v0.7.1

@yzhao062 yzhao062 released this 22 May 01:20
· 20 commits to main since this release

Tool-agnostic approval guard (Bash + PowerShell)

The PreToolUse guard.py now classifies risk for both the Bash and PowerShell tools, so the approval prompt fires only for the dangerous set (destructive git, gh publish/release, package publish, file/device destruction) and routine PowerShell no longer prompts once PowerShell(*) is allowed. This patch also ships the OIDC auto-publish workflow that landed after the v0.7.0 tag.

Highlights

  • PowerShell(*) allow-list + tool-agnostic classifier: one classifier runs for both shells, keying on the exact leading token of each sub-command (never a substring scan, so a quoted string such as echo "rm -rf" stays safe). It strips transparent prefix runners (sudo, doas, env, command, nohup, setsid, inline VAR=VALUE) and sees through command-carrying wrappers (ssh, bash/sh/zsh -c, docker exec/run, pwsh/powershell -Command, Windows cmd /c and /k, timeout, xargs) up to MAX_WRAPPER_DEPTH.
  • New mandatory ask classes: package publish (npm/pnpm/yarn publish, twine upload, python -m twine upload, including versioned interpreters), gh release create/delete/upload/edit, and recursive PowerShell Remove-Item deletes (including the aliases rm/del/rd/rmdir). git checkout -- joins the destructive-git set.
  • Non-bypassable: the mandatory ask set has no env-var escape hatch; encoded PowerShell (-EncodedCommand) fails closed to ask; python -c, the low-frequency prefixes nice/ionice/stdbuf/time, and custom or private wrappers remain opaque and are documented non-goals.
  • OIDC auto-publish workflow: .github/workflows/publish.yml uploads to PyPI and npm via OIDC Trusted Publishing on the release: published event, dropping long-lived tokens from the happy path.
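
The classifier shape described in the highlights (leading-token keying, prefix-runner stripping, wrapper unwrapping with a depth cap, fail-closed handling of encoded PowerShell) can be illustrated with a small Python model. The block below is an added example written for these notes; it is not the project's guard.py and does not reproduce its rule tables. It assumes a value of 3 for MAX_WRAPPER_DEPTH, an assumed destructive-git set (push --force, reset --hard, checkout --, clean -f), and it leaves xargs, nice/ionice/stdbuf/time, python -c and runner options such as sudo -u unmodelled: the last of these fails closed to ask rather than being guessed at.

```python
"""Simplified, tool-agnostic approval-guard classifier (illustrative; not the project's guard.py)."""
import re
import shlex

MAX_WRAPPER_DEPTH = 3  # assumed value; the release notes only name the constant
PREFIX_RUNNERS = {"sudo", "doas", "env", "command", "nohup", "setsid"}
DESTRUCTIVE_GIT = {"push": {"-f", "--force", "--force-with-lease"}, "reset": {"--hard"},
                   "checkout": {"--"}, "clean": {"-f", "-fd", "-fdx", "-xdf", "--force"}}
CARRIER_FLAGS = {"bash": ("-c",), "sh": ("-c",), "zsh": ("-c",), "cmd": ("/c", "/k"),
                 "pwsh": ("-command", "-c"), "powershell": ("-command", "-c")}
ENCODED_FLAGS = ("-encodedcommand", "-enc", "-ec", "-e")
DOCKER_ARG_OPTS = {"-e", "--env", "--name", "-v", "--volume", "-w", "--workdir", "-u", "--user", "--network"}
SSH_ARG_OPTS = {"-p", "-i", "-l", "-o", "-J", "-F"}

def tokenize(cmd):
    """shlex with punctuation_chars: '&&' / '|' / ';' split out, quoted strings stay one token."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)

def subcommands(tokens):
    """Split the token stream on separators and subshell parens into argv lists."""
    groups = [[]]
    for t in tokens:
        if t and set(t) <= set("|&;()"):
            groups.append([])
        else:
            groups[-1].append(t)
    return [g for g in groups if g]

def strip_prefixes(argv):
    """Drop transparent runners and VAR=VALUE; a runner with its own options (sudo -u ...) fails closed."""
    while argv and (argv[0] in PREFIX_RUNNERS or re.match(r"[A-Za-z_]\w*=", argv[0])):
        if argv[0] in PREFIX_RUNNERS and len(argv) > 1 and argv[1].startswith("-"):
            return None  # runner options are not modelled here: treat the command as opaque
        argv = argv[1:]
    return argv

def skip_opts(argv, arg_opts=frozenset()):
    """Skip leading option tokens; options listed in arg_opts also consume one argument."""
    i = 0
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in arg_opts else 1
    return argv[i:]

def unwrap(argv):
    """Inner command string of a wrapper, "ENCODED" for -EncodedCommand, None if not a wrapper."""
    head, rest = argv[0].lower().removesuffix(".exe"), argv[1:]
    if head in CARRIER_FLAGS:
        if head in ("pwsh", "powershell") and any(t.lower() in ENCODED_FLAGS for t in rest):
            return "ENCODED"
        for i, t in enumerate(rest):
            if t.lower() in CARRIER_FLAGS[head]:
                return " ".join(rest[i + 1:])
        return None  # e.g. "bash deploy.sh": a shell binary, but no inline command to inspect
    if head == "ssh":
        return " ".join(skip_opts(rest, SSH_ARG_OPTS)[1:])          # drop the host
    if head == "docker" and rest[:1] in (["exec"], ["run"]):
        return " ".join(skip_opts(rest[1:], DOCKER_ARG_OPTS)[1:])   # drop container/image
    if head == "timeout":
        return " ".join(skip_opts(rest)[1:])                         # drop the duration
    return None

def classify_argv(argv):
    """Exact-leading-token rules; the delete regex covers -r combos (<=3 letters), --recursive, -Rec[urse]."""
    head, rest = (argv or [""])[0].lower(), argv[1:]
    sub, flags = (rest[0] if rest else ""), [t for t in rest if t.startswith("-")]
    if head == "git" and DESTRUCTIVE_GIT.get(sub, set()) & set(rest):
        return "ask", "destructive git: git " + sub
    if head == "gh" and sub == "release" and rest[1:2] in (["create"], ["delete"], ["upload"], ["edit"]):
        return "ask", "gh release " + rest[1]
    if head in ("npm", "pnpm", "yarn") and "publish" in rest[:2]:
        return "ask", head + " publish"
    if (head == "twine" and sub == "upload"
            or re.fullmatch(r"python[\d.]*", head) and rest[:3] == ["-m", "twine", "upload"]):
        return "ask", "package publish via twine"
    if head in ("rm", "del", "rd", "rmdir", "remove-item") and any(
            re.fullmatch(r"--recursive|-rec[a-z]*|-(?=[a-z]{1,3}$)[a-z]*r[a-z]*", f.lower()) for f in flags):
        return "ask", "recursive delete: " + argv[0]
    return "allow", None

def classify_command(cmd, depth=0):
    """Classify one Bash or PowerShell command line as ("ask", reason) or ("allow", None)."""
    if depth > MAX_WRAPPER_DEPTH:
        return "ask", "wrapper nesting deeper than MAX_WRAPPER_DEPTH"
    try:
        parts = subcommands(tokenize(cmd))
    except ValueError:  # unbalanced quotes: fail closed rather than guess
        return "ask", "unparseable command line"
    for argv in map(strip_prefixes, parts):
        if argv is None:
            return "ask", "prefix runner with options (opaque, fails closed)"
        inner = unwrap(argv) if argv else None
        if inner == "ENCODED":
            return "ask", "encoded PowerShell command (fails closed)"
        verdict = classify_command(inner, depth + 1) if inner is not None else classify_argv(argv)
        if verdict[0] == "ask":
            return verdict
    return "allow", None
```

The two points worth noticing are structural. First, tokenising with shlex before looking at anything means a quoted "rm -rf" is a single argument of echo and never becomes a leading token, which is what makes the classifier immune to the substring false positives a regex over the raw line would produce. Second, every case the model cannot parse or see through (unbalanced quotes, an encoded PowerShell payload, a runner carrying options, nesting past the depth cap) resolves to ask rather than allow, so the unmodelled corners cost a prompt rather than a silent bypass.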

290 guard tests pass on Windows and ARM64 Linux. Cross-repo STRICT byte-parity with the private agent-config source repo is verified.

Full changelog: v0.7.0...v0.7.1