
chernistry/bernstein

v1.5.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

agent-framework agent-orchestrator agentic-ai ai-agents ai-coding aider anthropic claude-code cli-tool codex-cli coding-agent deterministic-scheduler hmac-audit llm mcp-server model-context-protocol multi-agent parallel-worktrees python swe-bench

Affected surfaces

rce_ssrf

Summary

AI summary

Atomic batch ticket ingestion prevents half‑claimed backlog on force‑stop.

Full changelog

v1.5.0 — atomic ingestion, crash-recovery groundwork, first community PRs

The release where Bernstein stopped losing state on force-stop and the first wave of outside contributors landed.

What's new

  • Atomic batch ticket ingestion. Tasks are claimed in groups; if the POST fails, no files move. Force-stop and partial-write races no longer leave a half-claimed backlog (#241-#244).
  • Parallelised, isolated test suite. A per-file runner replaces the single-process invocation that was OOM-killing CI across 2000+ tests. The legacy pytest tests/ path stays available, but scripts/run_tests.py is the sane default.
  • WAL groundwork for crash recovery. Idempotent task operations land first; the WAL writer that consumes them ships in v1.6.x. Restart-safety stops being aspirational.
  • Path-traversal fix. lstrip('/') was stripping absolute paths in the file-write validator, opening the very class of vulnerability the validator existed to close. Closed; regression test in place.
  • Budget enforcement under concurrency. A check-then-write race let two agents simultaneously cross a hard budget cap. Replaced with a CAS-style update; over-budget agents are now rejected deterministically.
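As an added illustration of the bug class behind the path-traversal bullet (this is not Bernstein's own validator): a file-write validator that `lstrip('/')`s the request before its containment check, beside a hardened version that refuses absolute input and writes only the path it actually checked. The workspace layout, function names and sandbox paths are constructed for the demo.

```python
"""Reconstruction of the lstrip('/') validator bug class (assumed, not
project code) next to a hardened file-write validator. Needs Python 3.9+
for Path.is_relative_to."""
import tempfile
from pathlib import Path


def vulnerable_validate(root: Path, requested: str) -> bool:
    # Bug class: the leading '/' is stripped before the check, so an
    # absolute path such as "/tmp/outside/x" is checked as root/"tmp/outside/x",
    # which sits inside the workspace, and the check passes.
    candidate = (root / requested.lstrip("/")).resolve()
    return candidate.is_relative_to(root.resolve())


def vulnerable_write(root: Path, requested: str, data: str) -> Path:
    if not vulnerable_validate(root, requested):
        raise ValueError("path escapes workspace")
    target = Path(requested)  # check/use mismatch: the original path is written
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(data)
    return target


def safe_write(root: Path, requested: str, data: str) -> Path:
    # Hardened: refuse absolute input, resolve symlinks and '..', and
    # write only the resolved path that passed the containment check.
    if Path(requested).is_absolute():
        raise ValueError("absolute paths are not allowed")
    root = root.resolve()
    target = (root / requested).resolve()
    if not target.is_relative_to(root):
        raise ValueError("path escapes workspace")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(data)
    return target


def demo() -> dict:
    """Runs both writers against a constructed sandbox and returns outcomes."""
    base = Path(tempfile.mkdtemp())  # constructed sandbox, outside real data
    root, outside = base / "workspace", base / "outside" / "secret.txt"
    root.mkdir()
    results = {"vuln_escaped": vulnerable_write(root, str(outside), "x") == outside}
    for key, req in (("safe_blocked_abs", str(outside)),
                     ("safe_blocked_dotdot", "../outside/secret2.txt")):
        try:
            safe_write(root, req, "x")
            results[key] = False
        except ValueError:
            results[key] = True
    results["safe_ok"] = safe_write(root, "notes/a.txt", "x").is_relative_to(root.resolve())
    return results
```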

Community contributions

Thanks to the contributors who shipped real surface area in this release:

Why we built this

Force-stop was the most common operator complaint after v1.4: "I hit Ctrl+C and now my backlog is in three different states." Atomic ingestion and the WAL groundwork are the structural fix — not a layer of retries on top. Everything else here is the contributor surface that grew once people could actually clone the repo and run the test suite without needing 64 GB of RAM.

Install

pipx install --upgrade bernstein

Full changelog: https://github.com/sipyourdrink-ltd/bernstein/compare/v1.4.16...v1.5.0

Security Fixes

  • Path‑traversal vulnerability fixed: `lstrip('/')` no longer strips the leading slash from absolute paths in the file‑write validator, closing the gap in the protection the validator was meant to provide.


About chernistry/bernstein

Deterministic multi-agent orchestrator for 18 CLI coding agents (Claude Code, Codex, Cursor, Aider, Gemini CLI, OpenAI Agents SDK, and more). MCP server mode (stdio + HTTP/SSE) exposes the orchestrator to any MCP client. Git worktree isolation per agent, HMAC-chained audit trail, cost-aware model routing via contextual bandit. ~11K monthly PyPI downloads, Apache 2.0.
