All notable changes to AgentContextKit will be documented in this file.
This project follows Semantic Versioning where practical before 1.0.0.
- Added a dedicated pure-Markdown `README.nuget.md` package README and package metadata wiring so nuget.org does not render GitHub README HTML as raw text.
- Added agent-facing documentation for the split between GitHub `README.md` and NuGet `README.nuget.md` ownership.
- Added two new stable scanner rule IDs: `ACKIT006` `ProductionConfigLike` (High) for production configuration, environment-specific appsettings, and live-service connection strings, and `ACKIT007` `DocumentationGap` (Medium) for documentation gaps surfaced by the scanner. Existing `ACKIT001` and `ACKIT005` descriptions were narrowed to reflect the new dedicated rules.
- Added an `Ackit006Ackit007EndToEndTests` coverage class that exercises the Core `RepositoryScanner` on a synthetic `appsettings.Production.json` fixture, asserts the new `ACKIT006` ruleId flows into JSON and the redact-check filter, asserts the catalog mapping for `ACKIT007`, and asserts the SARIF rule catalog advertises the new ID.
PROJECT-CONTROL-0108 planning commit 08442c0 opens the new control after PROJECT-CONTROL-0107 closed TASK-0159 through TASK-0167 with 257/257 local tests green. The new batch targets additive generate targets for Anthropic CLI and Continue (Tier 1), a safe local `ackit hooks` command (Tier 1), read-only `ackit diff` for baselines (Tier 2), deterministic `ackit trim --max-chars` (Tier 2), a design-driven `ackit watch` mode (Tier 2), research into a conservative high-entropy scanner rule (Tier 2), and design-only `ackit mcp --stdio` (Tier 2+). No release, tag, NuGet publication, secret, or model-name disclosure is part of this batch.
PROJECT-CONTROL-0106 and the independent local product/code-quality track delivered a small, additive batch: agent rule sync (AGENTS.md, CLAUDE.md, copilot, cursor, DEVELOPMENT_STANDARD); queue and handoff consistency; scanner rule doc and SARIF/JSON/SECURITY_MODEL contract alignment with two new consistency guard tests; agent instruction surface guard test; seven candidate task records (TASK-0146 through TASK-0152) and a forward-looking roadmap note; catalog text guard; config-check diagnostics cookbook; baseline diff cookbook; SARIF rule metadata completeness guard; offline-only and accessibility guard for the HTML report; prompt pack and context export redaction guard; sample gallery coverage tests. All of these changes are local-only; the published 0.2.0-alpha.2 package, JSON schema, SARIF profile, and default CLI surface remain unchanged.
PROJECT-CONTROL-0107 planning commit c249a13 opens with the post-0158 state sync and a new local-only batch: starter brandKeywords and piiKeywords config (TASK-0156); starter safeDomains and ignoredPaths config (TASK-0157); Turkish CLI locale fallback guard (TASK-0158); commit-completeness hard rule plus a new scripts/check-tracked-vs-untracked-md.ps1 guard. Total tests are 238/238. No release, tag, or NuGet state change.
- Added least-privilege GitHub artifact provenance for exact future release nupkg assets, with idempotent digest detection and CLI verification.
- Recorded bounded author-signing and SBOM deferrals without claiming controls that are not published.
- Selected `0.2.0-alpha.3` as the smallest compatible next prerelease scope without changing package metadata or approving publication.
- Recorded an evidence-backed alpha.3 NO-GO until independent backup security ownership and recovery authority/backup evidence are complete.
- Added the published package for MCP stdio transport, `ackit.rules`, `ackit watch`, `ackit diff`, `ackit trim`, scan include/exclude filters, release-hardening scripts, and release blocker evidence cleanup accumulated after `0.2.0-alpha.2`.
- Published `AgentContextKit` `0.2.0-alpha.3` to NuGet through the OIDC release workflow sequence.
- Created exact tag `v0.2.0-alpha.3` and GitHub prerelease targeting `92984c6448332aa24b7cff94647f627bf944e535`.
- Verified global tool install from NuGet; `ackit version` reports `AgentContextKit 0.2.0-alpha.3`.
- Recorded refreshed hosted RC evidence run `27870246504` and immutable release verification run `27870813763`.
- Known follow-up: harden the release workflow provenance probe before the next publish so missing attestation state does not fail before attestation can run.
- Added a dependency-free local Markdown-link gate with positive/negative smoke coverage and release-gate integration.
- Added manual exact-commit GitHub release automation with NuGet OIDC Trusted Publishing, scoped permissions, idempotent recovery, package inspection, and installed-tool smoke verification.
- Added table-driven scanner regression fixtures for secret, artifact, local-path, PII/brand noise, stable rule IDs, and Critical suppression boundaries.
- Added current-source sanitized suppression audit metadata for `safeDomains`, `ignoredPaths`, and `ignoredFindingIds` in human/JSON scan output.
