Release v0.6.0

Highlights

• Continue coreutils adoption experiment — Extends the codegen pipeline beyond uu_app() argument surfaces to vendor whole upstream uutils modules with a manifest and drift-detection CI. tee, mktemp, realpath, stat, and od now flow through codegen; printf runs on a vendored copy of uucore's format implementation; and env is ported through a virtual-env shim (TM-INF-024) (#1592, #1593, #1594).
• MCP server mode removed from CLI — The bashkit mcp server mode has been removed. The recommended path for MCP integrations is now to embed bashkit via the library bindings.
• Security hardening across the sandbox — Fail-closed fixes across realfs (no-follow resolver for stat/read_link/remove; reject leaf-symlink writes), snapshot/restore (atomic, fail-closed vfs_restore), sqlite (reject VACUUM/VACUUM INTO; row caps; engine cache invalidation), network (SSRF precheck fails closed; IPv4-mapped IPv6 normalization), jq (replace halt to stop sandbox escape via process::exit; fancy-regex execution + file-binding caps), and ssh (shell-escape sftp ls; try none-auth before password/key). The final 6 OPEN entries in the threat model are now marked mitigated (#1568, #1581, #1582, #1583, #1584, #1585, #1586, #1587, #1588, #1589, #1590, #1591, #1599, #1601, #1613, #1615).

Breaking Changes

• CLI MCP server mode removed: The bashkit mcp subcommand and the MCP server transport bundled in the CLI have been removed.
  • Before: bashkit mcp --transport stdio
  • After: embed bashkit via the library bindings (bashkit crate, @everruns/bashkit on npm, bashkit on PyPI) and expose tools through your own MCP server.

