A Release About Trusting the Release
v0.4.21 closes a set of security and distribution gaps found during the latest weekly audit. The detection engine remains one binary with sixteen modules and no new runtime dependencies, but the path from source code to downloadable artifact is substantially stricter.
The release fixes boundary handling in profile names, Unicode and Punycode decoding, PCM parsing, and archive size validation. It also makes high-severity Gosec findings, Govulncheck, OSV, Rust Clippy, tests, and cargo audit blocking conditions for CI and releases instead of advisory checks. A release now stops when those gates fail.
Application Boundary Hardening
The profile command now accepts only letters, numbers, hyphens, and underscores before resolving a profile path. That closes traversal and surprising file-operation cases across create, show, use, and delete. Invalid names fail before they reach the filesystem.
Injection Shield now rejects non-ASCII characters masquerading as hexadecimal HTML entity digits, and its byte conversions are explicitly bounded before narrowing. Deepfake Guard's Punycode decoder rejects values outside the Unicode scalar range, including surrogate code points, instead of allowing an out-of-range conversion. PCM16 decoding is centralized around the format's defined two's-complement representation.
File Sentinel also replaces overflow-prone archive-size arithmetic with a wide calculation. Crafted DOCX ZIP and JPEG 2000 headers can no longer wrap a 32-bit size comparison and slip through the plausibility check.
Security Scans Now Block the Build
The previous workflow allowed several vulnerability tools to fail without failing CI. That is no longer acceptable for a security product. Gosec now runs as a blocking high-severity, medium-confidence gate across the command and internal packages. Govulncheck, OSV Scanner, and cargo audit are blocking as well.
The hardened policy was validated against the full codebase with zero qualifying Gosec issues, zero reachable Go vulnerabilities, and zero known affected packages in OSV after the repository's documented Rust advisory policy is applied. Go build, vet, Staticcheck, formatting, race tests, and Rust formatting, Clippy with warnings denied, build, and all 189 Rust tests must also pass before a tag can publish assets.
The Rust Engine Finally Reports the Release It Belongs To
The v0.4.18 Rust engine artifact identified itself as 0.1.0 because its CLI version came from stale package metadata. v0.4.21 fixes that at the build boundary. Release builds receive the Git tag as their compiled version, while local builds fall back to the Cargo package version. The startup log and --version output now use the same source of truth.
A dedicated regression test checks the version exposed by the CLI command, and the published Windows amd64 engine was executed after download to confirm it reports 1sec-engine v0.4.21.
Native Windows ARM64 Engine Downloads
The Rust sidecar now ships for Windows ARM64 alongside Windows amd64, Linux amd64 and ARM64, and macOS amd64 and ARM64. The release workflow configures Microsoft's ARM64 cross tools directly on the hosted Windows runner, builds the aarch64-pc-windows-msvc target, audits it, and publishes it with the other engines.
We validated the downloaded executable's PE header after publication. Windows amd64 reports machine type 0x8664 and Windows ARM64 reports 0xAA64. The Go release archives were checked the same way, so both the primary 1-SEC binary and the optional Rust engine are available with the correct native architecture markers.
Checksums, Signatures, SBOMs, and Provenance
The v0.4.21 release contains 22 assets: Go archives for five platform targets, six Rust engine binaries, SBOMs, checksum manifests, and Sigstore bundles. Every asset named by the Go and Rust manifests was downloaded again and hashed independently after publication. All checksums matched.
Both checksum manifests passed Cosign verification against the release workflow's GitHub Actions identity. GitHub artifact attestations were also verified for the Windows amd64 and ARM64 Go archives and Rust engines. This checks more than whether an upload completed: it connects each tested file back to the repository and workflow that produced it.
A Warning-Free, Reproducible Release Workflow
GitHub's Node 20 action runtime is being retired, so the workflow now uses the current Node 24 generations of checkout, setup-go, cache, artifact upload, artifact download, and GoReleaser actions. The Rust audit bootstrap works consistently across Bash and PowerShell runners, including images where cargo-audit is already installed.
The macOS ARM64 build is pinned to the stable macOS 15 label instead of following macos-latest into an automatic macOS 26 migration. The Intel build remains pinned to macos-15-intel. This keeps future weekly releases reproducible while toolchain images continue to move underneath hosted CI.
No New Modules, No New Runtime Dependencies
This work expands existing ownership boundaries rather than inventing new ones. The architecture remains capped at sixteen security modules. The parser, file sentinel, profile, sidecar, and workflow changes live where those responsibilities already belong.
The only local tooling added during verification was build tooling needed to exercise race-enabled Go tests and Windows cross-compilation paths. Nothing new is linked into or required by the shipped 1-SEC binaries.
Upgrade to v0.4.21
curl -fsSL https://1-sec.dev/get | sh
Windows and manual-install users can download the signed archives and native Rust engines from https://github.com/cutmob/1-SEC/releases/tag/v0.4.21. Existing configurations remain compatible. No new service, module, database, or API key is required.