Release v0.1.16

Highlights

• npm publish fix — Stable releases now correctly tagged as latest on npm (was stuck at 0.1.10 since v0.1.11)
• OpenAI Responses API migration — Examples updated from deprecated Chat Completions function calling to the new Responses API

What's Changed

• fix(ci): pass --ref tag to publish workflow dispatches (#1124) by @chaliy
• fix(examples): migrate OpenAI examples to Responses API (#1122) by @chaliy
• fix(ci): commit Cargo.lock for reproducible builds (#1123) by @chaliy
• fix(ci): update python3-dll-a cargo-vet exemption to 0.2.15 (#1121) by @chaliy
• chore(deps): bump rand 0.8→0.10 and russh 0.52→0.60 by @dependabot[bot]
• feat(fuzz): add awk_fuzz target for awk builtin (#1112) by @chaliy
• feat(fuzz): add jq_fuzz target for jq builtin (#1111) by @chaliy
• fix(interpreter): prevent byte range panic in ${#arr[idx]} with malformed input (#1110) by @chaliy
• fix(interpreter): Box::pin expand_word to prevent stack overflow in nested $() (#1109) by @chaliy
• fix(interpreter): add max_subst_depth limit to prevent OOM from nested $() (#1107) by @chaliy

Release v0.1.15

Highlights

• Transparent request signing (bot-auth) — Ed25519 request signing per RFC 9421 for all outbound HTTP requests, configured via BotAuthConfig
• Opt-in SSH/SCP/SFTP builtins — Pluggable SshHandler trait with russh transport, host allowlists (default-deny), and session pooling
• Opt-in TypeScript via ZapCode — Embedded TS/JS runtime with ts, node, deno, bun builtins, VFS bridging, and configurable resource limits
• AI SDK adapters — First-class JS adapters for Vercel AI SDK, OpenAI SDK, and Anthropic SDK with zero-boilerplate tool integration
• Snapshot/resume — Serialize and restore interpreter state mid-execution for checkpointing and migration
• wedow/harness compatibility — Running the wedow/harness agent framework via bashkit as another bash compatibility milestone
• Security hardening — 20+ fixes: regex size limits, memory exhaustion caps, sandbox escape fix, credential leak prevention, header injection mitigation

