github agent-sh/agnix v0.25.0
on GitHub

9 hours ago

Added

  • CC-SET-003: Invalid worktree.baseRef value (closes #883). Claude Code 2.1.133 added the worktree nested object with a baseRef enum. Allowed values: "fresh" (branch from origin/<default>, the v2.1.133 default) or "head" (branch from local HEAD, the pre-v2.1.133 EnterWorktree behavior). Any other string value silently falls back to the default with no warning. CC-SET-003 (MEDIUM, WARNING) parses .claude/settings.json / .local.json / managed-settings.json, walks worktree.baseRef, and flags non-enum string values and non-string types. Missing field, missing worktree, and baseRef: null are not flagged. Case-sensitive ("FRESH" is not accepted). Non-object worktree is intentionally not flagged to avoid false-positiving on future schema extensions. Covered by 8 unit tests including case-sensitivity, null handling, disabled-rule path, and line-position pinning.
  • CC-SET-004: Invalid sandbox path setting (closes #883). Claude Code 2.1.133 added sandbox.bwrapPath and sandbox.socatPath managed settings (Linux/WSL) so admins can point the sandbox at custom bubblewrap/socat binaries. CC-SET-004 (MEDIUM, WARNING) walks both fields under sandbox, flags empty strings and non-string values independently (both fields fire their own diagnostic when both are wrong), and does not stat the path (agnix validates files, not filesystem state). null and absent are not flagged. Non-object sandbox is intentionally tolerated. Covered by 9 unit tests including independent-firing and managed-settings-path coverage.
  • CC-SET-005: Invalid parentSettingsBehavior value (closes #883). Claude Code 2.1.133 added this admin-tier top-level key to let admins opt SDK managedSettings (parent tier) into the policy merge. Allowed values: "first-wins" (preserve existing behavior) or "merge". CC-SET-005 (MEDIUM, WARNING) flags non-enum strings, non-string types. null and absent are not flagged. Case-sensitive. Covered by 9 unit tests. Also rounds out the CC-SET family to five rules covering the full v2.1.133 settings-schema additions.
  • MCP-026: Reserved MCP server name (workspace) (closes #869). Claude Code 2.1.128 reserved the server name workspace for internal use - existing mcpServers.workspace entries are silently skipped at startup with only a log warning that users can easily miss. MCP-026 (HIGH) walks the top-level keys of mcpServers and flags any match against a reserved list (currently just workspace). Case-sensitive (JSON keys are case-sensitive and so is Claude Code's comparison), string-literal-safe (shares the JSON-key walker with MCP-023's duplicate detector so mentions inside prose values are ignored), and emits one diagnostic per reserved occurrence without suppressing siblings. Covered by 6 unit tests plus a fixture at tests/fixtures/mcp/reserved-server-name.mcp.json.
  • CC-SET-002: Non-boolean channelsEnabled setting (closes #869). Claude Code 2.1.128 added --channels support for console (API-key) authentication and requires console orgs with managed settings to opt in via channelsEnabled: true. A quoted "true" or numeric value leaves Channels silently disabled - same footgun shape as MCP-025 alwaysLoad. CC-SET-002 (MEDIUM, WARNING) parses .claude/settings.json / .local.json / managed-settings.json and flags non-boolean values of channelsEnabled; missing, explicit null, and explicit false are not flagged. Covered by 11 unit tests including coexistence with CC-SET-001 on the same file. Validates across all three Claude Code settings paths - if a user misplaces the key, the mis-typed value is still wrong.
  • Rule count: 416 -> 421 across all derived locations (rules.json, CLAUDE.md, AGENTS.md, README.md, plugin.json, SKILL.md files, website docs) via scripts/sync-rule-bookkeeping.js. The 2 -> 5 jump in the CC-SET family adds a new CC-SET- prefix to the config/schema.rs validated-prefix allowlist so the disable_rule("CC-SET-00X") pattern stops warning on build().

