First release to ship prebuilt binaries (#432/#435) — no more mandatory from-source build. Assets (lite static musl + full, with SHA-256 sums) are attached by the release workflow shortly after this is published.
Security / Hardening
- Audit chain binds the workspace (#438): a journal entry can no longer be moved between workspaces without breaking verify_audit_chain. Ships a v11→v12 migration that re-hashes existing chains (so pre-upgrade chains still verify); purge redaction preserves workspace_hash as a hashed field.
- Keyfile 0600 at creation on Unix (#434) — closes the world-readable window.
- remember input bounds (category/key/body caps) — DoS-via-huge-key (#434).
- File-watcher rejects symlinks — no escaping the watch root (#434).
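
Why binding the workspace into the chain hash matters, as an added example (not Perseus Vault's code or on-disk format): the entry layout, the genesis value, the helper names and the sample workspaces below are assumptions made for illustration. An entry copied into another workspace fails verification whether or not its workspace_hash field is relabeled.

```python
import hashlib
import json

# Constructed illustration: field names and hash layout are assumptions,
# not the project's actual journal format.
GENESIS = "0" * 64  # assumed "previous hash" for the first entry of a chain


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def entry_hash(prev_hash, workspace_hash, payload):
    # Canonical JSON keeps field boundaries unambiguous before hashing.
    material = json.dumps([prev_hash, workspace_hash, payload], separators=(",", ":"))
    return sha256_hex(material)


def append(chain, workspace, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    ws = sha256_hex(workspace)
    chain.append({"prev": prev, "workspace_hash": ws, "payload": payload,
                  "hash": entry_hash(prev, ws, payload)})


def verify_chain(chain, workspace):
    """Return None if the chain verifies for this workspace, else the first failure."""
    expected_ws = sha256_hex(workspace)
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["workspace_hash"] != expected_ws:
            return f"entry {i}: workspace mismatch"
        if e["prev"] != prev:
            return f"entry {i}: broken link"
        if e["hash"] != entry_hash(prev, e["workspace_hash"], e["payload"]):
            return f"entry {i}: hash mismatch"
        prev = e["hash"]
    return None


def demo():
    alpha = []
    append(alpha, "alpha", "constructed entry 1")
    append(alpha, "alpha", "constructed entry 2")
    moved = dict(alpha[0])                                      # copied as-is
    relabeled = dict(moved, workspace_hash=sha256_hex("beta"))  # field rewritten
    return (verify_chain(alpha, "alpha"),
            verify_chain([moved], "beta"),
            verify_chain([relabeled], "beta"))


if __name__ == "__main__":
    print(demo())
```

If the workspace hash were left out of `entry_hash`, the relabeled copy would verify under "beta", since both chains start from the same genesis value.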
Added
- Prebuilt release binaries: perseus-vault-lite (static musl, linux x86_64/aarch64) + full perseus-vault (linux-gnu x86_64, macOS x86_64/arm64) (#432/#435).
- perseus-vault doctor freshness line — surfaces a stale vault (#434).
Changed
- Default on-disk paths → ~/.perseus-vault/ (precedence-only, no data moved; ~/.mimir/ still works); adds PERSEUS_VAULT_DB_PATH (#437).
- MCP-registry name → io.github.Perseus-Computing-LLC/perseus-vault (#436).
Full detail in CHANGELOG.md.