chore: release v0.12.0 #333

Open: lroolle wants to merge 1 commit into main from release/v0.12.0

@lroolle lroolle commented May 27, 2026

Summary

  • deva status: Docker-native workspace inspection (containers, mounts, agent homes, health)
  • Agent context injection: container-awareness to .claude/CLAUDE.md + AGENTS.md before agent start
  • Replace atlas-cli with ccx (thevibeworks/ccx v0.7.0)
  • 47 new tests

Test plan

  • bash scripts/test-workspace-context.sh (25/25)
  • bash scripts/test-status-helpers.sh (22/22)
  • bash scripts/test-container-slug.sh (59/59)
  • bash tests/test_release_utils.sh (55/55)
  • deva status / deva status -g / deva status --verbose
  • ccx binary verified in rebuilt image (v0.7.0)
  • Context injection verified in live workspace

- Add `deva status` command: Docker-native workspace inspection
  with container state, categorized mounts, agent homes, health
- Add agent context injection: container-awareness instructions
  written to .claude/CLAUDE.md and AGENTS.md before agent start
- Replace atlas-cli with ccx (thevibeworks/ccx v0.7.0)
- 47 new tests across status helpers and context injection

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 27, 2026 08:52

claude-yolo Bot commented May 27, 2026

Claude finished @lroolle's task in 3m 3s


🔒 Security Audit: deva v0.12.0

Status: ⚠️ CONDITIONAL APPROVAL with critical fixes required


🚨 BLOCKING Security Issues

1. Shell Injection in Config Processing (CRITICAL)

Location: process_volume_config() lines 2485-2487, process_var_config() lines 2548-2549

value="${value//\$(pwd)/$PWD}"    # Direct PWD expansion without escaping
value="${value/#\~/$HOME}"        # HOME expansion without validation

Attack Vector: Malicious .deva files with crafted paths containing shell metacharacters
Impact: Code execution during container launch

2. Path Traversal in dangerous_directory() (HIGH)

Location: Lines 444-456

bad_dirs=("$HOME" "/" "/etc" "/usr" "/var" "/bin" "/sbin" "/lib" "/lib64" "/boot" "/dev" "/proc" "/sys" "/tmp" "/root" "/mnt" "/media" "/srv")

Gaps: Missing /opt, /usr/local, .git/, Docker data dirs, symlink resolution
Attack Vector: Symlinks to sensitive dirs, relative path traversal
Impact: Host filesystem exposure

⚠️ High-Risk Design Decisions

3. Container Root Access (BY DESIGN)

Location: Dockerfile lines 172-174, docker-entrypoint.sh line 249

echo "$DEVA_USER ALL=(ALL) NOPASSWD: ALL" > "/etc/sudoers.d/$DEVA_USER"
chmod 666 /var/run/docker.sock  # Full Docker control

Impact: Complete container+host escape capability
Status: ✅ Documented as intentional for dev environments

4. Authentication Bypass Enforcement (BY DESIGN)

Location: docker-entrypoint.sh lines 345-368

claude --dangerously-skip-permissions  # Always injected
codex --dangerously-bypass-approvals-and-sandbox

Impact: Bypasses agent-level security controls
Status: ✅ Core architectural decision - container IS the sandbox


🔍 Security Assessment: New Features

✅ Context Injection (inject_workspace_context())

  • Security: Input sanitization via HTML comment markers
  • Risk: Low - controlled content injection
  • Validation: Proper marker-based replacement prevents accumulation

✅ Status Command (cmd_status())

  • Security: Implements credential redaction for env vars
  • Info Disclosure: Minimal - only shows container metadata
  • Validation: Proper masking of *KEY*|*TOKEN*|*SECRET*|*PASSWORD*|*CREDENTIALS*

✅ CCX Binary Replacement

  • Security: SHA256 verification for releases, pinned versions
  • Supply Chain: Uses GitHub releases with checksums
  • Validation: Binary verification via --help execution

📋 Required Tests Before Merge

  • Shell Injection Test: Verify config with VOLUME=$(whoami) fails safely
  • Path Traversal Test: Verify symlinks to /etc are rejected
  • Mount Validation: Test duplicate mount detection with edge cases
  • Credential Redaction: Verify secrets masked in logs/status output

🛡️ Security Hardening Recommendations

  1. Config Validation: Implement stricter regex validation for paths/env vars
  2. Mount Restrictions: Canonical path resolution before mount checks
  3. Audit Logging: Log mount attempts from dangerous directories
  4. Binary Verification: Consider GPG signature verification for ccx downloads

Recommendation: 🔴 BLOCK MERGE until shell injection and path traversal fixes applied.

The container-escape-by-design model is acceptable for development environments, but config processing vulnerabilities create uncontrolled attack surface.
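The "canonical path resolution before mount checks" recommendation and the "symlinks to /etc are rejected" test from the audit comment above, as an added example that is not deva's own code. `canonical_dir` and `is_dangerous_dir` are hypothetical names; the denylist is the one quoted in the comment, and the demo paths are constructed.

```shell
#!/bin/sh
# Added example, not deva's code: refuse a mount source by its *physical* path.

# Hypothetical helper: print the canonical form of an existing directory
# (symlinks and ".." resolved); non-zero status if it cannot be resolved.
canonical_dir() {
    case $1 in
        '') return 1 ;;
        /*) ;;
        *)  set -- "./$1" ;;          # stops "-" from meaning $OLDPWD
    esac
    (CDPATH='' cd -P -- "$1" 2>/dev/null && pwd -P)
}

# Hypothetical check: status 0 means "dangerous, do not mount".
is_dangerous_dir() {
    # A path that cannot be resolved is refused rather than trusted.
    _real=$(canonical_dir "$1") || return 0
    # Denylist as quoted in the audit comment; $HOME is skipped when unset.
    for _bad in "${HOME:-}" / /etc /usr /var /bin /sbin /lib /lib64 /boot \
                /dev /proc /sys /tmp /root /mnt /media /srv; do
        # Entries can be symlinks themselves (e.g. /bin -> /usr/bin),
        # so both sides of the comparison are canonical.
        _bad_real=$(canonical_dir "$_bad") || continue
        if [ "$_real" = "$_bad_real" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed demo: a harmless-looking workspace entry that points at /etc.
demo_root=$(mktemp -d)
mkdir "$demo_root/project"
ln -s /etc "$demo_root/innocent"
for p in "$demo_root/project" "$demo_root/innocent" \
         "$demo_root/project/../innocent" "$demo_root/missing"; do
    if is_dangerous_dir "$p"; then
        echo "refuse  $p"
    else
        echo "allow   $p"
    fi
done
rm -rf "$demo_root"
```

The comparison is exact-match, like the quoted `bad_dirs` list, so subdirectories of a listed directory are still allowed; only the symlink and `..` aliases of the listed directories themselves are closed.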

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ee46f05da3

grep -F "Installing ccx pinned to $CCX_VERSION" <<<"$output" >/dev/null
grep -F "falling back to pinned go install" <<<"$output" >/dev/null
grep -F "atlas-cli installed" <<<"$output" >/dev/null
grep -F "ccx installed" <<<"$output" >/dev/null
P1: Update fake installer to produce ccx

In the CI smoke path, bash scripts/test-install-agent-tooling.sh now exits before this assertion because the fake go install above still writes $GOBIN/atl, while install_ccx verifies $DEVA_HOME/.local/bin/ccx --help; the captured output never reaches ccx installed. Updating the fake binary and final executable check from atl to ccx is needed to keep the smoke test green.

Comment thread tests/version-upgrade.sh
"--build-arg CODEX_VERSION=0.117.0" \
"--build-arg GEMINI_CLI_VERSION=0.35.3" \
"--build-arg ATLAS_CLI_VERSION=v0.1.4" \
"--build-arg CCX_VERSION=v0.1.4" \
P1: Fix stale ccx version expectation

The version-upgrade unit test still expects the old atlas pin after the switch to ccx; running bash tests/version-upgrade.sh fails with main build missing expected arg: --build-arg CCX_VERSION=v0.1.4 because the fake current image and new ccx pin are v0.7.0. This assertion should match the ccx version the test setup now advertises, or CI's Unit tests (version-upgrade.sh) job remains red.


Copilot AI left a comment

Pull request overview

Release bump to v0.12.0 introducing Docker-native workspace inspection (deva status), runtime agent context injection into workspace instruction files, and replacing atlas-cli with ccx across build/pin/label plumbing.

Changes:

  • Add deva status implementation backed by docker inspect, plus helper/test scripts for status formatting and mount categorization.
  • Inject container-awareness context into .claude/CLAUDE.md and AGENTS.md on startup (idempotent, replace semantics).
  • Replace atlas-cli with ccx throughout version pins, tool registry, Docker build args/labels, and installer logic.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 13 comments.

| File | Description |
| --- | --- |
| versions.env | Replace ATLAS_CLI_VERSION pin with CCX_VERSION. |
| tests/version-upgrade.sh | Update fake docker/gh expectations for ccx version upgrade flow. |
| tests/test_release_utils.sh | Update tool registry expectations from atlas-cli to ccx. |
| scripts/version-upgrade.sh | Replace atlas env wiring with ccx and add build manifest output. |
| scripts/version-pins.sh | Update pinned environment variable list to include CCX_VERSION. |
| scripts/update-version-pins.sh | Refresh pins from thevibeworks/ccx instead of atlas-cli. |
| scripts/toolchain-report.sh | Report CCX version instead of Atlas CLI. |
| scripts/test-workspace-context.sh | New test script validating workspace context injection behavior. |
| scripts/test-version-targets.sh | Update version override expectations to CCX_VERSION. |
| scripts/test-status-helpers.sh | New tests for status helper functions extracted from deva.sh. |
| scripts/test-install-agent-tooling.sh | Adjust installer test to look for ccx install output/version var. |
| scripts/resolve-tool-versions.sh | Resolve ccx_version instead of atlas_cli_version. |
| scripts/release-utils.sh | Replace tool registry entry and display-name mapping for ccx. |
| scripts/install-agent-tooling.sh | Replace atlas installer with ccx release/go-install + skill install. |
| scripts/agent-context.md | New reference content for container context injected into workspace files. |
| Makefile | Replace atlas build arg/version override plumbing with ccx equivalents. |
| docs/devlog/20260524-status-and-agent-context.org | New devlog describing status + context injection design. |
| Dockerfile.rust | Replace atlas ARG/LABEL with ccx ARG/LABEL. |
| Dockerfile | Replace atlas ARG/LABEL with ccx ARG/LABEL. |
| deva.sh | Bump version, replace old status with docker-native cmd_status, and inject workspace context before agent start. |
| CHANGELOG.md | Add v0.12.0 release notes covering status, context injection, and ccx switch. |

Comment thread Makefile
@echo " CODEX_VERSION Codex CLI version (default: $(CODEX_VERSION))"
@echo " GEMINI_CLI_VERSION Gemini CLI version (default: $(GEMINI_CLI_VERSION))"
@echo " ATLAS_CLI_VERSION Atlas CLI version (default: $(ATLAS_CLI_VERSION))"
@echo " CCX_VERSION Atlas CLI version (default: $(CCX_VERSION))"
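Review bot: the help line for `CCX_VERSION` still describes the variable as "Atlas CLI version"; only the variable name was changed. Update the label to "ccx version" so the help output names the tool that is actually pinned.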
Comment on lines +60 to +61
first_char=$(head -c1 "$ws1/AGENTS.md")
if [ "$first_char" != "" ]; then pass "no leading blank"; else fail "leading blank"; fi
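Review bot: `first_char` is empty both when `AGENTS.md` starts with a newline and when the file is empty or missing, because command substitution strips the trailing newline and `head` writes nothing to stdout for a missing file, so the `fail "leading blank"` branch cannot tell these cases apart. Assert `[ -s "$ws1/AGENTS.md" ]` first and then check the first byte. A leading space or tab also passes as "no leading blank" with this comparison.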
Comment on lines +166 to +169
for _line in ${_lines_upgrade[@]+"${_lines_upgrade[@]}"}; do echo -e "$_line"; done
for _line in ${_lines_pinned[@]+"${_lines_pinned[@]}"}; do echo -e "$_line"; done
for _line in ${_lines_current[@]+"${_lines_current[@]}"}; do echo -e "$_line"; done
for _line in ${_lines_new[@]+"${_lines_new[@]}"}; do echo -e "$_line"; done
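Review bot: `echo -e "$_line"` in all four loops interprets backslash escapes in whatever the line holds, so any collected value that contains a backslash is rewritten by `echo` rather than printed as-is. A single helper that takes the array and prints with `printf` (`%b` for the pre-formatted parts, `%s` for data) would remove both the four-fold duplication and the escape handling on data.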
Comment thread tests/version-upgrade.sh
Comment on lines 101 to 104
case "${2:-}" in
repos/lroolle/atlas-cli/releases/latest)
echo "v0.1.4"
repos/lroolle/ccx/releases/latest)
echo "v0.7.0"
;;
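Review bot: the stub's case arm matches `repos/lroolle/ccx/releases/latest`, but the PR description and `scripts/release-utils.sh` give the source as `thevibeworks/ccx`. If the script under test queries `thevibeworks/ccx`, this arm never matches and the fake `gh` falls through; use the same owner in the stub.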
Comment thread tests/version-upgrade.sh
echo "0ea08febdd7e3e055b03dd298bf57e669500b5c1"
;;
repos/lroolle/atlas-cli/releases/tags/v0.1.4)
repos/lroolle/ccx/releases/tags/v0.1.4)
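Review bot: the release-tag arm is `repos/lroolle/ccx/releases/tags/v0.1.4`, while the `releases/latest` stub in the same file now returns `v0.7.0`. A lookup for the v0.7.0 tag will not match this arm; update the tag, and the owner (which the PR description gives as `thevibeworks`), so the stubbed release exists for the version the test resolves.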
Comment thread Makefile
CODEX_VERSION ?= 0.131.0
GEMINI_CLI_VERSION ?= 0.42.0
ATLAS_CLI_VERSION ?= v0.1.4
CCX_VERSION ?= v0.1.4
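Review bot: `CCX_VERSION ?= v0.1.4` carries over the old atlas-cli default, but the PR description pins ccx at v0.7.0 and the test plan verified v0.7.0 in the rebuilt image. Set the default to `v0.7.0`, otherwise a build without an override requests a different version from the one this release checked.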
Replaced with workspace injection (=inject_workspace_context()=, 27
lines in docker-entrypoint.sh):
- Claude: append marked block to =.claude/CLAUDE.md= (gitignored)
- Codex: append to existing =AGENTS.md= (only if file exists)
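Review bot: both bullets say the block is "append"ed, while the PR overview describes the injection as idempotent with replace semantics. State in the devlog that an existing marked block is replaced on each start, otherwise the text reads as if every container start adds another copy to `.claude/CLAUDE.md` and `AGENTS.md`.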
Comment on lines +113 to +118
ccx_platform() {
local os arch
os="$(uname -s)"
arch="$(uname -m)"
case "$arch" in
x86_64) arch="x86_64" ;;
Comment on lines +146 to +148
grep -F "Installing ccx pinned to $CCX_VERSION" <<<"$output" >/dev/null
grep -F "falling back to pinned go install" <<<"$output" >/dev/null
grep -F "atlas-cli installed" <<<"$output" >/dev/null
grep -F "ccx installed" <<<"$output" >/dev/null
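Review bot: the assertions require "falling back to pinned go install", so this test exercises only the fallback path and never a successful release download. Add a second case in which the fake release asset is available, so the path the installer tries first is asserted as well; `grep -qF` would also replace the four `>/dev/null` redirections.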
Comment thread scripts/release-utils.sh
github-commit)
local branch="master"
[[ $source == "lroolle/atlas-cli" ]] && branch="main"
[[ $source == "thevibeworks/ccx" ]] && branch="main"
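Review bot: `[[ $source == "thevibeworks/ccx" ]] && branch="main"` keeps the default branch as a per-repository special case inside the `github-commit)` arm. Recording the branch alongside the tool's registry entry would avoid editing this `case` every time a source repository changes, as it had to be here.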