What's Changed

• fix(coreutils-port): constrain uu_app builder macro arguments (#1629) by @chaliy
• fix(coreutils-port): accept localized-Command let-binding in uu_app (#1628) by @chaliy
• chore(deps): bump the rust-dependencies group with 3 updates (#1626) by @dependabot
• fix(fuzz): strip real-shell error lines from stderr before banned-shape check (#1623) by @chaliy
• fix(fuzz): drop arithmetic_fuzz inputs that contain banned debug shapes (#1622) by @chaliy
• fix(fuzz): drop glob_fuzz inputs that contain banned debug shapes (#1621) by @chaliy
• fix(coreutils-port): allow safe clap macros in uu_app validator (#1620) by @chaliy
• fix(bashkit-eval): make rustls provider init idempotent (#1619) by @chaliy
• fix(printf): cap float exponent magnitude in format validation (#1618) by @chaliy
• fix(coreutils-port): harden uu_app builder validation (#1617) by @chaliy
• fix(sqlite): enforce row cap while stepping (#1615) by @chaliy
• fix(ci): isolate coreutils drift external execution (#1614) by @chaliy
• fix(jq): cap file binding memory (#1613) by @chaliy
• fix(ci): sandbox coreutils drift generation (#1611) by @chaliy
• fix(export): continue after invalid identifier to avoid stale env sync (#1610) by @chaliy
• fix(js): correct sqlite maxMemory unit handling (#1609) by @chaliy
• chore(specs): mark TM-DOS-057 partial on WASM (#1607) by @chaliy
• fix(bashkit-eval): install rustls provider for library providers (#1606) by @chaliy
• fix(python): preserve credential placeholder env on snapshot restore (#1605) by @chaliy
• fix(export): sync successful exports when readonly args fail (#1604) by @chaliy
• fix(tool_def): reject bare array flags without values (#1603) by @chaliy
• fix(jq): enforce fancy-regex execution limits (#1601) by @chaliy
• fix(bindings): derive sqlite limits from host time and memory caps (#1600) by @chaliy
• fix(sqlite): invalidate cached engine when VFS file changes (#1599) by @chaliy
• fix(tool_def): bound aggregate JSON flag coercion (#1598) by @chaliy
• fix(scripted-tool): isolate and bound extension invocation traces (#1597) by @chaliy
• fix(scripts): follow redirects and bump just to 1.50.0 in init-cloud-env (#1595) by @chaliy
• refactor(builtins): port tee/mktemp/realpath/stat/od to codegen args (#1594) by @chaliy
• feat(coreutils-port): add module-vendor mode with manifest and drift CI (#1593) by @chaliy
• feat(builtins): port uutils env-default surface via virtual-env shim (TM-INF-024) (#1592) by @chaliy
• fix(network): fail closed in SSRF precheck and document handler responsibility (#1591) by @chaliy
• fix(network): normalize IPv4-mapped IPv6 in is_private_ip to block SSRF (#1590) by @chaliy
• fix(jq): replace halt native to stop sandbox-escape via process::exit (#1589) by @chaliy
• fix(sqlite): reject VACUUM to block VFS escape via VACUUM INTO (#1588) by @chaliy
• fix(interop): mark filesystem import unsafe and own the foreign vtable (#1587) by @chaliy
• fix(snapshot): make vfs_restore fail closed and apply atomically (#1586) by @chaliy
• fix(realfs): reject leaf-symlink writes to block dangling-symlink escape (#1585) by @chaliy
• fix(realfs): use no-follow resolver for stat/read_link/remove (#1584) by @chaliy
• fix(ln): surface remove failure under -f instead of falling through to symlink (#1583) by @chaliy
• fix(ssh): try none-auth before password/key to avoid leaking defaults (#1582) by @chaliy
• fix(ssh): shell-escape sftp ls path to prevent remote command injection (#1581) by @chaliy
• docs(threat-model): mark final 6 OPEN entries mitigated (#1568) by @chaliy
• fix(coreutils-port): accept let-bound Command chain in uu_app validator by @chaliy
• fix(fuzz): strip uutils clap error chrome before banned-shape check by @chaliy
• chore(ci): bump artifact actions by @dependabot
• feat(printf): vendor uucore format by @chaliy
• fix(truncate): enforce VFS limits before resize by @chaliy
• fix(shuf): cap range and repeat output allocation by @chaliy
• fix(cli): remove MCP server mode by @chaliy
• chore(maintenance): add deepsec scanning workspace by @chaliy

Full Changelog: v0.5.0...v0.6.0

Release v0.5.0

Highlights

• Coreutils argument surface via codegen — New POC pipeline ports uutils' uu_app() clap definitions into bashkit so builtins share the real coreutils argument shape; cat, tac, truncate, shuf, and readlink now flow through this surface, with a coreutils differential testing harness to catch parity drift. The codegen pipeline reads a single pinned uutils revision so generated builtins, the differential harness, and CI all agree on the upstream source of truth (#1529, #1535, #1536, #1537, #1538, #1542).
• Site updates — Bashkit agent skill is now published on the site, alongside rustdoc guides and content signal declarations for discoverability.

What's Changed

• refactor(builtins): migrate readlink to codegen-ported argument surface (#1542) by @chaliy
• chore(site): publish bashkit agent skill (#1541) by @chaliy
• chore(site): declare content signals by @chaliy
• docs(site): publish rustdoc guides by @chaliy
• feat(builtins): add shuf via codegen with helper-fn inlining (#1538) by @chaliy
• chore(builtins): pin uutils revision as single source of truth (#1537) by @chaliy
• feat(builtins): add truncate via codegen-ported argument surface (#1536) by @chaliy
• test(builtins): add coreutils differential testing harness (#1535) by @chaliy
• feat(builtins): port uutils argument surfaces via codegen (POC: cat, tac) (#1529) by @chaliy
• feat(tool_def): accept --flag key=value... syntax for object/array flags (#1528) by @chaliy
• fix(tool_def): coerce stringified JSON for array/object flag schemas (#1527) by @chaliy

Full Changelog: v0.4.1...v0.5.0

Release v0.4.1

Highlights

• Fix bashkit v0.4.0 crates.io publish — Move docs/clap-builtins.md into crates/bashkit/docs/ (matching the rustdoc-guides convention) and update the include_str! path so the guide is packaged inside the crate. v0.4.0 was published to PyPI, npm, and Homebrew but the crates.io publish failed because the guide lived outside the crate directory.

