Releases: trustabl/trustabl
Releases · trustabl/trustabl
Release list
v0.1.5
Changelog
- f85a043: Merge branch 'main' into feat/claude-code-plugin-and-agent (@ericksondelacruz)
- 81e84b2: Merge pull request #62 from trustabl/feat/claude-code-plugin-and-agent (@trustabl)
- 78ad884: Merge pull request #63 from ivanpaghubasan/feature/skills-body-parsing (@sairenchristianbuerano)
- c9bd146: Merge pull request #64 from trustabl/feat/enrich-support-gemini-and-openai (@trustabl)
- 4578850: Merge pull request #65 from trustabl/cf/nifty-wiles-bd1e73 (@trustabl)
- 11445e3: Merge pull request #66 from trustabl/feat/gemini-cli-and-open-ai-codex-plugin-support (@trustabl)
- 79eda16: Merge pull request #67 from trustabl/feat/codex-plugin-marketplace (@trustabl)
- b58bb03: Merge pull request #68 from trustabl/feat/codex-marketplace-catalog (@trustabl)
- c312ffa: Merge pull request #69 from trustabl/feat/codex-marketplace-catalog (@trustabl)
- cc7f9e7: Merge pull request #70 from trustabl/cf/amazing-cerf-0c3008 (@trustabl)
- 533a7b3: Merge pull request #71 from trustabl/add-downloads-badge (@sairenchristianbuerano)
- 57aa3bc: Merge pull request #72 from trustabl/cf/beautiful-lalande-192038 (@trustabl)
- 7ebbb0a: Merge remote-tracking branch 'origin' into feat/claude-code-plugin-and-agent (@ericksondelacruz)
- 85f2666: Merge remote-tracking branch 'origin/main' into cf/amazing-cerf-0c3008 (@jhumel-code)
- 9ba469a: Merge remote-tracking branch 'origin/main' into cf/nifty-wiles-bd1e73 (@jhumel-code)
- d35c514: Merge remote-tracking branch 'origin/main' into feat/claude-code-plugin-and-agent (@ericksondelacruz)
- 9e25375: Merge remote-tracking branch origin/main into feat/claude-code-plugin-and-agent (@ericksondelacruz)
- 400ac0c: chore(plugin): update Claude Code plugin + skills to trustabl 0.1.4 (#61) (@jhumel-code)
- e654a89: docs(langchain): reconcile docs with audit; drop dead TS langgraph gate clause (@jhumel-code)
- 1d5377d: feat(agent): inline enrichment — replace CLI enrich call with Read/Edit loop (@ericksondelacruz)
- d598aa9: feat(codex): add marketplace catalog for plugin discovery (@ericksondelacruz)
- 56841c5: feat(enrich): ANTHROPIC_API_KEY env var fallback + Claude Code subagent (@ericksondelacruz)
- 11a95ce: feat(enrich): support openai and google providers; remove anthropic-only gate (@ericksondelacruz)
- cbb8f29: feat(enrichment): add OpenAI and Google Gemini backends; factory dispatch on provider (@ericksondelacruz)
- 36af0f1: feat(langchain): LC-101 fires on raw StateGraph wiring a code-exec/shell tool (@jhumel-code)
- b00b3d3: feat(langchain): discover raw LangGraph StateGraph graphs (@jhumel-code)
- a58c035: feat(llm): add OPENAI_API_KEY and GOOGLE_API_KEY env-var shortcuts in Load() (@ericksondelacruz)
- 12f121d: feat(llm): add openai and google key validation patterns (@ericksondelacruz)
- 56738ad: feat(rules): complete v2 distribution gaps from definitive audit (@jhumel-code)
- 386e498: feat(rules): signed v2 distribution — producer tooling, --rules-source, audit hardening (@jhumel-code)
- 7d02b54: feat: add Gemini CLI extension and OpenAI Codex plugin support (@ericksondelacruz)
- 2e9d777: feat: extend skills.go to parse SKILL.md body content (@ivanpaghubasan)
- 753fe1c: fix(codex): add interface marketplace metadata to plugin.json (@ericksondelacruz)
- 45106f2: fix(codex): move marketplace.json to .agents/plugins/ (@ericksondelacruz)
- 528bb9f: fix(codex): use url source in marketplace.json to avoid empty-path bug (@ericksondelacruz)
- 548691c: fix(langchain): capture from_function positional name/desc, resolve coroutine= tools (@jhumel-code)
- 2c30305: fix(langchain): import-bind constructors + correct decorator routing (audit) (@jhumel-code)
- 19a8419: fix(llm): correct google key pattern to 35-char suffix (39 chars total) (@ericksondelacruz)
- 6ae5be6: fix(rules): definitive-audit hardening for signed v2 distribution (@jhumel-code)
