变更日志
English
本文件记录项目所有值得注意的变更。
格式基于 Keep a Changelog,项目遵循语义化版本。
[1.0] - 2026-07-06
组件版本
| 组件 | 版本 |
|---|
| copilot-shell | 2.6.1 |
| agent-sec-core | 0.7.0 |
| agentsight | 0.7.1 |
| tokenless | 0.6.1 |
| agent-memory | 0.2.1 |
| os-skills | 0.6.1 |
| anolisa | 0.1.20 |
| skillfs | 0.3.2 |
| ws-ckpt | 0.4.1 |
| cosh-ng | 0.11.0 |
重点特性
- anolisa:更新到 v0.1.20,交付统一 CLI 网关提供组件全生命周期管理与适配器编排,用户可通过一条命令安装/更新/诊断所有组件
- cosh-ng:更新到 v0.11.0,完成 Core/Shell 分离与 AI 增强终端,Agent 可跨发行版确定性执行结构化系统操作
- agent-memory:更新到 v0.2.1,新增用户数据主权与 4 类记忆分类,用户可查询/遗忘/控制自动捕获的记忆
- tokenless:更新到 v0.6.1,新增压缩开关与 A/B 对比及 QwenCode 适配器,用户可量化各策略的 Token 节省效果而不影响任务执行
新增组件
- anolisa:首次发布 v0.1.16,构建统一 CLI 网关管理组件安装/更新/卸载(RPM + Raw 双后端),用户可通过
anolisa install --all 一键部署全部组件
- cosh-ng:首次发布 v0.11.0,实现确定性 Agent-OS 接口(5 crate workspace),Agent 可通过稳定 API 跨发行版执行结构化系统操作
- skillfs:首次发布 v0.3.2,构建 FUSE 虚拟文件系统实现基于视图的 SKILL.md 暴露,Agent 可从挂载目录发现并加载技能
组件更新
- agent-memory:更新到 v0.2.1,新增主权工具集(about/forget/consent)、AMA 导入导出、4 类分类和抗 SIGKILL 增量聚合,用户可自主控制记忆留存并跨 Agent 迁移
- tokenless:更新到 v0.6.1,新增压缩开关(dry-run + 按模式统计)、SLS JSONL 遥测默认开启和 QwenCode 适配器,开发者可 A/B 测试压缩策略并在 SLS 大盘监控 Token 节省
- agentsight:更新到 v0.7.1,新增 Token 节省可视化(策略饼图 + 行级 diff)、安全大盘和容器/K8s 全面支持,用户可直观评估各优化策略的节省贡献
- copilot-shell:更新到 v2.6.1,新增
/model 多 Provider 切换对话框和 SLS 会话遥测(32 字段 JSONL),用户可自由切换 LLM Provider 而不丢失配置
- agent-sec-core:更新到 v0.7.0,新增 Skill Ledger 完整性链(GPG 签名工作流)和 Prompt Scanner,用户可审计 Skill 安全状态并在危险操作前收到确认提示
- os-skills:更新到 v0.6.1,新增 ANOLISA Guide 知识库 skill(13 份官方文档)和 OpenClaw 安装预检引导,Agent 可在回答中引用准确的产品文档
- ws-ckpt:更新到 v0.4.1,新增自动清理调度和 TOML 配置热重载,用户可设置保留策略并即时生效无需重启 daemon
变更
- 文档治理规范通过
specs/documentation-standard.md 建立
- 双语命名约定统一为
_zh.md(从遗留 _CN.md 迁移)
[0.6] - 2026-06-12
组件版本
| 组件 | 版本 |
|---|
| copilot-shell | 2.4.1 |
| agent-sec-core | 0.5.0 |
| agentsight | 0.5.0 |
| tokenless | 0.4.1 |
| agent-memory | 0.1.0 |
| os-skills | 0.5.0 |
| cosh-ng | 0.1.0 (MVP) |
重点特性
- agent-memory:首次发布 v0.1.0,交付沙箱化文件系统 MCP 记忆服务器,Agent 可跨会话持久化存储并通过 BM25 检索上下文
- tokenless:更新到 v0.4.1,新增 Hermes Agent 插件和 Tool Ready 4 阶段预检,Agent 工具执行前自动验证环境就绪避免无效重试
- agentsight:更新到 v0.5.0,新增 Skill 维度 Token 指标和 Hermes 支持,用户可精确定位哪些 Skill 消耗最多 Token
新增组件
- agent-memory:首次发布 v0.1.0,构建 19 工具 MCP 服务器(命名空间隔离 + BM25 后台索引),Agent 可在沙箱化文件系统中读写/检索持久记忆
- cosh-ng:首次发布(MVP),完成确定性 OS 操作的生产可用功能,Agent 可获得格式可预测的结构化命令输出
组件更新
- tokenless:更新到 v0.4.1,新增 Hermes adapter runner 和 Tool Ready 机制(4 阶段环境预检集成为 cosh extension),Agent 工具调用前自动校验环境减少因环境故障浪费的 Token
- agentsight:更新到 v0.5.0,新增 Skill 维度 Token/调用指标和 Hermes matcher(含 SSL 支持),用户可在 Dashboard 中按 Skill 查看 Token 消耗明细
- agent-sec-core:更新到 v0.5.0,新增 PIIChecker(输出 PII 检测 + 脱敏引擎)和 Skill Scanner(文本/代码扫描 + 生命周期触发),Agent 输出中的敏感信息被自动拦截
- copilot-shell:更新到 v2.4.1,新增跨 Session 自动记忆提取和 hook reason UI 可见性,用户可看到安全 hook 拦截操作的具体原因
[0.5] - 2026-05-28
组件版本
| 组件 | 版本 |
|---|
| copilot-shell | 2.4.0 |
| agent-sec-core | 0.4.0 |
| agentsight | 0.4.0 |
| tokenless | 0.4.0 |
| os-skills | 0.4.0 |
重点特性
- tokenless:更新到 v0.4.0,新增 Hermes 插件和 Tool Ready 环境机制,Agent 工具执行前依赖缺失被提前拦截避免 Token 浪费
- agent-sec-core:更新到 v0.4.0,交付 PIIChecker 和 Skill Scanner 首版,Agent 输出被扫描防止敏感信息泄露
组件更新
- tokenless:更新到 v0.4.0,开发 Hermes Agent 插件(Tool Ready 4 阶段环境预检 + History 压缩),Agent 运行时依赖在执行前被自动校验
- agent-sec-core:更新到 v0.4.0,新增 PIIChecker 输出 PII 检测和 Skill Scanner 基线能力,用户免受 Agent 无意泄露敏感数据的风险
- agentsight:更新到 v0.4.0,新增 Skill 维度指标展示,用户可按 Skill 查看 Token 消耗分组
- os-skills:更新到 v0.4.0,纳入 Nightly 自动化测试覆盖,Skill 质量持续验证
[0.4] - 2026-05-13
组件版本
| 组件 | 版本 |
|---|
| copilot-shell | 2.3.0 |
| agent-sec-core | 0.4.1 |
| agentsight | 0.4.0 |
| tokenless | 0.3.0 |
| os-skills | 0.3.0 |
| ws-ckpt | 0.2.0 |
重点特性
- agent-sec-core:更新到 v0.4.1,建立 Skill 安全全生命周期管理(含 Prompt Scanner ask 策略),用户在 Agent 执行危险指令前收到确认提示
- tokenless:更新到 v0.3.0,搭建 4 套 Benchmark 对比基线,开发者可量化评估不同 Skill/OS 环境的 Token 消耗差异
- ws-ckpt:更新到 v0.2.0,扩展快照管理命令集,用户可按数量或时间维度自动清理历史快照
组件更新
- agent-sec-core:更新到 v0.4.1,集成 Prompt Scanner 至 cosh hook 和 OpenClaw 插件(ask 策略),用户在危险操作前获得交互式确认
- tokenless:更新到 v0.3.0,构建批量并发 Benchmark 平台并生成对比报告,开发者可一键跑分横向对比 Token 节省效果
- agentsight:更新到 v0.4.0,优化常驻进程内存占用,2C2G 小规格实例可稳定运行可观测服务
- copilot-shell:更新到 v2.3.0,适配 SWEBench 评测框架,开发者可通过 cosh 执行代码修复任务并验证通过率
- ws-ckpt:更新到 v0.2.0,丰富快照增删查能力,用户可按策略自动保留最近 N 份快照
[0.3] - 2026-04-30
组件版本
| 组件 | 版本 |
|---|
| copilot-shell | 2.2.1 |
| agent-sec-core | 0.3.0 |
| agentsight | 0.3.1 |
| tokenless | 0.2.0 |
| os-skills | 0.3.0 |
| ws-ckpt | 0.1.0 |
重点特性
- tokenless:更新到 v0.2.0,交付命令重写和 TOON 上下文压缩,CLI 输出 Token 消耗降低 60–90%
- agentsight:更新到 v0.3.1,新增 Token 节省 Dashboard 和 Agent 异常诊断,用户可可视化节省趋势并检测 Agent 中断
- agent-sec-core:更新到 v0.3.0,新增 Skill Ledger 完整性追踪和 Prompt Scanner,每个 Skill 的签名链可端到端审计
新增组件
- ws-ckpt:首次发布 v0.1.0,构建基于 btrfs 的工作区快照守护进程,Agent 可毫秒级创建检查点并即时回滚文件系统状态
组件更新
- tokenless:更新到 v0.2.0,新增通过 RTK 的命令重写和 TOON 上下文压缩,Agent CLI 交互 Token 消耗减少 60–90%
- agentsight:更新到 v0.3.1,新增 Token 节省 Dashboard(Session/时间段统计)和 Agent 中断检测(drain 机制),用户可监控节省趋势并在 Agent 故障时收到告警
- agent-sec-core:更新到 v0.3.0,新增 Skill Ledger 全生命周期(check/certify/bypass/status/audit)和 Prompt Scanner 越狱检测,用户可追踪并强制执行 Skill 完整性策略
- copilot-shell:更新到 v2.2.1,新增 Extension 架构(command extension + system Hook + 即时激活)、Skill 市场对接和会话导出(Markdown/HTML/JSON),用户可通过插件扩展 cosh 能力并导出对话历史
- os-skills:更新到 v0.3.0,新增 Skill 市场上架和实用技能(xlsx/pdf-reader/image-gen/humanizer),用户可从市场发现并安装技能
[0.2] - 2026-04-15
组件版本
| 组件 | 版本 |
|---|
| copilot-shell | 2.0.4 |
| agent-sec-core | 0.2.0 |
| agentsight | 0.2.2 |
| os-skills | 0.2.2 |
| tokenless | 0.1.0 |
组件更新
- agentsight:更新到 v0.2.2,新增 Token 消耗可观测(精确 Tokenizer 计量),用户可实时查看每条消息的 Token 明细
- copilot-shell:更新到 v2.0.4,新增独立鉴权(STS/ECS RAM Role)和 Skill 市场浏览,用户无需 AK/SK 即可认证并发现可用技能
- os-skills:更新到 v0.2.2,新增 SysAdmin 技能(Linux IO/网络/负载诊断),Agent 可独立诊断常见 OS 性能问题
- tokenless:首次发布 v0.1.0,构建 Skills 级 Benchmark 测试用例,开发者可跨 Skill 量化对比 Token 消耗
[0.1] - 2026-03-30
组件版本
| 组件 | 版本 |
|---|
| copilot-shell | 2.0.1 |
| agent-sec-core | 0.1 |
| agentsight | 0.1 |
| os-skills | 0.1 |
新增组件
- copilot-shell:首次发布 v2.0.1,构建 AI 驱动终端助手(Tab 补全、/bash 模式、sudo、Hook 安全),用户开机即获得 AI 原生 CLI 交互体验
- agent-sec-core:首次发布 v0.1,交付 Skill 签名校验、安全沙箱和系统加固,Agent 操作在受控最小权限环境中运行
- agentsight:首次发布 v0.1,构建基于 eBPF 的零侵入可观测探针,用户无需修改 Agent 代码即可监控 LLM API 调用和 Token 消耗
- os-skills:首次发布 v0.1,整理系统管理、SysOM 运维、DevOps 和云技能库,Agent 可自主执行常见 OS 操作
安全
- Skill 全链路安全加密与数字签名
- 硬件级安全沙箱风险隔离
- Skill 调用身份认证与完整性校验
各组件详细变更日志请参阅:
用户入口
Token 节省
运行时
Agent 可观测
Agent 安全
Changelog
0.2.1
- fix vector/hybrid search panic and empty index when an embedding provider is configured: the index worker ran on a std::thread with no tokio Handle so embeddings were never produced, and memory_search mode=vector|hybrid called Handle::block_on from a worker thread; the runtime handle is now captured at spawn and threaded through to the worker, and the search path uses block_in_place
- fix memory_get_context leaking .git internals (e.g. .git/logs/HEAD) into agent context by extending the reserved-path filter to cover .git/ via a shared is_under_git predicate in safe_fs
- fix full_scan (startup and inotify-overflow recovery) only building the BM25 index and never dense embeddings, so preexisting files were invisible to vector search until modified; a paths_without_vec query plus a backfill pass now embeds them, centralised in an embed_sync helper shared with flush
- fix memory_search returning zero hits for short CJK query terms (< 3 chars, e.g. "花名"/"小云"): the trigram tokenizer emits no tokens for terms shorter than 3 characters, so such queries now fall back to a
body LIKE '%term%' substring scan that preserves recall, agent-scope filtering, and cold/superseded exclusion
- resolve embedding dimensions from the first real response instead of hardcoding 1536 (DashScope text-embedding-v3 is 1024): dimensionality is stored in an AtomicUsize seeded with the estimate and overwritten on first embed
- add anolisa-cli adapter contract via .anolisa/component.toml so the CLI adapter manager can discover the openclaw plugin bundle through the [[adapters]] TOML schema
0.2.0
- add prompt-injection safety module (looksLikePromptInjection + escapeMemoryForPrompt) mirrored between Rust core and TS adapter
- add secret detection and PII redaction to the safety module
- add auto-recall before_prompt_build hook injecting relevant memories each turn
- add auto-capture agent_end hook with trigger filtering, SHA256 dedup and injection rejection
- add dense-vector semantic search via pluggable EmbeddingProvider (OpenAI /v1/embeddings, Ollama /api/embed)
- add files_vec table (schema v2) for per-file dense embeddings alongside FTS5 BM25
- add hybrid search with reciprocal rank fusion (RRF, k=60) of BM25 + vector scores
- add memory_search mode parameter (bm25/vector/hybrid) with graceful fallback to BM25
- add per-agent memory isolation via [memory].agent_scope (shared/isolated/filter), schema v5
- add memory sovereignty tools (memory_about/forget/auto_created/consent) with consent.toml preferences
- add 4-type closed memory classification (user/feedback/project/reference) to memory_observe
- add mem_export and mem_import for cross-agent memory migration (AMA archive format)
- add memory_summary tool for memory overview and source tracking
- add memory_session_context tool
- add memory_sessions and memory_timeline session history query tools
- add MEMORY.md index file and mem_index_refresh tool
- add user profile synthesis (Dreaming V3 mem_dream)
- add memory consolidation: auto-extract L1 atomic facts from session audit logs on shutdown
- add episodic memory extraction from coherent tool-call chains
- add cross-session task persistence and incremental consolidation
- add consolidation quality filters (mutual exclusion, non-derivable, date normalization)
- add time-decay ranking (exp(-λ×age_days)) applied to BM25/vector/hybrid scores
- add cold archival of old never-accessed files with mem_compact tool
- add conflict detection via BM25 similarity before writing new facts
- add category subdirectories (facts/<category>/) with memory_search category filter
- add token tracking (tokens field in AuditEntry)
- add mem_consolidate tool for manual consolidation trigger
- add corpus supplement registration for memory_search corpus=all
- add EmbeddingConfig (None/OpenAI/Ollama) with TOML parsing and env overrides
- extend memory_search signature with optional mode and category parameters
- cap memory_search query at 1024 characters to prevent FTS5 resource exhaustion
- truncate embedding error response bodies to 200 chars to prevent API key leakage
- distinguish CJK vs ASCII token estimation in ConsolidatedFact
- hold FactWriter JSONL file handle under mutex to prevent line interleaving
- derive BM25Store mount root from db path with canonicalize + starts_with traversal guard
- compute Episode duration from entry timestamps instead of chain length
- propagate session_id to extracted episodic facts
- return fact count from consolidate() for mem_consolidate reporting
- fix effectiveMode in search response to reflect actual mode used
- fix embedding API empty-response handling to return zero vector of correct dimensionality
0.1.0
- introduce filesystem memory MCP server for AI agents (Linux only) with 21 tools over stdio JSON-RPC 2.0 in three tiers (Tier A file ops, Tier B BM25 search, Tier C governance)
- add per-namespace mount under ~/.anolisa/memory/<ns>/ with optional user-namespace + private tmpfs isolation (auto/userland/userns strategies)
- enforce path sandbox via openat2(RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS) on every Tier A file open
- add SQLite FTS5 BM25 background index with transactional upsert, schema migrations, trigram CJK tokenizer and inotify-driven debounced flush
- add optional git versioning with auto-commit serialized under a per-handle mutex
- add tar.gz snapshots with strict id whitelist, atomic rename swap on restore and rollback entries under .anolisa/trash/
- add optional cgroup v2 memory.max self-limit applied before the tokio runtime starts
- add JSONL audit log (O_NOFOLLOW | O_CLOEXEC, Mutex<File>) with optional systemd-journald fan-out
- enforce profile gating (basic/advanced/expert) at both tools/list and tools/call with deny_unknown_fields on config structs
