Releases: limeflash/antigravity-plugin-cc
Release list
v0.8.1 — SSRF fix + read-only hardening
Bug-hunt patch (0.8.1)
The 0.8.0 changes were run back through agy itself (a read-only adversarial review) plus a hand audit. Four real issues fixed; one agy finding was a verified false positive. (A parallel codex pass wedged on an unresponsive backend and was skipped this round.)
🔒 Security
- SSRF: a private/loopback IPv4 embedded after a leading label is now blocked. The scrape guard anchored its embedded-IPv4 check at the first label, so
http://foo.127.0.0.1.nip.io/andhttp://a.b.10.0.0.1.sslip.io/slipped past — nip.io / sslip.io resolve<anything>.<ip>.nip.iostraight to<ip>. It now matches a loopback/private quad anywhere in the hostname. Public embedded IPs (foo.8.8.8.8.nip.io) still pass. Regression tests added.
🛡️ Defense in depth
- Repo-location env stripped from the remaining agy launch paths. The bash primary path already dropped
CLAUDE_PROJECT_DIR/GIT_*; now the bash no-nodewrite_filefallback and the Node read-only spawns (runReviewViaTranscript+ the read-only branch ofdefaultAgyRunner) do too./agy:rescueintentionally keeps them — it edits the repo by design.
🐛 Correctness
- Multibyte corruption in the Node stdout capture fixed. The review capture concatenated
chunk.toString()per data event, which mangles a UTF-8 character split across a chunk boundary (→�) for non-ASCII answers larger than one read. Now usessetEncoding("utf8"). (Bash / PowerShell capture to a file and were already byte-safe.)
Notes
- False positive (verified, no change): shorthand IPv4
http://127.1/as an SSRF bypass —new URL()normalizes it to127.0.0.1before the guard, which then blocks it. - Deferred (pre-existing, not 0.8.0 regressions, and the transcript path is now only a fallback behind direct stdout): transcript answer-selection race and multi-
PLANNER_RESPONSEconcat on-cruns, orphaned agy child on/agy:cancel, worktree/temp leak on Ctrl+C. Tracked for a follow-up.
246 unit tests; CI green.
Full changelog: https://github.com/limeflash/antigravity-plugin-cc/blob/main/CHANGELOG.md
v0.8.0 — agy 1.1.0 support + standalone rebrand
agy 1.1.0 support — direct stdout capture + standalone rebrand
Headline: the plugin now reads agy's stdout directly. agy 1.0.15 fixed issue #76 (non-TTY --print output was silently discarded on Windows), so the transcript-capture workaround is now just a fallback for older agy. Validated live on agy 1.1.0 (Windows).
Changed
- Direct stdout capture across all three entry points — the Bash wrapper (
_agy_capture), the Node companion (runReviewViaTranscript), and the native PowerShell script (Invoke-AgyCapture). No Node needed on the happy path for/agy:ask; the on-disk transcript read is kept only as a fallback foragy < 1.0.15. - Repositioned as a standalone project — README rebuilt (hero, badges, Why / Tested / Credits),
NOTICEand the package / marketplace / plugin descriptions reworded from "fork of…" to a gracious attribution to the upstream starting point. Landing + install URLs repointed tolimeflash.
Unchanged (by design)
- Read-only guarantee.
/agy:ask,/agy:review,/agy:adversarial-reviewstill runagyfrom a throwaway temp dir, so it has no path into your repo. agy 1.1.0's new--mode planwas evaluated and does not make a headless--printrun read-only (it still executes write tools), so the temp-dir model remains what enforces read-only. /agy:rescuekeeps--dangerously-skip-permissionsfor its delegated coding task, guarded by the clean-tree check, post-run diff, and--isolateworktree mode.
245 tests + bats/shellcheck; CI green on Node 18 / 20 / 22 (Ubuntu + macOS).
Full changelog: https://github.com/limeflash/antigravity-plugin-cc/blob/main/CHANGELOG.md
v0.7.2 — security hardening (SSRF/UNC/TOCTOU/prompt-injection/PS quoting)
v0.7.2 — security hardening of the read-only commands
Found by dogfooding /agy:adversarial-review on the 0.7.x code (the plugin reviewing its own new security code — verdict: RETHINK). All five findings fixed:
- SSRF bypasses via IPv6 encodings (
::ffff:7f00:1,::127.0.0.1, hex v4-mapped) and DNS tricks (127.0.0.1.nip.io) are now blocked; public hosts still pass. - Windows UNC/device paths (
\localhost\c$\…\.ssh\…) are rejected by the doc-to-md path guard. - TOCTOU symlink swap on staging closed — doc-to-md stages via one Node step (
lstat→ reject symlink → copy), not a shellcp. - Prompt injection via filename closed — the staged file gets a fixed name (
document.<ext>); the original filename never reaches the prompt. - PowerShell argument splitting fixed —
agy-run.ps1launches Node viaSystem.Diagnostics.Processwith proper quoting, so paths with spaces work.
