跳到主要内容

RELEASE HISTORY / GENERATED

变更日志

内容在构建时从仓库根目录及各组件 CHANGELOG 生成。

变更日志

English

本文件记录项目所有值得注意的变更。

格式基于 Keep a Changelog,项目遵循语义化版本

[1.0] - 2026-07-06

组件版本

组件版本
copilot-shell2.6.1
agent-sec-core0.7.0
agentsight0.7.1
tokenless0.6.1
agent-memory0.2.1
os-skills0.6.1
anolisa0.1.20
skillfs0.3.2
ws-ckpt0.4.1
cosh-ng0.11.0

重点特性

  • anolisa:更新到 v0.1.20,交付统一 CLI 网关提供组件全生命周期管理与适配器编排,用户可通过一条命令安装/更新/诊断所有组件
  • cosh-ng:更新到 v0.11.0,完成 Core/Shell 分离与 AI 增强终端,Agent 可跨发行版确定性执行结构化系统操作
  • agent-memory:更新到 v0.2.1,新增用户数据主权与 4 类记忆分类,用户可查询/遗忘/控制自动捕获的记忆
  • tokenless:更新到 v0.6.1,新增压缩开关与 A/B 对比及 QwenCode 适配器,用户可量化各策略的 Token 节省效果而不影响任务执行

新增组件

  • anolisa:首次发布 v0.1.16,构建统一 CLI 网关管理组件安装/更新/卸载(RPM + Raw 双后端),用户可通过 anolisa install --all 一键部署全部组件
  • cosh-ng:首次发布 v0.11.0,实现确定性 Agent-OS 接口(5 crate workspace),Agent 可通过稳定 API 跨发行版执行结构化系统操作
  • skillfs:首次发布 v0.3.2,构建 FUSE 虚拟文件系统实现基于视图的 SKILL.md 暴露,Agent 可从挂载目录发现并加载技能

组件更新

  • agent-memory:更新到 v0.2.1,新增主权工具集(about/forget/consent)、AMA 导入导出、4 类分类和抗 SIGKILL 增量聚合,用户可自主控制记忆留存并跨 Agent 迁移
  • tokenless:更新到 v0.6.1,新增压缩开关(dry-run + 按模式统计)、SLS JSONL 遥测默认开启和 QwenCode 适配器,开发者可 A/B 测试压缩策略并在 SLS 大盘监控 Token 节省
  • agentsight:更新到 v0.7.1,新增 Token 节省可视化(策略饼图 + 行级 diff)、安全大盘和容器/K8s 全面支持,用户可直观评估各优化策略的节省贡献
  • copilot-shell:更新到 v2.6.1,新增 /model 多 Provider 切换对话框和 SLS 会话遥测(32 字段 JSONL),用户可自由切换 LLM Provider 而不丢失配置
  • agent-sec-core:更新到 v0.7.0,新增 Skill Ledger 完整性链(GPG 签名工作流)和 Prompt Scanner,用户可审计 Skill 安全状态并在危险操作前收到确认提示
  • os-skills:更新到 v0.6.1,新增 ANOLISA Guide 知识库 skill(13 份官方文档)和 OpenClaw 安装预检引导,Agent 可在回答中引用准确的产品文档
  • ws-ckpt:更新到 v0.4.1,新增自动清理调度和 TOML 配置热重载,用户可设置保留策略并即时生效无需重启 daemon

变更

  • 文档治理规范通过 specs/documentation-standard.md 建立
  • 双语命名约定统一为 _zh.md(从遗留 _CN.md 迁移)

[0.6] - 2026-06-12

组件版本

组件版本
copilot-shell2.4.1
agent-sec-core0.5.0
agentsight0.5.0
tokenless0.4.1
agent-memory0.1.0
os-skills0.5.0
cosh-ng0.1.0 (MVP)

重点特性

  • agent-memory:首次发布 v0.1.0,交付沙箱化文件系统 MCP 记忆服务器,Agent 可跨会话持久化存储并通过 BM25 检索上下文
  • tokenless:更新到 v0.4.1,新增 Hermes Agent 插件和 Tool Ready 4 阶段预检,Agent 工具执行前自动验证环境就绪避免无效重试
  • agentsight:更新到 v0.5.0,新增 Skill 维度 Token 指标和 Hermes 支持,用户可精确定位哪些 Skill 消耗最多 Token

新增组件

  • agent-memory:首次发布 v0.1.0,构建 19 工具 MCP 服务器(命名空间隔离 + BM25 后台索引),Agent 可在沙箱化文件系统中读写/检索持久记忆
  • cosh-ng:首次发布(MVP),完成确定性 OS 操作的生产可用功能,Agent 可获得格式可预测的结构化命令输出

组件更新

  • tokenless:更新到 v0.4.1,新增 Hermes adapter runner 和 Tool Ready 机制(4 阶段环境预检集成为 cosh extension),Agent 工具调用前自动校验环境减少因环境故障浪费的 Token
  • agentsight:更新到 v0.5.0,新增 Skill 维度 Token/调用指标和 Hermes matcher(含 SSL 支持),用户可在 Dashboard 中按 Skill 查看 Token 消耗明细
  • agent-sec-core:更新到 v0.5.0,新增 PIIChecker(输出 PII 检测 + 脱敏引擎)和 Skill Scanner(文本/代码扫描 + 生命周期触发),Agent 输出中的敏感信息被自动拦截
  • copilot-shell:更新到 v2.4.1,新增跨 Session 自动记忆提取和 hook reason UI 可见性,用户可看到安全 hook 拦截操作的具体原因

[0.5] - 2026-05-28

组件版本

组件版本
copilot-shell2.4.0
agent-sec-core0.4.0
agentsight0.4.0
tokenless0.4.0
os-skills0.4.0

重点特性

  • tokenless:更新到 v0.4.0,新增 Hermes 插件和 Tool Ready 环境机制,Agent 工具执行前依赖缺失被提前拦截避免 Token 浪费
  • agent-sec-core:更新到 v0.4.0,交付 PIIChecker 和 Skill Scanner 首版,Agent 输出被扫描防止敏感信息泄露

组件更新

  • tokenless:更新到 v0.4.0,开发 Hermes Agent 插件(Tool Ready 4 阶段环境预检 + History 压缩),Agent 运行时依赖在执行前被自动校验
  • agent-sec-core:更新到 v0.4.0,新增 PIIChecker 输出 PII 检测和 Skill Scanner 基线能力,用户免受 Agent 无意泄露敏感数据的风险
  • agentsight:更新到 v0.4.0,新增 Skill 维度指标展示,用户可按 Skill 查看 Token 消耗分组
  • os-skills:更新到 v0.4.0,纳入 Nightly 自动化测试覆盖,Skill 质量持续验证

[0.4] - 2026-05-13

组件版本

组件版本
copilot-shell2.3.0
agent-sec-core0.4.1
agentsight0.4.0
tokenless0.3.0
os-skills0.3.0
ws-ckpt0.2.0

重点特性

  • agent-sec-core:更新到 v0.4.1,建立 Skill 安全全生命周期管理(含 Prompt Scanner ask 策略),用户在 Agent 执行危险指令前收到确认提示
  • tokenless:更新到 v0.3.0,搭建 4 套 Benchmark 对比基线,开发者可量化评估不同 Skill/OS 环境的 Token 消耗差异
  • ws-ckpt:更新到 v0.2.0,扩展快照管理命令集,用户可按数量或时间维度自动清理历史快照

组件更新

  • agent-sec-core:更新到 v0.4.1,集成 Prompt Scanner 至 cosh hook 和 OpenClaw 插件(ask 策略),用户在危险操作前获得交互式确认
  • tokenless:更新到 v0.3.0,构建批量并发 Benchmark 平台并生成对比报告,开发者可一键跑分横向对比 Token 节省效果
  • agentsight:更新到 v0.4.0,优化常驻进程内存占用,2C2G 小规格实例可稳定运行可观测服务
  • copilot-shell:更新到 v2.3.0,适配 SWEBench 评测框架,开发者可通过 cosh 执行代码修复任务并验证通过率
  • ws-ckpt:更新到 v0.2.0,丰富快照增删查能力,用户可按策略自动保留最近 N 份快照

[0.3] - 2026-04-30

组件版本

组件版本
copilot-shell2.2.1
agent-sec-core0.3.0
agentsight0.3.1
tokenless0.2.0
os-skills0.3.0
ws-ckpt0.1.0

重点特性

  • tokenless:更新到 v0.2.0,交付命令重写和 TOON 上下文压缩,CLI 输出 Token 消耗降低 60–90%
  • agentsight:更新到 v0.3.1,新增 Token 节省 Dashboard 和 Agent 异常诊断,用户可可视化节省趋势并检测 Agent 中断
  • agent-sec-core:更新到 v0.3.0,新增 Skill Ledger 完整性追踪和 Prompt Scanner,每个 Skill 的签名链可端到端审计

新增组件

  • ws-ckpt:首次发布 v0.1.0,构建基于 btrfs 的工作区快照守护进程,Agent 可毫秒级创建检查点并即时回滚文件系统状态

组件更新

  • tokenless:更新到 v0.2.0,新增通过 RTK 的命令重写和 TOON 上下文压缩,Agent CLI 交互 Token 消耗减少 60–90%
  • agentsight:更新到 v0.3.1,新增 Token 节省 Dashboard(Session/时间段统计)和 Agent 中断检测(drain 机制),用户可监控节省趋势并在 Agent 故障时收到告警
  • agent-sec-core:更新到 v0.3.0,新增 Skill Ledger 全生命周期(check/certify/bypass/status/audit)和 Prompt Scanner 越狱检测,用户可追踪并强制执行 Skill 完整性策略
  • copilot-shell:更新到 v2.2.1,新增 Extension 架构(command extension + system Hook + 即时激活)、Skill 市场对接和会话导出(Markdown/HTML/JSON),用户可通过插件扩展 cosh 能力并导出对话历史
  • os-skills:更新到 v0.3.0,新增 Skill 市场上架和实用技能(xlsx/pdf-reader/image-gen/humanizer),用户可从市场发现并安装技能

[0.2] - 2026-04-15

组件版本

组件版本
copilot-shell2.0.4
agent-sec-core0.2.0
agentsight0.2.2
os-skills0.2.2
tokenless0.1.0

组件更新

  • agentsight:更新到 v0.2.2,新增 Token 消耗可观测(精确 Tokenizer 计量),用户可实时查看每条消息的 Token 明细
  • copilot-shell:更新到 v2.0.4,新增独立鉴权(STS/ECS RAM Role)和 Skill 市场浏览,用户无需 AK/SK 即可认证并发现可用技能
  • os-skills:更新到 v0.2.2,新增 SysAdmin 技能(Linux IO/网络/负载诊断),Agent 可独立诊断常见 OS 性能问题
  • tokenless:首次发布 v0.1.0,构建 Skills 级 Benchmark 测试用例,开发者可跨 Skill 量化对比 Token 消耗

[0.1] - 2026-03-30

组件版本

组件版本
copilot-shell2.0.1
agent-sec-core0.1
agentsight0.1
os-skills0.1

新增组件

  • copilot-shell:首次发布 v2.0.1,构建 AI 驱动终端助手(Tab 补全、/bash 模式、sudo、Hook 安全),用户开机即获得 AI 原生 CLI 交互体验
  • agent-sec-core:首次发布 v0.1,交付 Skill 签名校验、安全沙箱和系统加固,Agent 操作在受控最小权限环境中运行
  • agentsight:首次发布 v0.1,构建基于 eBPF 的零侵入可观测探针,用户无需修改 Agent 代码即可监控 LLM API 调用和 Token 消耗
  • os-skills:首次发布 v0.1,整理系统管理、SysOM 运维、DevOps 和云技能库,Agent 可自主执行常见 OS 操作

安全

  • Skill 全链路安全加密与数字签名
  • 硬件级安全沙箱风险隔离
  • Skill 调用身份认证与完整性校验

各组件详细变更日志请参阅:

用户入口

Token 节省

运行时

Agent 可观测

Agent 安全

Changelog

0.2.1

  • fix vector/hybrid search panic and empty index when an embedding provider is configured: the index worker ran on a std::thread with no tokio Handle so embeddings were never produced, and memory_search mode=vector|hybrid called Handle::block_on from a worker thread; the runtime handle is now captured at spawn and threaded through to the worker, and the search path uses block_in_place
  • fix memory_get_context leaking .git internals (e.g. .git/logs/HEAD) into agent context by extending the reserved-path filter to cover .git/ via a shared is_under_git predicate in safe_fs
  • fix full_scan (startup and inotify-overflow recovery) only building the BM25 index and never dense embeddings, so preexisting files were invisible to vector search until modified; a paths_without_vec query plus a backfill pass now embeds them, centralised in an embed_sync helper shared with flush
  • fix memory_search returning zero hits for short CJK query terms (< 3 chars, e.g. "花名"/"小云"): the trigram tokenizer emits no tokens for terms shorter than 3 characters, so such queries now fall back to a body LIKE '%term%' substring scan that preserves recall, agent-scope filtering, and cold/superseded exclusion
  • resolve embedding dimensions from the first real response instead of hardcoding 1536 (DashScope text-embedding-v3 is 1024): dimensionality is stored in an AtomicUsize seeded with the estimate and overwritten on first embed
  • add anolisa-cli adapter contract via .anolisa/component.toml so the CLI adapter manager can discover the openclaw plugin bundle through the [[adapters]] TOML schema