- add per-session scratch and log under /run/anolisa/sessions/<sid>/ (0700) with tmpfiles.d snippet
- add systemd user template anolisa-memory@.service with hardening (ProtectKernelTunables/Modules/Logs, SystemCallFilter, MemoryDenyWriteExecute, RestrictNamespaces, RestrictAddressFamilies=AF_UNIX)
- add RPM packaging with offline vendor tarball and single statically-linked binary (bundled SQLite + vendored libgit2)
- add OpenClaw plugin memory-anolisa with install/detect/uninstall lifecycle and 4 memory contract tools routed to the MCP server as a stdio child
- add single-source version sync from Cargo.toml into manifest/package/openclaw/mcp JSON and the bundle
- add mcp-harness example and 140 automated tests across 12 integration suites
Changelog
0.8.0
Build & Packaging
- Installed the Codex plugin during source builds so source deployments include the same Codex integration as packaged installs. (#1302)
- Updated source build scripts for the sec-core install flow. (#1348)
- Fixed system-mode source builds by placing uv-managed Python under the shared sec-core library directory and adding a system install smoke check. (#1400)
Code Scanner
- Added sensitive file path rules for common agent credentials to block API key exposure. (#1401)
OpenClaw Plugin
- Hardened OpenClaw deploy compatibility handling and covered deployment edge cases with unit tests. (#1358)
- Added an OpenClaw plugin cross-version E2E matrix that validates packaged plugin loading, Gateway flows, policy behavior, and observability across supported OpenClaw hosts. (#1372)
Documentation
- Added bilingual agent-sec-core user guide documentation and documentation maintenance rules. (#1311)
- Documented OpenClaw plugin deployment, compatibility, and upgrade guidance. (#1370)
0.7.1
Prompt Scanner
- Degraded scan-prompt to fast mode when model unready; rewrote DENY to WARN and enriched degraded reason with diagnostics. (#1258)
Skill Ledger
- Clarified skill ledger fallback warnings and sanitized finding summaries. (#1240)
- Tamed ledger reconcile noise and typed live-root skip errors. (#1232)
Security Observability
- Added observability mapping for new pii_scan at before_tool_call & after_tool_call. (#1229)
0.7.0
Codex Plugin — Full security integration for OpenAI Codex
- Added codex-plugin with code scanning, prompt scanning, skill ledger, and PII checking hooks. (#1074)
- Supported packaging codex-plugin into RPM. (#1138)
- Fixed codex-plugin paths in Makefile and CI for correct RPM install verification. (#1165)
Code Scanner
- Added code-scanner LLM mode for AI-assisted security analysis. (#1108)
- Added code-scanner static rules for expanded coverage. (#1033)
Prompt Scanner
- Added L4 multi-turn intent detection with ollama model service. (#1060)
- Routed prompt scan to daemon and added prompt model preload for reduced latency. (#786)
- Controlled prompt scan call to use daemon by env variable. (#933)
Skill Ledger — Activation daemon and policy engine
- Added Skill Ledger activation daemon for background integrity monitoring. (#857)
- Added runtime activation resolver for skill trust decisions. (#826)
- Added skill ledger activation policy for configurable enforcement. (#944)
- Updated skill ledger activation and event contracts. (#983)
- Updated Skill Ledger hook defaults and reconcile notify behavior. (#1086)
- Aligned skill ledger hooks across all agent platforms. (#1135)
- Resolved Skill Ledger FUSE and unmanaged roots handling. (#1141)
- Fail-open unsupported Hermes skill ledger scenarios. (#1155)
Daemon & Telemetry
- Added daemon service with systemd integration and RPM build support. (#1090)
- Exposed SQL query endpoint at daemon for observability queries. (#1042)
- Enhanced daemon logging including requests and jobs. (#871)
- Added telemetry schema definition and SLS JSONL writer. (#977, #1008)
- Passed agent_name to telemetry data for multi-agent identification. (#1032)
- Added logging system for structured agent-sec-cli output. (#651)
- Added security daemon socket fallback under
/run/user/<uid> for user-scoped deployments. (#1129)
PII Scanner
- Extended PII scanning coverage with additional pattern detectors. (#925)
Security Observability
- Added session report command for post-session security summaries. (#703)
Sandbox
- Converged sandbox trigger rules for consistent enforcement. (#979)
Adapter & Build
- Added ANOLISA CLI component.toml for adapter manifest integration. (#1067)
- Added systemd-rpm-macros as RPM build dependency. (#1156)
0.6.0
Self-Protection — Tamper-resistance for agent-sec-core itself
- Added self-protect code-scan rules that block disabling/uninstalling agent-sec plugins on OpenClaw and Hermes. (#692)
- Optimized self-protect rules in code-scan to eliminate false positives on prefix-matched plugin names and cover Hermes uninstall/rm patterns. (#710)
Prompt Scanner
- Unified prompt-scan warning format across cosh-extension, hermes-plugin, and openclaw-plugin with structured fields (threat type, risk level, interception stage, model confidence). (#709)
Agent-Sec-CLI
- Added daemon process for agent-sec-cli to amortize startup latency across hook invocations. (#677)
Adapter & Manifest
- Added standalone ANOLISA adapter entry
anolisa-for-openclaw to package sec-core OpenClaw adapter scripts and drive install/detect/uninstall via the adapter manifest. (#549)
- Added Hermes adapter runner: refactored the OpenClaw entry into a target-agnostic
anolisa-adapter-runner and added anolisa-for-hermes wrapper, with per-agent adapter directory layout under sec-core. (#617)
- Centralized sec-core adapter manifest parsing across adapter scripts and moved the manifest under the cli package. (#617)
OpenClaw Integration
- Normalized OpenClaw state directory handling: use
OPENCLAW_STATE_DIR for adapter filesystem state, unset OPENCLAW_HOME when invoking the OpenClaw CLI, and aligned plugin install/list/uninstall handling. (#641)
0.5.0
PII Scanner — Personal information leak detection
- Added PIIChecker scan CLI with text/file input, regex/validator-based detection, redaction, and security middleware integration. (#525)
- Added PIIChecker hooks for cosh and OpenClaw with stdin-based input passing. (#539)
- Added Hermes PII checker hook. (#556)
- Fixed scan-pii module mode detection via subprocess. (#540)
Security Observability — Agent run metrics & posture insights
- Added security observability schema, metrics definition, and CLI with jsonl writer for agent runs. (#488)
- Added openclaw plugin for security observability. (#515)
- Added cosh hook for security observability. (#528)
- Persisted observability records to sqldb with CLI review command. (#544)
- Added observability plugin for hermes. (#553)
- Correlated security events with observability events and supported batch query. (#578)
- Respected trace-id filter in count queries. (#595)
Hermes Plugin — AI Agent integration framework
- Added hermes-plugin framework with abstract hook class and code scan capability. (#536)
- Added Hermes prompt-scan capability. (#579)
- Added Hermes PII checker hook. (#556)
- Added Hermes skill ledger hook. (#565)
- Added observability plugin for hermes. (#553)
- Supported correlation context in hermes agent plugin. (#590)
- Added hermes plugin install for rpmbuild and build from scratch. (#577)
- Stabilized Hermes skill-ledger warning delivery for non-pass skill checks. (#600)
Correlation & Tracing Context
- Unified caller tracing context across CLI, OpenClaw, and cosh with
--trace-context JSON and SQLite schema v2. (#569)
- Supported correlation context in hermes agent plugin. (#590)
- Correlated security events with observability events. (#578)
Skill Ledger
- Integrated code-scanner with skill-ledger for unified security assessment. (#505)
- Updated skill ledger security interactions. (#529)
- Made openclaw skill ledger approval configurable. (#575)
- Added Hermes skill ledger hook. (#565)
- Refined skill ledger scan workflow and aligned documentation. (#529)
- Included skill-ledger e2e in install flows. (#573)
- Fixed skill-ledger hook scope limitation. (#497)
- Fixed managed skill dirs for discovery. (#510)
- Expanded home paths for skill-ledger. (#596)
- Hardened skill ledger recovery and key UX. (#575)
Code Scanner
- Added code-scan requireApproval config for openclaw. (#560)
- Added OpenClaw enableBlock hook policies. (#586)
Security Middleware & Event System
- Fixed TOCTOU race condition at sqldb read path. (#546)
- Made SQLAlchemy lazy import for non-DB subcommands. (#581)
- Lowered frequency for SQL maintenance operations. (#546)
Prompt Scanner
- Added Hermes prompt-scan capability via hermes plugin. (#579)
- Fixed warmup detection from error-string matching to file-based check. (#500)
- Fixed prompt text passing via stdin instead of argv. (#579)
Toolchain & CI
- Added build-all support with local space install for sec-core. (#527)
- Added hermes plugin install for rpmbuild and from-scratch build. (#577)
- Included skill-ledger e2e in install flows. (#573)
- Added adapter manifest for capability discovery. (#577)
0.4.0
Prompt Scanner
- Prompt scanner hook now asks user on missing model instead of fail-open. (#463)
- Added prompt injection detection benchmark dataset and evaluation toolkit. (#464)
Security Middleware & Event System
- Refactored security_events SQLite storage to SQLAlchemy ORM with multi-table extensibility and typed repositories. (#459)
Skill Ledger
- Fixed sign-skill auto-register config (exact awk match) and parse openclaw stdout unconditionally. (#445)
- Unified XDG paths under
agent-sec/skill-ledger vendor namespace. (#445)
- Unified single-skill verify into structured result for consistent output. (#445)
- Converted integration tests from subprocess to Typer CliRunner. (#445)
OpenClaw Integration
- Registered plugin at openclaw gateway explicitly to support Gateway startup planning. (#446)
Refactoring
- Removed deprecated agent-sec-core skill directory; aligned README and spec with agent-sec-cli workflow. (#454)
Toolchain & CI
- Added coverage report for sec-core CI. (#431)
- Enabled rpmbuild and e2e test CI for main branch. (#432)
0.3.0
Prompt Scanner — Multi-layer prompt injection & jailbreak detection
- Added prompt injection/jailbreak detection scanner architecture with L1 rule engine (YAML-based) and L2 ML classifier (Prompt Guard 2). (#253)
- Integrated prompt scanner into cosh hook and openclaw plugin with security middleware lifecycle. (#261, #294)
- Added
list-scanners command, improved CLI help, and made --scanner-version optional. (#284)
- Added prompt scan summary and backend tests. (#294)
- Added prompt-scanner skill definition. (#256)
- Added model warmup, audit logging, and comprehensive documentation. (#253)
- Stabilized batch scanning and verdict logic with thread-safe model loading. (#253)
- Unified prompt scanner response to use "ask" instead of "block". (#341)
- Added prompt-scanner e2e test suite and Makefile target. (#352)
Code Scanner — Static code security analysis
- Added code scanner component with rule-based detection for obfuscation, permission abuse, and more. (#234)
- Integrated code scanner into cosh hook (with ask decision support) and openclaw plugin adapter. (#234)
- Added code scanner CLI entry, error codes, and unit tests. (#234)
- Fixed code scan bugs and added e2e test. (#342)
Skill Ledger — Skill integrity tracking and signing
- Added skill-ledger CLI with middleware integration for skill integrity verification. (#252)
- Added skill-ledger skill definition. (#266)
- Added skill-ledger cosh hook for PreToolUse and openclaw-plugin capability. (#292, #281)
- Improved skill-ledger CLI and cleaned up imports. (#284)
- Restructured skill-ledger config defaults and documentation. (#296)
- Aligned skill-ledger tool name and added path validation. (#317)
- Reworked skill-ledger status, output, and check signing. (#335)
- Skill-ledger hook hardening, e2e suite, and posture integration. (#339)
- Known limitation: skill directory resolution assumes dir name matches SKILL.md
name field; see #381.
