0.4.0minor“Review”
Setup review, public output, and community skills
The current source release improves install and setup review UX, adds community skill examples, smooths local imports, standardizes public CLI output, and retries Dependabot automerge after CI.
Added
- Install and setup review flows now give operators clearer choices before adopting local skill bundles
- Curated community skill examples are available as vaulted skill bundles
Fixed
- Local add imports are smoother for local bundles and native skill roots
- Public CLI output is standardized so automation can rely on cleaner stdout/stderr behavior
- Dependabot automerge retries after CI and Node typings stay aligned with the runtime policy
0.3.0minorsecurity“Cleanup”
Skill removal, profile filters, and installer polish
Adds vaulted skill removal, doctor repair, tag-filtered profiles, migration hardening, and smoother setup/serve UX.
Added
- autovault remove deletes vaulted skills, vault-local transforms, and AutoVault-managed profile symlinks with default native profile discovery
- autovault doctor --repair can re-sign unsigned local skills while refusing tampered metadata and remote sources
- Tag-filtered project profiles can narrow generated profile symlinks by local policy
Fixed
- Installer TTY, Node version, and setup wizard friction are smoothed for agent-mediated installs
- Onboarding setup and remote serve messaging now distinguish local setup from shared MCP deployment
Security
- v1 migration imports are hardened and signature warnings are deduped for clearer operator review
0.2.1patchsecurity
Bundled skills, signing, and installer UX
Patch release adding bundled skill bootstrap, expanded validation, signing sidecars, local skill installer flow, remote OAuth docs, and MIT license alignment.
Added
- Bundled skill bootstrap seeds source-tree skills through the real validation path
- Local skill imports, GitHub URL discovery, overlay transforms, and remote OAuth HTTP MCP docs expand the skill workflow
- Setup wizard and GHCR release publishing improve agent-mediated installs and deployment verification
Fixed
- Update checks, bundle ergonomics, local installer friction, Node engine alignment, and vault integrity diagnostics were tightened
Security
- Capability gates, signing sidecars, hardened skill bundles, and bin action checks make admission review more explicit
0.2.0minorsecurity
Focused TypeScript MCP server
First implementation release of the local stdio MCP server, filesystem skill storage, source adapters, validation, provenance sidecars, resource reads, and update checks.
Added
- MCP tools for list_skills, search_skills, get_skill, propose_skill, install_skill, read_skill_resource, and check_updates
- Filesystem-backed skill storage with .autovault-source.json provenance sidecars
- GitHub, agentskills, and HTTPS source adapters
- Validation pipeline with frontmatter repair, schema checks, denylist scanning, and duplicate detection
Changed
- Replaced the previous skill-manager / skill-importer scaffold with a focused TypeScript MCP server
- Standardized on a stdio-first local deployment story
Security
- Tool boundaries validate skill names to block traversal attempts
- propose_skill pre-validates resource paths before writes
- Invalid config values fail fast at startup
0.1.0preview
Initial vault prototype
Initial local vault prototype, profile-rendering experiment, and compatibility planning around the SKILL.md format.
Added
- Canonical skill storage
- Profile render directories
- First bridge skill experiment