You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
npx @ellery/loadout — a new npm bootstrapper package (in npm/). One
command tries loadout without a prior install: if the load binary is
present it delegates straight to it; if not, it states exactly what the
official installer will do (binary into ~/.cargo/bin, PATH entry, update
receipt) and asks for consent before installing — never silently, and never
in non-interactive terminals, where it prints the manual curl command
instead. npx @ellery/loadout studio is the advertised one-liner: install
(with consent) and open the studio in one step.
Studio exit epilogue — stopping the studio (Ctrl-C or idle timeout) now
prints what to type next (load claude, and how to reopen the studio)
instead of dead-ending at an empty prompt. Ctrl-C is now a clean shutdown:
the per-port runtime file is removed instead of leaked.
Changed
The studio's guided-onboarding finish card now shows the short launch form
(load claude) instead of load run claude — one spelling everywhere.
Install loadout 0.17.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/elleryfamilia/loadout/releases/download/v0.17.0/loadout-installer.sh | sh
Loadout can now learn from your own agent sessions. Ambient learning is
opt-in, mines only sessions you already had, and stages every result in a
review inbox — nothing reaches a fragment without an explicit promote. There
is no daemon: the harvest runs as a plain, throttled background process,
capped at a small number of calls per day per machine, with every part of
that cap stated up front before you turn it on.
Added
load learn on — turns on ambient learning for this machine. Prints an
honest consent block first: exactly what runs (load harvest --ambient, a
normal process you can see in ps, never a daemon), when (after your agent
sessions end, and at loadout's own commands, at most once per 6-hour tick),
the ceiling (at most one extraction call per tick — four a day at most, per
machine, at default settings — plus any load harvest you run by hand), the
files it edits (a session-end hook in ~/.claude/settings.json and one in ~/.cursor/hooks.json, each backed up once before its first edit), the sync
disclosure (distilled claim text travels in your synced config; the
verbatim quote behind it never leaves the machine that observed it), and a
concrete cost estimate (typically 1-3¢ on a metered API key, $0 marginal on
a subscription-backed CLI). load learn off reverses all of it everywhere
it's synced; load learn status shows what's on, the CLI a run would use,
and the review backlog; load learn reset re-baselines the harvest
watermarks after a corrupted store (your reviewed candidates are untouched).
Session-end hooks for Claude Code and Cursor — a SessionEnd hook in
Claude's nested ~/.claude/settings.json, and a stop hook in Cursor's ~/.cursor/hooks.json, wake the harvest worker right after a session ends
instead of waiting for your next load command. Registration only happens
while learning is active, is purpose-tagged so load learn off removes
exactly loadout's own entries (any other tool's hooks, and Cursor's
freshness hook, are left byte-identical), and loadout's existing
entry-point triggers (run/refresh/studio) still catch a quiet stretch
where no hook fired. Gemini's hook surface turned out to have no reliable
trigger point — its transcripts are still read, just not hooked.
The harvest worker (load harvest) — one fenced, single-writer,
detached background pass per machine: reads new session transcripts since
the last watermark (Claude Code, Codex, and Gemini CLI — interactive
sessions only), redacts secrets before anything is measured or sent
anywhere, bounds the input (20 sessions / 400KB per run), asks a cheap model
to extract durable preferences, and stages the results. Self-throttled at
both the trigger and the worker layer, with a fencing-token lock and
monotonic watermarks, so a crash loop or a stray manual run can never push
past the consented ceiling.
Per-machine inbox journals — each machine appends only to its own
append-only journal file inside the synced config directory, so load sync
merges cleanly with no file two machines ever write to at once. Journals
fold into one deduplicated candidate view: a dismiss or a promote is
permanent (a later observation of the same claim can't reopen it), and a
candidate whose text trips the injection lint is quarantined until an edit
actually clears the flag.