Changed

  • Tool baseline: claude-code bumped from v2.1.128 to v2.1.133 (closes #883). Five upstream releases span the jump (v2.1.129, v2.1.130, v2.1.131, v2.1.132, v2.1.133); the bulk of config-affecting changes arrive in v2.1.133, which ships three new settings-schema additions that land as CC-SET-003/004/005 above.
    • Config-affecting (all in v2.1.133): worktree.baseRef nested enum, sandbox.bwrapPath / sandbox.socatPath Linux/WSL managed settings, parentSettingsBehavior admin-tier key. All three are now validated.
    • Runtime-only (v2.1.129-132): hook effort-level metadata (effort.level JSON input / $CLAUDE_EFFORT env var) - behavior-only, no schema change; parallel-session credential race fix; Edit/Write allow-rule matching fix for drive-root and POSIX / scopes; file-lock ECOMPROMISED unhandled-rejection fix; compaction Esc notification fix; MCP OAuth proxy HTTP(S)_PROXY / NO_PROXY / mTLS plumbing fix; network-drive --add-dir fix; Remote Control stop/interrupt cancellation fix; cross-session /effort leakage fix; subagent skill-discovery fix via the Skill tool; claude --help listing --remote-control; VSCode extension unsupported-platform fix; memory improvements releasing warm-spare background workers under memory pressure; focus mode polish.
    • No ToolVersions or SpecRevisions update required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for Claude Code) updated.
  • Tool baseline: codex bumped from rust-v0.128.0 to rust-v0.129.0 (closes #888). Diffed upstream codex-rs/core/config.schema.json@rust-v0.129.0 against our KNOWN_TOP_LEVEL_KEYS / KNOWN_TABLE_KEYS and added the one new table (debug) to KNOWN_TABLE_KEYS to prevent CDX-004 false-positives on valid v0.129 configs.
    • Schema additions (config-surface relevant):
      • [debug] top-level table with nested [debug.config_lockfile] sub-table carrying allow_codex_version_mismatch, export_dir, load_path, save_fields_resolved_from_model_catalog. Added to KNOWN_TABLE_KEYS. Regression-tested in test_codex_0_129_0_new_table_keys_not_flagged.
      • HookStateToml.trusted_hash string field (hook trust metadata, openai/codex#20321). Nested inside the already-known [hooks] table, so does not trigger CDX-004; no validator change required.
      • HooksToml.PreCompact / HooksToml.PostCompact hook events (compact lifecycle hooks, openai/codex#19905). These event names were already recognized by schemas/hooks.rs for the Claude Code hooks validator; Codex does not have a hook-event enum validator, so the new events surface through existing hook shape checks without modification.
      • Tui.raw_output_mode / Tui.session_picker_view / Tui.status_line_use_colors / Tui.vim_mode_default, plus TuiEditorKeymap.kill_whole_line, TuiGlobalKeymap.toggle_fast_mode / .toggle_raw_output / .toggle_vim_mode, TuiKeymap.vim_normal / .vim_operator, and the new ProfileTui nested inside ConfigProfile. All TUI-layer - nested inside the already-known [tui] table and explicitly listed as irrelevant in the codex changes_of_interest.irrelevant list ("TUI keyboard shortcuts and display tweaks"). No validator action.
    • Runtime-only changes (not validated):
      • Large TUI / plugin-sharing / plugin-marketplace refactor (openai/codex#20278, #21124, #21419, #20560, #19843, #20478, #20268, #20298); goals lifecycle polish (#20083, #20790, #20746, #20558); hooks browser (#19882) and hooks PreToolUse additionalContext (#20692); Codex Apps auth + eligible MCP elicitations through TUI/Guardian flows (#19193, #19431); /copy in tmux (#20207); Windows paste/typing latency (#18914); Linux sandbox bundled bwrap + bubblewrap 0.11.2 (#21255-21257, #21312, #21285, #21389); large paste / Ctrl+C drafts / /clear resilience (#21091, #21190, #21351, #21397); TUI startup and accessibility tightening (#20654, #21450, #20564); Windows sandbox ConPTY / git safe.directory / heredoc redirects / dangerous project-config keys / unbounded MCP output growth fixes (#20270, #20685, #20336, #21409, #21275, #20676, #20275, #20098, #20113, #20260, #21069); analytics and diagnostics expansion across tool lifecycles / goals / plugins / thread sources / service tiers / PR labeling (#17089, #17090, #20799, #20923, #20949, #20969, #20893); app-server and protocol internal decomposition (#20324-20325, #20348, #20545, #21251, #21278, #21395); Bazel Windows CI cross-compile (#20585, #20701, #21057).
    • Docs: embedded OpenAI Docs sample skill alignment (#21263); generated git-commit-attribution doc gated by codex_git_commit inside [features] (nested, no CDX-004 impact) (#21379); local planning/spec docs removed (#20896).
    • No ToolVersions or SpecRevisions update required; no new CDX- or CDX-CFG- rule needed. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for Codex CLI) updated.
  • Tool baseline: cursor bumped from 3.2.21 to 3.3.27 (closes #884). The api2.cursor.sh stable-update endpoint only exposes a version marker; spot-checked cursor.com/changelog for the 3.3 line.
