secure_agent_envs/CHANGELOG.md
guessthepw 2fb83ada34 Updates documentation for Windows security features
README.md:
- Add skip parameters example (-SkipVNC, -SkipOllama)
- Document VNC password prompt and minimum length
- Update requirements to show ISO creation fallbacks

CLAUDE.md:
- Add Windows script editing section
- Add Windows security patterns section
- Add Windows testing instructions
- Update VNC password minimum from 6 to 8 chars
- Document checksum verification for Windows

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-25 13:36:00 -05:00

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.14.1] - 2025-01-25

Changed

  • Updated README.md with Windows skip parameters and VNC password info
  • Updated CLAUDE.md with Windows script documentation and security patterns
  • Fixed VNC password minimum documentation (6 → 8 chars)

[0.14.0] - 2025-01-25

Security

  • Add SHA256 checksum verification for Ubuntu cloud image downloads (prevents MITM attacks)
  • Add strict input validation for git name, email, VM password, and VNC password
  • Validate loaded config.env values to detect tampering
  • VNC password minimum increased from 6 to 8 characters
  • Block shell metacharacters in all user inputs to prevent injection
  • Config file created with restricted ACL from the start (no race condition window)
  • Add security reminder to remove cloud-init ISO after first boot (contains passwords)

Added

  • ARM64 architecture detection for Windows on ARM devices
  • Log file creation at $env:TEMP\setup_env_windows_<timestamp>.log
  • Cleanup on failure: automatically removes partial VM, disk, and ISO on error
  • Hosts file backup before modification (removed on success, kept on failure)
  • Input validation functions: Test-GitName, Test-GitEmail, Test-VMPassword, Test-VNCPassword
  • Checksum caching to avoid re-downloading verification data

Changed

  • Ubuntu image URL now uses detected architecture instead of hardcoded amd64
  • All major operations now log to file for troubleshooting
  • VM creation wrapped in try/catch with automatic cleanup on failure

[0.13.0] - 2025-01-25

Changed

  • Rewrote setup_env_windows.ps1 to fully implement WINDOWS_PLAN.md
  • Password handling uses cloud-init chpasswd with plaintext (type: text) instead of broken hash generation
  • Multiple ISO creation methods with fallback chain: oscdimg → WSL genisoimage → IMAPI2 COM
  • Downloads use BITS transfer for reliability with progress reporting
  • SSH readiness checking with timeout before displaying connection info

Added

  • Component skip parameters: -SkipVNC, -SkipPostgreSQL, -SkipOllama, -SkipPlaywright
  • VNC password support via base64 encoding in cloud-init
  • Automatic hosts file cleanup when VM is deleted with -Force
  • Proper prerequisite checking for Hyper-V, Windows edition, and admin privileges

Fixed

  • Cloud-init password configuration (was using bash syntax in PowerShell)
  • ISO creation now works without Windows ADK by using WSL or IMAPI2 fallbacks
  • Hosts file handling with proper admin privilege elevation

[0.12.0] - 2025-01-25

Added

  • Python runtime management via mise (alongside Node.js, Erlang, Elixir)
  • WINDOWS_PLAN.md documenting Hyper-V implementation strategy and security rationale

Fixed

  • Tidewave CLI download URL (now uses correct tidewave_app repo with musl binaries)

Changed

  • Python is now a selectable component managed by mise instead of system apt

[0.11.0] - 2025-01-25

Added

  • Windows support via Hyper-V for maximum security isolation
  • setup_env_windows.ps1 PowerShell script with full VM provisioning
  • Ubuntu cloud image support with cloud-init automation
  • SSH key generation for passwordless VM access on Windows
  • Hosts file integration for easy <vmname>.local access

Security

  • Hyper-V provides stronger isolation than WSL2 (separate kernel, network, filesystem)
  • No host integration services enabled by default

[0.10.0] - 2025-01-25

Added

  • OpenCode: Open-source AI coding assistant with multi-provider support
  • Tidewave CLI: Elixir/Phoenix MCP server for AI-powered development
  • New component selection options for OpenCode and Tidewave

[0.9.1] - 2025-01-25

Fixed

  • Add error checking for base64 decode operations in VM provisioning
  • Add set -e to VM bootstrap script for early failure detection

[0.9.0] - 2025-01-25

Security

  • Fix rustup pipe-to-shell vulnerability: now downloads to temp file with validation before execution
  • Fix SKIP_EXPORTS command injection risk: refactored to use base64-encoded list instead of shell command string
  • Fix Playwright symlink path validation: validates executable and path prefix before creating symlinks

[0.8.0] - 2025-01-25

Added

  • Project memory system using CLAUDE.md, CHANGELOG.md, and README.md
  • Versioning rules and documentation update guidelines in CLAUDE.md

[0.7.0] - 2025-01-25

Added

  • CHANGELOG.md with version history following Keep a Changelog format

[0.6.0] - 2025-01-25

Changed

  • All tools now use latest versions by default instead of pinning specific versions
  • PostgreSQL authentication uses scram-sha-256 for all TCP connections
  • Simplified tool installation by removing version pinning constraints

Security

  • VNC passwords are never stored and must be entered each time
  • Added documentation for input validation patterns and safe config loading

[0.5.0] - 2025-01-25

Security

  • Prevents shell injection through input validation and safe parameter passing
  • Replaces direct sourcing with manual config parsing to avoid code execution
  • Downloads and validates install scripts before execution instead of piping
  • Uses base64 encoding for secure VM parameter transmission
  • Adds checksum verification for binary downloads
  • Creates secure temporary directories and files with proper permissions

[0.4.0] - 2025-01-25

Changed

  • Replaces sequential installation with parallel step execution
  • Introduces real-time progress dashboard with spinner and status
  • Removes color variables to improve terminal compatibility
  • Restructures logging with per-step files for better debugging

Performance

  • Significantly reduces total setup time by running independent steps concurrently

[0.3.0] - 2025-01-25

Added

  • Dual-mode operation: orchestration on macOS, provisioning on Linux
  • Interactive component selection with visual menu interface
  • VNC desktop access for OAuth workflows and browser-based tasks

Security

  • Secure VM creation with disabled host filesystem access

[0.2.0] - 2025-01-25

Added

  • OrbStack development sandbox setup script
  • mise version manager with Node.js, Erlang, and Elixir support
  • PostgreSQL 16 with remote access configuration
  • Claude Code integration with multiple plugin marketplaces
  • Chromium browser and Playwright for automation tasks

[0.1.0] - 2025-01-25

Added

  • Initial project structure