Releases: nself-org/cli
Release list
@nself/sdk v1.2.5
Published @nself/sdk v1.2.5 to npm.
v1.2.4
nSelf CLI v1.2.4
Channel: stable
Changelog
[1.2.4] — 2026-07-03
Fixed
- License signature verification enabled in released binaries (CRITICAL) — the release workflow read the
NSELF_LICENSE_PUBKEY_HEXsecret to embed the Ed25519 license-verification key at build time, but the secret was never set in the repository, so every published binary shipped as a "dev build" with license signature verification disabled and printed a dev-build warning fromnself version. The secret is now configured; binaries from this release on verify license signatures. bundle info sentryalias miss — thesentry→nsentryalias added in 1.2.3 resolved forbundle installandbundle removebut notbundle info, which used a separate command-layer lookup.bundle info sentrynow resolves to ɳSentry; listings and error hints still show only the canonicalnsentryslug.- gofmt drift — three files merged unformatted; formatted so the CI gofmt gate stays green.
Commits since previous release
Install
brew install nself-org/nself/nself
# or download a tarball below for your platformVerify (Sigstore keyless)
cosign verify-blob \
--bundle <tarball>.tar.gz.sig \
--certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.2.4$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
<tarball>.tar.gzFull signing + verification details: release-signing.md
Artifacts
- Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
checksums.txt— SHA-256 of all tarballssbom.spdx.json+ per-tarball SBOMs — SPDX software bill of materialsprovenance.intoto.jsonl— SLSA v1.0 provenance attestation*.sig— Sigstore cosign signature bundles for every artifact above
v1.2.3
nSelf CLI v1.2.3
Channel: stable
Changelog
[1.2.3] — 2026-07-03
Added
sentrybundle install alias —nself bundle install sentrynow resolves to the canonicalɳSentrybundle. The alias is a fallback lookup only;nself bundle listand shell completions continue to show the canonicalnsentryslug. (#171)
Commits since previous release
- chore(release): bump v1.2.2 -> v1.2.3 + changelog (#172) (7c792e3)
- feat(bundle): add sentry -> nsentry slug alias for bundle install (#171) (eea61c2)
- docs(wiki): v1.2.2 doc-sync for the P0 build/start fix batch (#170) (b5608a8)
Install
brew install nself-org/nself/nself
# or download a tarball below for your platformVerify (Sigstore keyless)
cosign verify-blob \
--bundle <tarball>.tar.gz.sig \
--certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.2.3$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
<tarball>.tar.gzFull signing + verification details: release-signing.md
Artifacts
- Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
checksums.txt— SHA-256 of all tarballssbom.spdx.json+ per-tarball SBOMs — SPDX software bill of materialsprovenance.intoto.jsonl— SLSA v1.0 provenance attestation*.sig— Sigstore cosign signature bundles for every artifact above
v1.2.2 — manifest plugin injection + compose secret templating (P0 build/start fixes)
nSelf CLI v1.2.2
Channel: stable
Changelog
[1.2.2] — 2026-07-03
Fixed
- Declared plugins silently dropped (CRITICAL) —
nself buildignored the project'snself.yamlmanifest entirely: plugins declared underplugins:(flat orfree:/pro:tiers) or viabundle:/bundles:never materialized as containers because the only injection path was discovery over the plugin install dir. The build now parses the manifest, expands bundles through the canonical bundle catalog, best-effort auto-installs missing plugins (60s per-plugin timeout; disable withNSELF_AUTO_INSTALL_PLUGINS=false), and reports any plugin it cannot wire with a per-plugin warning, aBuildResult.MissingPluginsentry, and a printednself plugin install ...fix command. A declared plugin is never silently dropped. Core services (auth,storage) satisfy their declared names.NSELF_PLUGIN_DIRoverrides the plugin directory for hermetic CI and per-project plugin sets. (#168) - Literal secrets in generated docker-compose.yml (HIGH) —
nself buildbaked literal secret values (Postgres password, Hasura admin secret, JWT blobs, MinIO root credentials, SMTP password) into the generated compose file, so editing.envpost-build was a silent no-op and committing the generated file leaked credentials. Secrets are now emitted as${VAR}references; interpolation values are written to.nself/compose.env(mode 0600) and passed to docker compose via--env-fileby start/stop/restart/health. Legacy projects withoutcompose.envkeep default.envdiscovery. A safety-net scan warns if any known secret value still appears literally. (#168) - False "unknown env var" warnings — app-owned vars (
NODE_ENV,JWT_SECRET,SSL_AUTO_TRUST,COOKIE_SECRET,ENABLE_DEBUG,LOG_LEVEL,NSELF_PROJECT_NAME) are now known; newENV_ALLOWLISTaccepts comma-separated exact names orPREFIX_*patterns for project-specific passthrough vars. (#168) - Unreachable ready URLs from
