
Keesan12/Martin-Loop

v0.1.5 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

agent-runtime ai-agent-runtime ai-coding-agents ai-control-plane ai-governance ai-safety
audit-trail budget-enforcement claude-code codex coding-agents control-plane governed-runtime llmops mcp model-context-protocol observability policy-as-code rollback

Affected surfaces

rce_ssrf

ReleasePort's take

Light signal

v0.1.5 hardens the subprocess stdin lifecycle, addressing a security vulnerability; it also switches the npm release to trusted publishing and repairs release version automation.

Why it matters: v0.1.5 fixes a subprocess stdin security vulnerability and hardens npm publishing. Patch immediately if subprocess operations are in production use.

Summary

AI summary

Harden subprocess stdin lifecycle to fix a security vulnerability.

Changes in this release

Security Medium

Switch npm release to trusted publishing

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Harden subprocess stdin lifecycle

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Repair release version step

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

What changed since v0.1.4

  • Merge pull request #32 from Keesan12/codex/trusted-publishing-setup
  • ci: switch npm release to trusted publishing
  • Merge pull request #31 from Keesan12/codex/root-cleanup-2026-05-12
  • Merge pull request #30 from Keesan12/codex/release-hotfix
  • chore: remove stray draft posts from repo root
  • fix: harden subprocess stdin lifecycle
  • fix: repair release version step
  • Merge pull request #29 from Keesan12/codex/distribution-push

Install or quick try

npm install -g martin-loop
npx martin-loop demo

Benchmark challenge

Try the public challenge: https://github.com/Keesan12/martin-loop/blob/main/docs/distribution/UNDER-3-CHALLENGE.md

GitHub discussions

Verification and provenance

  • npm publication runs before the GitHub release job and skips duplicate publishes when the tagged version already exists on npm.
  • Release assets are built from the tagged source and packed in CI before the release is published.
  • The public smoke path covers the root SDK import, CLI help, and the packaged martin-loop demo sandbox flow.
  • The benchmark challenge numbers stay tied to the public repo-backed benchmark story and reproduction commands.

Full Changelog: https://github.com/Keesan12/martin-loop/compare/v0.1.4...v0.1.5

Security Fixes

  • Harden subprocess stdin lifecycle — fixes a vulnerability in the subprocess handling

Related context

Earlier breaking changes

  • vmcp-v0.1.3 martin_status uses oneOf for selector exclusivity, latest as const.
  • vmcp-v0.1.3 maxIterations and maxTokens modeled as integers in tool schemas.
  • vmcp-v0.1.3 Tool schemas enforce additionalProperties: false on public contracts.
  • vmcp-v0.1.3 Packaged artifacts now require and ship server.json alongside package.json.