What's Changed

• chore(specs): make CI health a hard gate in maintenance checklist (#1092) by @chaliy
• feat(examples): run wedow/harness via bashkit with OpenAI (#1086) by @chaliy
• fix(interpreter): populate BASH_SOURCE[0] for PATH-resolved scripts (#1087) by @chaliy
• feat(js): expose stat() and missing fs operations directly on Bash/BashTool (#1084) by @chaliy
• feat(js): expose fs() accessor for direct VFS operations (#1081) by @chaliy
• fix(parser): prevent word-splitting inside quoted strings during array assignment (#1082) by @chaliy
• feat(builtins): add ls -C multi-column output (#1079) by @chaliy
• feat(js): expose additional execution limits for Python parity (#1078) by @chaliy
• fix(grep): grep -r on single file returns empty (#1080) by @chaliy
• feat(js): expose real filesystem mounts with per-mount readOnly support (#1077) by @chaliy
• feat: expose maxMemory to prevent OOM from untrusted input (#1075) by @chaliy
• feat(cli): relax execution limits for CLI mode (#1076) by @chaliy
• fix(parser): handle all token types in process substitution reconstruction (#1073) by @chaliy
• feat(ssh): add ssh/scp/sftp builtins with russh transport (#945) by @chaliy
• fix(deps): resolve all npm security vulnerabilities (#1064) by @chaliy
• docs: add GitHub links to PyPI metadata and Everruns ecosystem section (#1065) by @chaliy
• chore: pre-release maintenance pass (#1063) by @chaliy
• feat(network): add transparent request signing (bot-auth) (#1062) by @chaliy
• fix(audit): update semver exemption to 1.0.28 (#1059) by @chaliy
• fix(builtins): limit AWK getline file cache to prevent memory exhaustion (#1061) by @chaliy
• fix(builtins): cap AWK printf width/precision to prevent memory exhaustion (#1048) by @chaliy
• fix(interpreter): support exec {var}>&- fd-variable redirect syntax (#1060) by @chaliy
• fix(builtins): cap AWK output buffer size to prevent memory exhaustion (#1055) by @chaliy
• fix(builtins): cap parallel cartesian product size to prevent memory blowup (#1054) by @chaliy
• fix(builtins): sanitize curl multipart field names to prevent header injection (#1053) by @chaliy
• fix(interpreter): splat "${arr[@]}" elements individually in array assignment (#1052) by @chaliy
• fix(builtins): reject path traversal in patch diff headers (#1051) by @chaliy
• fix(js): use single interpreter instance in AI adapters (#1050) by @chaliy
• fix(builtins): enforce regex size limits in sed, grep, and awk (#1049) by @chaliy
• fix(js): use shared runtime and concurrency limit for tool callbacks (#1047) by @chaliy
• fix(python): enforce recursion depth limits in monty_to_py and py_to_monty (#1046) by @chaliy
• fix(builtins): parse combined short flags in paste builtin (#1045) by @chaliy
• fix(js): use SeqCst ordering for cancellation flag (#1044) by @chaliy
• fix(interpreter): support recursive function calls inside $() command substitution (#1043) by @chaliy
• chore: update semver exemption to 1.0.28 in cargo-vet config (#1058) by @chaliy
• chore: update cc exemption to 1.2.59 in cargo-vet config (#1057) by @chaliy
• fix(mcp): apply CLI execution limits to MCP-created interpreters (#1041) by @chaliy
• fix(interpreter): remove exported vars from env on unset (#1042) by @chaliy
• fix(fs): prevent sandbox escape via TOCTOU fallback in RealFs::resolve (#1040) by @chaliy
• fix(interpreter): expand parameter operators inside arithmetic base# expressions (#1039) by @chaliy
• fix(interpreter): set BASH_SOURCE[0] when running bash /path/script.sh (#1037) by @chaliy
• fix(interpreter): short-circuit && and || inside [[ ]] for set -u (#1035) by @chaliy
• test(interpreter): add regression tests for bash -c exported variable visibility (#1038) by @chaliy
• fix(interpreter): forward piped stdin to bash script/command child (#1036) by @chaliy
• fix(interpreter): route exec fd redirects through VFS targets (#1034) by @chaliy
• fix(interpreter): compose indirect expansion with default operator by @chaliy
• chore: update tagline to "Awesomely fast virtual sandbox with bash and file system" (#1029) by @chaliy
• fix(interpreter): contain ${var:?msg} error within subshell boundary (#1031) by @chaliy
• fix(interpreter): exec < file redirects stdin for subsequent commands (#1030) by @chaliy
• fix(builtins): unescape / in sed replacement strings (#1028) by @chaliy
• fix(builtins): filter internal markers from Python os.environ (#1021) by @chaliy
• fix(builtins): harden curl redirect against credential leaks (#1020) by @chaliy
• fix(parser): cap lookahead in looks_like_brace_expansion (#1019) by @chaliy
• fix(parser): enforce subst depth limit in unquoted cmdsub (#1018) by @chaliy
• fix(interpreter): cap global pattern replacement result size (#1017) by @chaliy
• fix(interpreter): cap glob_match calls in remove_pattern_glob (#1016) by @chaliy
• fix(interpreter): save/restore memory_budget in subshell/cmdsub (#1015) by @chaliy
• fix(fs): handle symlinks in overlay rename and copy (#1014) by @chaliy
• fix(builtins): block unset of internal variables and readonly marker bypass (#1013) by @chaliy
• fix(builtins): emit stderr warning when sed branch loop limit is reached (#1012) by @chaliy
• fix(cli): install custom panic hook to suppress backtrace information disclosure (#1011) by @chaliy
• fix(builtins): clamp printf precision to prevent panic on large values (#1010) by @chaliy
• fix(trace): handle all header flag formats and missing secret headers in redaction (#1009) by @chaliy
• fix(builtins): URL-encode query params and form body in HTTP builtin (#1008) by @chaliy
• fix(builtins): prevent JSON injection in HTTP build_json_body (#1007) by @chaliy
• fix(builtins): clear variable on read at EOF with no remaining data (#976) by @chaliy
• fix(builtins): honor jq -j/--join-output flag to suppress trailing newline ([#975](https://github.com/everruns/...

Release v0.1.14

Highlights

• Massive Bash compatibility push — 25+ interpreter fixes covering errexit, namerefs, associative arrays, arithmetic expansion, redirects, glob patterns, and ANSI-C quoting
• AWK engine hardened — 8 fixes for regex literals, newline handling, printf, keyword tokenization, and multi-file FILENAME support
• New Bash features — set -a (allexport), BASH_SOURCE array, exec with command replacement, declare -f, compgen -c PATH scanning
• Prebuilt CLI binaries — macOS (ARM64/x86_64) and Linux x86_64 binaries now published to GitHub Releases with Homebrew formula
• Dependency upgrades — jaq 3.0, digest crates 0.11

