release: prepare v1.3.2

[gaelic-ghost]

Release

• prepares v1.3.2 from branch docs/security-audit-2026-05-11
• keeps protected main updates behind pull request review and CI
• release tag v1.3.2 was created locally before this PR so the reviewed release candidate is preserved exactly

Review Loop

Before merge, scripts/repo-maintenance/release.sh watches CI and stops on review comments unless the maintainer has already addressed or resolved them and reruns with --review-comments-addressed.

Summary by CodeRabbit

• Chores

  • Bumped release version to v1.3.2.

• Documentation

  • Updated README and roadmap to v1.3.2 and added release history entry.
  • Published a comprehensive security audit bundle: threat model, findings, validation report, attack-path analysis, runtime inventory, coverage ledger, checklist, and follow-up backlog items.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates release documentation from v1.3.1 to v1.3.2 across README, ROADMAP, and maintainer audit documents, and introduces a comprehensive security audit report bundle covering threat model, runtime inventory, findings discovery, validation, coverage tracking, and attack path analysis. Two medium-severity findings (JSON-RPC ID narrowing and network-policy amendment fail-open behavior) and three deferred review areas are documented.

Changes

Version Milestone and Security Audit Documentation

Layer / File(s)	Summary
Version Milestone Update README.md, ROADMAP.md, docs/maintainers/v1-public-api-audit.md	Version references updated from v1.3.1 to v1.3.2 across release status text, Quick Start dependency example, API baseline documentation, and milestone tracking.
Security Audit Follow-up Planning ROADMAP.md	Roadmap includes new "Security Audit Follow-Up" section with tracked hardening tasks (JSON-RPC ID narrowing, network-policy fail-closed mapping, stdio framing review, history store audit, generated-wire parser review), backlog items for security findings, and 2026-05-11 history entry documenting the audit bundle.
Threat Model and Runtime Inventory docs/security-audits/.../threat_model.md, docs/security-audits/.../runtime_inventory.md, docs/security-audits/.../seed_research.md	Threat model defines SwiftASB security boundary, trusted actors, assumptions, and severity calibration. Runtime inventory enumerates shipped surfaces and privileged boundaries. Seed research documents repository-specific high-impact areas targeted without external advisory lookup.
Security Findings Discovery and Validation docs/security-audits/.../finding_discovery_report.md, docs/security-audits/.../validation_report.md	Finding discovery documents two promoted findings (C1: numeric JSON-RPC ID narrowing, C2: network-policy amendment fail-open) and five suppressed candidates with validation evidence. Validation report assesses five findings (V1–V5) with severity, disposition, and evidence for each.
Coverage Tracking and Analysis docs/security-audits/.../exhaustive-file-checklist.md, docs/security-audits/.../repository_coverage_ledger.md, docs/security-audits/.../attack_path_analysis_report.md	Exhaustive checklist tracks file-by-file review coverage with subagent assistance markers. Coverage ledger enumerates 14 audit items (R1–R14) with boundaries, files, and dispositions. Attack path analysis details failure modes and non-reportable paths for the two findings.
Audit Report Summary docs/security-audits/.../report.md	Final security audit report documents scan metadata, two medium-severity findings with CWE/location/fixes, suppressed/deferred items, evidence artifacts, reviewed areas with subagent breakdown, and next steps (focused fix branches, targeted tests, follow-up audit slices).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

enhancement

Poem

🐰 Security audits hop with care, through every corner, everywhere,
From threat to fix, findings declared, a roadmap for hardening shared.
v1.3.2 now guards the way, as two Medium-severity flaws we weigh!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'release: prepare v1.3.2' directly and clearly summarizes the main change: preparing the v1.3.2 release, which encompasses updating version references and adding comprehensive security audit documentation across multiple files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/security-audit-2026-05-11

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@docs/security-audits/82ea49d_20260511T213956-0400/artifacts/finding_discovery_report.md`:
- Around line 25-26: The two references for the same finding point to different
line numbers (instance key referencing :229 while affected location references
:226); update the finding metadata so both the instance key and the affected
location reference the single verified source line in
CodexAppServer+ProtocolPayloads.swift (e.g., pick the correct line after
verifying the exact code using git blame/grep) and ensure the instance
identifier string
(fail-open-policy:Sources/SwiftASB/Public/CodexAppServer+ProtocolPayloads.swift:229)
and the affected location entry are made identical and accurate so triage links
remain stable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 1d4d1289-3149-4069-86ff-39716eed3f20

📥 Commits

Reviewing files that changed from the base of the PR and between 82ea49d and df075b7.

