Skip to content

Releases: nself-org/cli

@nself/sdk v1.2.5

Choose a tag to compare

@github-actions github-actions released this 06 Jul 18:50
fa599b8

Published @nself/sdk v1.2.5 to npm.

v1.2.4

Choose a tag to compare

@github-actions github-actions released this 03 Jul 22:07
e5225fe

nSelf CLI v1.2.4

Channel: stable

Changelog

[1.2.4] — 2026-07-03

Fixed

  • License signature verification enabled in released binaries (CRITICAL) — the release workflow read the NSELF_LICENSE_PUBKEY_HEX secret to embed the Ed25519 license-verification key at build time, but the secret was never set in the repository, so every published binary shipped as a "dev build" with license signature verification disabled and printed a dev-build warning from nself version. The secret is now configured; binaries from this release on verify license signatures.
  • bundle info sentry alias miss — the sentrynsentry alias added in 1.2.3 resolved for bundle install and bundle remove but not bundle info, which used a separate command-layer lookup. bundle info sentry now resolves to ɳSentry; listings and error hints still show only the canonical nsentry slug.
  • gofmt drift — three files merged unformatted; formatted so the CI gofmt gate stays green.

Commits since previous release

  • fix(bundle): info alias + gofmt + v1.2.4 bump (license-verify enabled release) (#175) (e5225fe)

Install

brew install nself-org/nself/nself
# or download a tarball below for your platform

Verify (Sigstore keyless)

cosign verify-blob \
  --bundle <tarball>.tar.gz.sig \
  --certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.2.4$' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  <tarball>.tar.gz

Full signing + verification details: release-signing.md

Artifacts

  • Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
  • checksums.txt — SHA-256 of all tarballs
  • sbom.spdx.json + per-tarball SBOMs — SPDX software bill of materials
  • provenance.intoto.jsonl — SLSA v1.0 provenance attestation
  • *.sig — Sigstore cosign signature bundles for every artifact above

v1.2.3

Choose a tag to compare

@github-actions github-actions released this 03 Jul 20:44
7c792e3

nSelf CLI v1.2.3

Channel: stable

Changelog

[1.2.3] — 2026-07-03

Added

  • sentry bundle install aliasnself bundle install sentry now resolves to the canonical ɳSentry bundle. The alias is a fallback lookup only; nself bundle list and shell completions continue to show the canonical nsentry slug. (#171)

Commits since previous release

  • chore(release): bump v1.2.2 -> v1.2.3 + changelog (#172) (7c792e3)
  • feat(bundle): add sentry -> nsentry slug alias for bundle install (#171) (eea61c2)
  • docs(wiki): v1.2.2 doc-sync for the P0 build/start fix batch (#170) (b5608a8)

Install

brew install nself-org/nself/nself
# or download a tarball below for your platform

Verify (Sigstore keyless)

cosign verify-blob \
  --bundle <tarball>.tar.gz.sig \
  --certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.2.3$' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  <tarball>.tar.gz

Full signing + verification details: release-signing.md

Artifacts

  • Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
  • checksums.txt — SHA-256 of all tarballs
  • sbom.spdx.json + per-tarball SBOMs — SPDX software bill of materials
  • provenance.intoto.jsonl — SLSA v1.0 provenance attestation
  • *.sig — Sigstore cosign signature bundles for every artifact above

v1.2.2 — manifest plugin injection + compose secret templating (P0 build/start fixes)