What's Changed

• fix(docs): move clap-builtins guide inside bashkit crate so cargo publish includes it by @chaliy

Full Changelog: v0.4.0...v0.4.1

Release v0.4.0

Highlights

• Builtin extension abstraction — New public Extension trait groups related builtins for one-call registration on BashBuilder/BashToolBuilder. TypeScript registration now flows through TypeScriptExtension, and ScriptedTool reuses a shared ToolDefExtension for its per-call logic shell (#1515, #1518).
• Clap-backed custom builtins — Custom builtins can now be defined declaratively against a clap parser, replacing hand-rolled arg parsing for new integrations (#1514).
• SQLite session engine cache — The sqlite builtin keeps a session-scoped engine alive across exec() calls, so transactions and prepared state survive multiple shell invocations within one session (#1513).
• SQLite hardening follow-up — PRAGMA policy parsing now handles SQL comments and quoted/bracket/backtick identifiers (closing a PRAGMA main."cache_size" bypass), and max_db_bytes is enforced consistently across VFS writes/truncates and memory-backend persistence (#1521).
• Python + toolchain bumps — Embedded Python (monty) bumped to 0.0.17 and Rust toolchain bumped to 1.95.0 across rust-toolchain.toml and matching CI workflow refs (#1520).

What's Changed

• bench(sqlite): add Criterion benchmark for sqlite builtin (#1523) by @chaliy
• chore(python): bump monty to 49faa4c (0.0.17) and Rust to 1.95.0 (#1520) by @chaliy
• fix(deps): bump postcss to 8.5.13 in browser example (#1522) by @chaliy
• fix(sqlite): harden pragma policy and db caps (#1521) by @chaliy
• test(ssh): retry live supabase smoke (#1519) by @chaliy
• feat(scripted-tool): add ToolDef extension (#1518) by @chaliy
• feat(sqlite): session-scoped engine cache for transactions across exec() (#1513) by @chaliy
• feat(extension): add builtin extension abstraction (#1515) by @chaliy
• feat(builtins): support clap-backed custom builtins (#1514) by @chaliy
• test(sqlite): add differential tests vs host sqlite3 binary (#1511) by @chaliy

Full Changelog: v0.3.0...v0.4.0

Release v0.3.0

Highlights

• Embedded SQLite via Turso — New sqlite builtin with MemoryIO and VfsIO backends, dot-commands (.tables, .schema, .dump), and a hardened deny list that blocks ATTACH/DETACH and dangerous PRAGMAs. Exposed to Python and JS bindings (#1502, #1507, #1510).
• jq parity expansion — Filter module restructured for parity with real jq, regex backend swapped from regex to fancy-regex for advanced patterns (lookaround, backreferences), @tsv/@csv defs and short jq-style runtime errors with cross-tool no-Debug-leak guard (TM-INF-022) (#1501, #1503, #1508).
• Scripted-tool logic-only mode — Orchestrator scripts can now run in a restricted "code mode" that disables shell features unrelated to control flow, narrowing the attack surface for LLM-authored scripts.
• Python network credentials — Phase 2 of #1348 lands credentials= and credential_placeholders= kwargs on Bash(network=...), completing the Python-side network policy surface (#1499).
• Toolchain pinning — Rust toolchain pinned via rust-toolchain.toml and matched in CI workflow refs to prevent same-day rustc releases from breaking CI; RSA advisory mirrored locally and dead code gated (#1509).

