- Clarified that the documented upgrade path is
npm i -g @to-agent/agent-exec@latestacross README surfaces. - Narrowed
aexec updateto a convenience wrapper around the documented npm update plus version diagnostics. It no longer attempts package-manager or PATH repair. aexec update --restartnow restarts only when the active command appears to match npm latest.
- Added
aexec update --restartso update can optionally restart the running server after package update. - Added restart pass-through options for update, including
--public,--force,-f,--host,--port, and--use-project-env.
This release tightens ACL editing from the CLI and restores format-aware recovery for unknown non-API paths.
- Added
aexec aclfor listing, adding, removing, and checkingexec.allowrules from the command line. - Added
aexec acl remove --contains <text>for removing matching userexec.allowrules after confirmation.
- Unknown non-API paths now return recovery guidance that follows the requested format. Markdown, HTML, JSON, and SJS requests point back to the matching root skill document surface.
- JSON 404 recovery now includes the SJS recovery entry point while keeping the default response JSON.
- ACL documentation now states that user ACL edits are picked up by a running
server on the next
/api/execrequest. - Posting to SJS skill documents now returns an SJS fallback instead of a plain
route miss. The
/api/exec/SKILL.s.jsfallback points back to the executable/api/execsurface and request body form.
aexec acl addwrites to the primary user settings file.- Exact ACL edits ask for confirmation in a TTY and require
--yesin non-interactive use. - Broad glob or regexp allow rules require
--force --yesin non-interactive use.
This release adds a reset command for returning a local agent-exec installation to a fresh safe state without silently losing the previous config.
- Added
aexec resetto back up the current local config directory and recreate a fresh minimal config. - Added
aexec reset --keep-api-keyfor keeping the current API key while resetting settings and plugins. - Added
aexec reset --api-key <key>for reproducible lab or device setup. - Added
aexec reset --dry-runandaexec reset --jsonfor inspection and automation.
- Reset backs up by default to
~/.to-agent/backups/agent-exec/reset-*. - Fresh reset settings allow only
aexec --version. --no-backupis available only as an explicit destructive mode.
This release is written against the published @to-agent/agent-exec@0.1.10
package. It updates the agent-facing documentation surfaces, execution fallback
responses, plugin generation defaults, and release packaging.
- Added Skill Script documentation surfaces through
.s.js,.sjs, andAccept: text/sjs. - Added a shared SJS renderer in
modules/sjs.jsfor root, index, API, skill, runtime, and fallback surfaces. - Added raw skill document variants such as
SKILL.raw.json,SKILL.raw.html,SKILL.raw.s.js, andSKILL.raw.sjsfor inspecting skill documents withoutae:directive expansion. - Added
ae:Markdown directives for projecting selected Markdown JSON blocks into generated JSON, HTML, and SJS metadata. - Added
/skills/private/SKILL.mdas the public entry document for the private skill namespace without listing private skill names. - Added this changelog.
- Root and index documents now expose direct SJS variants while ordinary HTML and Markdown entry points remain available.
- Public API skill documents remain discoverable, while API runtime calls, private routes, and CLI routes remain protected by API key checks.
/api/execinvalid-request responses now expose the expected request body form and point back to/api/exec/SKILL.s.js./api/execSJS fallback responses are available when the request asks fortext/sjs./api/execcontinues to reject unexpected JSON body fields such ascmd,command,env,cwd, andshell;memois now allowed as optional request metadata.- ACL and execution documentation now make the relationship between allowed
command strings and
argsarrays more explicit. - Root, API, skills, private, and plugin skill documents were updated for the current discovery and execution surfaces.
- Skill Script is directly accessible, but it is not required for ordinary human use of the HTTP interface.
- Unknown non-API paths return recovery information without making SJS the default visible format.
- Fresh installs remain conservative and do not generate broad wildcard command allow rules by default.
aexec plugin createno longer generates broadcmd *style allow rules by default.aexec starterkitnow generates ACL entries from detected help/version commands instead of broad wildcard execution rules.- Generated plugin skill files include request body metadata that can be used by JSON, HTML, and SJS outputs.
aexec plugin doctorwarns about active broad wildcard allow rules.- Starterkit and plugin generation help output was normalized for direct script and command usage.
- Expanded unit and e2e coverage for SJS rendering,
ae:directives, fallback responses, plugin generation, starterkit output, ACL behavior, private/public skill separation, and packaging. - Verified package contents include the new runtime SJS module and private namespace skill document.