v0.2.1

Bug-fix release from a systemic review of documented functionality — 13 confirmed bugs across security, stability, and provider/MCP handling, each fixed test-first.

Security

• Invisible-char guard used U+0FEF (a visible glyph) instead of U+FEFF — a real BOM/ZWNBSP injection marker could slip through memory/skill scanning.
• write/edit/apply_patch forced new project files to 0600; they now inherit the umask, while session/memory state stays owner-only.
• On --no-default-features (semantic-bash off), bash redirect/mutation targets (echo x > /etc/passwd) were ungated — now routed through the write rules + external-dir gate.
• MCP external-path guard only inspected top-level args; nested path arguments ({edits:[{path:…}]}) now go through the guard.
• A relative redirect after cd outside the project (cd /etc && echo x > passwd) is now correctly gated.

Stability

• A cancelled LSP spawn (Ctrl-C during a cold rust-analyzer/jdtls start) no longer leaks the spawn slot and permanently disables that server for the session.
• edit with replace_all no longer corrupts/panics when fuzzy matchers return overlapping ranges.
• Two dirge sessions in one project no longer trigger false memory drift (MEMORY.md → .bak); genuine external edits are still preserved.
• Memory file lock now re-checks staleness on every attempt, so a holder that crashes mid-wait no longer causes a spurious timeout.

Provider / MCP

• A config-declared alias of a built-in name with a custom base_url (e.g. ollama → openai backend + local proxy, as documented) is now accepted; the collision guard applies only to untrusted plugins.
• A custom provider alias with no explicit model now resolves its backend's default model instead of falling back to the OpenRouter id.
• The MCP stderr forwarder emits a single …[truncated] marker per over-long line instead of one every 16 KiB.

Install: cargo install dirge-agent (binary: dirge). Cross-platform binaries are attached below.