===== CHANGELOG.md ===== # Changelog [中文版](CHANGELOG_zh.md) All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [1.0] - 2026-07-06 ### Component Versions | Component | Version | |-----------|--------| | copilot-shell | 2.6.1 | | agent-sec-core | 0.7.0 | | agentsight | 0.7.1 | | tokenless | 0.6.1 | | agent-memory | 0.2.1 | | os-skills | 0.6.1 | | anolisa | 0.1.20 | | skillfs | 0.3.2 | | ws-ckpt | 0.4.1 | | cosh-ng | 0.11.0 | ### Highlights - **anolisa**: Updated to v0.1.20, delivered unified CLI gateway with full component lifecycle and adapter orchestration, users can install/update/diagnose all components with a single command - **cosh-ng**: Updated to v0.11.0, completed Core/Shell separation and AI-augmented terminal, Agent can execute structured OS operations deterministically across distros - **agent-memory**: Updated to v0.2.1, added user data sovereignty and 4-type memory classification, users can query/forget/control auto-captured memories - **tokenless**: Updated to v0.6.1, added compression toggle with A/B testing and QwenCode adapter, users can quantify Token savings per strategy without affecting task execution ### New Components - **anolisa**: First release v0.1.16, built unified CLI gateway managing component install/update/uninstall with dual-backend (RPM + Raw), users can deploy the entire ANOLISA stack with `anolisa install --all` - **cosh-ng**: First release v0.11.0, implemented deterministic Agent-OS interface with 5-crate workspace, Agent can execute cross-distro structured system operations via stable API - **skillfs**: First release v0.3.2, built FUSE virtual filesystem for agent skills with view-based SKILL.md exposure, Agent can discover and load skills from a mounted directory ### Updated - **agent-memory**: Updated to v0.2.1, added sovereignty tools (about/forget/consent), AMA export/import, 4-type classification, and incremental consolidation resilient to SIGKILL, users can control memory retention and migrate memories across agents - **tokenless**: Updated to v0.6.1, added compression on/off toggle with dry-run mode, SLS JSONL telemetry default-on, and QwenCode adapter, developers can A/B test compression strategies and monitor Token savings in SLS dashboard - **agentsight**: Updated to v0.7.1, added Token saving visualization (strategy pie chart + line-level diff), security dashboard, and container/K8s full support, users can visually assess which optimization saves the most Tokens - **copilot-shell**: Updated to v2.6.1, added `/model` dialog for multi-provider switching and SLS session telemetry (32-field JSONL), users can freely switch LLM providers without losing configuration - **agent-sec-core**: Updated to v0.7.0, added Skill Ledger integrity chain with GPG signing workflow and Prompt Scanner, users can audit skill security status and get confirmation prompts before risky operations - **os-skills**: Updated to v0.6.1, added ANOLISA Guide knowledge skill (13 official docs) and OpenClaw pre-check with bootstrap, Agent can reference accurate product documentation in responses - **ws-ckpt**: Updated to v0.4.1, added auto-cleanup scheduling and TOML config hot-reload, users can set retention policies that take effect without restarting the daemon ### Changed - Documentation governance established via `specs/documentation-standard.md` - Bilingual naming convention unified to `_zh.md` (migrated from legacy `_CN.md`) ## [0.6] - 2026-06-12 ### Component Versions | Component | Version | |-----------|--------| | copilot-shell | 2.4.1 | | agent-sec-core | 0.5.0 | | agentsight | 0.5.0 | | tokenless | 0.4.1 | | agent-memory | 0.1.0 | | os-skills | 0.5.0 | | cosh-ng | 0.1.0 (MVP) | ### Highlights - **agent-memory**: First release v0.1.0, delivered sandboxed filesystem MCP memory server, Agent can persistently store and retrieve context across sessions via BM25 search - **tokenless**: Updated to v0.4.1, added Hermes Agent plugin and Tool Ready 4-stage pre-check, Agent environments are automatically validated before tool execution to avoid wasted retries - **agentsight**: Updated to v0.5.0, added Skill-level Token metrics and Hermes support, users can pinpoint which Skills consume the most Tokens ### New Components - **agent-memory**: First release v0.1.0, built 19-tool MCP server with namespace isolation and BM25 background index, Agent can read/write/search persistent memory in a sandboxed filesystem - **cosh-ng**: First release (MVP), completed production-ready functionality for deterministic OS operations, Agent can execute structured commands with predictable output format ### Updated - **tokenless**: Updated to v0.4.1, added Hermes adapter runner and Tool Ready mechanism (4-stage env pre-check as cosh extension), Agent tool calls are pre-validated reducing Token waste from environment failures - **agentsight**: Updated to v0.5.0, added Skill-dimension Token/call metrics and Hermes matcher with SSL support, users can see per-Skill Token breakdown in the dashboard - **agent-sec-core**: Updated to v0.5.0, added PIIChecker (output PII detection + desensitization) and Skill Scanner (text/code scan + lifecycle trigger), Agent output containing sensitive information is automatically intercepted - **copilot-shell**: Updated to v2.4.1, added cross-session auto memory extraction and hook reason visibility in UI, users can see exactly why a security hook blocked an operation ## [0.5] - 2026-05-28 ### Component Versions | Component | Version | |-----------|--------| | copilot-shell | 2.4.0 | | agent-sec-core | 0.4.0 | | agentsight | 0.4.0 | | tokenless | 0.4.0 | | os-skills | 0.4.0 | ### Highlights - **tokenless**: Updated to v0.4.0, added Hermes plugin and Tool Ready environment mechanism, Agent tool execution failures due to missing dependencies are prevented before Token consumption - **agent-sec-core**: Updated to v0.4.0, delivered PIIChecker and Skill Scanner first version, Agent output is scanned for sensitive information leakage ### Updated - **tokenless**: Updated to v0.4.0, developed Hermes Agent plugin with Tool Ready 4-stage env pre-check and history compression, Agent runtime dependencies are auto-verified before execution - **agent-sec-core**: Updated to v0.4.0, added PIIChecker for output PII detection and Skill Scanner baseline capabilities, users are protected from unintentional sensitive data exposure - **agentsight**: Updated to v0.4.0, added Skill-level metrics display, users can view Token consumption grouped by Skill - **os-skills**: Updated to v0.4.0, added Nightly automated test coverage, skill quality is continuously validated ## [0.4] - 2026-05-13 ### Component Versions | Component | Version | |-----------|--------| | copilot-shell | 2.3.0 | | agent-sec-core | 0.4.1 | | agentsight | 0.4.0 | | tokenless | 0.3.0 | | os-skills | 0.3.0 | | ws-ckpt | 0.2.0 | ### Highlights - **agent-sec-core**: Updated to v0.4.1, established Skill security full lifecycle with Prompt Scanner ask policy, users receive confirmation prompts before Agent executes risky instructions - **tokenless**: Updated to v0.3.0, built 4-suite Benchmark comparison baselines, developers can quantify Token savings across different Skill/OS environments - **ws-ckpt**: Updated to v0.2.0, expanded snapshot management commands, users can auto-clean historical snapshots by count or age policy ### Updated - **agent-sec-core**: Updated to v0.4.1, integrated Prompt Scanner into cosh hook and OpenClaw plugin with ask strategy, users get interactive confirmation before dangerous operations - **tokenless**: Updated to v0.3.0, built batch-concurrent Benchmark platform with comparison reports, developers can one-click benchmark and compare Token savings across configurations - **agentsight**: Updated to v0.4.0, optimized resident process memory footprint, 2C2G small-spec instances can run observability stably - **copilot-shell**: Updated to v2.3.0, adapted SWEBench evaluation framework, developers can execute code-fix tasks and verify pass rates via cosh - **ws-ckpt**: Updated to v0.2.0, enriched snapshot CRUD capabilities, users can manage workspace checkpoints with flexible retention policies ## [0.3] - 2026-04-30 ### Component Versions | Component | Version | |-----------|--------| | copilot-shell | 2.2.1 | | agent-sec-core | 0.3.0 | | agentsight | 0.3.1 | | tokenless | 0.2.0 | | os-skills | 0.3.0 | | ws-ckpt | 0.1.0 | ### Highlights - **tokenless**: Updated to v0.2.0, delivered command rewriting and TOON context compression, CLI output Token consumption reduced by 60–90% - **agentsight**: Updated to v0.3.1, added Token saving Dashboard and Agent anomaly diagnostics, users can visualize savings and detect Agent interruptions - **agent-sec-core**: Updated to v0.3.0, added Skill Ledger integrity tracking and Prompt Scanner, every Skill's signature chain is auditable end-to-end ### New Components - **ws-ckpt**: First release v0.1.0, built btrfs-based workspace checkpoint daemon, Agent can create sub-millisecond snapshots and instantly rollback filesystem state ### Updated - **tokenless**: Updated to v0.2.0, added command rewriting via RTK and TOON context compression, Agent CLI interactions consume 60–90% fewer Tokens - **agentsight**: Updated to v0.3.1, added Token saving Dashboard (session/time-range stats) and Agent interrupt detection with drain mechanism, users can monitor savings trends and get alerted on Agent failures - **agent-sec-core**: Updated to v0.3.0, added Skill Ledger full lifecycle (check/certify/bypass/status/audit) and Prompt Scanner with jailbreak detection, users can track and enforce Skill integrity policies - **copilot-shell**: Updated to v2.2.1, added extension architecture (command extension + system Hook + instant activation), Skill marketplace integration, and session export (Markdown/HTML/JSON), users can extend cosh capabilities via plugins and export conversation history - **os-skills**: Updated to v0.3.0, added Skill marketplace listing, Hermes install skill, and utility skills (xlsx/pdf-reader/image-gen/humanizer), users can discover and install skills from a marketplace ## [0.2] - 2026-04-15 ### Component Versions | Component | Version | |-----------|--------| | copilot-shell | 2.0.4 | | agent-sec-core | 0.2.0 | | agentsight | 0.2.2 | | os-skills | 0.2.2 | | tokenless | 0.1.0 | ### Updated - **agentsight**: Updated to v0.2.2, added Token consumption observability with precise Tokenizer counting, users can view per-message Token breakdown in real time - **copilot-shell**: Updated to v2.0.4, added independent auth (STS/ECS RAM Role) and Skill marketplace browsing, users can authenticate without AK/SK and discover available skills - **os-skills**: Updated to v0.2.2, added SysAdmin skills (Linux IO/network/load diagnostics), Agent can independently diagnose common OS performance issues - **tokenless**: First release v0.1.0, built Skills-level benchmark test cases, developers can compare Token consumption across different Skills quantitatively ## [0.1] - 2026-03-30 ### Component Versions | Component | Version | |-----------|--------| | copilot-shell | 2.0.1 | | agent-sec-core | 0.1 | | agentsight | 0.1 | | os-skills | 0.1 | ### New Components - **copilot-shell**: First release v2.0.1, built AI-powered terminal assistant with Tab completion, /bash mode, sudo support, and hook security, users get an AI-native CLI experience on first login - **agent-sec-core**: First release v0.1, delivered Skill signature verification, security sandbox, and system hardening, Agent operations run in a controlled least-privilege environment - **agentsight**: First release v0.1, built eBPF-based zero-intrusion observability probe, users can monitor LLM API calls and Token consumption without modifying Agent code - **os-skills**: First release v0.1, curated system administration, SysOM, DevOps, and cloud skills, Agent can autonomously perform common OS operations ### Security - Skill full-link encryption with digital signatures - Hardware-level security sandbox for risk isolation - Identity authentication and integrity verification for Skill calls --- For detailed changelogs of individual components, see: **User Entrypoint** - [copilot-shell](src/copilot-shell/CHANGELOG.md) - [cosh-ng](src/cosh-ng/CHANGELOG.md) - [anolisa](src/anolisa/CHANGELOG.md) - [os-skills](src/os-skills/CHANGELOG.md) **Token Saving** - [tokenless](src/tokenless/CHANGELOG.md) **Runtime** - [agent-memory](src/agent-memory/CHANGELOG.md) - [skillfs](src/skillfs/CHANGELOG.md) - [ws-ckpt](src/ws-ckpt/CHANGELOG.md) **Agent Observability** - [agentsight](src/agentsight/CHANGELOG.md) **Agent Security** - [agent-sec-core](src/agent-sec-core/CHANGELOG.md) ===== src/agent-memory/CHANGELOG.md ===== # Changelog ## 0.2.1 - fix vector/hybrid search panic and empty index when an embedding provider is configured: the index worker ran on a std::thread with no tokio Handle so embeddings were never produced, and memory_search mode=vector|hybrid called Handle::block_on from a worker thread; the runtime handle is now captured at spawn and threaded through to the worker, and the search path uses block_in_place - fix memory_get_context leaking .git internals (e.g. .git/logs/HEAD) into agent context by extending the reserved-path filter to cover .git/ via a shared is_under_git predicate in safe_fs - fix full_scan (startup and inotify-overflow recovery) only building the BM25 index and never dense embeddings, so preexisting files were invisible to vector search until modified; a paths_without_vec query plus a backfill pass now embeds them, centralised in an embed_sync helper shared with flush - fix memory_search returning zero hits for short CJK query terms (< 3 chars, e.g. "花名"/"小云"): the trigram tokenizer emits no tokens for terms shorter than 3 characters, so such queries now fall back to a `body LIKE '%term%'` substring scan that preserves recall, agent-scope filtering, and cold/superseded exclusion - resolve embedding dimensions from the first real response instead of hardcoding 1536 (DashScope text-embedding-v3 is 1024): dimensionality is stored in an AtomicUsize seeded with the estimate and overwritten on first embed - add anolisa-cli adapter contract via .anolisa/component.toml so the CLI adapter manager can discover the openclaw plugin bundle through the [[adapters]] TOML schema ## 0.2.0 - add prompt-injection safety module (looksLikePromptInjection + escapeMemoryForPrompt) mirrored between Rust core and TS adapter - add secret detection and PII redaction to the safety module - add auto-recall before_prompt_build hook injecting relevant memories each turn - add auto-capture agent_end hook with trigger filtering, SHA256 dedup and injection rejection - add dense-vector semantic search via pluggable EmbeddingProvider (OpenAI /v1/embeddings, Ollama /api/embed) - add files_vec table (schema v2) for per-file dense embeddings alongside FTS5 BM25 - add hybrid search with reciprocal rank fusion (RRF, k=60) of BM25 + vector scores - add memory_search mode parameter (bm25/vector/hybrid) with graceful fallback to BM25 - add per-agent memory isolation via [memory].agent_scope (shared/isolated/filter), schema v5 - add memory sovereignty tools (memory_about/forget/auto_created/consent) with consent.toml preferences - add 4-type closed memory classification (user/feedback/project/reference) to memory_observe - add mem_export and mem_import for cross-agent memory migration (AMA archive format) - add memory_summary tool for memory overview and source tracking - add memory_session_context tool - add memory_sessions and memory_timeline session history query tools - add MEMORY.md index file and mem_index_refresh tool - add user profile synthesis (Dreaming V3 mem_dream) - add memory consolidation: auto-extract L1 atomic facts from session audit logs on shutdown - add episodic memory extraction from coherent tool-call chains - add cross-session task persistence and incremental consolidation - add consolidation quality filters (mutual exclusion, non-derivable, date normalization) - add time-decay ranking (exp(-λ×age_days)) applied to BM25/vector/hybrid scores - add cold archival of old never-accessed files with mem_compact tool - add conflict detection via BM25 similarity before writing new facts - add category subdirectories (facts//) with memory_search category filter - add token tracking (tokens field in AuditEntry) - add mem_consolidate tool for manual consolidation trigger - add corpus supplement registration for memory_search corpus=all - add EmbeddingConfig (None/OpenAI/Ollama) with TOML parsing and env overrides - extend memory_search signature with optional mode and category parameters - cap memory_search query at 1024 characters to prevent FTS5 resource exhaustion - truncate embedding error response bodies to 200 chars to prevent API key leakage - distinguish CJK vs ASCII token estimation in ConsolidatedFact - hold FactWriter JSONL file handle under mutex to prevent line interleaving - derive BM25Store mount root from db path with canonicalize + starts_with traversal guard - compute Episode duration from entry timestamps instead of chain length - propagate session_id to extracted episodic facts - return fact count from consolidate() for mem_consolidate reporting - fix effectiveMode in search response to reflect actual mode used - fix embedding API empty-response handling to return zero vector of correct dimensionality ## 0.1.0 - introduce filesystem memory MCP server for AI agents (Linux only) with 21 tools over stdio JSON-RPC 2.0 in three tiers (Tier A file ops, Tier B BM25 search, Tier C governance) - add per-namespace mount under ~/.anolisa/memory// with optional user-namespace + private tmpfs isolation (auto/userland/userns strategies) - enforce path sandbox via openat2(RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS) on every Tier A file open - add SQLite FTS5 BM25 background index with transactional upsert, schema migrations, trigram CJK tokenizer and inotify-driven debounced flush - add optional git versioning with auto-commit serialized under a per-handle mutex - add tar.gz snapshots with strict id whitelist, atomic rename swap on restore and rollback entries under .anolisa/trash/ - add optional cgroup v2 memory.max self-limit applied before the tokio runtime starts - add JSONL audit log (O_NOFOLLOW | O_CLOEXEC, Mutex) with optional systemd-journald fan-out - enforce profile gating (basic/advanced/expert) at both tools/list and tools/call with deny_unknown_fields on config structs - add per-session scratch and log under /run/anolisa/sessions// (0700) with tmpfiles.d snippet - add systemd user template anolisa-memory@.service with hardening (ProtectKernelTunables/Modules/Logs, SystemCallFilter, MemoryDenyWriteExecute, RestrictNamespaces, RestrictAddressFamilies=AF_UNIX) - add RPM packaging with offline vendor tarball and single statically-linked binary (bundled SQLite + vendored libgit2) - add OpenClaw plugin memory-anolisa with install/detect/uninstall lifecycle and 4 memory contract tools routed to the MCP server as a stdio child - add single-source version sync from Cargo.toml into manifest/package/openclaw/mcp JSON and the bundle - add mcp-harness example and 140 automated tests across 12 integration suites ===== src/agent-sec-core/CHANGELOG.md ===== # Changelog ## 0.8.0 **Build & Packaging** - Installed the Codex plugin during source builds so source deployments include the same Codex integration as packaged installs. (#1302) - Updated source build scripts for the sec-core install flow. (#1348) - Fixed system-mode source builds by placing uv-managed Python under the shared sec-core library directory and adding a system install smoke check. (#1400) **Code Scanner** - Added sensitive file path rules for common agent credentials to block API key exposure. (#1401) **OpenClaw Plugin** - Hardened OpenClaw deploy compatibility handling and covered deployment edge cases with unit tests. (#1358) - Added an OpenClaw plugin cross-version E2E matrix that validates packaged plugin loading, Gateway flows, policy behavior, and observability across supported OpenClaw hosts. (#1372) **Documentation** - Added bilingual agent-sec-core user guide documentation and documentation maintenance rules. (#1311) - Documented OpenClaw plugin deployment, compatibility, and upgrade guidance. (#1370) ## 0.7.1 **Prompt Scanner** - Degraded scan-prompt to fast mode when model unready; rewrote DENY to WARN and enriched degraded reason with diagnostics. (#1258) **Skill Ledger** - Clarified skill ledger fallback warnings and sanitized finding summaries. (#1240) - Tamed ledger reconcile noise and typed live-root skip errors. (#1232) **Security Observability** - Added observability mapping for new pii_scan at before_tool_call & after_tool_call. (#1229) ## 0.7.0 **Codex Plugin — Full security integration for OpenAI Codex** - Added codex-plugin with code scanning, prompt scanning, skill ledger, and PII checking hooks. (#1074) - Supported packaging codex-plugin into RPM. (#1138) - Fixed codex-plugin paths in Makefile and CI for correct RPM install verification. (#1165) **Code Scanner** - Added code-scanner LLM mode for AI-assisted security analysis. (#1108) - Added code-scanner static rules for expanded coverage. (#1033) **Prompt Scanner** - Added L4 multi-turn intent detection with ollama model service. (#1060) - Routed prompt scan to daemon and added prompt model preload for reduced latency. (#786) - Controlled prompt scan call to use daemon by env variable. (#933) **Skill Ledger — Activation daemon and policy engine** - Added Skill Ledger activation daemon for background integrity monitoring. (#857) - Added runtime activation resolver for skill trust decisions. (#826) - Added skill ledger activation policy for configurable enforcement. (#944) - Updated skill ledger activation and event contracts. (#983) - Updated Skill Ledger hook defaults and reconcile notify behavior. (#1086) - Aligned skill ledger hooks across all agent platforms. (#1135) - Resolved Skill Ledger FUSE and unmanaged roots handling. (#1141) - Fail-open unsupported Hermes skill ledger scenarios. (#1155) **Daemon & Telemetry** - Added daemon service with systemd integration and RPM build support. (#1090) - Exposed SQL query endpoint at daemon for observability queries. (#1042) - Enhanced daemon logging including requests and jobs. (#871) - Added telemetry schema definition and SLS JSONL writer. (#977, #1008) - Passed agent_name to telemetry data for multi-agent identification. (#1032) - Added logging system for structured agent-sec-cli output. (#651) - Added security daemon socket fallback under `/run/user/` for user-scoped deployments. (#1129) **PII Scanner** - Extended PII scanning coverage with additional pattern detectors. (#925) **Security Observability** - Added session report command for post-session security summaries. (#703) **Sandbox** - Converged sandbox trigger rules for consistent enforcement. (#979) **Adapter & Build** - Added ANOLISA CLI component.toml for adapter manifest integration. (#1067) - Added systemd-rpm-macros as RPM build dependency. (#1156) ## 0.6.0 **Self-Protection — Tamper-resistance for agent-sec-core itself** - Added self-protect code-scan rules that block disabling/uninstalling agent-sec plugins on OpenClaw and Hermes. (#692) - Optimized self-protect rules in code-scan to eliminate false positives on prefix-matched plugin names and cover Hermes uninstall/rm patterns. (#710) **Prompt Scanner** - Unified prompt-scan warning format across cosh-extension, hermes-plugin, and openclaw-plugin with structured fields (threat type, risk level, interception stage, model confidence). (#709) **Agent-Sec-CLI** - Added daemon process for agent-sec-cli to amortize startup latency across hook invocations. (#677) **Adapter & Manifest** - Added standalone ANOLISA adapter entry `anolisa-for-openclaw` to package sec-core OpenClaw adapter scripts and drive install/detect/uninstall via the adapter manifest. (#549) - Added Hermes adapter runner: refactored the OpenClaw entry into a target-agnostic `anolisa-adapter-runner` and added `anolisa-for-hermes` wrapper, with per-agent adapter directory layout under sec-core. (#617) - Centralized sec-core adapter manifest parsing across adapter scripts and moved the manifest under the cli package. (#617) **OpenClaw Integration** - Normalized OpenClaw state directory handling: use `OPENCLAW_STATE_DIR` for adapter filesystem state, unset `OPENCLAW_HOME` when invoking the OpenClaw CLI, and aligned plugin install/list/uninstall handling. (#641) ## 0.5.0 **PII Scanner — Personal information leak detection** - Added PIIChecker scan CLI with text/file input, regex/validator-based detection, redaction, and security middleware integration. (#525) - Added PIIChecker hooks for cosh and OpenClaw with stdin-based input passing. (#539) - Added Hermes PII checker hook. (#556) - Fixed scan-pii module mode detection via subprocess. (#540) **Security Observability — Agent run metrics & posture insights** - Added security observability schema, metrics definition, and CLI with jsonl writer for agent runs. (#488) - Added openclaw plugin for security observability. (#515) - Added cosh hook for security observability. (#528) - Persisted observability records to sqldb with CLI review command. (#544) - Added observability plugin for hermes. (#553) - Correlated security events with observability events and supported batch query. (#578) - Respected trace-id filter in count queries. (#595) **Hermes Plugin — AI Agent integration framework** - Added hermes-plugin framework with abstract hook class and code scan capability. (#536) - Added Hermes prompt-scan capability. (#579) - Added Hermes PII checker hook. (#556) - Added Hermes skill ledger hook. (#565) - Added observability plugin for hermes. (#553) - Supported correlation context in hermes agent plugin. (#590) - Added hermes plugin install for rpmbuild and build from scratch. (#577) - Stabilized Hermes skill-ledger warning delivery for non-pass skill checks. (#600) **Correlation & Tracing Context** - Unified caller tracing context across CLI, OpenClaw, and cosh with `--trace-context` JSON and SQLite schema v2. (#569) - Supported correlation context in hermes agent plugin. (#590) - Correlated security events with observability events. (#578) **Skill Ledger** - Integrated code-scanner with skill-ledger for unified security assessment. (#505) - Updated skill ledger security interactions. (#529) - Made openclaw skill ledger approval configurable. (#575) - Added Hermes skill ledger hook. (#565) - Refined skill ledger scan workflow and aligned documentation. (#529) - Included skill-ledger e2e in install flows. (#573) - Fixed skill-ledger hook scope limitation. (#497) - Fixed managed skill dirs for discovery. (#510) - Expanded home paths for skill-ledger. (#596) - Hardened skill ledger recovery and key UX. (#575) **Code Scanner** - Added code-scan requireApproval config for openclaw. (#560) - Added OpenClaw enableBlock hook policies. (#586) **Security Middleware & Event System** - Fixed TOCTOU race condition at sqldb read path. (#546) - Made SQLAlchemy lazy import for non-DB subcommands. (#581) - Lowered frequency for SQL maintenance operations. (#546) **Prompt Scanner** - Added Hermes prompt-scan capability via hermes plugin. (#579) - Fixed warmup detection from error-string matching to file-based check. (#500) - Fixed prompt text passing via stdin instead of argv. (#579) **Toolchain & CI** - Added build-all support with local space install for sec-core. (#527) - Added hermes plugin install for rpmbuild and from-scratch build. (#577) - Included skill-ledger e2e in install flows. (#573) - Added adapter manifest for capability discovery. (#577) ## 0.4.0 **Prompt Scanner** - Prompt scanner hook now asks user on missing model instead of fail-open. (#463) - Added prompt injection detection benchmark dataset and evaluation toolkit. (#464) **Security Middleware & Event System** - Refactored security_events SQLite storage to SQLAlchemy ORM with multi-table extensibility and typed repositories. (#459) **Skill Ledger** - Fixed sign-skill auto-register config (exact awk match) and parse openclaw stdout unconditionally. (#445) - Unified XDG paths under `agent-sec/skill-ledger` vendor namespace. (#445) - Unified single-skill verify into structured result for consistent output. (#445) - Converted integration tests from subprocess to Typer CliRunner. (#445) **OpenClaw Integration** - Registered plugin at openclaw gateway explicitly to support Gateway startup planning. (#446) **Refactoring** - Removed deprecated agent-sec-core skill directory; aligned README and spec with agent-sec-cli workflow. (#454) **Toolchain & CI** - Added coverage report for sec-core CI. (#431) - Enabled rpmbuild and e2e test CI for main branch. (#432) ## 0.3.0 **Prompt Scanner — Multi-layer prompt injection & jailbreak detection** - Added prompt injection/jailbreak detection scanner architecture with L1 rule engine (YAML-based) and L2 ML classifier (Prompt Guard 2). (#253) - Integrated prompt scanner into cosh hook and openclaw plugin with security middleware lifecycle. (#261, #294) - Added `list-scanners` command, improved CLI help, and made `--scanner-version` optional. (#284) - Added prompt scan summary and backend tests. (#294) - Added prompt-scanner skill