Releases: sigilco/agentplugins
Releases · sigilco/agentplugins
Release list
v0.6.1
What's Changed
- fix(ci): single GitHub release, Windows .exe fix, resilient binary conditions by @espetro in #60
- chore(release): v0.6.1 — @agentplugins/cli bump for Windows binary by @espetro in #61
Full Changelog: v0.6.0...v0.6.1
v0.6.0
What's in v0.6.0
Architecture
@agentplugins/pipeline— new middleware kernel: composable install pipeline with typedPipelineContext, ordered execution, and abort support. Security gate migrated as a first-class pipeline plugin.defineConfigAPI — plugin bus + per-target overrides; custom-adapter extensibility via the pipeline.@agentplugins/contract,core,migrate,adapter-opencode— zod 4 migration.@agentplugins/store— GitHub tree-URL parsing for bare repo paths invalidateCloneUrl.
Adapters
adapter-opencode— emitsmcpServersasmcp.serversinopencode.json.adapter-claude/adapter-opencode— agentmodel+fallbackModelsfrontmatter support.adapter-copilot— universal hook-handler fix.
Tooling / Build
- tsup → tsdown for all adapters +
@agentplugins/pipeline. - cleye (replaces cac) + logtape structured logging (replaces chalk) in CLI.
- jiti v2 migration; pnpm catalog;
.nvmrc 22;engines.node >=22.
Docs / Site
- VitePress docs site: logo, sponsor CTA, reference landing, SEO/sitemap/OG.
- Capability-matrix restructured; porting guide added.
- Domain updated
agentplugins.dev → agentplugins.pages.dev.
CI / Project
- Community-health files, issue/PR templates, triage workflow.
- CI typecheck scoped to
packages/**; topological binary build inrelease.yml. adapter-codex/adapter-kimipeerDependenciesbumped^0.5.0 → ^0.6.0.
Packages published
All 17 packages at 0.6.0 on npm under the @agentplugins scope:
adapter-claude, adapter-codex, adapter-copilot, adapter-gemini, adapter-kimi, adapter-opencode, adapter-pimono, cli, compile, contract, core, ingest, migrate, pipeline, schema, security, store
Installation
npx @agentplugins/cli add user/your-pluginOr install the CLI globally:
curl -fsSL https://agentplugins.pages.dev/install.sh | bashOr via Homebrew (macOS/Linux):
brew install sigilco/tap-agentplugins/agentpluginsv0.5.0 — @agentplugins/store + Setup Scripts
v0.5.0 — @agentplugins/store + Setup Scripts
New package
@agentplugins/store— plugin install / link / update / detect lifecycle extracted fromcoreinto its own package.installPlugin,updatePlugin,detectAgents, symlink management (linkCompiledPlugin,linkPluginSkills,linkNativeArtifacts),validateCloneUrl, and the new setup-script runtime all live here.@agentplugins/corere-exports the public surface as a facade; existing imports through@agentplugins/coreare unaffected. (Registry logic stays incore— it owns adapter registration, not store state.)
Features
- Setup scripts (mossy-koala) — a plugin can declare a
setupcommand (single string) in its manifest. Afteragentplugins add, the CLI prompts for trust and runs it;agentplugins setup <name>re-runs it later.- Trust-on-first-use: the command plus the contents of any referenced script are hashed (sha256) and persisted in
.agentplugins-meta.json. A matching hash re-runs silently on subsequent invocations; a changed hash re-prompts. - Auto-detect fallback: when no
setupfield is declared, the CLI looks forinstall.sh→setup.sh→postinstall.mjs→postinstall.js(first hit) and treats it as lower-trust (source: 'detected'). - Hard denylist always blocks —
curl|sh,wget|sh,npx --yes,rm -rf /,chmod 777,eval,base64 -d|sh. Cannot be overridden by--yesor prior trust. - Flags & kill-switch:
--yesskips the prompt but still gates on the denylist;--no-setupskips setup entirely onadd;AGENTPLUGINS_SETUP_SCRIPTS=0is a hard kill-switch. - Schema: top-level
setup: z.string().min(1).optional()on the manifest. This is distinct from thehooks.setuplifecycle hook.
