Releases: agent-sh/agentsys

v5.12.0

26 Apr 18:06

Propagated upstream releases

  • agent-core v0.4.4 (fixer.js symlink + TOCTOU) -> v0.4.5 (client-side SLSA verification + sync allowlist) synced into all 13 consumers.
  • agent-analyzer v0.8.0 -> v0.8.1 (cargo-deny CI).
  • prepare-delivery v0.1.2, audit-project v1.0.2 (reviewer-contract markers + orchestrator blocked handling).

v5.11.0

26 Apr 15:35

Changed

  • Upgraded marketplace sub-plugin pins from SHA-only to tag+SHA after each downstream plugin cut security releases. Post-run totals: 12 pinned to tags, 8 fell back to default-branch SHA (up from 7/13 in v5.10.0). New tag pins in this wave: prepare-delivery v0.1.1, audit-project v1.0.1, next-task v1.1.2, ship v1.1.2, skillers v0.2.1, onboard v0.1.1, can-i-help v0.1.1, perf v1.0.1, debate v1.0.1. Consumers now install from verifiable release tags for these plugins.

Propagated upstream security fixes

  • agent-core v0.4.4 synced into all 13 consumers via lib/: fixer.js symlink + TOCTOU guards (#14 agent-core), earlier v0.4.3 code-point-safe truncate + sync-workflow test-file exclusion, v0.4.2 additive sync + upstreamed workflow-state/queries, v0.4.1 binary SHA-256 + zip-slip defenses.
  • prepare-delivery + audit-project: falsePositive review-bypass cap (50% ratio + required reason).
  • next-task: worktree-manager TASK_ID/BASE_BRANCH validation.
  • ship: platform-API health checks instead of log-grep rollback DoS.
  • skillers: transcript redaction pipeline (ported from consult).
  • onboard + can-i-help: explicit argv arrays in collector git invocations.
  • perf: command-parser error message accuracy.
  • debate: SKILL.md routes AI CLI invocations through consult's hardened ACP transport.

v5.10.0

26 Apr 13:30

Security

  • Marketplace supply-chain hardening (#347) - pin every source: "url" sub-plugin entry in .claude-plugin/marketplace.json to an immutable commit SHA (plus release tag when one exists) instead of tracking default branches. Unpinned source: "url" entries previously let claude plugin install follow the remote's default branch, meaning any sub-plugin compromise would ship code to every user on their next install. New scripts/pin-marketplace.js resolves v<version> tags to commit SHAs via gh api repos/.../git/ref/tags/<tag> (annotated tags are dereferenced to the underlying commit), rejects ambiguous array responses, and falls back to default-branch HEAD SHA when the desired tag does not yet exist. Covered by __tests__/pin-marketplace.test.js.
  • Reusable CI workflow SHA-pinned (#347) - agent-sh/.github/.github/workflows/agnix.yml@main pinned to an explicit commit SHA so a compromise of the shared workflows repo cannot silently change agentsys's CI behavior.
  • Release workflow shell injection hardening (#347) - replaced 5 shell blocks that interpolated ${{ inputs.version }} / ${{ github.event.inputs.* }} directly into bash with env: block wiring; values are now read as shell variables so a malicious tag/input cannot break out of the command string.
  • Removed self-referential npm dependency (#347) - the "agentsys": "^5.0.0" entry in package.json / package-lock.json had no functional purpose and could confuse resolvers.
  • agent-analyzer binary downloader security (#350, synced from agent-core) - lib/binary/index.js now requires a matching .sha256 sidecar, computes and verifies SHA-256 before extraction (with an explicit skipChecksum escape hatch for local dev), and extracts into an isolated scratch directory with archive-path-traversal defenses: reject absolute paths, UNC paths, drive letters, .. segments, and symlinks; copy only the expected binary into the final install location; scrub the scratch tree afterward. Windows extraction moved from Expand-Archive command strings to a -File PowerShell script with env-var argument passing so paths containing spaces are handled safely. Covered by lib/binary/index.test.js.

Changed

  • Marketplace pins upgraded to release tags - post-#347, re-ran scripts/pin-marketplace.js after the downstream plugins cut tagged releases:
    • agnix: default-branch SHA -> v0.22.1 (tag + commit)
    • web-ctl: default-branch SHA -> v1.1.0 (tag + commit)
    • ship: default-branch SHA -> v1.1.1 (tag + commit)
    • Running totals: 7 plugins pinned to tag + SHA, 13 still on default-branch SHA pending their first release tag.
  • Bumped version fields in marketplace.json for agnix, web-ctl, and ship to match the latest published tags so future pin-marketplace.js runs resolve to the correct refs.

v5.9.1

26 Apr 07:23

Changed

  • agnix marketplace entry - bumped from 1.0.0 to 1.1.0 and updated description from "385 rules" to "414 rules" to reflect agnix v0.22.0 (414 validation rules, additive schema --fix and tools check/detect subcommands). Updated site/content.json version highlight to match.

v5.9.0

26 Apr 03:54

Added

  • zig-lsp plugin - Zig language server (ZLS) integration for Claude Code's LSP tool. Maps .zig and .zon to language zig; enables enable_build_on_save so post-edit diagnostics surface real type errors (not just parser errors); 30 s startup timeout, restart-on-crash with cap. Plugin is config-only - no slash commands, no agents, no skills - the harness's built-in LSP tool dispatches automatically once zls is on PATH. Marketplace entry under category development. Source: https://github.com/agent-sh/zig-lsp
  • Marketplace plugin count 19 -> 20 in .claude-plugin/marketplace.json description, scripts/plugins.txt, and site/content.json stats.