0.2.0

  • add prompt-injection safety module (looksLikePromptInjection + escapeMemoryForPrompt) mirrored between Rust core and TS adapter
  • add secret detection and PII redaction to the safety module
  • add auto-recall before_prompt_build hook injecting relevant memories each turn
  • add auto-capture agent_end hook with trigger filtering, SHA256 dedup and injection rejection
  • add dense-vector semantic search via pluggable EmbeddingProvider (OpenAI /v1/embeddings, Ollama /api/embed)
  • add files_vec table (schema v2) for per-file dense embeddings alongside FTS5 BM25
  • add hybrid search with reciprocal rank fusion (RRF, k=60) of BM25 + vector scores
  • add memory_search mode parameter (bm25/vector/hybrid) with graceful fallback to BM25
  • add per-agent memory isolation via [memory].agent_scope (shared/isolated/filter), schema v5
  • add memory sovereignty tools (memory_about/forget/auto_created/consent) with consent.toml preferences
  • add 4-type closed memory classification (user/feedback/project/reference) to memory_observe
  • add mem_export and mem_import for cross-agent memory migration (AMA archive format)
  • add memory_summary tool for memory overview and source tracking
  • add memory_session_context tool
  • add memory_sessions and memory_timeline session history query tools
  • add MEMORY.md index file and mem_index_refresh tool
  • add user profile synthesis (Dreaming V3 mem_dream)
  • add memory consolidation: auto-extract L1 atomic facts from session audit logs on shutdown
  • add episodic memory extraction from coherent tool-call chains
  • add cross-session task persistence and incremental consolidation
  • add consolidation quality filters (mutual exclusion, non-derivable, date normalization)
  • add time-decay ranking (exp(-λ×age_days)) applied to BM25/vector/hybrid scores
  • add cold archival of old never-accessed files with mem_compact tool
  • add conflict detection via BM25 similarity before writing new facts
  • add category subdirectories (facts/<category>/) with memory_search category filter
  • add token tracking (tokens field in AuditEntry)
  • add mem_consolidate tool for manual consolidation trigger
  • add corpus supplement registration for memory_search corpus=all
  • add EmbeddingConfig (None/OpenAI/Ollama) with TOML parsing and env overrides
  • extend memory_search signature with optional mode and category parameters
  • cap memory_search query at 1024 characters to prevent FTS5 resource exhaustion
  • truncate embedding error response bodies to 200 chars to prevent API key leakage
  • distinguish CJK vs ASCII token estimation in ConsolidatedFact
  • hold FactWriter JSONL file handle under mutex to prevent line interleaving
  • derive BM25Store mount root from db path with canonicalize + starts_with traversal guard
  • compute Episode duration from entry timestamps instead of chain length
  • propagate session_id to extracted episodic facts
  • return fact count from consolidate() for mem_consolidate reporting
  • fix effectiveMode in search response to reflect actual mode used
  • fix embedding API empty-response handling to return zero vector of correct dimensionality

0.1.0

  • introduce filesystem memory MCP server for AI agents (Linux only) with 21 tools over stdio JSON-RPC 2.0 in three tiers (Tier A file ops, Tier B BM25 search, Tier C governance)
  • add per-namespace mount under ~/.anolisa/memory/<ns>/ with optional user-namespace + private tmpfs isolation (auto/userland/userns strategies)
  • enforce path sandbox via openat2(RESOLVE_BENEATH | RESOLVE_NO_SYMLINKS) on every Tier A file open
  • add SQLite FTS5 BM25 background index with transactional upsert, schema migrations, trigram CJK tokenizer and inotify-driven debounced flush
  • add optional git versioning with auto-commit serialized under a per-handle mutex
  • add tar.gz snapshots with strict id whitelist, atomic rename swap on restore and rollback entries under .anolisa/trash/
  • add optional cgroup v2 memory.max self-limit applied before the tokio runtime starts
  • add JSONL audit log (O_NOFOLLOW | O_CLOEXEC, Mutex<File>) with optional systemd-journald fan-out
  • enforce profile gating (basic/advanced/expert) at both tools/list and tools/call with deny_unknown_fields on config structs
  • add per-session scratch and log under /run/anolisa/sessions/<sid>/ (0700) with tmpfiles.d snippet
  • add systemd user template anolisa-memory@.service with hardening (ProtectKernelTunables/Modules/Logs, SystemCallFilter, MemoryDenyWriteExecute, RestrictNamespaces, RestrictAddressFamilies=AF_UNIX)
  • add RPM packaging with offline vendor tarball and single statically-linked binary (bundled SQLite + vendored libgit2)
  • add OpenClaw plugin memory-anolisa with install/detect/uninstall lifecycle and 4 memory contract tools routed to the MCP server as a stdio child
  • add single-source version sync from Cargo.toml into manifest/package/openclaw/mcp JSON and the bundle
  • add mcp-harness example and 140 automated tests across 12 integration suites

Changelog

0.8.0

Build & Packaging

  • Installed the Codex plugin during source builds so source deployments include the same Codex integration as packaged installs. (#1302)
  • Updated source build scripts for the sec-core install flow. (#1348)
  • Fixed system-mode source builds by placing uv-managed Python under the shared sec-core library directory and adding a system install smoke check. (#1400)

Code Scanner

  • Added sensitive file path rules for common agent credentials to block API key exposure. (#1401)

OpenClaw Plugin

  • Hardened OpenClaw deploy compatibility handling and covered deployment edge cases with unit tests. (#1358)
  • Added an OpenClaw plugin cross-version E2E matrix that validates packaged plugin loading, Gateway flows, policy behavior, and observability across supported OpenClaw hosts. (#1372)

Documentation

  • Added bilingual agent-sec-core user guide documentation and documentation maintenance rules. (#1311)
  • Documented OpenClaw plugin deployment, compatibility, and upgrade guidance. (#1370)

0.7.1

Prompt Scanner

  • Degraded scan-prompt to fast mode when model unready; rewrote DENY to WARN and enriched degraded reason with diagnostics. (#1258)

Skill Ledger

  • Clarified skill ledger fallback warnings and sanitized finding summaries. (#1240)
  • Tamed ledger reconcile noise and typed live-root skip errors. (#1232)

Security Observability

  • Added observability mapping for new pii_scan at before_tool_call & after_tool_call. (#1229)

0.7.0

Codex Plugin — Full security integration for OpenAI Codex

  • Added codex-plugin with code scanning, prompt scanning, skill ledger, and PII checking hooks. (#1074)
  • Supported packaging codex-plugin into RPM. (#1138)
  • Fixed codex-plugin paths in Makefile and CI for correct RPM install verification. (#1165)

Code Scanner

  • Added code-scanner LLM mode for AI-assisted security analysis. (#1108)
  • Added code-scanner static rules for expanded coverage. (#1033)

Prompt Scanner

  • Added L4 multi-turn intent detection with ollama model service. (#1060)
  • Routed prompt scan to daemon and added prompt model preload for reduced latency. (#786)
  • Controlled prompt scan call to use daemon by env variable. (#933)

Skill Ledger — Activation daemon and policy engine

  • Added Skill Ledger activation daemon for background integrity monitoring. (#857)
  • Added runtime activation resolver for skill trust decisions. (#826)
  • Added skill ledger activation policy for configurable enforcement. (#944)
  • Updated skill ledger activation and event contracts. (#983)
  • Updated Skill Ledger hook defaults and reconcile notify behavior. (#1086)
  • Aligned skill ledger hooks across all agent platforms. (#1135)
  • Resolved Skill Ledger FUSE and unmanaged roots handling. (#1141)
  • Fail-open unsupported Hermes skill ledger scenarios. (#1155)

Daemon & Telemetry

  • Added daemon service with systemd integration and RPM build support. (#1090)
  • Exposed SQL query endpoint at daemon for observability queries. (#1042)
  • Enhanced daemon logging including requests and jobs. (#871)
  • Added telemetry schema definition and SLS JSONL writer. (#977, #1008)
  • Passed agent_name to telemetry data for multi-agent identification. (#1032)
  • Added logging system for structured agent-sec-cli output. (#651)
  • Added security daemon socket fallback under /run/user/<uid> for user-scoped deployments. (#1129)

PII Scanner

  • Extended PII scanning coverage with additional pattern detectors. (#925)

Security Observability

  • Added session report command for post-session security summaries. (#703)

Sandbox

  • Converged sandbox trigger rules for consistent enforcement. (#979)

Adapter & Build

  • Added ANOLISA CLI component.toml for adapter manifest integration. (#1067)
  • Added systemd-rpm-macros as RPM build dependency. (#1156)

0.6.0

Self-Protection — Tamper-resistance for agent-sec-core itself

  • Added self-protect code-scan rules that block disabling/uninstalling agent-sec plugins on OpenClaw and Hermes. (#692)
  • Optimized self-protect rules in code-scan to eliminate false positives on prefix-matched plugin names and cover Hermes uninstall/rm patterns. (#710)

Prompt Scanner

  • Unified prompt-scan warning format across cosh-extension, hermes-plugin, and openclaw-plugin with structured fields (threat type, risk level, interception stage, model confidence). (#709)

Agent-Sec-CLI

  • Added daemon process for agent-sec-cli to amortize startup latency across hook invocations. (#677)

Adapter & Manifest

  • Added standalone ANOLISA adapter entry anolisa-for-openclaw to package sec-core OpenClaw adapter scripts and drive install/detect/uninstall via the adapter manifest. (#549)
  • Added Hermes adapter runner: refactored the OpenClaw entry into a target-agnostic anolisa-adapter-runner and added anolisa-for-hermes wrapper, with per-agent adapter directory layout under sec-core. (#617)
  • Centralized sec-core adapter manifest parsing across adapter scripts and moved the manifest under the cli package. (#617)

OpenClaw Integration

  • Normalized OpenClaw state directory handling: use OPENCLAW_STATE_DIR for adapter filesystem state, unset OPENCLAW_HOME when invoking the OpenClaw CLI, and aligned plugin install/list/uninstall handling. (#641)

0.5.0

PII Scanner — Personal information leak detection

  • Added PIIChecker scan CLI with text/file input, regex/validator-based detection, redaction, and security middleware integration. (#525)
  • Added PIIChecker hooks for cosh and OpenClaw with stdin-based input passing. (#539)
  • Added Hermes PII checker hook. (#556)
  • Fixed scan-pii module mode detection via subprocess. (#540)

Security Observability — Agent run metrics & posture insights

  • Added security observability schema, metrics definition, and CLI with jsonl writer for agent runs. (#488)
  • Added openclaw plugin for security observability. (#515)
  • Added cosh hook for security observability. (#528)
  • Persisted observability records to sqldb with CLI review command. (#544)
  • Added observability plugin for hermes. (#553)
  • Correlated security events with observability events and supported batch query. (#578)
  • Respected trace-id filter in count queries. (#595)

Hermes Plugin — AI Agent integration framework

  • Added hermes-plugin framework with abstract hook class and code scan capability. (#536)
  • Added Hermes prompt-scan capability. (#579)
  • Added Hermes PII checker hook. (#556)
  • Added Hermes skill ledger hook. (#565)
  • Added observability plugin for hermes. (#553)
  • Supported correlation context in hermes agent plugin. (#590)
  • Added hermes plugin install for rpmbuild and build from scratch. (#577)
  • Stabilized Hermes skill-ledger warning delivery for non-pass skill checks. (#600)

Correlation & Tracing Context

  • Unified caller tracing context across CLI, OpenClaw, and cosh with --trace-context JSON and SQLite schema v2. (#569)
  • Supported correlation context in hermes agent plugin. (#590)
  • Correlated security events with observability events. (#578)

Skill Ledger

  • Integrated code-scanner with skill-ledger for unified security assessment. (#505)
  • Updated skill ledger security interactions. (#529)
  • Made openclaw skill ledger approval configurable. (#575)
  • Added Hermes skill ledger hook. (#565)
  • Refined skill ledger scan workflow and aligned documentation. (#529)
  • Included skill-ledger e2e in install flows. (#573)
  • Fixed skill-ledger hook scope limitation. (#497)
  • Fixed managed skill dirs for discovery. (#510)
  • Expanded home paths for skill-ledger. (#596)
  • Hardened skill ledger recovery and key UX. (#575)

Code Scanner

  • Added code-scan requireApproval config for openclaw. (#560)
  • Added OpenClaw enableBlock hook policies. (#586)

Security Middleware & Event System

  • Fixed TOCTOU race condition at sqldb read path. (#546)
  • Made SQLAlchemy lazy import for non-DB subcommands. (#581)
  • Lowered frequency for SQL maintenance operations. (#546)

Prompt Scanner

  • Added Hermes prompt-scan capability via hermes plugin. (#579)
  • Fixed warmup detection from error-string matching to file-based check. (#500)
  • Fixed prompt text passing via stdin instead of argv. (#579)

Toolchain & CI

  • Added build-all support with local space install for sec-core. (#527)
  • Added hermes plugin install for rpmbuild and from-scratch build. (#577)
  • Included skill-ledger e2e in install flows. (#573)
  • Added adapter manifest for capability discovery. (#577)

0.4.0

Prompt Scanner

  • Prompt scanner hook now asks user on missing model instead of fail-open. (#463)
  • Added prompt injection detection benchmark dataset and evaluation toolkit. (#464)

Security Middleware & Event System

  • Refactored security_events SQLite storage to SQLAlchemy ORM with multi-table extensibility and typed repositories. (#459)

Skill Ledger

  • Fixed sign-skill auto-register config (exact awk match) and parse openclaw stdout unconditionally. (#445)
  • Unified XDG paths under agent-sec/skill-ledger vendor namespace. (#445)
  • Unified single-skill verify into structured result for consistent output. (#445)
  • Converted integration tests from subprocess to Typer CliRunner. (#445)

OpenClaw Integration

  • Registered plugin at openclaw gateway explicitly to support Gateway startup planning. (#446)

Refactoring

  • Removed deprecated agent-sec-core skill directory; aligned README and spec with agent-sec-cli workflow. (#454)

Toolchain & CI

  • Added coverage report for sec-core CI. (#431)
  • Enabled rpmbuild and e2e test CI for main branch. (#432)

0.3.0

Prompt Scanner — Multi-layer prompt injection & jailbreak detection

  • Added prompt injection/jailbreak detection scanner architecture with L1 rule engine (YAML-based) and L2 ML classifier (Prompt Guard 2). (#253)
  • Integrated prompt scanner into cosh hook and openclaw plugin with security middleware lifecycle. (#261, #294)
  • Added list-scanners command, improved CLI help, and made --scanner-version optional. (#284)
  • Added prompt scan summary and backend tests. (#294)
  • Added prompt-scanner skill definition. (#256)
  • Added model warmup, audit logging, and comprehensive documentation. (#253)
  • Stabilized batch scanning and verdict logic with thread-safe model loading. (#253)
  • Unified prompt scanner response to use "ask" instead of "block". (#341)
  • Added prompt-scanner e2e test suite and Makefile target. (#352)

Code Scanner — Static code security analysis

  • Added code scanner component with rule-based detection for obfuscation, permission abuse, and more. (#234)
  • Integrated code scanner into cosh hook (with ask decision support) and openclaw plugin adapter. (#234)
  • Added code scanner CLI entry, error codes, and unit tests. (#234)
  • Fixed code scan bugs and added e2e test. (#342)

Skill Ledger — Skill integrity tracking and signing

  • Added skill-ledger CLI with middleware integration for skill integrity verification. (#252)
  • Added skill-ledger skill definition. (#266)
  • Added skill-ledger cosh hook for PreToolUse and openclaw-plugin capability. (#292, #281)
  • Improved skill-ledger CLI and cleaned up imports. (#284)
  • Restructured skill-ledger config defaults and documentation. (#296)
  • Aligned skill-ledger tool name and added path validation. (#317)
  • Reworked skill-ledger status, output, and check signing. (#335)
  • Skill-ledger hook hardening, e2e suite, and posture integration. (#339)
  • Known limitation: skill directory resolution assumes dir name matches SKILL.md name field; see #381.

