Release v0.12.0

Highlights

• ExecOptions request struct + exec_with_options entry point — a single,
  extensible request object for configuring a run, replacing ad-hoc parameter
  threading at the library boundary
  (#2093).
• BashToolBuilder::configure for full BashBuilder access — LLM-tool
  callers can now reach the complete builder surface when wiring up a tool
  (#2104).
• Self-hosted Python + TypeScript API references at /api — the binding API
  docs are now built and hosted from the repo, with new public guides and a
  reorganized docs navigation
  (#2109,
  #2111).
• agents-friendly site surfaces — llms.txt agent entry points, linked
  skill sources, and cross-linked Markdown surfaces make the site easier for
  agents to consume (#2099,
  #2106).
• Interpreter correctness & security sweep — typed-state refactors of the
  directory stack, $!, and getopts cursors, plus a batch of parser/expansion
  fixes and several dependency security-advisory patches.

Breaking Changes

• PythonLimits / TypeScriptLimits fields moved under a shared common: RuntimeLimits.
  The two embedded-VM limit types now share a RuntimeLimits core (duration,
  memory, allocations, call depth)
  (#2095). The fluent builder
  API is unchanged, but code that read the pub max_* fields directly must now
  go through .common. SQLite is unaffected.
  • Before: let mem = limits.max_memory;
  • After: let mem = limits.common.max_memory;

What's Changed

• test(parallel): verify 1000-session fan-out and extend scaling bench (#2120) by @chaliy
• chore(site): upgrade to Astro 7 (#2119) by @chaliy
• chore(ci): bump the github-actions group with 5 updates (#2118) by @dependabot
• chore(deps): bump the rust-dependencies group with 4 updates (#2117) by @dependabot
• fix(read): preserve implicit REPLY whitespace (#2116) by @chaliy
• fix(interpreter): reset getopts cursor across shell boundaries (#2115) by @chaliy
• fix(snapshot): validate restored last background pid (#2114) by @chaliy
• fix(snapshot): validate restored directory stack (#2113) by @chaliy
• fix(deps): bump langsmith 0.8.5 -> 0.8.18 (GHSA-f4xh-w4cj-qxq8) (#2112) by @chaliy
• docs(site): add six public guides and reorganize docs nav (#2111) by @chaliy
• fix(site): expand too-short meta descriptions on docs and builtins pages (#2110) by @chaliy
• feat(site): self-host Python + TypeScript API references at /api (#2109) by @chaliy
• fix(builtins): include special builtins in inventory (#2108) by @chaliy
• fix(expansion): fail closed on quote marker collision (#2107) by @chaliy
• feat(site): link skill source and enrich llms.txt for agents (#2106) by @chaliy
• docs(site): cross-link Markdown surfaces to llms.txt + document contract (#2105) by @chaliy
• feat(tool): add BashToolBuilder::configure for full BashBuilder access (#2104) by @chaliy
• refactor(dirstack): move directory stack to typed interpreter state (#2103) by @chaliy
• docs(skills): list http_client, ssh, jq, bot-auth in rust install features (#2102) by @chaliy
• docs(site): add LLM tools guide (#2101) by @chaliy
• docs(site): add Embedding getting-started guide (#2100) by @chaliy
• feat(site): add llms.txt agent entry points (#2099) by @chaliy
• docs(python): fix BashKit → Bashkit in FileSystem docstring (#2098) by @chaliy
• refactor(interpreter): move $! to typed state, drop dead _BG_EXIT_CODE (#2097) by @chaliy
• refactor(interpreter): move getopts cluster cursor to typed state (#2096) by @chaliy
• refactor(builtins): share RuntimeLimits core across Python/TypeScript VMs (#2095) by @chaliy
• refactor(interpreter): decompose monolith + group scoped shell state (#2094) by @chaliy
• feat(lib): add ExecOptions request struct + exec_with_options entry point (#2093) by @chaliy
• refactor(interpreter): remove _EVAL_CMD magic-variable channel (#2092) by @chaliy
• feat(tool): gate BashTool wrapper behind default bash_tool feature (#2091) by @chaliy
• fix(deps): patch newly-disclosed dependency security advisories (#2090) by @chaliy
• fix(eval): require balanced CSV quote matches (#2089) by @chaliy
• fix(rg): skip option values in delimiter scan (#2088) by @chaliy
• fix(read): trim trailing IFS whitespace when assigning final variable (#2087) by @chaliy
• fix(parser): keep literal case patterns unexpanded (#2086) by @chaliy
• fix(interpreter): suppress ERR trap in conditions (#2085) by @chaliy
• fix(strings): preserve double-dash delimiter (#2084) by @chaliy
• fix(interpreter): preserve mixed word IFS boundaries (#2083) by @chaliy
• fix(deps): patch npm security advisories in lockfiles (#2082) by @chaliy
• fix(parser): preserve expanded backslashes in glob dirs (#2081) by @chaliy
• fix(expansion): preserve quoted operands when markers collide (#2076) by @chaliy
• fix(fs): avoid duplicate lower hide accounting (#2074) by @chaliy

Full Changelog: v0.11.0...v0.12.0

Release v0.11.0

Highlights

• cwd and env construction options for the Node and Python bindings —
  callers can now set the starting working directory and initial environment
  directly at Bash construction time, instead of paying for a leading
  cd/export prelude on every run
  (#2072).

