First npm release. npx swarmdo@latest is live — the umbrella (swarmdo@1.4.8) and the standalone CLI (@swarmdo/cli@1.4.8, self-contained via vendored staging) both publish from the new SwarmDo organization.
Headlines since v1.3.0: every slash command namespaced under /sDo: (skills /sdo-), the operational toolkit (usage analytics + budget guard, ops HUD, TDD repair, worktree isolation, transcript export, conventional-commit changelog, MCP doctor, desktop-notify hook recipes), the 5-tier config preset ladder, the Obsidian memory-vault roundtrip, and config lint.
⚠ Breaking Changes
- org: move to the SwarmDo organization — JannieP/swarmdo → SwarmDo/swarmdo (1.4.7) (
3cf16f695) - commands: namespace every swarmdo slash command under sDo (1.4.0) (
dfe87f2f0) - changelog: release notes from conventional commits (1.3.28) (
81a508804)
Features
- config:
config lint— static validation of config surfaces (1.4.6) (2dbe1da9a) - memory: Obsidian vault IMPORT —
memory import -f obsidianroundtrip (1.4.4) (bf57a10e3) - memory: Obsidian markdown-vault export —
memory export -f obsidian(1.4.3) (8a265b5f0) - commands: namespace every swarmdo slash command under sDo (1.4.0) (
dfe87f2f0) - usage:
usage guard— budget/rate-limit policy over spend (1.3.30) (071a4a083) - hooks:
hooks recipe— install Claude Code hook recipes (1.3.29) (dd99c5707) - changelog: release notes from conventional commits (1.3.28) (
81a508804) - init: configuration preset ladder + caveman/ponytail guide (1.3.27) (
50a6f84f1) - usage:
usage cache— prompt-cache efficiency + $ saved (1.3.26) (25d28bd84) - mcp:
mcp doctor— validate configured MCP servers statically (1.3.25) (70404dd62) - transcript: export Claude Code sessions to Markdown (1.3.24) (
0cffd5557) - notify: real desktop notifications for hooks notify (1.3.23) (
0b03f9438) - usage:
usage errors— tool-failure analytics from transcripts (1.3.22) (33e64d6fe) - worktree: isolated git worktrees for parallel work (1.3.21) (
bbf0a5fa4) - task: parse-prd — decompose a spec into the task DAG (1.3.20) (
c45b643c8) - usage: quantify uncounted spend when models are unpriced (1.3.19) (
7e6a60a5e) - memory: SWARMDO_REQUIRE_REAL_EMBEDDINGS strict mode — hash fallbacks throw instead of degrading silently (
a26ad159f) - memory: revectorize — repair hash-era embeddings with real ONNX vectors (
c1b147ebe) - cli: swarmdo hud — single-pane operational view (block burn, tasks, daemon, memory) (
71be65b33) - usage: 5-hour billing blocks view with live burn rate (
f69c973d0) - task: dependency-aware task graph — ready/blocked queries, dispatcher gating (
30cd218ad) - cli: swarmdo repair — Test-Driven Repair via bounded headless claude loop (
9f31fdc5d) - daemon: backup worker (13th, default-on) + honest optimize telemetry + SWARMDO_HEADLESS kill-switch (
686eb2a18) - memory: WAL-safe backup subcommand — snapshot, keep-N rotation, restore (
59354748d) - cli: swarmdo usage — Claude Code token/cost analytics from local transcripts (
838aac202) - cli: swarmdo efficiency on|off|status — post-init toggle for caveman+ponytail skills (
2241da129) - brand: marketing logo set — swarm-delta mark + full lockups, dark/light/transparent, SVG + PNG (512/1024/2560) (
074b9c8a1) - support: Buy Me a Coffee — repo Sponsor button (FUNDING.yml), README badges, website nav + footer button (slug: buymeacoffee.com/swarmdo) (
303745d86) - agents: ponytail persona flag for spawned agents (
25f0294f9)
Bug Fixes
- cli: make @swarmdo/cli standalone-installable from npm (1.4.2) (
984458243) - statusline: regenerate committed statusline.cjs artifact to match generator (pre-existing drift-guard failure) (
