yafm v0.8.0 — Make it yours

@akurach akurach released this 05 Jun 17:51
· 55 commits to main since this release

Extensibility re-opens — safely. Plugins come back with a capability model: declare what you need in a manifest, grant it at enable-time in Settings, get nothing more.

Highlights

  • Plugin manifests — a sidecar <plugin>.json gives a plugin identity (id/version/apiVersion) and gates every surface beyond a column. A bare .js still loads compute-only.
  • Per-plugin enable/disable in Settings ▸ Plugins, with capabilities listed and a trust badge (Signed / Author / Unsigned).
  • Commands & menu items — plugins can add pane-menu commands and row right-click items (capability-gated).
  • Scoped file reads (read:cwd): yafm.readText(entry, "rel") resolves host-side against the entry's folder, refuses ../ and symlink escape (O_NOFOLLOW), caps at 256 KB, and hands JS an opaque handle, never a path. You consent when enabling — never the plugin.
  • Flagship Git Branch plugin (reads .git/HEAD via the capability) ships disabled — enable it to see the flow.
  • Archive browsing — open a .zip to browse it read-only like any folder, streamed so a big archive never freezes.
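
The host-side checks listed for read:cwd (no ../, no symlinks, 256 KB cap, opaque handle) can be sketched as below; this is an added Python example, not yafm's own code. The names read_text_scoped, ScopeError and HANDLES, and the choice to truncate at the cap, are assumptions.

```python
import os, secrets, stat, tempfile
from pathlib import Path

MAX_BYTES = 256 * 1024  # cap stated in the release notes
HANDLES = {}            # opaque handle -> text, kept host-side (hypothetical store)

class ScopeError(Exception):
    """The requested read would leave the entry's folder."""

def read_text_scoped(folder, rel):
    """Hypothetical host-side read of `rel` under `folder`; returns a handle."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if rel.startswith("/") or not parts or ".." in parts:
        raise ScopeError("path escapes the folder")
    fd = os.open(folder, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, name in enumerate(parts):
            # O_NOFOLLOW on every component: a symlinked directory is refused too.
            kind = os.O_NONBLOCK if i == len(parts) - 1 else os.O_DIRECTORY
            try:
                nxt = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | kind, dir_fd=fd)
            except OSError as exc:
                raise ScopeError(f"refused {name!r}: {exc.strerror}") from exc
            os.close(fd)
            fd = nxt
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise ScopeError("not a regular file")
        with os.fdopen(fd, "rb", closefd=False) as f:
            data = f.read(MAX_BYTES)  # assumption: the cap truncates
    finally:
        os.close(fd)
    handle = secrets.token_hex(16)    # the plugin gets this token, never a path
    HANDLES[handle] = data.decode("utf-8", errors="replace")
    return handle

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        repo = Path(root, "repo")
        (repo / ".git").mkdir(parents=True)
        (repo / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        Path(root, "secret.txt").write_text("outside\n")
        (repo / "link").symlink_to(Path(root, "secret.txt"))
        results = {"head": HANDLES[read_text_scoped(str(repo), ".git/HEAD")]}
        for rel in ("../secret.txt", "link", "/etc/hosts"):
            try:
                read_text_scoped(str(repo), rel)
                results[rel] = "allowed"
            except ScopeError:
                results[rel] = "refused"
        return results
```

Opening each path component relative to the previous directory descriptor keeps the check and the open in one step, so swapping a directory for a symlink between validation and read does not help an escape.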

Deferred (with reason)

  • Remote marketplace + cryptographic plugin signing — need hosted infra + a signing key/PKI (same blocker class as DMG notarization). The manifest already carries the trust tier + a signature field, so signing slots in later without a format change.

Install

DMG is unnotarized — first launch: right-click ▸ Open ▸ Open Anyway.

Tests: +14 Core → 70 total. Full notes: CHANGELOG.md