chore: version 2.0.0-alpha.7 — security hardening + Yerin security agent

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 00:24:34 +10:00
parent 806e21cb13
commit 28e66c6946
3 changed files with 29 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,33 @@
 All notable changes to Void 2.0 are documented here.
 Format: [Keep a Changelog](https://keepachangelog.com).

+## [2.0.0-alpha.7] — 2026-06-02
+
+### Security & hardening
+
+- **`pending_changes.action` CHECK fix** (migration 009): `upsert` is now a valid
+  suggestion action (approval dispatches to `refsRepo.upsertByExternal`); resource
+  dependency mutations (`add_dependency`/`remove_dependency`) are now owner-only.
+- **Constant-time owner-token comparison** (`lib/auth/safe_compare.js`) — replaces
+  `===`, closing a timing side-channel on `OWNER_TOKEN`.
+- **O(1) token verification** (migration 010): selector+verifier split replaces the
+  O(n) bcrypt scan over all tokens. New format `vk_<selector>.<verifier>`; legacy
+  tokens still verify. Dropped the useless `idx_agent_tokens_hash`.
+- **`pool.js` error handler** — an idle pooled-client error no longer crashes the
+  process.
+- **`context` tool** projects a safe column allow-list for resources (no
+  `monitoring`/`metadata` blobs); now also handles `resource` views.
+- **`applyPendingChange`** guards the `upsert` arm (clear `ValidationError`).
+
+### Added (Yerin — security agent)
+
+- Read-only `securityRegistry` (`lib/ai/agent/tools/security/`) with five tools:
+  `audit_log`, `agent_inventory`, `pending_review`, `resource_exposure`,
+  `token_audit` — no secret material in any output.
+- Migration 011 seeds the read-only `yerin` agent.
+- The stdio MCP server selects its toolset via `VOID_TOOL_REGISTRY`
+  (`security` → Yerin's tools; default → Dross's companion tools).
+
 ## [2.0.0-alpha.6] — 2026-06-01

 ### Changed (Plan 5b: companion backend → Claude CLI subprocess)
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "void-server",
-  "version": "2.0.0-alpha.6",
+  "version": "2.0.0-alpha.7",
  "type": "module",
  "private": true,
  "scripts": {
--- a/server.js
+++ b/server.js
@@ -8,7 +8,7 @@ import { registerWorkers } from './lib/jobs/index.js';
 import { router as ingestRouter } from './lib/api/routes/ingest.js';
 import { startCron } from './lib/cron/index.js';

-const VERSION = '2.0.0-alpha.6';
+const VERSION = '2.0.0-alpha.7';

 export function createApp() {
  const app = express();