- 718d126: fix(sarif): tag finding scope from the authoritative Scope field (@jhumel-code)
- 66ba8ad: refactor(codex): move marketplace.json into .codex-plugin/ (@ericksondelacruz)
- d6cbab6: test(llm): isolate llm key-store tests from the developer's real API key (@jhumel-code)
- 6d8879f: test(rules): lock transport size/entry caps + rulesctl producer round-trip (@jhumel-code)
v0.1.4
Changelog
- de0bc1a: Merge branch 'main' into feat/trustabl-enrich-command (@trustabl)
- f9a0ac5: Merge pull request #24 from trustabl/feat/plugin-binary-check-hook (@jhumel-code)
- bdc56aa: Merge pull request #25 from trustabl/fix/rule-recalibration (@jhumel-code)
- 013b7be: Merge pull request #26 from trustabl/feat/forward-compat-loader (@jhumel-code)
- 9ea25d0: Merge pull request #27 from trustabl/feat/verbose-debug-flags (@jhumel-code)
- 17027db: Merge pull request #28 from trustabl/feat/verbose-debug-flags (@jhumel-code)
- d3b724f: Merge pull request #29 from trustabl/feat/javascript-discovery (@jhumel-code)
- 84bc679: Merge pull request #33 from trustabl/feat/rust-mcp-discovery (@jhumel-code)
- 1a907e8: Merge pull request #34 from trustabl/feat/cli-help-expansion (@jhumel-code)
- 3b3f98f: Merge pull request #35 from trustabl/fix/forward-compat-language (@jhumel-code)
- 73dcc7e: Merge pull request #36 from trustabl/feat/capability-descriptor (@jhumel-code)
- b2891b1: Merge pull request #37 from trustabl/feat/loud-skips (@jhumel-code)
- c5b5e74: Merge pull request #39 from trustabl/feat/trustabl-enrich-command (@trustabl)
- d3b2650: Merge pull request #40 from trustabl/tr/optimistic-matsumoto-db48f0 (@jhumel-code)
- 4dfbad7: Merge pull request #41 from trustabl/feat/agent-skill-security-scanning (@jhumel-code)
- 60d0e5e: Merge pull request #42 from trustabl/feat/skill-hardcoded-secret (@jhumel-code)
- 2ce19ea: Merge pull request #43 from trustabl/feat/skill-owasp-cskill060 (@jhumel-code)
- 4bdbaa0: Merge remote-tracking branch 'origin/main' into HEAD (@ericksondelacruz)
- ef6249b: Merge remote-tracking branch 'origin/main' into feat/capability-descriptor (@jhumel-code)
- fbd90eb: Merge remote-tracking branch 'origin/main' into feat/javascript-discovery (@jhumel-code)
- fcafa39: Merge remote-tracking branch 'origin/main' into feat/loud-skips (@jhumel-code)
- 762bfae: Merge remote-tracking branch 'origin/main' into feat/rust-mcp-discovery (@jhumel-code)
- 33d8994: chore(engine): pre-release cleanup — tidy, dead code, docs, manifest sort (#45) (@jhumel-code)
- 9b43667: chore(plugin): add author to the plugin manifest (@jhumel-code)
- 7b0d26b: chore(rules-fixture): mirror severity/rationale recalibration from trustabl-rules (@jhumel-code)
- bba0e30: docs(cli): expand -h help for the root command and all subcommands (@jhumel-code)
- cfeb7e7: docs(cli): show how to save diagnostics via stderr redirection (@jhumel-code)
- 59c327e: docs(readme): add Agent Skill security scan examples + fix stale rules ref (#49) (@jhumel-code)
- bc0983c: docs(readme): add status badges to README header (#51) (@jhumel-code)
- 52fd8da: feat(analysis): add C# MCP tool discovery (official ModelContextProtocol SDK) (@jhumel-code)
- 530735c: feat(analysis): add Go MCP tool discovery (mark3labs + official go-sdk) (@jhumel-code)
- d9f88db: feat(analysis): add PHP MCP tool discovery (mcp/sdk + php-mcp/server) (@jhumel-code)
- 857e0d5: feat(analysis): add Rust MCP tool discovery (official rmcp crate) (@jhumel-code)
- a66a365: feat(analysis): capture SKILL.md body facts in skill discovery (@jhumel-code)
- cfb5f56: feat(analysis): discover and audit plain JavaScript via the TS pipeline (@jhumel-code)
- 4701269: feat(analysis): gate CommonJS require() imports for JavaScript discovery (@jhumel-code)
- f8c7abd: feat(analysis): inventory bundled files and high-signal skill frontmatter (@jhumel-code)
- 1823c33: feat(cli): add 'rules validate' to strict-load a rule-pack directory (@jhumel-code)
