Skip to content

v0.6.2 — security fix: read-only commands run outside your repo

Choose a tag to compare

@limeflash limeflash released this 10 Jul 14:02

v0.6.2 — security fix: read-only commands no longer touch your repo

Important fix. agy --print executes write tools even without --dangerously-skip-permissions (a non-TTY prompt is auto-proceeded). In ≤0.6.1 the bash /agy:ask and the simple /agy:review ran agy with cwd = your repo — so agy could edit files there. The "no auto-approve ⇒ read-only" assumption was wrong. Caught by dogfooding /agy:ask on a real project.

Fix: /agy:ask, simple /agy:review, and /agy:image now run agy from a throwaway temp dir — your repo is never agy's cwd, in --add-dir, its path, or env, so it has no path to write there. Verified: explicitly asking /agy:ask to edit a repo file now leaves the working tree clean, and output capture still works.

Scope: the Node /agy:review --base and /agy:adversarial-review paths were never affected (they already run in a staging temp dir). /agy:rescue writes to the repo by design (guarded by clean-tree / --isolate).

Added tests/read_only_cwd.bats; SECURITY.md + README corrected. Please update to 0.6.2.