Security Middleware & Event System
- Added security middleware framework with unified CLI entry point and metrics integration. (#121, #220)
- Added sqldb writer & reader with query command at CLI interface for security event persistence. (#254)
- Fixed cross-process event loss in SecurityEventWriter. (#226)
- Applied corruption whitelist to stop false-positive DB rebuilds. (#338)
- Added e2e test and fixed bugs revealed during testing. (#330)
Linux Sandbox
- Added sandbox guard and failure handler hooks. (#362)
OpenClaw Integration
- Added hook plugin for openclaw with integrated security scanning capabilities. (#242)
- Added jq requires for openclaw hook package. (#370)
Cosh Extension Integration
- Integrated with new cosh extension API and added builtin commands. (#302)
Performance
- Lazy-load ML dependencies to speed up non-ML subcommands. (#318)
Toolchain & CI
- Migrated Python toolchain to uv package manager and pinned Python 3.11.6. (#227)
- Added sec-core RPM build CI and adapted nightly build pipeline. (#295)
- Initialized code format check CI with python-code-pretty. (#229)
- Added e2e test in RPM build CI. (#369)
Bug Fixes
- Preserved seharden wrapper defaults. (#236)
- Removed dynamic import at middleware router. (#277)
- Improved missing loongshield guidance. (#289)
- Fixed build errors. (#288)
- Removed openclaw hook examples and fixed documentation. (#282)
0.2.0
- Added Hardened skill signing pipeline and added
.skill-meta layout. (#129)
- Added
Cargo.lock to version control. (#149)
- Added
make install-sandbox target. (#68)
- Fixed bubblewrap version compatibility for
--argv0 option. (#112)
- Changed Refactor SKILL.md to executable protocol and align sub-skills. (#130)
Changelog
0.7.1
Fixes
- Improve severity labels and agent sidebar UX.
- Show all verdicts in the summary command.
- Sync component.toml version with package version.
0.7.0
Features
- Add Codex CLI adaptation with three-tier SSL probe attach (symbol table → byte pattern → offset table) and cross-chunk SSE continuation buffer.
- Add security observability dashboard and server proxy for agent threat visibility.
- Add memory optimization with bounded event buffers, feature flags (
features.*) and configurable runtime limits (runtime_limits.*).
- Add
container_id to AgentsightLLMData for container-level attribution.
- Derive
session_id from process environment variables and request metadata instead of message content.
- Add
call_kind classification (chat / completion / embedding / tool_use) to GenAI semantic events.
- Add
--exclude filter to agentsight audit CLI for noise reduction, and show non-streaming LLM calls in audit output.
- Add unified
agentsight summary command for one-shot status overview.
- Enhance token savings page with baseline comparison, strategy breakdown, line-level diff highlighting and optimization tips.
- Upload skill metrics via SLS Logtail exporter.
- Improve agent health UX: role badges (P1/P2), TTL-based cleanup, process-ancestry grouping, and Session ID help tooltip.
- Filter client processes from health API to reduce dashboard noise.
- Add anolisa component contract for RPM lifecycle integration.
Fixes
- Fix sslsniff BPF verifier rejection on kernel 5.15 and add BPF load tests.
- Fix traced_processes BPF map leak causing uprobe attach failure after long runtime.
- Prevent duplicate uprobe
Links by retaining inodes in traced_files on detach.
- Decode compressed (zstd/brotli) SSE streams so Claude Code and similar agents are fully captured.
- Harden compressed SSE decode against partial chunk boundaries.
- Extract token usage from non-streaming and HTTP/2 responses.
- Fix namespace PID usage in udpdns and tcpsniff probes.
- Strip
/proc/{pid}/root prefix for uprobe attach in containerized environments.
- Implement tiered SSL and tcpsniff ring buffer reservations to reduce dropped events.
- Clamp before mask in filewrite/udpdns BPF probes; cap stdout payload to
MAX-1.
- Change cgroup gate to OR semantics and add
trace_cgroup FFI interface.
- Tighten SSE truncation detection and write pending row for deferred GenAI calls.
- Respect dynamic sysom path in SLS exporter mode selection; replace removed
sysom_logtail_path with logtail_path filter.
- Validate ring buffer size is power-of-two at startup.
- Wire feature flags and runtime limits to actual runtime code paths.
Refactoring
- Split
genai/builder.rs into 4 focused modules and genai.rs into 5 submodules.
- Bundle shared BPF maps into
SharedMaps for reduced duplication.
- Extract background threads module with stop-signal support.
- Replace remaining
unwrap() calls with if-let / ? patterns.
CI & Quality
- Add fmt, clippy, unit test coverage, and architecture boundary check CI gates.
- Add
clippy.toml + cargo-deny for lint and supply-chain auditing.
- Add architecture boundary check script (
check-arch-boundary.py).
- Add scoped AGENTS.md for FFI, unified orchestrator, and storage modules.
- Define Footprint Ladder for code surface growth control.
- Add
agentsight-code-review and pr-body develop-skills.
0.6.1
- Add real-time agent_crash detection in trace mode.
- Add OOM crash detection.
- Add cgroup-level event filtering with v1/v2 compatibility.
- Support QwenCode skill discovery via per-user home scanning.
- Support SLS Logtail activation reversible via dynamic path.
- Support bridging ilogtail
SLS_LOG_PATH into config via token-collector switch.
- Default
traceEnabled to false to drop conversation content from SLS by default.
- Drop
gen_ai.system_instructions from SLS uploads when traceEnabled=false.
- Refactor session_id and conversation_id derivation from response_id instead of message content.
- Fix CJK deadloop detection,
kill() error check, and SIGKILL escalation.
- Fix SQLite read/write contention via VACUUM optimization.
- Fix rpm-build.sh agentsight build failures.
- Fix allow log path re-init on repeated new+start.
0.6.0
- Add deadloop detection and auto-kill mechanism for runaway agent processes.
- Add retry storm detection and
/metrics interruption counters.
- Add BPF-layer HTTP protocol filter and wildcard capture (
*) for unknown IP/port targets.
- Add client-side hybrid encryption for sensitive message fields.
- Add
traceEnabled configuration toggle with SLS upload layer enforcement.
- Add HTTP domain rules resolved to tcpsniff BPF map via DNS.
- Add default DashScope HTTPS rule and
anolisa_release module.
- Add FFI interface for
tcp_targets and input_delta config.
- Add CO-RE compatibility to UDP DNS probe for kernel 6.0+.
- Support runtime SLS logtail path via config hot-reload.
- Expand interruption types and add logtail export.
- Restructure config to
https/http rules.
- Refactor query
stats.db by tool_use_id and unify savings display.
- Refactor load encryption public key from
agentsight.json.
- Fix decode HPACK Huffman headers.
- Fix BoringSSL probe attachment, FFI event delivery, and chunked-body panic.
- Fix preserve initial SSE chunk in event-stream responses.
- Fix
c_char / BPF comm portability (i8 vs u8).
- Remove dead code and deprecated APIs.
0.5.0
- Add Claude Code support including SSL probe attach for BoringSSL, Anthropic SSE thinking/tool_use content blocks, and
message.id-based session correlation.
- Add tcpsniff probe for plain HTTP traffic capture with configurable IP/port filtering (disabled by default with empty
tcp_targets).
- Add User-Agent based agent detection with
comm fallback for simplified agent matching.
- Add UDP DNS probe for agent discovery (replacing TLS SNI probe) with QNAME parsing moved to userspace.
- Add TLS SNI probe module and refactor discovery to config-driven rules.
- Add connection scanner for pre-established LLM API connections.
- Add
tools field to AgentsightLLMData FFI struct, passed through as raw JSON.
- Add container PID namespace support in BPF traced process filtering and event emission.
- Add agent matching rules and reduce BPF ring buffer to 32MB.
- Add
uid field to SLS logs with OnceLock cache and startup validation.
- Support profile-based installs.
- Fix
duration_ns calculation in LLM data.
- Fix SSL probe cleanup of stale inodes on process exit.
- Fix BPF verifier
-E2BIG issues by removing nested #pragma unroll in udpdns.bpf.c and masking payload_len on older kernels.
- Fix skill extraction for Hermes agent architecture.
- Fix Node.js
process.title change handling in OpenClaw matcher.
0.4.0
- Add HTTP/1.1 request body reassembly for fragmented SSL writes.
- Add skill metrics analysis with cosh filesystem-based discovery.
- Add SLS upload and Logtail file exporter for GenAI events.
- Add hermes agent matcher for LLM process discovery.
- Detect uv Python static OpenSSL in SSL sniffer.
- Remove AK/SK-based SLS direct upload, keep Logtail file export.
0.3.1
- Fix simplify agent_crash detection and fix multi-process dedup. (#411)
- Fix use SqliteConfig for audit CLI db path. (#399)
- Fix hide Cosh from agent health UI and remove keepalive support. (#401)
- Fix API endpoint table in AGENTS.md. (#397)
0.3.0
- Add interruption detection system with drain mechanism and dashboard integration. (#315)
- Add token savings page and API endpoint for optimization visualization. (#310)
- Add compounded token savings and request count tracking. (#320)
- Add C FFI API with cbindgen header generation. (#306)
- Add filewatch and filewrite eBPF probes for file access monitoring. (#308, #309)
- Support SysOM AK/SK GenAI capture for cosh. (#305)
- Use LLM API response_id as trace_id and add conversation_id field. (#304)
- Resolve session_id from agent's own session via ResponseSessionMapper. (#303)
- Fix interruption CLI and align conversation_id naming. (#318)
- Fix cosh session_id recognition by supporting snake_case response_id. (#307)
- Fix wrong tool call id in token savings compounding. (#316, #317)
- Fix standardize call_id, add tool_call_ids column. (#319)
- Fix session_id and response_id mapping in genai builder and storage. (#321)
- Fix token savings display in conversation list. (#322)
- Fix cache agent name by pid for dead process resolution. (#358)
- Fix remove custom db path and use default paths. (#359)
- Support nightly docker image build in CI. (#302)
0.2.2
- Support starting backend-server for dashboard with AgentSight service.
- Fix dashboard frontend dynamic width for multiple display-size.
0.2.1
- Add
/usr/lib/copilot-shell path to CoshMatcher for agent discovery. (#190)
- Add 200MB size limit for
genai_events.db to prevent unbounded growth. (#211)
- Remove
/api/stats endpoint returning incorrect data. (#197)
- Extract audit from HttpRecord and filter non-LLM calls. (#196)
- Always show comparison data when
--compare flag is used in token queries. (#194)
- Fix incorrect
discover command in README documentation. (#191)
- Remove breakdown command and keep token consumption commented. (#193)
- Replace deprecated
MemoryLimit with MemoryMax in systemd service file. (#181)
0.2.0
- AgentSight Dashboard web UI with real-time monitoring interface. (#74)
- Agent health monitoring with offline alerting and hung process dashboard restart. (#158)
- One-click navigation from dashboard to ATIF trace analysis page. (#116)
- /metrics endpoint to expose standard Prometheus-format data. (#134)
- Support for HTTP 2.0 protocol. (#147)
- Support to build RPM package. (#166)
Changelog
All notable changes to ANOLISA will be documented in this file.
The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.
[Unreleased]
[0.2.2] - 2026-07-09
Added
anolisa update --check now reports RPM upgrade opportunities without changing state.
anolisa update --check --motd now prints a short login-friendly upgrade summary.
anolisa upgrade now applies RPM image upgrades for RPM-managed toolchains.
anolisa upgrade now installs missing default components from the selected target profile.
anolisa adapter scan now marks enabled receipts with missing sources as orphaned.
anolisa adapter status now reports missing adapter sources as degraded receipts.
Changed
anolisa list now shows component scope for visible user and system records.
anolisa status now shows scope, mutability, shadowing, and state path metadata.
anolisa doctor now includes readable system components in user-mode diagnostics.
anolisa doctor now suggests system-mode commands for read-only system records.
anolisa update --check now uses the latest target profile when --target is omitted.
anolisa update --check --motd now points users to sudo anolisa upgrade when action is needed.
Fixed
anolisa uninstall, forget, and update now reject read-only system targets with system-mode guidance.
anolisa upgrade now reports unresolved target defaults as check errors.
anolisa upgrade now warns when refreshed RPM details are unavailable after an upgrade.
[0.2.1] - 2026-07-08
Added
anolisa adapter enable now supports Tokenless adapters for cosh, Codex, and Claude Code.
anolisa adapter enable now supports Tokenless adapters for Qoder.
Changed
- Claude Code adapters now use per-component marketplaces to avoid affecting other ANOLISA plugins.
anolisa adapter enable now rejects invalid framework and adapter_type combinations before changing settings.
Fixed
- Codex adapters now work when component resources come from packaged data directories.
- Qoder adapter enable now keeps malformed
settings.json unchanged instead of replacing it.
- Qoder adapter disable now removes only hook entries previously added by ANOLISA.
- Qoder adapters now prefer stable qodercli releases over matching prereleases.
[0.2.0] - 2026-07-07
Added
- Raw components can now declare
conflicts to block incompatible raw installs.
Fixed
anolisa install now rejects raw component conflicts before changing the host.
anolisa install --dry-run now reports raw component conflicts instead of showing an invalid plan.
[0.1.20] - 2026-07-03
Added
- ANOLISA can now be distributed as
@anolisa/cli with Linux x64 and arm64 binaries.
repo.toml now enables the npm backend for component distribution.
Changed
anolisa list now shows local state, ownership, and next action for each component.
anolisa list --json now includes RPM package, version, architecture, and source repository details.
Fixed
- RPM installs and updates now keep system repositories available for dependencies.
- Adapter commands now distinguish missing component manifests from invalid manifests.
[0.1.19] - 2026-07-02
Fixed
anolisa adapter disable --dry-run now previews cleanup without removing adapter receipts or resources.
- Read-only commands now use downloaded repo config when saving
repo.toml fails.
- Component commands now accept package aliases consistently when targeting installed components.
