v0.8.64 security and release integration #3373
Refs #3303. Adds /config audit so users can see which documented controls are session-only, runtime-persistable, restart-only, or file-only, with current values for high-impact runtime controls. Also makes /config approval_mode <value> --save persist the canonical top-level approval_policy value, giving the audit a durable enum edit path beyond the existing boolean and numeric settings.
Verified with:
- cargo test -p codewhale-tui --bin codewhale-tui config_command_audit --locked
- cargo test -p codewhale-tui --bin codewhale-tui config_approval_mode_save_persists_top_level_policy --locked
- cargo test -p codewhale-tui --bin codewhale-tui config_command --locked
- cargo test -p codewhale-tui --bin codewhale-tui config_approval_mode --locked
- cargo fmt --all -- --check
- git diff --check
- ./scripts/release/check-versions.sh
- python3 scripts/check-provider-registry.py
- cargo test -p codewhale-config --locked
- cargo test -p codewhale-tui --bin codewhale-tui saved_default_provider_syncs_back_to_runtime_config --locked
Replace the fixed 30ms sleep in launch_gate_queues_extra_direct_children with a timeout-bounded wait for the semaphore permit to be acquired before spawning the queued child. Verified with: cargo test -p codewhale-tui --bin codewhale-tui --locked launch_gate_queues_extra_direct_children
Preserve the existing local benchmark drift by making Debian installs noninteractive, raising direct-agent default tool timeouts for long build/test steps, classifying more verifier/environment failures, and adding a Pier adapter for local CodeWhale artifacts. Verified with: python3 -m py_compile scripts/benchmarks/pier_codewhale_local_agent.py scripts/benchmarks/harbor/codewhale_local_agent.py scripts/benchmarks/harbor/deepseek_direct_agent.py scripts/benchmarks/run-codewhale-terminal-bench.py scripts/benchmarks/run-deepseek-direct-terminal-bench.py Verified with: python3 -m pytest scripts/benchmarks/test_run_codewhale_terminal_bench.py
Remove public benchmark docs/scripts and the shipped SWE-bench CLI surface from the CodeWhale repo; benchmark work belongs outside this release repo. Trim public docs that routed users into private maintainer runbooks, remove stale deleted-doc links, tone down release-facing copy, update CodeWhale crate descriptions, and expose the residue ledger as /debt while keeping quiet legacy dispatch compatibility.
Verification:
- cargo fmt --all -- --check
- git diff --check
- ./scripts/release/check-versions.sh
- cargo check -p codewhale-tui --bin codewhale-tui --locked
- cargo test -p codewhale-tui --bin codewhale-tui --locked command_registry
- cargo test -p codewhale-tui --bin codewhale-tui --locked every_command_alias_dispatches_to_a_handler
- cargo test -p codewhale-cli --locked
Move the current codewhale-config inline test module into crates/config/src/tests.rs and leave crates/config/src/lib.rs with a small #[cfg(test)] module declaration. No production logic changed. Harvested from PR #3345 by @cyq1017; the PR branch was stale against this integration branch, so this commit re-applies the same extraction to the current test body instead of cherry-picking outdated content.
Verification:
- cargo fmt --all -- --check
- git diff --check
- cargo test -p codewhale-config --locked
Signed-off-by: cyq <15000851237@163.com>
Move the current crates/tui/src/config.rs inline test module into crates/tui/src/config/tests.rs. This is a mechanical #3307 extraction and does not change production logic or assertions.
Verification:
- cargo fmt --all -- --check
- git diff --check
- cargo test -p codewhale-tui --bin codewhale-tui --locked config::tests
Move the current crates/tui/src/runtime_api.rs inline test module into crates/tui/src/runtime_api/tests.rs. This is a mechanical #3307 extraction and does not change production logic or assertions.
Verification:
- cargo fmt --all -- --check
- git diff --check
- cargo test -p codewhale-tui --bin codewhale-tui --locked runtime_api::tests
Move the current crates/tui/src/runtime_threads.rs inline test module into crates/tui/src/runtime_threads/tests.rs. This is a mechanical #3307 extraction and does not change production logic or assertions.
Verification:
- cargo fmt --all -- --check
- git diff --check
- cargo test -p codewhale-tui --bin codewhale-tui --locked runtime_threads::tests
Move the current crates/tui/src/tui/history.rs inline test module into crates/tui/src/tui/history/tests.rs. This is a mechanical #3307 extraction and does not change production logic or assertions.
Verification:
- cargo fmt --all -- --check
- git diff --check
- cargo test -p codewhale-tui --bin codewhale-tui --locked tui::history::tests
Move the current crates/tui/src/tui/app.rs inline test module into crates/tui/src/tui/app/tests.rs. This is a mechanical #3307 extraction and does not change production logic or assertions.
Verification:
- cargo fmt --all -- --check
- git diff --check
- cargo test -p codewhale-tui --bin codewhale-tui --locked tui::app::tests
Move the current crates/tui/src/mcp.rs inline test module into crates/tui/src/mcp/tests.rs. This is a mechanical #3307 extraction and does not change production logic or assertions.
Verification:
- cargo fmt --all -- --check
- git diff --check
- cargo test -p codewhale-tui --bin codewhale-tui --locked mcp::tests
Split tool-run detection and summary helpers out of the large history renderer into history/tool_run.rs while keeping the crate::tui::history re-exports stable for existing call sites. Refs #3308.
Extract archived-context parsing and rendering from the main history renderer into history/archived_context.rs while keeping history_cells_from_message and rendering behavior unchanged. Refs #3308.
Extract the plan-update transcript renderer from history.rs into history/plan.rs while preserving the existing PlanUpdateCell re-export and exact rendering behavior. Refs #3308.
Extract checklist/todo snapshot parsing and compact transcript rendering from history.rs into history/checklist.rs while preserving the existing test-facing helper surface. Refs #3308.
Extract reasoning/thinking summary extraction, rendering, glyph constants, and color-depth cache from history.rs into history/thinking.rs while preserving the existing history API and test surface. Refs #3308.
Extract compact agent launch rendering, activity-group rendering, and agent id parsing from history.rs into history/agent_activity.rs while preserving live and transcript behavior. Refs #3308.
Extract shared transcript renderer constants from history.rs into history/constants.rs while preserving the existing parent-module import surface for tests and child modules. Refs #3308.
Workspace-write sandbox policies now derive the linked worktree gitdir and shared commondir from a workspace .git pointer and add only those Git metadata roots to the writable set. Fixes #3355. Harvested from PR #3356 by @cyq1017; thanks @linletian for the worktree repro and diagnostics.
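The derivation described in the commit above, sketched as an added example (not CodeWhale's code; `git_metadata_roots` and `resolve` are hypothetical names). It follows Git's on-disk layout, where a linked worktree's `.git` is a file containing `gitdir: <path>` and that gitdir holds a `commondir` file naming the shared repository directory:

```rust
use std::fs;
use std::path::{Path, PathBuf};

/// Resolve `p` against `base` unless it is already absolute.
fn resolve(base: &Path, p: &str) -> PathBuf {
    let p = Path::new(p.trim());
    if p.is_absolute() { p.to_path_buf() } else { base.join(p) }
}

/// Hypothetical helper: the extra writable Git metadata roots for `workspace`.
/// Returns an empty list unless `.git` is a well-formed worktree pointer file.
pub fn git_metadata_roots(workspace: &Path) -> Vec<PathBuf> {
    // In an ordinary checkout `.git` is a directory, so this read fails and
    // nothing outside the workspace is added to the writable set.
    let Ok(pointer) = fs::read_to_string(workspace.join(".git")) else {
        return Vec::new();
    };
    let Some(target) = pointer.lines().next().and_then(|l| l.strip_prefix("gitdir:")) else {
        return Vec::new();
    };
    // The pointer is workspace-controlled input: canonicalize() rejects
    // dangling targets and collapses `..` so the sandbox sees the real path.
    let Ok(gitdir) = resolve(workspace, target).canonicalize() else {
        return Vec::new();
    };
    if !gitdir.is_dir() {
        return Vec::new();
    }
    let mut roots = vec![gitdir.clone()];
    // `commondir` is relative to the worktree's own gitdir (usually `../..`).
    if let Ok(common) = fs::read_to_string(gitdir.join("commondir")) {
        if let Ok(commondir) = resolve(&gitdir, &common).canonicalize() {
            if commondir.is_dir() {
                roots.push(commondir);
            }
        }
    }
    roots
}

fn main() {
    // Prints the metadata roots for the current directory, if it is a linked worktree.
    println!("{:?}", git_metadata_roots(Path::new(".")));
}
```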
Keep history split helper imports used only by the moved tests behind cfg(test), avoiding package-test warnings while preserving the test surface. Refs #3308.
Extract user, assistant, and system message rendering plus copy metadata helpers from history.rs into history/message.rs while preserving the existing history API and test surface. Refs #3308.
Extract preserved tool-output rendering, output row selection, and output wrapping helpers from history.rs into history/tool_output.rs while keeping OutputRow re-exported for the cache API. Refs #3308.
Move tool argument, tool output, MCP output, image, and diff summary helpers from history.rs into history/tool_output.rs while preserving the existing history re-export paths used by routing and UI callers. Refs #3308.
Harvested from PR #3346 by @hongqitai. This carries the non-benchmark cleanup onto codex/v0.8.64-integration and intentionally excludes crates/tui/src/tui/tab/benches.rs so benchmark material can be handled separately from the release repo. Verification: cargo fmt --all -- --check; cargo test -p codewhale-tui --bin codewhale-tui --locked six_worker_progress_storm_keeps_input_render_and_cancel_live
Remove timing-style benchmark tests from the public CodeWhale release repo. The extracted source fragments are parked in arcee-ai/codewhale-bench on local branch codex/codewhale-tui-source-harnesses at a5a7fdd. Verification: cargo fmt --all -- --check; cargo test -p codewhale-tui --bin codewhale-tui --locked tui::tab; cargo test -p codewhale-tui --bin codewhale-tui --locked ghost_text_renders_when_suggestion_set_and_input_empty
Follow-up to PR #3317 by @wuisabel-gif and issue #3259. Set PR_SET_PDEATHSIG(SIGTERM) on Linux before spawning delegated serve/app-server children, so the kernel tears down the listener child if the dispatcher dies before the graceful supervisor can run. Windows Job Object coverage remains a separate cross-platform follow-up for #3259. Verification: cargo fmt --all -- --check; cargo test -p codewhale-cli --locked server_teardown_tests; cargo clippy -p codewhale-cli --locked --all-targets --all-features -- -D warnings; cargo check -p codewhale-cli --locked; ./scripts/release/check-versions.sh
Add a per-session file read tracker and make edit_file reject unread or stale files before performing narrow search/replace edits. Exact and fuzzy non-unique matches now fail with recovery guidance instead of replacing multiple locations. Tests cover unread edit rejection, stale-read rejection, non-unique exact matches, and successful read-before-edit behavior.
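A minimal model of the read-before-edit guard described in the commit above, as an added example (not CodeWhale's code; `ReadTracker`, `EditError` and the content-hash staleness check are assumptions made for illustration). It works on in-memory strings so the unread, stale and non-unique cases can be seen without touching the filesystem:

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

#[derive(Debug, PartialEq)]
pub enum EditError { Unread, Stale, NoMatch, Ambiguous(usize) }

/// Fingerprint of file content; stands in for whatever staleness signal
/// (hash, mtime, size) a real tracker records.
fn fingerprint(content: &str) -> u64 {
    let mut h = DefaultHasher::new();
    content.hash(&mut h);
    h.finish()
}

/// Hypothetical per-session tracker: path -> fingerprint of the content as last read.
#[derive(Default)]
pub struct ReadTracker { seen: HashMap<String, u64> }

impl ReadTracker {
    pub fn record_read(&mut self, path: &str, content: &str) {
        self.seen.insert(path.to_string(), fingerprint(content));
    }

    /// Apply one search/replace to `current` (the content on disk right now).
    pub fn edit(&mut self, path: &str, current: &str, search: &str, replace: &str)
        -> Result<String, EditError>
    {
        // Never read in this session: the edit would be made blind.
        let seen = *self.seen.get(path).ok_or(EditError::Unread)?;
        // Changed since the read: the edit was planned against old content.
        if seen != fingerprint(current) {
            return Err(EditError::Stale);
        }
        if search.is_empty() {
            return Err(EditError::NoMatch);
        }
        match current.matches(search).count() {
            0 => Err(EditError::NoMatch),
            1 => {
                let updated = current.replacen(search, replace, 1);
                // The session has now seen the post-edit content.
                self.seen.insert(path.to_string(), fingerprint(&updated));
                Ok(updated)
            }
            // More than one location: refuse rather than guess.
            n => Err(EditError::Ambiguous(n)),
        }
    }
}

fn main() {
    let mut t = ReadTracker::default();
    println!("{:?}", t.edit("a.rs", "let x = 1;", "1", "2"));
}
```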
Project-local config may still tighten shell access, but it no longer enables shell or replaces user-owned instruction file lists. This keeps workspace defaults under user control while preserving the existing conservative overlay behavior.
Reject empty, option-shaped, or control-character revisions before invoking git history helpers. The focused tests cover show and blame inputs at the tool boundary.
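The three rejection classes named in the commit above, as an added example (not CodeWhale's code; `validate_revision` and `git_show_args` are hypothetical names). The argv builder also places `--end-of-options` (Git 2.24 and later) before the revision as a second layer, which is an assumption of this sketch rather than something the commit states:

```rust
#[derive(Debug, PartialEq)]
pub enum RevisionError { Empty, OptionShaped, ControlCharacter }

/// Check a caller-supplied revision before it reaches a git subprocess.
pub fn validate_revision(rev: &str) -> Result<&str, RevisionError> {
    // Empty or whitespace-only input would make git fall back to a default.
    if rev.trim().is_empty() {
        return Err(RevisionError::Empty);
    }
    // A leading '-' would be parsed by git as an option, not a revision.
    if rev.trim_start().starts_with('-') {
        return Err(RevisionError::OptionShaped);
    }
    // Newlines, NUL, escape sequences and similar never belong in a ref name.
    if rev.chars().any(|c| c.is_control()) {
        return Err(RevisionError::ControlCharacter);
    }
    Ok(rev)
}

/// Build the argument vector for `git show`; the revision is passed as one
/// argv element and never through a shell.
pub fn git_show_args(rev: &str) -> Result<Vec<String>, RevisionError> {
    let rev = validate_revision(rev)?;
    Ok(vec![
        "show".to_string(),
        "--end-of-options".to_string(),
        rev.to_string(),
        "--".to_string(),
    ])
}

fn main() {
    // Constructed sample inputs.
    for rev in ["HEAD~2", "", "--output=/tmp/x", "HEAD\n-p"] {
        println!("{:?} -> {:?}", rev, git_show_args(rev));
    }
}
```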
Wire typed ask-only permissions.toml file-path rules into the TUI tool approval planning path. Matching file ask rules now force approval when approval is available and block under AskForApproval::Never, while preserving existing allow/deny command behavior. This is a narrow follow-up slice from the persistent permissions reference branch: it does not add typed allow/deny, glob expansion, or approval UI persistence for file rules. (cherry picked from commit 857a9b5)
(cherry picked from commit b96d126)
Update the release version-drift guard to require the CodeWhale security contact now listed in SECURITY.md, matching the v0.8.64 security contact harvest.
Follow up on the delegated server teardown harvest from PR #3378 by @wuisabel-gif: Tokio child handles expose raw_handle() on Windows, returning None if the child has already exited before the job object can be attached.
Bumps [windows](https://github.com/microsoft/windows-rs) from 0.60.0 to 0.62.2. - [Release notes](https://github.com/microsoft/windows-rs/releases) - [Commits](https://github.com/microsoft/windows-rs/commits) --- updated-dependencies: - dependency-name: windows dependency-version: 0.62.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit 0dcc733)
Bumps [toml](https://github.com/toml-rs/toml) from 0.9.11+spec-1.1.0 to 1.0.6+spec-1.1.0. - [Commits](toml-rs/toml@toml-v0.9.11...toml-v1.0.6) --- updated-dependencies: - dependency-name: toml dependency-version: 1.0.6+spec-1.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit 0bb3aee)
Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.50.0 to 1.52.3. - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](tokio-rs/tokio@tokio-1.50.0...tokio-1.52.3) --- updated-dependencies: - dependency-name: tokio dependency-version: 1.50.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit ea5a9c1)
Follow up on Dependabot PR #3339 after the delegated-server teardown guard added a CLI-side Windows API dependency. Align the CLI crate with windows 0.62 so the integration branch does not keep parallel windows 0.60 and 0.62 dependency trees.
Harvest the useful model shortcut slice from PR #3350 by @KUK4 while preserving existing case-sensitive model ID behavior. The CLI now accepts model set pro or flash, and config normalization maps the short aliases to the current DeepSeek v4 IDs without rewriting already-valid model IDs. Harvested from PR #3350 by @KUK4 Co-authored-by: KUK4 <246008043+KUK4@users.noreply.github.com>
Bumps [lru](https://github.com/jeromefroe/lru-rs) from 0.16.4 to 0.18.0. - [Changelog](https://github.com/jeromefroe/lru-rs/blob/master/CHANGELOG.md) - [Commits](jeromefroe/lru-rs@0.16.4...0.18.0) --- updated-dependencies: - dependency-name: lru dependency-version: 0.18.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit 505683c)
Bumps [similar](https://github.com/mitsuhiko/similar) from 2.7.0 to 3.1.1. - [Changelog](https://github.com/mitsuhiko/similar/blob/main/CHANGELOG.md) - [Commits](mitsuhiko/similar@2.7.0...3.1.1) --- updated-dependencies: - dependency-name: similar dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> (cherry picked from commit 730e149)
Update the focused sidebar render-state test to assert the 64-column boundary introduced by the sidebar visibility threshold change. Follow-up to PR #3371 by @donglovejava.
Verification:
- cargo fmt --all -- --check
- git diff --check
- cargo test -p codewhale-tui --bin codewhale-tui --locked sidebar_width_gate_uses_sixty_four_column_boundary
Bump workspace and npm wrapper versions to 0.8.64, add the v0.8.64 changelog entry, refresh generated release facts, and update install tag examples.
Verification:
- ./scripts/release/check-versions.sh
- cargo metadata --locked --no-deps >/tmp/codew-metadata-0.8.64.json
- cargo fmt --all -- --check
- scripts/sync-changelog.sh --check
- git diff --check
- cargo build --release -p codewhale-cli -p codewhale-tui --locked
- target/release/codewhale --version
- target/release/codewhale-tui --version
…hale.net SECURITY.md pointed disclosures at security@codewhale.com, a domain the project does not own (the project owns codewhale.net, and the website footer already uses security@codewhale.net). Reports were being sent to a dead address. Align SECURITY.md and the check-versions.sh release guard on security@codewhale.net.
v0.8.64 release-candidate — verification & security sweep
Branch:
Candidate verification
Security contact fix
Fixed a real bug:
CodeQL — all findings triaged and resolved
Every finding was read at the source and classified. None were real exploitable vulnerabilities — all flagged the mitigation code itself or intended local-CLI behavior. All 22 open alerts are now dismissed with documented reasons; 0 open CodeQL alerts remain:
Community queue
Five contributor PRs were already integrated into this branch in fuller form (verified at path:line) and acknowledged with credit:
Status
Release-ready pending the maintainer publish go-ahead. No tag, release, or merge-to-main has been performed.
Takeover verification at
Remote checks are green on the current PR head:
Fresh local verification from
No merge to
Follow-up on the CodeQL aggregate check: final sanity caught that the individual CodeQL jobs were green but the aggregate
I inspected each alert before dismissal:
Fresh focused verification:
Dismissed alerts #73-#80 as false positives with per-alert comments. Rechecked after dismissal: PR #3373 now has no failing checks,
Summary
Draft integration PR for the v0.8.64 release train. This branch carries the local security/code-scanning hardening, auto-review/provenance rails, read-before-edit/apply_patch guardrails, CI workflow fixes, and focused community-credit harvests tracked through the v0.8.64 milestone.
Primary trackers:
Community PRs Carried Or Represented
Carried on this branch with contributor credit or original authorship preserved:
Rechecked but intentionally not mixed into this security stabilization branch:
Local Verification Already Run
Security/tooling slices were verified locally with focused tests recorded on the linked issues and commit bodies, including:
- cargo test -p codewhale-config --locked
- cargo test -p codewhale-tui --bin codewhale-tui --locked edit_file_
- cargo test -p codewhale-tui --bin codewhale-tui --locked apply_patch
- cargo test -p codewhale-tui --bin codewhale-tui --locked auto_review
- cargo test -p codewhale-tui --bin codewhale-tui --locked review
- cargo test -p codewhale-tui --bin codewhale-tui --locked provenance
- cargo test -p codewhale-tui --bin codewhale-tui --locked session_
- cargo test -p codewhale-tui --bin codewhale-tui --locked mcp_config
- cargo test -p codewhale-tui --bin codewhale-tui --locked symlinked
- cargo test -p codewhale-tui --bin codewhale-tui --locked base_url_security
- cargo test -p codewhale-app-server --locked auth_token
- cargo test -p codewhale-app-server --locked non_loopback
- cargo test -p codewhale-app-server --locked insecure_tls_skip_verify_is_rejected
- cargo test -p codewhale-tui --bin codewhale-tui --locked sidebar_width_gate_uses_sixty_four_column_boundary
- RUSTFLAGS=-Dwarnings cargo check -p codewhale-cli -p codewhale-tui --locked
- RUSTFLAGS=-Dwarnings cargo check -p codewhale-tui --locked
- python3 scripts/check-provider-registry.py
- python3 scripts/check-coauthor-trailers.py --author-map .github/AUTHOR_MAP --range origin/codex/v0.8.64-integration..HEAD --check-authors
- ./scripts/release/check-versions.sh
- cargo fmt --all -- --check
- git diff --check
- cargo build --release -p codewhale-cli -p codewhale-tui --locked
- target/release/codewhale
Boundaries
This is intentionally a draft PR for CI/CodeQL and review. It does not tag, publish, create a GitHub Release, merge to main, or bump the package version to 0.8.64. Those remain separate explicit release steps.