What's Changed

• feat(site): span runtime surface across full hero width (#2079) by @chaliy
• Add GitHub sponsor username (#2078) by @chaliy
• chore: pre-release maintenance — deps update, vet refresh, threat-model & changelog sync (#2077) by @chaliy
• feat(site): simplify hero runtime snippet card (#2075) by @chaliy
• chore: set package author metadata across PyPI, npm, and crates.io (#2073) by @chaliy
• feat(bindings): expose cwd and env options to Node and Python (#2072) by @chaliy
• chore(deps): bump zeroize to 1.9.0 and napi to 3.9.2 (#2071) by @chaliy
• chore(ci): bump github-actions group (setup-uv, codecov, taiki-e) (#2070) by @chaliy
• fix(deps): patch esbuild and PyO3 security advisories (#2069) by @chaliy
• fix(paste): handle trailing -d flag (#2057) by @chaliy
• fix(fs): preserve recursive delete child whiteouts (#2056) by @chaliy
• fix(awk): cap multi-subscript arrays (#2055) by @chaliy
• fix(parser): escape ANSI-C NUL sentinel collisions (#2053) by @chaliy
• test(specs): back limitations.md stance rows with evidence tests (#2051) by @chaliy
• fix(compgen): list builtins from the live registry, not hardcoded copies (#2040) by @chaliy
• chore(specs): threat-model ledger — backfill 12 code-cited IDs, add drift lint, compress 21 KB (#2039) by @chaliy
• feat: generated builtin inventory, limitations negative spec, spec/agent-config compression (#2038) by @chaliy

Full Changelog: v0.10.0...v0.11.0

Release v0.10.0

Highlights

• Python custom builtins can now read and write the VFS via a new ctx.fs handle on BuiltinContext — a Python custom_builtins callback gets a live, sandbox-respecting view of the interpreter's filesystem, just like the embedded python3 builtin (#2010). Huge thanks to first-time external contributor @dedeswim (Edoardo Debenedetti) for designing, testing, and landing this. 🎉
• JS ↔ Python binding parity — the JS bindings close the remaining gaps with the Python API (ctx.fs, network access, shellState) so custom builtins behave consistently across hosts (#2036).
• Real PCRE for grep -P via fancy-regex, plus GNU long-option aliases (#1846).
• Broad security & resource-safety hardening sweep — a deep DoS/panic audit (#2006) plus dozens of targeted caps and budget-enforcement fixes across the interpreter, parser, and builtins (rg, grep, awk, curl, find, tar, sqlite, bc, tr, iconv), the VFS (CSPRNG random devices, lazy-materialization limits, FIFO file-count caps), streaming callbacks, and snapshot/restore.

Contributors

Welcome and thank you to our first external contributor this cycle, @dedeswim, whose #2010 brings VFS access to Python custom builtins.