- Added safe screenshot and docs-site planning plus first-five-minutes and existing-repository adoption tutorials.
- Added a versioned, sanitized baseline identity model with deterministic SHA-256 finding fingerprints and focused cross-platform normalization tests.
- Added report-only Core configuration validation with stable diagnostic codes for unknown, obsolete, duplicate, malformed, and unsafe settings.
- Added explicit sanitized baseline creation/update, integrity-checked loading, finding classification, and opt-in new-finding CI policy.
- Added additive baseline metadata to SARIF, HTML reports, Web UI, and their JSON command summaries.
- Added published-config and baseline-schema upgrade compatibility fixtures with focused tests.
- Added a disposable synthetic scan benchmark and release-candidate evidence gate.
- Added security response, support lifecycle, upgrade compatibility, performance, and supply-chain policy documents.
- Added read-only `ackit config-check` with sanitized human/JSON diagnostics, explicit warning/error exits, and manual obsolete-key migration guidance.
- Added a manual-only Windows/Ubuntu/macOS release-candidate evidence workflow design with isolated predecessor/source tools, config immutability, baseline/SARIF checks, and the synthetic performance tripwire.
- Added a normalized related-tools matrix, official-source evidence policy, privacy-first external workflow examples, no-dependency interoperability/command/import designs, external-tool threat model, and disposable lab plan.
- Added the authoritative no-network default policy, agent context pipeline taxonomy, docs toolchain decision, release blocker board, maintainer decision register, and planning-only alpha.2 refresh.
- Scanner email, phone, and IP rules now evaluate all distinct candidates in each file; raw finding matches are omitted from human, JSON, and Web UI output while JSON keeps its compatible nullable field.
- Baseline-aware CI now treats severity escalation as a new finding without changing baseline schema or fingerprints.
- Config diagnostics reject unmatched quotes with sanitized `ACKITCFG006` output.
- Suppression audit records are deduplicated before human/JSON reporting.
- Polished README installed-tool and source command examples.
- Froze a compatibility-preserving `v0.2.0-alpha.2` hardening scope without changing version metadata.
- Reclassified historical v1.0 asset checks and added an explicit P0/P1/P2 1.0 readiness gap register.
- Migrated the test project from legacy `xunit` `2.9.3` to xUnit v3 while preserving all 169 tests and clean dependency reviews.
- Added a conditional release-candidate contract freeze and explicit maintainer GO/NO-GO decision package without changing version or publishing.
- Added machine-readable command JSON, baseline, and SARIF profile schemas with sanitized golden fixtures and live-output contract tests.
- Added English/Turkish human-output, known-error, exit-code, and JSON semantic parity release gates across all language-aware commands.
- Added a metadata-only security/supply-chain evidence register, maintainer handoff, and local structure gate for private reporting, signing, SBOM, provenance, and package recovery decisions.
- Added a consolidated final RC local-readiness decision and read-only orchestration gate with an explicit remote NO-GO boundary.
- Added exact hosted CI/source/published smoke evidence for commit `37d5220` while preserving the unrun manual RC workflow blocker.
- Added read-only GitHub evidence that private vulnerability reporting is disabled, with explicit P0 enablement and notification-owner completion criteria.
- Added a read-only published package/release supply-chain audit covering NuGet repository signing, author-signature absence, owner-profile alignment, SBOM, provenance, and recovery evidence.
- Added an initial offline OSS ecosystem catalog, product positioning, external-tool workflow guidance, interoperability backlog, and split local-versus-maintainer execution queue without adding dependencies.
- Prevented `id-token: write`, escaped text ending in drive-like syntax, and plain numeric hosted run IDs from producing token/path/phone false positives.
- Made the local Markdown link gate compatible with Windows PowerShell 5.1, including repository-escape diagnostics.
- Run Markdown link release gates in isolated hosted `pwsh` child processes and preserve child output on fixture failures.
- Normalize Markdown targets as repository-relative path segments so Windows 8.3 temp paths cannot create false repository-escape failures.
- Use cross-platform `pwsh` for release-job preparation and published-package verification on Ubuntu.
- Make published-package verification choose a portable temporary directory and opt release actions into the Node.js 24 runtime.
- Made case-insensitive scanner regexes culture-invariant so ASCII token, email, domain, and local-path detection stays consistent under Turkish and other process cultures.
- Allowlisted Shields.io badge hosts and common `System.IO` namespace-shaped technical tokens to prevent culture-invariant self-scan noise.
- Published `AgentContextKit` `0.2.0-alpha.2` to NuGet through GitHub OIDC Trusted Publishing.
- Created exact tag `v0.2.0-alpha.2` at `f540479a92cbe66097f6796553828ee49ddd5512` and published the GitHub pre-release with validated package assets.
- Added `ackit sarif` source command for SARIF 2.1.0 output.
- Added scanner rule catalog with stable `ACKIT` rule IDs.
- Added additive JSON `ruleId` field.