v5.8.6

23 Apr 17:50
fd7f8f6

Added

  • @agentsys/lib's repoIntel.queries module - typed wrappers over every agent-analyzer repo-intel query <type> subcommand (28 functions). Consumer plugins can now call require('@agentsys/lib').repoIntel.queries.hotspots(cwd, { limit: 20 }) instead of constructing raw CLI argv themselves. Each function returns JSON matching the binary's output shape for that query.
  • 4 new graph-derived query wrappers for the analyzer-graph crate landed in agent-analyzer v0.4.0:
    • communities(cwd) - lists Louvain-discovered file clusters (the natural feature areas, independent of directory layout)
    • boundaries(cwd, { limit }) - files bridging multiple communities by betweenness centrality (architectural seams - highest-leverage files for refactoring)
    • areaOf(cwd, file) - which community a file belongs to
    • communityHealth(cwd, id) - composite per-community roll-up (size, total/recent changes, bug-fix rate, AI ratio, stale-owner count)

Changed

  • ANALYZER_MIN_VERSION bumped 0.3.0 -> 0.4.0 to match agent-analyzer v0.4.0 which adds the graph subcommands. Older binaries get auto-upgraded on first call by lib/binary.ensureBinary().

v5.8.5

23 Apr 14:21
90b7051

Fixed

  • Hardcoded developer paths in web-ctl skills (#333) - replaced 76 occurrences of /Users/avifen/.agentsys/plugins/web-ctl/scripts/web-ctl.js with ~/.agentsys/... across .kiro/skills/web-auth/SKILL.md (16 sites) and .kiro/skills/web-browse/SKILL.md (60 sites). The original absolute path only existed on the maintainer's machine, so every CLI example silently failed for any other user. The portable form matches the install path documented in meta/skills/maintain-cross-platform/SKILL.md and works for both shell copy-paste and agent execution (Bash tool's bash -c performs tilde expansion).
  • prepare lifecycle hook auto-installed git hooks on every npm install (#334) - moved hook installation from npm's prepare script to an explicit setup-hooks script so consumers no longer get hooks injected as a side effect of npm install. Documented opt-in flow in CONTRIBUTING.md. Also removed the no-op pre-commit placeholder (it just wrote a comment file - lib/ sync is handled by agent-core CI now), so only the actually-active pre-push hook (preflight + /enhance reminder + release-tag validation) is installed.
  • npm version lifecycle dropped downstream version stamps (#339, #342) - replaced git add -A (which would sweep unrelated working-tree changes into the version commit) with an explicit allowlist covering every file stamp-version.js writes plus npm's own lockfile and CHANGELOG.md: package.json, package-lock.json, .claude-plugin/plugin.json, .claude-plugin/marketplace.json, site/content.json, CHANGELOG.md. Preserves the original intent (no working-tree sweep) while keeping all version manifests consistent after npm version. (CHANGELOG.md added per gemini-code-assist review on #342 - the developer manually edits CHANGELOG before each release, so it must be in the allowlist or npm version's auto-commit drops the changelog entry.)

Changed

  • js-yaml dependency range tightened from ^4.1.1 to ~4.1.1 (#335) - blocks unintended 4.x minor bumps while still allowing 4.1.x patch updates so runtime security fixes flow in automatically. Lockfile root entry synced to match.

v5.8.4

20 Apr 15:35

Fixed

  • tasks.json atomic optimistic locking (#331) - Concurrent /next-task and /ship runs could silently lose claims or leave stale registry entries due to unguarded read-modify-write on tasks.json. Fix uses _version + per-write _writerId optimistic locking (mirrors existing flow.json pattern): write atomically via rename, re-read and verify both fields match before declaring success, retry up to 5× with jitter on mismatch.
  • tasks.json schema unification - worktree-manager wrote { version, tasks[] } while workflow-state.js read { active }, causing claim exclusion in discover-tasks to always return an empty set. Unified schema is { active, tasks[], _version, _writerId } with on-read normalization of both legacy formats — no migration needed.
  • Silent corruption risk - readTasks() now throws on corrupted JSON instead of returning a safe default, preventing updateTasks from silently overwriting potentially recoverable data.
  • Agent prompt raw file writes - worktree-manager Phase 6 and Cleanup Reference replaced inline fs.writeFileSync with workflowState.claimTask() / workflowState.releaseTask() library calls that are atomic and retry-safe.

Added

  • updateTasks(mutatorFn) - optimistic-lock loop for tasks.json mutations (mirrors updateFlow)
  • claimTask(entry, projectPath) - atomic upsert into tasks[] registry for worktree-manager
  • releaseTask(taskId, projectPath) - atomic removal from tasks[] registry for ship/abort; idempotent

v5.8.3

11 Apr 03:17

Fixed

  • next-task v1.1.1 - SubagentStop hook now only fires during active /next-task workflows, not on every subagent stop (#325). Cross-platform guard script replaces unconditional prompt injection that wasted 136K+ tokens per unrelated agent.

Changed

  • Bump next-task marketplace version to 1.1.1

v5.8.2

11 Apr 01:41

Added

  • Codex CLI plugin manifest (.codex-plugin/plugin.json) for native Codex discovery

Fixed

  • Flaky stale items test - use >= 99 threshold for date boundary tolerance