What's Changed

• feat(deps): upgrade jaq to 3.0, digest crates to 0.11 (#893) by @chaliy
• chore(deps): require major version upgrades in maintenance checklist (#892) by @chaliy
• ci(js): add Bun and Deno to JS CI matrix with runtime-compat tests (#889) by @chaliy
• fix(interpreter): handle compound array assignment in local builtin (#888) by @chaliy
• fix(interpreter): expand special variables ($#, $?, etc.) in arithmetic (#887) by @chaliy
• chore: pre-release maintenance (test counts, fuzz fix, code cleanup) (#885) by @chaliy
• fix(interpreter): set -e should not trigger on compound commands with && chain failure (#879) by @chaliy
• fix(interpreter): expand assoc array keys with command substitutions (#878) by @chaliy
• feat(release): add prebuilt CLI binary builds and Homebrew formula (#871) by @chaliy
• fix(builtins): preserve raw bytes from /dev/urandom through pipeline (#870) by @chaliy
• fix(interpreter): resolve namerefs in parameter expansion for assoc array subscripts (#869) by @chaliy
• fix(interpreter): propagate errexit_suppressed through compound commands (#868) by @chaliy
• test(parser): unskip parse_unexpected_do and parse_unexpected_rbrace (#866) by @chaliy
• fix(parser): expand $'\n' ANSI-C quoting in concatenated function args (#865) by @chaliy
• fix(interpreter): treat assoc array subscripts as literal strings (#864) by @chaliy
• fix(interpreter): correct left-to-right redirect ordering for fd dup + file combos (#863) by @chaliy
• fix(parser): handle $'...' ANSI-C quoting in parameter expansion patterns (#856) by @chaliy
• fix(awk): check word boundary before emitting keyword tokens (#859) by @chaliy
• fix(builtins): preserve full path in ls output for file arguments (#858) by @chaliy
• fix(builtins): suppress rg line numbers by default (non-tty behavior) (#857) by @chaliy
• fix(interpreter): resolve nameref for ${!ref[@]} key enumeration (#855) by @chaliy
• fix(interpreter): fire EXIT trap inside command substitution subshell (#854) by @chaliy
• fix(js): update exec security test for sandbox-safe exec behavior (#851) by @chaliy
• fix(interpreter): reset last_exit_code in VFS subprocess isolation (#850) by @chaliy
• fix(interpreter): treat invalid glob bracket expressions as literals (#845) by @chaliy
• fix(awk): support backslash-newline line continuation (#841) by @chaliy
• fix(awk): treat # inside regex literals as literal, not comment (#840) by @chaliy
• fix(interpreter): resolve namerefs before nounset check (#839) by @chaliy
• fix(builtins): sort -n extracts leading numeric prefix from strings (#838) by @chaliy
• feat(interpreter): implement BASH_SOURCE array variable (#832) by @chaliy
• fix(awk): treat newlines as statement separators in action blocks (#831) by @chaliy
• feat(api): add BashBuilder::tty() for configurable terminal detection (#830) by @chaliy
• fix(awk): accept expressions as printf format string (#829) by @chaliy
• fix(vfs): preserve raw bytes when reading /dev/urandom (#828) by @chaliy
• fix(awk): evaluate regex literals against $0 in boolean context (#827) by @chaliy
• fix(parser): preserve double quotes inside $() in double-quoted strings (#826) by @chaliy
• fix(interpreter): set -e respects AND-OR lists in functions and loops (#824) by @chaliy
• test(allexport): add regression tests for set -a behavior (#823) by @chaliy
• fix(builtins): implement declare -f for function display and lookup (#822) by @chaliy
• feat(interpreter): nameref resolution for associative array operations (#821) by @chaliy
• test(awk): add spec tests for delete array (already implemented) (#820) by @chaliy
• feat(compgen): scan PATH directories for executables in compgen -c (#819) by @chaliy
• feat(test): configurable -t fd terminal detection (#818) by @chaliy
• feat(awk): route /dev/stderr and /dev/stdout to interpreter streams (#817) by @chaliy
• feat(awk): implement FILENAME built-in variable for multi-file processing (#816) by @chaliy
• feat(interpreter): exec with command argument — execute and don't return (#815) by @chaliy
• feat(interpreter): implement set -a (allexport) (#814) by @chaliy
• feat(interpreter): subprocess isolation for VFS script-by-path execution (#813) by @chaliy
• feat(interpreter): pipe stdin to VFS script execution (#812) by @chaliy
• refactor(scripted_tool): ScriptingToolSet returns tools() instead of implementing Tool (#789) by @chaliy

Full Changelog: v0.1.13...v0.1.14

Release v0.1.13

Highlights

• Community contribution from @achicu: fixed find with multiple paths silently discarding results when one path is missing (#781)
• Python/Node binding parity — both bindings now expose the same API surface (#785)
• Live mount/unmount on running Bash instances for dynamic filesystem composition (#784)

