chore: release v0.10.0#228

Merged
lroolle merged 1 commit into main from release/v0.10.0
Mar 25, 2026
Conversation

@lroolle (Member) commented Mar 25, 2026

Bump VERSION to 0.10.0 and update CHANGELOG.

See PR #227 for the feature diff. This PR contains only the version bump and changelog entry.

- Claude --chrome integration with host bridge socket and extension mounts
- Dockerfile agent-base/final stage split for better caching
- Bridge tmpdir resolution fix for macOS
- Full image ref support in installer and deva.sh
- build-core and build-rust-image Makefile targets
Copilot AI review requested due to automatic review settings March 25, 2026 06:37
@lroolle lroolle merged commit 09ca3b0 into main Mar 25, 2026
4 of 6 checks passed
@claude-yolo (Contributor) claude-yolo bot commented Mar 25, 2026

Claude finished @lroolle's task in 2m 34s

Security Audit of PR #228 - CRITICAL FINDINGS

Todo List:

  • Read modified files (CHANGELOG.md, deva.sh)
  • Analyze version bump changes for security implications
  • Review core security-sensitive files (deva.sh, docker-entrypoint.sh, agents/*.sh)
  • Check for shell injection vulnerabilities
  • Audit container escape vectors
  • Examine authentication bypass risks
  • Review privilege escalation opportunities
  • Analyze what features were added in PR #227 (feat: Claude --chrome support, build stage refactor, bridge tmpdir fix)
  • Compile security findings and recommendations

BLOCKING SECURITY ISSUES

🔴 CRITICAL: Host Chrome Profile Mounting (CWE-22: Path Traversal)

Issue: v0.10.0 introduces Chrome profile mounting that bypasses container boundaries

  • Code: prepare_claude_chrome_detection_mount() in deva.sh:430-513
  • Vector: DEVA_CHROME_PROFILE_PATH and DEVA_CHROME_USER_DATA_DIR mount arbitrary host paths
  • Risk: Complete container escape via host filesystem access

Exploitation Examples:

export DEVA_CHROME_PROFILE_PATH="/etc/passwd/../../.."
export DEVA_CHROME_USER_DATA_DIR="/root"
deva.sh claude -- --chrome

Path Validation Bypass:

  • normalize_host_bind_path() uses expand_tilde() and absolute_path() but doesn't restrict mount scope
  • canonical_path() resolves symlinks but allows mounting anywhere on host filesystem

🔴 CRITICAL: Bridge Directory Host Access (CWE-668: Container Escape)

Issue: Chrome bridge creates writable host-to-container channels

  • Code: setup_claude_chrome_bridge() in docker-entrypoint.sh:264-287
  • Vector: Bridge dir mounted at /deva-host-chrome-bridge with container write access
  • Risk: Host filesystem modification, privilege escalation

Attack Surface:

# Container can write to host via bridge symlink
ln -snf "/deva-host-chrome-bridge" "$container_tmpdir/claude-mcp-browser-bridge-$DEVA_USER"
# Enables host filesystem access from container

🟠 HIGH: Host User Information Disclosure (CWE-200)

Issue: Host username passed to container environment

  • Code: DEVA_CHROME_HOST_USER=$host_user in deva.sh:566
  • Risk: Host reconnaissance, social engineering vectors

🟠 HIGH: Predictable Bridge Paths (CWE-330)

Issue: Bridge directories use predictable naming patterns

  • Pattern: /tmp/claude-mcp-browser-bridge-$USER
  • Risk: Race conditions, symlink attacks, local privilege escalation

MEDIUM RISK FINDINGS

🟡 Shell Injection Resistance (GOOD)

  • Finding: Proper parameter arrays used throughout ("${args[@]+"${args[@]}"}")
  • Evaluation: No immediate shell injection vectors found
  • Code: All user input properly quoted in agents/claude.sh and docker-entrypoint.sh

🟡 Authentication Flow Security (MIXED)

  • Good: Auth tokens properly passed via env vars, no CLI exposure
  • Concern: Multiple auth methods increase attack surface
  • Issue: No rate limiting on auth failures

🟡 Container Permission Model (BY DESIGN)

  • Finding: --dangerously-skip-permissions is intentionally forced
  • Risk: Agent-level security theater disabled by design
  • Rationale: Container IS the sandbox (per AGENTS.md)

REQUIRED SECURITY CONTROLS

🛡️ Immediate Actions (BLOCKING)

  1. Path Allowlist: Restrict Chrome mounts to safe directories only

    # Only allow under user home, not system paths
    ALLOWED_CHROME_PATHS="/home/$USER /Users/$USER"
  2. Bridge Sandboxing: Create isolated bridge directories with restricted permissions

    chmod 755 "$host_bridge_dir"  # Not 700, prevents container write
  3. Host User Masking: Remove or hash host username before container passage

🔧 Additional Hardening

  1. Mount Validation: Check all mount targets are within expected boundaries
  2. Bridge Cleanup: Ensure bridge directories are properly cleaned on container exit
  3. Audit Logging: Log all Chrome integration mount operations
  4. Permission Review: Validate bridge directory permissions don't allow host write-back

RECOMMENDATIONS

For v0.10.1 (URGENT)

  • Add path allowlist for Chrome profile mounting
  • Remove write permissions from bridge directories
  • Mask host usernames passed to containers
  • Add integration tests for Chrome mount boundary validation

For Future Releases

  • Implement mount namespace isolation for Chrome integration
  • Add audit trail for all host-container mount operations
  • Consider gVisor or similar runtime for enhanced isolation
  • Regular penetration testing of container escape vectors

VERDICT: DO NOT RELEASE v0.10.0 to production without addressing CRITICAL findings. The Chrome integration fundamentally weakens container isolation.
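
The path allowlist that the audit above lists as its first blocking control, written out here as an added shell example; it is not code from deva.sh or the deva project, and the function names canonical_mount_path and validate_chrome_mount_path are hypothetical. The check resolves the requested mount source to its canonical form (symlinked directories followed, ".." collapsed) before comparing it against the allowed roots, refuses a source that does not exist (Docker would otherwise create it on the host as a root-owned directory), refuses "/" as an allowed root, and runs against a constructed directory tree under mktemp so that it can be tried offline.

```sh
#!/bin/sh
# Added example, not code from deva.sh or the deva project.
# Demonstrates a host-path allowlist for container bind mounts: the requested
# path is accepted only if its canonical form lies under an allowed root.
# Hypothetical names: canonical_mount_path, validate_chrome_mount_path.

# Print the canonical absolute form of PATH. Fails if PATH does not exist
# (a missing bind-mount source would be created on the host by Docker as a
# root-owned directory). Symlinked directories are resolved with pwd -P;
# a symlink as the final component of a non-directory is refused outright,
# since readlink -f is not available on every platform this runs on.
canonical_mount_path() {
    cmp_path=$1
    [ -e "$cmp_path" ] || return 1
    if [ -d "$cmp_path" ]; then
        (cd "$cmp_path" && pwd -P)
    else
        [ -L "$cmp_path" ] && return 1
        cmp_dir=$(cd "$(dirname "$cmp_path")" && pwd -P) || return 1
        printf '%s/%s\n' "$cmp_dir" "$(basename "$cmp_path")"
    fi
}

# validate_chrome_mount_path PATH ALLOWED_ROOT...
# Prints the canonical PATH and returns 0 if it equals, or lies under, one of
# the allowed roots (each root is canonicalised the same way); returns 1 otherwise.
validate_chrome_mount_path() {
    vmp_requested=$1; shift
    vmp_resolved=$(canonical_mount_path "$vmp_requested") || return 1
    for vmp_root in "$@"; do
        vmp_root_resolved=$(canonical_mount_path "$vmp_root") || continue
        # "/" as an allowed root would admit every path on the host.
        [ "$vmp_root_resolved" = / ] && continue
        case "$vmp_resolved" in
            "$vmp_root_resolved"|"$vmp_root_resolved"/*)
                printf '%s\n' "$vmp_resolved"
                return 0 ;;
        esac
    done
    return 1
}

# Constructed sample tree standing in for a host filesystem; removed at the end.
# Only the Chrome profile under the allowed home directory should pass:
# the ".." traversal and the symlink both resolve outside it, and the
# missing path does not exist.
demo_chrome_mount_checks() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/home/alice/.config/google-chrome" "$demo_root/etc"
    ln -s "$demo_root/etc" "$demo_root/home/alice/escape"
    allowed="$demo_root/home/alice"
    for candidate in \
        "$demo_root/home/alice/.config/google-chrome" \
        "$demo_root/home/alice/../../etc" \
        "$demo_root/home/alice/escape" \
        "$demo_root/home/alice/missing"
    do
        if out=$(validate_chrome_mount_path "$candidate" "$allowed"); then
            printf 'allow  %s -> %s\n' "$candidate" "$out"
        else
            printf 'refuse %s\n' "$candidate"
        fi
    done
    rm -rf "$demo_root"
}

demo_chrome_mount_checks
```

The comparison is done on the canonical path rather than on the string the caller supplied, because a prefix check on the raw value would accept `$HOME/../../etc` or a symlink placed inside the home directory; the canonical-root check also means the mounted path is exactly what the user is told it is.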

@lroolle lroolle deleted the release/v0.10.0 branch March 25, 2026 06:37

Copilot AI left a comment


Pull request overview

This PR performs the v0.10.0 release bookkeeping by bumping the deva.sh version constant and adding the corresponding CHANGELOG.md entry.

Changes:

  • Bump VERSION in deva.sh from 0.9.2 to 0.10.0
  • Add CHANGELOG.md section for 0.10.0 dated 2026-03-24

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • deva.sh: Updates the script’s VERSION constant to 0.10.0.
  • CHANGELOG.md: Adds the release notes for 0.10.0 above the 0.9.2 entry.