Security Middleware & Event System

  • Added security middleware framework with unified CLI entry point and metrics integration. (#121, #220)
  • Added sqldb writer & reader with query command at CLI interface for security event persistence. (#254)
  • Fixed cross-process event loss in SecurityEventWriter. (#226)
  • Applied corruption whitelist to stop false-positive DB rebuilds. (#338)
  • Added e2e test and fixed bugs revealed during testing. (#330)

Linux Sandbox

  • Added sandbox guard and failure handler hooks. (#362)

OpenClaw Integration

  • Added hook plugin for openclaw with integrated security scanning capabilities. (#242)
  • Added jq requires for openclaw hook package. (#370)

Cosh Extension Integration

  • Integrated with new cosh extension API and added builtin commands. (#302)

Performance

  • Lazy-load ML dependencies to speed up non-ML subcommands. (#318)

Toolchain & CI

  • Migrated Python toolchain to uv package manager and pinned Python 3.11.6. (#227)
  • Added sec-core RPM build CI and adapted nightly build pipeline. (#295)
  • Initialized code format check CI with python-code-pretty. (#229)
  • Added e2e test in RPM build CI. (#369)

Bug Fixes

  • Preserved seharden wrapper defaults. (#236)
  • Removed dynamic import at middleware router. (#277)
  • Improved missing loongshield guidance. (#289)
  • Fixed build errors. (#288)
  • Removed openclaw hook examples and fixed documentation. (#282)

0.2.0

  • Added Hardened skill signing pipeline and added .skill-meta layout. (#129)
  • Added Cargo.lock to version control. (#149)
  • Added make install-sandbox target. (#68)
  • Fixed bubblewrap version compatibility for --argv0 option. (#112)
  • Changed Refactor SKILL.md to executable protocol and align sub-skills. (#130)

Changelog

0.7.1

Fixes

  • Improve severity labels and agent sidebar UX.
  • Show all verdicts in the summary command.
  • Sync component.toml version with package version.

0.7.0

Features

  • Add Codex CLI adaptation with three-tier SSL probe attach (symbol table → byte pattern → offset table) and cross-chunk SSE continuation buffer.
  • Add security observability dashboard and server proxy for agent threat visibility.
  • Add memory optimization with bounded event buffers, feature flags (features.*) and configurable runtime limits (runtime_limits.*).
  • Add container_id to AgentsightLLMData for container-level attribution.
  • Derive session_id from process environment variables and request metadata instead of message content.
  • Add call_kind classification (chat / completion / embedding / tool_use) to GenAI semantic events.
  • Add --exclude filter to agentsight audit CLI for noise reduction, and show non-streaming LLM calls in audit output.
  • Add unified agentsight summary command for one-shot status overview.
  • Enhance token savings page with baseline comparison, strategy breakdown, line-level diff highlighting and optimization tips.
  • Upload skill metrics via SLS Logtail exporter.
  • Improve agent health UX: role badges (P1/P2), TTL-based cleanup, process-ancestry grouping, and Session ID help tooltip.
  • Filter client processes from health API to reduce dashboard noise.
  • Add anolisa component contract for RPM lifecycle integration.

Fixes

  • Fix sslsniff BPF verifier rejection on kernel 5.15 and add BPF load tests.
  • Fix traced_processes BPF map leak causing uprobe attach failure after long runtime.
  • Prevent duplicate uprobe Links by retaining inodes in traced_files on detach.
  • Decode compressed (zstd/brotli) SSE streams so Claude Code and similar agents are fully captured.
  • Harden compressed SSE decode against partial chunk boundaries.
  • Extract token usage from non-streaming and HTTP/2 responses.
  • Fix namespace PID usage in udpdns and tcpsniff probes.
  • Strip /proc/{pid}/root prefix for uprobe attach in containerized environments.
  • Implement tiered SSL and tcpsniff ring buffer reservations to reduce dropped events.
  • Clamp before mask in filewrite/udpdns BPF probes; cap stdout payload to MAX-1.
  • Change cgroup gate to OR semantics and add trace_cgroup FFI interface.
  • Tighten SSE truncation detection and write pending row for deferred GenAI calls.
  • Respect dynamic sysom path in SLS exporter mode selection; replace removed sysom_logtail_path with logtail_path filter.
  • Validate ring buffer size is power-of-two at startup.
  • Wire feature flags and runtime limits to actual runtime code paths.

Refactoring

  • Split genai/builder.rs into 4 focused modules and genai.rs into 5 submodules.
  • Bundle shared BPF maps into SharedMaps for reduced duplication.
  • Extract background threads module with stop-signal support.
  • Replace remaining unwrap() calls with if-let / ? patterns.

CI & Quality

  • Add fmt, clippy, unit test coverage, and architecture boundary check CI gates.
  • Add clippy.toml + cargo-deny for lint and supply-chain auditing.
  • Add architecture boundary check script (check-arch-boundary.py).
  • Add scoped AGENTS.md for FFI, unified orchestrator, and storage modules.
  • Define Footprint Ladder for code surface growth control.
  • Add agentsight-code-review and pr-body develop-skills.

0.6.1

  • Add real-time agent_crash detection in trace mode.
  • Add OOM crash detection.
  • Add cgroup-level event filtering with v1/v2 compatibility.
  • Support QwenCode skill discovery via per-user home scanning.
  • Support SLS Logtail activation reversible via dynamic path.
  • Support bridging ilogtail SLS_LOG_PATH into config via token-collector switch.
  • Default traceEnabled to false to drop conversation content from SLS by default.
  • Drop gen_ai.system_instructions from SLS uploads when traceEnabled=false.
  • Refactor session_id and conversation_id derivation from response_id instead of message content.
  • Fix CJK deadloop detection, kill() error check, and SIGKILL escalation.
  • Fix SQLite read/write contention via VACUUM optimization.
  • Fix rpm-build.sh agentsight build failures.
  • Fix allow log path re-init on repeated new+start.

0.6.0

  • Add deadloop detection and auto-kill mechanism for runaway agent processes.
  • Add retry storm detection and /metrics interruption counters.
  • Add BPF-layer HTTP protocol filter and wildcard capture (*) for unknown IP/port targets.
  • Add client-side hybrid encryption for sensitive message fields.
  • Add traceEnabled configuration toggle with SLS upload layer enforcement.
  • Add HTTP domain rules resolved to tcpsniff BPF map via DNS.
  • Add default DashScope HTTPS rule and anolisa_release module.
  • Add FFI interface for tcp_targets and input_delta config.
  • Add CO-RE compatibility to UDP DNS probe for kernel 6.0+.
  • Support runtime SLS logtail path via config hot-reload.
  • Expand interruption types and add logtail export.
  • Restructure config to https/http rules.
  • Refactor query stats.db by tool_use_id and unify savings display.
  • Refactor load encryption public key from agentsight.json.
  • Fix decode HPACK Huffman headers.
  • Fix BoringSSL probe attachment, FFI event delivery, and chunked-body panic.
  • Fix preserve initial SSE chunk in event-stream responses.
  • Fix c_char / BPF comm portability (i8 vs u8).
  • Remove dead code and deprecated APIs.

0.5.0

  • Add Claude Code support including SSL probe attach for BoringSSL, Anthropic SSE thinking/tool_use content blocks, and message.id-based session correlation.
  • Add tcpsniff probe for plain HTTP traffic capture with configurable IP/port filtering (disabled by default with empty tcp_targets).
  • Add User-Agent based agent detection with comm fallback for simplified agent matching.
  • Add UDP DNS probe for agent discovery (replacing TLS SNI probe) with QNAME parsing moved to userspace.
  • Add TLS SNI probe module and refactor discovery to config-driven rules.
  • Add connection scanner for pre-established LLM API connections.
  • Add tools field to AgentsightLLMData FFI struct, passed through as raw JSON.
  • Add container PID namespace support in BPF traced process filtering and event emission.
  • Add agent matching rules and reduce BPF ring buffer to 32MB.
  • Add uid field to SLS logs with OnceLock cache and startup validation.
  • Support profile-based installs.
  • Fix duration_ns calculation in LLM data.
  • Fix SSL probe cleanup of stale inodes on process exit.
  • Fix BPF verifier -E2BIG issues by removing nested #pragma unroll in udpdns.bpf.c and masking payload_len on older kernels.
  • Fix skill extraction for Hermes agent architecture.
  • Fix Node.js process.title change handling in OpenClaw matcher.

0.4.0

  • Add HTTP/1.1 request body reassembly for fragmented SSL writes.
  • Add skill metrics analysis with cosh filesystem-based discovery.
  • Add SLS upload and Logtail file exporter for GenAI events.
  • Add hermes agent matcher for LLM process discovery.
  • Detect uv Python static OpenSSL in SSL sniffer.
  • Remove AK/SK-based SLS direct upload, keep Logtail file export.

0.3.1

  • Fix simplify agent_crash detection and fix multi-process dedup. (#411)
  • Fix use SqliteConfig for audit CLI db path. (#399)
  • Fix hide Cosh from agent health UI and remove keepalive support. (#401)
  • Fix API endpoint table in AGENTS.md. (#397)

0.3.0

  • Add interruption detection system with drain mechanism and dashboard integration. (#315)
  • Add token savings page and API endpoint for optimization visualization. (#310)
  • Add compounded token savings and request count tracking. (#320)
  • Add C FFI API with cbindgen header generation. (#306)
  • Add filewatch and filewrite eBPF probes for file access monitoring. (#308, #309)
  • Support SysOM AK/SK GenAI capture for cosh. (#305)
  • Use LLM API response_id as trace_id and add conversation_id field. (#304)
  • Resolve session_id from agent's own session via ResponseSessionMapper. (#303)
  • Fix interruption CLI and align conversation_id naming. (#318)
  • Fix cosh session_id recognition by supporting snake_case response_id. (#307)
  • Fix wrong tool call id in token savings compounding. (#316, #317)
  • Fix standardize call_id, add tool_call_ids column. (#319)
  • Fix session_id and response_id mapping in genai builder and storage. (#321)
  • Fix token savings display in conversation list. (#322)
  • Fix cache agent name by pid for dead process resolution. (#358)
  • Fix remove custom db path and use default paths. (#359)
  • Support nightly docker image build in CI. (#302)

0.2.2

  • Support starting backend-server for dashboard with AgentSight service.
  • Fix dashboard frontend dynamic width for multiple display-size.

0.2.1

  • Add /usr/lib/copilot-shell path to CoshMatcher for agent discovery. (#190)
  • Add 200MB size limit for genai_events.db to prevent unbounded growth. (#211)
  • Remove /api/stats endpoint returning incorrect data. (#197)
  • Extract audit from HttpRecord and filter non-LLM calls. (#196)
  • Always show comparison data when --compare flag is used in token queries. (#194)
  • Fix incorrect discover command in README documentation. (#191)
  • Remove breakdown command and keep token consumption commented. (#193)
  • Replace deprecated MemoryLimit with MemoryMax in systemd service file. (#181)

0.2.0

  • AgentSight Dashboard web UI with real-time monitoring interface. (#74)
  • Agent health monitoring with offline alerting and hung process dashboard restart. (#158)
  • One-click navigation from dashboard to ATIF trace analysis page. (#116)
  • /metrics endpoint to expose standard Prometheus-format data. (#134)
  • Support for HTTP 2.0 protocol. (#147)
  • Support to build RPM package. (#166)

Changelog

All notable changes to ANOLISA will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[0.2.2] - 2026-07-09

Added

  • anolisa update --check now reports RPM upgrade opportunities without changing state.
  • anolisa update --check --motd now prints a short login-friendly upgrade summary.
  • anolisa upgrade now applies RPM image upgrades for RPM-managed toolchains.
  • anolisa upgrade now installs missing default components from the selected target profile.
  • anolisa adapter scan now marks enabled receipts with missing sources as orphaned.
  • anolisa adapter status now reports missing adapter sources as degraded receipts.

Changed

  • anolisa list now shows component scope for visible user and system records.
  • anolisa status now shows scope, mutability, shadowing, and state path metadata.
  • anolisa doctor now includes readable system components in user-mode diagnostics.
  • anolisa doctor now suggests system-mode commands for read-only system records.
  • anolisa update --check now uses the latest target profile when --target is omitted.
  • anolisa update --check --motd now points users to sudo anolisa upgrade when action is needed.

Fixed

  • anolisa uninstall, forget, and update now reject read-only system targets with system-mode guidance.
  • anolisa upgrade now reports unresolved target defaults as check errors.
  • anolisa upgrade now warns when refreshed RPM details are unavailable after an upgrade.

[0.2.1] - 2026-07-08

Added

  • anolisa adapter enable now supports Tokenless adapters for cosh, Codex, and Claude Code.
  • anolisa adapter enable now supports Tokenless adapters for Qoder.

Changed

  • Claude Code adapters now use per-component marketplaces to avoid affecting other ANOLISA plugins.
  • anolisa adapter enable now rejects invalid framework and adapter_type combinations before changing settings.

Fixed

  • Codex adapters now work when component resources come from packaged data directories.
  • Qoder adapter enable now keeps malformed settings.json unchanged instead of replacing it.
  • Qoder adapter disable now removes only hook entries previously added by ANOLISA.
  • Qoder adapters now prefer stable qodercli releases over matching prereleases.

[0.2.0] - 2026-07-07

Added

  • Raw components can now declare conflicts to block incompatible raw installs.

Fixed

  • anolisa install now rejects raw component conflicts before changing the host.
  • anolisa install --dry-run now reports raw component conflicts instead of showing an invalid plan.

[0.1.20] - 2026-07-03

Added

  • ANOLISA can now be distributed as @anolisa/cli with Linux x64 and arm64 binaries.
  • repo.toml now enables the npm backend for component distribution.

Changed

  • anolisa list now shows local state, ownership, and next action for each component.
  • anolisa list --json now includes RPM package, version, architecture, and source repository details.

Fixed

  • RPM installs and updates now keep system repositories available for dependencies.
  • Adapter commands now distinguish missing component manifests from invalid manifests.

[0.1.19] - 2026-07-02

Fixed

  • anolisa adapter disable --dry-run now previews cleanup without removing adapter receipts or resources.
  • Read-only commands now use downloaded repo config when saving repo.toml fails.
  • Component commands now accept package aliases consistently when targeting installed components.
  • Ambiguous package aliases no longer choose an arbitrary installed component.
  • Unknown component names now report no match without querying packages.

[0.1.18] - 2026-07-01

Added

  • anolisa install now auto-installs missing system packages for raw components in system mode.
  • anolisa install --dry-run now labels unresolved dependencies as auto-install or manual.
  • anolisa install now reports packages auto-installed during raw component installs.
  • anolisa status --verbose now shows packages auto-installed for each component.

Changed

  • Commands that need repo access now download and validate repo.toml on first use.
  • Repo config dry-runs now fetch and validate without writing repo.toml.
  • RPM install and update now use only the repo.toml RPM repository.
  • User-mode raw installs now report missing dependencies with install commands before changing files.
  • Failed raw installs now list any auto-installed packages left on the system.
  • anolisa update self no longer fetches repo config before checking CLI updates.