What's Changed

• feat(bindings): expose sqlite builtin to Python and JS bindings (#1510) by @chaliy
• chore(ci): pin Rust toolchain, mirror RSA advisory, gate dead code (#1509) by @chaliy
• feat(jq): replace regex backend with fancy-regex for advanced patterns (#1508) by @chaliy
• feat(sqlite): block ATTACH/DETACH, PRAGMA deny list, dependabot rule (#1507) by @chaliy
• fix(ci): green up failing main-branch tests and example (#1506) by @chaliy
• refactor: move git and ssh modules into builtins/ (#1505) by @chaliy
• feat(jq): expand parity with real jq + restructure into module (#1503) by @chaliy
• feat(sqlite): embedded SQLite via Turso (Phase 1 + Phase 2) (#1502) by @chaliy
• fix(jq): @tsv/@csv defs + short jq-style errors; cross-tool no-Debug-leak guard (TM-INF-022) (#1501) by @chaliy
• chore(deps): bump all workspace dependencies (#1500) by @chaliy
• feat(python): add credentials + credential_placeholders to network= (phase 2 of #1348) (#1499) by @chaliy
• fix(curl): use curl user agent by default (#1498) by @chaliy
• fix(bashkit): gate Path import behind realfs (#1497) by @chaliy
• fix(cli): enable python execution by default by @chaliy
• ci(python): build aarch64 wheels on native ubuntu-24.04-arm (#1495) by @chaliy
• feat(scripted-tool): run scripts in logic-only code mode by @chaliy

Full Changelog: v0.2.1...v0.3.0

Release v0.2.1

Highlights

• Windows mount path validation — MountableFs::mount now uses Path::has_root instead of Path::is_absolute, so POSIX-style mount points like /workspace are accepted on every host. The v0.2.0 interop FS roundtrip test (vfs › filesystem external roundtrip mounts into bash) regressed silently on Windows because PR CI runs Rust tests on Linux only (#1492).
• rustls switched to ring — Replaces the aws-lc-rs/aws-lc-sys C crypto stack with pure-Rust ring across the workspace. Unblocks the aarch64 manylinux wheel build, which had failed in v0.2.0 with 'AT_HWCAP2' undeclared from the cross-compiled aws-lc-sys 0.39.1. cargo tree -i aws-lc-sys now returns no match (#1493).

What's Changed

• fix(fs): validate mount paths with POSIX semantics on Windows (#1492) by @chaliy
• fix(http): switch rustls crypto provider to ring (#1493) by @chaliy

Full Changelog: v0.2.0...v0.2.1

Release v0.2.0

Highlights

• Filesystem interop ABI — New bashkit::interop::fs (behind the interop cargo feature) exposes a versioned repr(C) filesystem handle + vtable, plus Python FileSystem.from_capsule() / to_capsule() and Node FileSystem.fromExternal() / toExternal() so downstream native extensions can mount custom filesystems without sharing addon-private layouts (#1353)
• Python network= constructor kwarg — Bash(network=...) now controls outbound network access at construction time, the first phase of the network policy work tracked in #1348 (#1489)
• jq compatibility — Added input_filename / input_line_number / $ENV stubs (#1490) and bounded, jq-like runtime error messages that no longer dump full input values to stderr (#1488)

What's Changed

• feat(jq): add input_filename / input_line_number / $ENV stubs (#1490) by @chaliy
• feat(python): add network= constructor kwarg (phase 1 of #1348) (#1489) by @chaliy
• fix(jq): format runtime errors without value dumps (#1488) by @chaliy
• feat(site): add canonical sitemap generation (#1485) by @chaliy
• chore(deps): bump the rust-dependencies group with 5 updates (#1483) by @dependabot
• feat(interop): add filesystem ABI handles (#1353) by @chaliy

