@holdyourvoice/hyv 2.8.7 → 2.8.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +20 -0
- package/README.md +1 -1
- package/agents/cursor.md +1 -1
- package/dist/index.js +644 -304
- package/package.json +1 -1
- package/scripts/postinstall-lib.js +232 -7
- package/scripts/postinstall.js +8 -92
- package/assets/ai-eliminator-skill.md +0 -63
- package/assets/claude-code-skill.md +0 -24
- package/assets/cursor-rules.md +0 -12
- package/assets/hold-your-voice-skill.md +0 -174
- package/assets/voice-matcher-skill.md +0 -57
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,26 @@
|
|
|
2
2
|
|
|
3
3
|
All notable CLI changes. Also mirrored to [holdyourvoice.com/changelog](https://holdyourvoice.com/changelog) for user-facing releases.
|
|
4
4
|
|
|
5
|
+
## [2.8.8] — 2026-06-12
|
|
6
|
+
|
|
7
|
+
### Security
|
|
8
|
+
- OAuth browser flow verifies server `state` on callback (CSRF protection)
|
|
9
|
+
- Automatic token refresh via `getValidToken()` before API calls
|
|
10
|
+
- `HYV_API_URL` host allowlist; `assertSafeOpenUrl` for checkout/OAuth redirects
|
|
11
|
+
- Profile name path traversal blocked; MCP file reads symlink-safe with `isError` responses
|
|
12
|
+
- Sensitive `~/.hyv` files and dirs use `0o600`/`0o700` permissions
|
|
13
|
+
|
|
14
|
+
### Fixed
|
|
15
|
+
- `hyv doctor --fix-agents` uses correct postinstall-lib path
|
|
16
|
+
- `hyv import` registered; `--fail-on-hit` exits code 2 (scan + batch)
|
|
17
|
+
- Queue sync sends `original_text` / `accepted_text` for learning reinforce
|
|
18
|
+
- Postinstall: Claude Desktop MCP merge with backup, Cursor `alwaysApply` rule, absolute MCP command path
|
|
19
|
+
|
|
20
|
+
### Improved
|
|
21
|
+
- `hyv mcp --test` spawns stdio subprocess and validates JSON-RPC `tools/list`
|
|
22
|
+
- `hyv batch --fix --in-place` and `hyv watch --command fix` require `--yes` (`.bak` backups)
|
|
23
|
+
- Stale duplicate agent/skill markdown removed from `assets/` (canonical copies in `agents/` + `skills/`)
|
|
24
|
+
|
|
5
25
|
## [2.8.6] — 2026-06-12
|
|
6
26
|
|
|
7
27
|
### Changed
|
package/README.md
CHANGED
|
@@ -17,7 +17,7 @@ npx @holdyourvoice/hyv scan draft.md
|
|
|
17
17
|
npm i -g @holdyourvoice/hyv
|
|
18
18
|
```
|
|
19
19
|
|
|
20
|
-
postinstall
|
|
20
|
+
postinstall copies agent rules and configures MCP for claude desktop and cursor (plus claude code, windsurf, codex, command code skills when detected). set `HYV_AUTO_CONFIGURE_AGENTS=0` to skip.
|
|
21
21
|
|
|
22
22
|
## free vs paid
|
|
23
23
|
|
package/agents/cursor.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# Hold Your Voice
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Use HYV MCP tools for all writing tasks. If no profile exists yet, call `hyv_welcome` or `hyv_profiles` first — free local scan works without a profile.
|
|
4
4
|
|
|
5
5
|
## When to use
|
|
6
6
|
- Any email, post, doc, or content creation
|