This release includes breaking changes for platform teams planning a safe upgrade.
✓ No known CVEs patched in this version
Topics
+2 more
Summary
AI summaryFixed publish pipeline bug that prevented v0.9.9 and v0.10.0 from being published to npm.
Full changelog
Patch release — unblock publish pipeline
This patch ships v0.10.0's refactor + security work to npm. The functional source code is unchanged from v0.10.0; the bump exists solely to push a new artifact through the now-fixed publish workflow.
Fix
- publish.yml — removed
npm install -g npm@lateststep that crashed withCannot find module 'promise-retry'on the Node 22 runner image. This bug had silently blocked v0.9.9 and v0.10.0 from reaching npm (both were tagged + GitHub-released but never published). - publish.yml — added
workflow_dispatchtrigger with optionalrefinput so a stuck release can be manually re-published from the Actions tab without re-tagging.
Highlights from v0.10.0 (now actually shipping)
- CLI decomposed into nine themed modules under
src/cli/commands/. - MCP tools decomposed into ten focused modules under
src/mcp/tools/plus shared_shared.ts. - Grouped
qring --helpwith nine glyph-prefixed sections. - Approval HMAC widened to cover
workspaceandsessionId. - JIT HTTP SSRF fails closed on DNS errors.
- Teleport AES-GCM uses 12-byte IVs.
- 164 tests across 24 files.
Installation
npm install -g @i4ctime/q-ring
brew install i4ctime/tap/qring # via the auto-update workflow
Full changelog: https://github.com/I4cTime/quantum_ring/blob/main/CHANGELOG.md
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About I4cTime/quantum_ring
Quantum-inspired keyring for AI coding agents. Secure secrets with superposition, entanglement, tunneling, and teleportation.
Related context
Related tools
Beta — feedback welcome: [email protected]