definition. (#256) - Added model warmup, audit logging, and comprehensive documentation. (#253) - Stabilized batch scanning and verdict logic with thread-safe model loading. (#253) - Unified prompt scanner response to use "ask" instead of "block". (#341) - Added prompt-scanner e2e test suite and Makefile target. (#352) **Code Scanner — Static code security analysis** - Added code scanner component with rule-based detection for obfuscation, permission abuse, and more. (#234) - Integrated code scanner into cosh hook (with ask decision support) and openclaw plugin adapter. (#234) - Added code scanner CLI entry, error codes, and unit tests. (#234) - Fixed code scan bugs and added e2e test. (#342) **Skill Ledger — Skill integrity tracking and signing** - Added skill-ledger CLI with middleware integration for skill integrity verification. (#252) - Added skill-ledger skill definition. (#266) - Added skill-ledger cosh hook for PreToolUse and openclaw-plugin capability. (#292, #281) - Improved skill-ledger CLI and cleaned up imports. (#284) - Restructured skill-ledger config defaults and documentation. (#296) - Aligned skill-ledger tool name and added path validation. (#317) - Reworked skill-ledger status, output, and check signing. (#335) - Skill-ledger hook hardening, e2e suite, and posture integration. (#339) - **Known limitation:** skill directory resolution assumes dir name matches SKILL.md `name` field; see #381. **Security Middleware & Event System** - Added security middleware framework with unified CLI entry point and metrics integration. (#121, #220) - Added sqldb writer & reader with query command at CLI interface for security event persistence. (#254) - Fixed cross-process event loss in SecurityEventWriter. (#226) - Applied corruption whitelist to stop false-positive DB rebuilds. (#338) - Added e2e test and fixed bugs revealed during testing. (#330) **Linux Sandbox** - Added sandbox guard and failure handler hooks. (#362) **OpenClaw Integration** - Added hook plugin for openclaw with integrated security scanning capabilities. (#242) - Added jq requires for openclaw hook package. (#370) **Cosh Extension Integration** - Integrated with new cosh extension API and added builtin commands. (#302) **Performance** - Lazy-load ML dependencies to speed up non-ML subcommands. (#318) **Toolchain & CI** - Migrated Python toolchain to uv package manager and pinned Python 3.11.6. (#227) - Added sec-core RPM build CI and adapted nightly build pipeline. (#295) - Initialized code format check CI with python-code-pretty. (#229) - Added e2e test in RPM build CI. (#369) **Bug Fixes** - Preserved seharden wrapper defaults. (#236) - Removed dynamic import at middleware router. (#277) - Improved missing loongshield guidance. (#289) - Fixed build errors. (#288) - Removed openclaw hook examples and fixed documentation. (#282) ## 0.2.0 - Added Hardened skill signing pipeline and added `.skill-meta` layout. (#129) - Added `Cargo.lock` to version control. (#149) - Added `make install-sandbox` target. (#68) - Fixed bubblewrap version compatibility for `--argv0` option. (#112) - Changed Refactor SKILL.md to executable protocol and align sub-skills. (#130) ===== src/agentsight/CHANGELOG.md ===== # Changelog ## 0.7.1 ### Fixes - Improve severity labels and agent sidebar UX. - Show all verdicts in the summary command. - Sync component.toml version with package version. ## 0.7.0 ### Features - Add Codex CLI adaptation with three-tier SSL probe attach (symbol table → byte pattern → offset table) and cross-chunk SSE continuation buffer. - Add security observability dashboard and server proxy for agent threat visibility. - Add memory optimization with bounded event buffers, feature flags (`features.*`) and configurable runtime limits (`runtime_limits.*`). - Add `container_id` to `AgentsightLLMData` for container-level attribution. - Derive `session_id` from process environment variables and request metadata instead of message content. - Add `call_kind` classification (chat / completion / embedding / tool_use) to GenAI semantic events. - Add `--exclude` filter to `agentsight audit` CLI for noise reduction, and show non-streaming LLM calls in audit output. - Add unified `agentsight summary` command for one-shot status overview. - Enhance token savings page with baseline comparison, strategy breakdown, line-level diff highlighting and optimization tips. - Upload skill metrics via SLS Logtail exporter. - Improve agent health UX: role badges (P1/P2), TTL-based cleanup, process-ancestry grouping, and Session ID help tooltip. - Filter client processes from health API to reduce dashboard noise. - Add anolisa component contract for RPM lifecycle integration. ### Fixes - Fix sslsniff BPF verifier rejection on kernel 5.15 and add BPF load tests. - Fix traced_processes BPF map leak causing uprobe attach failure after long runtime. - Prevent duplicate uprobe `Link`s by retaining inodes in `traced_files` on detach. - Decode compressed (zstd/brotli) SSE streams so Claude Code and similar agents are fully captured. - Harden compressed SSE decode against partial chunk boundaries. - Extract token usage from non-streaming and HTTP/2 responses. - Fix namespace PID usage in udpdns and tcpsniff probes. - Strip `/proc/{pid}/root` prefix for uprobe attach in containerized environments. - Implement tiered SSL and tcpsniff ring buffer reservations to reduce dropped events. - Clamp before mask in filewrite/udpdns BPF probes; cap stdout payload to `MAX-1`. - Change cgroup gate to OR semantics and add `trace_cgroup` FFI interface. - Tighten SSE truncation detection and write pending row for deferred GenAI calls. - Respect dynamic sysom path in SLS exporter mode selection; replace removed `sysom_logtail_path` with `logtail_path` filter. - Validate ring buffer size is power-of-two at startup. - Wire feature flags and runtime limits to actual runtime code paths. ### Refactoring - Split `genai/builder.rs` into 4 focused modules and `genai.rs` into 5 submodules. - Bundle shared BPF maps into `SharedMaps` for reduced duplication. - Extract background threads module with stop-signal support. - Replace remaining `unwrap()` calls with `if-let` / `?` patterns. ### CI & Quality - Add fmt, clippy, unit test coverage, and architecture boundary check CI gates. - Add `clippy.toml` + `cargo-deny` for lint and supply-chain auditing. - Add architecture boundary check script (`check-arch-boundary.py`). - Add scoped AGENTS.md for FFI, unified orchestrator, and storage modules. - Define Footprint Ladder for code surface growth control. - Add `agentsight-code-review` and `pr-body` develop-skills. ## 0.6.1 - Add real-time agent_crash detection in trace mode. - Add OOM crash detection. - Add cgroup-level event filtering with v1/v2 compatibility. - Support QwenCode skill discovery via per-user home scanning. - Support SLS Logtail activation reversible via dynamic path. - Support bridging ilogtail `SLS_LOG_PATH` into config via token-collector switch. - Default `traceEnabled` to false to drop conversation content from SLS by default. - Drop `gen_ai.system_instructions` from SLS uploads when `traceEnabled=false`. - Refactor session_id and conversation_id derivation from response_id instead of message content. - Fix CJK deadloop detection, `kill()` error check, and SIGKILL escalation. - Fix SQLite read/write contention via VACUUM optimization. - Fix rpm-build.sh agentsight build failures. - Fix allow log path re-init on repeated new+start. ## 0.6.0 - Add deadloop detection and auto-kill mechanism for runaway agent processes. - Add retry storm detection and `/metrics` interruption counters. - Add BPF-layer HTTP protocol filter and wildcard capture (`*`) for unknown IP/port targets. - Add client-side hybrid encryption for sensitive message fields. - Add `traceEnabled` configuration toggle with SLS upload layer enforcement. - Add HTTP domain rules resolved to tcpsniff BPF map via DNS. - Add default DashScope HTTPS rule and `anolisa_release` module. - Add FFI interface for `tcp_targets` and `input_delta` config. - Add CO-RE compatibility to UDP DNS probe for kernel 6.0+. - Support runtime SLS logtail path via config hot-reload. - Expand interruption types and add logtail export. - Restructure config to `https`/`http` rules. - Refactor query `stats.db` by `tool_use_id` and unify savings display. - Refactor load encryption public key from `agentsight.json`. - Fix decode HPACK Huffman headers. - Fix BoringSSL probe attachment, FFI event delivery, and chunked-body panic. - Fix preserve initial SSE chunk in event-stream responses. - Fix `c_char` / BPF comm portability (i8 vs u8). - Remove dead code and deprecated APIs. ## 0.5.0 - Add Claude Code support including SSL probe attach for BoringSSL, Anthropic SSE thinking/tool_use content blocks, and `message.id`-based session correlation. - Add tcpsniff probe for plain HTTP traffic capture with configurable IP/port filtering (disabled by default with empty `tcp_targets`). - Add User-Agent based agent detection with `comm` fallback for simplified agent matching. - Add UDP DNS probe for agent discovery (replacing TLS SNI probe) with QNAME parsing moved to userspace. - Add TLS SNI probe module and refactor discovery to config-driven rules. - Add connection scanner for pre-established LLM API connections. - Add `tools` field to `AgentsightLLMData` FFI struct, passed through as raw JSON. - Add container PID namespace support in BPF traced process filtering and event emission. - Add agent matching rules and reduce BPF ring buffer to 32MB. - Add `uid` field to SLS logs with `OnceLock` cache and startup validation. - Support profile-based installs. - Fix `duration_ns` calculation in LLM data. - Fix SSL probe cleanup of stale inodes on process exit. - Fix BPF verifier `-E2BIG` issues by removing nested `#pragma unroll` in `udpdns.bpf.c` and masking `payload_len` on older kernels. - Fix skill extraction for Hermes agent architecture. - Fix Node.js `process.title` change handling in OpenClaw matcher. ## 0.4.0 - Add HTTP/1.1 request body reassembly for fragmented SSL writes. - Add skill metrics analysis with cosh filesystem-based discovery. - Add SLS upload and Logtail file exporter for GenAI events. - Add hermes agent matcher for LLM process discovery. - Detect uv Python static OpenSSL in SSL sniffer. - Remove AK/SK-based SLS direct upload, keep Logtail file export. ## 0.3.1 - Fix simplify agent_crash detection and fix multi-process dedup. (#411) - Fix use SqliteConfig for audit CLI db path. (#399) - Fix hide Cosh from agent health UI and remove keepalive support. (#401) - Fix API endpoint table in AGENTS.md. (#397) ## 0.3.0 - Add interruption detection system with drain mechanism and dashboard integration. (#315) - Add token savings page and API endpoint for optimization visualization. (#310) - Add compounded token savings and request count tracking. (#320) - Add C FFI API with cbindgen header generation. (#306) - Add filewatch and filewrite eBPF probes for file access monitoring. (#308, #309) - Support SysOM AK/SK GenAI capture for cosh. (#305) - Use LLM API response_id as trace_id and add conversation_id field. (#304) - Resolve session_id from agent's own session via ResponseSessionMapper. (#303) - Fix interruption CLI and align conversation_id naming. (#318) - Fix cosh session_id recognition by supporting snake_case response_id. (#307) - Fix wrong tool call id in token savings compounding. (#316, #317) - Fix standardize call_id, add tool_call_ids column. (#319) - Fix session_id and response_id mapping in genai builder and storage. (#321) - Fix token savings display in conversation list. (#322) - Fix cache agent name by pid for dead process resolution. (#358) - Fix remove custom db path and use default paths. (#359) - Support nightly docker image build in CI. (#302) ## 0.2.2 - Support starting backend-server for dashboard with AgentSight service. - Fix dashboard frontend dynamic width for multiple display-size. ## 0.2.1 - Add `/usr/lib/copilot-shell` path to CoshMatcher for agent discovery. (#190) - Add 200MB size limit for `genai_events.db` to prevent unbounded growth. (#211) - Remove `/api/stats` endpoint returning incorrect data. (#197) - Extract audit from HttpRecord and filter non-LLM calls. (#196) - Always show comparison data when `--compare` flag is used in token queries. (#194) - Fix incorrect `discover` command in README documentation. (#191) - Remove breakdown command and keep token consumption commented. (#193) - Replace deprecated `MemoryLimit` with `MemoryMax` in systemd service file. (#181) ## 0.2.0 - AgentSight Dashboard web UI with real-time monitoring interface. (#74) - Agent health monitoring with offline alerting and hung process dashboard restart. (#158) - One-click navigation from dashboard to ATIF trace analysis page. (#116) - /metrics endpoint to expose standard Prometheus-format data. (#134) - Support for HTTP 2.0 protocol. (#147) - Support to build RPM package. (#166) ===== src/anolisa/CHANGELOG.md ===== # Changelog All notable changes to ANOLISA will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] ## [0.2.2] - 2026-07-09 ### Added - `anolisa update --check` now reports RPM upgrade opportunities without changing state. - `anolisa update --check --motd` now prints a short login-friendly upgrade summary. - `anolisa upgrade` now applies RPM image upgrades for RPM-managed toolchains. - `anolisa upgrade` now installs missing default components from the selected target profile. - `anolisa adapter scan` now marks enabled receipts with missing sources as orphaned. - `anolisa adapter status` now reports missing adapter sources as degraded receipts. ### Changed - `anolisa list` now shows component scope for visible user and system records. - `anolisa status` now shows scope, mutability, shadowing, and state path metadata. - `anolisa doctor` now includes readable system components in user-mode diagnostics. - `anolisa doctor` now suggests system-mode commands for read-only system records. - `anolisa update --check` now uses the latest target profile when `--target` is omitted. - `anolisa update --check --motd` now points users to `sudo anolisa upgrade` when action is needed. ### Fixed - `anolisa uninstall`, `forget`, and `update` now reject read-only system targets with system-mode guidance. - `anolisa upgrade` now reports unresolved target defaults as check errors. - `anolisa upgrade` now warns when refreshed RPM details are unavailable after an upgrade. ## [0.2.1] - 2026-07-08 ### Added - `anolisa adapter enable` now supports Tokenless adapters for cosh, Codex, and Claude Code. - `anolisa adapter enable` now supports Tokenless adapters for