VibeLign v2.1.8 Release Notes

VibeLign v2.1.8 is a hotfix for API-key settings sync, recovery AI recommendation reliability, and key-leak hardening.

What changed

  • GUI and CLI API-key settings now share the same api_keys.json semantics more consistently.
  • Deleting a key in either GUI or CLI records a VibeLign-level disabled override, so stale external environment variables no longer make deleted keys appear active.
  • Newly saved Gemini keys now take precedence over old GEMINI_API_KEY environment values.
  • The GUI recovery recommendation card now passes saved AI keys into vib recover --recommend, matching other AI-enabled GUI cards.
  • Windows GUI key storage now falls back to %USERPROFILE%\AppData\Roaming\vibelign\api_keys.json when %APPDATA% is unavailable, matching the CLI fallback.
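
The key precedence and Windows path fallback described above, as an added Python example that is not VibeLign's own code. The api_keys.json layout (a "keys" map plus a "disabled" list), the function names, and the OPENAI_API_KEY / ANTHROPIC_API_KEY variable names are assumptions; every key value is constructed.

```python
import ntpath

# Assumed store layout (the real api_keys.json schema is not shown in these notes).
SAMPLE_STORE = {  # constructed sample
    "keys": {"GEMINI_API_KEY": "saved-gemini-constructed"},
    "disabled": ["OPENAI_API_KEY"],  # deleted in GUI or CLI
}
SAMPLE_ENV = {  # constructed sample of stale shell variables
    "GEMINI_API_KEY": "old-gemini-constructed",
    "OPENAI_API_KEY": "stale-openai-constructed",
    "ANTHROPIC_API_KEY": "env-only-constructed",
}


def windows_store_path(env):
    """Return the api_keys.json path, falling back when %APPDATA% is unset."""
    appdata = env.get("APPDATA")
    if not appdata:
        profile = env.get("USERPROFILE")
        if not profile:
            raise LookupError("neither APPDATA nor USERPROFILE is set")
        appdata = ntpath.join(profile, "AppData", "Roaming")
    return ntpath.join(appdata, "vibelign", "api_keys.json")


def resolve_key(name, store, env):
    """Return (value, source) for one key name.

    Precedence: disabled override > saved key > environment variable.
    """
    if name in store.get("disabled", []):
        return None, "disabled"  # a stale env value must not revive it
    saved = store.get("keys", {}).get(name)
    if saved:
        return saved, "saved"  # a newly saved key beats the old env value
    value = env.get(name)
    if value:
        return value, "environment"
    return None, "unset"


def display_status(name, store, env):
    """Status line for a settings view; never includes any part of the key."""
    value, source = resolve_key(name, store, env)
    shown = "(hidden)" if value else "not set"
    return f"{name}: {shown} [{source}]"
```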

Security hardening

  • vib config no longer prints raw temporary export / $env: commands containing full API keys.
  • Legacy GUI key copies are scrubbed from gui_config.json after successful migration to api_keys.json.
  • Settings no longer displays even partial key prefixes; saved keys are shown as hidden values only.

Recovery UX

  • Recovery candidate cards show AI confidence when Gemini/OpenAI/Anthropic review succeeds.
  • If AI review fails, the fallback reason is shown in plain language while deterministic recommendations remain available.
  • Candidate text now explains safety evidence instead of exposing internal checkpoint identifiers first.

Verified

  • Focused key/recovery tests passed locally.
  • GUI production build passed locally.
  • Tauri key-command compile check passed locally.
  • Staged and full-diff secret scans found no real API keys.