- Trust-on-first-use: the command plus the contents of any referenced script are hashed (sha256) and persisted in
Test coverage (B22)
- 51 new tests in
@agentplugins/store:linkPluginSkills(15),linkNativeArtifactsincl. the.mjs → .tsrename (20), multi-artifactlinkCompiledPlugin(16). - 9 new CLI e2e tests: setup flow (kill-switch, deny, TOFU silent re-run, hash-change re-prompt),
setupcommand,add --no-setup.
Internal
@agentplugins/coredepends on@agentplugins/store(workspace:*);@agentplugins/storedepends on@agentplugins/compile(forsanitizeName) and@agentplugins/security(for the denylist gate).adapter-codex/adapter-kimipeerDependenciesbumped^0.4.0→^0.5.0(kept in lockstep per the changeset quirk documented in.changeset/README.md).
Release notes backfilled for informational purposes; sourced from CHANGELOG.md.
Installation
npx @agentplugins/cli add user/your-pluginv0.4.0 — Architecture Re-shape + Hardening
v0.4.0 — Architecture Re-shape + Hardening
Architecture
@agentplugins/contract— new package: zod schema as single source of truth for the plugin manifest; TS types derived viaz.infer;manifest.schema.jsongenerated at build time viazod-to-json-schema. Eliminates the 4-copy drift class (previously:spec/v1/manifest.schema.json,packages/schema/src/types.ts,packages/core/src/types.ts, and inline zod).@agentplugins/compile— new shared codegen kernel with secure emit primitives (emitCommandHandler,emitInlineHandler,sanitizeName,sanitizeJoin,mapHook). All adapters route through this kernel — a capability now ships by editing one schema field + one kernel path, not 8 files.corefacade —@agentplugins/core/src/index.tsre-exports fromcontract/compile; public API unchanged; sibling repos (agentplugins-{goal,btw,flow,caveman,ponytail}) unaffected. (Store isolation into its own@agentplugins/storepackage is planned for v0.5.0.)ARCHITECTURE.mdat repo root documents the ports-&-adapters hexagonal compiler pipeline with mermaid diagrams: package dependency graph, compile pipeline (manifest→validate→IR→emit→files), distribute pipeline (source→fetch→install→link), and the adapter port contract.
Authoring primitives
continueWith— chained prompt injection via thestophook. OpenCode adapter usesctx.session.sendMessage; PiMono adapter usespi.sendUserMessage. Per-session iteration capped at 20 by default; lint rule (continueWithSafetyRule) inspects inline handler source at build time.nativeEntry/nativeCopies— native artifact passthrough for non-JS plugin artifacts. Build command resolves and writesnativeCopiesentries; adapters expose them in their output.adapterOverrides— runtime adapter override viamanifest.adapterOverrides.opencode/manifest.adapterOverrides.pimono. Paths are sanitized against the plugin root at compile time; a runtime trust warning is emitted.capabilities: ['subprocess']— gates the child-process lint block. ThehandlerSafetyRulelint rule scanscommandhandler strings for subprocess patterns; the gate only fires when the capability is absent.- Inline handlers auto-wrapped as command scripts for Codex and Kimi adapters.
Multi-artifact linking
- Multi-artifact
distlinking for OpenCode: multiple compiled artifacts per plugin. - Per-skill flat linking for Pi / Skills.sh compatibility.