Qoder. ### Changed - Claude Code adapters now use per-component marketplaces to avoid affecting other ANOLISA plugins. - `anolisa adapter enable` now rejects invalid framework and `adapter_type` combinations before changing settings. ### Fixed - Codex adapters now work when component resources come from packaged data directories. - Qoder adapter enable now keeps malformed `settings.json` unchanged instead of replacing it. - Qoder adapter disable now removes only hook entries previously added by ANOLISA. - Qoder adapters now prefer stable qodercli releases over matching prereleases. ## [0.2.0] - 2026-07-07 ### Added - Raw components can now declare `conflicts` to block incompatible raw installs. ### Fixed - `anolisa install` now rejects raw component conflicts before changing the host. - `anolisa install --dry-run` now reports raw component conflicts instead of showing an invalid plan. ## [0.1.20] - 2026-07-03 ### Added - ANOLISA can now be distributed as `@anolisa/cli` with Linux x64 and arm64 binaries. - `repo.toml` now enables the npm backend for component distribution. ### Changed - `anolisa list` now shows local state, ownership, and next action for each component. - `anolisa list --json` now includes RPM package, version, architecture, and source repository details. ### Fixed - RPM installs and updates now keep system repositories available for dependencies. - Adapter commands now distinguish missing component manifests from invalid manifests. ## [0.1.19] - 2026-07-02 ### Fixed - `anolisa adapter disable --dry-run` now previews cleanup without removing adapter receipts or resources. - Read-only commands now use downloaded repo config when saving `repo.toml` fails. - Component commands now accept package aliases consistently when targeting installed components. - Ambiguous package aliases no longer choose an arbitrary installed component. - Unknown component names now report no match without querying packages. ## [0.1.18] - 2026-07-01 ### Added - `anolisa install` now auto-installs missing system packages for raw components in system mode. - `anolisa install --dry-run` now labels unresolved dependencies as auto-install or manual. - `anolisa install` now reports packages auto-installed during raw component installs. - `anolisa status --verbose` now shows packages auto-installed for each component. ### Changed - Commands that need repo access now download and validate `repo.toml` on first use. - Repo config dry-runs now fetch and validate without writing `repo.toml`. - RPM install and update now use only the `repo.toml` RPM repository. - User-mode raw installs now report missing dependencies with install commands before changing files. - Failed raw installs now list any auto-installed packages left on the system. - `anolisa update self` no longer fetches repo config before checking CLI updates. ### Fixed - `anolisa list --installed` now includes adopted RPM components. - `anolisa list` now shows adopted, failed, and disabled component statuses. - Adapter commands now prefer resources from the datadir that supplied the component contract. - RPM installs now fail before `dnf` when `[backends.rpm]` is missing. - RPM updates now explain missing `[backends.rpm]` instead of using host repositories. ## [0.1.17] - 2026-06-30 ### Added - Repository `components.toml` can now define component names, package aliases, and raw/RPM package mappings. - `anolisa list --installed` now filters installed components. ### Changed - `anolisa list` and `install --all` now read components from `components.toml` instead of `catalog.json`. - `anolisa list` now shows `NAME`, `SUMMARY`, `BACKENDS`, and `STATUS`. - `anolisa list --enabled` is now a hidden alias for `--installed`. - `ANOLISA_CATALOG_URL` no longer changes list sources; configure `repo.toml` instead. - `anolisa install`, `status`, `adopt`, and `repair` now resolve RPM package aliases from `components.toml`. - `anolisa status` now suggests `sudo anolisa adopt ` for untracked RPM components. ### Fixed - `anolisa status ` now reports the canonical component row when an alias is installed. - `anolisa repair ` now refreshes the canonical component row when an alias is used. - Non-root `anolisa osbase` mutations now reach the system helper instead of failing install-mode checks. - Commands now reject root `--install-mode user` before writing ambiguous user-mode state. - System-mode write commands now fail before changes when sudo is missing. - Existing installs with managed symlinks no longer show false symlink integrity failures after upgrade. - `anolisa status` now reports `referent_mismatch` when managed symlinks point elsewhere. ## [0.1.16] - 2026-06-29 ### Added - `anolisa osbase sandbox install runc` now installs runc, containerd, Docker, and Docker client. - `anolisa osbase sandbox install` now enables services declared by sandbox scenarios. - `anolisa osbase sandbox install` now runs scenario verification commands after installation. - `anolisa osbase sandbox install` now records sandbox scenarios in `installed.toml`. - `anolisa osbase sandbox install` now reports optional scenario packages as hints. - `rund`, `firecracker`, and `gvisor` sandbox scenarios now define post-install checks. - `anolisa adapter enable` now supports `adapter_type = "skill_bundle"` for OpenClaw and Hermes skills. - The RPM package now installs default `repo.toml` to `/etc/anolisa/repo.toml`. - ANOLISA telemetry setup now installs log rotation for ops `.jsonl` files. ### Changed - `anolisa osbase sandbox install --dry-run` now shows preflight, package, service, verify, and state phases. - `anolisa osbase sandbox install runc` now requires Linux kernel 4.18 or newer. - `anolisa osbase sandbox install` now reports verification failures as warnings when other phases succeed. - `repo.toml` now points RPM installs to the agentic-os repository path. - `anolisa update self --json` now reports apply mode, RPM package, and RPM version observations. - `anolisa adapter status` now treats skill bundles as healthy without plugin registration. - `anolisa adapter enable` now rejects skill bundles that declare framework config entries. ### Fixed - RPM-backed commands now use the component name as the default package name. - `anolisa update self` now delegates RPM-owned CLI updates to `dnf`. - Non-root sandbox installs now show package, service, verify, and state phases. - Telemetry setup now runs the ilogtail installer with bash-compatible script handling. - `anolisa adapter disable` now cleans skill bundles without plugin unregister errors. ## [0.1.15] - 2026-06-25 ### Added - `anolisa doctor` now reports component health, dependency status, and suggested fixes. - Raw components can now declare runtime dependencies for install and update preflight checks. - `anolisa install --dry-run` now previews runtime dependency status for raw components. ### Changed - `anolisa install` and `update ` now refuse raw components with missing runtime dependencies before changing files. - `anolisa restart ` now restarts service units shipped by RPM-backed components. - `anolisa restart ` now shows guidance for RPM-backed template services instead of failing. ### Fixed - `anolisa adapter enable` now expands `{datadir}` from the package that provided the adapter metadata. - After `anolisa uninstall` or `forget`, adapter commands no longer see stale component metadata. ## [0.1.14] - 2026-06-24 ### Added - Raw components can now place systemd unit files with `{unitdir}`. - Raw components can now place user service unit files with `{userunitdir}`. - User-mode `anolisa install` now activates declared user-scope services. ### Changed - User-mode `anolisa install` now resolves `%u` service templates to the current user. - System-mode `anolisa install` now preserves `%u` user service templates for later per-user activation. - `anolisa uninstall` now reloads systemd after removing declared service unit files. - `anolisa restart ` now restarts user-scope services from user-mode installs. ### Fixed - `anolisa install` now starts freshly installed service units without a manual systemd reload. - `anolisa uninstall` now deactivates user-scope services from user-mode installs. - `anolisa adapter enable` now finds `{datadir}` skills from the package directory that provides the adapter. ## [0.1.13] - 2026-06-23 ### Added - `anolisa adapter enable` now supports Hermes plugins. - `anolisa adapter enable` now installs declared OpenClaw skills. - `anolisa adapter enable` now applies declared OpenClaw config values. - `anolisa install` now starts declared services for raw components. - `anolisa install` now applies declared file capabilities for raw components. - `anolisa install` now runs declared hooks for raw components. - `anolisa update ` now restarts declared services for raw components. - `anolisa update ` now reapplies declared file capabilities for raw components. - `anolisa uninstall` now runs declared hooks for raw components. - `anolisa uninstall` now disables declared services after stopping them. ### Changed - `anolisa adapter scan` now honors declared adapter resource locations. - `anolisa adapter enable` now reads package-installed adapter resources. - `anolisa install --dry-run` now previews declared capabilities for raw components. - `anolisa register status` now reports the latest registration after repeated changes. - Cancelled `anolisa register` and `unregister` prompts now exit successfully. ### Fixed - `anolisa adapter status` now detects OpenClaw plugins from wrapped table output. - `anolisa adapter status` now ignores bundled Hermes plugins during checks. - `anolisa adapter` commands now find metadata shipped by RPM-installed components. - `anolisa register status` now reports sysom console registrations as active. ## [0.1.12] - 2026-06-22 ### Added - `anolisa update ` can update raw-managed components from the raw backend. - `anolisa osbase sandbox list` shows scenarios from `sandbox.toml`. - `anolisa osbase sandbox uninstall ` can remove packages for a sandbox scenario. - `anolisa system setup` can install the helper service for non-root osbase commands. - `anolisa system status` can show helper health, version, uptime, and last operation. - `anolisa system teardown` can remove the helper service and sandbox config. - `anolisa env --json` includes distro identity fields. ### Changed - `anolisa osbase sandbox install ` now installs scenarios defined in `sandbox.toml`. - Omitting `--install-mode` now selects `system` for root and `user` otherwise. - `anolisa update --dry-run` now lists raw backend candidate versions. ### Fixed - Legacy `yum` backend names in `repo.toml` and `--backend` now resolve to `rpm`. - Raw components installed with `--package` now update from the same package name. - `anolisa update ` now refuses raw updates that would downgrade a component. - `anolisa update ` now refuses raw updates when versions cannot be safely compared. ## [0.1.11] - 2026-06-18 ### Added - `anolisa adopt ` can track a pre-installed system RPM without installing it. - `anolisa repair ` can refresh RPM component state after package details change. - `anolisa forget ` can stop tracking a component without removing packages or files. ### Changed - `anolisa status ` now reports drifted RPM components when system package details change. - `anolisa uninstall` now keeps observed system RPMs unless `--remove-system-package` is used. - `anolisa install` now preserves adapter package resources when adopting RPM components. ## [0.1.10] - 2026-06-17 ### Added - `anolisa install --backend rpm` can install missing RPM components through `dnf` and track them as managed. - `anolisa install` can adopt matching pre-installed system RPMs without downloading a raw package. - `anolisa update ` can update RPM-managed and RPM-observed components through `dnf`. - `anolisa status` now shows package, version, architecture, and source repo for RPM-backed components. - `anolisa status ` now reports matching untracked system RPMs as observed. ### Changed - `anolisa update runtime ` is now `anolisa update `; `self` and `all` stay subcommands. - `repo.toml` now uses `[backends.rpm]` instead of `[backends.yum]`. - `anolisa install --all` now lists adopted RPM components in the batch summary. ### Fixed - `anolisa install --all` now prints the reason for each failed component in human output. - `anolisa install` now refuses automatic RPM detection when `rpm` or `dnf` is missing, with a `--backend raw` hint. - `anolisa install` no longer replaces a raw install if another install finishes first. ## [0.1.9] - 2026-06-16 ### Added - `anolisa install --all` can install every available component from the catalog. - `anolisa install --all --fail-fast` can stop after the first failed component. - `anolisa install --all --json` returns one batch summary with per-component results. - `anolisa status` now shows adapter summaries for installed components. ### Changed - `installed.toml` now distinguishes ANOLISA-managed packages from observed system RPMs. ## [0.1.8] - 2026-06-15 ### Added - `anolisa adapter enable` can now register installed adapters with OpenClaw. - `anolisa adapter disable` can now remove OpenClaw adapter registrations. - `anolisa adapter status` can now report OpenClaw adapter health. - `anolisa adapter scan` can now show installed adapter resources. ### Changed - `anolisa install` now places adapter resources needed by later enablement. - `anolisa uninstall` now blocks components that still have enabled adapters. ## [0.1.7] - 2026-06-13 ### Changed - User-mode library paths now resolve to `~/.local/lib/anolisa`; other directories continue to follow `XDG_*` overrides. ### Fixed - `anolisa install` no longer requires a local catalog entry before downloading from the remote repository. - `anolisa install --dry-run` can preview files and services without downloading the full package. ## [0.1.6] - 2026-06-12 ### Added - `anolisa osbase sandbox install gvisor` now supports standalone, containerd, and substrate deployments. (#851) - `anolisa list` can derive the component catalog from `repo.toml` configuration. (#854) ### Changed - Replaced the legacy "capability" model with a unified component lifecycle; old state auto-migrates on next write. (#876) ### Fixed - `anolisa list --enabled` now correctly shows installed components instead of an empty list. (#872) - `anolisa list` no longer requires a separate local catalog file when `repo.toml` is configured. (#854) ## [0.1.5] - 2026-06-11 ### Added - `anolisa list` reads from a remote or local component catalog and returns structured JSON. (#850) - `anolisa install ` downloads, verifies, and installs