Fixed

  • anolisa list --installed now includes adopted RPM components.
  • anolisa list now shows adopted, failed, and disabled component statuses.
  • Adapter commands now prefer resources from the datadir that supplied the component contract.
  • RPM installs now fail before dnf when [backends.rpm] is missing.
  • RPM updates now explain missing [backends.rpm] instead of using host repositories.

[0.1.17] - 2026-06-30

Added

  • Repository components.toml can now define component names, package aliases, and raw/RPM package mappings.
  • anolisa list --installed now filters installed components.

Changed

  • anolisa list and install --all now read components from components.toml instead of catalog.json.
  • anolisa list now shows NAME, SUMMARY, BACKENDS, and STATUS.
  • anolisa list --enabled is now a hidden alias for --installed.
  • ANOLISA_CATALOG_URL no longer changes list sources; configure repo.toml instead.
  • anolisa install, status, adopt, and repair now resolve RPM package aliases from components.toml.
  • anolisa status now suggests sudo anolisa adopt <component> for untracked RPM components.

Fixed

  • anolisa status <RPM package> now reports the canonical component row when an alias is installed.
  • anolisa repair <RPM package> now refreshes the canonical component row when an alias is used.
  • Non-root anolisa osbase mutations now reach the system helper instead of failing install-mode checks.
  • Commands now reject root --install-mode user before writing ambiguous user-mode state.
  • System-mode write commands now fail before changes when sudo is missing.
  • Existing installs with managed symlinks no longer show false symlink integrity failures after upgrade.
  • anolisa status now reports referent_mismatch when managed symlinks point elsewhere.

[0.1.16] - 2026-06-29

Added

  • anolisa osbase sandbox install runc now installs runc, containerd, Docker, and Docker client.
  • anolisa osbase sandbox install now enables services declared by sandbox scenarios.
  • anolisa osbase sandbox install now runs scenario verification commands after installation.
  • anolisa osbase sandbox install now records sandbox scenarios in installed.toml.
  • anolisa osbase sandbox install now reports optional scenario packages as hints.
  • rund, firecracker, and gvisor sandbox scenarios now define post-install checks.
  • anolisa adapter enable now supports adapter_type = "skill_bundle" for OpenClaw and Hermes skills.
  • The RPM package now installs default repo.toml to /etc/anolisa/repo.toml.
  • ANOLISA telemetry setup now installs log rotation for ops .jsonl files.

Changed

  • anolisa osbase sandbox install --dry-run now shows preflight, package, service, verify, and state phases.
  • anolisa osbase sandbox install runc now requires Linux kernel 4.18 or newer.
  • anolisa osbase sandbox install now reports verification failures as warnings when other phases succeed.
  • repo.toml now points RPM installs to the agentic-os repository path.
  • anolisa update self --json now reports apply mode, RPM package, and RPM version observations.
  • anolisa adapter status now treats skill bundles as healthy without plugin registration.
  • anolisa adapter enable now rejects skill bundles that declare framework config entries.

Fixed

  • RPM-backed commands now use the component name as the default package name.
  • anolisa update self now delegates RPM-owned CLI updates to dnf.
  • Non-root sandbox installs now show package, service, verify, and state phases.
  • Telemetry setup now runs the ilogtail installer with bash-compatible script handling.
  • anolisa adapter disable now cleans skill bundles without plugin unregister errors.

[0.1.15] - 2026-06-25

Added

  • anolisa doctor now reports component health, dependency status, and suggested fixes.
  • Raw components can now declare runtime dependencies for install and update preflight checks.
  • anolisa install --dry-run now previews runtime dependency status for raw components.

Changed

  • anolisa install and update <component> now refuse raw components with missing runtime dependencies before changing files.
  • anolisa restart <component> now restarts service units shipped by RPM-backed components.
  • anolisa restart <component> now shows guidance for RPM-backed template services instead of failing.

Fixed

  • anolisa adapter enable now expands {datadir} from the package that provided the adapter metadata.
  • After anolisa uninstall or forget, adapter commands no longer see stale component metadata.

[0.1.14] - 2026-06-24

Added

  • Raw components can now place systemd unit files with {unitdir}.
  • Raw components can now place user service unit files with {userunitdir}.
  • User-mode anolisa install now activates declared user-scope services.

Changed

  • User-mode anolisa install now resolves %u service templates to the current user.
  • System-mode anolisa install now preserves %u user service templates for later per-user activation.
  • anolisa uninstall now reloads systemd after removing declared service unit files.
  • anolisa restart <component> now restarts user-scope services from user-mode installs.

Fixed

  • anolisa install now starts freshly installed service units without a manual systemd reload.
  • anolisa uninstall now deactivates user-scope services from user-mode installs.
  • anolisa adapter enable now finds {datadir} skills from the package directory that provides the adapter.

[0.1.13] - 2026-06-23

Added

  • anolisa adapter enable now supports Hermes plugins.
  • anolisa adapter enable now installs declared OpenClaw skills.
  • anolisa adapter enable now applies declared OpenClaw config values.
  • anolisa install now starts declared services for raw components.
  • anolisa install now applies declared file capabilities for raw components.
  • anolisa install now runs declared hooks for raw components.
  • anolisa update <component> now restarts declared services for raw components.
  • anolisa update <component> now reapplies declared file capabilities for raw components.
  • anolisa uninstall now runs declared hooks for raw components.
  • anolisa uninstall now disables declared services after stopping them.

Changed

  • anolisa adapter scan now honors declared adapter resource locations.
  • anolisa adapter enable now reads package-installed adapter resources.
  • anolisa install --dry-run now previews declared capabilities for raw components.
  • anolisa register status now reports the latest registration after repeated changes.
  • Cancelled anolisa register and unregister prompts now exit successfully.

Fixed

  • anolisa adapter status now detects OpenClaw plugins from wrapped table output.
  • anolisa adapter status now ignores bundled Hermes plugins during checks.
  • anolisa adapter commands now find metadata shipped by RPM-installed components.
  • anolisa register status now reports sysom console registrations as active.

[0.1.12] - 2026-06-22

Added

  • anolisa update <component> can update raw-managed components from the raw backend.
  • anolisa osbase sandbox list shows scenarios from sandbox.toml.
  • anolisa osbase sandbox uninstall <scenario> can remove packages for a sandbox scenario.
  • anolisa system setup can install the helper service for non-root osbase commands.
  • anolisa system status can show helper health, version, uptime, and last operation.
  • anolisa system teardown can remove the helper service and sandbox config.
  • anolisa env --json includes distro identity fields.

Changed

  • anolisa osbase sandbox install <scenario> now installs scenarios defined in sandbox.toml.
  • Omitting --install-mode now selects system for root and user otherwise.
  • anolisa update <component> --dry-run now lists raw backend candidate versions.

Fixed

  • Legacy yum backend names in repo.toml and --backend now resolve to rpm.
  • Raw components installed with --package now update from the same package name.
  • anolisa update <component> now refuses raw updates that would downgrade a component.
  • anolisa update <component> now refuses raw updates when versions cannot be safely compared.

[0.1.11] - 2026-06-18

Added

  • anolisa adopt <component> can track a pre-installed system RPM without installing it.
  • anolisa repair <component> can refresh RPM component state after package details change.
  • anolisa forget <component> can stop tracking a component without removing packages or files.

Changed

  • anolisa status <component> now reports drifted RPM components when system package details change.
  • anolisa uninstall now keeps observed system RPMs unless --remove-system-package is used.
  • anolisa install now preserves adapter package resources when adopting RPM components.

[0.1.10] - 2026-06-17

Added

  • anolisa install --backend rpm can install missing RPM components through dnf and track them as managed.
  • anolisa install can adopt matching pre-installed system RPMs without downloading a raw package.
  • anolisa update <component> can update RPM-managed and RPM-observed components through dnf.
  • anolisa status now shows package, version, architecture, and source repo for RPM-backed components.
  • anolisa status <component> now reports matching untracked system RPMs as observed.

Changed

  • anolisa update runtime <component> is now anolisa update <component>; self and all stay subcommands.
  • repo.toml now uses [backends.rpm] instead of [backends.yum].
  • anolisa install --all now lists adopted RPM components in the batch summary.

Fixed

  • anolisa install --all now prints the reason for each failed component in human output.
  • anolisa install now refuses automatic RPM detection when rpm or dnf is missing, with a --backend raw hint.
  • anolisa install no longer replaces a raw install if another install finishes first.

[0.1.9] - 2026-06-16

Added

  • anolisa install --all can install every available component from the catalog.
  • anolisa install --all --fail-fast can stop after the first failed component.
  • anolisa install --all --json returns one batch summary with per-component results.
  • anolisa status now shows adapter summaries for installed components.

Changed

  • installed.toml now distinguishes ANOLISA-managed packages from observed system RPMs.

[0.1.8] - 2026-06-15

Added

  • anolisa adapter enable can now register installed adapters with OpenClaw.
  • anolisa adapter disable can now remove OpenClaw adapter registrations.
  • anolisa adapter status can now report OpenClaw adapter health.
  • anolisa adapter scan can now show installed adapter resources.

Changed

  • anolisa install now places adapter resources needed by later enablement.
  • anolisa uninstall now blocks components that still have enabled adapters.

[0.1.7] - 2026-06-13

Changed

  • User-mode library paths now resolve to ~/.local/lib/anolisa; other directories continue to follow XDG_* overrides.

Fixed

  • anolisa install no longer requires a local catalog entry before downloading from the remote repository.
  • anolisa install --dry-run can preview files and services without downloading the full package.

[0.1.6] - 2026-06-12

Added

  • anolisa osbase sandbox install gvisor now supports standalone, containerd, and substrate deployments. (#851)
  • anolisa list can derive the component catalog from repo.toml configuration. (#854)

Changed

  • Replaced the legacy "capability" model with a unified component lifecycle; old state auto-migrates on next write. (#876)

Fixed

  • anolisa list --enabled now correctly shows installed components instead of an empty list. (#872)
  • anolisa list no longer requires a separate local catalog file when repo.toml is configured. (#854)

[0.1.5] - 2026-06-11

Added

  • anolisa list reads from a remote or local component catalog and returns structured JSON. (#850)
  • anolisa install <component> downloads, verifies, and installs components from the remote repository. (#852)
  • anolisa uninstall supports the new component model while preserving legacy fallback. (#852)

Changed

  • Simplified CLI help around list, install, uninstall, status, doctor, logs, restart, update. (#850)

Fixed

  • anolisa list returns an empty list with a config hint when no catalog is configured. (#850)
  • Failed installs now automatically roll back partially-written files. (#852)

[0.1.4] - 2026-06-10

Added

  • anolisa adapter scan detects available framework integrations. (#808)
  • anolisa adapter install downloads verified packages and registers adapters with the target framework.
  • anolisa adapter remove safely removes only ANOLISA-managed files, with dry-run and JSON preview support.
  • anolisa adapter install tokenless openclaw wires up the tokenless adapter via the OpenClaw CLI.
  • anolisa enable fetches component metadata from the remote repository, with offline fallback.
  • anolisa status now includes component health check results.

Changed

  • Renamed subscription commands to top-level anolisa register / unregister.

Fixed

  • Adapter install/remove failures now roll back or preserve state for retry.

[0.1.3] - 2026-06-09

Added

  • anolisa --help now groups commands by category (everyday vs. management).
  • list command shows its ls alias in help output.
  • anolisa update self prints a changelog link on success.

Changed

  • Corrected package license metadata to Apache-2.0.

[0.1.2] - 2026-06-08

Added

  • anolisa bug generates a local diagnostic report with environment info and recent error logs.
  • anolisa self update added as an alias for anolisa update self.

Fixed

  • Restored the bug report issue template.

[0.1.1] - 2026-06-07

Added

  • anolisa osbase sandbox install provisions sandbox environments (firecracker and e2b backends).
  • anolisa register / unregister manages data-upload consent with 30-day deferral.
  • anolisa enable can configure log upload (ilogtail) with automatic region detection.
  • anolisa update self downloads and applies CLI updates with integrity verification and rollback.
  • Real dnf/apt package manager backends replacing placeholder stubs.
  • GitHub Actions CI for the anolisa workspace.

Fixed

  • Install script uses portable bash expansion instead of sed.

[0.1.0] - 2026-06-04

Initial alpha release of the ANOLISA CLI.

Added

  • CLI commands: env, list, status, logs, enable, disable, uninstall, restart, update, info, doctor.
  • Environment detection: OS, arch, kernel, distro, container runtime, user identity (graceful degradation).
  • Component lifecycle engine with preview-then-execute, integrity checks, and audit logging.
  • Configuration-driven feature gates for shipping new capabilities without code changes.
  • Declarative TOML component manifests with multi-architecture support.
  • install-anolisa.sh installer with three modes (local, checkout, URL), checksum verification, and --dry-run.
  • End-to-end smoke tests for agent-observability and token-optimization.

Capabilities shipped

CapabilityStatus
agent-observabilityenable fully wired (dry-run + real-execute)
Others (9 total)Manifest-only; enable returns NOT_IMPLEMENTED

Known limitations

  • Real-execute paths are Linux-only (darwin hosts can --dry-run only).
  • No signature verification or rpm/deb backend yet.
  • update command returns NOT_IMPLEMENTED.