Defense in depth: agy's env is stripped of CLAUDE_PROJECT_DIR / GIT_* for the read-only commands. 245 unit tests (8 new).
Please update to 0.7.2 if you use /agy:scrape or /agy:doc-to-md.
v0.7.1 — Windows PowerShell entry + cleaner output
v0.7.1 — Windows PowerShell entry + cleaner output
Added
-
Native Windows PowerShell entry (
scripts/agy-run.ps1) for the read-only commands —ask,scrape,doc-to-md— so Windows users without git-bash can use them. Same read-only model (agy runs from a throwaway temp dir), reusinglib/transcript.mjs(capture) andlib/inputguard.mjs(SSRF/path deny-lists); native Windows paths, no cygpath. Validated live on Windows PowerShell 5.1.powershell -ExecutionPolicy Bypass -File "<plugin>\scripts\agy-run.ps1" scrape "https://example.com"
Fixed
- Cleaner output. The transcript extractor now skips agy's intermediate narration (
PLANNER_RESPONSElines that carry atool_call, e.g. "I will read the file…") and keeps only the final answer./agy:scrapeand/agy:doc-to-mdnow return just the Markdown;/agy:reviewdrops the "I will start by reviewing…" preamble. Surfaced by dogfooding the new PowerShelldoc-to-md.
237 unit tests + CI.
v0.7.0 — read-only /agy:scrape + /agy:doc-to-md (SSRF + path deny-lists)
v0.7.0 — Phase 3: read-only /agy:scrape + /agy:doc-to-md
Two new read-only commands. Both run agy from a throwaway temp dir (so they can't touch your repo) and validate their input before agy is invoked.
/agy:scrape <url>
Fetch a web page and return its main content as Markdown. The URL is SSRF-guarded: http/https only, and localhost / private (10., 172.16–31., 192.168., 100.64.) / link-local (169.254., incl. cloud metadata) / IPv6 loopback+ULA / integer+hex IP forms are blocked. (Best-effort — no DNS resolution, so don't scrape untrusted URLs.)
/agy:doc-to-md <path>
Convert a local document (PDF, DOCX, HTML, …) to Markdown. The path is validated: allow-listed document extensions only (so .env / .pem / .key / extension-less secrets are refused), a real regular file, ≤ 10 MB, symlinks resolved, and not under a sensitive dir (~/.ssh, ~/.aws, ~/.gemini, /etc, …). The file is staged into the temp dir so agy sees only it.
Under the hood
- New
lib/inputguard.mjs(URL + path deny-lists) with 18 unit tests + bats refusal tests — 236 tests total. - agy auto-runs its read tools in
--printmode, soread_url_content/view_filework with no--dangerously-skip-permissions. - Validated live on real agy 1.0.3.
See CHANGELOG · SECURITY.md
v0.6.2 — security fix: read-only commands run outside your repo
v0.6.2 — security fix: read-only commands no longer touch your repo
Important fix. agy --print executes write tools even without --dangerously-skip-permissions (a non-TTY prompt is auto-proceeded). In ≤0.6.1 the bash /agy:ask and the simple /agy:review ran agy with cwd = your repo — so agy could edit files there. The "no auto-approve ⇒ read-only" assumption was wrong. Caught by dogfooding /agy:ask on a real project.
Fix: /agy:ask, simple /agy:review, and /agy:image now run agy from a throwaway temp dir — your repo is never agy's cwd, in --add-dir, its path, or env, so it has no path to write there. Verified: explicitly asking /agy:ask to edit a repo file now leaves the working tree clean, and output capture still works.
Scope: the Node /agy:review --base and /agy:adversarial-review paths were never affected (they already run in a staging temp dir). /agy:rescue writes to the repo by design (guarded by clean-tree / --isolate).
Added tests/read_only_cwd.bats; SECURITY.md + README corrected. Please update to 0.6.2.
v0.6.1 — secret-scanner hardening + cross-platform validation
v0.6.1 — secret-scanner hardening + full cross-platform validation
Follow-up to v0.6.0 after validating end-to-end on Windows, WSL2, and macOS (real agy 1.0.3) and running an adversarial security pass on the Mac. Structural defenses held; three real secret-scanner coverage gaps are now closed.
Secret scanner
github_pat_fine-grained PATs are now caught on the Bash path too (Node↔Bash parity restored).- The full content of changed files (shipped to Gemini as review context) is now scanned — previously only the diff's added lines were, so a secret on an unchanged line could leak. It now aborts (exit 65) before any agy/network call.