What's Changed

• fix(examples): exit langchain example to prevent NAPI event loop hang (#786) by @chaliy
• feat(bindings): add Python/Node binding parity (#785) by @chaliy
• feat(fs): expose live mount/unmount on running Bash instance (#784) by @chaliy
• chore: add cargo-vet exemptions for jni-sys 0.3.1, 0.4.1 and jni-sys-macros 0.4.1 (#783) by @chaliy
• fix: find with multiple paths no longer discards results on missing path (#781) by @achicu

Full Changelog: v0.1.12...v0.1.13

Release v0.1.12

Highlights

• Restored SearchCapable/SearchProvider traits for indexed filesystem search
• Improved text file handling across 17 builtins with shared lossy read helpers

What's Changed

• feat(fs): restore SearchCapable/SearchProvider traits (#779)
• refactor(builtins): adopt read_text_file helper across 17 builtins (#778)
• chore(skills): move repo skills under .agents (#777)
• refactor(builtins): share lossy text file reads (#775)

Full Changelog: v0.1.11...v0.1.12

Release v0.1.11

Highlights

• Second external contribution! Welcome @shubham-lohiya, who exposed the Bash class with Monty Python execution and external function handler in the Python bindings (#760) — making it easy to extend bashkit with custom Python functions
• Browser terminal example: Bashkit now runs entirely in the browser via WebAssembly (wasm32-wasip1-threads), with a single-file terminal UI — no framework required
• New features: structured execution trace events, per-instance memory budgets, static AST budget validation, head -c byte mode, IFS separator + $_ tracking, final environment state in ExecResult
• Security hardening: blackbox security audit surfaced 15 vulnerabilities — all fixed; readonly variable bypass blocked; stack overflow, memory exhaustion, and source recursion depth limits enforced; shell injection prevented in JS VFS helpers
• Major refactoring: FileSystem split into core + FileSystemExt, shared ArgParser extracted, register_builtins! macro replacing 120+ insert calls, ShellRef Context API, shell options split-brain fix

What's Changed

• chore: pre-release maintenance — docs, fuzz, threat model, cargo-vet (#774)
• fix(interpreter): stabilize command-not-found suggestions (#773)
• refactor: remove blanket clippy::unwrap_used allows (#772)
• chore: move /ship from command to skill format (#771)
• refactor(fs): split FileSystem into core + FileSystemExt (#770)
• refactor(builtins): extract shared ArgParser (#744) (#769)
• refactor: replace hardcoded if-name dispatch with ShellRef Context API (#767)
• refactor: break up 6 monster functions into smaller helpers (#766)
• refactor(interpreter): fix shell options split brain (#736) (#764)
• refactor(builtins): replace 120+ insert calls with register_builtins! macro (#762)
• refactor(builtins): move find/xargs/timeout execution plans from interpreter to builtins (#761)
• feat(python): expose Bash class with Monty Python execution and external function handler (#760) by @shubham-lohiya
• fix(git): error on non-HEAD revision in git show rev:path (#758)
• refactor(builtins): extract git_err helper to eliminate 24 identical error wrapping lines (#757)
• refactor(error): simplify Error enum by merging Parse/ParseAt and removing dead CommandNotFound (#756)
• refactor(fs): remove dead SearchCapable/SearchProvider traits (#755)
• fix(vfs): use fs.remove() for patch file deletion instead of empty write (#754)
• refactor(interpreter): deduplicate declare/local compound assignment and flag parsing (#753)
• refactor(builtins): extract shared search utilities from grep and rg (#752)
• refactor: deduplicate is_valid_var_name into single pub(crate) function (#751)
• refactor(builtins): replace magic variable hack with BuiltinSideEffect enum (#750)
• chore(skills): add design quality review phase to ship command (#749)
• refactor(interpreter): extract glob/pattern matching to glob.rs (#748)
• fix(skills): delegate process-issues shipping to /ship skill (#747)
• chore: convert process-issues command to .claude/skills/ format (#746)
• feat: IFS separator, $_ tracking, and prefix assignment order (#724)
• fix(deps): bump ai SDK to ^5.0.52 and override jsondiffpatch >=0.7.2 (#723)
• fix(deps): override langsmith >=0.4.6 to fix SSRF vulnerability (#722)
• fix(js): wrap napi structs in Arc to prevent invalid pointer access (#721)
• fix: hex escapes, POSIX classes, DEBUG trap, noclobber, indirect arrays (#719)
• fix(js): prevent shell injection in Bash/BashTool VFS helpers (#718)
• fix(interpreter): prevent stack overflow in nested command substitution (#717)
• fix(builtins): bound seq output to prevent memory exhaustion (#716)
• feat(builtins): add head -c byte count mode (#715)
• fix(interpreter): reset transient state between exec() calls (TM-ISO-005/006/007) (#714)
• fix(interpreter): block readonly variable bypass via unset/declare/export (TM-INJ-019/020/021) (#713)
• fix(interpreter): enforce execution timeout via tokio::time::timeout (TM-DOS-057) (#712)
• fix(interpreter): source recursion depth limit (TM-DOS-056) (#711)
• fix(interpreter): declare -a/-i and local -a with inline init (#710)
• feat(fs): optional SearchCapable trait for indexed search (#709)
• feat(trace): structured execution trace events (#708)
• feat(limits): per-instance memory budget for variables/arrays/functions (#707)
• feat(limits): YAML/template depth limits + session-level cumulative counters (#706)
• fix(fs): OverlayFs validate_path + directory count limits + accounting gaps (#701)
• test(python): add advanced security tests for Python integration (#705)
• test(security): add JavaScript integration security tests (#700)
• test(security): blackbox security testing — 15 vulnerability findings (#688)
• fix(security): guard all builtins against internal variable namespace injection (#696)
• feat(interpreter): return final environment state in ExecResult (#695)
• feat(parser): static budget validation on parsed AST before execution (#694)