- Added config allowlist foundation: `safeDomains`, `ignoredPaths`, `ignoredFindingIds`.
- Added expanded scanner patterns.
- Added sample gallery and demo scenarios.
- Added Web UI preview and visual asset guidance.
- Added `ackit sarif --output <repo-relative.sarif>` documentation and GitHub Code Scanning readiness notes for the published `0.2.0-alpha.1` package.
- Added documentation-only GitHub Actions examples for scan CI, SARIF upload, published-tool smoke, and source-package smoke.
- Added GitHub Actions usage guidance for CI command order, privacy, failure interpretation, and SARIF upload decisions.
- Added sample repository gallery and demo scenario docs for onboarding.
- Added safe sample repositories for .NET console, generic empty repository health gaps, and security fixture wording.
- Added a local sample smoke helper script.
- Added a central scanner rule catalog with stable `ACKIT` rule IDs, default severity context, and SARIF help metadata.
- Added configurable `safeDomains`, `ignoredPaths`, and `ignoredFindingIds` scanner allowlist fields for narrow non-Critical noise suppression.
- Added scanner coverage for additional package artifacts, provider-token-like values, bearer token-like values, and Unix home path leakage.
- Published NuGet `0.2.0-alpha.1` now includes `ackit sarif`.
- JSON finding objects now include additive `ruleId` metadata.
- SARIF rule metadata now uses the centralized scanner rule catalog.
- Scanner documentation and security model are updated for v0.2.0-alpha.
- Critical findings cannot be silently suppressed by config allowlist.
- SARIF output avoids raw secret matches and absolute local paths.
- Added a cross-platform source smoke workflow that packs the current branch and installs `AgentContextKit` `0.1.0-alpha.2` from a temporary local package source on Windows, Ubuntu, and macOS.
- Added alpha.2 hardening tasks for scanner noise reduction, GitHub Actions Node 24 readiness, Turkish CLI output polish, and release preparation.
- Published `v0.1.0-alpha.2` on GitHub and NuGet and verified global tool installation.
- Reduced scanner noise with a conservative safe technical domain allowlist and fixture-only placeholder email handling.
- Added safe technical allowlist coverage for common platform/package domains while preserving Critical secret detection.
- Reduced fixture placeholder noise without suppressing real source/docs email or secret findings.
- Prepared GitHub Actions workflows for Node 24-ready official action majors and explicit Windows runner labeling.
- Polished Turkish human CLI output while preserving JSON schema fields.
- Bumped source/package metadata and CLI runtime version to `0.1.0-alpha.2`.
- Updated the published-package smoke workflow to install `AgentContextKit` `0.1.0-alpha.2`.
- Recorded successful cross-platform GitHub Actions smoke validation for the published NuGet global tool.
- Synced post-push GitHub release status docs after `master` and `v0.1.0-alpha.1` were pushed.
- Verified NuGet publication and global tool install for `AgentContextKit` version `0.1.0-alpha.1`.
- Verified NuGet global tool smoke test in a clean demo app.
- Initial offline-first .NET CLI tool package with command name `ackit`.
- CLI commands: `init`, `scan`, `scan --ci`, `report`, `webui`, `prompt-pack`, `context-export`, `generate`, `task`, `redact-check`, `doctor`, `version`, and `help`.
- Repository scanner for docs, tests, CI, Docker, generated agent files, package metadata, and stack signals.
- Sample-aware main stack detection for `.NET`, `.NET CLI / .NET Tool`, and `GitHub Actions` without treating `samples/` stacks as the main product stack.
- Pattern-based secret, PII, brand, risky path, and risky extension scanning.
- JSON output with schema/tool metadata, generated timestamps, repository metadata, summaries, and CI mode fields.
- Task-first development document generation under `docs/tasks`.
- Agent instruction generation for Codex, Claude, Cursor, and GitHub Copilot.
- Offline static HTML report generation with safe repository-relative output handling.
- Offline static Web UI prototype generation for local scan review.
- Local-only dry-run prompt pack generation and explicit-approval context export manifests.
- English and Turkish output/template foundation.
- Config schema documentation and generated-file conventions.
- Focused xUnit test coverage and GitHub Actions CI.
- Local release verification, package metadata, public release audit, release blocker, public gate, and v1.0 readiness scripts.
- v1.0 final local readiness review documentation and gate script.
- Source archive hygiene docs and WinRAR exclude guidance for local ZIP/RAR sharing.
- OSS readiness, governance, privacy, support, security, package, release, and maintainer handoff documentation.
- Public package and docs metadata use the `Cynrath` persona.
- Package URLs point to `https://github.com/Cynrath/agent-context-kit`.
- Public release blockers track the completed GitHub Release and NuGet publication state, with Codex for OSS submission as the remaining follow-up.
- Added NuGet package README metadata for local pack readiness.
- Refined self-scan stack accuracy so sample ASP.NET Core, Minimal API, TypeScript, and Tailwind CSS signals are not reported as the main repository stack.