v0.7.0 — read-only /agy:scrape + /agy:doc-to-md (SSRF + path deny-lists)
v0.7.0 — Phase 3: read-only /agy:scrape + /agy:doc-to-md
Two new read-only commands. Both run agy from a throwaway temp dir (so they can't touch your repo) and validate their input before agy is invoked.
/agy:scrape <url>
Fetch a web page and return its main content as Markdown. The URL is SSRF-guarded: http/https only, and localhost / private (10., 172.16–31., 192.168., 100.64.) / link-local (169.254., incl. cloud metadata) / IPv6 loopback+ULA / integer+hex IP forms are blocked. (Best-effort — no DNS resolution, so don't scrape untrusted URLs.)
/agy:doc-to-md <path>
Convert a local document (PDF, DOCX, HTML, …) to Markdown. The path is validated: allow-listed document extensions only (so .env / .pem / .key / extension-less secrets are refused), a real regular file, ≤ 10 MB, symlinks resolved, and not under a sensitive dir (~/.ssh, ~/.aws, ~/.gemini, /etc, …). The file is staged into the temp dir so agy sees only it.
Under the hood
- New
lib/inputguard.mjs(URL + path deny-lists) with 18 unit tests + bats refusal tests — 236 tests total. - agy auto-runs its read tools in
--printmode, soread_url_content/view_filework with no--dangerously-skip-permissions. - Validated live on real agy 1.0.3.
See CHANGELOG · SECURITY.md