitted for session-level diagnosis. (#653)
+- **GitLab MR review: large-diff guard & prompt-injection hardening** — MRs exceeding 50 files or 200 KB of diff text are truncated upfront with a user-visible warning, and the review prompt explicitly frames MR content as untrusted input. (#648)
+- **Atomic trace file writes** — `FileExporter` now writes to a temp file and renames, preventing partial/corrupt trace JSON on crash or SIGKILL. Stale `.tmp.*` artifacts older than 1 hour are swept during prune. (#646)
+- **15s timeout on credential validation** — `AltimateApi.validateCredentials()` no longer hangs indefinitely if the auth endpoint stalls. (#648)
+- **Shadow-mode SQL pre-validation telemetry** — measures catch-rate for structural errors (missing columns, tables) against cached schema before enabling user-visible blocking in a future release. Fire-and-forget, zero impact on the `sql_execute` hot path. No raw SQL, schema identifiers, or validator error text transmitted. (#643, #651)
+- **GitLab docs rewrite** — replaced "work in progress" warning with a complete guide: quick-start, authentication, self-hosted instances, model selection, CI example. (#648)
+
+### Testing
+
+- 25 new adversarial tests covering env-var interpolation (JSON-escape safety, single-pass substitution, ReDoS, escape hatch, defaults), atomic write hygiene (race conditions, tmp sweep, sessionId sanitization), and telemetry identifier-leak guards. New ClickHouse finops/profiles/registry coverage. (#624)
+
 ## [0.5.18] - 2026-04-04
 
 ### Added
diff --git a/packages/opencode/src/altimate/observability/tracing.ts b/packages/opencode/src/altimate/observability/tracing.ts
@@ -201,6 +201,18 @@ export class FileExporter implements TraceExporter {
 
   private async pruneOldTraces() {
     const entries = await fs.readdir(this.dir, { withFileTypes: true })
+    // Sweep stale temp files (crashes between writeFile and rename leave .tmp.*
+    // artifacts). Older than 1 hour = definitely abandoned.
+    const staleCutoff = Date.now() - 60 * 60 * 1000
+    const tmpFiles = entries.filter((e) => e.isFile() && /\.json\.tmp\.[0-9]+\./.test(e.name))
+    await Promise.allSettled(
+      tmpFiles.map(async (e) => {
+        const p = path.join(this.dir, e.name)
+        const stat = await fs.stat(p).catch(() => undefined)
+        if (stat && stat.mtimeMs < staleCutoff) await fs.unlink(p).catch(() => undefined)
+      }),
+    )
+
     const jsonFiles = entries
       .filter((e) => e.isFile() && e.name.endsWith(".json"))
       .map((e) => e.name)
diff --git a/packages/opencode/src/altimate/telemetry/index.ts b/packages/opencode/src/altimate/telemetry/index.ts
@@ -656,7 +656,6 @@ export namespace Telemetry {
         /** true when schema scan hit the column-scan cap — flags samples biased by large-warehouse truncation */
         schema_truncated: boolean
         duration_ms: number
-        error_message?: string
       }
     // altimate_change end
     // altimate_change start — config env-var interpolation telemetry
diff --git a/packages/opencode/src/altimate/tools/sql-execute.ts b/packages/opencode/src/altimate/tools/sql-execute.ts
@@ -205,8 +205,7 @@ async function preValidateSql(sql: string, warehouse: string | undefined, queryT
 
     // If the dispatcher itself failed, don't treat missing data as "valid".
     if (!validationResult.success) {
-      const errMsg = typeof validationResult.error === "string" ? validationResult.error : undefined
-      trackPreValidation("error", "dispatcher_failed", 0, Date.now() - startTime, false, ctx, errMsg)
+      trackPreValidation("error", "dispatcher_failed", 0, Date.now() - startTime, false, ctx)
       return { blocked: false }
     }
 
@@ -231,8 +230,7 @@ async function preValidateSql(sql: string, warehouse: string | undefined, queryT
       return { blocked: false }
     }
 
-    const errorMsgs = structuralErrors.map((e: any) => e.message).join("\n")
-    trackPreValidation("blocked", "structural_error", columns.length, Date.now() - startTime, schemaTruncated, ctx, errorMsgs)
+    trackPreValidation("blocked", "structural_error", columns.length, Date.now() - startTime, schemaTruncated, ctx)
     // Shadow mode: caller discards the result. When blocking is enabled in the
     // future, build errorOutput here with the structural errors and
     // schemaContext keys for user-facing guidance.
@@ -258,12 +256,12 @@ function trackPreValidation(
   duration_ms: number,
   schema_truncated: boolean,
   ctx: TrackCtx,
-  error_message?: string,
 ) {
-  // Mask schema identifiers (table / column names, paths, user IDs) from the
-  // validator error BEFORE it leaves the process — these are PII-adjacent and
-  // must not land in App Insights as raw strings.
-  const masked = error_message ? Telemetry.maskString(error_message).slice(0, 500) : undefined
+  // Validator errors often embed raw schema identifiers (table / column names)
+  // and paths that are PII-adjacent. maskString() only strips string literals,
+  // not identifiers, so we intentionally drop the error text entirely from the
+  // shadow telemetry payload. The `reason` + `masked_sql_hash` fields are
+  // sufficient to correlate events with local logs for diagnosis.
   Telemetry.track({
     type: "sql_pre_validation",
     timestamp: Date.now(),
@@ -276,7 +274,6 @@ function trackPreValidation(
     schema_columns,
     schema_truncated,
     duration_ms,
-    ...(masked && { error_message: masked }),
   })
 }
 // altimate_change end
diff --git a/packages/opencode/test/skill/release-v0.5.19-adversarial.test.ts b/packages/opencode/test/skill/release-v0.5.19-adversarial.test.ts
diff --git a/packages/opencode/test/telemetry/telemetry.test.ts b/packages/opencode/test/telemetry/telemetry.test.ts

Original file line number	Diff line number	Diff line change
`@@ -656,7 +656,6 @@ export namespace Telemetry {`
`656`	`656`	`/** true when schema scan hit the column-scan cap — flags samples biased by large-warehouse truncation */`
`657`	`657`	`schema_truncated: boolean`
`658`	`658`	`duration_ms: number`
`659`		`- error_message?: string`
`660`	`659`	`}`
`661`	`660`	`// altimate_change end`
`662`	`661`	`// altimate_change start — config env-var interpolation telemetry`