Releases: opena2a-org/hackmyagent
Release list
v0.25.0
Detection-gap release: findings that fired internally in 0.24.0 but never reached users now surface in output, score, and exit code.
Fixed detection gaps
- CRED-002 / PERM-001 now reach the user (#250). Both fired internally but never set a file, so the concrete-findings filter dropped them from output, score, and exit code — an un-ignored private key produced no visible >=HIGH signal on 0.24.0. CRED-002 now attributes the first key file with a runnable remediation and scans recursively (never a false clean bill); PERM-001 attributes the first offending file.
- GIT-001/002/003 severity is existence-aware, backed by
git check-ignore(#250). A missing/incomplete.gitignoreis a LOW advisory when nothing committable matches, and HIGH naming the actual files when a genuinely un-ignored secret exists — removing the inversion where a partial.gitignorescored worse than none. Committability honors negations, root-anchoring, dir-only rules, and nested ignores. - CRED-001 now scans
secrets.json/credentials.json(#250). scan-soulcan no longer be satisfied by the vocabulary of an attack, andcheckno longer flags prose-hardened SOULs (#251). Direction-aware control matching + six first-class governance-violation classes (override-compliance mandate, deception mandate, oversight disclaimer, exfiltration channel, persistence installation, identity-by-claim) render as HIGH file:line blocks, clamp the score, and fail--ci. Corpus soul tiers now order correctly: benign 19 (0 violations) > buggy 7 > malicious 4 (9 violations).- Security-taxonomy / coverage documents no longer false-positive as credential access (AST-CRED-002/003, #256).
git check-ignore/git ls-filesstdin EPIPE can no longer crash a scan (#264). An async pipe error when git exits early is now handled at both spawn sites; committability still resolves conservatively (fail-safe: over-report as committable, never mark a secret ignored).
Security
- Pinned
@opena2a/aim-sdkto 1.0.2 (moves transitive@opena2a/atx-verify0.2.0 -> 0.3.0), closing the post-signingdeclaredPurposetamper gap that 0.24.0 shipped in its arp re-export path.
Supply chain
Published via npm Trusted Publishing (GitHub Actions OIDC, no long-lived token). SLSA v1 provenance attached.
Verify:
npm view hackmyagent@0.25.0 dist.attestations --json(non-empty, predicateType slsa.dev/provenance/v1)npm audit signaturesafternpm install hackmyagent@0.25.0
v0.24.0
hackmyagent 0.24.0 ships the ARP runtime cutover: the runtime-protection engine now lives in @opena2a/aim-sdk, and hackmyagent/arp is a thin re-export of @opena2a/aim-sdk/arp (pinned 1.0.1). Every existing hackmyagent/arp consumer — including arp-guard and the arp CLI — keeps working unchanged (verified from both CommonJS and ESM on the published artifact).
Highlights
- ARP shim (#249):
src/arpre-exports@opena2a/aim-sdk/arp; the scan-time surface (static scanner, hardening rules, artifact parsing, NanoMind artifact classification) stays in hackmyagent. The OASB behavioral suite exercises the SDK module through the re-export as a drift guard. @opena2a/aim-sdkpinned to 1.0.1: typedConfigurationError,EventEngine.emitinput validation, CJS error-classconstructor.name,./package.jsonexport.- Security: bumped
hono(path-traversal, CORS wildcard-with-credentials, body-limit bypass GHSA cluster) andjs-yaml(merge-key quadratic DoS, GHSA-h67p-54hq-rp68) via in-rangenpm audit fix. Productionnpm auditis clean. detecthelp now states machine-wide discovery always runs (#245).
Scanner behavior is unchanged from 0.23.11.
Known pre-existing scanner follow-ups (tracked, not regressions)
- #250 — GIT-002 .gitignore severity inversion (partial .gitignore scores HIGH while missing scores LOW); needs the existence-aware design.
- #251 — scan-soul cannot evaluate prose-hardened SOULs; check emits a false HIGH on the same artifact.
- #252 — raw classifier intent label surfaced on benign artifacts in the Observations line.
Provenance
Published to the npm registry via GitHub Actions OIDC trusted publishing with SLSA v1 provenance. Verify: npm view hackmyagent@0.24.0 dist.attestations --json
What's Changed
- docs(detect): clarify machine-wide discovery always runs by @thebenignhacker in #245
- feat(arp): structural signature telemetry producer (default-on, opt-out) by @thebenignhacker in #246
- feat(arp): G6 — wire opt-out to registry right-to-delete purge by @thebenignhacker in #247
- Add
arp telemetry registersensor enrollment by @thebenignhacker in #248 - refactor(arp): make ./arp a thin re-export of @opena2a/aim-sdk/arp by @thebenignhacker in #249
Full Changelog: v0.23.11...v0.24.0
v0.23.11
Highlights
GIT-003(.env Not Ignored) is now content-aware (#242). A secret-less.env(e.g.PORT=3000) isHIGHpreventive hygiene instead ofCRITICAL"contains API keys"; an.envholding a real secret staysCRITICAL. Two-tier secret detection (vendor keys / JWT /user:pass@hostURLs key-independent; opaque values gated by a credential-shaped key) so neither key-rename evasion nor${VAR}-interpolated DSNs miscalibrate the severity.MEM-006(Memory store without input sanitization) no longer false-positives on local render arrays (#244).lines.push({ text })/out.push({ text })are no longer flagged as memory stores; thepushverb now requires a persistence-semantic receiver, so realconversationMemory.push/vectorStore.pushpoisoning still fires.scan-soulverdict now distinguishes applicable controls from the full catalog and discloses skipped domains;scan-soul --explainexplains the 11–19 domain numbering.detectaccepts--contribute/--no-contribute;explain <SOUL-XX-NNN>renders the specific control; ARP runtime assembles ordered in-scope action sequences with detection-only classification.
