ghantoos · amirimatin · Jun 15, 2026 · Jun 15, 2026 · Jun 16, 2026 · Jun 16, 2026
diff --git a/.gitignore b/.gitignore
@@ -9,4 +9,8 @@ dist/
 test.lsh
 .pylint_cache/
 .pylint.d/
-.hypothesis/
+.hypothesis/
+.venv/
+local-docs/
+.vscode/
+.idea/
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,7 +3,7 @@
 Contact: [ghantoos@ghantoos.org](mailto:ghantoos@ghantoos.org)  
 [https://github.com/ghantoos/lshell](https://github.com/ghantoos/lshell)
 
-### v0.12.0 (UNRELEASED)
+### v0.12.0 17/06/2026
 - Packaging/CI: Raised minimum supported Python version to 3.10 (`requires-python >=3.10`), removed EOL Python versions from CI, and aligned docs/package metadata with the new baseline; CI/classifiers now track active CPython release branches 3.10-3.14 (Python 3.6 reached EOL on 23/12/2021).
 - Security: Removed regex-driven shell parsing from the authorization flow.
 - Engine: Migrated security parsing to a deterministic scanner.

diff --git a/README.md b/README.md
@@ -153,6 +153,14 @@ Key settings to review:
 - `umask`
 - runtime containment: `max_sessions_per_user`, `max_background_jobs`, `command_timeout`, `max_processes`
 
+Security note:
+`path` restrictions apply to commands parsed by `lshell`, but they do not inspect
+individual file requests handled inside the SFTP protocol itself. If you enable
+legacy `sftp`, `lshell` now refuses the passthrough by default unless you set
+`sftp_unsafe_legacy=1`. Treat OpenSSH `ChrootDirectory` plus `ForceCommand internal-sftp` as the
+real filesystem boundary, and use SSH-side controls such as `DisableForwarding`
+or read-only SFTP modes when needed.
+
 CLI overrides are supported, for example:
 
 ```bash
@@ -219,7 +227,8 @@ timer           : 0
 path            : ['/etc', '/usr']
 env_path        : '/sbin:/usr/foo'
 scp             : 1
-sftp            : 1
+sftp            : 0
+sftp_unsafe_legacy : 0
 overssh         : ['rsync','ls']
 aliases         : {'ls':'ls --color=auto','ll':'ls -l'}
 

diff --git a/debian/changelog b/debian/changelog
@@ -1,4 +1,4 @@
-lshell (0.11.1rc2-1) UNRELEASED; urgency=medium
+lshell (0.12.0-1) UNRELEASED; urgency=medium
 
   * debian/watch:
     - Corrected to work with lshell versioning on github.