Full Changelog: v0.1.10...v0.1.11

Release v0.1.10

Highlights

• Node.js native bindings (@everruns/bashkit): Full npm package with NAPI-RS, async execute API, VFS file helpers, lazy file values — 6 platforms, tested on Node 20/22/24, with 200+ tests and 6 examples including OpenAI, Vercel AI, and LangChain integrations
• Pi coding agent integration: Bashkit extension for pi.dev terminal coding agent — replaces shell, read, write, and edit tools with bashkit-backed virtual implementations, zero real filesystem access
• 39 new builtins (109→148): rg, patch, zip/unzip, iconv, compgen, json, csv, tomlq, yaml, template, parallel, http, help, fc, tree, readlink, clear, fold, expand/unexpand, envsubst, join, split, and more
• Performance: Criterion benchmark harness with auto-save, 7-runner comparison suite, lazy-init HTTP client, trimmed CLI one-shot startup path
• Coprocess & background execution: coproc support with named FD pairs, background & execution with wait builtin, cancellation via AtomicBool token

New Tools & Builtins

• 14 new builtins batch 2: rg, patch, zip/unzip, iconv, compgen, json, csv, tomlq, yaml, template, parallel, http, help, fc
• 7 non-standard builtins + alias/unalias docs
• join and split commands
• clear, fold, expand/unexpand, envsubst
• tree, readlink
• ScriptingToolSet with exclusive/discovery modes
• MCP: expose ScriptedTool as MCP tool
• help builtin for runtime schema introspection

What's Changed

• feat(pi-integration): add Pi coding agent extension with bashkit VFS (#638)
• feat(find): add -printf format flag support (#637)
• test: un-ignore exec_azure_query_capacity, now passing (#636)
• feat(awk): add Unicode \u escape sequences (#635)
• feat(jq): upgrade jaq crates to latest stable versions (#634)
• feat(vfs): add /dev/urandom and /dev/random to virtual filesystem (#632)
• feat: fix bindings stderr, agent prompt, jq 1.8, awk --csv (#631)
• fix(errexit): assignment-only commands now return exit code 0 (#630)
• chore: pre-release maintenance pass (#627)
• fix(awk): implement output redirection for print/printf (#626)
• feat(js): expose VFS file helpers for agent integrations (#624)
• fix(builtins): preserve empty fields in read IFS splitting (#623)
• fix(interpreter): correct &&/|| operator precedence in [[ ]] conditional (#622)
• fix(js): prevent invalid pointer access in napi bindings (#621)
• fix(builtins): correct -a/-o operator precedence in test/[ builtin (#620)
• refactor(net): lazy-init http client (#613)
• feat(cancel): add cancellation support via AtomicBool token (#612)
• fix(eval): stop scoring tool-call trajectory (#611)
• refactor(cli): trim one-shot startup path (#609)
• fix(parser): track bracket/brace depth in array subscript reader (#603)
• fix(lexer): track brace depth in unquoted ${...} tokenization (#602)
• fix(interpreter): expand ${...} syntax in arithmetic contexts (#601)
• feat(js): support lazy file values in VFS (#598)
• feat(js): add async execute API (#597)
• feat(history): persistent searchable history across Bash instances (#596)
• feat(git): add show/ls-files/rev-parse/restore/merge-base/grep (#595)
• feat(interpreter): implement coproc (coprocess) support (#594)
• feat(eval): improve discovery prompts and bump to gpt-5.4 (#593)
• fix(tool): align toolkit library contract (#592)
• feat(vfs): add mkfifo and named pipe (FIFO) support (#591)
• feat(interpreter): implement background execution with & and wait (#590)
• feat(bench): add Criterion parallel bench with auto-save (#589)
• feat(builtins): add 14 new builtins batch 2 (#588)
• feat(eval): improve scripted tool evals with ScriptingToolSet (#587)
• fix(fs): flush RealFs append to prevent data loss race (#586)
• feat(builtins): add 7 non-standard builtins + alias/unalias docs (#585)
• feat(builtins): add join and split commands (#584)
• feat(bench): 7-runner benchmark comparison with expanded test suite (#583)
• feat(builtins): add clear, fold, expand/unexpand, envsubst commands (#582)
• feat(builtins): add tree command (#581)
• chore(maintenance): extract /maintain skill, add simplification (#580)
• feat(builtins): add readlink command (#579)
• feat(scripted_tool): add ScriptingToolSet with discovery mode support (#534)
• chore(agents): clarify worktree sync and commit identity (#533)
• feat(mcp): expose ScriptedTool as MCP tool (#532)
• docs(scripted_tool): shared context and state patterns (#530)
• feat(scripted_tool): help builtin for runtime schema introspection (#529)
• feat(js): add JavaScript/TypeScript package with npm publishing (#528)
• feat: upgrade to Rust edition 2024 + add doppler to cloud setup (#527)
• feat(eval): add scripting tool evals with multi-dataset support (#525)
• fix: prevent fuzz-found panics on multi-byte input (#513)

