chernistry/bernstein

v1.10.4 Security

This release includes 1 security fix relevant to security teams reviewing exposed deployments.

This release patches 1 known CVE

Topics

agent-framework agent-orchestrator agentic-ai ai-agents ai-coding aider
anthropic claude-code cli-tool codex-cli coding-agent deterministic-scheduler hmac-audit llm mcp-server model-context-protocol multi-agent parallel-worktrees python swe-bench

Affected surfaces

auth deps

Summary

AI summary

fast-uri override pinned to >=3.1.1 for CVE-2026-6321 (path traversal).

Full changelog

what's in 1.10.4

chunk of security + orchestration work landed since 1.10.3.

security

  • Ed25519 + JWS + JCS canonical signer for AgentIdentityCard (#1106). third-party A2A verifiers can finally verify the card itself, not only trust the internal sha256 anchor. signature is detached per RFC 7515 §A.5 so the existing card_hash stays stable through the transition.
  • typ-header lock on the same signer (#1118). header now has to carry typ="agent-card+jws" or verify returns false. closes the gap where a key reused for some other internal JWS context could slip through.
  • fast-uri override pinned to >=3.1.1 for CVE-2026-6321 (path traversal) (#1119). dependabot would have caught it eventually; the package.json override locks the floor so a future transitive bump can't regress it.
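
The typ-header lock described in the second item above, as an added example that is not bernstein's own code. Assumptions: HMAC-SHA256 stands in for Ed25519 so the block runs on the standard library, the JCS step is a simplified subset, and every function name, the sample card and the `task-receipt+jws` context are hypothetical.

```python
import base64, hashlib, hmac, json

CARD_TYP = "agent-card+jws"  # typ value quoted in the release notes

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical(obj) -> bytes:
    # JCS-style subset: sorted keys, no whitespace. Equals RFC 8785 output
    # only for ASCII strings and float-free values like the sample below.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def mac(key: bytes, signing_input: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the project's Ed25519 signature.
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def sign_detached(key: bytes, obj, typ: str) -> str:
    header = b64u(canonical({"alg": "HS256", "typ": typ}))
    sig = mac(key, f"{header}.{b64u(canonical(obj))}".encode())
    return f"{header}..{b64u(sig)}"  # detached: payload segment left empty

def verify_card(key: bytes, card, detached: str, require_typ: bool = True) -> bool:
    try:
        header_b64, middle, sig_b64 = detached.split(".")
        header = json.loads(b64u_dec(header_b64))
        sig = b64u_dec(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return False
    if middle or not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    # The lock: a valid signature made for another JWS context is not a card.
    if require_typ and header.get("typ") != CARD_TYP:
        return False
    # Re-canonicalize the card the verifier holds; the JWS never carries it.
    expected = mac(key, f"{header_b64}.{b64u(canonical(card))}".encode())
    return hmac.compare_digest(sig, expected)

# Constructed sample data: one key reused across two JWS contexts.
KEY = b"constructed-demo-key"
CARD = {"agent_id": "agent-7", "capabilities": ["read"]}
card_jws = sign_detached(KEY, CARD, CARD_TYP)
other_jws = sign_detached(KEY, CARD, "task-receipt+jws")  # hypothetical context

if __name__ == "__main__":
    print("card, typ locked:       ", verify_card(KEY, CARD, card_jws))
    print("other context, locked:  ", verify_card(KEY, CARD, other_jws))
    print("other context, no lock: ", verify_card(KEY, CARD, other_jws, require_typ=False))
```

With `require_typ=False` the second signature verifies even though it was never issued as a card, which is the behaviour the lock removes.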

orchestration

  • explicit human-approval gates (#1116). tasks can pause in pending_approval and only proceed once approved through the API or VS Code panel. shows up as a new task state in the tree view with inline approve/reject actions.
  • fresh-context retry mode (#1113). on retry the agent restarts cold rather than inheriting the failed run's context bloat. opt-in via agent_restart_between_retries, off by default to keep behaviour stable.

tests / infra

  • airgap mode now has real offline + real-cosign integration coverage (#1102). previously most of that surface was mocked.
  • fake-CLI adapter harness with e2e coverage for the top-5 adapters (#1104). caught a few real bugs while landing.
  • A2A delegation tested across actual processes (#1103). same-pid coverage was hiding a couple of issues.
  • capability-matrix spawn-refusal end-to-end (#1105).
  • agents.md dogfooded on bernstein itself + cross-CLI round-trip test (#1101).

docs

  • README top-section rewrite for cold landings (#1115).
  • agents.md _REDIRECT_MAP back-compat note (#1107).
  • README conversion-pass: sponsor block, real-numbers anchor, who-it's-not-for section (03021d4).

ci

  • release-drafter no longer fails on fork PRs (#1114). pull_request from forks gets a read-only GITHUB_TOKEN regardless of the workflow's permissions block, so the action errored out every time. now skipped explicitly on forks; the draft refreshes on the next push to main after merge.
  • auto-release job bound to a pypi environment (#1100). green deploy marker actually shows up on the dashboard now.

note for anyone watching the actions tab: 1.10.4 took longer than usual because the auto-release bump-PR loop got wedged for a couple of hours. cancel-in-progress concurrency was killing every main CI run before it could mark itself success, and the workflow_run release gate only fires on success. unstuck by direct-pushing the bump after the queue cleared.

full diff: https://github.com/sipyourdrink-ltd/bernstein/compare/v1.10.3...v1.10.4

Security Fixes

  • dep: fast-uri pinned to >=3.1.1 to mitigate CVE-2026-6321 (path traversal).


About chernistry/bernstein

Deterministic multi-agent orchestrator for 18 CLI coding agents (Claude Code, Codex, Cursor, Aider, Gemini CLI, OpenAI Agents SDK, and more). MCP server mode (stdio + HTTP/SSE) exposes the orchestrator to any MCP client. Git worktree isolation per agent, HMAC-chained audit trail, cost-aware model routing via contextual bandit. ~11K monthly PyPI downloads, Apache 2.0.