See CHANGELOG.md for the full list.
Provenance
Published via npm Trusted Publishing (GitHub Actions OIDC) — no long-lived token. Verify the SLSA attestation:
npm view hackmyagent@0.23.11 dist.attestations --json
v0.23.10
What's Changed
- Clarify scan-soul control counts and polish governance CLI UX by @thebenignhacker in #227
- chore(cli-ui): adopt 0.5.2 — stream-split --version + remote-aware verdict by @thebenignhacker in #228
Full Changelog: v0.23.9...v0.23.10
v0.23.9
Added
- First-party scanner provenance on
--publish. WhenHMA_SCANNER_SIGNING_KEY(a dedicated Ed25519 seed, runtime-env only) is set, a published scan self-tagssource=first_party_scannerand signs the registry strong canonical (name|version|score|maxScore|source|nonce|signedAt) so the registry can authenticate the claim. End-user--publishruns (no key) publish ascommunity— the safe default. Signing fails closed (never crashes a publish). Uses the shared@opena2a/registry-clientFirstPartySigner0.2.0. AST-SCOPE-004— adversarial configuration directives. The scope analyzer now flags agent_config / mcp_config artifacts whose configuration flags are themselves the attack (self-escalation, RBAC/validation bypass, audit evasion, covert persistence, credential harvesting). Value-guarded, artifact-gated, validated against the OASB benign corpus (190 samples) with zero FPs.
Provenance
Published via npm Trusted Publishing (GitHub Actions OIDC) with SLSA v1 attestations. Verify:
```
npm view hackmyagent@0.23.9 dist.attestations --json
```
v0.23.8
What's Changed
- Rename composite assessment label to OASB Composite by @thebenignhacker in #224
Full Changelog: v0.23.7...v0.23.8
v0.23.7
What's Changed
- fix(deps): bump vitest to ^4.1.8 (GHSA-5xrq-8626-4rwp, Dependabot #37) by @thebenignhacker in #217
- ci(parity): bump SHA to pick up scan-soul-hardened clamp re-baseline (#12) by @thebenignhacker in #218
- feat(trust): add AAP --grant gate (second TS AAP consumer) by @thebenignhacker in #219
- fix(scanner): scan single-file artifact targets; gate red-team training export by @thebenignhacker in #220
- fix(secure): normalize single-file targets so they scan like a directory by @thebenignhacker in #222
- fix(check): honor --no-scan for GitHub repo targets (closes test F4) by @thebenignhacker in #221
- Renumber SOUL governance domains to 11-19 for OASB-2 alignment by @thebenignhacker in #223
Full Changelog: v0.23.6...v0.23.7
v0.23.6
hackmyagent 0.23.6
Bug-fix release. Two scanner false-positive paths resolved + adversarial-review hardening.
Fixes (PR #214)
- create-skill scaffold no longer trips its own check skill scan. Previously the scaffolded
SOUL.mdemitted HIGH findings on the same scaffold the command produced -- a dead-end for new users following the tool's own suggestions. - harden-soul + scan-soul rescan loop now produces 100/100 HARDENED on the empty-tree gold path. Previously the loop left the rescan score below the hardened threshold.
- Section-aware constraint extraction: constraints are now classified by markdown section heading (Trust Hierarchy, Capability Boundaries, Injection Hardening, Data Handling) rather than by text-regex only, so constraints declared under their domain heading count toward that domain.
Adversarial-review hardening
- SOUL-OVERRIDE-001: decoy-negation gate (e.g.
Never ... unless ...no longer satisfies the override-resistance check by accident). - AST-PROMPT-004: sibling-decoy detector tightened.
- LIFECYCLE-001: realpath dedupe (case-insensitive double-load surface).
- YAML strip on prompt-analyzer noise filter (frontmatter no longer counts as prompt text).
Trusted Publishing
This release is the first hackmyagent publish under npm Trusted Publishing (OIDC) since the workflow was upgraded. Verify provenance:
npm view hackmyagent dist.attestations --json
Expected: a predicateType of https://slsa.dev/provenance/v1.
Known follow-up
- hackmyagent#216:
scan-soul --profile <override>returns 100/100 HARDENED on the malicious-corpuskitchen-sinkfixture (user-explicit profile override bypasses the auto-detection scope clamp). Not a 0.23.6 regression. Defaultscan-soulcorrectly clamps + discloses scope.
Full Changelog: v0.23.4...v0.23.6
v0.23.4
What's Changed
- fix(scanner): suppress NEMO-009 + AST-CRED-* false positives on test files, training corpora, and integrity manifests (nanomind#26) by @thebenignhacker in #192
- chore: merge 0.23.3 release commits back to main by @thebenignhacker in #199
- fix(check): query Registry with bare PyPI name (drop pip: prefix) [0.23.4] by @thebenignhacker in #198
Full Changelog: v0.23.2...v0.23.4
v0.23.3
What's Changed
- fix(scanner): suppress NEMO-009 + AST-CRED-* false positives on test files, training corpora, and integrity manifests (nanomind#26) by @thebenignhacker in #192
Full Changelog: v0.23.2...v0.23.3