0.4.1patchsecurity“Hempseed”
Source adapter timeout fix · denylist refresh
Quick patch following last week's 0.4 release. Fixes a hang in the GitHub source adapter when fetching skills from rate-limited orgs, and ships an updated denylist with three new exfiltration patterns reported by community researchers.
Fixed
- GitHub source adapter could hang for 30s on rate-limited fetches; now fails fast with a clear retry message (#412)
- Drift check on shell startup occasionally double-counted symlinked profiles on macOS
- Permissions fs_scope with relative paths now resolves against the calling agent's CWD, not the vault
Security
- Denylist update: three new exfil patterns matching data:text/plain;base64 abuse paths reported by @elvissun
0.4.0minor“Front Door”
Per-caller transformation manifest · MCP-native tool surface
The headline release. Skills now declare a transformation manifest in their frontmatter, and AutoVault renders a per-caller view at delivery time. Same skill, three rendered views; written once, no forks.
Added
- Transformation manifest in skill frontmatter maps canonical capability names to per-agent tool names
- Native MCP tools: list_skills, search_skills, get_skill, read_skill_resource, install_skill, propose_skill, check_updates
- Progressive disclosure returns metadata first, full body on demand, reducing cold-start token load
- Bridge skill autovault-skill for non-MCP agents
Changed
- Skill resolution caches rendered views per caller; first hit around 4ms, subsequent hits under 1ms
- CLI flag --agent now accepts comma-separated lists for multi-agent scoping
Removed
- Deprecated autovault sync alias removed; use autovault refresh
0.3.2patch
Dedup tuning · CI runner mode
Tuned the V1 text-similarity dedup threshold based on private beta data: too aggressive on near-paraphrases, too lenient on actual duplicates.
Added
- autovault --runner-mode for ephemeral CI environments
Fixed
- Dedup threshold tuned: 94% true-positive, 0.8% false-positive
- Sign step occasionally produced non-canonical YAML output for deeply nested transformations
0.3.0minor“Quartermaster”
Four-axis permission scoping · cloud mode preview
Every skill request now carries a four-axis context: agent, device, project, tool/user. The vault filters per-caller and opens the private preview of cloud-mode self-host.
Added
- Four-axis permission scoping
- Private preview of cloud-mode self-host
- Project-scoped profile generation
Changed
- Profile dirs are now generated from canonical vault state rather than copied skill files
0.2.0preview
Validation gate private beta
First private beta of the gate: YAML auto-repair, security denylist, capability/behavior checks, dedup, and Ed25519 signing.
Added
- Five-stage validation pipeline
- Signed vault artifact format
- GitHub and local path source adapters
0.1.0preview
Initial vault prototype
Initial local vault prototype and profile-rendering experiment.
Added
- Canonical skill storage
- Profile render directories
- First bridge skill experiment