Security hardening
| Class | Fix |
|---|---|
| RCE (template-literal injection) | emitCommandHandler uses plain string + arg-array execSync; no shell template literals, no shell:true. Structurally eliminated — not patched per adapter. |
| Path traversal — plugin name | sanitizeName() rejects ../absolute/non-kebab at addPluginFromSource install time. |
Path traversal — nativeCopies from/to |
sanitizeJoin() validates both src and dst paths resolve inside the plugin root in build command. |
| Path traversal — SKILL.md frontmatter | sanitizeName() applied to name: field from SKILL.md frontmatter before any symlink/write. |
Path traversal — adapterOverrides / handler source |
sanitizeJoin(pluginRoot, path) applied at compile time; runtime trust warning emitted. |
| SSRF bypass | safe-fetch re-validates every redirect hop against allow-list + private-IP check. |
| Arbitrary script execution at install | evaluateScriptPolicy() runs on add / import --write; denylisted lifecycle scripts block the install. |
| Integrity never verified | verifyIntegrity() called on install when manifest.integrity is declared. |
| Git clone URL injection | cloneRepo validates https://github.com/... before URL interpolation. |
| Symlink clobber | unlinkSync only; rmSync never on user dirs; lstatSync guard. |
| Install idempotency | unlinkAll() factors pre-delete for compiled + skills + native + symlink artifacts; stale links never left behind. |
| Silent partial installs | Symlink failures collected, warned at summary, process.exitCode=1. |
Bug fixes
subagentStopcollision fixed; deadagentCommand/agentCwdpassthrough removed.sidecarmarked experimental (x-experimental) in schema and docs.recompile-installeddogfood script moved fromcli/src/commands/→scripts/.- Two OpenCode test failures (stale
Bun.$assertions) corrected toexecSync (curl). - Example logger
package.jsonno longer carries a version field in its internal manifest. - CLI version read from
package.jsoninstead of hardcoded string.
Breaking changes
spawnChildremoved from@agentplugins/compileand@agentplugins/core. It had zero callers; no adapter used it. Any external consumer importing it directly will break — the replacement is to usenode:child_process.spawndirectly with sandboxing.@agentplugins/contractis a new published package. Its API (PluginManifestzod schema, derived types,manifest.schema.json) is stable from this release.corere-exports remain the preferred consumer entry.
Release notes backfilled for informational purposes; sourced from CHANGELOG.md.
Installation
npx @agentplugins/cli add user/your-pluginv0.3.0 — Tier-1 Parity Wins + Compat Ingestor + Security
v0.3.0 — Tier-1 Parity Wins + Compat Ingestor + Security
Tier-1 parity wins (3.1–3.6)
- 3.1 — Subagent lifecycle parity: Pi
stop↔subagentStopcollision fixed; OpenCode emits a documented WARN for subagent hooks instead of silently dropping them (#33) - 3.2 —
mcpServersdocumented as the universal tool path;tools[]scoped to opencode/pimono, WARN on others (#34) - 3.3 — Schema sync:
HandlerTypefilerenamed toreference;settingsduplicate removed; dep pins updated (#35) - 3.4 — Tier-1 capability matrix published at
docs-site/reference/compat-matrix.md(#36) - 3.5 —
CommandandAgentDefinitiontypes added;agentplugins-cavemanandagentplugins-ponytailcommunity rewrites ship (#37) - 3.6 — Ecosystem page + tier-1 parity porting guide (#38)
Epic #24 — Compat ingestor + security guardrails
@agentplugins/ingest— claude-code, codex, and skills-sh format ingestors with structured warnings (#24)@agentplugins/migrate— MCP server with scan / convert / diff-manifest / verify-integrity / write-manifest tools@agentplugins/security— osv-scanner, Scorecard, npm provenance wrappers; safe-fetch SSRF guard; lifecycle script policyagentplugins import <format> <source>andagentplugins audit <source>CLI commands- Schema v1.1:
dependencies[],sidecar,integrityfields
Other
- Relicensed MIT → Apache-2.0
Release notes backfilled for informational purposes; sourced from CHANGELOG.md.
Installation
npx @agentplugins/cli add user/your-plugin