Changelog

All notable changes to this project will be documented in this file.

This changelog is automatically generated by git-cliff from conventional commits.

[0.2.1] - 2026-04-04

Bug Fixes

  • Fix publish workflow: pass --repo to gh release upload in asset upload job
  • Fix org reusable build workflow: cyclonedx-bom 4.7.0 does not exist, pin to 4.6.1

[0.2.0] - 2026-04-04

Features

  • Replace deepcopy + recursive walk() with single-pass iterative walker (boltons remap pattern) — no recursion, no stack overflow, handles cycles and shared substructures via identity tracking
  • Add max_depth parameter to walk() (default 128) — warns on excessive nesting but continues sanitizing; never crashes on data shape
  • Strip C0/C1 control characters — terminal injection defense (BS, ESC, ANSI sequences)
  • Strip 19 high-confidence invisible chars (math invisible operators, deprecated format controls, braille blank, Ogham space, Hangul fillers, Mongolian FVS, Arabic letter mark)
  • Expand homoglyph map — 12 new pairs (Greek lowercase, Cyrillic extended, Latin dotless i)
  • Add SLSA Level 3 build provenance and unified badge header
  • Add dual SBOMs, build provenance attestation, and release assets

Bug Fixes

  • NFD decompose before homoglyph scan to defeat NFKC composition bypass
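The iterative walker with identity tracking and a depth limit from the 0.2.0 feature list, the C0/C1 control stripping, and the NFD-before-homoglyph-scan fix above can be shown together in one small pipeline. The following is an added illustration written for this page, not navi-sanitize's own code: the function names (`walk`, `walk_report`, `clean`, `strip_controls`, `replace_homoglyphs`), the four-entry homoglyph table and the order of the leaf stages are assumptions chosen to demonstrate the ideas, not the project's actual implementation.

```python
"""Added illustration, not navi-sanitize's own code: a single-pass iterative
walker (identity tracking for cycles and shared substructures, depth warning)
driving a leaf sanitizer that strips C0/C1 controls and NFD-decomposes before
the homoglyph scan so NFKC-composed confusables cannot slip past the table.
Function names and the four-entry homoglyph table are assumptions."""
import unicodedata
import warnings
from typing import Any, Callable

# Constructed, deliberately tiny confusable table (the real data module is larger).
HOMOGLYPHS = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin dotless i
}


def strip_controls(s: str) -> str:
    """Drop C0 (U+0000-U+001F), DEL and C1 (U+0080-U+009F); keep tab/newline/CR.
    Removing ESC breaks every ANSI CSI sequence, so a terminal never interprets it."""
    return "".join(
        ch for ch in s
        if ch in "\t\n\r" or not (ord(ch) < 0x20 or 0x7F <= ord(ch) <= 0x9F)
    )


def replace_homoglyphs_naive(s: str) -> str:
    """Scan the text as given. A precomposed character such as U+0450 (Cyrillic ie
    with grave) is not in the table, so its Cyrillic base is never mapped."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in s)


def replace_homoglyphs(s: str) -> str:
    """NFD first so composed forms split into base + combining marks, map the base,
    then NFKC so the output is stable under a second pass (idempotency)."""
    decomposed = unicodedata.normalize("NFD", s)
    mapped = "".join(HOMOGLYPHS.get(ch, ch) for ch in decomposed)
    return unicodedata.normalize("NFKC", mapped)


def clean(s: str) -> str:
    """Leaf pipeline: NFKC, control stripping, NFD-aware homoglyph mapping, re-NFKC."""
    return replace_homoglyphs(strip_controls(unicodedata.normalize("NFKC", s)))


def walk_report(obj: Any, leaf_fn: Callable[[str], str], max_depth: int = 128):
    """Rebuild dict/list structures iteratively, applying leaf_fn to every str value.
    Returns (rebuilt, depth_exceeded). A container is registered in `seen` before
    its children are visited, so a cycle or a shared subtree maps to one new object."""
    seen: dict[int, Any] = {}   # id(source container) -> rebuilt container
    alive: list[Any] = []       # keep sources alive so ids are not recycled mid-walk
    stack: list[tuple[Any, Any, int]] = []
    exceeded = False

    def visit(src: Any, depth: int) -> Any:
        nonlocal exceeded
        if isinstance(src, str):
            return leaf_fn(src)
        if not isinstance(src, (dict, list)):
            return src                      # ints, None, tuples... pass through
        if id(src) in seen:
            return seen[id(src)]            # cycle or shared substructure
        if depth > max_depth:
            exceeded = True                 # note it, keep sanitizing
        dst: Any = {} if isinstance(src, dict) else []
        seen[id(src)] = dst
        alive.append(src)
        stack.append((src, dst, depth))
        return dst

    root = visit(obj, 0)
    while stack:                            # explicit stack: no recursion limit
        src, dst, depth = stack.pop()
        if isinstance(src, dict):
            for key, value in src.items():  # keys are left untouched here
                dst[key] = visit(value, depth + 1)
        else:
            dst.extend(visit(value, depth + 1) for value in src)
    return root, exceeded


def walk(obj: Any, leaf_fn: Callable[[str], str] = clean, max_depth: int = 128) -> Any:
    """Public wrapper: warn once when nesting passes max_depth, never raise."""
    rebuilt, exceeded = walk_report(obj, leaf_fn, max_depth)
    if exceeded:
        warnings.warn(f"nesting deeper than max_depth={max_depth}; sanitized anyway")
    return rebuilt


if __name__ == "__main__":
    shared = {"msg": "h\u0435llo \x1b[31mred"}       # constructed: Cyrillic ie + ANSI colour
    doc = {"a": shared, "b": [shared]}
    doc["self"] = doc                                # constructed cycle
    out = walk(doc)
    print(out["a"]["msg"], out["a"] is out["b"][0], out["self"] is out)
```

The point of the NFD step is visible on U+0450: the naive scan returns it unchanged because only the bare Cyrillic ie is in the table, while the NFD-first version splits it into U+0435 + U+0300, maps the base to "e", and re-composes to "è". The walker never recurses, so Python's recursion limit cannot be hit by deeply nested input; the depth flag is only a signal to the caller.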

Documentation

  • Document escaper trust boundary in clean() docstring, README, and CLAUDE.md
  • Sync all docs with iterative walker architecture (no deepcopy references)
  • Migrate wiki content to Diataxis docs site
  • Update counts across all docs — invisible chars 411 to 492, homoglyphs 54 to 66, tests 382 to 405

CI/CD

  • Add Grippy code review workflow (updated to grippy-mcp)
  • Restructure workflows to match org ruleset contract
  • Expand fuzz matrix to run both fuzz_clean and fuzz_walk targets

Testing

  • Add 23 Hypothesis property-based tests for all public API invariants (clean safety, walk mutation/depth/cycles, escaper safety, script detection, decode robustness)
  • Overhaul Atheris fuzzer — resurrect dead fuzz_walk target, add NFKC-stability and homoglyph-free invariants, add --target= CLI flag
  • Add 48 adversarial tests for invisible char gaps, NFKC composition bypass, and new homoglyph pairs
  • Add depth limit, cycle safety, shared substructure, and DAG edge case tests

[0.1.1] - 2026-03-02

Documentation

  • Add whitepaper v1.0 with pipeline diagram (#3)
  • Fix stale stage count in CHANGELOG
  • Update CLAUDE.md for 6-stage pipeline and 8 exports
  • Document re-NFKC stage in pipeline

Miscellaneous

  • Add CODEOWNERS for scorecard branch-protection check

[0.1.0] - 2026-03-01

Bug Fixes

  • Resolve concurrency group collision in CI reusable workflow
  • Use branch-specific codecov badge URL
  • Re-normalize after homoglyph replacement for idempotency
  • Use uv pip install in smoke test (uv venv lacks pip)
  • Close bypass vectors from adversarial audit and harden pipeline
  • Close 18 bypass vectors found in penetration testing

CI/CD

  • Add Codecov coverage reporting with dynamic badge
  • Scope down token permissions and add Atheris fuzz harness
  • Add PyPI trusted publishing workflow
  • Bump the actions group with 2 updates (#1)

Documentation

  • Add framework integration snippets and threat model blurb
  • Add Why This Matters and comparison sections to README
  • Add coverage badge to README
  • Add fuzz workflow badge to README
  • Finalize README with benchmarks and API examples

Features

  • Add decode_evasion, detect_scripts, is_mixed_script (#2)
  • Add jinja2 and path escapers
  • Core pipeline — clean() with 4 universal stages
  • Add homoglyph mapping data (42 pairs)
  • Add invisible character data module and first test skeleton

Miscellaneous

  • Update security contact email to security@projectnavi.ai
  • Add CONTRIBUTING, GOVERNANCE, CODE_OF_CONDUCT, and auto-generated CHANGELOG
  • Harden CI with Semgrep, CodeQL, pip-audit, SHA-pinned actions, and contributor tooling
  • Add README badges, OpenSSF Scorecard workflow, and security policy
  • Add pre-commit hooks and GitHub Actions CI
  • Scaffold navi-sanitize package

Testing

  • Add benchmark suite — clean() and walk() perf baselines
  • Add Unicode Tag smuggling and bidi override attack tests
  • Port adversarial suite from navi-bootstrap (37+ attack vectors)
  • Add walk() tests — nested structures, deep copy, edge cases