Studio Inbox tab — review staged candidates: promote one into a
fragment (new, or merged into an existing one, through the same
stage-then-apply diff every other studio edit uses), dismiss it, or bring a
dismissed one back. A quarantined claim can only be promoted after an edit
that clears the injection lint.
load doctor Learning section — activation state (synced intent vs.
this machine), hook registration health per agent, the last run's outcome,
next eligibility, a paused-after-repeated-failures warning, and a
corrupt-watermark-store warning.
load run's header and step line print a one-line nudge naming how many
candidates are staged and waiting for review, whenever there's at least one.
Not in this release: hook registration for Gemini, Copilot, Codex, or
opencode; transcript readers for Cursor or opencode; auto-promotion; and the
audit trail that would show why a claim was suggested — deferred to a future
release.
Install loadout 0.16.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/elleryfamilia/loadout/releases/download/v0.16.0/loadout-installer.sh | sh
load studio explains itself on headless machines. When there's no
browser to open — an SSH session, or a Linux console without a display —
studio now says so and points at the intended workflow (run load studio
on your own machine and load sync the changes over, or load edit the
TOML directly), instead of silently attempting xdg-open and leaving a
dead-end URL. Detection is env-based (SSH_CONNECTION/SSH_TTY, DISPLAY/WAYLAND_DISPLAY) and only ever changes what's printed.
Fixed
load sync clone works on a freshly installed machine. The shell
installer writes loadout-receipt.json (self-update state) into ~/.config/loadout/ before load ever runs, so the config dir was never
empty and clone always refused with "is not empty". clone now tolerates
loadout's own machine-local files and only refuses when real content
(e.g. an existing config.toml) is present — naming the offending files.
Machine-local state no longer syncs across machines. The managed .gitignore now covers loadout-receipt.json, studio's run/ state, and .DS_Store; sync previously committed these (via git add -A) and pushed
them to every machine — a synced receipt breaks load update elsewhere by
misreporting what's installed there. Repos that already track these files
heal on their next load sync: the files are untracked (local copies stay
put) and the removal syncs. If a machine still on an older loadout then
loses its receipt on pull, re-running the installer restores it.
Missing git is caught up front.load sync/init/clone shell out to
git; on a machine without it (minimal Debian, slim containers) they now say
so and how to install it, instead of failing mid-operation with a raw
"No such file or directory" spawn error.
Install loadout 0.15.2
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/elleryfamilia/loadout/releases/download/v0.15.2/loadout-installer.sh | sh
Recents rows carry a kind chip. Each entry now labels itself with its
artifact kind as text ("plan" today) next to the icon — the registry has
carried a kind field since 0.15.0, and future kinds (design docs, …)
label themselves automatically with no UI changes.
Install loadout 0.15.1
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/elleryfamilia/loadout/releases/download/v0.15.1/loadout-installer.sh | sh
Studio Recents tab: plan previews rendered by load plan render are
recorded in a per-machine registry (~/.local/state/loadout/recents.json)
and listed in a new always-visible Recents tab — repo, age, task counts,
staleness badge, per-row remove, and a list-only Clear. Clicking an entry
opens the render in a new browser tab, served by studio under an
origin-isolating Content-Security-Policy: sandbox response header.
Every workflow's plan stage now produces the visual plan preview. The
generated plan-slot command (/loadout:plan, whatever the workflow names
the stage) tells the agent to also emit plan.json, validate it with load plan check, and open the review page with load plan render —
including the sibling-file recipe when plan.json already holds a
different pending plan. Previously this flow lived only in the loadout-plan-preview skill, and silently disappeared in sessions where
the skill didn't surface. The always-on workflow section adds a one-line
offer covering plans written outside the workflow commands.
The plan page's Copy-feedback button now surfaces a manual-copy panel when
every clipboard path is blocked, so the paste-back loop never dead-ends.
The plan page carries a slim brand strip — the loadout mark, Loadout,
and a muted "Viewer" — naming the surface in every serving context.
Fixed
Relative FILE and --out arguments to load plan check/render resolved
against the process working directory instead of the invocation directory —
under --cwd, a relative --out silently wrote into whatever directory the
process happened to run from. They now anchor to the invocation directory
(the explicit --cwd value, else the shell's cwd).
Changed
Generated overlays re-render once on the first refresh after upgrading (a
header-version bump), deploying the reworded ## Workflow section.
