v0.6.0 — read-only commands drop --dangerously-skip-permissions
v0.6.0 — read-only commands no longer auto-approve
/agy:ask, /agy:review, /agy:adversarial-review now run with NO --dangerously-skip-permissions.
agy persists its own conversation transcript to disk on every --print run — with no tool permission and no auto-approve — so the read-only commands run agy read-only under --sandbox and read the answer back from that transcript, instead of the old write_file + auto-approve workaround. agy's read-only tools (list_dir/view_file) run without approval; it never gets write access or the repo.
/agy:rescue and /agy:image keep the scoped write_file path (they legitimately write); rescue's clean-tree / --isolate guards are unchanged.
Highlights
- New
lib/transcript.mjs(+18 unit tests, 210 total). The store dir is self-located from agy's own log line (CLI app data directory:), so the transcript path is correct on Windows / macOS / Linux / WSL by construction. .gitattributesforceseol=lffor scripts — CRLF line endings broke real bash under WSL ($'\r': command not found).- Validated end-to-end on Windows (git-bash) and WSL2 Ubuntu 24.04 with real agy 1.0.3 — read-only,
--sandbox, no auto-approve; the review caught both planted bugs.
Full notes: CHANGELOG · SECURITY.md