Choose a tag to compare

@github-actions github-actions released this 03 Jul 19:06
294bb45

nSelf CLI v1.2.2

Channel: stable

Changelog

[1.2.2] — 2026-07-03

Fixed

  • Declared plugins silently dropped (CRITICAL)nself build ignored the project's nself.yaml manifest entirely: plugins declared under plugins: (flat or free:/pro: tiers) or via bundle:/bundles: never materialized as containers because the only injection path was discovery over the plugin install dir. The build now parses the manifest, expands bundles through the canonical bundle catalog, best-effort auto-installs missing plugins (60s per-plugin timeout; disable with NSELF_AUTO_INSTALL_PLUGINS=false), and reports any plugin it cannot wire with a per-plugin warning, a BuildResult.MissingPlugins entry, and a printed nself plugin install ... fix command. A declared plugin is never silently dropped. Core services (auth, storage) satisfy their declared names. NSELF_PLUGIN_DIR overrides the plugin directory for hermetic CI and per-project plugin sets. (#168)
  • Literal secrets in generated docker-compose.yml (HIGH)nself build baked literal secret values (Postgres password, Hasura admin secret, JWT blobs, MinIO root credentials, SMTP password) into the generated compose file, so editing .env post-build was a silent no-op and committing the generated file leaked credentials. Secrets are now emitted as ${VAR} references; interpolation values are written to .nself/compose.env (mode 0600) and passed to docker compose via --env-file by start/stop/restart/health. Legacy projects without compose.env keep default .env discovery. A safety-net scan warns if any known secret value still appears literally. (#168)
  • False "unknown env var" warnings — app-owned vars (NODE_ENV, JWT_SECRET, SSL_AUTO_TRUST, COOKIE_SECRET, ENABLE_DEBUG, LOG_LEVEL, NSELF_PROJECT_NAME) are now known; new ENV_ALLOWLIST accepts comma-separated exact names or PREFIX_* patterns for project-specific passthrough vars. (#168)
  • Unreachable ready URLs from nself start — with a default local domain, nself start printed *.local.nself.org URLs that 502 without DNS setup. It now prints direct http://localhost:<port> endpoints (GraphQL, Hasura console, Auth, Storage, Mail UI, Admin) plus a nself dns-setup hint for the domain routes; custom domains keep nginx-routed URLs. (#168)
  • Hash-prefixed leftover containers — interrupted docker compose recreates leave the old container renamed with a hex-id prefix (e.g. b6d7b59a1c78_myapp_hasura) that holds ports and shadows the clean <project>_<service> name. Start now removes rename-leftovers before and after compose up. (#168)

Commits since previous release

  • chore(release): bump v1.2.1 -> v1.2.2 + changelog (#169) (294bb45)
  • fix(build): P0 batch — manifest plugin injection, secret templating, env allowlist, localhost URLs, leftover cleanup (#168) (5c33a18)

Install

brew install nself-org/nself/nself
# or download a tarball below for your platform

Verify (Sigstore keyless)

cosign verify-blob \
  --bundle <tarball>.tar.gz.sig \
  --certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.2.2$' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  <tarball>.tar.gz

Full signing + verification details: release-signing.md

Artifacts

  • Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
  • checksums.txt — SHA-256 of all tarballs
  • sbom.spdx.json + per-tarball SBOMs — SPDX software bill of materials
  • provenance.intoto.jsonl — SLSA v1.0 provenance attestation
  • *.sig — Sigstore cosign signature bundles for every artifact above

v1.2.0 — nSentry bundle + status-page theming + self-hosted CI

Choose a tag to compare

@acamarata acamarata released this 01 Jul 13:20
55a6d14

nSelf CLI v1.2.0

Channel: stable

Changelog

[Unreleased] — v1.2.0

Changed

  • TypeScript SDK canary upgrade to TS6cli/sdk/ts (@nself/plugin-sdk v2.0.0) bumped from TypeScript ^5.4.5 to ^6.0.0 (S06 canary). tsconfig.json updated: modulenode16, moduleResolutionnode16 (node10 alias deprecated in TS6). Added tsconfig.test.json for ts-jest with isolatedModules: true. Jest config migrated to flat transform syntax (removes deprecated globals.ts-jest). Added eslint, @typescript-eslint/parser, @typescript-eslint/eslint-plugin devDeps and eslint.config.mjs (ESLint 10 flat config). All 18 tests pass. Type-check and build clean.