Full Changelog: v0.1.21...v0.2.0

Release v0.1.21

Highlights

• Codex security run — Large-scale security and hardening sweep landed 100+ fixes: panic-safety across expr/sed/sort/date/extglob, resource limits for local/allexport/lazy files/yes/dirstack, depth and size caps in jq/sed/mktemp/snapshot restore, RealFs symlink-escape blocks, bot-auth signatures bound to method+URI, JS real-FS mount allowlist, scripted-tool injection blocks, MCP stdin bounds, unzip path-traversal blocks, parser timeout/input limits in WASM/eval/source/nested-bash, and credential/log redaction
• Site and docs — New bashkit.sh homepage (Astro + Cloudflare), public CLI reference rewrite, canonical /docs rendering, builtins index, and refreshed homepage proof and sourcing
• External contributions — Thanks to @oliverlambson for BuiltinResult support in Python custom builtins (#1427) and publishing Python 3.14 wheels to PyPI (#1351)

What's Changed

• chore(deps): address security advisories (#1481) by @chaliy
• fix(interpreter): restore errexit for mixed and-or lists (#1480) by @chaliy
• fix(parser): preserve literal semantics for single-quoted =~ regex patterns (#1479) by @chaliy
• fix(read): split on mixed whitespace/non-whitespace IFS (#1478) by @chaliy
• fix(interpreter): assign array elements for parameter := expansion (#1477) by @chaliy
• fix(strings): restore -NUM shorthand argument handling (#1476) by @chaliy
• fix(find): preserve missing-path errors in -exec execution plans (#1475) by @chaliy
• fix(awk): avoid double evaluation in boolean binops (#1474) by @chaliy
• fix(interpreter): preserve truncating redirects with empty mixed fd output (#1473) by @chaliy
• fix(interpreter): parse arithmetic parameter operators at first operator (#1472) by @chaliy
• fix(js): enforce allowlist for real filesystem mounts (#1471) by @chaliy
• fix(python): virtualize datetime clock in sandbox (#1470) by @chaliy
• fix(credential): restrict placeholder replacement to credential headers (#1469) by @chaliy
• fix(js): retain ScriptedTool callbacks for weak TSFN (#1468) by @chaliy
• fix(snapshot): preserve legacy function snapshot deserialization (#1467) by @chaliy
• fix(awk): close range when start and end match same record (#1466) by @chaliy
• fix(grep): avoid quadratic context match lookup (#1465) by @chaliy
• fix(logging): redact and sanitize execution errors before logging (#1464) by @chaliy
• fix(jq): enforce depth limit for --argjson values (#1463) by @chaliy
• fix(parser): preserve literal dollars in concatenated single quotes (#1462) by @chaliy
• fix(builtins): harden mktemp against path collisions (#1461) by @chaliy
• fix(sed): enforce grouped command depth at parse time (#1460) by @chaliy
• fix(python): harden in-process opt-in against script overrides (#1459) by @chaliy
• test: add regressions for #1414, #1421, #1401 hardening fixes (#1458) by @chaliy
• fix(archive): reject malformed tar size headers (#1457) by @chaliy
• fix(interpreter): prevent duplicate shell flags from leaking to parent state (#1456) by @chaliy
• fix(expr): avoid UTF-8 panic in capture-group matches (#1455) by @chaliy
• fix(interpreter): preserve control flow in case fallthrough (#1454) by @chaliy
• fix(interpreter): restore env once per prefix assignment name (#1453) by @chaliy