变更日志

本文件记录 ANOLISA 的所有重要变更。

格式基于 Keep a Changelog, 版本号遵循 语义化版本

[未发布]

[0.2.2] - 2026-07-09

新增

  • anolisa update --check 现可只读报告 RPM 升级机会。
  • anolisa update --check --motd 现可输出简短登录升级提示。
  • anolisa upgrade 现可应用 RPM 工具链升级。
  • anolisa upgrade 现可安装目标配置缺失默认组件。
  • anolisa adapter scan 现将缺失来源的启用记录标为 orphaned。
  • anolisa adapter status 现将缺失适配器来源报告为降级。

变更

  • anolisa list 现显示可见用户和系统记录的 scope。
  • anolisa status 现显示 scope、可变性、遮蔽和状态路径。
  • anolisa doctor 现在用户模式诊断可读系统组件。
  • anolisa doctor 现为只读系统记录建议系统模式命令。
  • anolisa update --check 未指定 --target 时使用最新目标配置。
  • anolisa update --check --motd 现提示用 sudo anolisa upgrade

修复

  • anolisa uninstallforgetupdate 现拒绝只读系统目标。
  • anolisa upgrade 现将未解析默认组件报告为检查错误。
  • anolisa upgrade 刷新 RPM 详情失败时现会提示。

[0.2.1] - 2026-07-08

新增

  • anolisa adapter enable 现支持 cosh、Codex、Claude Code 的 Tokenless 适配器。
  • anolisa adapter enable 现支持 Qoder Tokenless 适配器。

变更

  • Claude Code 适配器现使用组件专属 marketplace。
  • anolisa adapter enable 现先拒绝无效适配器类型。

修复

  • Codex 适配器现可使用已打包数据目录资源。
  • Qoder 启用遇到损坏 settings.json 时不再覆盖。
  • Qoder 禁用现只移除 ANOLISA 添加的 hook。
  • Qoder 适配器现优先使用稳定版 qodercli。

[0.2.0] - 2026-07-07

新增

  • Raw 组件现可声明 conflicts 阻止不兼容安装。

修复

  • anolisa install 现会在变更主机前拒绝 Raw 组件冲突。
  • anolisa install --dry-run 现报告 Raw 组件冲突,不再显示无效计划。

[0.1.20] - 2026-07-03

新增

  • ANOLISA 现可通过 @anolisa/cli 发布 Linux x64 和 arm64 二进制。
  • repo.toml 现启用 npm 后端用于组件分发。

变更

  • anolisa list 现显示本地状态、归属和下一步操作。
  • anolisa list --json 现包含 RPM 包名、版本、架构和来源。

修复

  • RPM 安装和更新现可继续使用系统软件源解析依赖。
  • Adapter 命令现区分缺失清单和无效清单。

[0.1.19] - 2026-07-02

修复

  • anolisa adapter disable --dry-run 现只预览清理。
  • 只读命令保存 repo.toml 失败时仍可使用已下载配置。
  • 组件命令现可一致接受软件包别名。
  • 模糊软件包别名不再误选已安装组件。
  • 未知组件名不再先查询软件包。

[0.1.18] - 2026-07-01

新增

  • anolisa install 系统模式现自动安装缺失系统包。
  • anolisa install --dry-run 现标出依赖处理方式。
  • anolisa install 现显示自动安装的系统包。
  • anolisa status --verbose 现显示组件自动安装包。

变更

  • 需要仓库的命令现首次使用会下载 repo.toml
  • 仓库配置 dry-run 现只校验不写入。
  • RPM 安装和更新现只使用 repo.toml 源。
  • 用户模式 raw 安装现先提示缺失依赖。
  • raw 安装失败现提示已保留的自动安装包。
  • anolisa update self 不再预先获取仓库配置。

修复

  • anolisa list --installed 现包含已收编 RPM。
  • anolisa list 现显示 adopted、failed、disabled 状态。
  • Adapter 命令现优先使用契约所在数据目录资源。
  • 缺少 [backends.rpm] 时 RPM 安装不再调用 dnf
  • RPM 更新缺少 [backends.rpm] 时不再使用主机源。

[0.1.17] - 2026-06-30

新增

  • 仓库 components.toml 现可声明组件与包名映射。
  • anolisa list --installed 现过滤已安装组件。

变更

  • anolisa listinstall --all 现读取 components.toml
  • anolisa list 现显示 NAME、SUMMARY、BACKENDS、STATUS。
  • anolisa list --enabled 现作为隐藏别名保留。
  • ANOLISA_CATALOG_URL 不再控制列表来源。
  • installstatusadoptrepair 现解析 RPM 包别名。
  • anolisa status 现提示用 sudo anolisa adopt 收编 RPM。

修复

  • status <RPM 包> 现显示规范组件行。
  • repair <RPM 包> 现刷新规范组件行。
  • 非 root osbase 变更命令现可进入系统 helper。
  • root 用户模式现会在写入前被拒绝。
  • 缺少 sudo 的系统模式写入现提前失败。
  • 旧符号链接安装不再误报完整性失败。
  • status 现报告符号链接目标不匹配。

[0.1.16] - 2026-06-29

新增

  • anolisa osbase sandbox install runc 现安装 runc、containerd、Docker 和客户端。
  • anolisa osbase sandbox install 现启用场景声明的服务。
  • anolisa osbase sandbox install 现执行场景安装校验。
  • anolisa osbase sandbox install 现记录沙箱安装状态。
  • anolisa osbase sandbox install 现提示可选场景包。
  • rundfirecrackergvisor 场景现声明安装校验。
  • anolisa adapter enable 现支持 adapter_type = "skill_bundle"
  • RPM 包现安装默认 /etc/anolisa/repo.toml
  • ANOLISA 遥测现为 .jsonl 运维日志配置轮转。

变更

  • anolisa osbase sandbox install --dry-run 现显示五个安装阶段。
  • anolisa osbase sandbox install runc 现要求 Linux 4.18 及以上。
  • anolisa osbase sandbox install 校验失败现作为警告报告。
  • repo.toml 默认 RPM 源现指向 agentic-os 路径。
  • anolisa update self --json 现包含 RPM 包和版本信息。
  • anolisa adapter status 现不要求技能包注册插件。
  • anolisa adapter enable 现拒绝带配置的技能包。

修复

  • RPM 相关命令现默认用组件名作为包名。
  • anolisa update self 现通过 dnf 更新 RPM 安装。
  • 非 root 沙箱安装现显示完整阶段结果。
  • ilogtail 安装脚本需 bash 时现能正常运行。
  • anolisa adapter disable 清理技能包时不再报插件卸载错误。

[0.1.15] - 2026-06-25

新增

  • anolisa doctor 现输出组件健康、依赖和修复建议。
  • raw 组件现可声明运行依赖供安装和更新检查。
  • anolisa install --dry-run 现预览 raw 组件依赖状态。

变更

  • anolisa installupdate <component> 缺依赖时先停止。
  • anolisa restart <component> 现重启 RPM 组件服务。
  • anolisa restart <component> 遇到 RPM 模板服务时给出指引。

修复

  • anolisa adapter enable 现按包内元数据展开 {datadir}
  • anolisa uninstallforget 后 adapter 不再见旧元数据。

[0.1.14] - 2026-06-24

新增

  • raw 组件现可用 {unitdir} 放置系统单元。
  • raw 组件现可用 {userunitdir} 放置用户单元。
  • 用户模式 anolisa install 现会激活用户服务。

变更

  • 用户模式 anolisa install 现将 %u 展开为当前用户。
  • 系统模式 anolisa install 现保留 %u 用户模板。
  • anolisa uninstall 删除单元文件后现会重载 systemd。
  • anolisa restart <component> 现会重启用户服务。

修复

  • anolisa install 现无需手动重载即可启动新单元。
  • anolisa uninstall 现会停用用户模式安装的服务。
  • anolisa adapter enable 现从包目录查找 {datadir} 技能。

[0.1.13] - 2026-06-23

新增

  • anolisa adapter enable 现支持 Hermes 插件。
  • anolisa adapter enable 现安装声明的 OpenClaw 技能。
  • anolisa adapter enable 现写入声明的 OpenClaw 配置。
  • anolisa install 现启动 raw 组件声明的服务。
  • anolisa install 现设置 raw 组件声明的文件能力。
  • anolisa install 现执行 raw 组件声明的钩子。
  • anolisa update <component> 现重启 raw 组件声明的服务。
  • anolisa update <component> 现重设 raw 组件声明的文件能力。
  • anolisa uninstall 现执行 raw 组件卸载钩子。
  • anolisa uninstall 现停用已停止的声明服务。

变更

  • anolisa adapter scan 现按声明位置查找资源。
  • anolisa adapter enable 现读取包内适配器资源。
  • anolisa install --dry-run 现预览 raw 文件能力。
  • anolisa register status 现显示最新注册记录。
  • 取消 anolisa registerunregister 不再报错。

修复

  • anolisa adapter status 现能识别换行的 OpenClaw 表格。
  • anolisa adapter status 检查 Hermes 时忽略内置插件。
  • anolisa adapter 现能找到 RPM 组件附带的元数据。
  • anolisa register status 现显示 sysom 控制台注册。

[0.1.12] - 2026-06-22

新增

  • anolisa update <component> 可更新 raw 组件。
  • anolisa osbase sandbox list 可显示 sandbox.toml 场景。
  • anolisa osbase sandbox uninstall <scenario> 可移除场景软件包。
  • anolisa system setup 可为非 root osbase 命令安装助手服务。
  • anolisa system status 可显示助手健康状态。
  • anolisa system teardown 可移除助手服务和沙箱配置。
  • anolisa env --json 现包含发行版身份字段。

变更

  • anolisa osbase sandbox install <scenario> 现按 sandbox.toml 安装场景。
  • 未指定 --install-mode 时,root 用 system,普通用户用 user
  • anolisa update <component> --dry-run 现显示 raw 候选版本。

修复

  • yum 后端名现会作为 rpm 处理。
  • --package 安装的 raw 组件更新时复用包名。
  • anolisa update <component> 不再允许 raw 降级。
  • anolisa update <component> 无法比较版本时不再替换文件。

[0.1.11] - 2026-06-18

新增

  • anolisa adopt <component> 可接管预装 RPM。
  • anolisa repair <component> 可刷新漂移的 RPM 状态。
  • anolisa forget <component> 可停止跟踪组件。

变更

  • anolisa status <component> 现报告 RPM 状态漂移。
  • anolisa uninstall 默认保留观察到的系统 RPM。
  • anolisa install 接管 RPM 时保留适配器资源。

[0.1.10] - 2026-06-17

新增

  • anolisa install --backend rpm 可通过 dnf 安装缺失 RPM 组件。
  • anolisa install 可接管匹配的预装系统 RPM。
  • anolisa update <component> 可通过 dnf 更新 RPM 组件。
  • anolisa status 现显示 RPM 组件的软件包来源。
  • anolisa status <component> 现显示匹配的未跟踪系统 RPM。

变更

  • anolisa update runtime <component> 改为 anolisa update <component>
  • repo.toml 现使用 [backends.rpm] 替代 [backends.yum]
  • anolisa install --all 现在批量摘要列出接管的 RPM。

修复

  • anolisa install --all 现在普通输出显示各组件失败原因。
  • anolisa install 在缺少 rpmdnf 时提示 --backend raw
  • anolisa install 不再覆盖先完成的 raw 安装。

[0.1.9] - 2026-06-16

新增

  • anolisa install --all 可安装目录中的所有可用组件。
  • anolisa install --all --fail-fast 可在首个失败组件后停止。
  • anolisa install --all --json 现返回按组件汇总的批量结果。
  • anolisa status 现显示已安装组件的适配器摘要。

变更

  • installed.toml 现区分 ANOLISA 管理包和只观察的系统 RPM。

[0.1.8] - 2026-06-15

新增

  • anolisa adapter enable 现可将已安装适配器注册到 OpenClaw。
  • anolisa adapter disable 现可移除 OpenClaw 适配器注册。
  • anolisa adapter status 现可报告 OpenClaw 适配器健康状态。
  • anolisa adapter scan 现可显示已安装适配器资源。

变更

  • anolisa install 现会放置后续启用所需的适配器资源。
  • anolisa uninstall 现会阻止移除仍有启用适配器的组件。

[0.1.7] - 2026-06-13

变更

  • 用户态库路径调整为 ~/.local/lib/anolisa;其余目录继续遵循 XDG_* 环境变量覆盖。

修复

  • anolisa install 不再要求本地已有组件目录条目即可从远程仓库下载安装。
  • anolisa install --dry-run 无需下载完整安装包即可预览文件和服务列表。

[0.1.6] - 2026-06-12

新增

  • anolisa osbase sandbox install gvisor 支持 standalone、containerd 和 substrate 三种部署形态。(#851)
  • anolisa list 可从 repo.toml 配置自动发现组件目录。(#854)

变更

  • 废弃旧版"能力"模型,统一为组件生命周期;旧状态在下次写入时自动迁移。(#876)

修复

  • anolisa list --enabled 现在正确显示已安装组件,而非空列表。(#872)
  • anolisa list 在已配置 repo.toml 时不再要求额外的本地目录文件。(#854)

[0.1.5] - 2026-06-11

新增

  • anolisa list 从远程或本地组件目录读取并返回结构化 JSON。(#850)
  • anolisa install <组件> 从远程仓库下载、校验并安装组件。(#852)
  • anolisa uninstall 支持新组件模型,同时保留旧版回退。(#852)

变更

  • 简化 CLI 帮助输出,围绕 listinstalluninstallstatusdoctorlogsrestartupdate 重新分组。(#850)

修复

  • 未配置组件目录时,anolisa list 返回空列表并提示配置方法。(#850)
  • 安装中途失败时自动回滚已写入的文件。(#852)

[0.1.4] - 2026-06-10

新增

  • anolisa adapter scan 探测已安装的 Agent 框架集成。(#808)
  • anolisa adapter install 下载校验后的安装包并注册到目标框架。
  • anolisa adapter remove 安全移除 ANOLISA 管理的文件,支持预览和 dry-run。
  • anolisa adapter install tokenless openclaw 通过 OpenClaw CLI 注册 tokenless 适配器。
  • anolisa enable 从远程仓库获取组件元数据,离线时降级到本地缓存。
  • anolisa status 输出中新增组件健康检查结果。

变更

  • 订阅管理命令提升为顶层 anolisa register / unregister

修复

  • adapter 安装或移除失败时自动回滚或保留状态以便重试。

[0.1.3] - 2026-06-09

新增

  • anolisa --help 按类别分组展示命令(日常操作 vs. 管理命令)。
  • list 命令在帮助中展示 ls 别名。
  • anolisa update self 成功后输出 changelog 链接。

变更

  • 修正包 license 元数据为 Apache-2.0。

[0.1.2] - 2026-06-08

新增

  • anolisa bug 生成本地诊断报告,包含环境信息和近期错误日志。
  • anolisa self update 作为 anolisa update self 的别名。

修复

  • 恢复 bug report issue 模板。

[0.1.1] - 2026-06-07

新增

  • anolisa osbase sandbox install 一键部署沙箱环境(支持 firecracker 和 e2b 后端)。
  • anolisa register / unregister 管理数据上传授权,支持 30 天延后。
  • anolisa enable 可配置日志上传(ilogtail),自动探测地域。
  • anolisa update self 下载并应用 CLI 更新,含完整性校验和失败回滚。
  • 真实的 dnf/apt 包管理器后端,替换占位实现。
  • anolisa 工作区 GitHub Actions CI。

修复

  • 安装脚本改用 bash 参数展开替代 sed,提升可移植性。

[0.1.0] - 2026-06-04

ANOLISA CLI 首个 alpha 版本。

新增

  • CLI 命令:envliststatuslogsenabledisableuninstallrestartupdateinfodoctor
  • 环境探测:OS、架构、内核、发行版、容器运行时、用户身份(探测失败时优雅降级)。
  • 组件生命周期引擎:先预览再执行,含完整性校验和操作日志。
  • 配置驱动的上线门控,新能力无需改代码即可发布。
  • 声明式 TOML 组件清单,支持多架构。
  • install-anolisa.sh 安装器:三种模式(本地、checkout、URL),支持校验和 --dry-run
  • agent-observability 和 token-optimization 端到端冒烟测试。

已交付能力

能力状态
agent-observabilityenable 完整链路(dry-run + 真实执行)
其余 9 个仅清单;enable 返回 NOT_IMPLEMENTED

已知限制

  • 真实执行路径仅限 Linux(darwin 宿主只能 --dry-run)。
  • 尚无签名校验和 rpm/deb 后端。
  • update 命令返回 NOT_IMPLEMENTED。

Changelog

All notable changes to ANOLISA Anvil will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[0.2.0] - 2026-06-30

Added

  • FirecrackerSpawner: Firecracker microVM backend, daemon auto-detects and selects strongest isolation at startup.
  • TCP remote API: configurable [listen].http_addr enables TCP listener (port 14159) for platform calls.
  • Prioritized backend selection: build_spawner() auto-selects by firecracker → linux-sandbox → mock priority.
  • Storage section: [storage].images_dir unifies vmlinux/rootfs lookup path.
  • Packaging skeleton: dist/anvil.service (systemd unit) + anvil.spec (RPM) + tmpfiles-anvil.conf.
  • [backends] config section for direct backend binary path mapping.