- a6a7978: feat(cli): add --verbose and --debug diagnostics (@jhumel-code)
- 8618fcb: feat(cli): add
trustabl capabilitiesdescriptor command (@jhumel-code) - eb65d48: feat(cyclonedx): emit --vuln-scan matches as CycloneDX VEX vulnerabilities (#54) (@jhumel-code)
- 21d89c5: feat(deps): repo-wide dependency BOM across supported package managers (#50) (@jhumel-code)
- 87bc1f5: feat(enrich): add --diff flag to preview proposed replacements as a unified diff (@ericksondelacruz)
- 6f2f682: feat(enrich): add trustabl enrich command with two-layer LLM enrichment pipeline (@ericksondelacruz)
- 048e48a: feat(findings)!: give findings and dependencies line ranges (#56) (@jhumel-code)
- d1b89a0: feat(mcp): add opt-in vuln_scan arg to the scan tool (#57) (@jhumel-code)
- 41eb144: feat(plugin): add SessionStart hook to check for the trustabl binary (@jhumel-code)
- e87f5b7: feat(plugin): add a marketplace manifest so the plugin is installable (@jhumel-code)
- 5f7bee4: feat(plugin): auto-install the recommended trustabl binary on session start (@jhumel-code)
- e8585da: feat(plugin): scan via a bundled trustabl MCP server (@jhumel-code)
- f44f4f2: feat(progress): show per-package progress during the dependency scan (#59) (@jhumel-code)
- 983c8b4: feat(report): surface skipped rules as a first-class degraded-scan signal (@jhumel-code)
- cdbf84c: feat(rules): add the skill rule scope (mirror subagent) (@jhumel-code)
- c5b7c1f: feat(rules): ship the claude_skill CSKILL-* rule pack (v1) (@jhumel-code)
- 0fd1a2b: feat(rules): skip unknown scope/applies_to leniently + META-005 finding (@jhumel-code)
- cd43678: feat(rules): surface stale cached rules as a warning (#46) (@jhumel-code)
- 687741a: feat(rulesign): add the trust core — digest, keyring, signed statements (@jhumel-code)
- b42d5b2: feat(rulesource): resolve rules from signed channels via a Source interface (@jhumel-code)
- ee7ab57: feat(scan): watermark rule provenance and fold it into ScanID; wire --channel (@jhumel-code)
- 39b7a46: feat(scanner): emit skill dependency BOM + --bom-out CycloneDX export (#44) (@jhumel-code)
- 29719cd: feat(skill): bundled-script content analysis + hidden-Unicode detection (@jhumel-code)
- d8cccca: feat(skill): description-vs-tools mismatch rule (CSKILL-060) (@jhumel-code)
- 809df25: feat(skill): flag hardcoded secrets in bundled files (CSKILL-030) (@jhumel-code)
- 5623207: feat(vulndb): add opt-in OSV vulnerability scanning (--vuln-scan) (#52) (@jhumel-code)
- 8b1ed44: feat(vulndb): show per-ecosystem progress while pulling the OSV database (#53) (@jhumel-code)
- a0e68af: fix(cli): let --detectors target every recognized SDK category (@jhumel-code)
- bad68eb: fix(discovery): tighten MCP/Claude false-positive & false-negative matches (#47) (@jhumel-code)
- 943b1f4: fix(enrich): harden --apply against wrong-line overwrites + add LLM timeout (#48) (@jhumel-code)
- 4cf6827: fix(progress): drop the useless step bar for cached vuln-db resolution (#60) (@jhumel-code)
- 83bc3ff: fix(progress): smooth byte-driven bar for the --vuln-scan OSV download (#58) (@jhumel-code)
- 6f24282: fix(rules): make an unknown rule language forward-compatible, not a hard fail (@jhumel-code)
- 19497de: fix(rulesource): isolate the signed-bundle cache in a sibling dir (@jhumel-code)
- fe38454: fix(scoring): fold skill findings into the readiness score (@jhumel-code)
- e6aaae7: fix(vulndb): make OSV snapshot resolution cache-first (#55) (@jhumel-code)
- ababb0c: merge: land skill-security detection (claude_skill pack) (@jhumel-code)
- 60efa0f: refactor(cli): descriptor reports hard_fail_dimensions, not a coarse bool (@jhumel-code)
- 9d72997: test(analysis): add synthetic skill corpus + enriched-discovery test (@jhumel-code)
- 0a9c3e7: test(rules): assert skill in the required-scope error message (@jhumel-code)
- ea46018: test(scanner): lock the degraded-n...