What's Changed

• feat(js): close Python-binding parity gaps (ctx.fs, network, shellState) (#2036) by @chaliy
• chore: maintenance pass — cargo update, vet refresh, doc/spec sync (#2035) by @chaliy
• fix(history): bound persistent command history (#2024) by @chaliy
• fix(awk): stream redirected output through vfs to enforce quotas (#2023) by @chaliy
• fix(interpreter): preserve array budget for local shadows (#2018) by @chaliy
• fix(readlink): cap symlink canonicalization paths (#2015) by @chaliy
• fix(find): enforce 1 MiB output cap for -printf and default output (#2034) by @chaliy
• fix(git): contain inspection pathspecs and refs (#2032) by @chaliy
• fix(js): prevent ScriptedTool.executeSync deadlock on registered-tool invocation (#2033) by @chaliy
• fix(expand): cap output bytes to prevent unbounded allocation by @chaliy
• fix(vfs): enforce file-count limit on FIFO creation by @chaliy
• fix(curl): cap multipart body assembly at request body limit by @chaliy
• fix(grep): enforce max-count limit to prevent unbounded output by @chaliy
• fix(rg): cap passthrough output at 10 MB per invocation by @chaliy
• feat(python): expose VFS to custom builtins via BuiltinContext.fs (#2010) by @dedeswim
• fix(tree): bound traversal resources by @chaliy
• fix(vfs): use CSPRNG for random devices by @chaliy
• fix(awk): reject oversized single output writes by @chaliy
• fix(python): avoid async callback GIL deadlock via unbounded work channel by @chaliy
• fix(builtins): reject zero join fields (#2027) by @chaliy
• fix(parser): avoid brace range budget overflow (#2020) by @chaliy
• fix(parser): avoid quadratic quote marker insertion (#2013) by @chaliy
• fix(interpreter): shadow arrays for bare local declarations (#2011) by @chaliy
• fix(python): restore deterministic teardown for async-callback machinery (#2009) by @chaliy
• fix(python): keep private-loop worker off Python during interpreter exit (#2008) by @chaliy
• fix: harden DoS and panic surfaces found in deep security audit (#2006) by @chaliy
• fix(ci): repair drift-workflow YAML and fix GIL deadlocks hanging Coverage (#2007) by @chaliy
• fix(ci): suppress phantom failure for coreutils-args-drift on push events by @chaliy
• fix(interpreter): restore scoped local arrays (#1936) by @chaliy
• fix(interpreter): clear BASH_SOURCE after cancelled exec (#1931) by @chaliy
• fix(rg): cap colorized output growth by @chaliy
• fix(python): yield private async callbacks for timeouts (#1918) by @chaliy
• fix(interpreter): resolve array default subscripts consistently (#1965) by @chaliy
• fix(rg): emit all passthru only matches (#1957) by @chaliy
• fix(ci): pin release action SHAs and scope permissions to job level (#2001) by @chaliy
• fix(limits): count exec calls before parsing (#2000) by @chaliy
• fix(parser): split unquoted mixed-quote suffix expansions (#1969) by @chaliy
• fix(redirect): scope fd3 pending buffers (#1923) by @chaliy
• fix(rg): merge context windows before expansion to prevent CPU DoS (#1905) by @chaliy
• fix(expansion): bound operand quote marker search (#1999) by @chaliy
• fix(grep): preserve recursive indexed search semantics (#1987) by @chaliy
• fix(rg): correct quiet files-without-match status (#1956) by @chaliy
• fix(builtins): reject checksum options (#1945) by @chaliy
• fix(interpreter): bound explicit subshell nesting (#1941) by @chaliy
• fix(interpreter): clear errexit_suppressed at subshell/function boundaries (#1986) by @chaliy
• fix(interpreter): escape quoted expansions adjacent to unquoted globs (#1972) by @chaliy
• fix(examples): avoid provider symlink clobber (#1970) by @chaliy
• fix(read): treat adjacent mixed IFS delimiters as one sequence (#1964) by @chaliy
• fix(test): isolate real bash spec comparisons (#1995) by @chaliy
• fix(jq): bind setpath arguments before recursion (#1993) by @chaliy
• fix(builtins): resolve readlink canonical symlinks (#1992) by @chaliy
• fix(bench): isolate I/O benchmark file writes (#1991) by @chaliy
• fix(bench): secure parallel benchmark cache (#1990) by @chaliy
• fix(pi): isolate bashkit state per agent start (#1989) by @chaliy
• fix(security): remove repo-controlled Claude startup hook (#1988) by @chaliy
• fix(iconv): reject unsupported target suffixes (#1974) by @chaliy
• fix(fuzz): exercise template renderer in template_fuzz (#1973) by @chaliy
• fix(builtins): gate jq command metadata (#1971) by @chaliy
• fix(alias): preserve mixed quoted glob reparse (#1968) by @chaliy
• fix(parser): ignore subscript equals in array appends (#1967) by @chaliy
• fix(strings): preserve dash-prefixed filenames (#1966) by @chaliy
• fix(fs): enforce POSIX mount path prefixes (#1963) by @chaliy
• fix(bench): avoid predictable sqlite temp file (#1962) by @chaliy
• fix(rg): honor rgignore precedence over gitignore (#1961) by @chaliy
• fix(interpreter): clear BASH_SOURCE transient state (#1951) by @chaliy
• fix(curl): validate multipart URLs before upload reads (#1943) by @chaliy
• fix(awk): bound getline file cache (#1932) by @chaliy
• fix(vfs): preserve UTF-8 file decoding (#1985) by @chaliy
• fix(find): consume negated type predicate (#1978) by @chaliy
• fix(api): clear tty state when disabled (#1984) by @chaliy
• fix(sort): preserve stable equal-key order (#1983) by @chaliy
• fix(interpreter): honor errexit for final and-or failures (#1982) by @chaliy
• fix(builtins): enforce head byte limit for utf8 stdin (#1981) by @chaliy...