Install loadout 0.15.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/elleryfamilia/loadout/releases/download/v0.15.0/loadout-installer.sh | sh
Follow-ups from the first real-world use of the plan preview (a 23-task plan
reviewed through six rounds of the paste-back loop). All changes apply to load plan.
Added
Authoring guardrails in load plan check — a per-phase task breakdown
after validation, plus four non-gating advisories that catch plans which
validate but read badly: long_summary (executive summary past 1,500
chars), wall_of_text (a long summary with no paragraph breaks), long_goal (a goal_md that reads as a second summary), and long_key_point (spec-compressed bullets). Each hint names the fix. The
schema reference grew matching guidance: goal-vs-summary roles, short
paragraphs, plain-language key points, and markdown (tables, code blocks,
task lists) for scannability.
Big plans are supported — the per-string limit rose from 10,000 to
65,536 chars (the 2 MiB document cap remains the ceiling), and the loadout-plan-preview skill now tells the authoring agent to never
compress plan content to fit limits — for genuinely huge plans it should
surface the token cost and offer a markdown plan instead. A plan using
longer strings reports a clear string_too_long on older loadouts; the
fix is load update.
Changed
The review page got its first-contact redesign — the page centers
under a width ceiling; the byline sits above the title as an eyebrow with
the created date; the summary card pairs the executive prose with an
"At a glance" rail (task/phase counts, a per-phase rollup with compact
estimates and risk heat, the risk register, and the ready/blocked banner);
key points get accent markers and flow into two columns on wide screens.
Feedback copy is human-first — the copied block leads with the
readable markdown mirror; the canonical fenced JSON (stable refs, plan_hash, blocking flags) follows in a labeled block. "Copy feedback"
stays disabled until a comment exists, open questions get an Answer
CTA, and the reviewed checkbox became a labeled Mark reviewed toggle.
Fixed
Phase descriptions were rendered inside the collapsed <details> and so
were invisible until a phase was expanded; the first paragraph now shows
as a teaser in the collapsed row (any remaining block content renders in
the expanded body — teasers are strictly phrasing-safe, a review finding).
Dependency-graph node labels hard-truncated at 28 characters on one line;
they now word-wrap to two lines, nodes grew to fit, and every node carries
a full-title tooltip.
Per-criterion comment buttons overflowed their one-line rows and stacked
into a misaligned column; line anchors now use a hover-revealed, icon-only
line-comment treatment while card-level buttons stay persistent.
Install loadout 0.14.1
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/elleryfamilia/loadout/releases/download/v0.14.1/loadout-installer.sh | sh
load plan — validate, render, and review an agent-written development
plan. An agent (with the embedded loadout-plan-preview skill) writes a
structured plan.json; load plan check [--json] [--lenient] validates it
with JSON-pointer diagnostics; load plan render [FILE] [--out] [--no-open]
renders a self-contained plan.html — inline dependency graph, task cards,
element-anchored commenting, a "Copy feedback" button — and opens it in your
browser; load plan schema prints the schema reference; load plan clean
removes the rendered page and any feedback file (a plain load clean sweeps
them too). Rendering is deterministic (same plan.json + same loadout
version → byte-identical HTML) and fully self-contained — no CDN, no
external fetches. See docs/concepts.md.
The page is built to be reviewed: an agent-authored executive summary with
key points and out-of-scope (meta.summary_md / key_points / out_of_scope), a computed ask banner and per-phase rollup table, blocking
questions surfaced first, phases collapsed behind labeled ordinals with
expand-all, a phase-level dependency graph, per-task reviewed checkboxes,
and a 16-icon vocabulary (icon on phases/tasks, vendored Lucide) — set in
embedded Inter (vendored, OFL). Reviewer comments are plain text plus one
"Blocks approval" checkbox; "Copy feedback" emits a loadout.plan-feedback/1
document whose verdict is request_changes iff any comment blocks.
Per-skill install/remove toggles — Studio: per-skill install/remove toggles
on the skills card (previously the card only offered install-all; the CLI's load skill install/remove <id> already supported single skills).