- Ambiguous package aliases no longer choose an arbitrary installed component.
- Unknown component names now report no match without querying packages.
[0.1.18] - 2026-07-01
Added
anolisa install now auto-installs missing system packages for raw components in system mode.
anolisa install --dry-run now labels unresolved dependencies as auto-install or manual.
anolisa install now reports packages auto-installed during raw component installs.
anolisa status --verbose now shows packages auto-installed for each component.
Changed
- Commands that need repo access now download and validate
repo.toml on first use.
- Repo config dry-runs now fetch and validate without writing
repo.toml.
- RPM install and update now use only the
repo.toml RPM repository.
- User-mode raw installs now report missing dependencies with install commands before changing files.
- Failed raw installs now list any auto-installed packages left on the system.
anolisa update self no longer fetches repo config before checking CLI updates.
Fixed
anolisa list --installed now includes adopted RPM components.
anolisa list now shows adopted, failed, and disabled component statuses.
- Adapter commands now prefer resources from the datadir that supplied the component contract.
- RPM installs now fail before
dnf when [backends.rpm] is missing.
- RPM updates now explain missing
[backends.rpm] instead of using host repositories.
[0.1.17] - 2026-06-30
Added
- Repository
components.toml can now define component names, package aliases, and raw/RPM package mappings.
anolisa list --installed now filters installed components.
Changed
anolisa list and install --all now read components from components.toml instead of catalog.json.
anolisa list now shows NAME, SUMMARY, BACKENDS, and STATUS.
anolisa list --enabled is now a hidden alias for --installed.
ANOLISA_CATALOG_URL no longer changes list sources; configure repo.toml instead.
anolisa install, status, adopt, and repair now resolve RPM package aliases from components.toml.
anolisa status now suggests sudo anolisa adopt <component> for untracked RPM components.
Fixed
anolisa status <RPM package> now reports the canonical component row when an alias is installed.
anolisa repair <RPM package> now refreshes the canonical component row when an alias is used.
- Non-root
anolisa osbase mutations now reach the system helper instead of failing install-mode checks.
- Commands now reject root
--install-mode user before writing ambiguous user-mode state.
- System-mode write commands now fail before changes when sudo is missing.
- Existing installs with managed symlinks no longer show false symlink integrity failures after upgrade.
anolisa status now reports referent_mismatch when managed symlinks point elsewhere.
[0.1.16] - 2026-06-29
Added
anolisa osbase sandbox install runc now installs runc, containerd, Docker, and Docker client.
anolisa osbase sandbox install now enables services declared by sandbox scenarios.
anolisa osbase sandbox install now runs scenario verification commands after installation.
anolisa osbase sandbox install now records sandbox scenarios in installed.toml.
anolisa osbase sandbox install now reports optional scenario packages as hints.
rund, firecracker, and gvisor sandbox scenarios now define post-install checks.
anolisa adapter enable now supports adapter_type = "skill_bundle" for OpenClaw and Hermes skills.
- The RPM package now installs default
repo.toml to /etc/anolisa/repo.toml.
- ANOLISA telemetry setup now installs log rotation for ops
.jsonl files.
Changed
anolisa osbase sandbox install --dry-run now shows preflight, package, service, verify, and state phases.
anolisa osbase sandbox install runc now requires Linux kernel 4.18 or newer.
anolisa osbase sandbox install now reports verification failures as warnings when other phases succeed.
repo.toml now points RPM installs to the agentic-os repository path.
anolisa update self --json now reports apply mode, RPM package, and RPM version observations.
anolisa adapter status now treats skill bundles as healthy without plugin registration.
anolisa adapter enable now rejects skill bundles that declare framework config entries.
Fixed
- RPM-backed commands now use the component name as the default package name.
anolisa update self now delegates RPM-owned CLI updates to dnf.
- Non-root sandbox installs now show package, service, verify, and state phases.
- Telemetry setup now runs the ilogtail installer with bash-compatible script handling.
anolisa adapter disable now cleans skill bundles without plugin unregister errors.
[0.1.15] - 2026-06-25
Added
anolisa doctor now reports component health, dependency status, and suggested fixes.
- Raw components can now declare runtime dependencies for install and update preflight checks.
anolisa install --dry-run now previews runtime dependency status for raw components.
Changed
anolisa install and update <component> now refuse raw components with missing runtime dependencies before changing files.
anolisa restart <component> now restarts service units shipped by RPM-backed components.
anolisa restart <component> now shows guidance for RPM-backed template services instead of failing.
Fixed
anolisa adapter enable now expands {datadir} from the package that provided the adapter metadata.
- After
anolisa uninstall or forget, adapter commands no longer see stale component metadata.
[0.1.14] - 2026-06-24
Added
- Raw components can now place systemd unit files with
{unitdir}.
- Raw components can now place user service unit files with
{userunitdir}.
- User-mode
anolisa install now activates declared user-scope services.
Changed
- User-mode
anolisa install now resolves %u service templates to the current user.
- System-mode
anolisa install now preserves %u user service templates for later per-user activation.
anolisa uninstall now reloads systemd after removing declared service unit files.
anolisa restart <component> now restarts user-scope services from user-mode installs.
Fixed
anolisa install now starts freshly installed service units without a manual systemd reload.
anolisa uninstall now deactivates user-scope services from user-mode installs.
anolisa adapter enable now finds {datadir} skills from the package directory that provides the adapter.
[0.1.13] - 2026-06-23
Added
anolisa adapter enable now supports Hermes plugins.
anolisa adapter enable now installs declared OpenClaw skills.
anolisa adapter enable now applies declared OpenClaw config values.
anolisa install now starts declared services for raw components.
anolisa install now applies declared file capabilities for raw components.
anolisa install now runs declared hooks for raw components.
anolisa update <component> now restarts declared services for raw components.
anolisa update <component> now reapplies declared file capabilities for raw components.
anolisa uninstall now runs declared hooks for raw components.
anolisa uninstall now disables declared services after stopping them.
Changed
anolisa adapter scan now honors declared adapter resource locations.
anolisa adapter enable now reads package-installed adapter resources.
anolisa install --dry-run now previews declared capabilities for raw components.
anolisa register status now reports the latest registration after repeated changes.
- Cancelled
anolisa register and unregister prompts now exit successfully.
Fixed
anolisa adapter status now detects OpenClaw plugins from wrapped table output.
anolisa adapter status now ignores bundled Hermes plugins during checks.
anolisa adapter commands now find metadata shipped by RPM-installed components.
anolisa register status now reports sysom console registrations as active.
[0.1.12] - 2026-06-22
Added
anolisa update <component> can update raw-managed components from the raw backend.
anolisa osbase sandbox list shows scenarios from sandbox.toml.
anolisa osbase sandbox uninstall <scenario> can remove packages for a sandbox scenario.
anolisa system setup can install the helper service for non-root osbase commands.
anolisa system status can show helper health, version, uptime, and last operation.
anolisa system teardown can remove the helper service and sandbox config.
anolisa env --json includes distro identity fields.
Changed
anolisa osbase sandbox install <scenario> now installs scenarios defined in sandbox.toml.
- Omitting
--install-mode now selects system for root and user otherwise.
anolisa update <component> --dry-run now lists raw backend candidate versions.
Fixed
- Legacy
yum backend names in repo.toml and --backend now resolve to rpm.
- Raw components installed with
--package now update from the same package name.
anolisa update <component> now refuses raw updates that would downgrade a component.
anolisa update <component> now refuses raw updates when versions cannot be safely compared.
[0.1.11] - 2026-06-18
Added
anolisa adopt <component> can track a pre-installed system RPM without installing it.
anolisa repair <component> can refresh RPM component state after package details change.
anolisa forget <component> can stop tracking a component without removing packages or files.
Changed
anolisa status <component> now reports drifted RPM components when system package details change.
anolisa uninstall now keeps observed system RPMs unless --remove-system-package is used.
anolisa install now preserves adapter package resources when adopting RPM components.
[0.1.10] - 2026-06-17
Added
anolisa install --backend rpm can install missing RPM components through dnf and track them as managed.
anolisa install can adopt matching pre-installed system RPMs without downloading a raw package.
anolisa update <component> can update RPM-managed and RPM-observed components through dnf.
anolisa status now shows package, version, architecture, and source repo for RPM-backed components.
anolisa status <component> now reports matching untracked system RPMs as observed.
Changed
anolisa update runtime <component> is now anolisa update <component>; self and all stay subcommands.
repo.toml now uses [backends.rpm] instead of [backends.yum].
anolisa install --all now lists adopted RPM components in the batch summary.
Fixed
anolisa install --all now prints the reason for each failed component in human output.
anolisa install now refuses automatic RPM detection when rpm or dnf is missing, with a --backend raw hint.
anolisa install no longer replaces a raw install if another install finishes first.
[0.1.9] - 2026-06-16
Added
anolisa install --all can install every available component from the catalog.
anolisa install --all --fail-fast can stop after the first failed component.
anolisa install --all --json returns one batch summary with per-component results.
anolisa status now shows adapter summaries for installed components.
Changed
installed.toml now distinguishes ANOLISA-managed packages from observed system RPMs.
[0.1.8] - 2026-06-15
Added
anolisa adapter enable can now register installed adapters with OpenClaw.
anolisa adapter disable can now remove OpenClaw adapter registrations.
anolisa adapter status can now report OpenClaw adapter health.
anolisa adapter scan can now show installed adapter resources.
Changed
anolisa install now places adapter resources needed by later enablement.
anolisa uninstall now blocks components that still have enabled adapters.
[0.1.7] - 2026-06-13
Changed
- User-mode library paths now resolve to
~/.local/lib/anolisa; other directories continue to follow XDG_* overrides.
Fixed
anolisa install no longer requires a local catalog entry before downloading from the remote repository.
anolisa install --dry-run can preview files and services without downloading the full package.
[0.1.6] - 2026-06-12
Added
anolisa osbase sandbox install gvisor now supports standalone, containerd, and substrate deployments. (#851)
anolisa list can derive the component catalog from repo.toml configuration. (#854)
Changed
- Replaced the legacy "capability" model with a unified component lifecycle; old state auto-migrates on next write. (#876)
Fixed
anolisa list --enabled now correctly shows installed components instead of an empty list. (#872)
anolisa list no longer requires a separate local catalog file when repo.toml is configured. (#854)
[0.1.5] - 2026-06-11
Added
anolisa list reads from a remote or local component catalog and returns structured JSON. (#850)
anolisa install <component> downloads, verifies, and installs components from the remote repository. (#852)
anolisa uninstall supports the new component model while preserving legacy fallback. (#852)
Changed
- Simplified CLI help around
list, install, uninstall, status, doctor, logs, restart, update. (#850)
Fixed
anolisa list returns an empty list with a config hint when no catalog is configured. (#850)
- Failed installs now automatically roll back partially-written files. (#852)
[0.1.4] - 2026-06-10
Added
anolisa adapter scan detects available framework integrations. (#808)
anolisa adapter install downloads verified packages and registers adapters with the target framework.
anolisa adapter remove safely removes only ANOLISA-managed files, with dry-run and JSON preview support.
anolisa adapter install tokenless openclaw wires up the tokenless adapter via the OpenClaw CLI.
anolisa enable fetches component metadata from the remote repository, with offline fallback.
anolisa status now includes component health check results.
Changed
- Renamed subscription commands to top-level
anolisa register / unregister.
Fixed
- Adapter install/remove failures now roll back or preserve state for retry.
[0.1.3] - 2026-06-09
Added
anolisa --help now groups commands by category (everyday vs. management).
list command shows its ls alias in help output.
anolisa update self prints a changelog link on success.
Changed
- Corrected package license metadata to Apache-2.0.
[0.1.2] - 2026-06-08
Added
anolisa bug generates a local diagnostic report with environment info and recent error logs.
anolisa self update added as an alias for anolisa update self.
Fixed
- Restored the bug report issue template.
[0.1.1] - 2026-06-07
Added
anolisa osbase sandbox install provisions sandbox environments (firecracker and e2b backends).
anolisa register / unregister manages data-upload consent with 30-day deferral.
anolisa enable can configure log upload (ilogtail) with automatic region detection.
anolisa update self downloads and applies CLI updates with integrity verification and rollback.
- Real dnf/apt package manager backends replacing placeholder stubs.
- GitHub Actions CI for the anolisa workspace.
Fixed
- Install script uses portable bash expansion instead of
sed.
[0.1.0] - 2026-06-04
Initial alpha release of the ANOLISA CLI.
Added
- CLI commands:
env, list, status, logs, enable, disable, uninstall, restart, update, info, doctor.
- Environment detection: OS, arch, kernel, distro, container runtime, user identity (graceful degradation).
- Component lifecycle engine with preview-then-execute, integrity checks, and audit logging.
- Configuration-driven feature gates for shipping new capabilities without code changes.
- Declarative TOML component manifests with multi-architecture support.
install-anolisa.sh installer with three modes (local, checkout, URL), checksum verification, and --dry-run.
- End-to-end smoke tests for agent-observability and token-optimization.
Capabilities shipped
| Capability | Status |
|---|
| agent-observability | enable fully wired (dry-run + real-execute) |
| Others (9 total) | Manifest-only; enable returns NOT_IMPLEMENTED |
Known limitations
- Real-execute paths are Linux-only (darwin hosts can
--dry-run only).
- No signature verification or rpm/deb backend yet.
update command returns NOT_IMPLEMENTED.
