Release v2026.7.12
Release-safety upgrade: non-destructive CLI updates, rollback support, mandatory CI, dependency review, hardened deployment, and npm Trusted Publishing. Also ships a full marketing landing page and web UI redesign.
Added
- Managed-tree manifest with SHA-256 baselines for files installed by AG Kit.
- Merge-aware CLI updates that preserve user-owned files and local modifications.
- Three-way conflict detection with incoming copies and machine-readable update reports.
- Automatic pre-update backups and the new
ag-kit rollbackcommand. - Pull-request CI for toolkit validation, CLI tests/package checks, web lint/typecheck/build, and production dependency audits.
- Dependency Review and Dependabot configuration for CLI, web, and GitHub Actions.
- Docker build cache, SBOM generation, and provenance metadata in the deployment workflow.
- Baseline web security headers for CSP frame protection, HSTS, referrer policy, permissions policy, and MIME sniffing protection.
- Marketing landing page at
/adapted from shadcn-landing-page: hero, stack marquee, benefits, features, workflows, testimonials, sponsored, contribute, FAQ, and footer. - Web design source of truth in
web/DESIGN.mdwith semantic tokens (zinc neutrals, teal brand accent, code surfaces) for light/dark consistency. - Landing i18n (en / vi / zh / ja) with a language switcher on the landing header.
- Sponsored section featuring Unikorn and become-a-sponsor CTAs.
- Contribute section that loads live GitHub contributors (avatar, login, commit count).
- Live GitHub star count on the hero CTA, with a shared 60s cache and compact labels (for example
7.8k). - X profile link (
@vudovn354) on the landing header next to GitHub.
Changed
ag-kit initnow safely merges into an existing.agentstree by default instead of deleting it.ag-kit updatedefaults to--strategy merge; destructive replacement requires explicit--strategy replace.- npm publishing now uses OIDC Trusted Publishing and verifies that the Git tag matches the package version.
- Release workflows use least-privilege permissions, protected environments, timeouts, concurrency controls, and immutable action SHAs.
- Documentation now consistently uses
.agentsand reports the current 47-skill inventory. - Web builds now use the stable webpack path and system font stacks for deterministic, offline-friendly production builds.
- Upgraded
gigetto 3.3.0 and Next.js/MDX/ESLint integration to 16.2.10; pinned patched PostCSS transitively. - Replaced the minimal home page (logo and two buttons) with a full product marketing experience.
- Docs and marketing UI now share semantic color tokens (
background,foreground,muted,border,brand) instead of mixed zinc/black hardcodes; a single teal brand-mark replaces multi-color highlights. - Testimonials use a masonry columns layout with a bottom fade gradient.
- Feature cards use a stable centered layout instead of the broken CardHeader grid.
- Web copy positions AG Kit for Gemini CLI and Google Antigravity only.
Removed
- Minimal home layout.
- Platinum-sponsor badge chip on the Unikorn card.
- Landing community-join block.
- Star-count badges on docs and landing headers (star count remains on the hero CTA only).
Fixed
- Prevented upgrades from silently deleting project memory, overrides, custom skills, and locally modified toolkit files.
- Included CLI runtime library files in the published npm package.
- Updated the security scanner to recognize nested TypeScript Next.js security-header configuration.
- Corrected GEO route discovery to follow localized MDX/content modules without treating layouts or components as pages.
- Corrected React performance scanning to ignore generated
.nextoutput and unrelated repository files. - Removed all web lint warnings and made CI fail on future warnings.
- Added regression coverage for GEO route resolution and generated-output exclusion.