Added

  • Embedded PostgreSQL via pglite/wasmtime (--embedded-pg) — nself start --embedded-pg boots a full ɳSelf stack without a Docker postgres container. PostgreSQL runs as a pglite WebAssembly module inside wasmtime. A Unix-domain socket bridge proxies the Postgres wire protocol to Hasura and Auth. pgvector is included in pglite v0.2.17. Cold start compiles the WASM module to native code and caches it; warm starts typically take under 5 seconds. Backup via nself backup targets the UDS socket (pg_dump --format=custom primary, SQL wire-protocol fallback). Enable persistently with NSELF_EMBEDDED_PG=true in .env.local. See [[Embedded-Postgres]].

Security

  • CWE-214 Hasura secret exposure fixedhasuraMetadataExportCmd() in internal/backup/create.go previously passed the Hasura admin secret as --admin-secret=<value> in argv. Any local user with access to /proc/<pid>/cmdline or ps aux could read it during a backup run. The secret is now passed exclusively through the child process environment (cmd.Env). Docker exec receives -e HASURA_GRAPHQL_ADMIN_SECRET (no value on the command line). Severity: High. Chain ID: a83c99d6. Advisory: .github/SECURITY-ADVISORIES/2026-05-15-rce-and-secrets.md.
  • Supply-chain installer verification added — the Ollama installer previously piped curl output directly to sh without content verification. DownloadAndVerify() in the new internal/installer/verify.go downloads to a 0700 owner-only temp directory, opens the file with O_EXCL (closes TOCTOU window), caps the body at 2 MiB, and verifies SHA-256 against the pinned checksum from ExpectedOllamaInstallChecksum() before execution. Severity: High. Chain ID: a83c99d6. Advisory: .github/SECURITY-ADVISORIES/2026-05-15-rce-and-secrets.md.

Testing

  • S42-sec security-critical coverage uplift (sprint a5e2b723) — targeted coverage pass across internal/license, internal/auth, internal/trust, internal/crypto, SSRF guards, and RLS enforcement. Real uplift: license 76 → 91.1% (392 new tests), auth 85 → 92.5% (140 tests), trust 67 → 72.1% (4 timeout-panic test bugs fixed: brew/osascript/setupResolver had unconditional 30s–5 min blocking calls, now t.Skip with unreachable-doc comment), security 89.3%, truststate 96.0%. No security bugs discovered; go build and go vet clean. Accepted coverage debt: internal/trust/ssl 49.4%, internal/secrets 39.0%, internal/tenant 48.4% — these packages rely on external binary execution (mkcert, openssl, age — no injection point to test safely), osascript admin-dialog invocation (untestable in CI without real macOS privileges), and live Postgres/Stripe/MinIO connections. Plausible integration-test class; further uplift deferred to S47 once an integration harness is in place.

Commits since previous release

  • ci(release): install build-essential on self-hosted runner if missing (#155) (55a6d14)

Install

brew install nself-org/nself/nself
# or download a tarball below for your platform

Verify (Sigstore keyless)

cosign verify-blob \
  --bundle <tarball>.tar.gz.sig \
  --certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.2.0$' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  <tarball>.tar.gz

Full signing + verification details: release-signing.md

Artifacts

  • Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
  • checksums.txt — SHA-256 of all tarballs
  • sbom.spdx.json + per-tarball SBOMs — SPDX software bill of materials
  • provenance.intoto.jsonl — SLSA v1.0 provenance attestation
  • *.sig — Sigstore cosign signature bundles for every artifact above

v1.1.12 — nself sentry status (EOP health gate)

Choose a tag to compare

@acamarata acamarata released this 29 Jun 21:13
a0d6fb0

Adds 'nself sentry status [--json]' — fetches the nSentry status aggregate and exits non-zero when systems are degraded/down, for use as an EOP/CI health gate. Token via --token or NSENTRY_PRIVATE_TOKEN/STATUS_PAGE_PRIVATE_TOKEN.

v1.1.11 — nSentry ops CLI

Choose a tag to compare

@acamarata acamarata released this 28 Jun 20:49
6c5fdae

nSentry bundle — code-complete milestone (not yet deployed to live servers).