变更日志
本文件记录 ANOLISA 的所有重要变更。
格式基于 Keep a Changelog,
版本号遵循 语义化版本。
[未发布]
[0.2.2] - 2026-07-09
新增
anolisa update --check 现可只读报告 RPM 升级机会。
anolisa update --check --motd 现可输出简短登录升级提示。
anolisa upgrade 现可应用 RPM 工具链升级。
anolisa upgrade 现可安装目标配置缺失默认组件。
anolisa adapter scan 现将缺失来源的启用记录标为 orphaned。
anolisa adapter status 现将缺失适配器来源报告为降级。
变更
anolisa list 现显示可见用户和系统记录的 scope。
anolisa status 现显示 scope、可变性、遮蔽和状态路径。
anolisa doctor 现在用户模式诊断可读系统组件。
anolisa doctor 现为只读系统记录建议系统模式命令。
anolisa update --check 未指定 --target 时使用最新目标配置。
anolisa update --check --motd 现提示用 sudo anolisa upgrade。
修复
anolisa uninstall、forget、update 现拒绝只读系统目标。
anolisa upgrade 现将未解析默认组件报告为检查错误。
anolisa upgrade 刷新 RPM 详情失败时现会提示。
[0.2.1] - 2026-07-08
新增
anolisa adapter enable 现支持 cosh、Codex、Claude Code 的 Tokenless 适配器。
anolisa adapter enable 现支持 Qoder Tokenless 适配器。
变更
- Claude Code 适配器现使用组件专属 marketplace。
anolisa adapter enable 现先拒绝无效适配器类型。
修复
- Codex 适配器现可使用已打包数据目录资源。
- Qoder 启用遇到损坏
settings.json 时不再覆盖。
- Qoder 禁用现只移除 ANOLISA 添加的 hook。
- Qoder 适配器现优先使用稳定版 qodercli。
[0.2.0] - 2026-07-07
新增
- Raw 组件现可声明
conflicts 阻止不兼容安装。
修复
anolisa install 现会在变更主机前拒绝 Raw 组件冲突。
anolisa install --dry-run 现报告 Raw 组件冲突,不再显示无效计划。
[0.1.20] - 2026-07-03
新增
- ANOLISA 现可通过
@anolisa/cli 发布 Linux x64 和 arm64 二进制。
repo.toml 现启用 npm 后端用于组件分发。
变更
anolisa list 现显示本地状态、归属和下一步操作。
anolisa list --json 现包含 RPM 包名、版本、架构和来源。
修复
- RPM 安装和更新现可继续使用系统软件源解析依赖。
- Adapter 命令现区分缺失清单和无效清单。
[0.1.19] - 2026-07-02
修复
anolisa adapter disable --dry-run 现只预览清理。
- 只读命令保存
repo.toml 失败时仍可使用已下载配置。
- 组件命令现可一致接受软件包别名。
- 模糊软件包别名不再误选已安装组件。
- 未知组件名不再先查询软件包。
[0.1.18] - 2026-07-01
新增
anolisa install 系统模式现自动安装缺失系统包。
anolisa install --dry-run 现标出依赖处理方式。
anolisa install 现显示自动安装的系统包。
anolisa status --verbose 现显示组件自动安装包。
变更
- 需要仓库的命令现首次使用会下载
repo.toml。
- 仓库配置 dry-run 现只校验不写入。
- RPM 安装和更新现只使用
repo.toml 源。
- 用户模式 raw 安装现先提示缺失依赖。
- raw 安装失败现提示已保留的自动安装包。
anolisa update self 不再预先获取仓库配置。
修复
anolisa list --installed 现包含已收编 RPM。
anolisa list 现显示 adopted、failed、disabled 状态。
- Adapter 命令现优先使用契约所在数据目录资源。
- 缺少
[backends.rpm] 时 RPM 安装不再调用 dnf。
- RPM 更新缺少
[backends.rpm] 时不再使用主机源。
[0.1.17] - 2026-06-30
新增
- 仓库
components.toml 现可声明组件与包名映射。
anolisa list --installed 现过滤已安装组件。
变更
anolisa list 和 install --all 现读取 components.toml。
anolisa list 现显示 NAME、SUMMARY、BACKENDS、STATUS。
anolisa list --enabled 现作为隐藏别名保留。
ANOLISA_CATALOG_URL 不再控制列表来源。
install、status、adopt、repair 现解析 RPM 包别名。
anolisa status 现提示用 sudo anolisa adopt 收编 RPM。
修复
status <RPM 包> 现显示规范组件行。
repair <RPM 包> 现刷新规范组件行。
- 非 root
osbase 变更命令现可进入系统 helper。
- root 用户模式现会在写入前被拒绝。
- 缺少 sudo 的系统模式写入现提前失败。
- 旧符号链接安装不再误报完整性失败。
status 现报告符号链接目标不匹配。
[0.1.16] - 2026-06-29
新增
anolisa osbase sandbox install runc 现安装 runc、containerd、Docker 和客户端。
anolisa osbase sandbox install 现启用场景声明的服务。
anolisa osbase sandbox install 现执行场景安装校验。
anolisa osbase sandbox install 现记录沙箱安装状态。
anolisa osbase sandbox install 现提示可选场景包。
rund、firecracker、gvisor 场景现声明安装校验。
anolisa adapter enable 现支持 adapter_type = "skill_bundle"。
- RPM 包现安装默认
/etc/anolisa/repo.toml。
- ANOLISA 遥测现为
.jsonl 运维日志配置轮转。
变更
anolisa osbase sandbox install --dry-run 现显示五个安装阶段。
anolisa osbase sandbox install runc 现要求 Linux 4.18 及以上。
anolisa osbase sandbox install 校验失败现作为警告报告。
repo.toml 默认 RPM 源现指向 agentic-os 路径。
anolisa update self --json 现包含 RPM 包和版本信息。
anolisa adapter status 现不要求技能包注册插件。
anolisa adapter enable 现拒绝带配置的技能包。
修复
- RPM 相关命令现默认用组件名作为包名。
anolisa update self 现通过 dnf 更新 RPM 安装。
- 非 root 沙箱安装现显示完整阶段结果。
- ilogtail 安装脚本需 bash 时现能正常运行。
anolisa adapter disable 清理技能包时不再报插件卸载错误。
[0.1.15] - 2026-06-25
新增
anolisa doctor 现输出组件健康、依赖和修复建议。
- raw 组件现可声明运行依赖供安装和更新检查。
anolisa install --dry-run 现预览 raw 组件依赖状态。
变更
anolisa install 和 update <component> 缺依赖时先停止。
anolisa restart <component> 现重启 RPM 组件服务。
anolisa restart <component> 遇到 RPM 模板服务时给出指引。
修复
anolisa adapter enable 现按包内元数据展开 {datadir}。
anolisa uninstall 和 forget 后 adapter 不再见旧元数据。
[0.1.14] - 2026-06-24
新增
- raw 组件现可用
{unitdir} 放置系统单元。
- raw 组件现可用
{userunitdir} 放置用户单元。
- 用户模式
anolisa install 现会激活用户服务。
变更
- 用户模式
anolisa install 现将 %u 展开为当前用户。
- 系统模式
anolisa install 现保留 %u 用户模板。
anolisa uninstall 删除单元文件后现会重载 systemd。
anolisa restart <component> 现会重启用户服务。
修复
anolisa install 现无需手动重载即可启动新单元。
anolisa uninstall 现会停用用户模式安装的服务。
anolisa adapter enable 现从包目录查找 {datadir} 技能。
[0.1.13] - 2026-06-23
新增
anolisa adapter enable 现支持 Hermes 插件。
anolisa adapter enable 现安装声明的 OpenClaw 技能。
anolisa adapter enable 现写入声明的 OpenClaw 配置。
anolisa install 现启动 raw 组件声明的服务。
anolisa install 现设置 raw 组件声明的文件能力。
anolisa install 现执行 raw 组件声明的钩子。
anolisa update <component> 现重启 raw 组件声明的服务。
anolisa update <component> 现重设 raw 组件声明的文件能力。
anolisa uninstall 现执行 raw 组件卸载钩子。
anolisa uninstall 现停用已停止的声明服务。
变更
anolisa adapter scan 现按声明位置查找资源。
anolisa adapter enable 现读取包内适配器资源。
anolisa install --dry-run 现预览 raw 文件能力。
anolisa register status 现显示最新注册记录。
- 取消
anolisa register 或 unregister 不再报错。
修复
anolisa adapter status 现能识别换行的 OpenClaw 表格。
anolisa adapter status 检查 Hermes 时忽略内置插件。
anolisa adapter 现能找到 RPM 组件附带的元数据。
anolisa register status 现显示 sysom 控制台注册。
[0.1.12] - 2026-06-22
新增
anolisa update <component> 可更新 raw 组件。
anolisa osbase sandbox list 可显示 sandbox.toml 场景。
anolisa osbase sandbox uninstall <scenario> 可移除场景软件包。
anolisa system setup 可为非 root osbase 命令安装助手服务。
anolisa system status 可显示助手健康状态。
anolisa system teardown 可移除助手服务和沙箱配置。
anolisa env --json 现包含发行版身份字段。
变更
anolisa osbase sandbox install <scenario> 现按 sandbox.toml 安装场景。
- 未指定
--install-mode 时,root 用 system,普通用户用 user。
anolisa update <component> --dry-run 现显示 raw 候选版本。
修复
- 旧
yum 后端名现会作为 rpm 处理。
- 用
--package 安装的 raw 组件更新时复用包名。
anolisa update <component> 不再允许 raw 降级。
anolisa update <component> 无法比较版本时不再替换文件。
[0.1.11] - 2026-06-18
新增
anolisa adopt <component> 可接管预装 RPM。
anolisa repair <component> 可刷新漂移的 RPM 状态。
anolisa forget <component> 可停止跟踪组件。
变更
anolisa status <component> 现报告 RPM 状态漂移。
anolisa uninstall 默认保留观察到的系统 RPM。
anolisa install 接管 RPM 时保留适配器资源。
[0.1.10] - 2026-06-17
新增
anolisa install --backend rpm 可通过 dnf 安装缺失 RPM 组件。
anolisa install 可接管匹配的预装系统 RPM。
anolisa update <component> 可通过 dnf 更新 RPM 组件。
anolisa status 现显示 RPM 组件的软件包来源。
anolisa status <component> 现显示匹配的未跟踪系统 RPM。
变更
anolisa update runtime <component> 改为 anolisa update <component>。
repo.toml 现使用 [backends.rpm] 替代 [backends.yum]。
anolisa install --all 现在批量摘要列出接管的 RPM。
修复
anolisa install --all 现在普通输出显示各组件失败原因。
anolisa install 在缺少 rpm 或 dnf 时提示 --backend raw。
anolisa install 不再覆盖先完成的 raw 安装。
[0.1.9] - 2026-06-16
新增
anolisa install --all 可安装目录中的所有可用组件。
anolisa install --all --fail-fast 可在首个失败组件后停止。
anolisa install --all --json 现返回按组件汇总的批量结果。
anolisa status 现显示已安装组件的适配器摘要。
变更
installed.toml 现区分 ANOLISA 管理包和只观察的系统 RPM。
[0.1.8] - 2026-06-15
新增
anolisa adapter enable 现可将已安装适配器注册到 OpenClaw。
anolisa adapter disable 现可移除 OpenClaw 适配器注册。
anolisa adapter status 现可报告 OpenClaw 适配器健康状态。
anolisa adapter scan 现可显示已安装适配器资源。
变更
anolisa install 现会放置后续启用所需的适配器资源。
anolisa uninstall 现会阻止移除仍有启用适配器的组件。
[0.1.7] - 2026-06-13
变更
- 用户态库路径调整为
~/.local/lib/anolisa;其余目录继续遵循 XDG_* 环境变量覆盖。
修复
anolisa install 不再要求本地已有组件目录条目即可从远程仓库下载安装。
anolisa install --dry-run 无需下载完整安装包即可预览文件和服务列表。
[0.1.6] - 2026-06-12
新增
anolisa osbase sandbox install gvisor 支持 standalone、containerd 和 substrate 三种部署形态。(#851)
anolisa list 可从 repo.toml 配置自动发现组件目录。(#854)
变更
- 废弃旧版"能力"模型,统一为组件生命周期;旧状态在下次写入时自动迁移。(#876)
修复
anolisa list --enabled 现在正确显示已安装组件,而非空列表。(#872)
anolisa list 在已配置 repo.toml 时不再要求额外的本地目录文件。(#854)
[0.1.5] - 2026-06-11
新增
anolisa list 从远程或本地组件目录读取并返回结构化 JSON。(#850)
anolisa install <组件> 从远程仓库下载、校验并安装组件。(#852)
anolisa uninstall 支持新组件模型,同时保留旧版回退。(#852)
变更
- 简化 CLI 帮助输出,围绕
list、install、uninstall、status、doctor、logs、restart、update 重新分组。(#850)
修复
- 未配置组件目录时,
anolisa list 返回空列表并提示配置方法。(#850)
- 安装中途失败时自动回滚已写入的文件。(#852)
[0.1.4] - 2026-06-10
新增
anolisa adapter scan 探测已安装的 Agent 框架集成。(#808)
anolisa adapter install 下载校验后的安装包并注册到目标框架。
anolisa adapter remove 安全移除 ANOLISA 管理的文件,支持预览和 dry-run。
anolisa adapter install tokenless openclaw 通过 OpenClaw CLI 注册 tokenless 适配器。
anolisa enable 从远程仓库获取组件元数据,离线时降级到本地缓存。
anolisa status 输出中新增组件健康检查结果。
变更
- 订阅管理命令提升为顶层
anolisa register / unregister。
修复
- adapter 安装或移除失败时自动回滚或保留状态以便重试。
[0.1.3] - 2026-06-09
新增
anolisa --help 按类别分组展示命令(日常操作 vs. 管理命令)。
list 命令在帮助中展示 ls 别名。
anolisa update self 成功后输出 changelog 链接。
变更
- 修正包 license 元数据为 Apache-2.0。
[0.1.2] - 2026-06-08
新增
anolisa bug 生成本地诊断报告,包含环境信息和近期错误日志。
anolisa self update 作为 anolisa update self 的别名。
修复
[0.1.1] - 2026-06-07
新增
anolisa osbase sandbox install 一键部署沙箱环境(支持 firecracker 和 e2b 后端)。
anolisa register / unregister 管理数据上传授权,支持 30 天延后。
anolisa enable 可配置日志上传(ilogtail),自动探测地域。
anolisa update self 下载并应用 CLI 更新,含完整性校验和失败回滚。
- 真实的 dnf/apt 包管理器后端,替换占位实现。
- anolisa 工作区 GitHub Actions CI。
修复
- 安装脚本改用 bash 参数展开替代
sed,提升可移植性。
[0.1.0] - 2026-06-04
ANOLISA CLI 首个 alpha 版本。
新增
- CLI 命令:
env、list、status、logs、enable、disable、uninstall、restart、update、info、doctor。
- 环境探测:OS、架构、内核、发行版、容器运行时、用户身份(探测失败时优雅降级)。
- 组件生命周期引擎:先预览再执行,含完整性校验和操作日志。
- 配置驱动的上线门控,新能力无需改代码即可发布。
- 声明式 TOML 组件清单,支持多架构。
install-anolisa.sh 安装器:三种模式(本地、checkout、URL),支持校验和 --dry-run。
- agent-observability 和 token-optimization 端到端冒烟测试。
已交付能力
| 能力 | 状态 |
|---|
| agent-observability | enable 完整链路(dry-run + 真实执行) |
| 其余 9 个 | 仅清单;enable 返回 NOT_IMPLEMENTED |
已知限制
- 真实执行路径仅限 Linux(darwin 宿主只能
--dry-run)。
- 尚无签名校验和 rpm/deb 后端。
update 命令返回 NOT_IMPLEMENTED。
Changelog
All notable changes to ANOLISA Anvil will be documented in this file.
