v2026.2.15-beta.0

2026.2.15-beta.0 (Pre-release)

This is a beta release focused on security hardening and safer skill behavior before next stable.

Highlights

• Removed insecure buyer key CLI arg flow.
• Added strict publish guardrails for local file exposure.
• Removed skill auto-install/git-clone fallback behavior.
• Updated release runbook for fast same-day prereleases.

Breaking changes

• leak buy --buyer-private-key ... is no longer supported.
• Use one of:
  • --buyer-private-key-file <path>
  • --buyer-private-key-stdin

Security hardening

• Publish path must be a regular file (no directories/symlinks).
• Sensitive paths blocked by default (~/.ssh, ~/.aws, ~/.gnupg, ~/.config/gcloud, /etc, /proc, /sys, /var/run/secrets).
• --public now requires explicit confirmation (--public-confirm I_UNDERSTAND_PUBLIC_EXPOSURE in non-interactive mode).

Skill/runtime changes

• Removed skills/leak/scripts/ensure_leak.sh.
• Skill wrappers now use local leak or pinned npx -y leak-cli@2026.2.15-beta.0.
• Skill docs now include explicit safety policy and secure key handling rules.

Release tooling updates

• scripts/check_version_sync.js now accepts prerelease versions (YYYY.M.P-beta.N) as well as stable (YYYY.M.P).
• RELEASE.md rewritten to event-driven beta-first flow with same-day prerelease steps.

Validation

• npm run check:release passed.
• RELEASE_VERSION=2026.2.15-beta.0 npm run check:changelog-version passed.

Upgrade notes

• Update any scripts/agents using --buyer-private-key to file/stdin key input.

Rollback

• Reinstall previous stable:
  • npm i -g leak-cli@2026.2.14

Full Changelog: v2026.2.14...v2026.2.15-beta.0