github agent-sh/agnix v0.37.3

latest releases: v0.37.5, v0.37.4
5 hours ago

Added

  • Release provenance attestations. Release archive builds now generate GitHub artifact attestations with job-scoped OIDC and attestation permissions, while release publishing keeps write access isolated to the release job.

Fixed

  • Markdown import scanner performance. Avoided repeated prefix rescans when extracting @import references from large non-code spans, keeping dense-at-sign inputs linear while preserving UTF-8 behavior.
  • Rule suppression config warnings. Recognized every shipped rule-prefix namespace in .agnix.toml validation, avoiding spurious core.config.unknown_rule warnings when disabling valid rules.
  • Windows checkout line endings. Added repository attributes that keep source files LF-normalized across platforms while preserving CRLF for Windows command and PowerShell scripts.
  • npm installer checksum verification. The npm postinstall downloader now verifies release archive SHA-256 sidecars before extraction, binds sidecar entries to the expected archive filename, streams archive hashing, and cleans temporary artifacts after failed installs.
  • Stale version references in documentation. Updated project instructions and configuration docs to consistently reference the current release version, so release guidance and user-facing docs match the published version.
  • Security follow-ups (closes #1149, #1150, #1154, #1155, #1156, #1157, #1158). Hardened MCP validation against handler panics and absolute-path disclosure, extended panic isolation to project-level checks, bound shell checksum parsing to the selected artifact filename, added VS Code release-download redirect host validation, corrected the YAML parser safety comment, and documented the remaining deprecated transitive serde_yaml dependency from rust-i18n.
  • CLI config and autofix safety followups (closes #1152, #1153, #1165, #1166, #1167). The CLI now fails non-zero when a discovered or explicitly passed .agnix.toml cannot be parsed instead of validating with defaults, skill frontmatter now reports duplicate top-level YAML keys instead of silently applying last-wins parsing, telemetry storage failures are logged at debug level, agnix-lsp initializes stderr tracing for startup/config-load visibility, bare agnix --fix / --dry-run now apply or preview only safe fixes unless --fix-unsafe is explicitly selected, and the rule-doc parity test now catches stale inline/table rule IDs such as the removed AS-010 and AS-014 references.

Don't miss a new agnix release

NewReleases is sending notifications on new releases.