The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.
[Unreleased]
[0.2.0] - 2026-06-30
Added
- FirecrackerSpawner: Firecracker microVM backend, daemon auto-detects and selects strongest isolation at startup.
- TCP remote API: configurable
[listen].http_addr enables TCP listener (port 14159) for platform calls.
- Prioritized backend selection:
build_spawner() auto-selects by firecracker → linux-sandbox → mock priority.
- Storage section:
[storage].images_dir unifies vmlinux/rootfs lookup path.
- Packaging skeleton:
dist/anvil.service (systemd unit) + anvil.spec (RPM) + tmpfiles-anvil.conf.
[backends] config section for direct backend binary path mapping.
[0.1.3] - 2026-06-24
Changed
- Sandbox processes now run with full namespace isolation (PID, network, filesystem).
[0.1.2] - 2026-06-22
Added
- Sandbox processes are now managed by the daemon: auto-spawn on create, auto-kill on destroy.
- Daemon gracefully degrades when backend binary is unavailable (useful for dev environments).
[0.1.1] - 2026-06-20
Added
- Policy validation rejects unsafe configurations before sandbox starts.
- Safe coordination with
osbase sandbox uninstall (prevents removing in-use backends).
[0.1.0] - 2026-06-18
Initial scaffold of ANOLISA Anvil per-host sandbox daemon.
Added
- Create, list, inspect, checkpoint (state-only), reset, and destroy sandboxes via HTTP API.
- Policy-driven backend selection: assign workload class → get the right sandbox type automatically.
- Warm pool: pre-created sandboxes ready for instant allocation, configurable min/target/max.
- Template sharing: multiple sandboxes share one base memory image, reducing per-instance cost.
- Prometheus metrics endpoint for monitoring.
变更日志
本文件记录 ANOLISA Anvil 的所有重要变更。
格式基于 Keep a Changelog,
版本号遵循 语义化版本。
[未发布]
[0.2.0] - 2026-06-30
新增
- FirecrackerSpawner:支持 Firecracker microVM 后端,daemon 启动时自动探测并选择最强隔离。
- TCP 远程 API:可配置
[listen].http_addr 开启 TCP 监听(端口 14159),供平台远程调用。
- 优先级后端选择:
build_spawner() 按 firecracker → linux-sandbox → mock 优先级自动选型。
- Storage section:
[storage].images_dir 统一管理 vmlinux/rootfs 查找路径。
- 打包骨架:
dist/anvil.service(systemd unit)+ anvil.spec(RPM)+ tmpfiles-anvil.conf。
[backends] 配置段,直接映射后端二进制路径。
[0.1.3] - 2026-06-24
变更
- sandbox 进程现在运行在完整 namespace 隔离中(PID、网络、文件系统)。
[0.1.2] - 2026-06-22
新增
- daemon 现在管理 sandbox 进程生命周期:创建时自动启动,销毁时自动终止。
- backend 二进制不可用时优雅降级(便于开发环境使用)。
[0.1.1] - 2026-06-20
新增
- Policy 校验在 sandbox 启动前拒绝不安全的配置。
- 与
osbase sandbox uninstall 安全协调(防止移除正在使用的 backend)。
[0.1.0] - 2026-06-18
ANOLISA Anvil 首个骨架版本。
新增
- 通过 HTTP API 创建、列出、查看、checkpoint(仅状态转换)、reset、销毁 sandbox。
- 策略驱动的 backend 选型:指定 workload class 即可自动匹配合适的 sandbox 类型。
- Warm pool:预创建 sandbox 随时分配,可配置 min/target/max 容量。
- 模板共享:多个 sandbox 共用一份 base 内存镜像,降低单实例内存开销。
- Prometheus metrics 端点,供监控系统采集。
Changelog
2.6.1
- Added npm packaging support for CLI and cosh. (#1307)
- Added multi-hook toggles support. (#1206)
- Fixed tips banner to stay visible after initial login. (#1308)
- Fixed Ctrl+O to prioritize error details over compact mode. (#1202)
- Fixed system-profile BINDIR to follow PREFIX. (#1193)
- Fixed AfterModel hook non-blocking notifications not surfacing. (#1182)
- Updated component docs to migrate into user-guide and developer-guide. (#1295)
- Added copilot-shell zh/en user and developer docs. (#1236)
- Fixed CONTRIBUTING.md file mode from symlink to regular file. (65601f06)
2.6.0
- Added multi-hook enable and disable support to
/hooks. (#1200)
- Added cosh-ng compatibility with cosh-switch. (#1169)
- Added instance_id to SysOM API request params. (#1160)
- Added anolisa component contract. (#1128)
- Added SLS JSONL session telemetry with expanded metrics. (#1057)
- Added authenticated models display in /model dialog. (#1030)
- Added kitty csi-u keys support with sequence timeout management. (#552)
- Added large paste placeholder and fixed placeholder id reset on esc cancel. (#312)
- Fixed SLS log write to skip when file does not exist or is not writable. (#1101)
- Fixed useless sandbox guard and failure handler hooks by removing them. (#979)
- Fixed missing keyboard shortcut hints in footer status bar. (#921)
- Fixed response language and model identity rules. (#920)
- Fixed sub-model refusal detection and byteLength display. (#895)
- Fixed webfetch sub-model output validation to avoid silent refusals. (#895)
- Fixed thinking output to be distinguished from user input with prefix and color. (#894)
- Fixed custom model configuration to be preserved. (#887)
- Fixed partial message finalization on API error. (#801)
- Fixed API error reporting in all output formats, not only text. (#801)
- Improved escape key handling by unifying it in appcontainer. (#437)
2.5.0
- Fixed missing esc hint in tool confirmation footer status bar (#732)
- Fixed invisible cursor in provider/auth config inputs (#683)
2.4.1
- Fixed HookSystemMessage rendering as info and resolved Content/Thought duplication (#636)
- Fixed prompt ids to remain monotonic after shell remount (#628)
2.4.0
- Added DashScope Token Plan provider entry to the OpenAI-compatible auth dialog. (#598)
- Added UserPromptSubmit and PostToolUse hook reason surfacing in the UI. (#545)
- Added run_id field to HookInput for per-run event correlation. (#482)
- Fixed UserPromptSubmit hook decision merging to enforce safety priority over allow. (#597)
- Fixed missing tool_use_id in PreToolUse hook input. (#559)
- Fixed memory hooks lock takeover with atomic rename and async IO. (#550)
- Fixed auto-memory workspace cleanup wiping user-added directories. (#548)
- Fixed auto-memory session hook missing read_file events due to wrong arg key. (#547)
- Fixed run_id ordering by setting it before UserPromptSubmit hook fires. (#537)
- Fixed UserPromptSubmit hook firing on tool-result and Stop continuations. (#534)
- Updated installer to support multiple install profiles. (#541)
2.3.0
- BREAKING Removed qwen-oauth authentication support. (#455)
- Added auto memory background extraction system. (#465)
- Added full shell command display in hook-ask and exec confirm dialogs. (#452)
- Added esc key to cancel running slash commands. (#290)
- Fixed JavaScript heap out of memory during long sessions. (#462)
- Fixed missing allow decision reason in UI when systemMessage is absent. (#435)
- Improved test coverage with standalone tests for ExecCommandPreview. (#460)
- Updated hook docs to clarify difference between systemMessage and reason. (#436)
2.2.1
- Fixed initial chat being blocked during skill/subagent first-load discovery. (#418)
- Fixed missing tool_use_id in PostToolUse hook event payload. (#414)
- Fixed missing skill_context in PreToolUse hook input for resolved skill path. (#409)
- Fixed missing auto-completion for
/statusline subcommands. (#408)
- Fixed unavailable agents appearing in the key sharing prompt. (#394)
- Fixed bash option not being restored after canceling from the provider screen. (#393)
- Fixed hook systemMessages to be concatenated with a
[name] prefix for clarity. (#387)
2.2.0
- Added
ask decision support for UserPromptSubmit hook. (#328)
- Added new command for Clawhub CLI. (#313)
- Added interactive Skills TUI Panel with enable/disable support. (#311)
- Added variable substitution and display control for extension TOML commands. (#291)
- Added immediate hook activation on extension install/uninstall. (#283)
- Added
ask decision support for PreToolUse hooks. (#276)
- Added configurable status bar. (#251)
- Added
/export command for session history. (#245)
- Fixed API key validation to skip non-Dashscope providers. (#337)
- Fixed PreToolUse ask dialog by unifying it to info type with diff preview. (#345)
- Fixed memory leak in memory management. (#309)
- Fixed extension lifecycle reliability. (#298)
- Fixed hook registry sync on extension enable/disable. (#298)
- Fixed interface crash caused by leftBottomContent of Box nested in Text in Footer. (#293)
- Fixed
/hooks install command by removing it and adding default help. (#287)
- Fixed extension examples installation and package configuration. (#271)
2.1.0
- Added startup bash entry and simplified manual auth dialog. (#217)
- Added async fzf-based tab completion optimization. (#214)
- Fixed OpenAI API key and model validation via /models endpoint on auth. (#243)
- Fixed API key retention when navigating to apiKey field in auth dialog. (#241)
- Fixed node-pty native binary bundling for both linux architectures. (#232)
- Fixed stream redaction by replacing integer offset with committed text reference. (#210)
- Fixed missing fields in hook system. (#188)
2.0.4
- Added STS authentication support via ECS RAM role. (#161)
- Added BeforeModel, AfterModel, and BeforeToolSelection hooks. (#154)
- Added sandbox usage summary on session exit. (#137)
- Added Tab-completion for
! shell mode. (#131)
- Fixed config-dir source unification and prevented ~/.copilot creation on startup. (#171)
- Fixed /bug command crash in headless environment. (#175)
- Fixed undefined metrics.sandbox in StatsDisplay. (#171)
- Supplement /hooks install step to post-installation guide. (#142)
- Supplement hooks documentation (index, reference, writing-hooks). (#142)
2.0.3
- Migrated config directory from
~/.copilot to ~/.copilot-shell. (#78)
- Added API key detection from configured agents with user approval on bootstrap. (#127)
- Added support for configuring multiple custom model providers. (task#80737766)
- Added global API endpoint support for Dashscope. (#133)
- Added custom skill paths support via
settings.json. (#128)
- Added support for loading skills from extension directories with
cosh-extension.json compatibility. (#54)
- Added
/bug command for submitting bug reports. (#122)
- Added sandbox-guard install command with bypass approval flow. (#125)
- Added secret redaction for model output and tool results. (#100)
- Added extensible feature tip banner for first-launch guidance. (#113)
- Added built-in
/dir cd command for in-session directory navigation. (#19)
- Added session renaming command. (task#80737766)
- Added nvm-aware Node.js detection in
cosh wrapper script. (#72)
- Added system-level install via
Makefile with FHS-compliant directory layout. (#72)
- Fixed 24-item limit on
@ file completion menu. (#92)
- Fixed TUI flicker on Qwen OAuth page in limited-height terminals. (#76)
- Fixed left-arrow key not wrapping from line start to previous line end. (#53)
- Fixed irrelevant info display in
/model command. (#85)
- Fixed credentials encryption support in
settings.json. (#90)
- Fixed test failure when running as
root user. (#29)
- Fixed pre-commit hook working directory for lint-staged. (#90)
- Configured Husky hooks and documented pre-commit setup. (#65)
2.0.1
- Renamed OpenAI authentication label to "BaiLian (OpenAI Compatible)" for clarity.
- Fixed login shell stdin drain to prevent unwanted input echo.
- Removed ripgrep unavailable warning message.
2.0.0
- Synced upstream
qwen-code to v0.9.0 and rebranded to Copilot Shell.
- Bumped version directly to 2.0.0 (skipping 1.x, which was used by a previous
OS Copilot release).
- Integrated Skill-OS online remote skill discovery with priority-based fallback (Project > User > Extension > Remote).
- Added
/skills remote and /skills cache clear commands for remote skill management.
- Added
/bash interactive shell mode
- Added
-c argument support for inline bash commands.
- Added PTY mode for
sudo command support.
- Added hooks system with PreToolUse event for intercepting tool calls before execution.
- Added new model provider named Aliyun
- Added nested startup detection warning banner.
- Added system-wide skill path (
/usr/share) support.
- Removed original Gemini sandbox.
- Fixed skill frontmatter parsing for YAML special characters (
|, &, >).
- Fixed login escaped character echo issue in ECS workbench.
- Fixed Linux headless environment browser open failure when auth with Qwen OAuth.
- Fixed Qwen OAuth authentication, replay, and UI rendering issues.
- Fixed exception handling when adding workspace directories.
- Fixed user query start with unix path being misidentified as command.
- Fixed API key display explicitly.
- Fixed Chinese i18n for
/resume command.
- Improved
? hint visibility — hidden while user is typing.
- Miscellaneous UI, branding, CI, and build improvements.