Release v0.9.0

Highlights

• Pyodide/Emscripten (wasm32) Python wheel — a reduced-feature wasm32-unknown-emscripten Python wheel now ships, enabling the embedded Python builtin in browser/wasm hosts (#1811).
• Broad resource-safety hardening sweep — fuel/budget enforcement and memory caps across the interpreter, parser, rg, sqlite, snapshot, and expansion paths (arithmetic expansion bounds, coproc/process-substitution budgets, heredoc reinjection fuel, brace-step overflow, compound-array limits, replacement-growth caps, sqlite result memory cap).
• JS BashTool snapshot authentication plus keyed snapshot APIs and snapshot counter/byte-accounting fixes for correct resume.
• Benches snapshot site page and CI hardening for the release/publish workflows.

What's Changed

• chore(ci): pin Pyodide wheel toolchain and document browser verification (#1843) by @chaliy
• fix(js): authenticate BashTool snapshots (#1838) by @chaliy
• fix(interpreter): bound arithmetic variable expansion (#1828) by @chaliy
• fix(streaming): clear output callback on cancellation by @chaliy
• fix(snapshot): account function source bytes by @chaliy
• fix(awk): reject chained range patterns by @chaliy
• fix(snapshot): preserve counters on resume by @chaliy
• fix(sqlite): cap result memory growth by @chaliy
• fix(sqlite): invalidate engine cache on snapshot restore by @chaliy
• fix(scripted-tool): isolate extension invocation traces by @chaliy
• fix(tool_def): bound parsed array flag inputs by @chaliy
• fix(rg): cap replacement expansion by @chaliy
• fix(rg): stream summary scans to avoid eager line allocation by @chaliy
• fix(parser): charge heredoc reinjection to parser fuel by @chaliy
• fix(ci): scope Doppler token to secret fetch steps by @chaliy
• fix(interpreter): prevent brace step overflow by @chaliy
• fix(parser): enforce coproc parser limits by @chaliy
• fix(limits): enforce budgets for local compound arrays by @chaliy
• fix(interpreter): scope deferred process substitutions by @chaliy
• fix(interpreter): gate allexport env updates by @chaliy
• fix(interpreter): cap word-split array assignments by @chaliy
• fix(ci): validate CLI release tag input by @chaliy
• fix(interpreter): avoid IFS nameref recursion by @chaliy
• fix(js): expose keyed snapshot APIs by @chaliy
• fix(interpreter): clear transient stdin after timeouts by @chaliy
• fix(ci): verify release publish refs by @chaliy
• fix(parser): debit nested process substitution budgets by @chaliy
• fix(expansion): cap per-element replacement growth by @chaliy
• fix(rg): bound ignore rule resource use by @chaliy
• fix(ci): use integration test binary for cat/tac spec tests in drift workflow by @chaliy
• feat(python): add Pyodide/Emscripten (wasm32) wheel (#1811) by @chaliy
• chore(deps): bump the rust-dependencies group with 3 updates by @dependabot
• fix(interpreter): preserve legacy nameref targets (#1810) by @chaliy
• feat(site): add benches snapshot page (#1789) by @chaliy
• chore(python): bump monty to v0.0.18 (#1809) by @chaliy

Full Changelog: v0.8.0...v0.9.0

Release v0.8.0

Highlights

• Python open() support — VFS-backed open() / Path.open() read, write, and append now work in the embedded Python builtin, so LLM-generated with open("/tmp/...") scripts run instead of failing. Host filesystem and network stay unavailable to Python (#1800).
• Further rg parity and hardening fixes (default type globs, JSON context fanout cap, root-arg allocation) plus interpreter fixes for variable attribute/nameref persistence and persistent file descriptor validation.

What's Changed

• ci: reclaim runner disk before disk-hungry scheduled jobs (#1807) by @chaliy
• fix(rg): align r and tf default type globs with ripgrep (#1805) by @chaliy
• fix(rg): cap JSON context event fanout (#1804) by @chaliy
• fix(interpreter): persist var attrs and namerefs across shell state restore (#1803) by @chaliy
• fix(interpreter): reject negative persistent file descriptors (#1802) by @chaliy
• fix(rg): avoid root arg string cloning across candidates (#1801) by @chaliy
• feat(python): support vfs-backed open (#1800) by @chaliy
• feat(site): add bashkit logo assets (#1799) by @chaliy
• fix(ci): bypass pnpm -- separator that breaks napi build flag forwarding (#1798) by @chaliy
• fix(site): add homepage canonical link header (#1797) by @chaliy

Full Changelog: v0.7.2...v0.8.0

Release v0.7.2

Highlights

• Maintenance release — rolls up ~25 rg hardening fixes, a CoW subshell-snapshot perf landmark (#1767), security tightening (FD cap #1780, tool-hook enforcement for command #1781), a BuiltinHelper refactor (#1788), and test/build hygiene work.

