Releases: JSONbored/nightward
v0.1.11
What's Changed
Other Changes
- fix(security): disable mcp action apply writes by @JSONbored in #45
Full Changelog: v0.1.10...v0.1.11
v0.1.10
What's Changed
Other Changes
- fix(release): stamp mcp registry metadata for npm by @JSONbored in #44
Full Changelog: v0.1.9...v0.1.10
v0.1.9
What's Changed
Other Changes
- fix(release): select host archive in release smoke by @JSONbored in #42
- feat(security): harden mcp and action surfaces by @JSONbored in #43
Full Changelog: v0.1.8...v0.1.9
v0.1.8
What's Changed
Other Changes
- fix(security): prevent provider timeout pipe hangs by @JSONbored in #41
Full Changelog: v0.1.7...v0.1.8
v0.1.7
What's Changed
Other Changes
- fix(redaction): fully redact whitespace-separated auth credentials by @JSONbored in #37
- fix(security): harden output and release verification by @JSONbored in #40
Full Changelog: v0.1.6...v0.1.7
v0.1.6
Full Changelog: v0.1.5...v0.1.6
v0.1.4
Nightward v0.1.4
First stable Nightward release. Use this release instead of the superseded v0.1.1-v0.1.3 prerelease attempts.
Highlights
- Added the nightward and nw Go CLIs for local-first audits of AI agent state, MCP config, and dotfiles backup safety.
- Added MCP security findings for unpinned package execution, sensitive env/header references, local endpoints, broad filesystem access, local credential paths, parse failures, symlinked config, and unknown server shapes.
- Added redacted JSON scan output, policy checks, SARIF output, Trunk integration metadata, plan-only remediation, and static HTML reports.
- Added TUI review flows and a read-only Raycast extension surface for dashboard, findings, analysis, provider doctor, fix-plan export, and menu-bar status.
- Added explicit optional provider execution with local providers and gated online-capable providers.
- Added release-gated GitHub artifacts, checksums, SBOMs, Cosign-signed checksum bundles, release smoke checks, and trusted-publishing support for the @jsonbored/nightward npm launcher.
- Added OpenSSF-oriented governance, security policy, threat model, DCO, CodeQL, Scorecard, coverage, and release snapshot gates.
Install
```shell
# GitHub Release archives are canonical.
# npm is a thin launcher for the GitHub Release binaries.
npx @jsonbored/nightward@0.1.4 --help
npm install -g @jsonbored/nightward@0.1.4
nw scan --json
```
Go install is also available:
```shell
go install github.com/jsonbored/nightward/cmd/nw@v0.1.4
go install github.com/jsonbored/nightward/cmd/nightward@v0.1.4
```
Verification
This release publishes platform archives, checksums.txt, per-archive SBOMs, and a keyless Cosign bundle for the checksum file.
```shell
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp 'https://github.com/JSONbored/nightward/.github/workflows/release.yml@refs/tags/v0.1.4$' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt
sha256sum -c checksums.txt --ignore-missing
```
Notes
- Nightward remains local-first: no telemetry, no default network calls, and no live config mutation.
- Remediation is plan-only in this release.
- v0.1.1, v0.1.2, and v0.1.3 are retained as prerelease history but are superseded by this release.
v0.1.3
Superseded by v0.1.4. GitHub/npm publishing and provenance worked, but the npm launcher symlink smoke gap was fixed in v0.1.4; use v0.1.4 or newer.
v0.1.2
Superseded by v0.1.4. This early immutable release attempt did not complete the final npm/install verification path; use v0.1.4 or newer.
v0.1.1
Superseded by v0.1.4. This early immutable release attempt did not complete the final npm/install verification path; use v0.1.4 or newer.