v0.1.3
Changelog
- dd02d8f: Merge pull request #10 from trustabl/chore/gofmt-ts-handler-facts (@jhumel-code)
- c5d815a: Merge pull request #11 from trustabl/feat/trustabl-enrich-skill (@trustabl)
- 81eab86: Merge pull request #12 from trustabl/fix/mcp-category-support (@jhumel-code)
- 1d18794: Merge pull request #13 from trustabl/fix/cli-output-and-llm-guards (@jhumel-code)
- 8e0d94f: Merge pull request #14 from trustabl/refactor/split-cmd-commands (@jhumel-code)
- 4cb911c: Merge pull request #15 from trustabl/feat/claude-code-plugin-documentation (@trustabl)
- 0320813: Merge pull request #16 from trustabl/cf/happy-blackwell-f29ef2 (@trustabl)
- e32d930: Merge pull request #17 from trustabl/docs/drop-code-scanning-example (@jhumel-code)
- 47203a2: Merge pull request #18 from trustabl/cf/loving-haibt-58c27c (@jhumel-code)
- 3bbb8e1: Merge pull request #19 from trustabl/docs/coverage-next-moves (@jhumel-code)
- 22d99b8: Merge pull request #2 from moisesdelacruz-tr/add-discord-server-invite (@trustabl)
- d0c8d6a: Merge pull request #20 from trustabl/cf/new-sdk-coverage (@jhumel-code)
- ec16b65: Merge pull request #21 from trustabl/cf/frosty-curie-e45239 (@jhumel-code)
- 4f8d81f: Merge pull request #22 from trustabl/cf/engine-hardening (@jhumel-code)
- dbe8fb0: Merge pull request #23 from trustabl/cf/forward-compat-category (@jhumel-code)
- 502a546: Merge pull request #3 from trustabl/feat/mcp-python-ts-detection (@jhumel-code)
- bec0568: Merge pull request #4 from trustabl/feat/llm-config (@trustabl)
- 0e84809: Merge pull request #5 from trustabl/feat/sarif-code-scanning (@jhumel-code)
- 6fee227: Merge pull request #6 from trustabl/feat/mcp-server (@jhumel-code)
- 14faa87: Merge pull request #7 from trustabl/feat/agent-skill (@jhumel-code)
- 450d3ba: Merge pull request #8 from trustabl/feat/extend-llm-provider-support (@trustabl)
- 37a16c2: Merge pull request #9 from trustabl/feat/sarif-dual-output-projected-scores (@jhumel-code)
- 431f9d6: Merge remote-tracking branch 'origin/main' into feat/mcp-server ( <>)
- 03cd447: Merge remote-tracking branch 'origin/main' into feat/mcp-server (@jhumel-code)
- e05d154: Merge remote-tracking branch 'origin/main' into feat/sarif-code-scanning (@jhumel-code)
- e5934ab: ci(rules-sync): check trustabl-rules at the PR branch, fall back to main (@jhumel-code)
- 80ab373: ci: make rules-sync category discovery dynamic (@jhumel-code)
- de92ab0: docs(ci): document GitHub Code Scanning integration ( <>)
- 924086a: docs(coverage): refresh recommended-next-moves for LangChain + TS MCP (@jhumel-code)
- a6f2ee5: docs(llm): update ARCHITECTURE, README, CHANGELOG for llm config command (@ericksondelacruz)
- 20e1afd: docs(plugin): add trustabl-enrich to Claude Code plugin documentation (@ericksondelacruz)
- 68b6447: docs(readme): added a discord server invitation link to the README.md (@moisesdelacruz-tr)
- 87f2c23: feat(analysis): add CrewAI, AutoGen, Vercel AI, and Pydantic AI coverage (@jhumel-code)
- 34c6f48: feat(analysis): add LangChain / LangGraph SDK coverage (@jhumel-code)
- 0b47a9f: feat(analysis,rules): MCP TypeScript server discovery + rule pack (@jhumel-code)
- dfe1e0c: feat(cli): add --output flag to write the report to a file ( <>)
- a0cab4f: feat(llm): add trustabl llm config command (@ericksondelacruz)
- 2042b0f: feat(llm): add trustabl llm provider set and provider list (@ericksondelacruz)
- 78aa2ac: feat(mcp): add stdio MCP server frontend over the scanner core ( <>)
- cf5e7a3: feat(plugin): add Claude Code plugin and self-audit skill (@jhumel-code)
- 92b5b3a: feat(rules): add MCP detection pack (Python) with clean mcp_tool separation (@jhumel-code)
- 522dbaf: feat(rules): forward-compatible loading + TS http-timeout predicate (@jhumel-code)
