Releases: alphaonedev/grok-cli

grok cli v1.7.0

28 Apr 18:38

Full-spectrum security, performance, release-engineering, and DX hardening based on a six-agent code review of the entire codebase.

281 tests pass. tsc --noEmit clean. Zero new lint warnings. 25 unused dependencies removed.

macOS signing status. The macOS binary in this release is ad-hoc signed by the release workflow (codesign --force --sign -). That satisfies the Apple Silicon kernel's "must be signed" requirement, so the binary launches normally. It is not yet a Developer ID signature and is not notarized. Browser-downloaded copies will hit a Gatekeeper "cannot verify developer" warning on first run; right-click → Open once to dismiss it, or run xattr -d com.apple.quarantine ~/.grok/bin/grok. The install.sh curl-pipe path strips the quarantine attribute automatically. Full Developer ID + notarization will land in a follow-up release once the GitHub Actions secrets are configured — the workflow is already wired for it.

Security

  • Wallet private keys are now AES-256-GCM encrypted at rest. Existing plaintext wallets are migrated transparently on first read. Encryption key derives from GROK_STORAGE_KEY (preferred) or a per-machine fallback.
  • Schedule daemon spawn no longer leaks unrelated env secrets. Replaced ...process.env spread with an explicit allowlist plus a blocklist for TELEGRAM_BOT_TOKEN, OPENAI_API_KEY, ANTHROPIC_API_KEY, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN.
  • Schedule directory traversal hardened. validateScheduleDirectory() realpath-resolves the target, requires isDirectory, rejects sensitive system roots (/etc, /usr, /sbin, /bin, /boot, /proc, /sys, /dev, /root, /System, /Library, /Applications, /private/* mirrors).
  • Per-user Telegram rate limit. Default 10 messages / 60s, env-tunable.
  • Sandbox-off warning banner. Yellow stderr banner when --sandbox is off; suppressible via GROK_SUPPRESS_SANDBOX_WARNING=1.
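As an added illustration of the first bullet (example code written for this page, not grok-cli's own source), the encrypt-on-first-read migration: a legacy plaintext key file is re-written as an AES-256-GCM envelope, with the key derived from GROK_STORAGE_KEY when set and a per-machine string otherwise. The `gwk1:` envelope prefix, the hex-encoded legacy layout and the scrypt parameters are assumptions of this example.

```typescript
// Added example, not grok-cli's wallet storage: AES-256-GCM envelope for a wallet
// private key plus transparent migration of a legacy plaintext (hex) file.
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";
import { mkdtempSync, readFileSync, renameSync, writeFileSync } from "node:fs";
import { hostname, tmpdir, userInfo } from "node:os";
import { join } from "node:path";

type Env = Record<string, string | undefined>;
const MAGIC = "gwk1"; // envelope marker: a plaintext hex key can never start with this
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// GROK_STORAGE_KEY is preferred. The per-machine fallback only keeps a copied file
// useless off-box; on the box itself it is derivable by anyone who can read the file.
export function keyMaterial(env: Env = process.env): Buffer {
  if (env.GROK_STORAGE_KEY) return Buffer.from(env.GROK_STORAGE_KEY, "utf8");
  return Buffer.from(`${hostname()}:${userInfo().username}`, "utf8");
}

// Fresh salt per encryption, so the same passphrase never yields the same key twice.
export function deriveKey(material: Buffer, salt: Buffer): Buffer {
  return scryptSync(material, salt, 32, { N: 1 << 14, r: 8, p: 1 });
}

export function encryptKey(plain: Buffer, material: Buffer): string {
  const salt = randomBytes(SALT_LEN);
  const iv = randomBytes(IV_LEN); // never reuse an IV under one key with GCM
  const cipher = createCipheriv("aes-256-gcm", deriveKey(material, salt), iv);
  cipher.setAAD(Buffer.from(MAGIC));
  const ct = Buffer.concat([cipher.update(plain), cipher.final()]);
  const blob = Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
  return `${MAGIC}:${blob.toString("base64")}`;
}

export function isEncrypted(text: string): boolean {
  return text.startsWith(`${MAGIC}:`);
}

export function decryptKey(envelope: string, material: Buffer): Buffer {
  if (!isEncrypted(envelope)) throw new Error("not an encrypted wallet envelope");
  const blob = Buffer.from(envelope.slice(MAGIC.length + 1), "base64");
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error("envelope truncated");
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(material, salt), iv);
  decipher.setAAD(Buffer.from(MAGIC));
  decipher.setAuthTag(tag);
  // final() throws on a wrong key, a flipped ciphertext bit or a swapped tag.
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}

// Transparent migration: a plaintext file is rewritten encrypted via a staged
// .new file and an atomic rename, so a crash leaves either the old or the new file.
export function loadWalletKey(path: string, material: Buffer): { key: Buffer; migrated: boolean } {
  const text = readFileSync(path, "utf8").trim();
  if (isEncrypted(text)) return { key: decryptKey(text, material), migrated: false };
  const key = Buffer.from(text, "hex");
  if (key.length !== 32) throw new Error("legacy wallet file is not a 32-byte hex key");
  const staged = `${path}.new`;
  writeFileSync(staged, encryptKey(key, material), { mode: 0o600 });
  renameSync(staged, path);
  return { key, migrated: true };
}

// Usage on a constructed legacy wallet file in a temp dir: first read migrates,
// second read decrypts, and both return the original key bytes.
export function demo(): { first: boolean; second: boolean; fileEncrypted: boolean; sameKey: boolean } {
  const path = join(mkdtempSync(join(tmpdir(), "grok-wallet-")), "wallet.key");
  const original = randomBytes(32);
  writeFileSync(path, original.toString("hex") + "\n", { mode: 0o600 });
  const material = keyMaterial({ GROK_STORAGE_KEY: "example-passphrase" });
  const a = loadWalletKey(path, material);
  const b = loadWalletKey(path, material);
  return { first: a.migrated, second: b.migrated, fileEncrypted: isEncrypted(readFileSync(path, "utf8")),
           sameKey: a.key.equals(original) && b.key.equals(original) };
}
```

The marker prefix is what makes the migration safe to run on every read: a file is either recognisably an envelope or treated as legacy plaintext, never guessed at.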
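The three boundary checks from the daemon and Telegram bullets above, as an added example (written for this page, not grok-cli's code): an env builder that forwards only an allowlist and refuses the blocklisted names outright, a realpath-based directory validator with the sensitive roots listed above, and a per-user sliding-window limiter. The allowlist contents, the GROK_TELEGRAM_RATE_* tuning variables and the function names are assumptions.

```typescript
// Added example, not grok-cli's source. Three input-boundary checks for a spawned
// schedule daemon and an inbound Telegram message stream.
import { mkdtempSync, realpathSync, statSync, symlinkSync } from "node:fs";
import { tmpdir } from "node:os";
import { join, sep } from "node:path";

type Env = Record<string, string | undefined>;

// Only these names reach the child; the rest of process.env is simply not copied.
const ENV_ALLOWLIST = ["PATH", "HOME", "TMPDIR", "LANG", "TZ", "GROK_API_KEY", "GROK_STORAGE_KEY"];
// Belt and braces: refused even if someone later widens the allowlist or passes them explicitly.
const ENV_BLOCKLIST = new Set([
  "TELEGRAM_BOT_TOKEN", "OPENAI_API_KEY", "ANTHROPIC_API_KEY", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
]);

export function buildDaemonEnv(parent: Env, extra: Env = {}): Env {
  const child: Env = {};
  for (const name of ENV_ALLOWLIST) {
    if (parent[name] !== undefined && !ENV_BLOCKLIST.has(name)) child[name] = parent[name];
  }
  for (const [name, value] of Object.entries(extra)) {
    if (ENV_BLOCKLIST.has(name)) throw new Error(`refusing to pass ${name} to the schedule daemon`);
    child[name] = value;
  }
  return child;
}

const UNIX_ROOTS = ["/etc", "/usr", "/sbin", "/bin", "/boot", "/proc", "/sys", "/dev", "/root"];
const MAC_ROOTS = ["/System", "/Library", "/Applications"];
// macOS keeps /etc, /var etc. as symlinks into /private; realpath lands there, so list the mirrors.
const FORBIDDEN_ROOTS = [...UNIX_ROOTS, ...MAC_ROOTS, ...UNIX_ROOTS.map((r) => `/private${r}`)];

function underRoot(real: string, root: string): boolean {
  return real === root || real.startsWith(root + sep); // "/etcetera" must not match "/etc"
}

export function validateScheduleDirectory(target: string): { ok: true; real: string } | { ok: false; reason: string } {
  let real: string;
  try {
    real = realpathSync(target); // resolves ../ and symlinks before any prefix check
  } catch {
    return { ok: false, reason: "path does not exist" };
  }
  if (!statSync(real).isDirectory()) return { ok: false, reason: "not a directory" };
  const hit = FORBIDDEN_ROOTS.find((root) => underRoot(real, root));
  if (hit) return { ok: false, reason: `inside sensitive root ${hit}` };
  return { ok: true, real };
}

// Sliding window: at most `max` accepted messages per user in any `windowMs` span.
export class PerUserRateLimit {
  private hits = new Map<string, number[]>();
  constructor(
    private readonly max = Number(process.env.GROK_TELEGRAM_RATE_MAX ?? 10),
    private readonly windowMs = Number(process.env.GROK_TELEGRAM_RATE_WINDOW_MS ?? 60_000),
  ) {}
  allow(userId: string, now = Date.now()): boolean {
    const recent = (this.hits.get(userId) ?? []).filter((t) => now - t < this.windowMs);
    const allowed = recent.length < this.max;
    if (allowed) recent.push(now);
    this.hits.set(userId, recent); // also prunes expired timestamps
    return allowed;
  }
}

// Usage: a temp dir is accepted; a harmless-looking symlink into /etc is not.
export function demo(): { tmpOk: boolean; symlinkOk: boolean } {
  const dir = mkdtempSync(join(tmpdir(), "grok-sched-"));
  const link = join(dir, "looks-harmless");
  symlinkSync("/etc", link);
  return { tmpOk: validateScheduleDirectory(dir).ok, symlinkOk: validateScheduleDirectory(link).ok };
}
```

Checking the prefix after realpath rather than on the string the user typed is the whole point: `../../etc`, `/tmp/x -> /etc` and `/private/etc` all normalise to the same rejected root.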

Release engineering

  • Atomic, size-verified install path. install.sh and install-manager.ts HEAD-probe Content-Length, verify post-download size, retry transient failures with exponential backoff, refuse empty checksums.txt, write to .new / .part staging then atomic rename. Roots out the truncated-binary failure mode where an interrupted curl could leave a corrupt 21MB binary in place of a 71MB release.
  • macOS ad-hoc signing in CI unconditionally — kernel-acceptable, no SIGKILL on launch.
  • install.sh strips com.apple.quarantine post-install (defensive against --binary flag installing a browser-quarantined file).
  • Vitest now runs in CI between typecheck and binary build.
  • Optional macOS Developer ID + notarytool scaffold in .github/workflows/release.yml, gated on five GitHub Actions secrets (see docs/RELEASE_SIGNING.md).
  • Stale superagent-ai/grok-cli reference fixed; auto-updates resolve to alphaonedev/grok-cli.
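The atomic, size-verified download path from the first bullet, as an added example written for this page (not the project's install.sh or install-manager.ts): HEAD-probe Content-Length, write to a .part file, compare the on-disk size with what the server advertised, check the SHA-256 from checksums.txt, and only then rename into place, retrying transient failures with exponential backoff. The `fetcher` parameter, the constructed `fakeServer` and the retry policy are assumptions of this example; the default fetcher is the global fetch.

```typescript
// Added example, not grok-cli's installer. Truncation shows up as a size mismatch and
// is retried; a checksum mismatch is treated as tampering and is not.
import { createHash } from "node:crypto";
import { existsSync, mkdtempSync, readFileSync, renameSync, statSync, unlinkSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

export interface MinimalResponse {
  ok: boolean;
  status: number;
  headers: { get(name: string): string | null };
  arrayBuffer(): Promise<ArrayBuffer>;
}
export type Fetcher = (url: string, init: { method: "HEAD" | "GET" }) => Promise<MinimalResponse>;

class TransientError extends Error {} // retried with backoff; any other error fails fast
const TRANSIENT_STATUS = new Set([408, 429, 500, 502, 503, 504]);
const sleep = (ms: number) => new Promise<void>((r) => setTimeout(r, ms));

function httpError(status: number, method: string): Error {
  const msg = `${method} failed with HTTP ${status}`;
  return TRANSIENT_STATUS.has(status) ? new TransientError(msg) : new Error(msg);
}

// checksums.txt lines are "<sha256>  <filename>"; an empty file is refused, not skipped.
export function expectedSha256(checksumsText: string, filename: string): string {
  if (checksumsText.trim() === "") throw new Error("checksums.txt is empty; refusing to install");
  for (const line of checksumsText.split("\n")) {
    const [hash, name] = line.trim().split(/\s+/);
    if (name === filename && hash && /^[0-9a-f]{64}$/i.test(hash)) return hash.toLowerCase();
  }
  throw new Error(`no checksum entry for ${filename}`);
}

export async function downloadAtomic(
  url: string, dest: string, sha256: string,
  opts: { fetcher?: Fetcher; retries?: number; baseDelayMs?: number } = {},
): Promise<{ bytes: number; attempts: number }> {
  const fetcher = opts.fetcher ?? (globalThis.fetch as unknown as Fetcher);
  const retries = opts.retries ?? 3;
  const part = `${dest}.part`;
  let lastErr: unknown = new Error("no attempts made");
  for (let attempt = 1; attempt <= retries; attempt++) {
    try {
      const head = await fetcher(url, { method: "HEAD" });
      if (!head.ok) throw httpError(head.status, "HEAD");
      const expected = Number(head.headers.get("content-length"));
      if (!Number.isInteger(expected) || expected <= 0) throw new Error("no usable Content-Length");
      const res = await fetcher(url, { method: "GET" });
      if (!res.ok) throw httpError(res.status, "GET");
      const body = Buffer.from(await res.arrayBuffer());
      writeFileSync(part, body, { mode: 0o755 });
      const onDisk = statSync(part).size; // measure what landed, not what we meant to write
      if (onDisk !== expected) throw new TransientError(`truncated: ${onDisk} of ${expected} bytes`);
      const digest = createHash("sha256").update(body).digest("hex");
      if (digest !== sha256) throw new Error("checksum mismatch; not retrying");
      renameSync(part, dest); // atomic on one filesystem: dest is never half-written
      return { bytes: onDisk, attempts: attempt };
    } catch (err) {
      lastErr = err;
      if (existsSync(part)) unlinkSync(part); // never leave a .part behind
      if (!(err instanceof TransientError) || attempt === retries) break;
      await sleep((opts.baseDelayMs ?? 500) * 2 ** (attempt - 1)); // exponential backoff
    }
  }
  throw lastErr;
}

// Constructed offline server for the demo: optionally 503s the first GET, and can
// advertise more bytes than it sends to simulate an interrupted transfer.
export function fakeServer(body: string, advertised: number, failFirstGet = true): Fetcher {
  let gets = 0;
  const headers = { get: (n: string) => (n.toLowerCase() === "content-length" ? String(advertised) : null) };
  const empty = async () => new ArrayBuffer(0);
  return async (_url, init) => {
    if (init.method === "HEAD") return { ok: true, status: 200, headers, arrayBuffer: empty };
    gets += 1;
    if (failFirstGet && gets === 1) return { ok: false, status: 503, headers, arrayBuffer: empty };
    const u = new TextEncoder().encode(body);
    return { ok: true, status: 200, headers, arrayBuffer: async () => u.buffer.slice(u.byteOffset, u.byteOffset + u.byteLength) };
  };
}

export async function demo(): Promise<{ attempts: number; bytes: number; content: string; truncatedRejected: boolean; leftovers: boolean }> {
  const dir = mkdtempSync(join(tmpdir(), "grok-dl-"));
  const body = "constructed stand-in for a release binary";
  const sha = expectedSha256(`${createHash("sha256").update(body).digest("hex")}  grok\n`, "grok");
  const good = await downloadAtomic("https://example.invalid/grok", join(dir, "grok"), sha,
    { fetcher: fakeServer(body, body.length), baseDelayMs: 0 });
  let truncatedRejected = false;
  try { // server advertises 50 more bytes than it delivers: every attempt is a short read
    await downloadAtomic("https://example.invalid/grok2", join(dir, "grok2"), sha,
      { fetcher: fakeServer(body, body.length + 50, false), baseDelayMs: 0, retries: 2 });
  } catch { truncatedRejected = true; }
  return { ...good, content: readFileSync(join(dir, "grok"), "utf8"), truncatedRejected,
           leftovers: existsSync(join(dir, "grok2")) || existsSync(join(dir, "grok2.part")) };
}
```

The size check is what catches the 21MB-instead-of-71MB case; the checksum is what catches a complete but wrong file, and the two deliberately get different retry behaviour.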

Performance

  • OpenTUI subsystem and 25 unused packages removed. src/ui/ (12 files, 7,541 LOC) was unmaintained; only src/ui-ink/ is wired. Dropped @opentui/core, @opentui/react, web-tree-sitter, every tree-sitter-* dep, the brittle postinstall hook, and patches/.
  • Markdown re-parse storm fixed. MarkdownView debounces parses to 120ms during streaming (~8/sec instead of ~50/sec).
  • Tool-result lookup is O(1). Replaced tools.find with a Map<string, entry>.

Code quality

  • noUncheckedIndexedAccess enabled. All 82 surfaced violations resolved across 17 files.
  • Silent fire-and-forget .catch(() => {}) replaced with logger breadcrumbs. New src/utils/debug-log.ts writes to ~/.grok/debug.log only when GROK_DEBUG=1.
  • Crash log writer. Sanitized snapshots to ~/.grok/crash.log (mode 0600). The values of GROK_API_KEY and TELEGRAM_BOT_TOKEN, plus anything matching the sk-*, xai-*, ghp_* or Telegram bot-token shapes, are redacted before the snapshot is written.
  • Differentiated exit codes: 0/1/2/3/4 (success / user error / transient / agent error / panic). Documented in docs/HEADLESS_JSON_SPEC.md.
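The redaction step behind the crash-log bullet, as an added example written for this page (not grok-cli's src/utils code): exact values of secret-looking env vars are removed first, then the token shapes that may never have passed through the env, and the log is created and re-chmodded to 0600. The name heuristic, the regexes and the assumed token lengths are illustrative.

```typescript
// Added example, not grok-cli's crash logger. Redact, then write with mode 0600.
import { chmodSync, mkdirSync, writeFileSync } from "node:fs";
import { homedir } from "node:os";
import { dirname, join } from "node:path";

type Env = Record<string, string | undefined>;

const SECRET_NAME = /(KEY|TOKEN|SECRET|PASSWORD)/i; // which env var names count as secrets
// Token shapes (lengths are assumptions): sk-/xai- prefixed keys, GitHub ghp_ PATs,
// and Telegram bot tokens of the form "<bot id>:<35 chars>".
const SHAPES: Array<[RegExp, string]> = [
  [/\b(?:sk|xai)-[A-Za-z0-9_-]{8,}/g, "[redacted:token]"],
  [/\bghp_[A-Za-z0-9]{8,}/g, "[redacted:github-pat]"],
  [/\b\d{6,12}:[A-Za-z0-9_-]{35}\b/g, "[redacted:telegram-bot-token]"],
];

export function redactSecrets(text: string, env: Env = process.env): string {
  let out = text;
  // 1. Exact env values, longest first, so a shorter secret that is a prefix of a
  //    longer one cannot leave the tail of the longer one behind.
  const values = Object.entries(env)
    .filter(([name, value]) => SECRET_NAME.test(name) && value && value.length >= 8)
    .sort((a, b) => b[1]!.length - a[1]!.length);
  for (const [name, value] of values) out = out.split(value!).join(`[redacted:${name}]`);
  // 2. Shapes, for secrets pasted into prompts or config rather than read from the env.
  for (const [re, label] of SHAPES) out = out.replace(re, label);
  return out;
}

export function writeCrashLog(err: Error, env: Env = process.env,
                              path = join(homedir(), ".grok", "crash.log")): string {
  const snapshot = [
    `time=${new Date().toISOString()}`,
    `error=${err.name}: ${err.message}`,
    `stack=${err.stack ?? ""}`, // stack repeats the message, so it is redacted too
    `argv=${process.argv.join(" ")}`,
  ].join("\n");
  const body = redactSecrets(snapshot, env) + "\n";
  mkdirSync(dirname(path), { recursive: true });
  writeFileSync(path, body, { mode: 0o600, flag: "a" });
  chmodSync(path, 0o600); // the mode option only applies when the file is created
  return body;
}
```

Ordering matters: redacting by env value first means the placeholder carries the variable name, which is far more useful in a crash report than a generic shape label.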

UX

Documentation

  • New docs/HEADLESS_JSON_SPEC.md: full schema for --format json.
  • New docs/RELEASE_SIGNING.md: macOS Developer ID setup.
  • README + GitHub Pages now credit React Ink (Vadim Demedes' React renderer for terminal UIs), Bun, marked, marked-terminal, chalk, Vercel AI SDK, zod, grammY, Vitest, Biome.

Tests

49 test files / 281 tests (was 47 / 257). New coverage: src/storage/migrations.test.ts (4), src/hooks/config.test.ts (12), src/payments/service.test.ts (8).


Install / update

curl -fsSL https://raw.githubusercontent.com/alphaonedev/grok-cli/main/install.sh | bash

Or if already installed: grok update

Full changelog: PR #94 · CHANGELOG.md