- Modern keys
sk-ant-…(Anthropic) andsk-proj-…(OpenAI project) are now detected (the oldsk-<alnum>pattern missed the dashes).
Defense in depth
--dangerously-skip-permissionsis gated on the write-capable command (rescue) explicitly..agy-plugin/is auto-added to the workspace's local.git/info/exclude(keeps yourgit statusclean; never touches your tracked.gitignore).
Validation
- macOS 26.5 on real agy 1.0.3:
/agy:ask,/agy:review,/agy:adversarial-reviewall pass from symlinked/var/folders/…paths. 218 unit tests + CI (shellcheck, bats, vitest on Node 18/20/22).
Full notes: CHANGELOG · SECURITY.md
v0.6.0 — read-only commands drop --dangerously-skip-permissions
v0.6.0 — read-only commands no longer auto-approve
/agy:ask, /agy:review, /agy:adversarial-review now run with NO --dangerously-skip-permissions.
agy persists its own conversation transcript to disk on every --print run — with no tool permission and no auto-approve — so the read-only commands run agy read-only under --sandbox and read the answer back from that transcript, instead of the old write_file + auto-approve workaround. agy's read-only tools (list_dir/view_file) run without approval; it never gets write access or the repo.
/agy:rescue and /agy:image keep the scoped write_file path (they legitimately write); rescue's clean-tree / --isolate guards are unchanged.
Highlights
- New
lib/transcript.mjs(+18 unit tests, 210 total). The store dir is self-located from agy's own log line (CLI app data directory:), so the transcript path is correct on Windows / macOS / Linux / WSL by construction. .gitattributesforceseol=lffor scripts — CRLF line endings broke real bash under WSL ($'\r': command not found).- Validated end-to-end on Windows (git-bash) and WSL2 Ubuntu 24.04 with real agy 1.0.3 — read-only,
--sandbox, no auto-approve; the review caught both planted bugs.
Full notes: CHANGELOG · SECURITY.md
v0.5.9 — Design A+ hardening (bg-leak, cancel race, path traversal)
Fixes from a fifth dogfood round (adversarial self-review of the 0.5.8 Design A+ staging code):
- Background review temp-dir leak — the detached worker now always removes its stage dir after reading the response (was leaking one dir per background review).
- Cancel status race —
runJobWorkerno longer overwrites acanceledstatus back tofailedwhen the worker dies just after/agy:cancel. - Stage-dir path traversal —
stageReviewMaterialsrejects absolute /..-escaping changed-file paths (EINVAL on Windows, or writes outside the stage) and verifies the destination stays underfiles/.
Accepted/documented: changed-files-only context (worktree-for-read reintroduces the .git leak we rejected), orphaned child + no-commits edge.
188 unit tests, CI green. /plugin update agy.
v0.5.8 — Design A+ staged review (no size ceiling, full context)
Reviews no longer have a command-line size ceiling, and agy gets the full content of changed files regardless of size — fixing both the ENAMETOOLONG crash on large diffs and the context-blind false positives on large files.
What changed
agy --print takes the whole prompt as one command-line argument, so a big review (expanded diff + embedded files) blew past the OS limit (~32 KB on Windows) and crashed — or got truncated. Design A+ fixes this by staging the review materials to disk:
- the full diff →
<temp>/diff.patch - full current content of changed files →
<temp>/files/<relpath>(≤2 MB each; symlinks, binaries, and out-of-repo paths skipped) - the argv prompt only points at them, so it stays tiny
agy reads the staged copies from disk. No ENAMETOOLONG, no truncation, full context on any size. The real repo is never placed in --add-dir, and agy runs with its working directory set to the stage dir — so it has no handle to your repository.
Verified live against real agy 1.0.3: a 305-line file with a change ~300 lines away from a definition — agy read the full staged file, confirmed the definition, and reported no false positive (the exact context-blind FP from earlier rounds).
Read-only posture (honest tiers)
Getting output from agy 1.0.3 headless requires --dangerously-skip-permissions (issue #76). For the read-only review commands we scope it tightly and document the real guarantee:
- macOS / Linux / WSL: OS-enforced —
agy --sandboxconfines writes to the (temp) workspace. - Native Windows: very strong practical — the repo is never exposed by path/env/cwd — but not OS-hard (no lightweight no-admin Windows sandbox exists;
icacls/attribare reversible theater and were deliberately not used). For an OS-hard guarantee on Windows, run under WSL.
See SECURITY.md for the full analysis (pressure-tested with agy itself).
Notes
- The Bash
/agy:review(no-flag working-tree path) still embeds + byte-caps; use the companion path (--base, or any flag) for large reviews. - 186 unit tests, CI green. Update with
/plugin update agy.