components from the remote repository. (#852) - `anolisa uninstall` supports the new component model while preserving legacy fallback. (#852) ### Changed - Simplified CLI help around `list`, `install`, `uninstall`, `status`, `doctor`, `logs`, `restart`, `update`. (#850) ### Fixed - `anolisa list` returns an empty list with a config hint when no catalog is configured. (#850) - Failed installs now automatically roll back partially-written files. (#852) ## [0.1.4] - 2026-06-10 ### Added - `anolisa adapter scan` detects available framework integrations. (#808) - `anolisa adapter install` downloads verified packages and registers adapters with the target framework. - `anolisa adapter remove` safely removes only ANOLISA-managed files, with dry-run and JSON preview support. - `anolisa adapter install tokenless openclaw` wires up the tokenless adapter via the OpenClaw CLI. - `anolisa enable` fetches component metadata from the remote repository, with offline fallback. - `anolisa status` now includes component health check results. ### Changed - Renamed subscription commands to top-level `anolisa register` / `unregister`. ### Fixed - Adapter install/remove failures now roll back or preserve state for retry. ## [0.1.3] - 2026-06-09 ### Added - `anolisa --help` now groups commands by category (everyday vs. management). - `list` command shows its `ls` alias in help output. - `anolisa update self` prints a changelog link on success. ### Changed - Corrected package license metadata to Apache-2.0. ## [0.1.2] - 2026-06-08 ### Added - `anolisa bug` generates a local diagnostic report with environment info and recent error logs. - `anolisa self update` added as an alias for `anolisa update self`. ### Fixed - Restored the bug report issue template. ## [0.1.1] - 2026-06-07 ### Added - `anolisa osbase sandbox install` provisions sandbox environments (firecracker and e2b backends). - `anolisa register` / `unregister` manages data-upload consent with 30-day deferral. - `anolisa enable` can configure log upload (ilogtail) with automatic region detection. - `anolisa update self` downloads and applies CLI updates with integrity verification and rollback. - Real dnf/apt package manager backends replacing placeholder stubs. - GitHub Actions CI for the anolisa workspace. ### Fixed - Install script uses portable bash expansion instead of `sed`. ## [0.1.0] - 2026-06-04 Initial alpha release of the ANOLISA CLI. ### Added - CLI commands: `env`, `list`, `status`, `logs`, `enable`, `disable`, `uninstall`, `restart`, `update`, `info`, `doctor`. - Environment detection: OS, arch, kernel, distro, container runtime, user identity (graceful degradation). - Component lifecycle engine with preview-then-execute, integrity checks, and audit logging. - Configuration-driven feature gates for shipping new capabilities without code changes. - Declarative TOML component manifests with multi-architecture support. - `install-anolisa.sh` installer with three modes (local, checkout, URL), checksum verification, and `--dry-run`. - End-to-end smoke tests for agent-observability and token-optimization. ### Capabilities shipped | Capability | Status | |-----------|--------| | agent-observability | `enable` fully wired (dry-run + real-execute) | | Others (9 total) | Manifest-only; `enable` returns NOT_IMPLEMENTED | ### Known limitations - Real-execute paths are Linux-only (darwin hosts can `--dry-run` only). - No signature verification or rpm/deb backend yet. - `update` command returns NOT_IMPLEMENTED. --- # 变更日志 本文件记录 ANOLISA 的所有重要变更。 格式基于 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), 版本号遵循 [语义化版本](https://semver.org/lang/zh-CN/)。 ## [未发布] ## [0.2.2] - 2026-07-09 ### 新增 - `anolisa update --check` 现可只读报告 RPM 升级机会。 - `anolisa update --check --motd` 现可输出简短登录升级提示。 - `anolisa upgrade` 现可应用 RPM 工具链升级。 - `anolisa upgrade` 现可安装目标配置缺失默认组件。 - `anolisa adapter scan` 现将缺失来源的启用记录标为 orphaned。 - `anolisa adapter status` 现将缺失适配器来源报告为降级。 ### 变更 - `anolisa list` 现显示可见用户和系统记录的 scope。 - `anolisa status` 现显示 scope、可变性、遮蔽和状态路径。 - `anolisa doctor` 现在用户模式诊断可读系统组件。 - `anolisa doctor` 现为只读系统记录建议系统模式命令。 - `anolisa update --check` 未指定 `--target` 时使用最新目标配置。 - `anolisa update --check --motd` 现提示用 `sudo anolisa upgrade`。 ### 修复 - `anolisa uninstall`、`forget`、`update` 现拒绝只读系统目标。 - `anolisa upgrade` 现将未解析默认组件报告为检查错误。 - `anolisa upgrade` 刷新 RPM 详情失败时现会提示。 ## [0.2.1] - 2026-07-08 ### 新增 - `anolisa adapter enable` 现支持 cosh、Codex、Claude Code 的 Tokenless 适配器。 - `anolisa adapter enable` 现支持 Qoder Tokenless 适配器。 ### 变更 - Claude Code 适配器现使用组件专属 marketplace。 - `anolisa adapter enable` 现先拒绝无效适配器类型。 ### 修复 - Codex 适配器现可使用已打包数据目录资源。 - Qoder 启用遇到损坏 `settings.json` 时不再覆盖。 - Qoder 禁用现只移除 ANOLISA 添加的 hook。 - Qoder 适配器现优先使用稳定版 qodercli。 ## [0.2.0] - 2026-07-07 ### 新增 - Raw 组件现可声明 `conflicts` 阻止不兼容安装。 ### 修复 - `anolisa install` 现会在变更主机前拒绝 Raw 组件冲突。 - `anolisa install --dry-run` 现报告 Raw 组件冲突,不再显示无效计划。 ## [0.1.20] - 2026-07-03 ### 新增 - ANOLISA 现可通过 `@anolisa/cli` 发布 Linux x64 和 arm64 二进制。 - `repo.toml` 现启用 npm 后端用于组件分发。 ### 变更 - `anolisa list` 现显示本地状态、归属和下一步操作。 - `anolisa list --json` 现包含 RPM 包名、版本、架构和来源。 ### 修复 - RPM 安装和更新现可继续使用系统软件源解析依赖。 - Adapter 命令现区分缺失清单和无效清单。 ## [0.1.19] - 2026-07-02 ### 修复 - `anolisa adapter disable --dry-run` 现只预览清理。 - 只读命令保存 `repo.toml` 失败时仍可使用已下载配置。 - 组件命令现可一致接受软件包别名。 - 模糊软件包别名不再误选已安装组件。 - 未知组件名不再先查询软件包。 ## [0.1.18] - 2026-07-01 ### 新增 - `anolisa install` 系统模式现自动安装缺失系统包。 - `anolisa install --dry-run` 现标出依赖处理方式。 - `anolisa install` 现显示自动安装的系统包。 - `anolisa status --verbose` 现显示组件自动安装包。 ### 变更 - 需要仓库的命令现首次使用会下载 `repo.toml`。 - 仓库配置 dry-run 现只校验不写入。 - RPM 安装和更新现只使用 `repo.toml` 源。 - 用户模式 raw 安装现先提示缺失依赖。 - raw 安装失败现提示已保留的自动安装包。 - `anolisa update self` 不再预先获取仓库配置。 ### 修复 - `anolisa list --installed` 现包含已收编 RPM。 - `anolisa list` 现显示 adopted、failed、disabled 状态。 - Adapter 命令现优先使用契约所在数据目录资源。 - 缺少 `[backends.rpm]` 时 RPM 安装不再调用 `dnf`。 - RPM 更新缺少 `[backends.rpm]` 时不再使用主机源。 ## [0.1.17] - 2026-06-30 ### 新增 - 仓库 `components.toml` 现可声明组件与包名映射。 - `anolisa list --installed` 现过滤已安装组件。 ### 变更 - `anolisa list` 和 `install --all` 现读取 `components.toml`。 - `anolisa list` 现显示 NAME、SUMMARY、BACKENDS、STATUS。 - `anolisa list --enabled` 现作为隐藏别名保留。 - `ANOLISA_CATALOG_URL` 不再控制列表来源。 - `install`、`status`、`adopt`、`repair` 现解析 RPM 包别名。 - `anolisa status` 现提示用 `sudo anolisa adopt` 收编 RPM。 ### 修复 - `status ` 现显示规范组件行。 - `repair ` 现刷新规范组件行。 - 非 root `osbase` 变更命令现可进入系统 helper。 - root 用户模式现会在写入前被拒绝。 - 缺少 sudo 的系统模式写入现提前失败。 - 旧符号链接安装不再误报完整性失败。 - `status` 现报告符号链接目标不匹配。 ## [0.1.16] - 2026-06-29 ### 新增 - `anolisa osbase sandbox install runc` 现安装 runc、containerd、Docker 和客户端。 - `anolisa osbase sandbox install` 现启用场景声明的服务。 - `anolisa osbase sandbox install` 现执行场景安装校验。 - `anolisa osbase sandbox install` 现记录沙箱安装状态。 - `anolisa osbase sandbox install` 现提示可选场景包。 - `rund`、`firecracker`、`gvisor` 场景现声明安装校验。 - `anolisa adapter enable` 现支持 `adapter_type = "skill_bundle"`。 - RPM 包现安装默认 `/etc/anolisa/repo.toml`。 - ANOLISA 遥测现为 `.jsonl` 运维日志配置轮转。 ### 变更 - `anolisa osbase sandbox install --dry-run` 现显示五个安装阶段。 - `anolisa osbase sandbox install runc` 现要求 Linux 4.18 及以上。 - `anolisa osbase sandbox install` 校验失败现作为警告报告。 - `repo.toml` 默认 RPM 源现指向 agentic-os 路径。 - `anolisa update self --json` 现包含 RPM 包和版本信息。 - `anolisa adapter status` 现不要求技能包注册插件。 - `anolisa adapter enable` 现拒绝带配置的技能包。 ### 修复 - RPM 相关命令现默认用组件名作为包名。 - `anolisa update self` 现通过 `dnf` 更新 RPM 安装。 - 非 root 沙箱安装现显示完整阶段结果。 - ilogtail 安装脚本需 bash 时现能正常运行。 - `anolisa adapter disable` 清理技能包时不再报插件卸载错误。 ## [0.1.15] - 2026-06-25 ### 新增 - `anolisa doctor` 现输出组件健康、依赖和修复建议。 - raw 组件现可声明运行依赖供安装和更新检查。 - `anolisa install --dry-run` 现预览 raw 组件依赖状态。 ### 变更 - `anolisa install` 和 `update ` 缺依赖时先停止。 - `anolisa restart ` 现重启 RPM 组件服务。 - `anolisa restart ` 遇到 RPM 模板服务时给出指引。 ### 修复 - `anolisa adapter enable` 现按包内元数据展开 `{datadir}`。 - `anolisa uninstall` 和 `forget` 后 adapter 不再见旧元数据。 ## [0.1.14] - 2026-06-24 ### 新增 - raw 组件现可用 `{unitdir}` 放置系统单元。 - raw 组件现可用 `{userunitdir}` 放置用户单元。 - 用户模式 `anolisa install` 现会激活用户服务。 ### 变更 - 用户模式 `anolisa install` 现将 `%u` 展开为当前用户。 - 系统模式 `anolisa install` 现保留 `%u` 用户模板。 - `anolisa uninstall` 删除单元文件后现会重载 systemd。 - `anolisa restart ` 现会重启用户服务。 ### 修复 - `anolisa install` 现无需手动重载即可启动新单元。 - `anolisa uninstall` 现会停用用户模式安装的服务。 - `anolisa adapter enable` 现从包目录查找 `{datadir}` 技能。 ## [0.1.13] - 2026-06-23 ### 新增 - `anolisa adapter enable` 现支持 Hermes 插件。 - `anolisa adapter enable` 现安装声明的 OpenClaw 技能。 - `anolisa adapter enable` 现写入声明的 OpenClaw 配置。 - `anolisa install` 现启动 raw 组件声明的服务。 - `anolisa install` 现设置 raw 组件声明的文件能力。 - `anolisa install` 现执行 raw 组件声明的钩子。 - `anolisa update ` 现重启 raw 组件声明的服务。 - `anolisa update ` 现重设 raw 组件声明的文件能力。 - `anolisa uninstall` 现执行 raw 组件卸载钩子。 - `anolisa uninstall` 现停用已停止的声明服务。 ### 变更 - `anolisa adapter scan` 现按声明位置查找资源。 - `anolisa adapter enable` 现读取包内适配器资源。 - `anolisa install --dry-run` 现预览 raw 文件能力。 - `anolisa register status` 现显示最新注册记录。 - 取消 `anolisa register` 或 `unregister` 不再报错。 ### 修复 - `anolisa adapter status` 现能识别换行的 OpenClaw 表格。 - `anolisa adapter status` 检查 Hermes 时忽略内置插件。 - `anolisa adapter` 现能找到 RPM 组件附带的元数据。 - `anolisa register status` 现显示 sysom 控制台注册。 ## [0.1.12] - 2026-06-22 ### 新增 - `anolisa update ` 可更新 raw 组件。 - `anolisa osbase sandbox list` 可显示 `sandbox.toml` 场景。 - `anolisa osbase sandbox uninstall ` 可移除场景软件包。 - `anolisa system setup` 可为非 root osbase 命令安装助手服务。 - `anolisa system status` 可显示助手健康状态。 - `anolisa system teardown` 可移除助手服务和沙箱配置。 - `anolisa env --json` 现包含发行版身份字段。 ### 变更 - `anolisa osbase sandbox install ` 现按 `sandbox.toml` 安装场景。 - 未指定 `--install-mode` 时,root 用 `system`,普通用户用 `user`。 - `anolisa update --dry-run` 现显示 raw 候选版本。 ### 修复 - 旧 `yum` 后端名现会作为 `rpm` 处理。 - 用 `--package` 安装的 raw 组件更新时复用包名。 - `anolisa update ` 不再允许 raw 降级。 - `anolisa update ` 无法比较版本时不再替换文件。 ## [0.1.11] - 2026-06-18 ### 新增 - `anolisa adopt ` 可接管预装 RPM。 - `anolisa repair ` 可刷新漂移的 RPM 状态。 - `anolisa forget ` 可停止跟踪组件。 ### 变更 - `anolisa status ` 现报告 RPM 状态漂移。 - `anolisa uninstall` 默认保留观察到的系统 RPM。 - `anolisa install` 接管 RPM 时保留适配器资源。 ## [0.1.10] - 2026-06-17 ### 新增 - `anolisa install --backend rpm` 可通过 `dnf` 安装缺失 RPM 组件。 - `anolisa install` 可接管匹配的预装系统 RPM。 - `anolisa update ` 可通过 `dnf` 更新 RPM 组件。 - `anolisa status` 现显示 RPM 组件的软件包来源。 - `anolisa status ` 现显示匹配的未跟踪系统 RPM。 ### 变更 - `anolisa update runtime ` 改为 `anolisa update `。 - `repo.toml` 现使用 `[backends.rpm]` 替代 `[backends.yum]`。 - `anolisa install --all` 现在批量摘要列出接管的 RPM。 ### 修复 - `anolisa install --all` 现在普通输出显示各组件失败原因。 - `anolisa install` 在缺少 `rpm` 或 `dnf` 时提示 `--backend raw`。 - `anolisa install` 不再覆盖先完成的 raw 安装。 ## [0.1.9] - 2026-06-16 ### 新增 - `anolisa install --all` 可安装目录中的所有可用组件。 - `anolisa install --all --fail-fast` 可在首个失败组件后停止。 - `anolisa install --all --json` 现返回按组件汇总的批量结果。 - `anolisa status` 现显示已安装组件的适配器摘要。 ### 变更 - `installed.toml` 现区分 ANOLISA 管理包和只观察的系统 RPM。 ## [0.1.8] - 2026-06-15 ### 新增 - `anolisa adapter enable` 现可将已安装适配器注册到 OpenClaw。 - `anolisa adapter disable` 现可移除 OpenClaw 适配器注册。 - `anolisa adapter status` 现可报告 OpenClaw 适配器健康状态。 - `anolisa adapter scan` 现可显示已安装适配器资源。 ### 变更 - `anolisa install` 现会放置后续启用所需的适配器资源。 - `anolisa uninstall` 现会阻止移除仍有启用适配器的组件。 ## [0.1.7] - 2026-06-13 ### 变更 - 用户态库路径调整为 `~/.local/lib/anolisa`;其余目录继续遵循 `XDG_*` 环境变量覆盖。 ### 修复 - `anolisa install` 不再要求本地已有组件目录条目即可从远程仓库下载安装。 - `anolisa install --dry-run` 无需下载完整安装包即可预览文件和服务列表。 ## [0.1.6] - 2026-06-12 ### 新增 - `anolisa osbase sandbox install gvisor` 支持 standalone、containerd 和 substrate 三种部署形态。(#851) - `anolisa list` 可从 `repo.toml` 配置自动发现组件目录。(#854) ### 变更 - 废弃旧版"能力"模型,统一为组件生命周期;旧状态在下次写入时自动迁移。(#876) ### 修复 - `anolisa list --enabled` 现在正确显示已安装组件,而非空列表。(#872) - `anolisa list` 在已配置 `repo.toml` 时不再要求额外的本地目录文件。(#854) ## [0.1.5] - 2026-06-11 ### 新增 - `anolisa list` 从远程或本地组件目录读取并返回结构化 JSON。(#850) - `anolisa install <组件>` 从远程仓库下载、校验并安装组件。(#852) - `anolisa uninstall` 支持新组件模型,同时保留旧版回退。(#852) ### 变更 - 简化 CLI 帮助输出,围绕 `list`、`install`、`uninstall`、`status`、`doctor`、`logs`、`restart`、`update` 重新分组。(#850) ### 修复 - 未配置组件目录时,`anolisa list` 返回空列表并提示配置方法。(#850) - 安装中途失败时自动回滚已写入的文件。(#852) ## [0.1.4] - 2026-06-10 ### 新增 - `anolisa adapter scan` 探测已安装的 Agent 框架集成。(#808) - `anolisa adapter install` 下载校验后的安装包并注册到目标框架。 - `anolisa adapter remove` 安全移除 ANOLISA 管理的文件,支持预览和 dry-run。 - `anolisa adapter install tokenless openclaw` 通过 OpenClaw CLI 注册 tokenless 适配器。 - `anolisa enable` 从远程仓库获取组件元数据,离线时降级到本地缓存。 - `anolisa status` 输出中新增组件健康检查结果。 ### 变更 - 订阅管理命令提升为顶层 `anolisa register` / `unregister`。 ### 修复 - adapter 安装或移除失败时自动回滚或保留状态以便重试。 ## [0.1.3] - 2026-06-09 ### 新增 - `anolisa --help` 按类别分组展示命令(日常操作 vs. 管理命令)。 - `list` 命令在帮助中展示 `ls` 别名。 - `anolisa update self` 成功后输出 changelog 链接。 ### 变更 - 修正包 license 元数据为 Apache-2.0。 ## [0.1.2] - 2026-06-08 ### 新增 - `anolisa bug` 生成本地诊断报告,包含环境信息和近期错误日志。 - `anolisa self update` 作为 `anolisa update self` 的别名。 ### 修复 - 恢复 bug report issue 模板。 ## [0.1.1] - 2026-06-07 ### 新增 - `anolisa osbase sandbox install` 一键部署沙箱环境(支持 firecracker 和 e2b 后端)。 - `anolisa register` / `unregister` 管理数据上传授权,支持 30 天延后。 - `anolisa enable` 可配置日志上传(ilogtail),自动探测地域。 - `anolisa update self` 下载并应用 CLI 更新,含完整性校验和失败回滚。 - 真实的 dnf/apt 包管理器后端,替换占位实现。 - anolisa 工作区 GitHub Actions CI。 ### 修复 - 安装脚本改用 bash 参数展开替代 `sed`,提升可移植性。 ## [0.1.0] - 2026-06-04 ANOLISA CLI 首个 alpha 版本。 ### 新增 - CLI 命令:`env`、`list`、`status`、`logs`、`enable`、`disable`、`uninstall`、`restart`、`update`、`info`、`doctor`。 - 环境探测:OS、架构、内核、发行版、容器运行时、用户身份(探测失败时优雅降级)。 - 组件生命周期引擎:先预览再执行,含完整性校验和操作日志。 - 配置驱动的上线门控,新能力无需改代码即可发布。 - 声明式 TOML 组件清单,支持多架构。 - `install-anolisa.sh` 安装器:三种模式(本地、checkout、URL),支持校验和 `--dry-run`。 - agent-observability 和 token-optimization 端到端冒烟测试。 ### 已交付能力 | 能力 | 状态 | |-----|------| | agent-observability | `enable` 完整链路(dry-run + 真实执行) | | 其余 9 个 | 仅清单;`enable` 返回 NOT_IMPLEMENTED | ### 已知限制 - 真实执行路径仅限 Linux(darwin 宿主只能 `--dry-run`)。 - 尚无签名校验和 rpm/deb 后端。 - `update` 命令返回 NOT_IMPLEMENTED。 ===== src/anvil/CHANGELOG.md ===== # Changelog All notable changes to ANOLISA Anvil will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] ## [0.2.0] - 2026-06-30 ### Added - FirecrackerSpawner: Firecracker microVM backend, daemon auto-detects and selects strongest isolation at startup. - TCP remote API: configurable `[listen].http_addr` enables TCP listener (port 14159) for platform calls. - Prioritized backend selection: `build_spawner()` auto-selects by firecracker → linux-sandbox → mock priority. - Storage section: `[storage].images_dir` unifies vmlinux/rootfs lookup path. - Packaging skeleton: `dist/anvil.service` (systemd unit) + `anvil.spec` (RPM) + `tmpfiles-anvil.conf`. - `[backends]` config section for direct backend binary path mapping. ## [0.1.3] - 2026-06-24 ### Changed - Sandbox processes now run with full namespace isolation (PID, network, filesystem). ## [0.1.2] - 2026-06-22 ### Added - Sandbox processes are now managed by the daemon: auto-spawn on create, auto-kill on destroy. - Daemon gracefully degrades when backend binary is unavailable (useful for dev environments). ## [0.1.1] - 2026-06-20 ### Added - Policy validation rejects unsafe configurations before sandbox starts. - Safe coordination with `osbase sandbox uninstall` (prevents removing in-use backends). ## [0.1.0] - 2026-06-18 Initial scaffold of ANOLISA Anvil per-host sandbox daemon. ### Added - Create, list, inspect, checkpoint (state-only), reset, and destroy sandboxes via HTTP API. - Policy-driven backend selection: assign workload class → get the right sandbox type automatically. - Warm pool: pre-created sandboxes ready for instant allocation, configurable min/target/max. - Template sharing: multiple sandboxes share one base memory image, reducing per-instance cost. - Prometheus metrics endpoint for monitoring. --- # 变更日志 本文件记录 ANOLISA Anvil 的所有重要变更。 格式基于 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), 版本号遵循 [语义化版本](https://semver.org/lang/zh-CN/)。 ## [未发布] ## [0.2.0] - 2026-06-30 ### 新增 - FirecrackerSpawner:支持 Firecracker microVM 后端,daemon 启动时自动探测并选择最强隔离。 - TCP 远程 API:可配置 `[listen].http_addr` 开启 TCP 监听(端口 14159),供平台远程调用。 - 优先级后端选择:`build_spawner()` 按 firecracker → linux-sandbox → mock 优先级自动选型。 - Storage section:`[storage].images_dir` 统一管理 vmlinux/rootfs 查找路径。 - 打包骨架:`dist/anvil.service`(systemd unit)+ `anvil.spec`(RPM)+ `tmpfiles-anvil.conf`。 - `[backends]` 配置段,直接映射后端二进制路径。 ## [0.1.3] - 2026-06-24 ### 变更 - sandbox 进程现在运行在完整 namespace 隔离中(PID、网络、文件系统)。 ## [0.1.2] - 2026-06-22 ### 新增 - daemon 现在管理 sandbox 进程生命周期:创建时自动启动,销毁时自动终止。 - backend 二进制不可用时优雅降级(便于开发环境使用)。 ## [0.1.1] - 2026-06-20 ### 新增 - Policy 校验在 sandbox 启动前拒绝不安全的配置。 - 与 `osbase sandbox uninstall` 安全协调(防止移除正在使用的 backend)。 ## [0.1.0] - 2026-06-18 ANOLISA Anvil 首个骨架版本。 ### 新增 - 通过 HTTP API 创建、列出、查看、checkpoint(仅状态转换)、reset、销毁 sandbox。 - 策略驱动的 backend 选型:指定 workload class 即可自动匹配合适的 sandbox 类型。 - Warm pool:预创建 sandbox 随时分配,可配置 min/target/max 容量。 - 模板共享:多个 sandbox 共用一份 base 内存镜像,降低单实例内存开销。 - Prometheus metrics 端点,供监控系统采集。 ===== src/copilot-shell/CHANGELOG.md ===== # Changelog ## 2.6.1 - Added npm packaging support for CLI and cosh. (#1307) - Added multi-hook toggles support. (#1206) - Fixed tips banner to stay visible after initial login. (#1308) - Fixed Ctrl+O to prioritize error details over compact mode. (#1202) - Fixed system-profile BINDIR to follow PREFIX. (#1193) - Fixed AfterModel hook non-blocking notifications not surfacing. (#1182) - Updated component docs to migrate into user-guide and developer-guide. (#1295) - Added copilot-shell zh/en user and developer docs. (#1236) - Fixed CONTRIBUTING.md file mode from symlink to regular file. (65601f06) ## 2.6.0 - Added multi-hook enable and disable support to `/hooks`. (#1200) - Added cosh-ng compatibility with cosh-switch. (#1169) - Added instance_id to SysOM API request params. (#1160) - Added anolisa component contract. (#1128) - Added SLS JSONL session telemetry with expanded metrics. (#1057) - Added authenticated models display in /model dialog. (#1030) - Added kitty csi-u keys support with sequence timeout management. (#552) - Added large paste placeholder and fixed placeholder id reset on esc cancel. (#312) - Fixed SLS log write to skip when file does not exist or is not writable. (#1101) - Fixed useless sandbox guard and failure handler hooks by removing them. (#979) - Fixed missing keyboard shortcut hints in footer status bar. (#921) - Fixed response language and model identity rules. (#920) - Fixed sub-model refusal detection and byteLength display. (#895) - Fixed webfetch sub-model output validation to avoid silent refusals. (#895) - Fixed thinking output to be distinguished from user input with prefix and color. (#894) - Fixed custom model configuration to be preserved. (#887) - Fixed partial message finalization on API error. (#801) - Fixed API error reporting in all output formats, not only text. (#801) - Improved escape key handling by unifying it in appcontainer. (#437) ## 2.5.0 - Fixed missing esc hint in tool confirmation footer status bar (#732) - Fixed invisible cursor in provider/auth config inputs (#683) ## 2.4.1 - Fixed HookSystemMessage rendering as info and resolved Content/Thought duplication (#636) - Fixed prompt ids to remain monotonic after shell remount (#628) ## 2.4.0 - Added DashScope Token Plan provider entry to the OpenAI-compatible auth dialog. (#598) - Added UserPromptSubmit and PostToolUse hook reason surfacing in the UI. (#545) - Added run_id field to HookInput for per-run event correlation. (#482) - Fixed UserPromptSubmit hook decision merging to enforce safety priority over allow. (#597) - Fixed missing tool_use_id in PreToolUse hook input. (#559) - Fixed memory hooks lock takeover with atomic rename and async IO. (#550) - Fixed auto-memory workspace cleanup wiping user-added directories. (#548) - Fixed auto-memory session hook missing read_file events due to wrong arg key. (#547) - Fixed run_id ordering by setting it before UserPromptSubmit hook fires. (#537) - Fixed UserPromptSubmit hook firing on tool-result and Stop continuations. (#534) - Updated installer to support multiple install profiles. (#541) ## 2.3.0 - **BREAKING** Removed qwen-oauth authentication support. (#455) - Added auto memory background extraction system. (#465) - Added full shell command display in hook-ask and exec confirm dialogs. (#452) - Added esc key to cancel running slash commands. (#290) - Fixed JavaScript heap out of memory during long sessions. (#462) - Fixed missing allow decision reason in UI when systemMessage is absent. (#435) - Improved test coverage with standalone tests for ExecCommandPreview. (#460) - Updated hook docs to clarify difference between systemMessage and reason. (#436) ## 2.2.1 - Fixed initial chat being blocked during skill/subagent first-load discovery. (#418) - Fixed missing tool_use_id in PostToolUse hook event payload. (#414) - Fixed missing skill_context in PreToolUse hook input for resolved skill path. (#409) - Fixed missing auto-completion for `/statusline` subcommands. (#408) - Fixed unavailable agents appearing in the key sharing prompt. (#394) - Fixed bash option not being restored after canceling from the provider screen. (#393) - Fixed hook systemMessages to be concatenated with a `[name]` prefix for clarity. (#387) ## 2.2.0 - Added `ask` decision support for UserPromptSubmit hook. (#328) - Added new command for Clawhub CLI. (#313) - Added interactive Skills TUI Panel with enable/disable support. (#311) - Added variable substitution and display control for extension TOML commands. (#291) - Added immediate hook activation on extension install/uninstall. (#283) - Added `ask` decision support for PreToolUse hooks. (#276) - Added configurable status bar. (#251) - Added `/export` command for session history. (#245) - Fixed API key validation to skip non-Dashscope providers. (#337) - Fixed PreToolUse ask dialog by unifying it to info type with diff preview. (#345) - Fixed memory leak in memory management. (#309) - Fixed extension lifecycle reliability. (#298) - Fixed hook registry sync on extension enable/disable. (#298) - Fixed interface crash caused by leftBottomContent of Box nested in Text in Footer. (#293) - Fixed `/hooks install` command by removing it and adding default help. (#287) - Fixed extension examples installation and package configuration. (#271) ## 2.1.0 - Added startup bash entry and simplified manual auth dialog. (#217) - Added async fzf-based tab completion optimization. (#214) - Fixed OpenAI API key and model validation via /models endpoint on auth. (#243) - Fixed API key retention when navigating to apiKey field in auth dialog. (#241) - Fixed node-pty native binary bundling for both linux architectures. (#232) - Fixed stream redaction by replacing integer offset with committed text reference. (#210) - Fixed missing fields in hook system. (#188) ## 2.0.4 - Added STS authentication support via ECS RAM role. (#161) - Added BeforeModel, AfterModel, and BeforeToolSelection hooks. (#154) - Added sandbox usage summary on session exit. (#137) - Added Tab-completion for `!` shell mode. (#131) - Fixed config-dir source unification and prevented ~/.copilot creation on startup. (#171) - Fixed /bug command crash in headless environment. (#175) - Fixed undefined metrics.sandbox in StatsDisplay. (#171) - Supplement /hooks install step to post-installation guide. (#142) - Supplement hooks documentation (index, reference, writing-hooks). (#142) ## 2.0.3 - Migrated config directory from `~/.copilot` to `~/.copilot-shell`. (#78) - Added API key detection from configured agents with user approval on bootstrap. (#127) - Added support for configuring multiple custom model providers. (task#80737766) - Added global API endpoint support for Dashscope. (#133) - Added custom skill paths support via `settings.json`. (#128) - Added support for loading skills from extension directories with `cosh-extension.json` compatibility. (#54) - Added `/bug` command for submitting bug reports. (#122) - Added sandbox-guard install command with bypass approval flow. (#125) - Added secret redaction for model output and tool results. (#100) - Added extensible feature tip banner for first-launch guidance. (#113) - Added built-in `/dir cd` command for in-session directory navigation. (#19) - Added session renaming command. (task#80737766) - Added nvm-aware Node.js detection in `cosh` wrapper script. (#72) - Added system-level install via `Makefile` with FHS-compliant directory layout. (#72) - Fixed 24-item limit on `@` file completion menu. (#92) - Fixed TUI flicker on Qwen OAuth page in limited-height terminals. (#76) - Fixed left-arrow key not wrapping from line start to previous line end. (#53) - Fixed irrelevant info display in `/model` command. (#85) - Fixed credentials encryption support in `settings.json`. (#90) - Fixed test failure when running as `root` user. (#29) - Fixed pre-commit hook working directory for lint-staged. (#90) - Configured Husky hooks and documented pre-commit setup. (#65) ## 2.0.1 - Renamed OpenAI authentication label to "BaiLian (OpenAI Compatible)" for clarity. - Fixed login shell stdin drain to prevent unwanted input echo. - Removed ripgrep unavailable warning message. ## 2.0.0 - Synced upstream `qwen-code` to v0.9.0 and rebranded to **Copilot Shell**. - Bumped version directly to 2.0.0 (skipping 1.x, which was used by a previous `OS Copilot` release). - Integrated Skill-OS online remote skill discovery with priority-based fallback (Project > User > Extension > Remote). - Added `/skills remote` and `/skills cache clear` commands for remote skill management. - Added `/bash` interactive shell mode - Added `-c` argument support for inline bash commands. - Added PTY mode for `sudo` command support. - Added hooks system with PreToolUse event for intercepting tool calls before execution. - Added new model provider named Aliyun - Added nested startup detection warning banner. - Added system-wide skill path (`/usr/share`) support. - Removed original Gemini sandbox. - Fixed skill frontmatter parsing for YAML special characters (`|`, `&`, `>`). - Fixed login escaped character echo issue in ECS workbench. - Fixed Linux headless environment browser open failure when auth with Qwen OAuth. - Fixed Qwen OAuth authentication, replay, and UI rendering issues. - Fixed exception handling when adding workspace directories. - Fixed user query start with unix path being misidentified as command. - Fixed API key display explicitly. - Fixed Chinese i18n for `/resume` command. - Improved `?` hint visibility — hidden while user is typing. - Miscellaneous UI, branding, CI, and build improvements. ===== src/cosh-ng/CHANGELOG.md ===== # Changelog All notable changes to the cosh-ng project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [0.11.0] — 2026-06-28 ### Added - Aliyun authentication provider with ECS auto-detection, STS credentials, and QR code flow - SysOM Aliyun provider with ACS3 signing for LLM API access - Per-turn SLS JSONL logging for observability - SysOM request source identification headers - Structured tracing logging system across all crates - Sandbox bypass approval flow on PostToolUseFailure hook events - Startup health scan for environment diagnostics - Extension/hook/skill enable/disable commands (`/extensions`, `/hooks`, `/skills`) - Unified component state management module - Dedicated HOOK approval panel with simplified UI - UserPromptSubmit hook with Ask approval enforcement - Shell evidence read admission control in cosh-core - Tool activity rendering in cosh-shell - `cosh-switch` hint in startup banner for toggling between cosh-ng and copilot-shell ### Changed - **BREAKING**: Rename CLI binary from `cosh` to `cosh-cli`; remove dispatch_core - RPM spec: install cosh-cli binary, `/usr/bin/cosh` launcher, cosh-switch script, `Conflicts: copilot-shell` - Replace eprintln with structured tracing macros - Unify hook decision aggregation with fold_decision - Update workspace repository URL to github.com/alibaba/anolisa ### Fixed - Auth ECS flow and panel overlap on phase transitions - Auth QR code rendered without ANSI escape codes - Use SysomProvider for aliyun after auth success - Align hook input fields and AfterModel/wrap_tool_response with copilot-shell protocol - tool_result dedup guard and visibility - Restore prompt before shell handoff - Suppress duplicate evidence reads - Reduce failed-command auto analysis noise - Skill existence check and harden approval matching - Resolve clippy warnings across cosh-core and cosh-shell ## [0.10.0] — 2026-06-23 ### Added - Shell evidence protocol for capturing and replaying command execution context - Shell evidence control tool in cosh-core for evidence lifecycle management - Hook protocol aligned with copilot-shell for zero-change extension support - Per-hook decision propagation through notification protocol - Hook warnings rendered with per-hook decision color-coding in cosh-shell ### Changed - Share agent error display text across cosh-shell modules ### Tests - Cover shell evidence raw CLI flows ## [0.9.0] — 2026-06-22 ### Added - Hook notifications integrated into approval panel with ⚠ warning display - Hook ask decisions enforce user approval even in Trust/Auto modes - Extended hook system with tool_use_id association and new event types - Registry protocol for /extensions /skills /hooks slash commands ### Fixed - Show Registry group in /help output ### Changed - Remove dead skill management code ## [0.8.0] — 2026-06-18 ### Changed - Rename `cosh-tui` crate and binary to `cosh-core` across