nself start— with a default local domain,nself startprinted*.local.nself.orgURLs that 502 without DNS setup. It now prints directhttp://localhost:<port>endpoints (GraphQL, Hasura console, Auth, Storage, Mail UI, Admin) plus anself dns-setuphint for the domain routes; custom domains keep nginx-routed URLs. (#168) - Hash-prefixed leftover containers — interrupted
docker composerecreates leave the old container renamed with a hex-id prefix (e.g.b6d7b59a1c78_myapp_hasura) that holds ports and shadows the clean<project>_<service>name. Start now removes rename-leftovers before and aftercompose up. (#168)
Commits since previous release
- chore(release): bump v1.2.1 -> v1.2.2 + changelog (#169) (294bb45)
- fix(build): P0 batch — manifest plugin injection, secret templating, env allowlist, localhost URLs, leftover cleanup (#168) (5c33a18)
Install
brew install nself-org/nself/nself
# or download a tarball below for your platformVerify (Sigstore keyless)
cosign verify-blob \
--bundle <tarball>.tar.gz.sig \
--certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.2.2$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
<tarball>.tar.gzFull signing + verification details: release-signing.md
Artifacts
- Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
checksums.txt— SHA-256 of all tarballssbom.spdx.json+ per-tarball SBOMs — SPDX software bill of materialsprovenance.intoto.jsonl— SLSA v1.0 provenance attestation*.sig— Sigstore cosign signature bundles for every artifact above
v1.2.0 — nSentry bundle + status-page theming + self-hosted CI
nSelf CLI v1.2.0
Channel: stable
Changelog
[Unreleased] — v1.2.0
Changed
- TypeScript SDK canary upgrade to TS6 —
cli/sdk/ts(@nself/plugin-sdk v2.0.0) bumped from TypeScript^5.4.5to^6.0.0(S06 canary).tsconfig.jsonupdated:module→node16,moduleResolution→node16(node10 alias deprecated in TS6). Addedtsconfig.test.jsonfor ts-jest withisolatedModules: true. Jest config migrated to flattransformsyntax (removes deprecatedglobals.ts-jest). Addedeslint,@typescript-eslint/parser,@typescript-eslint/eslint-plugindevDeps andeslint.config.mjs(ESLint 10 flat config). All 18 tests pass. Type-check and build clean.
Added
- Embedded PostgreSQL via pglite/wasmtime (
--embedded-pg) —nself start --embedded-pgboots a full ɳSelf stack without a Docker postgres container. PostgreSQL runs as a pglite WebAssembly module inside wasmtime. A Unix-domain socket bridge proxies the Postgres wire protocol to Hasura and Auth. pgvector is included in pglite v0.2.17. Cold start compiles the WASM module to native code and caches it; warm starts typically take under 5 seconds. Backup vianself backuptargets the UDS socket (pg_dump --format=customprimary, SQL wire-protocol fallback). Enable persistently withNSELF_EMBEDDED_PG=truein.env.local. See [[Embedded-Postgres]].
Security
- CWE-214 Hasura secret exposure fixed —
hasuraMetadataExportCmd()ininternal/backup/create.gopreviously passed the Hasura admin secret as--admin-secret=<value>in argv. Any local user with access to/proc/<pid>/cmdlineorps auxcould read it during a backup run. The secret is now passed exclusively through the child process environment (cmd.Env). Docker exec receives-e HASURA_GRAPHQL_ADMIN_SECRET(no value on the command line). Severity: High. Chain ID: a83c99d6. Advisory:.github/SECURITY-ADVISORIES/2026-05-15-rce-and-secrets.md. - Supply-chain installer verification added — the Ollama installer previously piped
curloutput directly toshwithout content verification.DownloadAndVerify()in the newinternal/installer/verify.godownloads to a 0700 owner-only temp directory, opens the file withO_EXCL(closes TOCTOU window), caps the body at 2 MiB, and verifies SHA-256 against the pinned checksum fromExpectedOllamaInstallChecksum()before execution. Severity: High. Chain ID: a83c99d6. Advisory:.github/SECURITY-ADVISORIES/2026-05-15-rce-and-secrets.md.
Testing
- S42-sec security-critical coverage uplift (sprint a5e2b723) — targeted coverage pass across
internal/license,internal/auth,internal/trust,internal/crypto, SSRF guards, and RLS enforcement. Real uplift: license 76 → 91.1% (392 new tests), auth 85 → 92.5% (140 tests), trust 67 → 72.1% (4 timeout-panic test bugs fixed: brew/osascript/setupResolver had unconditional 30s–5 min blocking calls, nowt.Skipwith unreachable-doc comment), security 89.3%, truststate 96.0%. No security bugs discovered;go buildandgo vetclean. Accepted coverage debt:internal/trust/ssl49.4%,internal/secrets39.0%,internal/tenant48.4% — these packages rely on external binary execution (mkcert, openssl, age — no injection point to test safely), osascript admin-dialog invocation (untestable in CI without real macOS privileges), and live Postgres/Stripe/MinIO connections. Plausible integration-test class; further uplift deferred to S47 once an integration harness is in place.
