Paneflow v0.3.9
This release rebuilds the native terminal engine on upstream alacritty_terminal and lands a deep hardening pass over the whole codebase: two full security and correctness audits remediated, a hardened self-update path, bounded IPC and subprocesses, and blocking work moved off the render thread.
Terminal
- Native terminal engine rebuilt on upstream `alacritty_terminal` with rendering parity: OSC 8 hyperlinks, configurable cursor shapes, and a live scrollbar.
- Faithful cursor and alt-screen input handling, with PTY teardown and exit-status reporting so a closed shell reports how it ended.
- A new Terminal settings tab plus a terminal block in the config schema and loader.
- Golden snapshot tests lock terminal rendering against regressions.
Self-update and trust
- The self-update path is hardened end to end: the downloaded candidate is verified before it can replace the live binary, updates swap in atomically with crash recovery, and integrity diagnostics are surfaced instead of swallowed.
- Per-platform verification was added: macOS codesign and spctl gating with Team ID pinning, Windows Authenticode through WinVerifyTrust, hardened tar.gz and AppImage extraction, and native host architecture detection for Rosetta and WOW64.
- The release pipeline gained an in-CI minisign signing step and a dual-key rotation runbook, so artifacts can be verified against a public key embedded in the binary once the key is provisioned.
Reliability and security
- Panics on untrusted input are eliminated across session restore, config parsing, IPC, date handling, and layout, with fail-safe accessors replacing defensive indexing.
- Every external surface is bounded against resource exhaustion: the IPC server caps line size, concurrency, and idle time; external subprocesses run under a timeout with a watchdog; ingress and DoS caps live in one module.
- Untrusted content is sanitized: markdown strips bidi and zero-width characters, git refs lose control bytes before they reach agent prompts, and session ids are validated to block argument injection.
- Persisted config and session input is validated and clamped, with atomic write-and-rename for `paneflow.json` and symmetric bounds across session, IPC, and the schema.
- Terminal and shim lifecycle hardening: PID-reuse guards, an environment deny-list and scrollback sanitization on restore, codex flock serialization, and correct orphan cleanup under systemd.
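
The three sanitization steps named in the untrusted-content item above, sketched in Rust as an added example (not Paneflow's code). The function names, the exact character sets, and the 64-byte id limit are assumptions made for illustration.

```rust
// Added illustration, not Paneflow's implementation. Names, character sets
// and the length limit are assumptions.

/// Bidi controls and zero-width characters that can reorder or hide text.
fn is_invisible_or_bidi(c: char) -> bool {
    matches!(c,
        '\u{200B}'..='\u{200F}'   // zero-width space/joiners, LRM, RLM
        | '\u{202A}'..='\u{202E}' // LRE, RLE, PDF, LRO, RLO
        | '\u{2066}'..='\u{2069}' // LRI, RLI, FSI, PDI
        | '\u{2060}' | '\u{FEFF}' | '\u{061C}') // word joiner, BOM, ALM
}

/// Remove invisible and direction-changing characters from markdown text.
pub fn strip_markdown_invisibles(input: &str) -> String {
    input.chars().filter(|c| !is_invisible_or_bidi(*c)).collect()
}

/// Drop control characters (C0, DEL, C1) from a git ref so escape sequences
/// and newlines cannot reach a prompt built from it.
pub fn sanitize_git_ref(raw: &str) -> String {
    raw.chars().filter(|c| !c.is_control()).collect()
}

#[derive(Debug, PartialEq)]
pub enum SessionIdError { Empty, TooLong, LeadingDash, BadChar(char) }

const MAX_SESSION_ID_LEN: usize = 64; // assumed limit

/// Allow-list check: an id that starts with '-' would be parsed as an option
/// by the program it is passed to, so it is rejected rather than escaped.
pub fn validate_session_id(id: &str) -> Result<&str, SessionIdError> {
    if id.is_empty() { return Err(SessionIdError::Empty); }
    if id.len() > MAX_SESSION_ID_LEN { return Err(SessionIdError::TooLong); }
    if id.starts_with('-') { return Err(SessionIdError::LeadingDash); }
    match id.chars().find(|c| !(c.is_ascii_alphanumeric() || matches!(c, '-' | '_'))) {
        Some(c) => Err(SessionIdError::BadChar(c)),
        None => Ok(id),
    }
}

fn main() {
    // Constructed sample inputs.
    println!("{:?}", strip_markdown_invisibles("access\u{202E}nimda\u{202C} level\u{200B}s"));
    println!("{:?}", sanitize_git_ref("feature/x\u{1b}[31m\nignore"));
    println!("{:?}", validate_session_id("--config=/tmp/x"));
    println!("{:?}", validate_session_id("a1b2-c3d4_e5"));
}
```
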
Performance
- Blocking work moved off the render thread: session saves, git diff stats, config loads, font enumeration, and the recursive file watcher run in the background, with a cached config feeding every frame.
- Lower per-frame allocations in terminal paint, sidebar recompute, and layout, with memoized derivations and zero-allocation leaf lookups.
Cross-platform
- Windows portability work in the code: portable shell launches, correct LOCALAPPDATA casing, Git for Windows PATH augmentation, and `dirs`-based home resolution.
- Non-US keyboard input fixed, Alt-on-arrows decoupled from the option-as-meta setting, and the keybindings editor reworked to be action-indexed with collision detection.
Install
- macOS (Homebrew, Apple Silicon): `brew install --cask paneflow` (the cask auto-updates to 0.3.9). The `.dmg` is Developer ID signed and notarized.
- Linux (`.deb` / `.rpm` / AppImage / `.tar.gz`, x86_64 and aarch64) and macOS Apple Silicon (`.dmg`) direct downloads are attached below, each with a SHA-256 sidecar.
Full Changelog: https://github.com/ArthurDEV44/paneflow/compare/v0.3.8...v0.3.9
Notes are synced directly from the GitHub release.