📒 Files selected for processing (12)

• README.md
• ROADMAP.md
• docs/maintainers/v1-public-api-audit.md
• docs/security-audits/82ea49d_20260511T213956-0400/artifacts/attack_path_analysis_report.md
• docs/security-audits/82ea49d_20260511T213956-0400/artifacts/exhaustive-file-checklist.md
• docs/security-audits/82ea49d_20260511T213956-0400/artifacts/finding_discovery_report.md
• docs/security-audits/82ea49d_20260511T213956-0400/artifacts/repository_coverage_ledger.md
• docs/security-audits/82ea49d_20260511T213956-0400/artifacts/runtime_inventory.md
• docs/security-audits/82ea49d_20260511T213956-0400/artifacts/seed_research.md
• docs/security-audits/82ea49d_20260511T213956-0400/artifacts/threat_model.md
• docs/security-audits/82ea49d_20260511T213956-0400/artifacts/validation_report.md
• docs/security-audits/82ea49d_20260511T213956-0400/report.md

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/security-audits/82ea49d_20260511T213956-0400/report.md`:
- Line 81: The phrase "Turn lifecycle, approval, elicitation, and turn handle
files." is ambiguous; update that fragment (the sentence containing "turn handle
files") to a clearer compound modifier, e.g., change "turn handle files" to
"turn-handle files" or expand to "files handling turn lifecycle objects" so the
meaning is explicit and unambiguous.
- Line 95: Update the validation note that currently reads "`git diff --check`
should be run before commit if this docs artifact is committed." to clearer
release-facing wording by replacing "this docs artifact" with "this
documentation artifact" and optionally rephrasing the sentence for clarity
(e.g., "Run `git diff --check` before committing this documentation artifact.").
Locate the exact string to change to ensure the wording is tightened.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 0be9e789-061f-4c7b-a282-db4d7c65bf91

📥 Commits

Reviewing files that changed from the base of the PR and between df075b7 and 0b06f55.

📒 Files selected for processing (2)

• docs/security-audits/82ea49d_20260511T213956-0400/artifacts/finding_discovery_report.md
• docs/security-audits/82ea49d_20260511T213956-0400/report.md

✅ Files skipped from review due to trivial changes (1)

• docs/security-audits/82ea49d_20260511T213956-0400/artifacts/finding_discovery_report.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify compound modifier for readability.

Line 81 (“turn handle files”) reads ambiguously; use a hyphenated or expanded form (for example, “turn-handle files” or “files handling turn lifecycle objects”) to avoid misreading.

🧰 Tools

🪛 LanguageTool

[grammar] ~81-~81: Use a hyphen to join words.
Context: ...fecycle, approval, elicitation, and turn handle files. - Library, loaded thread, ...

(QB_NEW_EN_HYPHEN)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security-audits/82ea49d_20260511T213956-0400/report.md` at line 81, The
phrase "Turn lifecycle, approval, elicitation, and turn handle files." is
ambiguous; update that fragment (the sentence containing "turn handle files") to
a clearer compound modifier, e.g., change "turn handle files" to "turn-handle
files" or expand to "files handling turn lifecycle objects" so the meaning is
explicit and unambiguous.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Tighten phrasing in the validation note.

Line 95 is understandable but awkward (“this docs artifact”). Consider “this documentation artifact” for clearer release-facing wording.

🧰 Tools

🪛 LanguageTool

[style] ~95-~95: To form a complete sentence, be sure to include a subject.
Context: ... behavior changes. - git diff --check should be run before commit if this docs artif...

(MISSING_IT_THERE)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security-audits/82ea49d_20260511T213956-0400/report.md` at line 95,
Update the validation note that currently reads "`git diff --check` should be
run before commit if this docs artifact is committed." to clearer release-facing
wording by replacing "this docs artifact" with "this documentation artifact" and
optionally rephrasing the sentence for clarity (e.g., "Run `git diff --check`
before committing this documentation artifact."). Locate the exact string to
change to ensure the wording is tightened.