v0.1.29

What's Changed

A documentation-focused release: a major refresh of the agent-skill guidelines plus new supply-chain hardening guidance. No dependency changes — the lockfile is byte-identical to v0.1.28.

Documentation

• Agent Skills & CLI Integration Patterns (tbd guidelines cli-agent-skill-patterns): rewritten to be broad, multi-agent, and current as of May 2026. Leads with a non-dogmatic simple baseline (one SKILL.md) and layers up to CLI-as-skill and MCP only when needed. Adds a 15-agent integration matrix (Claude Code, Codex, Cursor, Copilot, Gemini CLI, Windsurf, Cline, Aider, opencode, Amp, Jules, Goose, Zed, Factory, pi), the AGENTS.md / Agent Skills open-standard model, a CLI install vs. zero-install design section, and sections on security, testing skills before publishing, and versioning.
• New supply-chain-hardening guideline (tbd guidelines supply-chain-hardening): a concise cross-ecosystem policy — the 14-day cool-off plus Node/pnpm/Bun enforcement (lifecycle-script allowlists, lockfile discipline, ncu --cooldown, a CI audit gate, a pre-push age guard, and the exception process). Strongly recommended for every repo, and it references the Supply Chain Hardening guidebook for the full playbooks. The duplicated Supply-Chain Mitigation content was removed from the bun and pnpm monorepo guides and consolidated here.

Fixes

• Cleaner generated skill files: tbd setup no longer writes a stray mid-document YAML frontmatter block into .claude/skills/<tool>/SKILL.md or the AGENTS.md integration section. The composed skill now strips the baseline's own frontmatter, so the generated files are stable and idempotent under Prettier and flowmark (no more spurious diffs after running tbd setup).

Security

• Lockfile byte-identical to v0.1.28; no dependency or manifest changes, so no new advisories.

Full commit history: v0.1.28...v0.1.29