- 9810e48: feat(rules): forward-compatible unknown category (skip, not hard-fail) (@jhumel-code)
- f7bb930: feat(sarif,cli,scoring): Code-Scanning-valid SARIF, dual-output flags, projected_scores (@jhumel-code)
- 5add407: feat(skill): add trustabl-enrich skill for scan-guided source enrichment (@ericksondelacruz)
- 7212ec4: fix(cli): reject colliding output paths and unknown llm providers (@jhumel-code)
- 51e91e4: fix(engine): harden hostile-input handling and fix the TTY deadlock (@jhumel-code)
- 36fd37c: fix(rules): accept the mcp policy category (@jhumel-code)
- 9c8f759: refactor(cmd): split each command into its own file (@jhumel-code)
- 02ef715: style(analysis): gofmt-clean ts_handler_facts.go (@jhumel-code)
v0.1.2
Changelog
- 206fdae: Merge pull request #1 from nickyeager/feat/exclude-self-cls-typed-params (@trustabl)
- cef707d: TR-146 Resolve Python OpenAI handoffs= edges into HandoffRefs (@jhumel-code)
- c9aeba6: TR-147 Recognize Zod parameters schema in TS OpenAI/ADK tool discovery (@jhumel-code)
- 460c1d6: TR-148 Hard-fail when a resolved rule pack contains zero rules (@jhumel-code)
- 4174bec: TR-149 Spare recently-modified packs from cache pruning to avoid concurrent-scan races (@jhumel-code)
- 9aadf93: TR-150 Flatten nested-object kwargs into TS OpenAI/ADK tool Config (@jhumel-code)
- 4237e84: TR-151 Fold a stable identity label into ScanID instead of the absolute path (@jhumel-code)
- 26feabb: TR-152 Name skipped files in Coverage instead of dropping them silently (@jhumel-code)
- 9b5d267: TR-153 Classify module-qualified hosted-tool and MCP-server calls (@jhumel-code)
- 6b65bbd: TR-154 Run scope-independent rule checks unconditionally; list subagent in scope-required message (@jhumel-code)
- bfce9f6: TR-155 Require both fire and silent test cases per shipped rule (@jhumel-code)
- 0be7b6b: TR-156 Emit a SARIF warning notification when files were skipped (@jhumel-code)
- 7360fb9: TR-157 Distinguish float literals from int in TS and Python expr classification (@jhumel-code)
- 427807e: TR-158 Mark TS agents Opaque when tools contains an inline/unresolvable tool (@jhumel-code)
- 1a94516: TR-159 Gate cached-pack reuse on a completeness sentinel to reject partial packs (@jhumel-code)
- 98e1cac: TR-160 Clamp NodeText byte offsets to avoid panicking on mismatched source (@jhumel-code)
- 7e978d7: assets: add 48x48 favicon for the docs site (@jhumel-code)
- 0c750d3: assets: add white logo for the docs site header (@jhumel-code)
- 3c139a4: ci: guard against rules fixture drifting from production pack (@jhumel-code)
- da203ac: ci: invoke rules-sync script via bash + mark executable (@jhumel-code)
- 0d06b12: docs(CLAUDE): three-repo rule model + rule grounding lives in rulebook (@jhumel-code)
- 5186da1: docs(changelog): add the 0.1.1 release entry (@jhumel-code)
- 870bac3: docs(changelog): add the 0.1.2 release entry (@jhumel-code)
- 8d7478e: docs(rules): document None-only disabling semantics in call_without_kwarg (@jhumel-code)
- 0309215: docs(rules): reconcile singleton/scope docs with strict loader (@jhumel-code)
- d74b395: feat(analysis): compute dynamic_url handler-fact for TS HTTP calls (@jhumel-code)
- 4fa78c3: feat(findings): record scope on every finding (@jhumel-code)
- 5a9abe3: feat(rules): Batch A TypeScript rules across Claude/OpenAI/ADK packs (@jhumel-code)
- a137231: feat(rules): Claude SDK TS SSRF rule CSDK-013 (dynamic_url) (@jhumel-code)
- 710451e: feat(rules): Claude SDK TS agent rule CSDK-120 (permission bypass) (@jhumel-code)
- 468bda0: feat(rules): Claude SDK TS tool rules CSDK-010/011/012 (shell, eval, fs-write) (@jhumel-code)
- 0891828: feat(rules): add SSRF and ADK shell/code-exec rules (@jhumel-code)
