Skip to content

v0.7.0 — read-only /agy:scrape + /agy:doc-to-md (SSRF + path deny-lists)

Choose a tag to compare

@limeflash limeflash released this 10 Jul 14:02

v0.7.0 — Phase 3: read-only /agy:scrape + /agy:doc-to-md

Two new read-only commands. Both run agy from a throwaway temp dir (so they can't touch your repo) and validate their input before agy is invoked.

/agy:scrape <url>

Fetch a web page and return its main content as Markdown. The URL is SSRF-guarded: http/https only, and localhost / private (10., 172.16–31., 192.168., 100.64.) / link-local (169.254., incl. cloud metadata) / IPv6 loopback+ULA / integer+hex IP forms are blocked. (Best-effort — no DNS resolution, so don't scrape untrusted URLs.)

/agy:doc-to-md <path>

Convert a local document (PDF, DOCX, HTML, …) to Markdown. The path is validated: allow-listed document extensions only (so .env / .pem / .key / extension-less secrets are refused), a real regular file, ≤ 10 MB, symlinks resolved, and not under a sensitive dir (~/.ssh, ~/.aws, ~/.gemini, /etc, …). The file is staged into the temp dir so agy sees only it.

Under the hood

  • New lib/inputguard.mjs (URL + path deny-lists) with 18 unit tests + bats refusal tests — 236 tests total.
  • agy auto-runs its read tools in --print mode, so read_url_content / view_file work with no --dangerously-skip-permissions.
  • Validated live on real agy 1.0.3.

See CHANGELOG · SECURITY.md