
chore: release v4.6.1 #296

Merged: 0xLeif merged 4 commits into main from chore/release-4.6.1 on Jul 2, 2026

Conversation

0xLeif (Contributor) commented Jul 2, 2026
Summary

Patch release v4.6.1 — five fixes from a security review + a dogfooding pass on v4.6.0. Bumps Cargo.toml/Cargo.lock and updates CHANGELOG.md. No new features; all fixes, three with user-visible behavior changes (called out below).

Fixes in this release

| PR | Class | Fix |
| --- | --- | --- |
| #294 | Security | aiCommand honored only from SPECSYNC_AI_COMMAND env var — never from any config file (malicious-repo RCE) |
| #298 | Security | files: entries resolving outside the project root are rejected (hostile-repo info disclosure) |
| #293 | Fixed | Non-UTF-8 source files no longer pass validation silently |
| #295 | Fixed | Incremental check re-validates when schema/config files change |
| #297 | Fixed | merge no longer corrupts or silently drops spec content (7 content-loss paths closed) |

Behavior changes to note

  • aiCommand is no longer read from config files — export SPECSYNC_AI_COMMAND instead.
  • files: paths outside the project root are now an error (were silently read).
  • merge now defers more conflict shapes to manual resolution rather than risk data loss (common cases still auto-resolve).

Release steps (after merge)

  • git tag v4.6.1 && git push origin v4.6.1 (triggers the GitHub release/binary build)
  • cargo publish (needs the crates.io token)

🤖 Generated with Claude Code
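Two of the fixes listed above (#298, path containment for `files:` entries, and #293, refusing non-UTF-8 sources) are the kind of check a reader may want to see spelled out. The following is an added example, not specsync's own code: `resolve_in_root` rejects an entry lexically when it is absolute or climbs above the root with `..`, then canonicalizes so a symlink inside the root that points outside it is also caught; `load_source` reads the resolved file and fails with the offset of the first invalid byte instead of converting lossily. The `LoadError` type, the function names, and the temp-dir sample files are assumptions made for the example.

```rust
// Added example (not specsync's own code): the two checks a `files:` entry passes
// through before its contents are trusted, as described in the release notes.
use std::fs;
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum LoadError {
    /// The entry points outside the project root (lexically or via a symlink).
    EscapesRoot(PathBuf),
    /// The file exists but is not valid UTF-8; `valid_up_to` is the first bad byte offset.
    NotUtf8 { path: PathBuf, valid_up_to: usize },
    Io(String),
}

/// Pure lexical check, run before touching the filesystem, so a non-existent
/// `../secret` is still reported as an escape rather than as "file not found".
fn escapes_lexically(entry: &Path) -> bool {
    let mut depth: i64 = 0;
    for component in entry.components() {
        match component {
            // Absolute entries (and Windows drive prefixes) are never allowed.
            Component::Prefix(_) | Component::RootDir => return true,
            Component::CurDir => {}
            Component::Normal(_) => depth += 1,
            Component::ParentDir => {
                depth -= 1;
                if depth < 0 {
                    return true;
                }
            }
        }
    }
    false
}

/// Resolve `entry` under `root`, refusing anything that lands outside the canonical root.
pub fn resolve_in_root(root: &Path, entry: &str) -> Result<PathBuf, LoadError> {
    let entry_path = Path::new(entry);
    if escapes_lexically(entry_path) {
        return Err(LoadError::EscapesRoot(entry_path.to_path_buf()));
    }
    let root = fs::canonicalize(root).map_err(|e| LoadError::Io(e.to_string()))?;
    // canonicalize follows symlinks, so a link inside the root that targets a file
    // outside it resolves to the real location and fails the containment test.
    let resolved =
        fs::canonicalize(root.join(entry_path)).map_err(|e| LoadError::Io(e.to_string()))?;
    if resolved.starts_with(&root) {
        Ok(resolved)
    } else {
        Err(LoadError::EscapesRoot(resolved))
    }
}

/// Read a source file as text; invalid UTF-8 is an error, never a silent pass.
pub fn load_source(root: &Path, entry: &str) -> Result<String, LoadError> {
    let path = resolve_in_root(root, entry)?;
    let bytes = fs::read(&path).map_err(|e| LoadError::Io(e.to_string()))?;
    String::from_utf8(bytes).map_err(|e| LoadError::NotUtf8 {
        path: path.clone(),
        valid_up_to: e.utf8_error().valid_up_to(),
    })
}

/// Constructed sample project root under the system temp dir: one UTF-8 file and one
/// Latin-1 file (a lone 0xE9 byte is not valid UTF-8).
pub fn make_sample_root(tag: &str) -> PathBuf {
    let root = std::env::temp_dir().join(format!("specsync-example-{}-{}", std::process::id(), tag));
    fs::create_dir_all(root.join("specs")).expect("create sample root");
    fs::write(root.join("specs/ok.md"), "# spec\n").expect("write ok.md");
    fs::write(root.join("specs/latin1.md"), b"caf\xe9\n").expect("write latin1.md");
    root
}

fn main() {
    let root = make_sample_root("main");
    for entry in ["specs/ok.md", "specs/latin1.md", "specs/../specs/ok.md", "../outside.md", "/etc/hostname"] {
        match load_source(&root, entry) {
            Ok(text) => println!("{entry}: ok ({} bytes)", text.len()),
            Err(e) => println!("{entry}: rejected: {e:?}"),
        }
    }
    let _ = fs::remove_dir_all(&root);
}
```

The lexical pass and the canonical pass are both needed: the first gives a clear error for entries that do not exist yet, the second is what actually stops symlink-based escapes, which no amount of string inspection can detect.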

Patch release rolling up the three post-4.6.0 correctness/security fixes:

- Security: aiCommand is honored only from SPECSYNC_AI_COMMAND (malicious-repo
  RCE closed) — #294
- Fixed: non-UTF-8 source files no longer pass validation silently — #293
- Fixed: incremental check re-validates on schema/config change — #295

Bumps Cargo.toml + Cargo.lock and adds the dated CHANGELOG section.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KDJxU4R8hUEuq1Y5jzft5m
@0xLeif 0xLeif requested a review from a team as a code owner July 2, 2026 06:51
@0xLeif 0xLeif requested review from 0xGaspar, Kyntrin and tofu-ux July 2, 2026 06:51

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request bumps the version of specsync to 4.6.1 in Cargo.toml and Cargo.lock, and updates the CHANGELOG.md to document security improvements and bug fixes. Specifically, the aiCommand is now restricted to the SPECSYNC_AI_COMMAND environment variable to prevent arbitrary code execution, non-UTF-8 source files are now properly validated with errors reported, and incremental checks now correctly re-validate when schema or config files change. There are no review comments, so no feedback is provided.


github-actions[bot]
github-actions Bot previously approved these changes Jul 2, 2026

@github-actions github-actions Bot left a comment


✅ Corvin says...

      _
    <(^\  .oO(Caw! ^v^)
     |/(\
      \(\\
      " "\\

"Looking sharp! Like a beak should be."

CI Summary

| Check | Status |
| --- | --- |
| Validate action.yml | ✅ Passed |
| Dependency Audit | ✅ Passed |
| Code Coverage | ✅ Passed |
| Format Check | ✅ Passed |
| Docs Site | ✅ Passed |
| Spec Validation | ✅ Passed |
| Tests (build, test, clippy) | ✅ Passed |
| VS Code Extension | ✅ Passed |
📋 Spec Validation Details

✅ SpecSync: Passed

| Metric | Value |
| --- | --- |
| Specs checked | 60 |
| Passed | 60 |
| Errors | 0 |
| Warnings | 0 |
| File coverage | 100% (76/76) |
| LOC coverage | 100% (34734/34734) |

Generated by specsync · Run specsync check --format github to reproduce


Powered by corvid-pet

Kyntrin
Kyntrin previously approved these changes Jul 2, 2026

@Kyntrin Kyntrin left a comment


Reviewed the release bump and changelog update. No issues found.

0xGaspar
0xGaspar previously approved these changes Jul 2, 2026

@0xGaspar 0xGaspar (Contributor) left a comment

Version is consistent across Cargo.toml and Cargo.lock, and the changelog cleanly maps each entry to its PR. The aiCommand config-to-env breaking change is prominently flagged under Security, which is right. Clean release PR. LGTM.

0xLeif and others added 2 commits July 2, 2026 14:04
The release now includes the two fixes merged after this branch was cut:
#298 (files: path-escape / info disclosure, Security) and #297 (merge data-loss,
Fixed). Merged main in so the release tag ships the actual code.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KDJxU4R8hUEuq1Y5jzft5m
@0xLeif 0xLeif dismissed stale reviews from 0xGaspar, Kyntrin, and github-actions[bot] via 29a24ff July 2, 2026 20:05

@github-actions github-actions Bot left a comment


❌ Corvin says...

      _
    <(;\  .oO(oh no...)
     |/(\
      \(\\
      " "\\

"I'm pecking through the errors..."

CI Summary

| Check | Status |
| --- | --- |
| Validate action.yml | ✅ Passed |
| Dependency Audit | ✅ Passed |
| Code Coverage | ✅ Passed |
| Format Check | ✅ Passed |
| Docs Site | ✅ Passed |
| Spec Validation | ✅ Passed |
| Tests (build, test, clippy) | ❌ failure |
| VS Code Extension | ✅ Passed |
📋 Spec Validation Details

✅ SpecSync: Passed

| Metric | Value |
| --- | --- |
| Specs checked | 60 |
| Passed | 60 |
| Errors | 0 |
| Warnings | 0 |
| File coverage | 100% (76/76) |
| LOC coverage | 100% (35336/35336) |

Generated by specsync · Run specsync check --format github to reproduce


Powered by corvid-pet

`resolve_ai_provider` reads the process-global `SPECSYNC_AI_COMMAND` env var above
the config `ai_command` tier. Two unit tests exercised those two tiers:
`resolve_with_env_var` set the env var while `resolve_with_ai_command_in_config`
assumed it unset. Env vars are shared across test threads, so when the two ran
concurrently the config test could observe the leaked `env-ai-tool` value and
fail `assert_eq!("env-ai-tool", "my-custom-ai")`. It passed locally and on main by
scheduling luck but failed deterministically often enough to block CI on all three
platforms.

Serialize every test that touches the var through a shared `ENV_LOCK` mutex
(poison-tolerant) and have the config test clear the var before asserting, so the
two tiers are exercised in isolation regardless of thread interleaving. Verified:
2 env tests pass 25/25 in isolation and the full 666-test binary passes 6/6 under
full parallelism.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01KDJxU4R8hUEuq1Y5jzft5m
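The race and its fix described in the commit message above, as an added example that is not specsync's own code: a resolver that takes `SPECSYNC_AI_COMMAND` from the environment only (per #294 it never consults the config value), a poison-tolerant `ENV_LOCK`, and an RAII guard that holds the lock for the life of a test, sets or clears the variable, and restores the previous value on drop, so tests of the two tiers cannot observe each other's leaked values under parallel scheduling. The `Config` and `Provider` types, `EnvVarGuard`, the `Builtin` fallback and the test names are assumptions made for the example; because the config tier is gone, the second test asserts that the config value is ignored rather than returned.

```rust
// Added example (not specsync's own code): env-var-only provider resolution and the
// ENV_LOCK pattern that keeps tests of it from racing on the process-global variable.
use std::env;
use std::sync::{Mutex, MutexGuard};

pub const AI_COMMAND_VAR: &str = "SPECSYNC_AI_COMMAND";

/// Process-global lock; every test that reads or writes the env var holds it.
/// `Mutex::new` is const, so no lazy initialisation is needed.
pub static ENV_LOCK: Mutex<()> = Mutex::new(());

/// Assumed config shape: `ai_command` is still parsed so old files load, but the
/// resolver never consults it, so a hostile repo cannot choose the command that runs.
#[derive(Debug, Default, PartialEq)]
pub struct Config {
    pub ai_command: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum Provider {
    /// External command named by the environment (assumed shape).
    Command(String),
    /// Fallback when the env var is unset or blank (assumed for the example).
    Builtin,
}

/// The config tier is deliberately absent: only the environment can name a command.
pub fn resolve_ai_provider(_config: &Config) -> Provider {
    match env::var(AI_COMMAND_VAR) {
        Ok(cmd) if !cmd.trim().is_empty() => Provider::Command(cmd),
        _ => Provider::Builtin,
    }
}

/// Poison-tolerant acquisition: a test that panicked while holding the lock must not
/// turn every later env test into a spurious failure.
pub fn env_lock() -> MutexGuard<'static, ()> {
    ENV_LOCK.lock().unwrap_or_else(|poisoned| poisoned.into_inner())
}

/// RAII guard: takes ENV_LOCK, sets (or clears) the var, and restores the previous
/// value on drop, so each tier is exercised in isolation whatever the interleaving.
pub struct EnvVarGuard {
    _lock: MutexGuard<'static, ()>,
    previous: Option<String>,
}

impl EnvVarGuard {
    pub fn set(value: Option<&str>) -> Self {
        let lock = env_lock();
        let previous = env::var(AI_COMMAND_VAR).ok();
        apply(value);
        EnvVarGuard { _lock: lock, previous }
    }
}

impl Drop for EnvVarGuard {
    fn drop(&mut self) {
        // Fields (including the lock) drop after this body, so the restore is still serialised.
        apply(self.previous.as_deref());
    }
}

fn apply(value: Option<&str>) {
    // set_var/remove_var are `unsafe` from edition 2024 on; holding ENV_LOCK is what
    // makes mutating the process-global environment sound here.
    unsafe {
        match value {
            Some(v) => env::set_var(AI_COMMAND_VAR, v),
            None => env::remove_var(AI_COMMAND_VAR),
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn env_var_wins() {
        let _env = EnvVarGuard::set(Some("env-ai-tool"));
        let cfg = Config { ai_command: Some("my-custom-ai".into()) };
        assert_eq!(resolve_ai_provider(&cfg), Provider::Command("env-ai-tool".into()));
    }

    #[test]
    fn config_is_ignored_when_env_unset() {
        let _env = EnvVarGuard::set(None); // clear before asserting, as the fix does
        let cfg = Config { ai_command: Some("my-custom-ai".into()) };
        assert_eq!(resolve_ai_provider(&cfg), Provider::Builtin);
    }
}
```

Without the guard, the two tests above share one process-wide variable and the test harness runs them on separate threads, which is exactly the interleaving the commit message describes; with it, whichever test starts second blocks until the first has restored the variable.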
@github-actions github-actions Bot dismissed their stale review July 2, 2026 20:18

Superseded by updated review.

@github-actions github-actions Bot left a comment


✅ Corvin says...

      _
    <(^\  .oO(Caw! ^v^)
     |/(\
      \(\\
      " "\\

"That's a nice looking export you've got there."

CI Summary

| Check | Status |
| --- | --- |
| Validate action.yml | ✅ Passed |
| Dependency Audit | ✅ Passed |
| Code Coverage | ✅ Passed |
| Format Check | ✅ Passed |
| Docs Site | ✅ Passed |
| Spec Validation | ✅ Passed |
| Tests (build, test, clippy) | ✅ Passed |
| VS Code Extension | ✅ Passed |
📋 Spec Validation Details

✅ SpecSync: Passed

| Metric | Value |
| --- | --- |
| Specs checked | 60 |
| Passed | 60 |
| Errors | 0 |
| Warnings | 0 |
| File coverage | 100% (76/76) |
| LOC coverage | 100% (35351/35351) |

Generated by specsync · Run specsync check --format github to reproduce


Powered by corvid-pet

@0xLeif 0xLeif merged commit 44ca8f0 into main Jul 2, 2026
16 checks passed
@0xLeif 0xLeif deleted the chore/release-4.6.1 branch July 2, 2026 20:18