the entire workspace - Update adapter system: `CoshTuiAdapter` → `CoshCoreAdapter`, `AdapterKind::CoshTui` → `CoshCore` - Update environment variable `COSH_TUI_PATH` → `COSH_CORE_PATH` - Update RPM spec, documentation, and all test fixtures ### Fixed - Neutralize agent status text in streaming cards - Align streaming card widths in cosh-shell ## [0.7.0] — 2026-06-17 ### Added - Extension discovery and loading module with `cosh-extension.json` manifest support - Extension hooks integrated into startup lifecycle - Skill module with multi-level loading (built-in, user, project) and hot-reload - SkillManager integrated into tool registry and startup - Available skills injected into system prompt for LLM discovery ### Fixed - Infinite loop in `expand_env_vars` when environment variable is undefined - Warn on unsupported extension hook events (`PostToolUseFailure`, `BeforeModel`, `AfterModel`) instead of silently discarding - Align extension hooks format with copilot-shell nested group structure - Remove unused `args` parameter from skill tool schema to avoid misleading LLM - Show question free text answers in cosh-shell - Harden foreground shell handoffs - Share copilot shell config path and keep legacy config fallback ### Changed - Normalize cosh-shell config keys - Standardize cosh-shell code and test organization - Move user state under copilot shell scope ## [0.6.0] — 2026-06-16 ### Added - P0 hook system with 5 lifecycle events (`on_session_start`, `on_turn_start`, `on_turn_end`, `on_tool_call`, `on_session_end`) in cosh-tui - Shell approval classification and hook origin tracking in cosh-shell - Migrate current cosh shell into monorepo workspace ### Fixed - Address approval review findings in cosh-shell - Harden shell evidence continuation to prevent dropped context - Normalize tool call streaming protocol in cosh-tui - Fix passthrough for subcommands in cosh-shell ## [0.5.0] — 2026-06-15 ### Added - CoshTuiAdapter persistent process mode (spawn once, reuse across agent runs, auto-restart on death) - `ask_user` round-trip through control protocol (agent can ask inline questions routed to TUI) ### Changed - Split cosh-tui main into cli/headless/interactive modules - Rename binary from cosh-tui-core back to cosh-tui ## [0.4.1] — 2026-06-15 ### Added - settings.json → config.toml auto-migration with AES-256-GCM encrypted API key decryption - JSONL protocol and tool approval integration tests ### Fixed - Prepend precmd in PROMPT_COMMAND to capture real exit code (Alibaba Cloud Linux /etc/bashrc issue) ## [0.4.0] — 2026-06-15 ### Added - JSONL wire protocol (InputMessage / OutputMessage) for cosh-shell ↔ cosh-tui communication - Provider abstraction with OpenAI-compatible streaming (DashScope, OpenAI, DeepSeek, Generic profiles) - Tool execution framework with 7 built-in tools (shell, read_file, write_file, edit, grep, todo, skill) and approval control - Context window management, message truncation, loop detection, conversation compression - Lifecycle hooks framework - CoshCore agent loop engine - TOML-based multi-provider config with environment variable expansion ### Changed - **BREAKING**: Binary interface from ratatui interactive TUI to JSONL stdin/stdout backend - **BREAKING**: Config format from settings.json to config.toml - Rewrite session store with single-file JSON persistence ### Removed - Legacy ratatui-based TUI code (app, commands, llm, logger, theme, tools, ui modules) ## [0.3.0] — 2026-06-15 ### Added - **cosh-shell crate** — PTY-based AI-augmented shell host with OSC marker protocol - Claude, Qwen, Fake AI adapters with streaming support - Inline rendering engine (approval, question, recommendation, activity panels) - Governance layer with approval modes - Terminal recovery via signal handlers (SIGTERM/SIGHUP/SIGQUIT) and panic hook - Exit code classification with 8 categories (Smart/Auto/Manual analysis modes) - Tool display engine with per-tool-type parsing and ANSI color categories - Hook engine with built-in hooks (FailedCommandHook, TestFailureHook) and skill routing - External hook loading from ~/.config/cosh/hooks/ with subprocess execution - Native shell compatibility (rcfile loading, PS1, history, login shell detection) - Context window with sliding window (max commands, max age, token budget) - Prompt intent optimization (do → Bash tool, know → prose) - Natural language intercept with visual feedback - InputClassifier conservative mode for native mode - Analysis throttle (30s cooldown, max 3 consecutive) - Consultation card rendering with keyboard capture - Control protocol for tool approval round-trips - Startup banner with gradient ASCII art logo - `/mode` and `/hooks` slash commands - Architecture documentation ### Fixed - Native mode input rendering with powerlevel10k dual-line prompts - Slash/NL intercept via buffered-then-judge strategy in native mode - Zsh preexec intercept for command_not_found - CandidateRedraw line clearing for CJK input and backspace - Suppress cosh-osc$ prompt leak in native mode - Tool display label matching in bash tool executor - Wide character placeholder cell handling in buffer extraction ### Changed - Unified workspace version (0.3.0) for all crates (cosh-types, cosh-platform, cosh-cli, cosh-shell, cosh-tui) ## [0.2.0] - 2026-05-16 Hardening + audit-subsystem release. Workspace versions bumped to `0.2.0` together with the release profile and lockfile commit. ### Added - **`audit` subsystem** with PEP/PDP/log split: `cosh audit check` / `cosh audit log` for command-safety gating and per-session retrieval. - **Workspace release profile** (`opt-level = 3`, `lto = true`, `strip = true`, `codegen-units = 1`), committed `Cargo.lock`, workspace-level dependency pinning, and native CA cert support. - **Command timeouts, input validation, and panic-safe JSON output** across `cosh-cli` and `cosh-platform` so a panic still emits a `CoshResponse` envelope on stderr instead of an empty exit. - **`forbid(unsafe_code)`** on `cosh-cli` / `cosh-platform`, plus `svc list --state` filter validation against an allow-list. - **`pkg search` cross-references installed status** so results show which matches are already installed. - **`ResponseMeta.warning`** field for non-fatal warnings; `audit` responses are explicitly marked as stub via this field. - **LLM tool surface expansion** in cosh-tui: pkg / svc / checkpoint wrapper tools, plus `svc enable` / `svc disable --dry-run`. - **Timeouts + exponential-backoff retries** on LLM and external command tools in cosh-tui; 60 s shell-tool timeout. ### Changed - TUI `/help` aligned with the full command set; title bar version and markdown prefix stripping corrected. - Clippy warnings resolved across the workspace; dead-code allowances dropped; test code aligned with production lint level. - Build warnings eliminated and version detection improved across cosh-tui / cosh-platform. ### Fixed - **Shell safety check tokenized** to close tab / newline / redirect / chain bypasses; substring matching on raw command strings replaced with whitespace (incl. `\t` / `\n` / `\r`) tokenization and metacharacter rejection (`;` `|` `&` `>` `<` `$` `` ` `` `(` `)` `{` `}`) — `is_safe_command` in `crates/cosh-tui/src/tools/shell.rs`. - Forbidden tool calls are now blocked even under Yolo approval mode. - `cosh-cli` wrapper tool output is bounded so a chatty subcommand cannot blow the LLM context window. - Tool-call IDs synthesized via a process-wide counter to guarantee uniqueness across the agentic loop. - `settings.json` and session files written atomically with `0600` permissions. - Runtime bounds enforced for the agentic loop, history, config, and tool messages; scrollback bounded with UTF-8-safe truncation. - Panic hook installed in the TUI; history navigation recovered after panic. - ws-ckpt IPC response size bounded to 64 MiB. - Nonexistent systemd services detected via `LoadState=not-found` instead of misclassifying them as "inactive". ### Security - Audit-stub `recoverable` / `hint` semantics surface clearly to agents via the standard `CoshError` envelope. - Atomic-rename + `0600` perms on credential-bearing files. ## [0.1.0] - 2026-05-10 Initial public-shaped release after renaming the workspace from `agos-core` to `cosh-ng` and adding the interactive TUI crate. ### Added - **4-crate workspace**: `cosh-types`, `cosh-platform`, `cosh-cli`, `cosh-tui` with strict dependency direction `cosh-cli` / `cosh-tui` → `cosh-platform` → `cosh-types`. - **`cosh` CLI binary** with dual-mode dispatch: `cosh` (no args) execs into `cosh-tui`, `cosh ` returns structured JSON. - **Cross-distro `pkg` subsystem**: `install` / `remove` / `search` / `list` routed across `dnf` / `apt-get` (`apt-cache` for search) / `zypper` based on `Distro::detect()` reading `/etc/os-release`. - **`svc` subsystem** over `systemctl`: `status` / `start` / `stop` / `restart` / `enable` / `disable` / `list`, with uptime and corrected column mapping in `list`. - **`checkpoint` subsystem** talking to the `ws-ckpt` daemon over Unix-socket IPC; bincode wire format with 4-byte LE length prefix and explicit protocol versioning + error handling. Commands: `init` / `create` / `list` / `restore` / `recover` / `delete` / `diff` / `cleanup` / `status`. - **`cosh-tui`** interactive TUI on `ratatui` + `crossterm`: slash-command system with auto-complete, session management, theming, custom border set, echo-on-submit. - **Agentic loop with cosh-cli wrapper tools** in cosh-tui, bringing pkg / svc / checkpoint tooling to the LLM (initially shipped as `cosh-tui v0.4.0`). - **LLM chat integration** with config-driven providers and UI surfacing. - **Unified `settings.json` V2 config** consolidating prior scattered config files. - **AES-256-GCM decryption** for encrypted credentials. - **macOS detection + Homebrew backend** in `cosh-platform`, with unit tests. - **Unified JSON envelope** `CoshResponse` with `ok` / `data` / `error` / `meta`, classified `CoshError` carrying `recoverable` and `hint` for agent retry decisions. - **Integration tests** for `pkg` and `checkpoint` CLI commands. ### Changed - Workspace renamed from `agos-core` (with `agos-types` / `agos-platform` / `agos-cli`) to `cosh-ng` (with `cosh-*` crates); `agos-cli` and `agos-platform` removed in the same commit. - `cosh-tui` checkpoint tooling adapted to the new daemon protocol. ### Fixed - `cosh-cli` stdout validated as JSON before forwarding to the LLM, preventing parser confusion on malformed bytes. ## [pre-0.1.0] - 2026-05-03 → 2026-05-08 Pre-rename `agos-core` foundation. ### Added - Initial 2-crate workspace `agos-types` + `agos-platform`. - `agos-cli` cross-distro CLI prototype with `pkg`, `svc`, `checkpoint`, `audit` command shapes. - MVP v2 CLI Gateway architecture document and bilingual (English / Chinese) usage guide. ===== src/ktuner/CHANGELOG.md ===== # Changelog All notable changes to ktuner are documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] ### Added - Initial kernel-tuning engine: `check`/`tune`/`fix`/`why`/`rollback` commands evaluate 207 rules and output structured JSON tuning recommendations. ===== src/os-skills/CHANGELOG.md ===== # Changelog ## 0.6.1 - Rewrote `sysom-diagnosis` skill and removed legacy CLI. (#1241) - Fixed OpenClaw gateway write scope verification in `install-openclaw` skill. (#1205) ## 0.6.0 - Added anolisa component contract (component.toml, Makefile, RPM spec). (#1159) - Added OpenClaw bootstrap guidance to `install-openclaw` skill. (#1051) - Added model endpoint preflight before gateway startup in `install-openclaw` skill. (#1031) - Added static knowledge base update script for `anolisa-guide` skill. (#1010) - Added `anolisa-guide` skill. (#849) - Fixed Aliyun mirror fallback for uv and qwenpaw install. (#968) - Fixed dashscope proxy URL to new Anthropic endpoint in `install-claude-code` skill. (#858) - Renamed `copaw` to `qwenpaw` across os-skills. (#968) ## 0.5.0 - Added `anolisa-register` skill. (#829) ## 0.4.0 - Added auto-install tokenless plugin support for agent install skills. (#731) - Added OpenClaw dependency precheck. (#719) - Improved OpenClaw non-interactive setup. (#687) - Added Hermes adapter runner. (#617) - Added standalone ANOLISA adapter entry. (#549) - Fixed OpenClaw state dir handling normalization. (#641) - Improved Makefile install paths and contract. (#541) ## 0.3.0 - Added `hermes-agent-install` skill. (#353) - Added `clawhub-skill-mng` skill with npm install support and YAML description matching. (#315) - Fixed AgentSight custom db path issue, using default paths instead. (#366) - Fixed AgentSight token savings query support. (#355) - Fixed AgentSight interruption CLI and aligned `conversation_id` naming. (#334) ## 0.2.2 - Support enable AgentSight dashboard in `agentsight` skill. (#222) ## 0.2.1 - Upgraded `xlsx` skill with MiniMax open-source implementation. (#218) - Updated skill descriptions from "suitable for alinux4" to "rpm-base linux". (#182) ## 0.2 - Added `humanizer`, `image-gen`, `pdf-reader`, and `xlsx` skills. (#178) - Added `cosh-guide` skill. (#23) - Support net/io/load diagnostic capabilities to `sysom-diagnosis` skill. (#163) ===== src/skillfs/CHANGELOG.md ===== # Changelog All notable changes to SkillFS are documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] ## [0.3.3] - 2026-07-10 ### Added - Hermes workspace layout compatibility. SkillFS now recognizes Hermes hub markers, preserves management paths, and exposes nested `category/skill/SKILL.md` skills alongside top-level skills. - Nested Hermes skills now support activation state, installer lifecycle writes, notifications, audit attribution, fallback snapshots, and hidden visibility. ### Fixed - `skillfs validate --json` now includes source paths for warning and error entries so automation can locate invalid skills. - FUSE teardown now bounds failed unmount cleanup and prevents leaked test mounts from affecting later sessions. ## [0.3.2] - 2026-07-03 ### Fixed - CLI SLS ops logging now records SkillFS mount and runtime operations. - Runtime metrics now emit real-time deltas for SLS consumers. ## [0.3.1] - 2026-07-03 ### Added - Managed mount supervision can recover stale FUSE mounts and bound recovery retries during repeated starts. ### Changed - English and Chinese README guidance now covers managed mounts, in-place operation, security boundaries, and troubleshooting. ### Fixed - Post-publish grace reads fallback skill files from source paths after installers finish. - `skillfs validate` now reports parse failures in the status summary. - In-place authoring supports new skills and pending-install ownership changes. - Managed stop and runtime-dir handling avoid