Changelog
All notable changes to the cosh-ng project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[0.11.0] — 2026-06-28
Added
- Aliyun authentication provider with ECS auto-detection, STS credentials, and QR code flow
- SysOM Aliyun provider with ACS3 signing for LLM API access
- Per-turn SLS JSONL logging for observability
- SysOM request source identification headers
- Structured tracing logging system across all crates
- Sandbox bypass approval flow on PostToolUseFailure hook events
- Startup health scan for environment diagnostics
- Extension/hook/skill enable/disable commands (
/extensions, /hooks, /skills)
- Unified component state management module
- Dedicated HOOK approval panel with simplified UI
- UserPromptSubmit hook with Ask approval enforcement
- Shell evidence read admission control in cosh-core
- Tool activity rendering in cosh-shell
cosh-switch hint in startup banner for toggling between cosh-ng and copilot-shell
Changed
- BREAKING: Rename CLI binary from
cosh to cosh-cli; remove dispatch_core
- RPM spec: install cosh-cli binary,
/usr/bin/cosh launcher, cosh-switch script, Conflicts: copilot-shell
- Replace eprintln with structured tracing macros
- Unify hook decision aggregation with fold_decision
- Update workspace repository URL to github.com/alibaba/anolisa
Fixed
- Auth ECS flow and panel overlap on phase transitions
- Auth QR code rendered without ANSI escape codes
- Use SysomProvider for aliyun after auth success
- Align hook input fields and AfterModel/wrap_tool_response with copilot-shell protocol
- tool_result dedup guard and visibility
- Restore prompt before shell handoff
- Suppress duplicate evidence reads
- Reduce failed-command auto analysis noise
- Skill existence check and harden approval matching
- Resolve clippy warnings across cosh-core and cosh-shell
[0.10.0] — 2026-06-23
Added
- Shell evidence protocol for capturing and replaying command execution context
- Shell evidence control tool in cosh-core for evidence lifecycle management
- Hook protocol aligned with copilot-shell for zero-change extension support
- Per-hook decision propagation through notification protocol
- Hook warnings rendered with per-hook decision color-coding in cosh-shell
Changed
- Share agent error display text across cosh-shell modules
Tests
- Cover shell evidence raw CLI flows
[0.9.0] — 2026-06-22
Added
- Hook notifications integrated into approval panel with ⚠ warning display
- Hook ask decisions enforce user approval even in Trust/Auto modes
- Extended hook system with tool_use_id association and new event types
- Registry protocol for /extensions /skills /hooks slash commands
Fixed
- Show Registry group in /help output
Changed
- Remove dead skill management code
[0.8.0] — 2026-06-18
Changed
- Rename
cosh-tui crate and binary to cosh-core across the entire workspace
- Update adapter system:
CoshTuiAdapter → CoshCoreAdapter, AdapterKind::CoshTui → CoshCore
- Update environment variable
COSH_TUI_PATH → COSH_CORE_PATH
- Update RPM spec, documentation, and all test fixtures
Fixed
- Neutralize agent status text in streaming cards
- Align streaming card widths in cosh-shell
[0.7.0] — 2026-06-17
Added
- Extension discovery and loading module with
cosh-extension.json manifest support
- Extension hooks integrated into startup lifecycle
- Skill module with multi-level loading (built-in, user, project) and hot-reload
- SkillManager integrated into tool registry and startup
- Available skills injected into system prompt for LLM discovery
Fixed
- Infinite loop in
expand_env_vars when environment variable is undefined
- Warn on unsupported extension hook events (
PostToolUseFailure, BeforeModel, AfterModel) instead of silently discarding
- Align extension hooks format with copilot-shell nested group structure
- Remove unused
args parameter from skill tool schema to avoid misleading LLM
- Show question free text answers in cosh-shell
- Harden foreground shell handoffs
- Share copilot shell config path and keep legacy config fallback
Changed
- Normalize cosh-shell config keys
- Standardize cosh-shell code and test organization
- Move user state under copilot shell scope
[0.6.0] — 2026-06-16
Added
- P0 hook system with 5 lifecycle events (
on_session_start, on_turn_start, on_turn_end, on_tool_call, on_session_end) in cosh-tui
- Shell approval classification and hook origin tracking in cosh-shell
- Migrate current cosh shell into monorepo workspace
Fixed
- Address approval review findings in cosh-shell
- Harden shell evidence continuation to prevent dropped context
- Normalize tool call streaming protocol in cosh-tui
- Fix passthrough for subcommands in cosh-shell
[0.5.0] — 2026-06-15
Added
- CoshTuiAdapter persistent process mode (spawn once, reuse across agent runs, auto-restart on death)
ask_user round-trip through control protocol (agent can ask inline questions routed to TUI)
Changed
- Split cosh-tui main into cli/headless/interactive modules
- Rename binary from cosh-tui-core back to cosh-tui
[0.4.1] — 2026-06-15
Added
- settings.json → config.toml auto-migration with AES-256-GCM encrypted API key decryption
- JSONL protocol and tool approval integration tests
Fixed
- Prepend precmd in PROMPT_COMMAND to capture real exit code (Alibaba Cloud Linux /etc/bashrc issue)
[0.4.0] — 2026-06-15
Added
- JSONL wire protocol (InputMessage / OutputMessage) for cosh-shell ↔ cosh-tui communication
- Provider abstraction with OpenAI-compatible streaming (DashScope, OpenAI, DeepSeek, Generic profiles)
- Tool execution framework with 7 built-in tools (shell, read_file, write_file, edit, grep, todo, skill) and approval control
- Context window management, message truncation, loop detection, conversation compression
- Lifecycle hooks framework
- CoshCore agent loop engine
- TOML-based multi-provider config with environment variable expansion
Changed
- BREAKING: Binary interface from ratatui interactive TUI to JSONL stdin/stdout backend
- BREAKING: Config format from settings.json to config.toml
- Rewrite session store with single-file JSON persistence
Removed
- Legacy ratatui-based TUI code (app, commands, llm, logger, theme, tools, ui modules)
[0.3.0] — 2026-06-15
Added
- cosh-shell crate — PTY-based AI-augmented shell host with OSC marker protocol
- Claude, Qwen, Fake AI adapters with streaming support
- Inline rendering engine (approval, question, recommendation, activity panels)
- Governance layer with approval modes
- Terminal recovery via signal handlers (SIGTERM/SIGHUP/SIGQUIT) and panic hook
- Exit code classification with 8 categories (Smart/Auto/Manual analysis modes)
- Tool display engine with per-tool-type parsing and ANSI color categories
- Hook engine with built-in hooks (FailedCommandHook, TestFailureHook) and skill routing
- External hook loading from ~/.config/cosh/hooks/ with subprocess execution
- Native shell compatibility (rcfile loading, PS1, history, login shell detection)
- Context window with sliding window (max commands, max age, token budget)
- Prompt intent optimization (do → Bash tool, know → prose)
- Natural language intercept with visual feedback
- InputClassifier conservative mode for native mode
- Analysis throttle (30s cooldown, max 3 consecutive)
- Consultation card rendering with keyboard capture
- Control protocol for tool approval round-trips
- Startup banner with gradient ASCII art logo
/mode and /hooks slash commands
- Architecture documentation
Fixed
- Native mode input rendering with powerlevel10k dual-line prompts
- Slash/NL intercept via buffered-then-judge strategy in native mode
- Zsh preexec intercept for command_not_found
- CandidateRedraw line clearing for CJK input and backspace
- Suppress cosh-osc$ prompt leak in native mode
- Tool display label matching in bash tool executor
- Wide character placeholder cell handling in buffer extraction
Changed
- Unified workspace version (0.3.0) for all crates (cosh-types, cosh-platform, cosh-cli, cosh-shell, cosh-tui)
[0.2.0] - 2026-05-16
Hardening + audit-subsystem release. Workspace versions bumped to 0.2.0 together with the release profile and lockfile commit.
Added
audit subsystem with PEP/PDP/log split: cosh audit check / cosh audit log for command-safety gating and per-session retrieval.
- Workspace release profile (
opt-level = 3, lto = true, strip = true, codegen-units = 1), committed Cargo.lock, workspace-level dependency pinning, and native CA cert support.
- Command timeouts, input validation, and panic-safe JSON output across
cosh-cli and cosh-platform so a panic still emits a CoshResponse envelope on stderr instead of an empty exit.
forbid(unsafe_code) on cosh-cli / cosh-platform, plus svc list --state filter validation against an allow-list.
pkg search cross-references installed status so results show which matches are already installed.
ResponseMeta.warning field for non-fatal warnings; audit responses are explicitly marked as stub via this field.
- LLM tool surface expansion in cosh-tui: pkg / svc / checkpoint wrapper tools, plus
svc enable / svc disable --dry-run.
- Timeouts + exponential-backoff retries on LLM and external command tools in cosh-tui; 60 s shell-tool timeout.
Changed
- TUI
/help aligned with the full command set; title bar version and markdown prefix stripping corrected.
- Clippy warnings resolved across the workspace; dead-code allowances dropped; test code aligned with production lint level.
- Build warnings eliminated and version detection improved across cosh-tui / cosh-platform.
Fixed
- Shell safety check tokenized to close tab / newline / redirect / chain bypasses; substring matching on raw command strings replaced with whitespace (incl.
\t / \n / \r) tokenization and metacharacter rejection (; | & > < $ ` ( ) { }) — is_safe_command in crates/cosh-tui/src/tools/shell.rs.
- Forbidden tool calls are now blocked even under Yolo approval mode.
cosh-cli wrapper tool output is bounded so a chatty subcommand cannot blow the LLM context window.
- Tool-call IDs synthesized via a process-wide counter to guarantee uniqueness across the agentic loop.
settings.json and session files written atomically with 0600 permissions.
- Runtime bounds enforced for the agentic loop, history, config, and tool messages; scrollback bounded with UTF-8-safe truncation.
- Panic hook installed in the TUI; history navigation recovered after panic.
- ws-ckpt IPC response size bounded to 64 MiB.
- Nonexistent systemd services detected via
LoadState=not-found instead of misclassifying them as "inactive".
Security
- Audit-stub
recoverable / hint semantics surface clearly to agents via the standard CoshError envelope.
- Atomic-rename +
0600 perms on credential-bearing files.
[0.1.0] - 2026-05-10
Initial public-shaped release after renaming the workspace from agos-core to cosh-ng and adding the interactive TUI crate.
Added
- 4-crate workspace:
cosh-types, cosh-platform, cosh-cli, cosh-tui with strict dependency direction cosh-cli / cosh-tui → cosh-platform → cosh-types.
cosh CLI binary with dual-mode dispatch: cosh (no args) execs into cosh-tui, cosh <subsystem> <action> returns structured JSON.
- Cross-distro
pkg subsystem: install / remove / search / list routed across dnf / apt-get (apt-cache for search) / zypper based on Distro::detect() reading /etc/os-release.
svc subsystem over systemctl: status / start / stop / restart / enable / disable / list, with uptime and corrected column mapping in list.
checkpoint subsystem talking to the ws-ckpt daemon over Unix-socket IPC; bincode wire format with 4-byte LE length prefix and explicit protocol versioning + error handling. Commands: init / create / list / restore / recover / delete / diff / cleanup / status.
cosh-tui interactive TUI on ratatui + crossterm: slash-command system with auto-complete, session management, theming, custom border set, echo-on-submit.
- Agentic loop with cosh-cli wrapper tools in cosh-tui, bringing pkg / svc / checkpoint tooling to the LLM (initially shipped as
cosh-tui v0.4.0).
- LLM chat integration with config-driven providers and UI surfacing.
- Unified
settings.json V2 config consolidating prior scattered config files.
- AES-256-GCM decryption for encrypted credentials.
- macOS detection + Homebrew backend in
cosh-platform, with unit tests.
- Unified JSON envelope
CoshResponse<T> with ok / data / error / meta, classified CoshError carrying recoverable and hint for agent retry decisions.
- Integration tests for
pkg and checkpoint CLI commands.
Changed
- Workspace renamed from
agos-core (with agos-types / agos-platform / agos-cli) to cosh-ng (with cosh-* crates); agos-cli and agos-platform removed in the same commit.
cosh-tui checkpoint tooling adapted to the new daemon protocol.
Fixed
cosh-cli stdout validated as JSON before forwarding to the LLM, preventing parser confusion on malformed bytes.
[pre-0.1.0] - 2026-05-03 → 2026-05-08
Pre-rename agos-core foundation.
Added
- Initial 2-crate workspace
agos-types + agos-platform.
agos-cli cross-distro CLI prototype with pkg, svc, checkpoint, audit command shapes.
- MVP v2 CLI Gateway architecture document and bilingual (English / Chinese) usage guide.
Changelog
All notable changes to ktuner are documented in this file.
The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.
[Unreleased]
Added
- Initial kernel-tuning engine:
check/tune/fix/why/rollback commands
evaluate 207 rules and output structured JSON tuning recommendations.
Changelog
0.6.1
- Rewrote
sysom-diagnosis skill and removed legacy CLI. (#1241)
- Fixed OpenClaw gateway write scope verification in
install-openclaw skill. (#1205)
0.6.0
- Added anolisa component contract (component.toml, Makefile, RPM spec). (#1159)
- Added OpenClaw bootstrap guidance to
install-openclaw skill. (#1051)
- Added model endpoint preflight before gateway startup in
install-openclaw skill. (#1031)
- Added static knowledge base update script for
anolisa-guide skill. (#1010)
- Added
anolisa-guide skill. (#849)
- Fixed Aliyun mirror fallback for uv and qwenpaw install. (#968)
- Fixed dashscope proxy URL to new Anthropic endpoint in
install-claude-code skill. (#858)
- Renamed
copaw to qwenpaw across os-skills. (#968)
0.5.0
- Added
anolisa-register skill. (#829)
0.4.0
- Added auto-install tokenless plugin support for agent install skills. (#731)
- Added OpenClaw dependency precheck. (#719)
- Improved OpenClaw non-interactive setup. (#687)
- Added Hermes adapter runner. (#617)
- Added standalone ANOLISA adapter entry. (#549)
- Fixed OpenClaw state dir handling normalization. (#641)
- Improved Makefile install paths and contract. (#541)
0.3.0
- Added
hermes-agent-install skill. (#353)
- Added
clawhub-skill-mng skill with npm install support and YAML description matching. (#315)
- Fixed AgentSight custom db path issue, using default paths instead. (#366)
- Fixed AgentSight token savings query support. (#355)
- Fixed AgentSight interruption CLI and aligned
conversation_id naming. (#334)
0.2.2
- Support enable AgentSight dashboard in
agentsight skill. (#222)
0.2.1
- Upgraded
xlsx skill with MiniMax open-source implementation. (#218)
- Updated skill descriptions from "suitable for alinux4" to "rpm-base linux". (#182)
0.2
- Added
humanizer, image-gen, pdf-reader, and xlsx skills. (#178)
- Added
cosh-guide skill. (#23)
- Support net/io/load diagnostic capabilities to
sysom-diagnosis skill. (#163)
Changelog
All notable changes to SkillFS are documented in this file.
The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.
[Unreleased]
[0.3.3] - 2026-07-10
Added
- Hermes workspace layout compatibility. SkillFS now recognizes Hermes hub
markers, preserves management paths, and exposes nested
category/skill/SKILL.md skills alongside top-level skills.
- Nested Hermes skills now support activation state, installer lifecycle
writes, notifications, audit attribution, fallback snapshots, and hidden
visibility.
Fixed
skillfs validate --json now includes source paths for warning and error
entries so automation can locate invalid skills.