What's Changed

• chore(tests): move OverlayFs path-validation tests inline (#1795) by @chaliy
• chore(tests): consolidate integration test binaries into one (#1794) by @chaliy
• chore(build): slim test binaries, document cargo test --all-features hazard (#1793) by @chaliy
• feat(site): add homepage markdown negotiation by @chaliy
• fix(interpreter): isolate bash -c / sh -c from parent shell state (#1791) by @chaliy
• fix(interpreter): resolve array elements in arithmetic param expansion (#1790) by @chaliy
• refactor(builtins): BuiltinHelper trait, centralized limits, split ls/awk (#1788) by @chaliy
• fix(rg): resolve type filters after type db mutations (#1787) by @chaliy
• chore: normalize Bashkit capitalization (#1786) by @chaliy
• fix(rg): apply global sort for explicit path sets (#1785) by @chaliy
• fix(rg): harden hyperlink URL interpolation (#1784) by @chaliy
• fix(rg): bound color match amplification for dense patterns (#1783) by @chaliy
• fix(rg): bound --colors parsing and sanitize invalid spec echo (#1782) by @chaliy
• fix(interpreter): enforce tool hooks for command host-builtins (#1781) by @chaliy
• fix(security): cap persistent file descriptors (#1780) by @chaliy
• chore(bench): refresh runtime comparison + add in-proc reminder (#1778) by @chaliy
• chore(bench): move criterion results to crates/bashkit/benches/results (#1774) by @chaliy
• chore(eval): refresh model lineup with Opus 4.7 and GPT-5.5 (#1773) by @chaliy
• chore(skills): hide private workflow skills (#1772) by @chaliy
• test(bench): cover VarAttrs/BashFlags + add VFS/rg/glob benches (#1770) by @chaliy
• chore(deps): bump serde_json to 1.0.150 and reqwest to 0.13.4 (#1769) by @dependabot
• chore(ci): bump pnpm/action-setup from 4 to 6 (#1768) by @dependabot
• perf(interpreter): CoW subshell snapshots, attribute bitset, flag cache (#1767) by @chaliy
• chore(js): migrate packages to pnpm (#1766) by @chaliy
• fix(rg): honor explicit file path parity (#1765) by @chaliy
• chore(deps): bump turso_core from 0.6.0 to 0.6.1 (#1764) by @dependabot
• ci(nightly): raise ASAN timeout to 90 minutes (#1761) by @chaliy
• fix(tac): preserve unterminated last line on reversal (#1760) by @chaliy
• fix(rg): match output mode precedence (#1759) by @chaliy
• chore(site): allow AI content signals (#1758) by @chaliy
• fix(docs-grep-agent): stop mounting lockfile-bearing example dirs (#1757) by @chaliy
• test(rg): cover binary default reporting for explicit inputs and stdin (#1756) by @chaliy
• fix(rg): preserve collected diagnostics in quiet match paths (#1755) by @chaliy
• fix(rg): count unrestricted flags independently (#1754) by @chaliy
• fix(rg): skip indexed prefilter for --crlf searches (#1753) by @chaliy
• fix(rg): apply max-count after multiline invert (#1752) by @chaliy
• fix(rg): align -u ignore classes with --no-ignore (#1751) by @chaliy
• fix(rg): clear explicit line-number state on negation (#1750) by @chaliy
• fix(rg): honor --no-context-separator between files (#1749) by @chaliy
• fix(rg): avoid false --generate detection in value arguments (#1748) by @chaliy
• fix(rg): skip indexed prefilter for --no-unicode non-literal queries (#1747) by @chaliy
• fix(rg): keep parent dot-ignore active for --no-ignore-vcs (#1746) by @chaliy
• fix(rg): bound ignore rule parsing and traversal memory (#1745) by @chaliy
• fix(rg): avoid quadratic glob toggle recompilation (#1744) by @chaliy
• fix(rg): cap brace alternation recursion depth (#1743) by @chaliy
• fix(rg): avoid eager match vector allocation (#1742) by @chaliy
• fix(ci): close DOPPLER_AVAILABLE bypass in examples workflow (#1741) by @chaliy
• feat(site): negotiate markdown docs by @chaliy
• docs(site): add agent development quickstart by @chaliy
• docs(readme): remove stale install version pins by @chaliy

Full Changelog: v0.7.1...v0.7.2

Release v0.7.1

Fixed

• fix(ci): skip publish-js AI examples step on Windows + Node 24. The libuv assertion !(handle->flags & UV_HANDLE_CLOSING) fires during process shutdown of the example scripts on that combination only, blocking the npm publish in v0.7.0. The same scripts pass on every other platform/Node combination, so the step is gated off for runner.os == 'Windows' && matrix.node == '24'.