stale ownership and unbounded recovery retries. - Daemon-facing backing roots under PrivateTmp are rejected before mount startup. - FUSE smoke cleanup handles leftover mounts and temporary paths more reliably. ## [0.3.0] - 2026-06-26 ### Added - Runtime security integration for agent skill directories. SkillFS can now consume activation decisions from `.skill-meta/activation.json` or the `user.agent_sec.skill_ledger.activation` xattr, then expose each skill as current, hidden, or a trusted fallback snapshot. - File-change notification for external security daemons. With `--activation-mode file`, `--notify-socket`, `--activation-events-log`, and `--activation-reload-mode poll`, SkillFS reports skill mutations, reloads activation decisions, and keeps already-opened file handles pinned to their original target. - Trusted control socket for activation writes. A daemon verified with `SO_PEERCRED`, executable identity, and start-time checks can update activation JSON or activation xattr through a bounded request API instead of writing `.skill-meta` through the agent-visible mount path. - Installer compatibility for common skill installation flows. Staging directories, direct writes, quiet-timeout completion, and post-publish grace windows allow installers to finish writing a skill before SkillFS asks the security provider to scan and activate it. - In-place mount support for security daemons. Ledger backing roots are bind mounted privately and validated at startup so scanners read the real source tree rather than the agent-facing FUSE view. - Canonical skill identity based on the directory basename. Frontmatter `name:` remains display metadata and no longer changes the SkillFS store key or daemon-facing skill id. ### Changed - `.skill-meta/**` is hidden from ordinary agents and remains accessible only through trusted metadata paths or the control socket. - Skill mutation notify uses ordinary filesystem event kinds, including `create`, `write`, `rename`, `unlink`, `rmdir`, and truncate events, instead of a separate install-complete protocol event. - POSIX passthrough behavior was expanded for symlink, hardlink, FIFO, path length fallback, open-after-unlink, xattr, and inode consistency cases. ### Fixed - Prevented stale activation views by combining notify-triggered reload, polling, and activation watcher convergence. - Hardened trusted-writer and trusted-peer checks against process reuse and executable replacement with start-time and file-identity validation. - Avoided installer and daemon visibility bugs around hidden skills, fallback snapshots, staging paths, and backing-root propagation. ## [0.2.0] - 2026-05-09 ### Added - FUSE write passthrough for `write`, `create`, `mkdir`, `rename`, `unlink`, `rmdir`, and `setattr(size)` operations on skill directories. - Background sync worker that reparses `SKILL.md` on write and `upsert`s the entry back into `SharedSkillStore`. - Immediate visibility for newly created skill directories: `mkdir` inserts a `ParseStatus::Degraded` placeholder, then the sync worker overwrites it with the real entry once `SKILL.md` is written. - in-place mount mode that accesses the underlying source via `/proc/self/fd/{n}` to avoid the over-mount self-loop. - Integration suite `crates/skillfs-fuse/tests/write_guard_tests.rs` covering both normal and in-place write paths. ### Changed - Directory name is now the authoritative store key. After `rename`, stale frontmatter `name:` no longer revives the old key. - Read of `SKILL.md` still returns the compiled result; raw file is only used for writes and parsing. - Architecture docs refactored into `docs/specs/skillfs-spec.md`, `docs/specs/core-spec.md`, `docs/specs/fuse-spec.md`. ### Removed - Workspace-related code paths and the unused workspace config support from `skillfs-core` (commit 6d604c7). - Legacy ad-hoc test scripts (kept only `scripts/build.sh` and `scripts/test.sh`). ### Fixed - CLI tracing timestamps now use the local timezone instead of UTC. ## [0.1.2] - 2026-04-29 ### Added - Read-only mount write protection: `mknod`, `symlink`, `link`, and write callbacks all return `EROFS`. ### Fixed - Parser summary truncation now respects multi-byte character boundaries. ## [0.1.1] - 2026-04-29 ### Added - `skillfs-mount` agent skill under `docs/skills/` to help users set up, mount, and unmount a SkillFS instance. ## [0.1.0] - 2026-04-25 ### Added - Initial release of the SkillFS workspace. - `skillfs-core`: `SKILL.md` parser (with `Ok` / `Degraded` / `Error` status), in-memory `SkillStore` with flat and categorized directory layouts, `skillfs-views.toml` configuration, conditional `compiler::compile`, and environment probing (OS, commands, env vars). - `skillfs-fuse`: read-only FUSE filesystem that exposes the configured default view at `/skills`, always-on virtual `skill-discover`, and compile-on-read for `SKILL.md`. Other files in a skill directory are passed through to the physical source. - `skillfs` CLI: `mount`, `classify`, `validate`, `list` subcommands. ===== src/tokenless/CHANGELOG.md ===== # Changelog ## 0.6.1 - bundle tool_categories.json into dist for npm installs - use node: prefix, eliminate shell subprocess in openclaw plugin ## 0.6.0 - add absolute saved values + schema version to JSON output - use import.meta.dirname instead of __dirname in openclaw plugin - add qwencode adapter for Qwen Code extension - fix rtk pytest 'No tests collected' regression - add trusted FHS fallback paths for hook_utils import in codex scripts - add SLS JSONL data collection with config toggle - add tokenless RPM component contract (publishing metadata) - add compression toggle with dry-run compare mode (`TOKENLESS_COMPRESSION_ENABLED`, `stats summary --compare`) - enable SLS recording by default and document usage - align compression mode serde/db form and dedup config load - expand RPM component contract (bundle.entry + hermes) - make SLS writer append-only and skip when log file absent - prefer tool_call_id over internal tool_use_id for qwencode hooks - bump vendored rtk to v0.43.0; rework pytest stderr-surfacing patch for the refactored runner; drop grep-fallback-fix (root cause fixed upstream) and preflight-skip-python (reversed upstream) - sync toon-format to 0.5.0 in Makefile and spec (was stale at 0.4.6) ## 0.5.1 - add --json output to stats summary - implement unified tool categorization and 3-layer compression strategy - add rtk grep fallback pattern fix patch - add rtk pytest error report patch ## 0.5.0 - add Hermes adapter runner - drop TOON wrapper prefix and slim diagnostic tags - unify rtk rewrite exit code 3 handling across adapters - secure shell variable interpolation in env-fix and hooks - add subprocess returncode checks and extract shared hook utilities - secure resolveBinaryPath and improve binary cache invalidation - use mktemp in tests and safe home expansion - bound SchemaCompressor recursion to prevent stack overflow - propagate env-fix subprocess failures instead of returning stdout - anchor home lookup on getpwuid_r and trust-check candidate binaries - harden env-fix install paths with uid trust check and divert stderr to log - recover from poisoned mutex in stats recorder instead of failing - add input size limit and validate db path - reserve truncation marker length in response compressor - rename openclaw plugin Name to Tokenless and ID to tokenless - add qoder CLI adapter - compress-schema on array input - warn when compression is skipped - stats command syntax - add Claude Code adapter plugin - error on TTY stdin instead of hang - add codex adapter plugin - fix compression pipeline output inflation, truncation and hook timeouts - harden env-fix, version extraction, file trust, schema, permissions - address review findings — trailing newline, chmod guard, rate-limited log, comment - make env attribution reachable for skip-tools entries - add selective-claw context engine plugin - address review findings for selective-claw plugin - remove invalid "2" dependency from selective-claw - restore indentation in compress_response_hook.py - harden hook exit-code handling + trust model consistency - only warn on truly unexpected rtk exit codes - dedup rewrite_hook, import from hook_utils ## 0.4.1 - fix version_ge 3-segment truncation in env_check.rs (compare all segments) - add qoder, claude-code, codex adapter plugins and documentation - sync manifest.json with template to include all six agents - update README and user manuals for new agent integrations - add __pycache__ to root .gitignore - update response-compression.md with all agent integration paths - derive Makefile version from Cargo.toml, fix spec changelog weekday - normalize adapter version numbers to 0.4.0 - derive adapter plugin versions from Cargo.toml instead of hardcoding ## 0.4.0 - correct 5 bugs in stats, naming, SQL, paths and permissions - align FHS paths, restructure adapter dir, remove install.sh - address code review findings across schema, env-check, hooks, and plugin - add hermes agent plugin - security hardening & critical algorithm correctness - behavioral correctness & logic fixes - dedup, dead code removal & cosmetic cleanup - support staged installs - support Debian/Ubuntu FHS paths and harden binary resolution - build OpenClaw plugin to dist/index.js ## 0.3.2 - replace spoofable home-dir uid derivation with libc::getuid() syscall for trust chain integrity - replace subprocess toon -e calls with in-process toon_format::encode_default() library call - replace rtk/toon git submodules with crates.io deps and inline toon-format source - hard-fail on rtk stats patch failure in justfile setup-rtk recipe - unify compress-toon/compress-schema/compress-response error exit codes (all exit 2) - remove 2>/dev/null || true from Makefile toon install (hard fail on missing binary) - remove redundant #[source] attribute on thiserror variants that already have #[from] - deduplicate Python hook FHS path constants into shared hook_utils module - add libc to workspace dependencies for uid syscall - add detailed rust >= 1.89 comment in spec.in explaining CI pin rationale ## 0.3.0 - add tool-ready 4-phase environment pre-check with cosh extension integration - skip compression and stats when no token savings - pass caller context to rtk stats via .rewrite-context file - remove redundant cosh extension install/uninstall from install.sh - convert cosh hooks to extension format per cosh dev guide - skip zero compression and stats recording - use isExecutable() and resolved paths in openclaw plugin - resolve rtk/toon binary paths for RPM-installed plugins - correct RPM install paths to align with install.sh expectations - preserve tool result message structure in TOON encoding - align install paths with FHS - auto-record stats with real tool_use_id from hook payload - restructure RPM dirs and remove auto plugin/hook installation ## 0.2.0 - add compression stats with auto-record from real data - add TOON context compression support - skip compression for skill and content-retrieval tools ## 0.1.0 - introduce tokenless into ANOLISA (#199) ===== src/ws-ckpt/CHANGELOG.md ===== # Changelog [中文版](CHANGELOG_zh.md) ## 0.4.1 ### Features - Added skip auto-checkpoint after rollback (#1263) ### Bug Fixes - Fixed workspace sync after config update (#1263) - Fixed absolute path handling for ws-ckpt in crontab entries (#1263) - Changed rollback -n offset, pass numAncestors as-is (#1263) ## 0.4.0 ### Breaking Changes - **BREAKING** checkpoint `-i`/`--id` flag replaced by `-s`/`--snapshot` as primary; `-i` remains as hidden alias but may be removed in a future release (#1064) ### Features - Added plugin install/uninstall subcommand (#1005) - Added component.toml for anolisa-cli adapter discovery (#1005) - Added rollback preview support with --preview parameter (#1103) - Added elapsed time display after each CLI operation (#1075) - Added auto-generated snapshot ID when --snapshot is omitted (#1064) - Added SLS ops log output for dashboard metrics (#1059) - Added optional -t flag for diff to compare snapshot against current workspace (#848) - Added rollback-by-ancestor-count and snapshot DAG tracking (#877) - Added cron-based scheduled checkpoint snapshots (#819) ### Bug Fixes - Fixed --snapshot/-s as primary flag and aligned plugin flag handling (#1103, #1064) - Fixed SKILL.md to sync with actual CLI/plugin implementation (#847) - Fixed init and recover to guard against replaced workspace symlink (#860) - Fixed init rsync by dropping --copy-unsafe-links (#873) ## 0.3.3 ### Features - Added per-workspace policy override with hermes/openclaw plugin support (#721) - Added `/proc` cwd occupant guard for init and rollback (#684) - Added Hermes adapter runner script (#617) ### Bug Fixes - Fixed write lock contention and cwd guard deadlock in rollback (#721, #684) - Fixed input validation for non-UTF-8 paths and path-traversal snapshot IDs (#695, #678) - Fixed seccomp arch selection, workspace registry concurrency, and RPM packaging (#695, #684) ## 0.3.2 - Fixed openclaw uninstall to remove tool whitelist from config - Fixed parent path refusal to apply as workspace-level rules for skill and openclaw plugin ## 0.3.1 - Fixed plugin workspace config registration and auto-loading - Reject workspace paths that are hermes cwd itself or parent - Fixed plugin tool to prefer explicit workspace parameter over config - Fixed skill delete requiring --force flag - Fixed daemon workspace path validation and fswatch fd leak - Removed unused btrfs_ops.rs module ## 0.3.0 - Added openclaw plugin scaffolding for ws-ckpt - Added hermes plugin scaffolding for ws-ckpt - Made ws-ckpt skill agent-agnostic and prompted for workspace at invocation - Followed `make install` contract for build-all integration - Fixed bugs in list and diff sub-commands - Made daemon stateful ## 0.2.0 - Added auto_cleanup feature and switch - Unified config modification entry through the TOML file - Added global CLI warning when any workspace>1000 snapshots or filesystem usage>90% - Fixed backend detection and daemon state recovery logic - Fixed image size configuration not taking effect after daemon restart - Removed obsolete fs_warn_threshold_percent parameter - Fixed config.toml to ship as a sample file ## 0.1.0 - Daemon with Unix Socket IPC and Bincode binary protocol. - `init` / `checkpoint` / `rollback` / `delete` / `list` / `diff` / `cleanup` / `status` / `config` commands. - Background scheduler: auto-cleanup, health check, orphan recovery. - Multi-backend: btrfs-base / btrfs-loop / overlayfs with auto-detection. - TOML config persistence with runtime hot-reload. - systemd service with RPM packaging for Alinux 4.