    • Notable 3.3 features: parallel "Build in Parallel" execution via async subagents, Explore subagent behavior controls (model: opus and similar generic model names), Security Reviewer and Vulnerability Scanner agents for PR checks / scheduled codebase scans, context-usage breakdown across rules/skills/MCPs/subagents, enterprise model-access and spend controls.
    • Triage: none of these changes touch validated config surfaces - .cursor/rules/**/*.{md,mdc} frontmatter (CUR-001-009), .cursor/hooks.json schema (CUR-010-013, CUR-017-019), .cursor/agents/**/*.md subagent frontmatter (CUR-014-015, which already accepts generic model names like opus via the alphanumeric id validator), .cursor/environment.json (CUR-016), or .cursor/mcp.json.
    • No validator, ToolVersions, or SpecRevisions update required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for Cursor) updated.
  • Tool baseline: amp bumped from gpt-5.5 to neo (closes #882). Major upstream "Neo" rebuild of the Amp CLI.
    • New: Plugin system (.amp/plugins/*.ts), remote control from ampcode.com, auto-compaction (replacing Handoff), queuing/steering, large performance improvements.
    • Changed: Default permission model no longer prompts before tool calls; users who opt back in via amp.permissions, amp.dangerouslyAllowAll: false, or amp.guardedFiles.allowlist keep the old behavior via a built-in permissions plugin.
    • Removed: Handoff, rollback on message edit, built-in skill-management CLI commands (Agent Skills still supported via external tools like vercel-labs/skills), custom themes, manual $/$$ bash invocation.
    • Triage: agnix-irrelevant. None of this changes the config surfaces agnix validates: .amp/settings.json top-level keys (AMP-004), .agents/checks/*.md frontmatter (AMP-001/002), or AGENTS.md glob parsing (AMP-003). Plugin files live in .amp/plugins/*.ts which agnix does not validate - they are user TypeScript code executed by the Amp runtime. AMP-SK-001 (amp Agent Skills) is currently unreachable without explicit Amp-specific config context (the .agents/ directory defaults to Codex in per_client_skill::ClientRegistry - see the code comment at crates/agnix-core/src/rules/per_client_skill.rs:83), so the removal of the skill-management CLI doesn't change any reachable validator path.
    • No AMP / AMP-SK validator, ToolVersions, or SpecRevisions update required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for amp) updated.
  • Tool baseline: opencode bumped from v1.14.37 to v1.14.41 (closes #886). Four upstream releases span the jump (v1.14.38, v1.14.39, v1.14.40, v1.14.41).
    • Runtime bugfixes: reasoning-block preservation, missing-session errors, CORS-before-auth ordering, ACP/serve/web re-entry, web-terminal CSP, surrogate sanitization, Cloudflare AI Gateway provider options, /new workspace handling, editor selection stability, server-overload retries, Mistral Medium 3.5 restoration, compaction-summary ordering.
    • New .well-known/opencode config-discovery mechanism (pointer to a remote config file - does not change OpenCode's config schema, only how the file is located).
    • TUI fixes: model-refresh selection, /agent -> /agents path, /connect custom provider setup.
    • Desktop polish: clipboard permission, EPIPE logging, no-auto-install on quit, Sentry noise, sync bootstrap, macOS Settings menu, utility-process server split, uncommitted-changes carry on warp.
    • ACP clients now restore last model/mode/effort on session load.
    • Triage: agnix-irrelevant. None touch the config surfaces agnix validates (.opencode/config.json top-level keys, permission config, LSP config, MCP server definition shape, AGENTS.md grammar).
    • No OC / AGM / XP validator, ToolVersions, or SpecRevisions update required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for OpenCode) updated.
  • Tool baseline: claude-code bumped from v2.1.126 to v2.1.128 (closes #869). Upstream v2.1.127 was skipped; v2.1.128 is the single bridge release. Ships two config-affecting items that land as MCP-026 and CC-SET-002 above (both documented via upstream release notes at https://github.com/anthropics/claude-code/releases/tag/v2.1.128). The other 35 items in the release notes are triaged as agnix-irrelevant: UI/display fixes, CLI flag extensions that do not touch settings.json, model picker changes, OTEL env handling at subprocess spawn, piping/resume/vim/clipboard/progress/crashes, error message wording, streaming output. Also refreshes Claude Code "Last Reviewed" in knowledge-base/RESEARCH-TRACKING.md to 2026-05-06 and adds the CC-SET rule prefix to the row (was missing - pre-existing gap now that CC-SET is a two-rule family).
  • MCP-023 / MCP-026 shared JSON-key walker. Extracted collect_mcp_server_name_offsets as a single top-level mcpServers key walker, then had MCP-023 (duplicates) and MCP-026 (reserved names) consume it via different predicates. One JSON walk per file regardless of how many name-based rules exist; further server-name rules can reuse the same iterator.