- FUSE teardown now bounds failed unmount cleanup and prevents leaked test
mounts from affecting later sessions.
[0.3.2] - 2026-07-03
Fixed
- CLI SLS ops logging now records SkillFS mount and runtime operations.
- Runtime metrics now emit real-time deltas for SLS consumers.
[0.3.1] - 2026-07-03
Added
- Managed mount supervision can recover stale FUSE mounts and bound recovery
retries during repeated starts.
Changed
- English and Chinese README guidance now covers managed mounts, in-place
operation, security boundaries, and troubleshooting.
Fixed
- Post-publish grace reads fallback skill files from source paths after
installers finish.
skillfs validate now reports parse failures in the status summary.
- In-place authoring supports new skills and pending-install ownership changes.
- Managed stop and runtime-dir handling avoid stale ownership and unbounded
recovery retries.
- Daemon-facing backing roots under PrivateTmp are rejected before mount
startup.
- FUSE smoke cleanup handles leftover mounts and temporary paths more reliably.
[0.3.0] - 2026-06-26
Added
- Runtime security integration for agent skill directories. SkillFS can now
consume activation decisions from
.skill-meta/activation.json or the
user.agent_sec.skill_ledger.activation xattr, then expose each skill as
current, hidden, or a trusted fallback snapshot.
- File-change notification for external security daemons. With
--activation-mode file, --notify-socket, --activation-events-log, and
--activation-reload-mode poll, SkillFS reports skill mutations, reloads
activation decisions, and keeps already-opened file handles pinned to their
original target.
- Trusted control socket for activation writes. A daemon verified with
SO_PEERCRED, executable identity, and start-time checks can update
activation JSON or activation xattr through a bounded request API instead of
writing .skill-meta through the agent-visible mount path.
- Installer compatibility for common skill installation flows. Staging
directories, direct writes, quiet-timeout completion, and post-publish grace
windows allow installers to finish writing a skill before SkillFS asks the
security provider to scan and activate it.
- In-place mount support for security daemons. Ledger backing roots are bind
mounted privately and validated at startup so scanners read the real source
tree rather than the agent-facing FUSE view.
- Canonical skill identity based on the directory basename. Frontmatter
name: remains display metadata and no longer changes the SkillFS store key
or daemon-facing skill id.
Changed
.skill-meta/** is hidden from ordinary agents and remains accessible only
through trusted metadata paths or the control socket.
- Skill mutation notify uses ordinary filesystem event kinds, including
create, write, rename, unlink, rmdir, and truncate events, instead
of a separate install-complete protocol event.
- POSIX passthrough behavior was expanded for symlink, hardlink, FIFO, path
length fallback, open-after-unlink, xattr, and inode consistency cases.
Fixed
- Prevented stale activation views by combining notify-triggered reload,
polling, and activation watcher convergence.
- Hardened trusted-writer and trusted-peer checks against process reuse and
executable replacement with start-time and file-identity validation.
- Avoided installer and daemon visibility bugs around hidden skills, fallback
snapshots, staging paths, and backing-root propagation.
[0.2.0] - 2026-05-09
Added
- FUSE write passthrough for
write, create, mkdir, rename, unlink,
rmdir, and setattr(size) operations on skill directories.
- Background sync worker that reparses
SKILL.md on write and upserts the
entry back into SharedSkillStore.
- Immediate visibility for newly created skill directories:
mkdir inserts a
ParseStatus::Degraded placeholder, then the sync worker overwrites it with
the real entry once SKILL.md is written.
- in-place mount mode that accesses the underlying source via
/proc/self/fd/{n} to avoid the over-mount self-loop.
- Integration suite
crates/skillfs-fuse/tests/write_guard_tests.rs covering
both normal and in-place write paths.
Changed
- Directory name is now the authoritative store key. After
rename, stale
frontmatter name: no longer revives the old key.
- Read of
SKILL.md still returns the compiled result; raw file is only used
for writes and parsing.
- Architecture docs refactored into
docs/specs/skillfs-spec.md,
docs/specs/core-spec.md, docs/specs/fuse-spec.md.
Removed
- Workspace-related code paths and the unused workspace config support from
skillfs-core (commit 6d604c7).
- Legacy ad-hoc test scripts (kept only
scripts/build.sh and
scripts/test.sh).
Fixed
- CLI tracing timestamps now use the local timezone instead of UTC.
[0.1.2] - 2026-04-29
Added
- Read-only mount write protection:
mknod, symlink, link, and write
callbacks all return EROFS.
Fixed
- Parser summary truncation now respects multi-byte character boundaries.
[0.1.1] - 2026-04-29
Added
skillfs-mount agent skill under docs/skills/ to help users set up,
mount, and unmount a SkillFS instance.
[0.1.0] - 2026-04-25
Added
- Initial release of the SkillFS workspace.
skillfs-core: SKILL.md parser (with Ok / Degraded / Error status),
in-memory SkillStore with flat and categorized directory layouts,
skillfs-views.toml configuration, conditional compiler::compile, and
environment probing (OS, commands, env vars).
skillfs-fuse: read-only FUSE filesystem that exposes the configured
default view at /skills, always-on virtual skill-discover, and
compile-on-read for SKILL.md. Other files in a skill directory are
passed through to the physical source.
skillfs CLI: mount, classify, validate, list subcommands.
Changelog
0.6.1
- bundle tool_categories.json into dist for npm installs
- use node: prefix, eliminate shell subprocess in openclaw plugin
0.6.0
- add absolute saved values + schema version to JSON output
- use import.meta.dirname instead of __dirname in openclaw plugin
- add qwencode adapter for Qwen Code extension
- fix rtk pytest 'No tests collected' regression
- add trusted FHS fallback paths for hook_utils import in codex scripts
- add SLS JSONL data collection with config toggle
- add tokenless RPM component contract (publishing metadata)
- add compression toggle with dry-run compare mode (
TOKENLESS_COMPRESSION_ENABLED, stats summary --compare)
- enable SLS recording by default and document usage
- align compression mode serde/db form and dedup config load
- expand RPM component contract (bundle.entry + hermes)
- make SLS writer append-only and skip when log file absent
- prefer tool_call_id over internal tool_use_id for qwencode hooks
- bump vendored rtk to v0.43.0; rework pytest stderr-surfacing patch for the refactored runner; drop grep-fallback-fix (root cause fixed upstream) and preflight-skip-python (reversed upstream)
- sync toon-format to 0.5.0 in Makefile and spec (was stale at 0.4.6)
0.5.1
- add --json output to stats summary
- implement unified tool categorization and 3-layer compression strategy
- add rtk grep fallback pattern fix patch
- add rtk pytest error report patch
0.5.0
- add Hermes adapter runner
- drop TOON wrapper prefix and slim diagnostic tags
- unify rtk rewrite exit code 3 handling across adapters
- secure shell variable interpolation in env-fix and hooks
- add subprocess returncode checks and extract shared hook utilities
- secure resolveBinaryPath and improve binary cache invalidation
- use mktemp in tests and safe home expansion
- bound SchemaCompressor recursion to prevent stack overflow
- propagate env-fix subprocess failures instead of returning stdout
- anchor home lookup on getpwuid_r and trust-check candidate binaries
- harden env-fix install paths with uid trust check and divert stderr to log
- recover from poisoned mutex in stats recorder instead of failing
- add input size limit and validate db path
- reserve truncation marker length in response compressor
- rename openclaw plugin Name to Tokenless and ID to tokenless
- add qoder CLI adapter
- compress-schema on array input
- warn when compression is skipped
- stats command syntax
- add Claude Code adapter plugin
- error on TTY stdin instead of hang
- add codex adapter plugin
- fix compression pipeline output inflation, truncation and hook timeouts
- harden env-fix, version extraction, file trust, schema, permissions
- address review findings — trailing newline, chmod guard, rate-limited log, comment
- make env attribution reachable for skip-tools entries
- add selective-claw context engine plugin
- address review findings for selective-claw plugin
- remove invalid "2" dependency from selective-claw
- restore indentation in compress_response_hook.py
- harden hook exit-code handling + trust model consistency
- only warn on truly unexpected rtk exit codes
- dedup rewrite_hook, import from hook_utils
0.4.1
- fix version_ge 3-segment truncation in env_check.rs (compare all segments)
- add qoder, claude-code, codex adapter plugins and documentation
- sync manifest.json with template to include all six agents
- update README and user manuals for new agent integrations
- add pycache to root .gitignore
- update response-compression.md with all agent integration paths
- derive Makefile version from Cargo.toml, fix spec changelog weekday
- normalize adapter version numbers to 0.4.0
- derive adapter plugin versions from Cargo.toml instead of hardcoding
0.4.0
- correct 5 bugs in stats, naming, SQL, paths and permissions
- align FHS paths, restructure adapter dir, remove install.sh
- address code review findings across schema, env-check, hooks, and plugin
- add hermes agent plugin
- security hardening & critical algorithm correctness
- behavioral correctness & logic fixes
- dedup, dead code removal & cosmetic cleanup
- support staged installs
- support Debian/Ubuntu FHS paths and harden binary resolution
- build OpenClaw plugin to dist/index.js
0.3.2
- replace spoofable home-dir uid derivation with libc::getuid() syscall for trust chain integrity
- replace subprocess toon -e calls with in-process toon_format::encode_default() library call
- replace rtk/toon git submodules with crates.io deps and inline toon-format source
- hard-fail on rtk stats patch failure in justfile setup-rtk recipe
- unify compress-toon/compress-schema/compress-response error exit codes (all exit 2)
- remove 2>/dev/null || true from Makefile toon install (hard fail on missing binary)
- remove redundant #[source] attribute on thiserror variants that already have #[from]
- deduplicate Python hook FHS path constants into shared hook_utils module
- add libc to workspace dependencies for uid syscall
- add detailed rust >= 1.89 comment in spec.in explaining CI pin rationale
0.3.0
- add tool-ready 4-phase environment pre-check with cosh extension integration
- skip compression and stats when no token savings
- pass caller context to rtk stats via .rewrite-context file
- remove redundant cosh extension install/uninstall from install.sh
- convert cosh hooks to extension format per cosh dev guide
- skip zero compression and stats recording
- use isExecutable() and resolved paths in openclaw plugin
- resolve rtk/toon binary paths for RPM-installed plugins
- correct RPM install paths to align with install.sh expectations
- preserve tool result message structure in TOON encoding
- align install paths with FHS
- auto-record stats with real tool_use_id from hook payload
- restructure RPM dirs and remove auto plugin/hook installation
0.2.0
- add compression stats with auto-record from real data
- add TOON context compression support
- skip compression for skill and content-retrieval tools
0.1.0
- introduce tokenless into ANOLISA (#199)
更新日志
English
0.4.1
新功能
- 新增 rollback 后跳过自动 checkpoint (#1263)
缺陷修复
- 修复 config 更新后的工作区同步 (#1263)
- 修复 crontab 条目中 ws-ckpt 的绝对路径处理 (#1263)
- 变更 rollback -n 偏移量,直接传递 numAncestors (#1263)
0.4.0
不兼容变更
- 不兼容 checkpoint
-i/--id 参数更名为 -s/--snapshot 作为主参数;-i 保留为隐藏别名,未来版本可能移除 (#1064)
新功能
- 新增插件安装/卸载子命令 (#1005)
- 新增 component.toml 用于 anolisa-cli 适配器发现 (#1005)
- 新增 rollback 预览功能,支持 --preview 参数 (#1103)
- 新增每次 CLI 操作后的耗时显示 (#1075)
- 新增省略 --snapshot 时自动生成快照 ID (#1064)
- 新增 SLS 运维日志输出用于仪表盘指标 (#1059)
- 新增 diff 的可选 -t 参数,用于将快照与当前工作区对比 (#848)
- 新增按祖先数量 rollback 和快照 DAG 追踪 (#877)
- 新增基于 cron 的定时 checkpoint 快照 (#819)
缺陷修复
- 修复 --snapshot/-s 作为主参数的处理及插件参数对齐 (#1103, #1064)
- 修复 SKILL.md 与实际 CLI/插件实现的同步 (#847)
- 修复 init 和 recover 对被替换的 workspace 符号链接的防护 (#860)
- 修复 init rsync 去除 --copy-unsafe-links (#873)
0.3.3
新功能
- 新增每工作区策略覆盖,支持 hermes/openclaw 插件 (#721)
- 新增
/proc cwd 占用者检测,用于 init 和 rollback (#684)
- 新增 Hermes 适配器运行脚本 (#617)
缺陷修复
- 修复 rollback 中的写锁竞争和 cwd 检测死锁 (#721, #684)
- 修复非 UTF-8 路径和路径穿越快照 ID 的输入验证 (#695, #678)
- 修复 seccomp 架构选择、工作区注册并发和 RPM 打包问题 (#695, #684)
0.3.2
- 修复 openclaw 卸载时未从配置中移除工具白名单
- 修复父路径拒绝规则作为工作区级别规则应用于 skill 和 openclaw 插件
0.3.1
- 修复插件工作区配置注册和自动加载
- 拒绝将 hermes cwd 本身或其父路径作为工作区路径
- 修复插件工具优先使用显式 workspace 参数而非配置
- 修复 skill 删除需要 --force 参数
- 修复 daemon 工作区路径验证和 fswatch 文件描述符泄漏
- 移除未使用的 btrfs_ops.rs 模块
0.3.0
- 新增 openclaw 插件脚手架
- 新增 hermes 插件脚手架
- 将 ws-ckpt skill 改为 agent 无关,在调用时提示输入工作区
- 遵循
make install 契约用于 build-all 集成
- 修复 list 和 diff 子命令的缺陷
- 将 daemon 改为有状态
0.2.0
- 新增 auto_cleanup 功能及开关
- 统一通过 TOML 文件修改配置
- 新增全局 CLI 警告:当任意工作区快照数 >1000 或文件系统使用率 >90%
- 修复后端检测和 daemon 状态恢复逻辑
- 修复 daemon 重启后镜像大小配置不生效
- 移除过时的 fs_warn_threshold_percent 参数
- 修复 config.toml 作为示例文件分发
0.1.0
- 带 Unix Socket IPC 和 Bincode 二进制协议的 Daemon
init / checkpoint / rollback / delete / list / diff / cleanup / status / config 命令
- 后台调度器:自动清理、健康检查、孤立恢复
- 多后端:btrfs-base / btrfs-loop / overlayfs 自动检测
- TOML 配置持久化及运行时热重载
- systemd 服务及 Alinux 4 RPM 打包