Fixed
load doctor could hang forever probing an agent CLI. Doctor checked
each agent's launch CLI with an unbounded --version run; GitHub Copilot's
version check can leave a background updater holding the output pipe, which
blocked doctor indefinitely. Agent probes now get the same hard deadline as
script probes (3s): a wedged CLI degrades to a "probe timed out" warning.
The shared probe runner also bounds its output reads (not just the child's
exit) and kills the probe's whole process group on expiry, so lingering
update-checker grandchildren are reaped instead of orphaned — this protects refresh/render environment probes too.
Duplicate "changed outside loadout" warnings on refresh --agent all.
The out-of-band script-change warning printed once per agent resolving the
same fragment; it now prints once per changed script per run.
A trust store written by a newer loadout is refused, not misread. After
a downgrade, a trust store with a higher schema version is now treated like
a corrupt store — loud warning, record refused, load trust --rebuild
recovers — instead of reinterpreting entries whose meaning may have changed.
Security
Studio's markdown rendering now de-links unsafe URL schemes. Fragment
and loadout guidance previews in load studio previously escaped raw HTML
but did not check link destinations — a [text](javascript:…) link in
guidance markdown rendered as a real, clickable <a href="javascript:…">.
Studio now shares the same sanitizing markdown renderer introduced for load plan (src/markdown.rs): link destinations are limited to http(s):, mailto:, in-page #fragments, and scheme-less relative
paths; anything else is de-linked to plain text, checked case-insensitively
after stripping control/whitespace characters. Images never fetch — a safe
destination renders as a link, not <img>.
Install loadout 0.14.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/elleryfamilia/loadout/releases/download/v0.14.0/loadout-installer.sh | sh
A security-focused release. loadout now guarantees that no secret reaches an
agent — not the generated context files, and not the launch prompt — tracks
out-of-band changes to your scripts, lints imported workflow text for prompt
injection, and adds a security review to the packaged verify step. Everything
runs at render time; nothing stays resident and no new LLM calls are made.
Added
Secret redaction is now a guarantee, not a best effort. Every value
loadout renders — fragment guidance, params, fragment titles, and the output
of a script or provider (both its text and its structured data) — is scanned
for token-like secrets before it is written. A match is replaced with ***REDACTED*** and you get one warning naming the fragment. A final pass at
the point of writing re-checks the overlay and every generated command file,
and provider data is scrubbed before it is cached to disk. Content authored by
the repo itself (e.g. an AGENTS.md copied into the override) is deliberately
left alone.
load doctor scans your config for secrets. It reads the raw text of each
config file, including the private local.toml, and points at the file and
line so you remove the credential at its source (multi-line private keys
included).
Config health checks run on every load refresh. The fast, read-only
subset of load doctor (dangling references, ambiguous default loadout,
gitignore coverage, the new secret and injection scans, and more) now runs
automatically during refresh. A healthy config adds no output; problems show
as warning lines. load doctor remains the full diagnostic.
Per-machine script trust. loadout records a hash of each fragment and
target script the first time it sees it (silently), stored per machine and
never synced. If a script later changes outside loadout — a hand edit, a load sync pull — you are warned before it runs, everywhere a script runs
(refresh, run, doctor, target detection), until you re-approve it with load fragments trust <id> or load targets trust <id>. Editing through load studio or load edit counts as approval. load trust shows the store; load trust --rebuild recovers a corrupted one. The script still runs this
release — the policy is warn, not block.
Prompt-injection lint on imported workflows. Imported [[workflows]] step
text is checked for instruction-override phrasing, role reassignment,
concealment, exfiltration-shaped URLs, and hidden Unicode, surfaced in load doctor and load refresh as warnings.
Security review in the verify step. The generated verify command now
asks Claude Code to run its /code-review and /security-review; agents
without native review commands get a vendored copy of Anthropic's
security-review prompt instead.
Verified install channels are documented in the README so a binary from
anywhere else reads as untrusted.