Fixed

  • CC-HK-008 false-positive on ~-prefixed hook paths (closes #894, reported by @philipstancil). Claude Code passes hook commands to the shell, which expands a leading ~/ to $HOME/... at runtime. resolve_script_path now expands these paths via dirs::home_dir() before the existence check, and has_unresolved_env_vars treats ~user/... forms as unresolved to avoid false-positives on arbitrary user home lookups. Existing $CLAUDE_PROJECT_DIR / $FOO semantics preserved via regression tests. Covered by 8 unit tests plus 2 integration regression tests for the reported reproduction.
  • kiro.validators drift in tool-release-baselines.json (closes #880). The kiro.validators array listed five validators (kiro_steering, kiro_power, kiro_agent, kiro_hook, kiro_mcp) but crates/agnix-core/src/rules/kiro_settings.rs (shipped in v0.21.0 with KR-SET-001/002/003) was absent. The array is consumed by .github/workflows/tool-release-watch.yml to classify changes of interest per tool; with kiro_settings missing, upstream changes to .kiro/settings.json parsing or schema would not be correctly attributed. Added kiro_settings to the array. Pairs with #879 (RESEARCH-TRACKING Kiro row drift).
  • RESEARCH-TRACKING.md Kiro row drift (closes #875). The Kiro CLI row's Config Format column was missing .kiro/settings.json and .kiro/skills/*/SKILL.md, and the Rule Prefix column was missing KR-SET - both of which are present in .github/tool-release-baselines.json kiro.changes_of_interest.config_surfaces and in crates/agnix-core/src/rules/kiro_settings.rs (KR-SET-001/002/003, shipped in v0.21.0). Per the CLAUDE.md rules.json source-of-truth principle, RESEARCH-TRACKING is the derived view and must match; both omissions are now filled. Observed during #874 (Kiro 2.2.0 triage) review.
  • Codex config schema drift at rust-v0.128.0 (closes #851). Diffed upstream codex-rs/core/config.schema.json@rust-v0.128.0 against KNOWN_TOP_LEVEL_KEYS / KNOWN_TABLE_KEYS (used by CDX-004 unknown-config-key detection) and added the 30 keys Codex now accepts but agnix was still flagging: 14 new [section] tables (agents, analytics, apps, audio, auto_review, approvals_reviewer, experimental_thread_store, ghost_snapshot, hooks, memories, permissions, plugins, tools, windows) and 16 new scalars (allow_login_shell, background_terminal_max_timeout, commit_attribution, default_permissions, three experimental_realtime_ws_*, experimental_thread_config_endpoint, mcp_oauth_callback_url, model_catalog_json, openai_base_url, plan_mode_reasoning_effort, service_tier, sqlite_home, suppress_unstable_features_warning, zsh_path). Two new regression tests pin both the scalar and table form. Also refreshed CDX-CFG-029 evidence metadata - the rule was briefly removed by openai/codex#19733 and reinstated by openai/codex#19792 (which moved the thread cap into features.multi_agent_v2.max_concurrent_threads_per_session); citations now cover all three upstream PRs and the tag-pinned source URL. Baseline last_known_version bumped rust-v0.125.0 -> rust-v0.128.0.