Full Changelog: v0.1.9...v0.1.10

Release v0.1.9

Highlights

• First external contribution! Welcome @achicu, who contributed external function handler support for the Python bindings (#394) — a milestone for the project as our first community-contributed feature. Thank you!
• Comprehensive security hardening: deep audit with 40+ fixes across VFS, parser, interpreter, network, and Python bindings
• HTTP, git, and Python features now enabled by default in the CLI
• Multi-byte UTF-8 safety across builtins (awk, tr, printf, expr)
• Python runtime improvements: GIL release, tokio runtime reuse, security config preservation

What's Changed

• feat(python): add external function handler support (#394) by Alexandru Chiculita
• feat(cli): enable http, git, python by default (#507)
• chore: run maintenance checklist (012-maintenance) (#508)
• docs: convert doc examples to tested doctests (#504)
• fix(security): batch 3 — issues #498-#499 (#503)
• fix(security): batch 2 — issues #493-#497 (#502)
• fix(security): batch 1 — issues #488-#492 (#501)
• docs: align rustdoc with README, add doc review to maintenance (#500)
• test(security): deep security audit with regression tests (#487)
• fix(builtins): make exported variables visible to Python's os.getenv (#486)
• refactor(interpreter): extract inline builtins from execute_dispatched_command (#485)
• fix(parser): allow glob expansion on unquoted suffix after quoted prefix (#484)
• fix(parser): handle quotes inside ${...} in double-quoted strings (#483)
• fix(parser): expand variables in [[ =~ $var ]] regex patterns (#482)
• fix(builtins): count newlines for wc -l instead of logical lines (#481)
• fix(interpreter): reset OPTIND between bash script invocations (#478)
• fix(builtins): awk array features — SUBSEP, multi-subscript, pre-increment (#477)
• fix(builtins): prevent awk parser panic on multi-byte UTF-8 (#476)
• fix(network): use byte-safe path boundary check in allowlist (#475)
• fix(interpreter): use byte-safe indexing for arithmetic compound assignment (#474)
• fix(builtins): add recursion depth limit to AWK function calls (#473)
• fix(network): use try_from instead of truncating u64-to-usize cast (#472)
• fix(network): redact credentials from allowlist error messages (#471)
• fix(scripted_tool): use Display not Debug format in errors (#470)
• fix(python): add depth limit to py_to_json/json_to_py (#469)
• fix(builtins): handle multi-byte UTF-8 in tr expand_char_set() (#468)
• fix(builtins): use char-based precision truncation in printf (#467)
• fix(builtins): use char count instead of byte length in expr (#466)
• fix(interpreter): detect cyclic nameref to prevent wrong resolution (#465)
• fix(interpreter): sandbox $$ to return 1 instead of host PID (#464)
• fix(python): preserve security config across Bash.reset() (#463)
• fix(git): validate branch names to prevent path injection (#462)
• fix(tool): preserve custom builtins across create_bash calls (#461)
• fix(fs): add validate_path to all InMemoryFs methods (#460)
• fix(fs): recursive delete whiteouts lower-layer children in OverlayFs (#459)
• fix(fs): use combined usage for OverlayFs write limits (#458)
• fix(fs): prevent usage double-counting in OverlayFs (#457)
• fix(fs): enforce write limits on chmod copy-on-write (#456)
• fix(archive): prevent tar path traversal in VFS (#455)
• fix(fs): prevent TOCTOU race in InMemoryFs::append_file() (#454)
• docs: add quick install section to README (#453)
• fix(jq): prevent process env pollution in jq builtin (#452)
• fix(python): reuse tokio runtime instead of creating per call (#451)
• fix(python): release GIL before blocking on tokio runtime (#450)
• fix(python): prevent heredoc delimiter injection in write() (#449)
• fix(python): prevent shell injection in BashkitBackend (#448)
• fix(interpreter): add depth limit to extglob pattern matching (#447)
• fix(interpreter): block internal variable namespace injection (#445)
• chore(ci): bump the github-actions group with 2 updates (#479)
• chore: add tokio-macros 2.6.1 to cargo-vet exemptions (#480)

