v1.9.16

Security fix

This release patches GHSA-rhp4-jmr9-fmc5 — a high-severity command injection in capa's command-tool executor.

CommandToolExecutor.runCommand() previously built the shell command by string-replacing {name} placeholders with caller-supplied values and spawning the result with shell: true. Values were never escaped, so an agent steered by indirect prompt injection could insert shell metacharacters in a tool argument and run arbitrary commands as the capa process.

The fix tokenizes the operator's template into argv once, substitutes caller values as inert argv elements, and spawns with shell: false on every platform. Metacharacters in argument values are now passed as literal argv text.

Upgrade is recommended for everyone running capa with command-type tools exposed over MCP.

Behavior note

Operator templates that deliberately embedded shell pipelines (grep foo | sort, &&, redirects) in cmd: will now treat those tokens as literal argv elements. If you rely on shell features, invoke the shell explicitly:

run:
  cmd: "sh -c 'grep {pattern} file.txt | sort'"

Plain-string argument values (the documented contract) are unaffected.

Credits

Reported by @eun119.

Full Changelog: v1.9.15...v1.9.16

v1.9.15

What's Changed

• fix(install): stop folding sub-agent context into CLAUDE.md / copilot-instructions.md by @Minitour in #121

Full Changelog: v1.9.14...v1.9.15

What's Changed

• fix(install): stop folding sub-agent context into CLAUDE.md / copilot-instructions.md by @Minitour in #121

Full Changelog: v1.9.14...v1.9.15

v1.9.14

What's Changed

• feat(subagents): accept @server.tool / server.tool / bare id in subagent tools[] by @Minitour in #120

Full Changelog: v1.9.13...v1.9.14

What's Changed

• feat(subagents): accept @server.tool / server.tool / bare id in subagent tools[] by @Minitour in #120

Full Changelog: v1.9.13...v1.9.14

v1.9.13

What's Changed

• feat(subagents): expand skills/tools blocks with descriptions and capa sh form by @Minitour in #118
• feat(install): warn on unknown subagent skill/tool references by @Minitour in #119

Full Changelog: v1.9.12...v1.9.13

What's Changed

• feat(subagents): expand skills/tools blocks with descriptions and capa sh form by @Minitour in #118
• feat(install): warn on unknown subagent skill/tool references by @Minitour in #119

Full Changelog: v1.9.12...v1.9.13

v1.9.12

What's Changed

• feat(cli): registry search + capabilities-manager skill refresh by @Minitour in #117

Full Changelog: v1.9.11...v1.9.12

What's Changed

• feat(cli): registry search + capabilities-manager skill refresh by @Minitour in #117

Full Changelog: v1.9.11...v1.9.12

v1.9.11

What's Changed

• feat(skills): add bootstrap skill for capifying existing projects by @Minitour in #116

Full Changelog: v1.9.10...v1.9.11

What's Changed

• feat(skills): add bootstrap skill for capifying existing projects by @Minitour in #116

Full Changelog: v1.9.10...v1.9.11

v1.9.10

What's Changed

• perf(install): parallelize tool validation and stream live progress by @Minitour in #113
• Enhance tool validation with parallel processing and live progress by @Minitour in #114

Full Changelog: v1.9.9...v1.9.10

What's Changed

• perf(install): parallelize tool validation and stream live progress by @Minitour in #113
• Enhance tool validation with parallel processing and live progress by @Minitour in #114

Full Changelog: v1.9.9...v1.9.10

v1.9.9

What's Changed

• fix(shell): load MCP tool schemas lazily so capa sh never blocks on remote servers by @Minitour in #106
• feat(rules): support installing rules from local files (closes #105) by @Minitour in #107
• fix(hooks): reference local hook scripts by a portable relative path by @Minitour in #109
• fix(git): non-interactive clones (no hang, #104) + blobless partial clone for speed (#91) by @Minitour in #108
• Improve shell tool loading, local rule support, and git handling by @Minitour in #110

Full Changelog: v1.9.8...v1.9.9

What's Changed

• fix(shell): load MCP tool schemas lazily so capa sh never blocks on remote servers by @Minitour in #106
• feat(rules): support installing rules from local files (closes #105) by @Minitour in #107
• fix(hooks): reference local hook scripts by a portable relative path by @Minitour in #109
• fix(git): non-interactive clones (no hang, #104) + blobless partial clone for speed (#91) by @Minitour in #108
• Improve shell tool loading, local rule support, and git handling by @Minitour in #110

Full Changelog: v1.9.8...v1.9.9

v1.9.8

What's Changed

• Fix LFS clones, Windows MCP visibility, and OpenCode config by @Minitour in #103

Full Changelog: v1.9.7...v1.9.8

What's Changed

• Fix LFS clones, Windows MCP windows, and OpenCode config by @Minitour in #102
• Fix LFS clones, Windows MCP visibility, and OpenCode config by @Minitour in #103

Full Changelog: v1.9.7...v1.9.8

v1.9.7

What's Changed

• fix: preserve YAML comments/order in capa add (#93) and pointer cursor on buttons (#92) by @Minitour in #96
• fix(plugins): command-based MCP servers from plugins expose no tools (#94) by @Minitour in #97
• fix(install): Windows upgrade fails to replace running capa.exe (#19) by @Minitour in #98
• Preserve YAML comments and order, fix button cursor on hover by @Minitour in #99

Full Changelog: v1.9.6...v1.9.7

What's Changed

• fix: preserve YAML comments/order in capa add (#93) and pointer cursor on buttons (#92) by @Minitour in #96
• fix(plugins): command-based MCP servers from plugins expose no tools (#94) by @Minitour in #97
• fix(install): Windows upgrade fails to replace running capa.exe (#19) by @Minitour in #98
• Preserve YAML comments and order, fix button cursor on hover by @Minitour in #99

Full Changelog: v1.9.6...v1.9.7