Changed

  • Tool baseline: gemini-cli bumped from v0.40.1 to v0.41.1 (closes #873). The span covers v0.41.0 (substantial minor release) and v0.41.1 (single cherry-pick patch). No existing GM rule (GM-004 tools allow/deny schema, GM-009 unknown-keys, GM-010 memoryManager-without-autoMemory) is broken by any v0.41.0 change - verified by reading the upstream diff against the validator. Three v0.41.0 items are potential future rule candidates if Gemini CLI escalates above Tier C (community fixes only):

    1. google-gemini/gemini-cli#26118 adds boolean/number casting for env vars in .gemini/settings.json - analogous shape to MCP-025 where a typoed quoted value becomes a silent footgun.
    2. google-gemini/gemini-cli#25873 persists an auto-memory scratchpad, which validates GM-010's existing premise (memoryManager and autoMemory are genuinely independent surfaces) and doesn't require a rule change.
    3. google-gemini/gemini-cli#24174 introduces real-time voice mode with cloud/local backends - may add new settings keys in a future release worth watching.

    No validator, ToolVersions, or SpecRevisions update in this release. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for gemini cli) updated.

  • Tool baseline: opencode bumped from v1.14.33 to v1.14.37 (closes #871). Four upstream releases span the jump (v1.14.34, v1.14.35, v1.14.37 - v1.14.36 was skipped upstream) and every change is agnix-irrelevant: HTTP/auth/PTY server internals, v2 session rendering and failure events, diff-boundary preservation, task-cancellation cascade to subtasks, workspace-warp, Azure/Codex OAuth model resolution, web-UI proxy fixes, and desktop migration/titlebar fixes. None touch the OpenCode config surfaces agnix validates (.opencode/config.json top-level keys, permission config, LSP config, MCP server definition shape, AGENTS.md grammar). No OC / AGM / XP validator, ToolVersions, or SpecRevisions update required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for OpenCode) updated.

  • Tool baseline: kiro bumped from 2.1.1 to 2.2.0 (closes #870). Upstream release ships two changes - adaptive thinking/reasoning preserved across multi-turn conversations, and a runtime bug fix for silent failures in subagent tool dispatch when MCP servers update tool specs mid-execution. Neither touches a validated surface: the first is inference-layer state, the second is a Kiro-internal dispatch path. No KIRO / KR-AG / KR-HK / KR-MCP / KR-PW / KR-SK validator, ToolVersions, or SpecRevisions update required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for Kiro CLI) updated.

  • Tool baseline: cline bumped from v3.81.0 to v3.82.0 (closes #859). Upstream release is UI/model/docs/runtime-fix oriented (VS Code terminal restore, new OpenAI/SAP AI Core/Z AI models, hook template JSON-escape fix, ripgrep error handling, hardcoded-model-list docs cleanup) and does not change any validated surface - no Cline validator, ToolVersions, or SpecRevisions update required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for Cline) updated.

  • Internal: Gated XP-004/005/006 schema helpers in agnix-core behind the filesystem feature (#848). These helpers are only consumed by rules::project_level, which is itself feature-gated, but they were unconditionally compiled - which made every agnix-wasm build (no default features) emit 29 dead_code warnings. Mirrors the gate on 28 items in schemas/cross_platform.rs and check_agents_md_hierarchy in schemas/agents_md.rs, plus the corresponding std::path::Path imports and the unit tests that exercise them. No behavior or rule changes; the default (filesystem) build path is unchanged. Non-breaking for the default cargo build; --no-default-features consumers lose access to the XP-004/005/006 helper API (which was already unreachable through any public entry point in that configuration since rules::project_level was already gated).

Check out latest releases or
releases around agent-sh/agnix v0.25.0

Don't miss a new agnix release

NewReleases is sending notifications on new releases.

Get notifications