Install loadout 0.13.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/elleryfamilia/loadout/releases/download/v0.13.0/loadout-installer.sh | sh
Cursor support — a new built-in cursor agent covers the Cursor IDE and
the cursor-agent CLI with one wiring: a gitignored, always-on rule at .cursor/rules/loadout.mdc (Cursor doesn't filter rules by gitignore —
verified live in both surfaces). Workflow stages ship as Cursor Skills
(/loadout-plan, /loadout-verify, …), and load run cursor launches the
CLI with a fresh overlay like any other agent.
Hands-free freshness and adoption in the IDE — loadout registers a sessionStart hook in ~/.cursor/hooks.json (automatically, from any refresh/run/studio/sync, and only when Cursor is installed; other
tools' hook entries are preserved). Each IDE session quietly re-renders the
workspace before the first prompt, and opening a git repo one of your
loadouts applies to wires it on the spot — no load refresh ever needed.
Opt-outs: auto_adopt = false on the hook registry, or load hook cursor --remove. load doctor checks the registration.
Agent aliases — agents resolve by the binary name you know, not just
their id: load cursor-agent and load agent (Cursor's alias binary) both
reach cursor. Custom [[agents]] entries can declare their own aliases.
Unknown agent errors now list the known ids.
New [[agents]] descriptor fields for custom agents: target_file
(a fully loadout-owned wired file, written raw), preamble (mandatory first
bytes, e.g. MDC frontmatter), hook_registry (user-level lifecycle-hook
freshness), and aliases.
Changed
The generated header now tells agents to self-refresh — an agent launched
outside load run (an IDE session, a direct CLI launch) is instructed to run load refresh and re-read the overlay instead of merely being warned it may
be stale. Existing overlays pick the new wording up on their next refresh
(expect a one-time rewrite of every overlay).
Fixed
Probes and script fragments can no longer hang a render — every
provider/command subprocess is bounded (10s), gets no stdin (a CLI that
prompts sees EOF), and is killed at the deadline. A wedged daemon (e.g. an
unresponsive docker ps) now degrades to "not available" like a missing
tool; a timed-out script fragment surfaces as a visible failure and is never
cached.
Install loadout 0.12.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/elleryfamilia/loadout/releases/download/v0.12.0/loadout-installer.sh | sh
Create-a-Loadout board — selecting a loadout in load studio now opens an
editable board of slots instead of a read-only document: Applies to
(targets), Fragments, and a single Workflow slot, plus a one-line
readout of what it renders and where. Each slot edits in place (add/remove a
target, equip/remove a fragment from a category-grouped picker, bind/swap/clear
the workflow). The composed-guidance view moves behind a Preview action
(with a "← Board" button back).
Per-loadout workflow, in the UI — a loadout's workflow binding
(Profile.workflow) is now first-class: equip one in the board's Workflow
slot. (It was always in the model but had no UI — and a write bug meant it
never persisted; see Fixed.)
Paged fragments — the board's Fragments section pages a long list 9 at a
time in a fixed 3×3 grid, so a big loadout no longer sprawls and flipping pages
never shifts the layout.
Single canonical default loadout — the no-targets catch-all is now the
default: pinned to the top of the rail with a Default badge, a locked "Applies
to", and no rename/delete. Every other loadout needs ≥1 target. load doctor
warns when there are zero or more than one. Starter packs reflect this — the everyday pack is the default (no targets), and every pack now binds the
house workflow (superpowers).
Changed
Studio top nav is now two destinations: Loadouts | Library. Fragments,
Targets, and Workflows moved into the Library (a pill sub-nav) — they're the
shared gear a loadout binds, not peers of a loadout.
Removed
The global active workflow ([defaults].workflow) is gone (breaking). A
workflow is bound per-loadout only (equip it in the Workflow slot; use the
default loadout for "everywhere"). A leftover [defaults].workflow is
tolerated and ignored. The studio's "active workflow" / "Use this workflow"
activation is replaced by per-loadout binding.
Fixed
The studio wrote profiles without their workflow field, so a per-loadout
workflow binding never persisted. It does now.
Install loadout 0.11.0
Install prebuilt binaries via shell script
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/elleryfamilia/loadout/releases/download/v0.11.0/loadout-installer.sh | sh