[0.1.3] - 2026-06-24

Changed

  • Sandbox processes now run with full namespace isolation (PID, network, filesystem).

[0.1.2] - 2026-06-22

Added

  • Sandbox processes are now managed by the daemon: auto-spawn on create, auto-kill on destroy.
  • Daemon gracefully degrades when backend binary is unavailable (useful for dev environments).

[0.1.1] - 2026-06-20

Added

  • Policy validation rejects unsafe configurations before sandbox starts.
  • Safe coordination with osbase sandbox uninstall (prevents removing in-use backends).

[0.1.0] - 2026-06-18

Initial scaffold of ANOLISA Anvil per-host sandbox daemon.

Added

  • Create, list, inspect, checkpoint (state-only), reset, and destroy sandboxes via HTTP API.
  • Policy-driven backend selection: assign workload class → get the right sandbox type automatically.
  • Warm pool: pre-created sandboxes ready for instant allocation, configurable min/target/max.
  • Template sharing: multiple sandboxes share one base memory image, reducing per-instance cost.
  • Prometheus metrics endpoint for monitoring.

变更日志

本文件记录 ANOLISA Anvil 的所有重要变更。

格式基于 Keep a Changelog, 版本号遵循 语义化版本

[未发布]

[0.2.0] - 2026-06-30

新增

  • FirecrackerSpawner:支持 Firecracker microVM 后端,daemon 启动时自动探测并选择最强隔离。
  • TCP 远程 API:可配置 [listen].http_addr 开启 TCP 监听(端口 14159),供平台远程调用。
  • 优先级后端选择:build_spawner() 按 firecracker → linux-sandbox → mock 优先级自动选型。
  • Storage section:[storage].images_dir 统一管理 vmlinux/rootfs 查找路径。
  • 打包骨架:dist/anvil.service(systemd unit)+ anvil.spec(RPM)+ tmpfiles-anvil.conf
  • [backends] 配置段,直接映射后端二进制路径。

[0.1.3] - 2026-06-24

变更

  • sandbox 进程现在运行在完整 namespace 隔离中(PID、网络、文件系统)。

[0.1.2] - 2026-06-22

新增

  • daemon 现在管理 sandbox 进程生命周期:创建时自动启动,销毁时自动终止。
  • backend 二进制不可用时优雅降级(便于开发环境使用)。

[0.1.1] - 2026-06-20

新增

  • Policy 校验在 sandbox 启动前拒绝不安全的配置。
  • osbase sandbox uninstall 安全协调(防止移除正在使用的 backend)。

[0.1.0] - 2026-06-18

ANOLISA Anvil 首个骨架版本。

新增

  • 通过 HTTP API 创建、列出、查看、checkpoint(仅状态转换)、reset、销毁 sandbox。
  • 策略驱动的 backend 选型:指定 workload class 即可自动匹配合适的 sandbox 类型。
  • Warm pool:预创建 sandbox 随时分配,可配置 min/target/max 容量。
  • 模板共享:多个 sandbox 共用一份 base 内存镜像,降低单实例内存开销。
  • Prometheus metrics 端点,供监控系统采集。

Changelog

2.6.1

  • Added npm packaging support for CLI and cosh. (#1307)
  • Added multi-hook toggles support. (#1206)
  • Fixed tips banner to stay visible after initial login. (#1308)
  • Fixed Ctrl+O to prioritize error details over compact mode. (#1202)
  • Fixed system-profile BINDIR to follow PREFIX. (#1193)
  • Fixed AfterModel hook non-blocking notifications not surfacing. (#1182)
  • Updated component docs to migrate into user-guide and developer-guide. (#1295)
  • Added copilot-shell zh/en user and developer docs. (#1236)
  • Fixed CONTRIBUTING.md file mode from symlink to regular file. (65601f06)

2.6.0

  • Added multi-hook enable and disable support to /hooks. (#1200)
  • Added cosh-ng compatibility with cosh-switch. (#1169)
  • Added instance_id to SysOM API request params. (#1160)
  • Added anolisa component contract. (#1128)
  • Added SLS JSONL session telemetry with expanded metrics. (#1057)
  • Added authenticated models display in /model dialog. (#1030)
  • Added kitty csi-u keys support with sequence timeout management. (#552)
  • Added large paste placeholder and fixed placeholder id reset on esc cancel. (#312)
  • Fixed SLS log write to skip when file does not exist or is not writable. (#1101)
  • Fixed useless sandbox guard and failure handler hooks by removing them. (#979)
  • Fixed missing keyboard shortcut hints in footer status bar. (#921)
  • Fixed response language and model identity rules. (#920)
  • Fixed sub-model refusal detection and byteLength display. (#895)
  • Fixed webfetch sub-model output validation to avoid silent refusals. (#895)
  • Fixed thinking output to be distinguished from user input with prefix and color. (#894)
  • Fixed custom model configuration to be preserved. (#887)
  • Fixed partial message finalization on API error. (#801)
  • Fixed API error reporting in all output formats, not only text. (#801)
  • Improved escape key handling by unifying it in appcontainer. (#437)

2.5.0

  • Fixed missing esc hint in tool confirmation footer status bar (#732)
  • Fixed invisible cursor in provider/auth config inputs (#683)

2.4.1

  • Fixed HookSystemMessage rendering as info and resolved Content/Thought duplication (#636)
  • Fixed prompt ids to remain monotonic after shell remount (#628)

2.4.0

  • Added DashScope Token Plan provider entry to the OpenAI-compatible auth dialog. (#598)
  • Added UserPromptSubmit and PostToolUse hook reason surfacing in the UI. (#545)
  • Added run_id field to HookInput for per-run event correlation. (#482)
  • Fixed UserPromptSubmit hook decision merging to enforce safety priority over allow. (#597)
  • Fixed missing tool_use_id in PreToolUse hook input. (#559)
  • Fixed memory hooks lock takeover with atomic rename and async IO. (#550)
  • Fixed auto-memory workspace cleanup wiping user-added directories. (#548)
  • Fixed auto-memory session hook missing read_file events due to wrong arg key. (#547)
  • Fixed run_id ordering by setting it before UserPromptSubmit hook fires. (#537)
  • Fixed UserPromptSubmit hook firing on tool-result and Stop continuations. (#534)
  • Updated installer to support multiple install profiles. (#541)

2.3.0

  • BREAKING Removed qwen-oauth authentication support. (#455)
  • Added auto memory background extraction system. (#465)
  • Added full shell command display in hook-ask and exec confirm dialogs. (#452)
  • Added esc key to cancel running slash commands. (#290)
  • Fixed JavaScript heap out of memory during long sessions. (#462)
  • Fixed missing allow decision reason in UI when systemMessage is absent. (#435)
  • Improved test coverage with standalone tests for ExecCommandPreview. (#460)
  • Updated hook docs to clarify difference between systemMessage and reason. (#436)

2.2.1

  • Fixed initial chat being blocked during skill/subagent first-load discovery. (#418)
  • Fixed missing tool_use_id in PostToolUse hook event payload. (#414)
  • Fixed missing skill_context in PreToolUse hook input for resolved skill path. (#409)
  • Fixed missing auto-completion for /statusline subcommands. (#408)
  • Fixed unavailable agents appearing in the key sharing prompt. (#394)
  • Fixed bash option not being restored after canceling from the provider screen. (#393)
  • Fixed hook systemMessages to be concatenated with a [name] prefix for clarity. (#387)

2.2.0

  • Added ask decision support for UserPromptSubmit hook. (#328)
  • Added new command for Clawhub CLI. (#313)
  • Added interactive Skills TUI Panel with enable/disable support. (#311)
  • Added variable substitution and display control for extension TOML commands. (#291)
  • Added immediate hook activation on extension install/uninstall. (#283)
  • Added ask decision support for PreToolUse hooks. (#276)
  • Added configurable status bar. (#251)
  • Added /export command for session history. (#245)
  • Fixed API key validation to skip non-Dashscope providers. (#337)
  • Fixed PreToolUse ask dialog by unifying it to info type with diff preview. (#345)
  • Fixed memory leak in memory management. (#309)
  • Fixed extension lifecycle reliability. (#298)
  • Fixed hook registry sync on extension enable/disable. (#298)
  • Fixed interface crash caused by leftBottomContent of Box nested in Text in Footer. (#293)
  • Fixed /hooks install command by removing it and adding default help. (#287)
  • Fixed extension examples installation and package configuration. (#271)

2.1.0

  • Added startup bash entry and simplified manual auth dialog. (#217)
  • Added async fzf-based tab completion optimization. (#214)
  • Fixed OpenAI API key and model validation via /models endpoint on auth. (#243)
  • Fixed API key retention when navigating to apiKey field in auth dialog. (#241)
  • Fixed node-pty native binary bundling for both linux architectures. (#232)
  • Fixed stream redaction by replacing integer offset with committed text reference. (#210)
  • Fixed missing fields in hook system. (#188)

2.0.4

  • Added STS authentication support via ECS RAM role. (#161)
  • Added BeforeModel, AfterModel, and BeforeToolSelection hooks. (#154)
  • Added sandbox usage summary on session exit. (#137)
  • Added Tab-completion for ! shell mode. (#131)
  • Fixed config-dir source unification and prevented ~/.copilot creation on startup. (#171)
  • Fixed /bug command crash in headless environment. (#175)
  • Fixed undefined metrics.sandbox in StatsDisplay. (#171)
  • Supplement /hooks install step to post-installation guide. (#142)
  • Supplement hooks documentation (index, reference, writing-hooks). (#142)

2.0.3

  • Migrated config directory from ~/.copilot to ~/.copilot-shell. (#78)
  • Added API key detection from configured agents with user approval on bootstrap. (#127)
  • Added support for configuring multiple custom model providers. (task#80737766)
  • Added global API endpoint support for Dashscope. (#133)
  • Added custom skill paths support via settings.json. (#128)
  • Added support for loading skills from extension directories with cosh-extension.json compatibility. (#54)
  • Added /bug command for submitting bug reports. (#122)
  • Added sandbox-guard install command with bypass approval flow. (#125)
  • Added secret redaction for model output and tool results. (#100)
  • Added extensible feature tip banner for first-launch guidance. (#113)
  • Added built-in /dir cd command for in-session directory navigation. (#19)
  • Added session renaming command. (task#80737766)
  • Added nvm-aware Node.js detection in cosh wrapper script. (#72)
  • Added system-level install via Makefile with FHS-compliant directory layout. (#72)
  • Fixed 24-item limit on @ file completion menu. (#92)
  • Fixed TUI flicker on Qwen OAuth page in limited-height terminals. (#76)
  • Fixed left-arrow key not wrapping from line start to previous line end. (#53)
  • Fixed irrelevant info display in /model command. (#85)
  • Fixed credentials encryption support in settings.json. (#90)
  • Fixed test failure when running as root user. (#29)
  • Fixed pre-commit hook working directory for lint-staged. (#90)
  • Configured Husky hooks and documented pre-commit setup. (#65)

2.0.1

  • Renamed OpenAI authentication label to "BaiLian (OpenAI Compatible)" for clarity.
  • Fixed login shell stdin drain to prevent unwanted input echo.
  • Removed ripgrep unavailable warning message.

2.0.0

  • Synced upstream qwen-code to v0.9.0 and rebranded to Copilot Shell.
  • Bumped version directly to 2.0.0 (skipping 1.x, which was used by a previous OS Copilot release).
  • Integrated Skill-OS online remote skill discovery with priority-based fallback (Project > User > Extension > Remote).
  • Added /skills remote and /skills cache clear commands for remote skill management.
  • Added /bash interactive shell mode
  • Added -c argument support for inline bash commands.
  • Added PTY mode for sudo command support.
  • Added hooks system with PreToolUse event for intercepting tool calls before execution.
  • Added new model provider named Aliyun
  • Added nested startup detection warning banner.
  • Added system-wide skill path (/usr/share) support.
  • Removed original Gemini sandbox.
  • Fixed skill frontmatter parsing for YAML special characters (|, &, >).
  • Fixed login escaped character echo issue in ECS workbench.
  • Fixed Linux headless environment browser open failure when auth with Qwen OAuth.
  • Fixed Qwen OAuth authentication, replay, and UI rendering issues.
  • Fixed exception handling when adding workspace directories.
  • Fixed user query start with unix path being misidentified as command.
  • Fixed API key display explicitly.
  • Fixed Chinese i18n for /resume command.
  • Improved ? hint visibility — hidden while user is typing.
  • Miscellaneous UI, branding, CI, and build improvements.

