github JuliusBrussee/caveman v1.9.0
v1.9.0 — Rock pinned. Rock verified. opencode rock work now.

5 hours ago

Security

  • Installs now pinned + integrity-checked (#261, #262)
    curl|bash and detached installs no longer fetch hook files from the moving
    main branch — they download from the immutable v1.9.0 tag and verify
    every hook against src/hooks/checksums.sha256 (SHA-256) before anything
    executes. Mismatch aborts the install. This is the first tag shipping the
    manifest, so enforcement is fully active as of this release.

  • fix(docs): escape user input in the demo terminal (#438)
    The docs site demo interpolated user input via innerHTML — a real
    reflected DOM XSS. Nodes are built with textContent now.
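
The verify-before-execute step from the first item above, as an added example (not the project's install.sh). The function names `verify_hooks` and `sha256_of` are hypothetical, and the manifest is assumed to use `sha256sum` line format. Rejecting unlisted files and path-bearing manifest entries goes beyond what these notes describe.

```shell
#!/usr/bin/env bash
# Added example: fail-closed check of downloaded hook files against a SHA-256
# manifest. Assumed manifest format (sha256sum style): "<64 hex>  <file name>".

sha256_of() {  # print the hex digest of one file (Linux or macOS tool)
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_hooks <download_dir> <manifest>: returns 0 only if every check passes.
verify_hooks() {
  local dir="$1" manifest="$2" want name got f listed=""
  [ -s "$manifest" ] || { echo "manifest missing or empty" >&2; return 1; }
  while read -r want name || [ -n "$want" ]; do
    [ -n "$want" ] || continue               # blank line
    name=${name#\*}                          # drop sha256sum binary-mode marker
    case $name in                            # bare file names only, no paths
      ""|.|..|*/*) echo "unsafe manifest entry: $name" >&2; return 1 ;;
    esac
    case $want in
      *[!0-9a-f]*) echo "bad digest for $name" >&2; return 1 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "bad digest for $name" >&2; return 1; }
    [ -f "$dir/$name" ] || { echo "missing: $name" >&2; return 1; }
    got=$(sha256_of "$dir/$name") || return 1
    [ "$got" = "$want" ] || { echo "MISMATCH: $name" >&2; return 1; }
    listed="$listed/$name/"
  done < "$manifest"
  # Anything present but not listed is rejected too (stricter than the notes).
  for f in "$dir"/*; do
    [ -e "$f" ] || continue
    [ "$f" -ef "$manifest" ] && continue     # manifest may live beside hooks
    case $listed in
      *"/${f##*/}/"*) ;;
      *) echo "unlisted file: ${f##*/}" >&2; return 1 ;;
    esac
  done
  return 0
}
```

An installer would call `verify_hooks "$tmpdir" "$tmpdir/checksums.sha256" || exit 1` on a temporary download directory and copy hooks into place only after it returns 0.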

opencode actually works now

Smoke-tested against a real opencode runtime for the first time — and the
plugin turned out to never load: opencode runs plugins inside a compiled Bun
binary where both require() of on-disk files and await import() of CJS
silently fail. Fixed by evaluating the shared config as CommonJS by hand.
Also fixed in the same pass, all verified end-to-end against opencode 1.4.0:

  • Real lifecycle hooks: event dispatcher for session init, chat.message
    for mode parsing, experimental.chat.system.transform for per-turn
    reinforcement — the old hook keys never existed and were silently ignored (#418, #421)
  • Session-init flag write no longer misses one-shot opencode run sessions
  • /caveman <level> works both through the TUI command template expansion
    and the quoted non-interactive run path
  • /caveman-compress command file now ships (was gitignored) (#398, #426, #451, #464)

Features

  • Repo-local config (#429) — check in .caveman/config.json (or
    .caveman.json) to pin a per-project default mode for the whole team.
    Resolution order: env var → repo config → user config → full.
  • Natural-language brevity triggers (#248) — "less tokens", "be brief",
    "be terse" now activate caveman mode.

Fixes

  • Installer: Copilot detection via extension dirs (#437), npx skills add
    honors the agent profile again (#395), orphaned managed hooks pruned from
    settings.json (#472), no double hook-wiring when the plugin manifest
    already wires them (#393), MCP-shrink is opt-in and requires an upstream
    (#380), opencode config dir corrected to ~/.config/opencode on Windows
    (#376), PowerShell $Args collision (#414), cavecrew agent copies strip
    tools: for opencode (#443)
  • caveman-compress: UTF-8 pinned subprocess (fixes Windows cp1252 crash,
    #388/#152), claude.cmd resolution on Windows (#435), YAML frontmatter
    preserved (#424), backups written outside the source tree (#420)
  • Skill: replies preserve the user's language (#446), no self-reference
    (#469), full-mode output guardrails (#322), fixed corrupted wenyan example
  • Stats: Opus 4.5+ output price corrected $75 → $25/M (#466), statusline
    pickaxe renders on Windows (#459)
  • MCP-shrink: npx/.cmd upstream resolution on Windows (#387)

Maintenance

  • Sponsors section (welcome, Atlas Cloud), caveman-code + cavegemma in the
    ecosystem table, stale pre-cleanup dotdir mirrors removed, init tests no
    longer touch the developer's real ~/.openclaw workspace.

Upgrade

curl -fsSL https://raw.githubusercontent.com/JuliusBrussee/caveman/main/install.sh | bash

Existing installs: re-run the same one-liner — idempotent. opencode users
should re-run with --force to pick up the fixed plugin:

npx -y github:JuliusBrussee/caveman -- --only opencode --force

🤖 Generated with Claude Code
