chore: release v4.6.1#296
Conversation
Patch release rolling up the three post-4.6.0 correctness/security fixes: - Security: aiCommand is honored only from SPECSYNC_AI_COMMAND (malicious-repo RCE closed) — #294 - Fixed: non-UTF-8 source files no longer pass validation silently — #293 - Fixed: incremental check re-validates on schema/config change — #295 Bumps Cargo.toml + Cargo.lock and adds the dated CHANGELOG section. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01KDJxU4R8hUEuq1Y5jzft5m
There was a problem hiding this comment.
Code Review
This pull request bumps the version of specsync to 4.6.1 in Cargo.toml and Cargo.lock, and updates the CHANGELOG.md to document security improvements and bug fixes. Specifically, the aiCommand is now restricted to the SPECSYNC_AI_COMMAND environment variable to prevent arbitrary code execution, non-UTF-8 source files are now properly validated with errors reported, and incremental checks now correctly re-validate when schema or config files change. There are no review comments, so no feedback is provided.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
There was a problem hiding this comment.
✅ Corvin says...
_
<(^\ .oO(Caw! ^v^)
|/(\
\(\\
" "\\
"Looking sharp! Like a beak should be."
CI Summary
| Check | Status |
|---|---|
| Validate action.yml | ✅ Passed |
| Dependency Audit | ✅ Passed |
| Code Coverage | ✅ Passed |
| Format Check | ✅ Passed |
| Docs Site | ✅ Passed |
| Spec Validation | ✅ Passed |
| Tests (build, test, clippy) | ✅ Passed |
| VS Code Extension | ✅ Passed |
📋 Spec Validation Details
✅ SpecSync: Passed
| Metric | Value |
|---|---|
| Specs checked | 60 |
| Passed | 60 |
| Errors | 0 |
| Warnings | 0 |
| File coverage | 100% (76/76) |
| LOC coverage | 100% (34734/34734) |
Generated by specsync · Run specsync check --format github to reproduce
Powered by corvid-pet
Kyntrin
left a comment
There was a problem hiding this comment.
Reviewed the release bump and changelog update. No issues found.
0xGaspar
left a comment
There was a problem hiding this comment.
Version is consistent across Cargo.toml and Cargo.lock, and the changelog cleanly maps each entry to its PR. The aiCommand config-to-env breaking change is prominently flagged under Security, which is right. Clean release PR. LGTM.
The release now includes the two fixes merged after this branch was cut: #298 (files: path-escape / info disclosure, Security) and #297 (merge data-loss, Fixed). Merged main in so the release tag ships the actual code. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01KDJxU4R8hUEuq1Y5jzft5m
29a24ff
There was a problem hiding this comment.
❌ Corvin says...
_
<(;\ .oO(oh no...)
|/(\
\(\\
" "\\
"I'm pecking through the errors..."
CI Summary
| Check | Status |
|---|---|
| Validate action.yml | ✅ Passed |
| Dependency Audit | ✅ Passed |
| Code Coverage | ✅ Passed |
| Format Check | ✅ Passed |
| Docs Site | ✅ Passed |
| Spec Validation | ✅ Passed |
| Tests (build, test, clippy) | ❌ failure |
| VS Code Extension | ✅ Passed |
📋 Spec Validation Details
✅ SpecSync: Passed
| Metric | Value |
|---|---|
| Specs checked | 60 |
| Passed | 60 |
| Errors | 0 |
| Warnings | 0 |
| File coverage | 100% (76/76) |
| LOC coverage | 100% (35336/35336) |
Generated by specsync · Run specsync check --format github to reproduce
Powered by corvid-pet
`resolve_ai_provider` reads the process-global `SPECSYNC_AI_COMMAND` env var above
the config `ai_command` tier. Two unit tests exercised those two tiers:
`resolve_with_env_var` set the env var while `resolve_with_ai_command_in_config`
assumed it unset. Env vars are shared across test threads, so when the two ran
concurrently the config test could observe the leaked `env-ai-tool` value and
fail `assert_eq!("env-ai-tool", "my-custom-ai")`. It passed locally and on main by
scheduling luck but failed deterministically often enough to block CI on all three
platforms.
Serialize every test that touches the var through a shared `ENV_LOCK` mutex
(poison-tolerant) and have the config test clear the var before asserting, so the
two tiers are exercised in isolation regardless of thread interleaving. Verified:
2 env tests pass 25/25 in isolation and the full 666-test binary passes 6/6 under
full parallelism.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KDJxU4R8hUEuq1Y5jzft5m
There was a problem hiding this comment.
✅ Corvin says...
_
<(^\ .oO(Caw! ^v^)
|/(\
\(\\
" "\\
"That's a nice looking export you've got there."
CI Summary
| Check | Status |
|---|---|
| Validate action.yml | ✅ Passed |
| Dependency Audit | ✅ Passed |
| Code Coverage | ✅ Passed |
| Format Check | ✅ Passed |
| Docs Site | ✅ Passed |
| Spec Validation | ✅ Passed |
| Tests (build, test, clippy) | ✅ Passed |
| VS Code Extension | ✅ Passed |
📋 Spec Validation Details
✅ SpecSync: Passed
| Metric | Value |
|---|---|
| Specs checked | 60 |
| Passed | 60 |
| Errors | 0 |
| Warnings | 0 |
| File coverage | 100% (76/76) |
| LOC coverage | 100% (35351/35351) |
Generated by specsync · Run specsync check --format github to reproduce
Powered by corvid-pet
Summary
Patch release v4.6.1 — five fixes from a security review + a dogfooding pass on v4.6.0. Bumps
Cargo.toml/Cargo.lockand updatesCHANGELOG.md. No new features; all fixes, three with user-visible behavior changes (called out below).Fixes in this release
aiCommandhonored only fromSPECSYNC_AI_COMMANDenv var — never from any config file (malicious-repo RCE)files:entries resolving outside the project root are rejected (hostile-repo info disclosure)checkre-validates when schema/config files changemergeno longer corrupts or silently drops spec content (7 content-loss paths closed)Behavior changes to note
aiCommandis no longer read from config files — exportSPECSYNC_AI_COMMANDinstead.files:paths outside the project root are now an error (were silently read).mergenow defers more conflict shapes to manual resolution rather than risk data loss (common cases still auto-resolve).Release steps (after merge)
git tag v4.6.1 && git push origin v4.6.1(triggers the GitHub release/binary build)cargo publish(needs the crates.io token)🤖 Generated with Claude Code