Skip to content

v1.3.1

Choose a tag to compare

View all tags
@strifero strifero released this 11 Jun 01:17
· 2 commits to main since this release
v1.3.1
6803791

Hardening release: every finding from a full project audit, fixed. No new features, no output changes for normal projects (all 294 snapshots byte-identical).

Behavior change worth knowing

Existing files are never overwritten without --force. Previously, --tool agents (and cursor, copilot, windsurf, etc.) silently replaced an existing hand-written file, and --tool all bypassed the .claude/ protection entirely. Now every target skips files that already exist and lists them with a --force hint. --update remains the edit-preserving path for .claude/.

Fixed

Data loss

  • --update no longer deletes user-authored skills/agents that follow the standard skills/<name>/SKILL.md / agents/<name>.md layout — removal is restricted to paths ContextEngine itself can generate
  • --tool all no longer clobbers an edited .claude/CLAUDE.md or skill files
  • --update now preserves preamble edits, handles CRLF files, ignores ## lines inside code fences, and never duplicates the footer

Security

  • Strings read from the scanned repo (package name, script bodies, dependency versions) are sanitized before being embedded in AGENTS.md-family output — a malicious repo can no longer inject instructions into generated agent files
  • File reads capped at 5 MB; tsconfig extends resolution bounded to the project root
  • CI workflow runs with least-privilege token permissions

Detection correctness

  • tsconfig files with trailing commas now parse (strict-mode detection no longer silently fails)
  • extends merging fixed for array extends and diamond chains — a parent that doesn't mention strict can no longer wipe it
  • --no-agents actually skips all agents (the code-reviewer agent was always emitted)
  • workspace:*, latest, file: version specifiers render cleanly instead of leaking into the Stack section
  • Malformed package.json now produces a visible warning instead of a silent empty detection

CLI

  • Strict argument parsing: typo'd flags (--updat) and missing values (-d with no path) exit with a clean error instead of being silently ignored or stack-tracing
  • Importing the package as a module no longer executes the CLI (main removed)

Tests

  • New unit suite covering --update safety, overwrite guards, injection hardening, tsconfig edge cases, and the CLI layer (tests/unit.mjs, runs in npm test and before every publish)
  • Snapshot runner now fails on missing snapshots instead of silently passing

Full changelog: v1.3.0...v1.3.1

Assets 2
Loading