Commits since previous release
Install
brew install nself-org/nself/nself
# or download a tarball below for your platformVerify (Sigstore keyless)
cosign verify-blob \
--bundle <tarball>.tar.gz.sig \
--certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.2.0$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
<tarball>.tar.gzFull signing + verification details: release-signing.md
Artifacts
- Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
checksums.txt— SHA-256 of all tarballssbom.spdx.json+ per-tarball SBOMs — SPDX software bill of materialsprovenance.intoto.jsonl— SLSA v1.0 provenance attestation*.sig— Sigstore cosign signature bundles for every artifact above
v1.1.12 — nself sentry status (EOP health gate)
Adds 'nself sentry status [--json]' — fetches the nSentry status aggregate and exits non-zero when systems are degraded/down, for use as an EOP/CI health gate. Token via --token or NSENTRY_PRIVATE_TOKEN/STATUS_PAGE_PRIVATE_TOKEN.
v1.1.11 — nSentry ops CLI
nSentry bundle — code-complete milestone (not yet deployed to live servers).
FOSS nself CLI gains ops-server setup: nself build --profile ops, nself sentry-server provision, nself ci serve, nself deploy web --prebuilt. nSentry = paid plugin bundle (13 monitoring plugins) + free Forgejo CI plugin. @nself/sentry SDK ready (pending @nself npm scope creation). Live deploy via nself sentry-server provision <project>.
v1.1.10 — P4 Foundation Complete
P4 — Foundation to 100%
268/268 tickets complete across 11 epics.
Highlights
- E0 Security baseline: credential scanning, AGPL gate, gitignore hardening
- E1 CLI: 84 commands, full Go implementation
- E2 Admin GUI: localhost:3021 Docker companion
- E3 29 free plugins: Hasura RLS + multi-app isolation
- E4 124 paid plugins: all 6 bundles complete
- E5 Security hardening: SSRF/path-traversal/DNS injection guards + nself-ci
- E6 App features: auth, billing UI, subscriptions
- E7 AI platform: BGE-M3 retrieval, Google OAuth, PTY relay, AI gateway
- E8 Eval-gate: scorers,
nself ci eval, CI integration - E9 libnclaw E2EE: X25519/XChaCha20-Poly1305 + intelligence gRPC
- E10 clawde-proxy daemon + eval-regression CI gate
- E11 DQA + SIEGE + doc-sync complete
v1.1.9
nSelf CLI v1.1.9
Channel: stable
Commits since previous release
- Merge pull request #133 from nself-org/chore/v1.1.9-bump (2e77397)
- fix(deps): bump Go toolchain to 1.26.4 to patch stdlib CVEs (1d19230)
- fix(cli): resolve P3 audit CRITICAL/HIGH resilience defects (087cf35)
- test: cleanup gate QA test files (9ae506f)
- test: add tracking ref (0d1d2a8)
- test: stub in api path (a4f4654)
- test: add exception comment (cde0762)
- test: temp 301-line file for gate test (a9ea944)
- chore(release): bump version to v1.1.9 (7b2a3ed)
Install
brew install nself-org/nself/nself
# or download a tarball below for your platformVerify (Sigstore keyless)
cosign verify-blob \
--bundle <tarball>.tar.gz.sig \
--certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.1.9$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
<tarball>.tar.gzFull signing + verification details: release-signing.md
Artifacts
- Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
checksums.txt— SHA-256 of all tarballssbom.spdx.json+ per-tarball SBOMs — SPDX software bill of materialsprovenance.intoto.jsonl— SLSA v1.0 provenance attestation*.sig— Sigstore cosign signature bundles for every artifact above
ɳSelf CLI v1.1.8
What's in this release
P2 phase complete — all waves merged (E1–E7).
Highlights
- OpenTelemetry observability: distributed tracing, metrics, structured logging across all CLI commands
- Quality and performance wave: binary size optimization, benchmark improvements, i18n/a11y polish
- Go scaffold template fix: escaped inner format verbs in generated service main.go (resolves go vet warning)
- Full doc-sync: wiki, changelogs, and SDK versions aligned
Version lockstep
CLI v1.1.8 = Admin v1.1.8. SDK versions updated: Go, Python, TypeScript, Flutter.
Notes
- 3 pre-existing test failures in TestBootstrapValidation (claw_keys_test.go) — present on main before P2, not a regression
- No prod deploy in this release (staging-only)