Full Changelog: v0.7.0...v0.7.1

Release v0.7.0

Highlights

• Ripgrep (rg) parity push — ~80 PRs landed expanding the rg builtin to near-feature-parity with upstream ripgrep: pcre2, multiline, encoding, glob brace/character-class/globstar, comprehensive default file types, ignore-file precedence (parent + global git ignore), preprocessor controls, hyperlink prefixes, ansi/hex colour styles, sort-by-modified, stats, max-filesize, mmap/engine flags, gzip search, follow-symlinks, and many bug fixes for output-mode precedence and binary-search behaviour.
• Host-owned BuiltinRegistry API — embedders (JS, Python, Rust) can now register and remove builtins at any point in the interpreter's lifetime via Bash::builder().builtin_registry(...) and addBuiltin / removeBuiltin on Bash / BashTool. Replaces the rebuild-on-register approach (which silently wiped the in-memory VFS). Brought to Python parity via add_builtin / remove_builtin (#1721, #1732, #1733).
• VFS read-only enforcement for live mounts — readonly_filesystem now reliably blocks runtime mount writes (#1691).
• Maintenance pass — turso 0.5.3→0.6.0, langchain examples to v1.x, fuzz leak-guard hardening, dependency-edge cleanup (#1632, #1635, #1636, #1639).

What's Changed

• fix(rg): avoid eager rg allocations in low-output/search-json paths (#1690) by @chaliy
• fix(rg): cap replacement expansion output (#1650) by @chaliy
• feat(python): wire custom builtins through BuiltinRegistry (#1733) by @chaliy
• chore(ci): scope homebrew-tap push to dedicated PAT (#1735) by @chaliy
• fix(rg): match explicit binary search (#1736) by @chaliy
• test(js): benchmark customBuiltins callback overhead from bash (#1734) by @chaliy
• fix(ci): close fork-PR secret exfiltration in examples job (TM-INF-026) (#1728) by @chaliy
• docs(js): add customBuiltins example, README sections, and public guide (#1726) by @chaliy
• feat(js): guardrail against executeSync + custom builtin deadlock (#1732) by @chaliy
• fix(rg): avoid quadratic multiline matching hot path (#1689) by @chaliy
• fix(rg): bound gzip decompression in search-zip mode (#1687) by @chaliy
• fix(fs): enforce readonly_filesystem for runtime live mounts (#1691) by @chaliy
• fix(rg): gate explicit symlink dereference behind --follow (#1688) by @chaliy
• fix(rg): reject empty pattern with --only-matching (#1649) by @chaliy
• fix(rg): match quiet output precedence by @chaliy
• fix(rg): match json event modes (#1730) by @chaliy
• fix(rg): match only-output modes (#1729) by @chaliy
• fix(rg): match zip extension behavior (#1727) by @chaliy
• feat(core,js): host-owned mutable BuiltinRegistry (#1721) by @chaliy
• fix(rg): match pre and zip precedence (#1723) by @chaliy
• feat(rg): sort by modified time (#1720) by @chaliy
• fix(ci): harden python wheel builds (#1722) by @chaliy
• feat(rg): support pcre2 patterns (#1719) by @chaliy
• feat(rg): complete real file types (#1718) by @chaliy
• feat(rg): add document file types (#1717) by @chaliy
• feat(rg): add project file types (#1716) by @chaliy
• feat(rg): add metadata file types (#1715) by @chaliy
• feat(rg): add more real file types (#1714) by @chaliy
• feat(rg): add format file types (#1713) by @chaliy
• feat(rg): add common real rg file types (#1712) by @chaliy
• feat(rg): add early real rg file types (#1711) by @chaliy
• feat(rg): add more real rg file types (#1710) by @chaliy
• feat(rg): add additional default file types (#1709) by @chaliy
• feat(rg): add more language file types (#1708) by @chaliy
• feat(rg): support globstar directory prefixes (#1707) by @chaliy
• feat(rg): add more default file types (#1706) by @chaliy
• feat(rg): support escaped glob metacharacters (#1705) by @chaliy
• feat(rg): support glob brace alternation (#1704) by @chaliy
• feat(rg): support glob character classes (#1703) by @chaliy
• feat(rg): add common file types (#1702) by @chaliy
• feat(rg): support hex ansi color numbers (#1701) by @chaliy
• feat(rg): support ansi color numbers (#1700) by @chaliy
• feat(rg): support highlight colors (#1699) by @chaliy
• feat(rg): validate sort choices (#1698) by @chaliy
• feat(rg): support all file types (#1697) by @chaliy
• feat(rg): honor option delimiter (#1696) by @chaliy
• feat(rg): parse separator escapes as bytes (#1695) by @chaliy
• feat(rg): emit hyperlink prefixes (#1694) by @chaliy
• feat(rg): expand custom color styles (#1693) by @chaliy
• feat(rg): honor custom color styles (#1692) by @chaliy
• feat(rg): add ansi color output (#1686) by @chaliy
• feat(rg): honor global git ignore files (#1685) by @chaliy
• feat(rg): honor parent ignore files (#1684) by @chaliy
• feat(rg): expand generated completion flags (#1683) by @chaliy
• feat(rg): gate preprocessors with pre-glob (#1682) by @chaliy
• feat(rg): honor ascii regex mode (#1681) by @chaliy
• feat(rg): add generate output mode (#1680) by @chaliy
• feat(rg): add reset compatibility flags (#1679) by @chaliy
• feat(rg): accept diagnostic controls (#1678) by @chaliy
• feat(rg): accept preprocessor controls (#1677) by @chaliy
• feat(rg): add gzip search mode (#1676) by @chaliy
• feat(rg): follow symlink search paths (#1675) by @chaliy
• feat(rg): add context separator controls (#1674) by @chaliy
• feat(rg): add null-data record search (#1673) by @chaliy
• feat(rg): add color and engine compatibility flags (#1672) by @chaliy
• feat(rg): add compatibility flag aliases (#1671) by @chaliy
• feat(rg): add ignore toggle parity (#1670) by @chaliy
• feat(rg): add max depth aliases (#1669) by @chaliy
• feat(rg): add ignore file control flags (#1668) by @chaliy
• feat(rg): add max-filesize filtering (#1667) by @chaliy
• feat(rg): add case-insensitive glob filters (#1666) by @chaliy
• fix(rg): handle multiline invert matches (#1665) by @chaliy
• feat(rg): add multiline mode (#1664) by @chaliy
• feat(rg): add crlf mode (#1663) by @chaliy
• feat(rg): add encoding support (#1662) by @chaliy
• feat(rg): add engine and mmap flags ([#1661](#1661...