Changelog

All notable changes to the cosh-ng project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[0.11.0] — 2026-06-28

Added

  • Aliyun authentication provider with ECS auto-detection, STS credentials, and QR code flow
  • SysOM Aliyun provider with ACS3 signing for LLM API access
  • Per-turn SLS JSONL logging for observability
  • SysOM request source identification headers
  • Structured tracing logging system across all crates
  • Sandbox bypass approval flow on PostToolUseFailure hook events
  • Startup health scan for environment diagnostics
  • Extension/hook/skill enable/disable commands (/extensions, /hooks, /skills)
  • Unified component state management module
  • Dedicated HOOK approval panel with simplified UI
  • UserPromptSubmit hook with Ask approval enforcement
  • Shell evidence read admission control in cosh-core
  • Tool activity rendering in cosh-shell
  • cosh-switch hint in startup banner for toggling between cosh-ng and copilot-shell

Changed

  • BREAKING: Rename CLI binary from cosh to cosh-cli; remove dispatch_core
  • RPM spec: install cosh-cli binary, /usr/bin/cosh launcher, cosh-switch script, Conflicts: copilot-shell
  • Replace eprintln with structured tracing macros
  • Unify hook decision aggregation with fold_decision
  • Update workspace repository URL to github.com/alibaba/anolisa

Fixed

  • Auth ECS flow and panel overlap on phase transitions
  • Auth QR code rendered without ANSI escape codes
  • Use SysomProvider for aliyun after auth success
  • Align hook input fields and AfterModel/wrap_tool_response with copilot-shell protocol
  • tool_result dedup guard and visibility
  • Restore prompt before shell handoff
  • Suppress duplicate evidence reads
  • Reduce failed-command auto analysis noise
  • Skill existence check and harden approval matching
  • Resolve clippy warnings across cosh-core and cosh-shell

[0.10.0] — 2026-06-23

Added

  • Shell evidence protocol for capturing and replaying command execution context
  • Shell evidence control tool in cosh-core for evidence lifecycle management
  • Hook protocol aligned with copilot-shell for zero-change extension support
  • Per-hook decision propagation through notification protocol
  • Hook warnings rendered with per-hook decision color-coding in cosh-shell

Changed

  • Share agent error display text across cosh-shell modules

Tests

  • Cover shell evidence raw CLI flows

[0.9.0] — 2026-06-22

Added

  • Hook notifications integrated into approval panel with ⚠ warning display
  • Hook ask decisions enforce user approval even in Trust/Auto modes
  • Extended hook system with tool_use_id association and new event types
  • Registry protocol for /extensions /skills /hooks slash commands

Fixed

  • Show Registry group in /help output

Changed

  • Remove dead skill management code

[0.8.0] — 2026-06-18

Changed

  • Rename cosh-tui crate and binary to cosh-core across the entire workspace
  • Update adapter system: CoshTuiAdapterCoshCoreAdapter, AdapterKind::CoshTuiCoshCore
  • Update environment variable COSH_TUI_PATHCOSH_CORE_PATH
  • Update RPM spec, documentation, and all test fixtures

Fixed

  • Neutralize agent status text in streaming cards
  • Align streaming card widths in cosh-shell

[0.7.0] — 2026-06-17

Added

  • Extension discovery and loading module with cosh-extension.json manifest support
  • Extension hooks integrated into startup lifecycle
  • Skill module with multi-level loading (built-in, user, project) and hot-reload
  • SkillManager integrated into tool registry and startup
  • Available skills injected into system prompt for LLM discovery

Fixed

  • Infinite loop in expand_env_vars when environment variable is undefined
  • Warn on unsupported extension hook events (PostToolUseFailure, BeforeModel, AfterModel) instead of silently discarding
  • Align extension hooks format with copilot-shell nested group structure
  • Remove unused args parameter from skill tool schema to avoid misleading LLM
  • Show question free text answers in cosh-shell
  • Harden foreground shell handoffs
  • Share copilot shell config path and keep legacy config fallback

Changed

  • Normalize cosh-shell config keys
  • Standardize cosh-shell code and test organization
  • Move user state under copilot shell scope

[0.6.0] — 2026-06-16

Added

  • P0 hook system with 5 lifecycle events (on_session_start, on_turn_start, on_turn_end, on_tool_call, on_session_end) in cosh-tui
  • Shell approval classification and hook origin tracking in cosh-shell
  • Migrate current cosh shell into monorepo workspace

Fixed

  • Address approval review findings in cosh-shell
  • Harden shell evidence continuation to prevent dropped context
  • Normalize tool call streaming protocol in cosh-tui
  • Fix passthrough for subcommands in cosh-shell

[0.5.0] — 2026-06-15

Added

  • CoshTuiAdapter persistent process mode (spawn once, reuse across agent runs, auto-restart on death)
  • ask_user round-trip through control protocol (agent can ask inline questions routed to TUI)

Changed

  • Split cosh-tui main into cli/headless/interactive modules
  • Rename binary from cosh-tui-core back to cosh-tui

[0.4.1] — 2026-06-15

Added

  • settings.json → config.toml auto-migration with AES-256-GCM encrypted API key decryption
  • JSONL protocol and tool approval integration tests

Fixed

  • Prepend precmd in PROMPT_COMMAND to capture real exit code (Alibaba Cloud Linux /etc/bashrc issue)

[0.4.0] — 2026-06-15

Added

  • JSONL wire protocol (InputMessage / OutputMessage) for cosh-shell ↔ cosh-tui communication
  • Provider abstraction with OpenAI-compatible streaming (DashScope, OpenAI, DeepSeek, Generic profiles)
  • Tool execution framework with 7 built-in tools (shell, read_file, write_file, edit, grep, todo, skill) and approval control
  • Context window management, message truncation, loop detection, conversation compression
  • Lifecycle hooks framework
  • CoshCore agent loop engine
  • TOML-based multi-provider config with environment variable expansion

Changed

  • BREAKING: Binary interface from ratatui interactive TUI to JSONL stdin/stdout backend
  • BREAKING: Config format from settings.json to config.toml
  • Rewrite session store with single-file JSON persistence

Removed

  • Legacy ratatui-based TUI code (app, commands, llm, logger, theme, tools, ui modules)

[0.3.0] — 2026-06-15

Added

  • cosh-shell crate — PTY-based AI-augmented shell host with OSC marker protocol
  • Claude, Qwen, Fake AI adapters with streaming support
  • Inline rendering engine (approval, question, recommendation, activity panels)
  • Governance layer with approval modes
  • Terminal recovery via signal handlers (SIGTERM/SIGHUP/SIGQUIT) and panic hook
  • Exit code classification with 8 categories (Smart/Auto/Manual analysis modes)
  • Tool display engine with per-tool-type parsing and ANSI color categories
  • Hook engine with built-in hooks (FailedCommandHook, TestFailureHook) and skill routing
  • External hook loading from ~/.config/cosh/hooks/ with subprocess execution
  • Native shell compatibility (rcfile loading, PS1, history, login shell detection)
  • Context window with sliding window (max commands, max age, token budget)
  • Prompt intent optimization (do → Bash tool, know → prose)
  • Natural language intercept with visual feedback
  • InputClassifier conservative mode for native mode
  • Analysis throttle (30s cooldown, max 3 consecutive)
  • Consultation card rendering with keyboard capture
  • Control protocol for tool approval round-trips
  • Startup banner with gradient ASCII art logo
  • /mode and /hooks slash commands
  • Architecture documentation

Fixed

  • Native mode input rendering with powerlevel10k dual-line prompts
  • Slash/NL intercept via buffered-then-judge strategy in native mode
  • Zsh preexec intercept for command_not_found
  • CandidateRedraw line clearing for CJK input and backspace
  • Suppress cosh-osc$ prompt leak in native mode
  • Tool display label matching in bash tool executor
  • Wide character placeholder cell handling in buffer extraction

Changed

  • Unified workspace version (0.3.0) for all crates (cosh-types, cosh-platform, cosh-cli, cosh-shell, cosh-tui)

[0.2.0] - 2026-05-16

Hardening + audit-subsystem release. Workspace versions bumped to 0.2.0 together with the release profile and lockfile commit.

Added

  • audit subsystem with PEP/PDP/log split: cosh audit check / cosh audit log for command-safety gating and per-session retrieval.
  • Workspace release profile (opt-level = 3, lto = true, strip = true, codegen-units = 1), committed Cargo.lock, workspace-level dependency pinning, and native CA cert support.
  • Command timeouts, input validation, and panic-safe JSON output across cosh-cli and cosh-platform so a panic still emits a CoshResponse envelope on stderr instead of an empty exit.
  • forbid(unsafe_code) on cosh-cli / cosh-platform, plus svc list --state filter validation against an allow-list.
  • pkg search cross-references installed status so results show which matches are already installed.
  • ResponseMeta.warning field for non-fatal warnings; audit responses are explicitly marked as stub via this field.
  • LLM tool surface expansion in cosh-tui: pkg / svc / checkpoint wrapper tools, plus svc enable / svc disable --dry-run.
  • Timeouts + exponential-backoff retries on LLM and external command tools in cosh-tui; 60 s shell-tool timeout.

Changed

  • TUI /help aligned with the full command set; title bar version and markdown prefix stripping corrected.
  • Clippy warnings resolved across the workspace; dead-code allowances dropped; test code aligned with production lint level.
  • Build warnings eliminated and version detection improved across cosh-tui / cosh-platform.

Fixed

  • Shell safety check tokenized to close tab / newline / redirect / chain bypasses; substring matching on raw command strings replaced with whitespace (incl. \t / \n / \r) tokenization and metacharacter rejection (; | & > < $ ` ( ) { }) — is_safe_command in crates/cosh-tui/src/tools/shell.rs.
  • Forbidden tool calls are now blocked even under Yolo approval mode.
  • cosh-cli wrapper tool output is bounded so a chatty subcommand cannot blow the LLM context window.
  • Tool-call IDs synthesized via a process-wide counter to guarantee uniqueness across the agentic loop.
  • settings.json and session files written atomically with 0600 permissions.
  • Runtime bounds enforced for the agentic loop, history, config, and tool messages; scrollback bounded with UTF-8-safe truncation.
  • Panic hook installed in the TUI; history navigation recovered after panic.
  • ws-ckpt IPC response size bounded to 64 MiB.
  • Nonexistent systemd services detected via LoadState=not-found instead of misclassifying them as "inactive".

Security

  • Audit-stub recoverable / hint semantics surface clearly to agents via the standard CoshError envelope.
  • Atomic-rename + 0600 perms on credential-bearing files.

[0.1.0] - 2026-05-10

Initial public-shaped release after renaming the workspace from agos-core to cosh-ng and adding the interactive TUI crate.

Added

  • 4-crate workspace: cosh-types, cosh-platform, cosh-cli, cosh-tui with strict dependency direction cosh-cli / cosh-tuicosh-platformcosh-types.
  • cosh CLI binary with dual-mode dispatch: cosh (no args) execs into cosh-tui, cosh <subsystem> <action> returns structured JSON.
  • Cross-distro pkg subsystem: install / remove / search / list routed across dnf / apt-get (apt-cache for search) / zypper based on Distro::detect() reading /etc/os-release.
  • svc subsystem over systemctl: status / start / stop / restart / enable / disable / list, with uptime and corrected column mapping in list.
  • checkpoint subsystem talking to the ws-ckpt daemon over Unix-socket IPC; bincode wire format with 4-byte LE length prefix and explicit protocol versioning + error handling. Commands: init / create / list / restore / recover / delete / diff / cleanup / status.
  • cosh-tui interactive TUI on ratatui + crossterm: slash-command system with auto-complete, session management, theming, custom border set, echo-on-submit.
  • Agentic loop with cosh-cli wrapper tools in cosh-tui, bringing pkg / svc / checkpoint tooling to the LLM (initially shipped as cosh-tui v0.4.0).
  • LLM chat integration with config-driven providers and UI surfacing.
  • Unified settings.json V2 config consolidating prior scattered config files.
  • AES-256-GCM decryption for encrypted credentials.
  • macOS detection + Homebrew backend in cosh-platform, with unit tests.
  • Unified JSON envelope CoshResponse<T> with ok / data / error / meta, classified CoshError carrying recoverable and hint for agent retry decisions.
  • Integration tests for pkg and checkpoint CLI commands.

Changed

  • Workspace renamed from agos-core (with agos-types / agos-platform / agos-cli) to cosh-ng (with cosh-* crates); agos-cli and agos-platform removed in the same commit.
  • cosh-tui checkpoint tooling adapted to the new daemon protocol.

Fixed

  • cosh-cli stdout validated as JSON before forwarding to the LLM, preventing parser confusion on malformed bytes.

[pre-0.1.0] - 2026-05-03 → 2026-05-08

Pre-rename agos-core foundation.

Added

  • Initial 2-crate workspace agos-types + agos-platform.
  • agos-cli cross-distro CLI prototype with pkg, svc, checkpoint, audit command shapes.
  • MVP v2 CLI Gateway architecture document and bilingual (English / Chinese) usage guide.

Changelog

All notable changes to ktuner are documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

  • Initial kernel-tuning engine: check/tune/fix/why/rollback commands evaluate 207 rules and output structured JSON tuning recommendations.

Changelog

0.6.1

  • Rewrote sysom-diagnosis skill and removed legacy CLI. (#1241)
  • Fixed OpenClaw gateway write scope verification in install-openclaw skill. (#1205)

0.6.0

  • Added anolisa component contract (component.toml, Makefile, RPM spec). (#1159)
  • Added OpenClaw bootstrap guidance to install-openclaw skill. (#1051)
  • Added model endpoint preflight before gateway startup in install-openclaw skill. (#1031)
  • Added static knowledge base update script for anolisa-guide skill. (#1010)
  • Added anolisa-guide skill. (#849)
  • Fixed Aliyun mirror fallback for uv and qwenpaw install. (#968)
  • Fixed dashscope proxy URL to new Anthropic endpoint in install-claude-code skill. (#858)
  • Renamed copaw to qwenpaw across os-skills. (#968)

0.5.0

  • Added anolisa-register skill. (#829)

0.4.0

  • Added auto-install tokenless plugin support for agent install skills. (#731)
  • Added OpenClaw dependency precheck. (#719)
  • Improved OpenClaw non-interactive setup. (#687)
  • Added Hermes adapter runner. (#617)
  • Added standalone ANOLISA adapter entry. (#549)
  • Fixed OpenClaw state dir handling normalization. (#641)
  • Improved Makefile install paths and contract. (#541)

0.3.0

  • Added hermes-agent-install skill. (#353)
  • Added clawhub-skill-mng skill with npm install support and YAML description matching. (#315)
  • Fixed AgentSight custom db path issue, using default paths instead. (#366)
  • Fixed AgentSight token savings query support. (#355)
  • Fixed AgentSight interruption CLI and aligned conversation_id naming. (#334)

0.2.2

  • Support enable AgentSight dashboard in agentsight skill. (#222)

0.2.1

  • Upgraded xlsx skill with MiniMax open-source implementation. (#218)
  • Updated skill descriptions from "suitable for alinux4" to "rpm-base linux". (#182)

0.2

  • Added humanizer, image-gen, pdf-reader, and xlsx skills. (#178)
  • Added cosh-guide skill. (#23)
  • Support net/io/load diagnostic capabilities to sysom-diagnosis skill. (#163)

Changelog

All notable changes to SkillFS are documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[0.3.3] - 2026-07-10

Added

  • Hermes workspace layout compatibility. SkillFS now recognizes Hermes hub markers, preserves management paths, and exposes nested category/skill/SKILL.md skills alongside top-level skills.
  • Nested Hermes skills now support activation state, installer lifecycle writes, notifications, audit attribution, fallback snapshots, and hidden visibility.

Fixed

  • skillfs validate --json now includes source paths for warning and error entries so automation can locate invalid skills.
  • FUSE teardown now bounds failed unmount cleanup and prevents leaked test mounts from affecting later sessions.