FOSS nself CLI gains ops-server setup: nself build --profile ops, nself sentry-server provision, nself ci serve, nself deploy web --prebuilt. nSentry = paid plugin bundle (13 monitoring plugins) + free Forgejo CI plugin. @nself/sentry SDK ready (pending @nself npm scope creation). Live deploy via nself sentry-server provision <project>.

v1.1.10 — P4 Foundation Complete

Choose a tag to compare

@acamarata acamarata released this 25 Jun 18:17

P4 — Foundation to 100%

268/268 tickets complete across 11 epics.

Highlights

  • E0 Security baseline: credential scanning, AGPL gate, gitignore hardening
  • E1 CLI: 84 commands, full Go implementation
  • E2 Admin GUI: localhost:3021 Docker companion
  • E3 29 free plugins: Hasura RLS + multi-app isolation
  • E4 124 paid plugins: all 6 bundles complete
  • E5 Security hardening: SSRF/path-traversal/DNS injection guards + nself-ci
  • E6 App features: auth, billing UI, subscriptions
  • E7 AI platform: BGE-M3 retrieval, Google OAuth, PTY relay, AI gateway
  • E8 Eval-gate: scorers, nself ci eval, CI integration
  • E9 libnclaw E2EE: X25519/XChaCha20-Poly1305 + intelligence gRPC
  • E10 clawde-proxy daemon + eval-regression CI gate
  • E11 DQA + SIEGE + doc-sync complete

v1.1.9

Choose a tag to compare

@github-actions github-actions released this 19 Jun 00:25
2e77397

nSelf CLI v1.1.9

Channel: stable

Commits since previous release

  • Merge pull request #133 from nself-org/chore/v1.1.9-bump (2e77397)
  • fix(deps): bump Go toolchain to 1.26.4 to patch stdlib CVEs (1d19230)
  • fix(cli): resolve P3 audit CRITICAL/HIGH resilience defects (087cf35)
  • test: cleanup gate QA test files (9ae506f)
  • test: add tracking ref (0d1d2a8)
  • test: stub in api path (a4f4654)
  • test: add exception comment (cde0762)
  • test: temp 301-line file for gate test (a9ea944)
  • chore(release): bump version to v1.1.9 (7b2a3ed)

Install

brew install nself-org/nself/nself
# or download a tarball below for your platform

Verify (Sigstore keyless)

cosign verify-blob \
  --bundle <tarball>.tar.gz.sig \
  --certificate-identity-regexp '^https://github.com/nself-org/cli/\.github/workflows/release\.yml@refs/tags/v1.1.9$' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  <tarball>.tar.gz

Full signing + verification details: release-signing.md

Artifacts

  • Platform tarballs (linux/darwin × amd64/arm64) + Windows zips (amd64/arm64)
  • checksums.txt — SHA-256 of all tarballs
  • sbom.spdx.json + per-tarball SBOMs — SPDX software bill of materials
  • provenance.intoto.jsonl — SLSA v1.0 provenance attestation
  • *.sig — Sigstore cosign signature bundles for every artifact above

ɳSelf CLI v1.1.8

Choose a tag to compare

@acamarata acamarata released this 15 Jun 22:26
1d8be53

What's in this release

P2 phase complete — all waves merged (E1–E7).

Highlights

  • OpenTelemetry observability: distributed tracing, metrics, structured logging across all CLI commands
  • Quality and performance wave: binary size optimization, benchmark improvements, i18n/a11y polish
  • Go scaffold template fix: escaped inner format verbs in generated service main.go (resolves go vet warning)
  • Full doc-sync: wiki, changelogs, and SDK versions aligned

Version lockstep

CLI v1.1.8 = Admin v1.1.8. SDK versions updated: Go, Python, TypeScript, Flutter.

Notes

  • 3 pre-existing test failures in TestBootstrapValidation (claw_keys_test.go) — present on main before P2, not a regression
  • No prod deploy in this release (staging-only)