Full Changelog: v0.1.8...v0.1.9

Release v0.1.8

Highlights

• Stderr and combined redirects (2>, 2>&1, &>) for real-world script compatibility
• ANSI-C quoting ($'...') and $"..." syntax support
• New builtins: base64, md5sum/sha1sum/sha256sum, find -exec, grep -L/--exclude-dir
• jq enhancements: setpath, leaf_paths, improved match/scan
• Recursive variable deref and array access in arithmetic expressions
• awk user-defined functions, curl -F multipart form data
• tar -C/-O flags, xargs command execution
• Per-tool-call timeout_ms in ToolRequest
• 244 new Oils-inspired spec tests
• 20+ interpreter/parser bug fixes: heredoc pipes, IFS splitting, subshell isolation, exit code truncation, unicode ${#x}, shift builtin, and more

What's Changed

• fix(ci): trigger Python publish workflow on release (#403)
• chore(eval): 2026-02-28 eval run across 5 models with v0.1.7 analysis (#402)
• feat: process remaining issues (#308, #310, #311, #312, #321, #327, #329, #331, #332, #333, #334) (#393)
• chore: add rebase hint to process-issues step 9 (#392)
• fix: reduce skipped spec tests, implement cut/tr features (#309, #314) (#391)
• fix(ci): switch tarpaulin to LLVM engine to fix coverage failures (#390)
• fix: implement var operators, IFS splitting, parser errors, nameref, alias (#389)
• fix(builtins): add jq -R raw input and awk printf parens (#388)
• chore: update pin-project-lite cargo-vet exemption to 0.2.17 (#387)
• feat(builtins): implement find -exec command execution (#386)
• feat(builtins): add grep -L, --exclude-dir, -s, -Z flags (#385)
• feat(builtins): implement jq setpath, leaf_paths, fix match/scan (#384)
• fix(parser): handle heredoc pipe ordering and edge cases (#379)
• fix(interpreter): count unicode chars in ${#x} and add printf \u/\U escapes (#378)
• feat(interpreter): implement stderr and combined redirects (2>, 2>&1, &>) (#377)
• fix(interpreter): isolate subshell state for functions, cwd, traps, positional params (#376)
• chore(specs): document sort/uniq flags, update spec test counts (#375)
• fix(interpreter): split command substitution output on IFS in list context (#374)
• feat(interpreter): implement recursive variable deref and array access in arithmetic (#373)
• feat(parser): implement $'...' ANSI-C quoting and $"..." syntax (#371)
• fix(interpreter): write heredoc content when redirected to file (#370)
• feat(eval): add OpenAI Responses API provider (#366)
• fix(interpreter): truncate exit codes to 8-bit range (#365)
• fix(builtins): make xargs execute commands instead of echoing (#364)
• chore: add ignored-test review step to process-issues (#363)
• test: add 14 Oils-inspired spec test files (244 tests) (#351)
• feat(tool): add per-tool-call timeout_ms to ToolRequest (#350)
• chore(eval): expand eval suite to 52 tasks, add multi-model results (#349)
• feat(eval): add database, config, and build simulation eval categories (#344)
• feat(tool): list all 80+ builtins in help text (#343)
• fix(wc): match real bash output padding behavior (#342)
• chore(tests): update spec_tests.rs skip count from 66 to 18 (#341)
• refactor(error): add Fromregex::Error impl for Error (#340)
• chore: add /process-issues claude command (#339)
• chore: close verified-not-reproducible issues #279, #282 (#307)
• test: verify issues #275, #279, #282 are not reproducible (#306)
• feat(curl): add -F multipart form data support (#305)
• feat(find): parse -exec flag without erroring (#304)
• feat(awk): add user-defined function support (#303)
• feat(tar): add -C (change directory) and -O (stdout) flags (#302)
• feat(base64): add base64 encode/decode builtin command (#301)
• fix(eval): add /var/log to script_health_check task files (#300)
• fix(eval): accept both quoted and unquoted CSV in json_to_csv_export (#299)
• fix(jq): return ExecResult::err instead of Error::Execution for stderr suppression (#298)
• fix(test): resolve relative paths against cwd in file test operators (#297)
• fix(interpreter): shift builtin now updates positional parameters (#296)
• fix(lexer): handle backslash-newline line continuation between tokens (#295)
• fix(interpreter): forward pipeline stdin to user-defined functions (#294)
• fix(test): trim whitespace in parse_int for integer comparisons (#293)