Release v0.6.0

Highlights

• Continue coreutils adoption experiment — Extends the codegen pipeline beyond uu_app() argument surfaces to vendor whole upstream uutils modules with a manifest and drift-detection CI. tee, mktemp, realpath, stat, and od now flow through codegen; printf runs on a vendored copy of uucore's format implementation; and env is ported through a virtual-env shim (TM-INF-024) (#1592, #1593, #1594).
• MCP server mode removed from CLI — The bashkit mcp server mode has been removed. The recommended path for MCP integrations is now to embed bashkit via the library bindings.
• Security hardening across the sandbox — Fail-closed fixes across realfs (no-follow resolver for stat/read_link/remove; reject leaf-symlink writes), snapshot/restore (atomic, fail-closed vfs_restore), sqlite (reject VACUUM/VACUUM INTO; row caps; engine cache invalidation), network (SSRF precheck fails closed; IPv4-mapped IPv6 normalization), jq (replace halt to stop sandbox escape via process::exit; fancy-regex execution + file-binding caps), and ssh (shell-escape sftp ls; try none-auth before password/key). The final 6 OPEN entries in the threat model are now marked mitigated (#1568, #1581, #1582, #1583, #1584, #1585, #1586, #1587, #1588, #1589, #1590, #1591, #1599, #1601, #1613, #1615).

Breaking Changes

• CLI MCP server mode removed: The bashkit mcp subcommand and the MCP server transport bundled in the CLI have been removed.
  • Before: bashkit mcp --transport stdio
  • After: embed bashkit via the library bindings (bashkit crate, @everruns/bashkit on npm, bashkit on PyPI) and expose tools through your own MCP server.