- 2bdcb3d: feat(rules): has_body_text line-span fallback so TS tools match (@jhumel-code)
- b0fa916: feat(rules): has_dynamic_url_call reads dynamic_url fact for TS tools (@jhumel-code)
- d4bda4d: feat(scoring): score all surfaces, aggregate with badness-weighted mean (@jhumel-code)
- 3055857: feat: ignore self/cls method parameters in typed parameter check (@nickyeager)
- 60a0d92: fix(analysis): avoid caller-slice mutation and per-sub-agent MCPServerRefs aliasing (@jhumel-code)
- bfb7c25: fix(analysis): exclude TEMPLATE.md scaffolding from subagent fallback (@jhumel-code)
- 72789f1: fix(analysis): match SDK imports and tool decorators by AST, not substring (@jhumel-code)
- 33062d5: fix(analysis): resolve agent handoff edges without var/name map collision (@jhumel-code)
- 07246b2: fix(analysis,sarif): strip self/cls in ADK tools; build SARIF descriptors from sorted findings (@jhumel-code)
- 140c82f: fix(cli): recover from a scan panic in TTY mode instead of crashing the process (@jhumel-code)
- 1db10c0: fix(cli,docs): actionable schema-incompatibility error + --rules-ref troubleshooting (@jhumel-code)
- 3d93e72: fix(discovery): capture *args/**kwargs splat params in FunctionParams (@jhumel-code)
- 990b60d: fix(discovery): set EndLine for TS Claude tools and agents (was 0 in JSON) (@jhumel-code)
- cdce7d1: fix(engine): determinism + interrupt cleanup, --strict floor, vendor-neutral repo-hygiene (schema v9) (@jhumel-code)
- 718c48f: fix(findings): uniform scope JSON tag + real Detect-level scope tests (@jhumel-code)
- 33cc492: fix(ingestion): classify file extensions case-insensitively (@jhumel-code)
- 6e857fd: fix(rules): CSDK-011 uses structural code_exec fact, kills eval( substring FP (@jhumel-code)
- d1151cd: fix(rules): align CSDK-120 framing/confidence with CSDK-103 peer (@jhumel-code)
- 6d84d74: fix(rules): reconcile engine fixture with production pack (72 rules) (@jhumel-code)
- d579e5b: fix(rules): reject empty match at per-instance scope (@jhumel-code)
- 17416ed: fix(rules): schema_version is a grammar contract, not a capability gate (@jhumel-code)
- b3787d9: fix(rules): structural detection over substring; agent shell reach; prune dead predicates; loader SDK lint (@jhumel-code)
- a9bdaf5: fix(rules): tighten CSDK-010 needle exec( -> execFile( to cut false positives (@jhumel-code)
- ff3213f: fix(rules,rulesource): keep .git out of loaded rules and cached packs (@jhumel-code)
- 9f73a2f: fix(scanner): avoid latent slice aliasing when combining parsed files (@jhumel-code)
- 6698a74: fix(scoring): correct stale renderer comments + pin blended overall in test (@jhumel-code)
- 463d595: fix(scoring): gofmt struct alignment + end-to-end multi-scope score regression test (@jhumel-code)
- ef9d94d: refactor(rules): remove unused repo_has_agent_class / repo_has_no_agent_class predicates (@jhumel-code)
- 9007cea: test(analysis): reuse parseTSForTest in dynamic_url test helper (@jhumel-code)
- 3d38029: test(rules): add parseTSTool harness helper for TS rule coverage (@jhumel-code)
- 5638fbc: test(rules): build CSDK-120 cases from real TS agent discovery (@jhumel-code)
- e89ba2b: test(rules): fire/silent cases for OAI-016/017/019 — TS machinery proven (@jhumel-code)
- b001b87: test(rules): route TS rule cases through parseTSTool, drop TS coverage exemption (@jhumel-code)
v0.1.1
Changelog
- ff38066: Merge: Google ADK TypeScript discovery (@jhumel-code)
- 2e58eea: Merge: OpenAI Agents SDK TypeScript discovery (@jhumel-code)
- 4d55668: Merge: README precedence cross-check for the markdown agent surface (@jhumel-code)
- 83cb12f: Merge: actionable risk-surfaces output (count, examples, why, fix) (@jhumel-code)
- 0d95871: Merge: determinism hardening (ScanID file-list coverage + TS ParamNames sort) (@jhumel-code)