Full Changelog: v0.1.7...v0.1.8

Release v0.1.7

Highlights

• 20+ new builtins: declare/typeset, let, getopts, trap, caller, shopt, pushd/popd/dirs, seq, tac, rev, yes, expr, mktemp, realpath, and more
• Glob options: dotglob, nocaseglob, failglob, noglob, globstar
• Shell flags: bash -e/-x/-u/-f/-o, set -x xtrace debugging
• select construct, case ;;& fallthrough, FUNCNAME variable
• Nameref variables (declare -n), case conversion (declare -l/-u)
• 10+ bug fixes for quoting, arrays, globs, and redirections

What's Changed

• feat(interpreter): implement bash/sh -e/-x/-u/-f/-o flags (#270)
• chore(eval): run 2026-02-25 evals across 4 models (#271)
• feat(interpreter): implement glob options (dotglob, nocaseglob, failglob, noglob, globstar) (#269)
• feat(builtins): implement pushd, popd, dirs (#268)
• feat(builtins): implement file comparison test operators (#267)
• feat(builtins): implement expr builtin (#266)
• feat(builtins): implement yes and realpath builtins (#265)
• feat(interpreter): implement caller builtin (#264)
• feat(builtins): implement printf %q shell quoting (#263)
• feat(builtins): implement tac and rev builtins (#262)
• feat(builtins): implement seq builtin (#261)
• chore(deps): bump pyo3 to 0.28.2 and pyo3-async-runtimes to 0.28 (#260)
• feat(builtins): implement mktemp builtin (#259)
• feat(interpreter): implement trap -p flag and sorted trap listing (#258)
• feat(builtins): implement set -o / set +o option display (#257)
• feat(interpreter): implement declare -l/-u case conversion attributes (#256)
• feat(interpreter): implement declare -n nameref variables (#255)
• feat(builtins): implement shopt builtin with nullglob enforcement (#254)
• feat(interpreter): implement set -x xtrace debugging (#253)
• feat(bash): auto-populate shell variables (PWD, HOME, USER, etc.) (#252)
• feat(bash): implement select construct (#251)
• feat(bash): implement let builtin and fix declare -i arithmetic (#250)
• feat(bash): case ;& and ;;& fallthrough/continue-matching (#249)
• feat(bash): implement FUNCNAME special variable (#248)
• fix(bash): backslash-newline line continuation in double quotes (#247)
• fix(bash): nested double quotes inside $() in double-quoted strings (#246)
• fix(bash): input redirections on compound commands (#245)
• fix(bash): glob pattern matching in [[ == ]] and [[ != ]] (#244)
• fix(bash): negative array indexing ${arr[-1]} (#243)
• fix(bash): BASH_REMATCH not populated when regex starts with parens (#242)
• feat(bash): arithmetic exponentiation, base literals, mapfile (#241)
• feat: grep binary detection, awk %.6g and sorted for-in (#240)
• feat: bash compatibility — compound arrays, grep -f, awk getline, jq env/input (#238)
• feat: string ops, read -r, heredoc tests (#237)
• feat: associative arrays, chown/kill builtins, array slicing tests (#236)
• feat: cat -v, sort -m, brace/date/lexer fixes (#234)
• feat: type/which/declare/ln builtins, errexit, nounset fix, sort -z, cut -z (#233)
• feat: paste, command, getopts, nounset, [[ =~ ]], glob **, backtick subst (#232)
• feat(date): add -R, -I flags and %N format (#231)
• fix(lexer): handle backslash-escaped metacharacters (#230)
• feat(grep): add --include/--exclude glob patterns (#229)
• feat(sort,uniq,cut,tr): add sort/uniq/cut/tr missing options (#228)
• feat(sed): grouped commands, branching, Q quit, step/zero addresses (#227)
• chore(deps): upgrade monty to latest main (87f8f31) (#226)
• fix(ci): repair nightly CI and add fuzz compile guard (#225)

Full Changelog: v0.1.6...v0.1.7