• fix(fs): enforce parent existence check in PosixFs::append_file (#1452) by @chaliy
• fix(git): harden remote allowlist URL validation (#1451) by @chaliy
• fix(parser): split assignments on first '=' to avoid += value regression (#1450) by @chaliy
• fix(rg): propagate -m missing-value parse error (#1449) by @chaliy
• fix(interpreter): restore full assoc subscript parameter expansion (#1448) by @chaliy
• fix(fs): honor upper dir precedence in overlay read_dir (#1447) by @chaliy
• fix(hooks): honor on_exit cancel and modified exit code (#1446) by @chaliy
• fix(parsers): harden unicode and nesting guards (#1445) by @chaliy
• fix(scripts): verify bootstrap binary integrity (#1444) by @chaliy
• fix(grep): avoid panic in quoted include/exclude parsing (#1443) by @chaliy
• docs(cli): rewrite public CLI reference (#1442) by @chaliy
• fix(glob): honor dotglob during globstar directory traversal (#1441) by @chaliy
• fix(parser): preserve quoting semantics for $'...' and $"..." (#1440) by @chaliy
• fix(alias): preserve quoted words during alias reparse (#1439) by @chaliy
• fix(parser): preserve quoted expansion semantics in mixed words (#1438) by @chaliy
• fix(cli): keep network default-deny unless explicitly enabled (#1437) by @chaliy
• fix(interpreter): suppress coproc output in streaming callbacks (#1436) by @chaliy
• fix(js): keep cancellation working after reset (#1435) by @chaliy
• fix(parser): enforce parser timeout in wasm parse path (#1434) by @chaliy
• fix(parser): validate quoted command/process substitutions in budget pass (#1433) by @chaliy
• fix(fs): enforce max_dir_count for recursive mkdir and dir CoW in OverlayFs (#1432) by @chaliy
• fix(interpreter): isolate exec fd table across subshell contexts (#1431) by @chaliy
• fix(interpreter): propagate [[ ]] expansion errors (#1430) by @chaliy
• fix(cli): restore bounded limits for one-shot execution (#1429) by @chaliy
• fix(interpreter): prevent fd3 pending output leakage (#1428) by @chaliy
• fix(python): support BuiltinResult for custom builtins (#1427) by @oliverlambson
• fix(python): validate timeout_seconds before Duration conversion (#1425) by @chaliy
• fix(cli): disable interactive rc sourcing by default (#1424) by @chaliy
• fix(interpreter): scope proc_sub cleanup to session-owned paths (#1423) by @chaliy
• fix(trace): avoid unicode slice panic in equals-form redaction (#1422) by @chaliy
• fix(snapshot): verify keyed HMAC in constant time (#1421) by @chaliy
• fix(expansion): preserve quoted literalness in pattern operands (#1420) by @chaliy
• fix(realfs): block symlink target escapes via host symlinks (#1419) by @chaliy
• fix(hooks): enforce input size before before_exec hooks (#1418) by @chaliy
• fix(network): revalidate HTTP URL after before_http hook rewrites (#1417) by @chaliy
• fix(scripted-tool): sanitize custom dry-run handler errors (#1416) by @chaliy
• fix(python): scope and cap direct glob traversal (#1415) by @chaliy
• fix(interpreter): avoid overflow panic in array slice length (#1414) by @chaliy
• fix(glob): avoid unbounded bracket-range expansion (#1413) by @chaliy
• fix(interpreter): enforce nested bash parser input and timeout limits (#1412) by @chaliy
• fix(awk): enforce configured loop iteration li...