- 318e6f3: Merge: docs refresh for plugin layouts, polymorphic source, finding line, risk-surfaces (@jhumel-code)
- 4c288cf: Merge: honest wording for the openshell risk-surfaces line (@jhumel-code)
- 70396ac: Merge: loader rejects out-of-scope match predicates (@jhumel-code)
- 7efe84d: Merge: low-severity cleanup sweep (@jhumel-code)
- 6d00078: Merge: markdown agent surface (subagent/skill/command/plugin discovery + policy decoupling) (@jhumel-code)
- 9999f07: Merge: marketplace.json source as object (git-subdir) (@jhumel-code)
- 5d42a5e: Merge: per-tool readiness keyed by (FilePath, Name) (@jhumel-code)
- 71ca2d1: Merge: rulesource propagates local install faults instead of masking as cache (@jhumel-code)
- a7886a0: Merge: slash-command discovery in plugin layouts (@jhumel-code)
- e854fa5: Merge: subagent findings now carry real file:line (@jhumel-code)
- b99183c: docs(analysis): document HTML-escape caveat in permission-line walker (@jhumel-code)
- 93edc78: docs(analysis): explain 9-vs-11 hosted-tool count gap vs Python set (@jhumel-code)
- d8440d5: docs(analysis): explain TS OpenAI MCP server identifier-only and array-arg limits (@jhumel-code)
- 64fe04d: docs(analysis): fix stale alias re-resolution comment after index remap (@jhumel-code)
- 6516ad2: docs(analysis): fix stale re-resolution comment after Line-key change (@jhumel-code)
- 61e0951: docs(analysis): update tsHandlerFacts docstring to reflect shared TS use (@jhumel-code)
- b5e17f4: docs(architecture): document Location embed and EndLine contract (@jhumel-code)
- b7adbf4: docs(changelog): drop the empty Unreleased heading (@jhumel-code)
- 7f2ce99: docs(changelog): flesh out the 0.1.0 release entry (@jhumel-code)
- b71d5b1: docs(coverage): bump Last reviewed date (@jhumel-code)
- 9e9833b: docs(coverage): re-stamp review HEAD after Google ADK TS discovery (@jhumel-code)
- acf958e: docs(coverage): re-stamp review HEAD after OpenAI TS discovery (@jhumel-code)
- 758efcb: docs(coverage): re-stamp review HEAD after README precedence check (@jhumel-code)
- 518af90: docs(coverage): re-stamp review HEAD after doc refresh (@jhumel-code)
- a3acfd5: docs(coverage): stamp review date and HEAD for markdown agent surface (@jhumel-code)
- e933b37: docs(readme): reflect markdown agent surface, hybrid subagent discovery, actionable risk-surfaces (@jhumel-code)
- 81e82a5: docs(rules): document repo_claude_default_mode_is in schema.yaml (@jhumel-code)
- ed79262: docs+test: cover markdown agent surface; prove CSDK-110 fires on flat collections (@jhumel-code)
- 4c6906b: feat(analysis): DiscoverTSADKAgents for 5 ADK agent constructors (@jhumel-code)
- 88a9308: feat(analysis): DiscoverTSADKTools for new FunctionTool({...}) constructor (@jhumel-code)
- 08de875: feat(analysis): DiscoverTSOpenAIAgents for new Agent({...}) and Agent.create(...) (@jhumel-code)
- 2228506: feat(analysis): DiscoverTSOpenAIGuardrails for 4 defineX factories (@jhumel-code)
- 374cff7: feat(analysis): DiscoverTSOpenAIMCPServers for 4 MCP server classes (@jhumel-code)
- f4e675d: feat(analysis): DiscoverTSOpenAISessions for 3 classes + 1 factory (@jhumel-code)
- df501bb: feat(analysis): DiscoverTSOpenAITools for tool({...}) factory (@jhumel-code)
- 0b20fb0: feat(analysis): ResolveEdges resolves TS ADK subAgents + materializes ADK hosted tools (@jhumel-code)
- 4deb57a: feat(analysis): ResolveEdges resolves TS OpenAI tool/MCP/guardrail refs by VarName (@jhumel-code)
- b3e1afa: feat(analysis): TS ADK hosted-tool class set (13 classes) and classifier (@jhumel-code)
- 4428bd2: feat(analysis): TS OpenAI hosted-tool factory set (9 factories) and classifier (@jhumel-code)
