
chernistry/bernstein

v1.9.1 Security

This release includes 2 security fixes relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

agent-framework agent-orchestrator agentic-ai ai-agents ai-coding aider
anthropic claude-code cli-tool codex-cli coding-agent deterministic-scheduler hmac-audit llm mcp-server model-context-protocol multi-agent parallel-worktrees python swe-bench

Affected surfaces

auth deps

Summary

AI summary

Catalog matching is stricter and log‑injection sanitisation prevents unsafe approval_id logging.

Full changelog

v1.9.1 — catalog matching fixes + log-injection sanitisation

A small follow-up to v1.9.0 that smooths a few rough edges from the v1.9 train.

Catalog matching is less greedy and less paranoid

Two related fixes in _match_exact_role:

  1. Reject weak matches. _match_exact_role previously returned the first catalog agent for a role even when capability and keyword scores were zero. That caused irrelevant personas (e.g. "Mobile App Builder" matched against "implement add and subtract") to be injected into agent prompts. Now exact matches require at least one cap-word overlap with the task description.
  2. Drop the description-keyword fallback. Matching task words against agent marketing text produced false positives for common English words like "with", "fill", "that". Removed.

(A follow-up in v1.9.2 splits the threshold so legacy no-cap agents still match — see those release notes.)

Log-injection sanitisation in approval routes (#960)

User-controlled approval_id now goes through sanitize_log() before being written to logs. Closes three py/log-injection CodeQL alerts (#119, #120, #121).
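An added example (not bernstein's code) of the neutralisation this fix describes, showing the same log call with and without it. `sanitize_log_value` is a hypothetical stand-in for the project's `sanitize_log()`, whose implementation is not shown on this page, and the `approval_id` value is constructed.

```python
import io
import logging
import re

# C0 controls, DEL, and the Unicode line separators that str.splitlines()
# and many log viewers treat as a line break.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f\x85\u2028\u2029]")


def sanitize_log_value(value: object, max_len: int = 128) -> str:
    """Hypothetical stand-in for sanitize_log(): keep a value on one log line."""
    text = _UNSAFE.sub(
        lambda m: m.group().encode("unicode_escape").decode("ascii"), str(value)
    )
    # Bound the length so one request cannot flood the log.
    return text if len(text) <= max_len else text[:max_len] + "...[truncated]"


def logged_lines(approval_id: str, sanitize: bool) -> list[str]:
    """Log one approval event and return the physical lines it produced."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("approvals.demo")
    logger.handlers = [handler]
    logger.setLevel(logging.INFO)
    logger.propagate = False
    shown = sanitize_log_value(approval_id) if sanitize else approval_id
    logger.info("approval rejected id=%s", shown)
    return buf.getvalue().splitlines()


# Constructed input: an id carrying a line break and a fake second entry.
CRAFTED_ID = "abc123\nINFO approval granted id=abc123"

if __name__ == "__main__":
    for flag in (False, True):
        print(f"sanitize={flag}:", logged_lines(CRAFTED_ID, flag))
```

Unsanitised, the single request produces two log lines, the second indistinguishable from a genuine entry; sanitised, it stays one line with the break shown as a literal `\n`.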

Dependency hardening (#960)

  • npm uuid bumped via overrides to >=14.0.0, clearing GHSA-w5hq-g745-h8pq (the dev-only transitive that came in via @vscode/vsce@azure/msal-node).
  • Three py/log-injection alerts cleared.

Other fixes

  • orchestrator: _EVENT_* constants moved before first use; fixes a NameError under specific import orders.
  • adapters: opencode and aider added to _VALID_CLIS.

Documentation

Install / upgrade

pipx install --upgrade bernstein

Full changelog: https://github.com/sipyourdrink-ltd/bernstein/compare/v1.9.0...v1.9.1

Security Fixes

  • User‑controlled `approval_id` sanitized via `sanitize_log()` to prevent log injection (closes py/log-injection alerts #119‑#121)
  • dep: npm `uuid` bumped to >=14.0.0, clearing GHSA-w5hq-g745-h8pq


About chernistry/bernstein

Deterministic multi-agent orchestrator for 18 CLI coding agents (Claude Code, Codex, Cursor, Aider, Gemini CLI, OpenAI Agents SDK, and more). MCP server mode (stdio + HTTP/SSE) exposes the orchestrator to any MCP client. Git worktree isolation per agent, HMAC-chained audit trail, cost-aware model routing via contextual bandit. ~11K monthly PyPI downloads, Apache 2.0.
