kobako 0.11.0-aarch64-linux → 0.11.1-aarch64-linux

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a44a6f91fb5e57a8cc4cfca97e501fab889eef17961c8088b736625e0a06983
-  data.tar.gz: 5ce894137c6df04ddf48b4bbd821bf76764a06663d7552624539e6a6ffa88242
+  metadata.gz: ea2898e0ad1df3bcda9f6b71f7c811890f248c8bf8203c8114a271aa97dd234b
+  data.tar.gz: 59faa2b92a0f751b7fe13c339c1bf47502d1560577a0d74ea77cfb72d68eb0aa
 SHA512:
-  metadata.gz: 8d28583de8802ed0dcab2cb1138d671674cf9ca11823a766ec9a46a075c73aa24d40da121273da0c506fddebea1a6fa1cd75e1041aff4a2929391b7b97d5e064
-  data.tar.gz: c6aea42ae6d840cee738ee3306e2963d4ad4e60f6e640835e9f38ef98a323a267f04986d27afb08ee6bb21665a245bee97e05eaba13596220dbbd914f2325b56
+  metadata.gz: f125e8a66ce7b03dc9608f30cc10b6ea3dd6d41115104c39852725c09e2fd0f0f3df2c07c8b4801f4f57f27e80485548d591281f972f30151a9ac8d7001b5856
+  data.tar.gz: 35ae1f7b98347be2a7b7f9e28173d8ffad8ea0129784c507530c11227a29585805a774b541be6e5e59d501304ee6325a3cf9206b48318e643eb3e0edc800f483

data/.release-please-manifest.json

@@ -1 +1 @@
-{".":"0.11.0","wasm/kobako-core":"0.5.0","wasm/kobako":"0.5.0","wasm/kobako-io":"0.5.0","wasm/kobako-regexp":"0.5.0","wasm/kobako-baker":"0.5.0"}
+{".":"0.11.1","wasm/kobako-core":"0.5.1","wasm/kobako":"0.5.1","wasm/kobako-io":"0.5.1","wasm/kobako-regexp":"0.5.1","wasm/kobako-baker":"0.5.1"}

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [0.11.1](https://github.com/elct9620/kobako/compare/v0.11.0...v0.11.1) (2026-06-14)
+
+
+### Bug Fixes
+
+* **guest:** adopt beni 0.7.0 protected dispatch (B-51) ([c61655b](https://github.com/elct9620/kobako/commit/c61655bcead336d32a4b6ff7ff1b34c21cdfccd9))
+
 ## [0.11.0](https://github.com/elct9620/kobako/compare/v0.10.0...v0.11.0) (2026-06-13)
 
 

data/README.md

@@ -329,7 +329,7 @@ forwards to another Service but never reads — while a named subset becomes an
 
 Guest code can name any `<Namespace>::<Member>` path, but a forged name only resolves to
 something you bound — the real authorization gate is this host-side allowlist. Give each
-trust context its own Sandbox, and see [`docs/security.md`](docs/security.md) for the rest
+trust context its own Sandbox, and see [`docs/security-model.md`](docs/security-model.md) for the rest
 as security-design concerns: validating untrusted input, default-deny external effects,
 and controlling the return surface.
 

data/SECURITY.md

@@ -0,0 +1,35 @@
+# Security Policy
+
+kobako runs untrusted guest code inside an in-process Wasm sandbox, so a break in
+its isolation boundary is treated as a security issue. This file is about **reporting
+such an issue**; for how the boundary is meant to work and where your
+responsibilities as a host begin, see [`docs/security-model.md`](docs/security-model.md).
+
+## Supported versions
+
+kobako is pre-1.0. Security fixes land on the latest released `0.x` version only;
+upgrade to it before reporting.
+
+## Reporting a vulnerability
+
+Report privately through GitHub's **[Report a vulnerability](https://github.com/elct9620/kobako/security/advisories/new)**
+flow — please do not open a public issue or pull request for a suspected vulnerability.
+
+Include the affected version, a minimal guest script or host setup that reproduces the
+issue, and what boundary you expected to hold. You can expect an initial acknowledgement
+within a few days; once a fix or mitigation is agreed, disclosure is coordinated through
+a GitHub Security Advisory. Reporters are credited in the published advisory unless you
+ask to stay anonymous.
+
+## Scope
+
+In scope is anything that lets guest code cross the isolation boundary it should not:
+reaching host memory, the filesystem, the network, or `ENV`; obtaining ambient time or
+entropy the host froze; reaching a `Namespace::Member` you never bound; or a
+memory-safety fault in the host codec or wasmtime driver.
+
+Out of scope is what a bound Service is *designed* to expose: if guest code reaches a
+method because you bound an object carrying it, that is a host-side authorization
+choice, not a sandbox escape — narrow the bound surface as described in the security
+model. Resource exhaustion that stays within the limits you configured is likewise
+expected behaviour, not a vulnerability.

data/lib/kobako/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Kobako
-  VERSION = "0.11.0"
+  VERSION = "0.11.1"
 end

data/release-please-config.json

@@ -2,6 +2,7 @@
   "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
   "release-type": "ruby",
   "last-release-sha": "5694da60b08931ea260e13025689b8d8c47d767a",
+  "group-pull-request-title-pattern": "chore${scope}: release${component} ${version}",
   "packages": {
     ".": {
       "component": "kobako",

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kobako
 version: !ruby/object:Gem::Version
-  version: 0.11.0
+  version: 0.11.1
 platform: aarch64-linux
 authors:
 - Aotokitsuruya
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2026-06-13 00:00:00.000000000 Z
+date: 2026-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: msgpack
@@ -37,6 +37,7 @@ files:
 - CHANGELOG.md
 - LICENSE
 - README.md
+- SECURITY.md
 - data/kobako.wasm
 - lib/kobako.rb
 - lib/kobako/3.3/kobako.so