What Changed

This release is a focused security hardening pass across the installer, TUI self-update, and MCP tool layer. No new features — every change here reduces attack surface or tightens correctness.

Security Fixes

• install.sh: atomic binary installation — binary is now downloaded to a temp file inside INSTALL_DIR before checksum verification, then moved atomically into place. Previously a failed or interrupted install could leave a partial binary at the destination. An EXIT trap guarantees temp file cleanup on any failure path.
• TUI: command injection prevention in self-update — runSelfUpdate previously interpolated the release tag directly into a bash -c string. The tag is now validated against a strict allowlist (^[0-9A-Za-z._-]+$) and passed as a positional argument ($1) so it is never evaluated as shell code.
• TUI: self-update checksum verification — runSelfUpdate now downloads install.sh from the versioned release tag and verifies its SHA-256 against checksums.txt before executing. The previous implementation fetched from main and executed immediately with no integrity check.
• TUI: self-update error diagnostics — script output is now captured and included in the returned error, so failures surface actionable detail rather than a generic exit code.
• MCP: input size limits — all five tool string inputs in tools/mcp/server.mjs now cap at 500,000 characters via Zod .max(). Unbounded inputs could exhaust memory on the Ollama host.

Infrastructure

• install.sh included in release checksums — goreleaser now ships install.sh as a release artifact, so checksums.txt covers it. The self-update checksum path was always broken without this.
• Demo GIF workflow removed — demo.yml is deleted. GIFs are generated locally with VHS and committed manually when the TUI visually changes. Removes the GIF_TOKEN PAT dependency entirely.
• Documentation paths corrected — updated ollama-delegate.sh reference in core/NEXUS.md and core/kiro-nexus-steering.md from tools/automation/ to tools/utilities/.

Hardware Benchmarks

• ⏳ Low tier — pending
• ⏳ Mid tier — pending
• ⏳ High tier — pending

Benchmark infrastructure is tracked in #75. Results will be added to these notes as they become available.

Full Changelog: v0.1.6...v0.1.7

What Changed

This release repositions NEXUS as a unified AI toolkit layer — one config for every AI CLI you use — and ships foundational features for the v0.2.0 observability milestone.

New Features

• TUI: Task Log screen — view MCP tool invocations with model, latency, and pass/fail status. Access from the main menu → Task Log.
• TUI: GPU auto-detection — Health Check now detects your GPU (NVIDIA, AMD, Apple Silicon) and recommends the right model band for your hardware.
• MCP: Fast-path routing — commit messages for trivial diffs (renames, version bumps, lock files, deletions) are generated instantly without calling Ollama.
• MCP: Structured output — commit message generation uses Ollama's native JSON schema support for more reliable output.
• MCP: Task logging — all tool invocations are logged to ~/.config/nexus/logs/mcp-tasks.jsonl with timing and status data.
• Onboarding Guide persona — new persona that walks users through hardware detection, model selection, and setup verification. See personas/onboarding-guide.md.

Documentation

• README rewritten — subtitle, Philosophy, and "What NEXUS Does" sections reframed around config unification and subtraction-first messaging.
• Cloud Billing Guide — new guide explaining cost optimization through local model routing, with links to official API pricing pages. See docs/cloud-billing-guide.md.

Fixes

• Close HTTP response body in health check (connection leak)
• Handle Intel Macs in Apple Silicon detection (no false positives)
• Handle multi-GPU NVIDIA systems (parse first GPU, split by last comma)
• Truncate long tool/model names in Task Log to preserve column alignment
• Safe .env update in onboarding persona (no destructive overwrite)
• Secure-by-default Ollama install recommendation (inspect-first)

Infrastructure

• CI parallelized — test-install-cycle no longer waits for build-and-test, cutting wall-clock CI time roughly in half.
• macOS added to CI build and install test matrix (v0.1.5).
• Windows binaries removed from releases until #18 ships.

Hardware Benchmarks

• ⏳ Low tier — pending
• ⏳ Mid tier — pending
• ⏳ High tier — pending

Benchmark infrastructure is tracked in #75. Results will be added to these notes as they become available.

Full Changelog: v0.1.5...v0.1.6

Changelog

• 1f3eb6d fix(install): prefer shasum on macOS to avoid BSD sha256sum incompatibility (#34)

Changelog

• 5249ac1 fix(install): use awk for checksum lookup to handle double-space separator

Changelog

• da8eb9d Merge branch 'main' into feature/v0.1.3-security-hardening
• 6687021 Merge pull request #21 from mvanhorn/osc/8-localhost-default
• 8fe1724 Merge pull request #27 from anakinMango/feature/v0.1.3-security-hardening
• ac8a88a ci: retrigger checks after force-push
• 76b548c fix(ci): fetch full git history in demo workflow for version tag
• 7c1eb36 fix(issue-manager): default OLLAMA_HOST_URL to localhost (#8)
• bf568dd fix: use portable quote stripping in _load_env for Bash 3.2 compat
• fad8bfb security: add checksum verification and safe .env parser
• 1c9b5b2 security: address PR review feedback
• 1040f27 security: fail closed when no checksum tool is available

Changelog

• 3c93f08 ci: add GitHub Actions workflow to generate demo.gif via VHS
• db4affc ci: use GIF_TOKEN for automatic demo.gif commits to main
• da014c9 feat(tui): custom color theme, version check, and self-update
• dc183f1 feat: add NEXUS ASCII art to README header and TUI menu
• df5b0d4 fix(ci): correct VHS module path and ttyd download URL
• 9a5793f fix(ci): install VHS manually instead of broken vhs-action
• 578346e fix(ci): upload demo.gif as artifact, handle branch protection
• 46bfbee fix(tui): enable AltScreen for proper full-screen rendering
• 210dc38 fix: pre-release security and bug fixes

Changelog

• 7ae7d1d feat: open-source scaffolding for public release

Changelog

• e5030cf Merge pull request #4 from canoo/feat/nexus-tui
• 74bd537 chore(tui): improve findNexusDir robustness and fix module path
• cc9eeb8 ci: add PR checks — build, vet, install cycle test, shellcheck
• ea41398 feat: add hardware-specific model configuration and env var routing
• 3481a60 feat: add local AI toggle to install wizard and configure screen
• 8104204 feat: add nexus TUI, bubbletea agent, and single-command installer
• 097a53d fix(tui): UX improvements — uninstall confirm, save feedback, labels, responsive layout
• 394063c fix(tui): fix JSON injection, .env Ollama URL, and saveEnv error handling
• e230c40 fix: handle read-only Go module cache in test cleanup
• 766f931 fix: replace placeholder org with canoo
• cb00ce0 fix: set goreleaser build dir to tools/tui