AutoVaultv0.2.0
Markdown
Launch free
Changelog

Every skill leaves a trail.

A permanent, signed record of what changed in AutoVault — and a model for how we'd like the rest of the skill ecosystem to look. Every release is signed; every signature is verifiable.

3 of 3 releases
May 2026
in progress
Unreleasedpreviewsecurity“Bootstrap”

Bundled skills, local installers, and remote polish

The current source branch documents the post-0.2 work: bundled skills, bootstrap installs, add-local, vendor installer routing, remote Streamable HTTP MCP with OAuth, resource reads, transforms, and drift checks.

Added
  • Bundled skills: autovault-skill, commit-message, and skill-author
  • scripts/bootstrap-skills.mjs seeds bundled skills through the real install_skill validation path
  • autovault add-local installs local skill bundles from third-party installers with local provenance
  • AUTOVAULT_SKILL_INSTALL controls AutoVault-first, native-first, both, native-only, and off routing
  • Remote Streamable HTTP MCP at /mcp with OAuth discovery, login, token issuance, and role-aware skill visibility
Changed
  • Profile sync materializes transform overlays into rendered per-agent directories before linking native roots
  • README and INSTALL now document Claude Code, Cursor, Codex, Docker, Railway, and remote MCP setup
Security
  • Expanded capability-declaration cross-checks and denylist coverage; Ed25519 sidecars are written for installed skills
main @jack4 contributors
Apr 19, 2026
2 weeks ago
0.2.0minorsecurity

Focused TypeScript MCP server

First implementation release of the local stdio MCP server, filesystem skill storage, source adapters, validation, provenance sidecars, resource reads, and update checks.

Added
  • MCP tools for list_skills, search_skills, get_skill, propose_skill, install_skill, read_skill_resource, and check_updates
  • Filesystem-backed skill storage with .autovault-source.json provenance sidecars
  • GitHub, agentskills, and HTTPS source adapters
  • Validation pipeline with frontmatter repair, schema checks, denylist scanning, and duplicate detection
Changed
  • Replaced the previous skill-manager / skill-importer scaffold with a focused TypeScript MCP server
  • Standardized on a stdio-first local deployment story
Security
  • Tool boundaries validate skill names to block traversal attempts
  • propose_skill pre-validates resource paths before writes
  • Invalid config values fail fast at startup
0.2.0 @jack4 contributors
early 2026
prototype
0.1.0preview

Initial vault prototype

Initial local vault prototype, profile-rendering experiment, and compatibility planning around the SKILL.md format.

Added
  • Canonical skill storage
  • Profile render directories
  • First bridge skill experiment
09ac21d @jack2 contributors