- 8e7427c: feat(analysis): add ToolGrant type and paren-aware tool-grant parser (@jhumel-code)
- 1de0757: feat(analysis): add lineForOffset helper for byte to line lookup (@jhumel-code)
- e78d79f: feat(analysis): capture subagent security frontmatter (permissionMode, disallowedTools, mcpServers, hooks) (@jhumel-code)
- b176f3c: feat(analysis): discover and parse SKILL.md skills (@jhumel-code)
- 72032ce: feat(analysis): discover flat-collection subagents by frontmatter shape (@jhumel-code)
- 2c77e93: feat(analysis): parse .claude-plugin plugin.json and marketplace.json (@jhumel-code)
- 3b80102: feat(analysis): parse slash-command frontmatter (allowed-tools, model) (@jhumel-code)
- 85f0d5f: feat(analysis): per-rule line numbers in ClaudeSettings permissions (@jhumel-code)
- befe36f: feat(analysis): populate EndLine on GuardrailDef and SessionUse (@jhumel-code)
- 7605fd5: feat(analysis): populate Line/EndLine on ClaudeSettings as whole-file range (@jhumel-code)
- 323e3e4: feat(analysis): populate Line/EndLine on SubagentDef from frontmatter markers (@jhumel-code)
- fd41f3c: feat(analysis): populate real Line/EndLine on HostedToolDef via Expr position (@jhumel-code)
- 57169cc: feat(analysis): populate real Line/EndLine on MCPServerDef via Expr position and node end (@jhumel-code)
- 3ffc581: feat(analysis): positional JSON walker for permission-rule line numbers (@jhumel-code)
- 1f2c9af: feat(astutil): TSImportAliasesAny union-gate helper for multi-module TS discovery (@jhumel-code)
- 9cadb95: feat(engine): E1 — capture hosted-tool kwargs + agent_hosted_tool_kwarg predicates (schema v6) (@jhumel-code)
- d75ea33: feat(engine): E2 — agent_uses_tool_kind scans HostedToolRefs (OAI-101/104 honesty) (@jhumel-code)
- c5b230c: feat(engine): E3 — discover ClaudeAgentOptions + CSDK-202 session bypass (schema v8) (@jhumel-code)
- c9d28ed: feat(engine): E4 — repo_claude_default_mode_is predicate + CSDK-201 (schema v7) (@jhumel-code)
- b6bfd7c: feat(ingestion): @google/adk dep needle for package.json (@jhumel-code)
- 043890b: feat(models): add VarName to ToolDef/MCPServerDef/GuardrailDef for TS edge resolution (@jhumel-code)
- 1710f49: feat(progress): harden terminal UI + plumbing-level clone progress (@jhumel-code)
- 1af7ba6: feat(review): print file:line-endline range in human format (@jhumel-code)
- c628338: feat(review): risk-surfaces line explains why and how to fix, with file:line examples (@jhumel-code)
- eca7352: feat(review): surface skills, slash commands, and plugins in the scan summary (@jhumel-code)
- 38c7032: feat(rules): ADK Tier-1 + fix ADK-105 (class-name mismatch, never fired) (@jhumel-code)
- ae125bc: feat(rules): ADK-008 (fixed via E1) + OAI-111 — hosted-tool approval/policy checks (@jhumel-code)
- df3c838: feat(rules): Claude Tier-1 + fix CSDK-102 (was never firing) (@jhumel-code)
- 6fcd19e: feat(rules): OpenAI Tier-1 — OAI-014 (needs_approval), OAI-015 (failure_error_function=None), OAI-110 (output_guardrails) (@jhumel-code)
- ac9f1ca: feat(rules): add has_code_exec_call predicate; extend has_shell_call to os.spawn* (@jhumel-code)
- a892b02: feat(rules): add has_print_call, migrate rules off has_body_text, restore mcp_tool (@jhumel-code)
- 0384f19: feat(rules): match subagent_grants_tool against parsed tool grants (@jhumel-code)
- a649b9a: feat(rules): mcp_tool on CSDK-004/005/006; expand OAI-111 to all privile...
v0.1.0
Changelog
- 6d2dcc7: fix(release): force GORELEASER_CURRENT_TAG to the triggering tag (@jhumel-code)
- 47dcd32: fix(release): gitignore .zig-cache to keep tree clean on CI (@jhumel-code)
v0.1.0-rc.3
Changelog
- 6d15f07: chore(ci): opt JS actions into Node 24 ahead of the 2026-06-02 cutoff (@jhumel-code)
- 0be2930: fix(release): skip brew/scoop upload for pre-releases (@jhumel-code)