[0.3.2] - 2026-07-03

Fixed

  • CLI SLS ops logging now records SkillFS mount and runtime operations.
  • Runtime metrics now emit real-time deltas for SLS consumers.

[0.3.1] - 2026-07-03

Added

  • Managed mount supervision can recover stale FUSE mounts and bound recovery retries during repeated starts.

Changed

  • English and Chinese README guidance now covers managed mounts, in-place operation, security boundaries, and troubleshooting.

Fixed

  • Post-publish grace reads fallback skill files from source paths after installers finish.
  • skillfs validate now reports parse failures in the status summary.
  • In-place authoring supports new skills and pending-install ownership changes.
  • Managed stop and runtime-dir handling avoid stale ownership and unbounded recovery retries.
  • Daemon-facing backing roots under PrivateTmp are rejected before mount startup.
  • FUSE smoke cleanup handles leftover mounts and temporary paths more reliably.

[0.3.0] - 2026-06-26

Added

  • Runtime security integration for agent skill directories. SkillFS can now consume activation decisions from .skill-meta/activation.json or the user.agent_sec.skill_ledger.activation xattr, then expose each skill as current, hidden, or a trusted fallback snapshot.
  • File-change notification for external security daemons. With --activation-mode file, --notify-socket, --activation-events-log, and --activation-reload-mode poll, SkillFS reports skill mutations, reloads activation decisions, and keeps already-opened file handles pinned to their original target.
  • Trusted control socket for activation writes. A daemon verified with SO_PEERCRED, executable identity, and start-time checks can update activation JSON or activation xattr through a bounded request API instead of writing .skill-meta through the agent-visible mount path.
  • Installer compatibility for common skill installation flows. Staging directories, direct writes, quiet-timeout completion, and post-publish grace windows allow installers to finish writing a skill before SkillFS asks the security provider to scan and activate it.
  • In-place mount support for security daemons. Ledger backing roots are bind mounted privately and validated at startup so scanners read the real source tree rather than the agent-facing FUSE view.
  • Canonical skill identity based on the directory basename. Frontmatter name: remains display metadata and no longer changes the SkillFS store key or daemon-facing skill id.

Changed

  • .skill-meta/** is hidden from ordinary agents and remains accessible only through trusted metadata paths or the control socket.
  • Skill mutation notify uses ordinary filesystem event kinds, including create, write, rename, unlink, rmdir, and truncate events, instead of a separate install-complete protocol event.
  • POSIX passthrough behavior was expanded for symlink, hardlink, FIFO, path length fallback, open-after-unlink, xattr, and inode consistency cases.

Fixed

  • Prevented stale activation views by combining notify-triggered reload, polling, and activation watcher convergence.
  • Hardened trusted-writer and trusted-peer checks against process reuse and executable replacement with start-time and file-identity validation.
  • Avoided installer and daemon visibility bugs around hidden skills, fallback snapshots, staging paths, and backing-root propagation.

[0.2.0] - 2026-05-09

Added

  • FUSE write passthrough for write, create, mkdir, rename, unlink, rmdir, and setattr(size) operations on skill directories.
  • Background sync worker that reparses SKILL.md on write and upserts the entry back into SharedSkillStore.
  • Immediate visibility for newly created skill directories: mkdir inserts a ParseStatus::Degraded placeholder, then the sync worker overwrites it with the real entry once SKILL.md is written.
  • in-place mount mode that accesses the underlying source via /proc/self/fd/{n} to avoid the over-mount self-loop.
  • Integration suite crates/skillfs-fuse/tests/write_guard_tests.rs covering both normal and in-place write paths.

Changed

  • Directory name is now the authoritative store key. After rename, stale frontmatter name: no longer revives the old key.
  • Read of SKILL.md still returns the compiled result; raw file is only used for writes and parsing.
  • Architecture docs refactored into docs/specs/skillfs-spec.md, docs/specs/core-spec.md, docs/specs/fuse-spec.md.

Removed

  • Workspace-related code paths and the unused workspace config support from skillfs-core (commit 6d604c7).
  • Legacy ad-hoc test scripts (kept only scripts/build.sh and scripts/test.sh).

Fixed

  • CLI tracing timestamps now use the local timezone instead of UTC.

[0.1.2] - 2026-04-29

Added

  • Read-only mount write protection: mknod, symlink, link, and write callbacks all return EROFS.

Fixed

  • Parser summary truncation now respects multi-byte character boundaries.

[0.1.1] - 2026-04-29

Added

  • skillfs-mount agent skill under docs/skills/ to help users set up, mount, and unmount a SkillFS instance.

[0.1.0] - 2026-04-25

Added

  • Initial release of the SkillFS workspace.
  • skillfs-core: SKILL.md parser (with Ok / Degraded / Error status), in-memory SkillStore with flat and categorized directory layouts, skillfs-views.toml configuration, conditional compiler::compile, and environment probing (OS, commands, env vars).
  • skillfs-fuse: read-only FUSE filesystem that exposes the configured default view at /skills, always-on virtual skill-discover, and compile-on-read for SKILL.md. Other files in a skill directory are passed through to the physical source.
  • skillfs CLI: mount, classify, validate, list subcommands.

Changelog

0.6.1

  • bundle tool_categories.json into dist for npm installs
  • use node: prefix, eliminate shell subprocess in openclaw plugin

0.6.0

  • add absolute saved values + schema version to JSON output
  • use import.meta.dirname instead of __dirname in openclaw plugin
  • add qwencode adapter for Qwen Code extension
  • fix rtk pytest 'No tests collected' regression
  • add trusted FHS fallback paths for hook_utils import in codex scripts
  • add SLS JSONL data collection with config toggle
  • add tokenless RPM component contract (publishing metadata)
  • add compression toggle with dry-run compare mode (TOKENLESS_COMPRESSION_ENABLED, stats summary --compare)
  • enable SLS recording by default and document usage
  • align compression mode serde/db form and dedup config load
  • expand RPM component contract (bundle.entry + hermes)
  • make SLS writer append-only and skip when log file absent
  • prefer tool_call_id over internal tool_use_id for qwencode hooks
  • bump vendored rtk to v0.43.0; rework pytest stderr-surfacing patch for the refactored runner; drop grep-fallback-fix (root cause fixed upstream) and preflight-skip-python (reversed upstream)
  • sync toon-format to 0.5.0 in Makefile and spec (was stale at 0.4.6)

0.5.1

  • add --json output to stats summary
  • implement unified tool categorization and 3-layer compression strategy
  • add rtk grep fallback pattern fix patch
  • add rtk pytest error report patch

0.5.0

  • add Hermes adapter runner
  • drop TOON wrapper prefix and slim diagnostic tags
  • unify rtk rewrite exit code 3 handling across adapters
  • secure shell variable interpolation in env-fix and hooks
  • add subprocess returncode checks and extract shared hook utilities
  • secure resolveBinaryPath and improve binary cache invalidation
  • use mktemp in tests and safe home expansion
  • bound SchemaCompressor recursion to prevent stack overflow
  • propagate env-fix subprocess failures instead of returning stdout
  • anchor home lookup on getpwuid_r and trust-check candidate binaries
  • harden env-fix install paths with uid trust check and divert stderr to log
  • recover from poisoned mutex in stats recorder instead of failing
  • add input size limit and validate db path
  • reserve truncation marker length in response compressor
  • rename openclaw plugin Name to Tokenless and ID to tokenless
  • add qoder CLI adapter
  • compress-schema on array input
  • warn when compression is skipped
  • stats command syntax
  • add Claude Code adapter plugin
  • error on TTY stdin instead of hang
  • add codex adapter plugin
  • fix compression pipeline output inflation, truncation and hook timeouts
  • harden env-fix, version extraction, file trust, schema, permissions
  • address review findings — trailing newline, chmod guard, rate-limited log, comment
  • make env attribution reachable for skip-tools entries
  • add selective-claw context engine plugin
  • address review findings for selective-claw plugin
  • remove invalid "2" dependency from selective-claw
  • restore indentation in compress_response_hook.py
  • harden hook exit-code handling + trust model consistency
  • only warn on truly unexpected rtk exit codes
  • dedup rewrite_hook, import from hook_utils

0.4.1

  • fix version_ge 3-segment truncation in env_check.rs (compare all segments)
  • add qoder, claude-code, codex adapter plugins and documentation
  • sync manifest.json with template to include all six agents
  • update README and user manuals for new agent integrations
  • add pycache to root .gitignore
  • update response-compression.md with all agent integration paths
  • derive Makefile version from Cargo.toml, fix spec changelog weekday
  • normalize adapter version numbers to 0.4.0
  • derive adapter plugin versions from Cargo.toml instead of hardcoding

0.4.0

  • correct 5 bugs in stats, naming, SQL, paths and permissions
  • align FHS paths, restructure adapter dir, remove install.sh
  • address code review findings across schema, env-check, hooks, and plugin
  • add hermes agent plugin
  • security hardening & critical algorithm correctness
  • behavioral correctness & logic fixes
  • dedup, dead code removal & cosmetic cleanup
  • support staged installs
  • support Debian/Ubuntu FHS paths and harden binary resolution
  • build OpenClaw plugin to dist/index.js

0.3.2

  • replace spoofable home-dir uid derivation with libc::getuid() syscall for trust chain integrity
  • replace subprocess toon -e calls with in-process toon_format::encode_default() library call
  • replace rtk/toon git submodules with crates.io deps and inline toon-format source
  • hard-fail on rtk stats patch failure in justfile setup-rtk recipe
  • unify compress-toon/compress-schema/compress-response error exit codes (all exit 2)
  • remove 2>/dev/null || true from Makefile toon install (hard fail on missing binary)
  • remove redundant #[source] attribute on thiserror variants that already have #[from]
  • deduplicate Python hook FHS path constants into shared hook_utils module
  • add libc to workspace dependencies for uid syscall
  • add detailed rust >= 1.89 comment in spec.in explaining CI pin rationale

0.3.0

  • add tool-ready 4-phase environment pre-check with cosh extension integration
  • skip compression and stats when no token savings
  • pass caller context to rtk stats via .rewrite-context file
  • remove redundant cosh extension install/uninstall from install.sh
  • convert cosh hooks to extension format per cosh dev guide
  • skip zero compression and stats recording
  • use isExecutable() and resolved paths in openclaw plugin
  • resolve rtk/toon binary paths for RPM-installed plugins
  • correct RPM install paths to align with install.sh expectations
  • preserve tool result message structure in TOON encoding
  • align install paths with FHS
  • auto-record stats with real tool_use_id from hook payload
  • restructure RPM dirs and remove auto plugin/hook installation

0.2.0

  • add compression stats with auto-record from real data
  • add TOON context compression support
  • skip compression for skill and content-retrieval tools

0.1.0

  • introduce tokenless into ANOLISA (#199)

更新日志

English

0.4.1

新功能

  • 新增 rollback 后跳过自动 checkpoint (#1263)

缺陷修复

  • 修复 config 更新后的工作区同步 (#1263)
  • 修复 crontab 条目中 ws-ckpt 的绝对路径处理 (#1263)
  • 变更 rollback -n 偏移量,直接传递 numAncestors (#1263)

0.4.0

不兼容变更

  • 不兼容 checkpoint -i/--id 参数更名为 -s/--snapshot 作为主参数;-i 保留为隐藏别名,未来版本可能移除 (#1064)

新功能

  • 新增插件安装/卸载子命令 (#1005)
  • 新增 component.toml 用于 anolisa-cli 适配器发现 (#1005)
  • 新增 rollback 预览功能,支持 --preview 参数 (#1103)
  • 新增每次 CLI 操作后的耗时显示 (#1075)
  • 新增省略 --snapshot 时自动生成快照 ID (#1064)
  • 新增 SLS 运维日志输出用于仪表盘指标 (#1059)
  • 新增 diff 的可选 -t 参数,用于将快照与当前工作区对比 (#848)
  • 新增按祖先数量 rollback 和快照 DAG 追踪 (#877)
  • 新增基于 cron 的定时 checkpoint 快照 (#819)

缺陷修复

  • 修复 --snapshot/-s 作为主参数的处理及插件参数对齐 (#1103, #1064)
  • 修复 SKILL.md 与实际 CLI/插件实现的同步 (#847)
  • 修复 init 和 recover 对被替换的 workspace 符号链接的防护 (#860)
  • 修复 init rsync 去除 --copy-unsafe-links (#873)

0.3.3

新功能

  • 新增每工作区策略覆盖,支持 hermes/openclaw 插件 (#721)
  • 新增 /proc cwd 占用者检测,用于 init 和 rollback (#684)
  • 新增 Hermes 适配器运行脚本 (#617)

缺陷修复

  • 修复 rollback 中的写锁竞争和 cwd 检测死锁 (#721, #684)
  • 修复非 UTF-8 路径和路径穿越快照 ID 的输入验证 (#695, #678)
  • 修复 seccomp 架构选择、工作区注册并发和 RPM 打包问题 (#695, #684)

0.3.2

  • 修复 openclaw 卸载时未从配置中移除工具白名单
  • 修复父路径拒绝规则作为工作区级别规则应用于 skill 和 openclaw 插件

0.3.1

  • 修复插件工作区配置注册和自动加载
  • 拒绝将 hermes cwd 本身或其父路径作为工作区路径
  • 修复插件工具优先使用显式 workspace 参数而非配置
  • 修复 skill 删除需要 --force 参数
  • 修复 daemon 工作区路径验证和 fswatch 文件描述符泄漏
  • 移除未使用的 btrfs_ops.rs 模块

0.3.0

  • 新增 openclaw 插件脚手架
  • 新增 hermes 插件脚手架
  • 将 ws-ckpt skill 改为 agent 无关,在调用时提示输入工作区
  • 遵循 make install 契约用于 build-all 集成
  • 修复 list 和 diff 子命令的缺陷
  • 将 daemon 改为有状态

0.2.0

  • 新增 auto_cleanup 功能及开关
  • 统一通过 TOML 文件修改配置
  • 新增全局 CLI 警告:当任意工作区快照数 >1000 或文件系统使用率 >90%
  • 修复后端检测和 daemon 状态恢复逻辑
  • 修复 daemon 重启后镜像大小配置不生效
  • 移除过时的 fs_warn_threshold_percent 参数
  • 修复 config.toml 作为示例文件分发

0.1.0

  • 带 Unix Socket IPC 和 Bincode 二进制协议的 Daemon
  • init / checkpoint / rollback / delete / list / diff / cleanup / status / config 命令
  • 后台调度器:自动清理、健康检查、孤立恢复
  • 多后端:btrfs-base / btrfs-loop / overlayfs 自动检测
  • TOML 配置持久化及运行时热重载
  • systemd 服务及 Alinux 4 RPM 打包