What's Changed

• fix(coreutils-port): constrain uu_app builder macro arguments (#1629) by @chaliy
• fix(coreutils-port): accept localized-Command let-binding in uu_app (#1628) by @chaliy
• chore(deps): bump the rust-dependencies group with 3 updates (#1626) by @dependabot
• fix(fuzz): strip real-shell error lines from stderr before banned-shape check (#1623) by @chaliy
• fix(fuzz): drop arithmetic_fuzz inputs that contain banned debug shapes (#1622) by @chaliy
• fix(fuzz): drop glob_fuzz inputs that contain banned debug shapes (#1621) by @chaliy
• fix(coreutils-port): allow safe clap macros in uu_app validator (#1620) by @chaliy
• fix(bashkit-eval): make rustls provider init idempotent (#1619) by @chaliy
• fix(printf): cap float exponent magnitude in format validation (#1618) by @chaliy
• fix(coreutils-port): harden uu_app builder validation (#1617) by @chaliy
• fix(sqlite): enforce row cap while stepping (#1615) by @chaliy
• fix(ci): isolate coreutils drift external execution (#1614) by @chaliy
• fix(jq): cap file binding memory (#1613) by @chaliy
• fix(ci): sandbox coreutils drift generation (#1611) by @chaliy
• fix(export): continue after invalid identifier to avoid stale env sync (#1610) by @chaliy
• fix(js): correct sqlite maxMemory unit handling (#1609) by @chaliy
• chore(specs): mark TM-DOS-057 partial on WASM (#1607) by @chaliy
• fix(bashkit-eval): install rustls provider for library providers (#1606) by @chaliy
• fix(python): preserve credential placeholder env on snapshot restore (#1605) by @chaliy
• fix(export): sync successful exports when readonly args fail (#1604) by @chaliy
• fix(tool_def): reject bare array flags without values (#1603) by @chaliy
• fix(jq): enforce fancy-regex execution limits (#1601) by @chaliy
• fix(bindings): derive sqlite limits from host time and memory caps (#1600) by @chaliy
• fix(sqlite): invalidate cached engine when VFS file changes (#1599) by @chaliy
• fix(tool_def): bound aggregate JSON flag coercion (#1598) by @chaliy
• fix(scripted-tool): isolate and bound extension invocation traces (#1597) by @chaliy
• fix(scripts): follow redirects and bump just to 1.50.0 in init-cloud-env (#1595) by @chaliy
• refactor(builtins): port tee/mktemp/realpath/stat/od to codegen args (#1594) by @chaliy
• feat(coreutils-port): add module-vendor mode with manifest and drift CI (#1593) by @chaliy
• feat(builtins): port uutils env-default surface via virtual-env shim (TM-INF-024) (#1592) by @chaliy
• fix(network): fail closed in SSRF precheck and document handler responsibility (#1591) by @chaliy
• fix(network): normalize IPv4-mapped IPv6 in is_private_ip to block SSRF (#1590) by @chaliy
• fix(jq): replace halt native to stop sandbox-escape via process::exit (#1589) by @chaliy
• fix(sqlite): reject VACUUM to block VFS escape via VACUUM INTO (#1588) by @chaliy
• fix(interop): mark filesystem import unsafe and own the foreign vtable (#1587) by @chaliy
• fix(snapshot): make vfs_restore fail closed and apply atomically (#1586) by @chaliy
• fix(realfs): reject leaf-symlink writes to block dangling-symlink escape (#1585) by @chaliy
• fix(realfs): use no-follow resolver for stat/read_link/remove (#1584) by @chaliy
• fix(ln): surface remove failure under -f instead of falling through to symlink (#1583) by @chaliy
• fix(ssh): try none-auth before password/key to avoid leaking defaults (#1582) by @chaliy
• fix(ssh): shell-escape sftp ls path to prevent remote command injection (#1581) by @chaliy
• docs(threat-model): mark final 6 OPEN entries mitigated (#1568) by @chaliy
• fix(coreutils-port): accept let-bound Command chain in uu_app validator by @chaliy
• fix(fuzz): strip uutils clap error chrome before banned-shape check by @chaliy
• chore(ci): bump artifact actions by @dependabot
• feat(printf): vendor uucore format by @chaliy
• fix(truncate): enforce VFS limits before resize by @chaliy
• fix(shuf): cap range and repeat output allocation by @chaliy
• fix(cli): remove MCP server mode by @chaliy
• chore(maintenance): add deepsec scanning workspace by @chaliy

Full Changelog: v0.5.0...v0.6.0

Release v0.5.0

Highlights

• Coreutils argument surface via codegen — New POC pipeline ports uutils' uu_app() clap definitions into bashkit so builtins share the real coreutils argument shape; cat, tac, truncate, shuf, and readlink now flow through this surface, with a coreutils differential testing harness to catch parity drift. The codegen pipeline reads a single pinned uutils revision so generated builtins, the differential harness, and CI all agree on the upstream source of truth (#1529, #1535, #1536, #1537, #1538, #1542).
• Site updates — Bashkit agent skill is now published on the site, alongside rustdoc guides and content signal declarations for discoverability.

What's Changed

• refactor(builtins): migrate readlink to codegen-ported argument surface (#1542) by @chaliy
• chore(site): publish bashkit agent skill (#1541) by @chaliy
• chore(site): declare content signals by @chaliy
• docs(site): publish rustdoc guides by @chaliy
• feat(builtins): add shuf via codegen with helper-fn inlining (#1538) by @chaliy
• chore(builtins): pin uutils revision as single source of truth (#1537) by @chaliy
• feat(builtins): add truncate via codegen-ported argument surface (#1536) by @chaliy
• test(builtins): add coreutils differential testing harness (#1535) by @chaliy
• feat(builtins): port uutils argument surfaces via codegen (POC: cat, tac) (#1529) by @chaliy
• feat(tool_def): accept --flag key=value... syntax for object/array flags (#1528) by @chaliy
• fix(tool_def): coerce stringified JSON for array/object flag schemas (#1527) by @chaliy

Full Changelog: v0.4.1...v0.5.0