• Feat: progressive-disclosure skill files. The per-host SKILL.md is now a lean core (~615 lines, down from the ~1156-line monolith, about 47% less always-loaded context) that carries the full default code-build pipeline inline and links to an on-demand references/ sidecar (extraction-spec, query, update, exports, transcribe, github-and-merge, add-watch, hooks); an agent reads a reference only when that path is actually taken, so a normal build needs none. 18 hosts go progressive (claude, codex, opencode, kilo, copilot, claw, droid, trae, trae-cn, hermes, kiro, pi, antigravity, antigravity-windows, windows, kimi, amp, gemini); aider and devin stay monolithic by design. All 15 skill bodies + sidecars are generated from one source under tools/skillgen/, with CI guards (--check, --audit-coverage, --monolith-roundtrip, --always-on-roundtrip) proving the references are byte-identical slices of the old monolith so nothing is lost (#1121).
• Fix: graphify install --platform gemini shipped a SKILL.md with 8 dead references/ pointers. gemini installs claude's lean progressive core but the installer never copied claude's references sidecar; it now does, so every on-demand reference resolves (regression from the progressive-disclosure split).
• Security (F1): a project-local ./.graphify/providers.json (which travels with a cloned or shared repo) is no longer loaded automatically, since a custom provider's base_url is where your corpus and API key are sent. Set GRAPHIFY_ALLOW_LOCAL_PROVIDERS=1 to opt in; the user's own ~/.graphify/providers.json is still trusted. Non-http(s) base_urls are rejected on load and on provider add, and plaintext-http egress warns. Behavior change: if you relied on an auto-loaded project-local providers file, set the opt-in env var.
• Security (F2): untrusted office/PDF files are screened before parsing (on-disk size cap, plus a bounded streaming-decompression ceiling for .docx/.xlsx zip containers) so a zip-bomb in a scanned corpus can no longer exhaust memory.
• Security (F3): OLLAMA_BASE_URL pointing at a link-local or cloud-metadata address (169.254.x, metadata.google.*, or any host that resolves to one) now fails closed with a clean error instead of sending the corpus there. Trusted LAN hosts still warn-and-allow.
• Security (F5): the Fortran C-preprocessor step passes an absolute path so an attacker-named corpus file cannot be interpreted as a cpp option.