Release v0.1.20

Highlights

• Snapshot fidelity - Added shell-only snapshots, preserved shell functions in snapshots, and stored function source alongside AST for restore parity
• Bindings parity - Added Python shell_state, custom_builtins, clear_cancel(), and streaming callback support plus JS clearCancel and BashTool snapshot support
• Bindings hardening - Rejected same-instance callback re-entry and expanded cancel-state and FastAPI regression coverage
• CI and release polish - Added coverage uploads and Codecov config, removed duplicate example builds, and hardened crates publish verification
• External contributions - Thanks to @oliverlambson and @shubhlohiya for shipping Python and JS binding improvements in this release

What's Changed

• fix(snapshot): store function source alongside ast (#1332) by @chaliy
• fix(bindings): reject same-instance callback re-entry (#1331) by @chaliy
• test(bindings): cover async cancel state recovery (#1330) by @chaliy
• test(python): cover fastapi custom builtins (#1329) by @chaliy
• fix(snapshot): preserve functions in shell snapshots (#1328) by @chaliy
• feat(snapshot): add shell-only snapshots (#1327) by @chaliy
• feat(python): expose shell_state on Bash and BashTool (#1326) by @oliverlambson
• chore(ci): add codecov config (#1324) by @chaliy
• docs(specs): remove numeric prefixes from spec names (#1323) by @chaliy
• test(python): cover in-flight clear_cancel recovery (#1322) by @chaliy
• feat(js): add clearCancel parity (#1321) by @chaliy
• feat(ci): add binding coverage uploads (#1318) by @chaliy
• fix(ci): split codecov upload job (#1317) by @chaliy
• fix(ci): avoid duplicate example builds in test job (#1316) by @chaliy
• feat(python): add custom_builtins to Bash and BashTool (#1315) by @oliverlambson
• feat(python): add clear_cancel() to Bash and BashTool (#1314) by @shubhlohiya
• fix(ci): harden crates publish verification (#1313) by @chaliy
• feat(javascript): add BashTool snapshot support (#1310) by @chaliy
• feat(node): expose streaming output callbacks (#1309) by @oliverlambson
• feat(python): expose streaming output callbacks (#1308) by @oliverlambson

Full Changelog: https://github.com/everruns/bashkit/commits/v0.1.20

Release v0.1.19

Highlights

• Scripted tool ergonomics — New ToolImpl composition plus --help, --dry-run, and structured discover schema for MCP-backed callbacks
• Python bindings — Added direct VFS helpers, callable file providers, snapshot restore, stronger parity coverage, and security regression tests
• Targeted fixes — Correct touch mtimes for existing paths, quoted-adjacent glob expansion, Python publish stripping for multi-feature defaults, and rustls-webpki audit advisories
• Docs and CI polish — New snapshotting guide, richer Python/Node examples, aligned package docs, and JS type-check coverage in CI
• External contribution — Python snapshot restore support landed via @oliverlambson in #1298

What's Changed

• docs(readme): align Python and Node package guides (#1307) by @chaliy
• test(python): tag security tests with threat-model ids (#1306) by @chaliy
• test(python): add parity suites for builtins, strings, and scripts (#1305) by @chaliy
• refactor(python): split binding tests by category (#1304) by @chaliy
• fix(python): cover issue 1264 security gaps (#1303) by @chaliy
• docs: add public snapshotting guide (#1302) by @chaliy
• test(node): add missing security coverage (#1300) by @chaliy
• test(node): add integration workflow coverage (#1299) by @chaliy
• feat(python): add snapshot restore support (#1298) by @oliverlambson
• feat(python): support callable file providers (#1297) by @chaliy
• feat(python): add direct VFS convenience methods (#1295) by @chaliy
• fix(touch): update mtimes for existing paths (#1294) by @chaliy
• feat(scripted-tool): add --dry-run flag with pluggable validation (#1293) by @chaliy
• feat(scripting-toolset): structured discover input schema for MCP (#1292) by @chaliy
• docs(python): add @example blocks to type stubs and modules (#1291) by @chaliy
• docs: add missing examples to Python and Node bindings (#1290) by @chaliy
• ci(node): add TypeScript type-check job to JS workflow (#1289) by @chaliy
• feat(scripted-tool): add --help flag to tool callbacks (#1288) by @chaliy
• fix(glob): expand glob * adjacent to quoted variable expansion (#1287) by @chaliy
• fix(security): resolve 6 CodeQL alerts in test code (#1286) by @chaliy
• fix(ci): handle multi-feature default array in python stripping (#1285) by @chaliy
• feat(scripted_tool): add ToolImpl combining ToolDef + sync/async exec (#1284) by @chaliy
• feat(credential): generic credential injection for outbound HTTP requests (#1282) by @chaliy

Full Changelog: https://github.com/everruns/bashkit/commits/v0.1.19