83421b1a6) - security: bound functionPatterns in swarmvector DIST too (143 completeness) (
2ad7a11e1) - security: actually close 5 re-confirmed CodeQL alerts (141,143,230-232) (
f339fc333) - security: harden two test-file sanitizers/regex — no bump (
f70d68b26) - security: sanitization/url/escaping fixes in vendored swarmvector + agentic-flow — 1.3.16 (
fab3e4436) - security: bound 10 flagged ReDoS regexes across cli/codex/swarmvector — 1.3.15 (
9f8b2cfb7) - security: argv-form syntax check in swarmvector bin/cli — 1.3.14 (
e7d137945) - security: linear-time regexes in vendored agentic-flow dist — 1.3.13 (
9b9deebcc) - security: block scriptable data: URIs in swarmvocal markdown hrefs (
59f8b33cd) - security: 2 V8-reproducible first-party ReDoS — 1.3.12 (
533471e04) - security: argv-form git/exec in vendored forks — 1.3.11 (
3d42b915c) - security: crypto-strong session IDs in vendored agentdb + swarmdo-swarm — 1.3.10 (
08bf23a55) - security: linear-time regexes in vendored swarmvector — 1.3.9 (
99fb4c931) - security: CORS wildcard+credentials, no-op replace, esp32 argv exec (
9b19fe3b8) - security: complete incomplete sanitizers (loop + escape-order) — 1.3.8 (
95fa27eb6) - security: helmet CSP + vbscript: scheme + entity-decode order — 1.3.7 (
7811037ab) - security: guard prototype-polluting assignments — bump 1.3.6 (
ea2e744b6) - security: crypto-strong IDs in integration/mcp-tools/plugins/cloud-fn (
e4a790996) - security: crypto-strong session/terminal IDs in cli + mcp — bump 1.3.5 (
353dc6341) - security: remove dead script/handler strips in browser sanitizer — bump α6 (
8090e301c) - security: linear-time regexes in gastown-bridge + prime-radiant plugins (
1c78e405b) - security: linear-time regexes in aidefence/browser/guidance — bump 1.3.4 (
4cb547413) - security: linear-time regexes across mcp/shared/memory/plugins — bump 1.3.3 (
a73dabdbd) - security: linear-time regexes in codex loop/migrations/validators — bump alpha.10 (
eec848d49) - security: linear-time swarmvector analyzers (ast/coverage/diff) — bump 1.3.2 (
f456b2d8b) - security: linear-time regexes in cli parser/doctor/init/graph-analyzer — bump 1.3.1 (
e91d3acf3) - security: shell-free git invocations in release-manager + Windows npm-arg guard (
72bc4e96a) - security: constant console format strings, key-prefix redaction, regex-injection guard (
6c7c802ad) - security: uniform verification codes + crypto-strength session ids (
931a7ca04) - security: least-privilege permissions blocks in all 17 workflows lacking them (
a23208511) - plugins: marketplace-valid author objects for vendored caveman/ponytail manifests (
d0755a22b) - ci: repair rename-corrupted integrity hashes in four lockfiles (
fd7a7930e) - memory: restore real ONNX embeddings — semantic memory search was silently hash-based (
342ee8977) - parser: mirror camelCased flags to kebab twins — un-breaks ~120 dead flag reads (
ae71933b9) - daemon: consolidate worker does real work — TTL expiry, EWC Fisher, run ledger (
25c406877)
Documentation
- all: Operational Toolkit surfaced in README, USERGUIDE, and site (1.4.5) (
cc1ca99a9) - release: 1.4.1 — README/site/CLAUDE.md for the sDo release; fix attribution URLs (
9dae62984) - fix stale claude-flow-era version references in CLAUDE.md (
75c48e84b) - site+readme: dedicated Caveman & Ponytail integration section — before/after demo, agent persona, toggle matrix, MIT credits (
319f11453) - live GitHub stars badge (repo is now public) (
1d78205bc) - swarmdo compress in README quick start (e2e-verified 33% reduction) (
a94b34c51)