agentinit 1.19.0 → 1.20.1

package/CHANGELOG.md

@@ -1,3 +1,23 @@
+## [1.20.1](https://github.com/agentinit/agentinit/compare/v1.20.0...v1.20.1) (2026-04-25)
+
+
+### Bug Fixes
+
+* harden skill source replay and scan enforcement ([cf0efa1](https://github.com/agentinit/agentinit/commit/cf0efa17009515e1a5835b7a9c81b675a84bc91c))
+* **skills:** preserve prefixes across installs and updates ([6a0c7b3](https://github.com/agentinit/agentinit/commit/6a0c7b3f4c16bf9ee8cb60a3a94b852755f412fa))
+
+# [1.20.0](https://github.com/agentinit/agentinit/compare/v1.19.0...v1.20.0) (2026-04-22)
+
+
+### Bug Fixes
+
+* **skills:** repair missing agent installs from canonical store ([c1b2c15](https://github.com/agentinit/agentinit/commit/c1b2c156880c96768cb29ccef659bca40b336cc0))
+
+
+### Features
+
+* **lock:** add install lock tracking and skill updates ([ae27369](https://github.com/agentinit/agentinit/commit/ae27369378028370675fc78a10497526e954df2a))
+
 # [1.19.0](https://github.com/agentinit/agentinit/compare/v1.18.2...v1.19.0) (2026-04-12)
 
 
@@ -25,6 +45,11 @@
 ### Bug Fixes
 
 * **skills:** compare installed skill payloads before prompting for updates
+* **lock:** treat global installs as shared targets and warn when lock persistence fails
+
+### Features
+
+* **lock:** add lock inspection commands and tracked skill updates
 
 # [1.18.0](https://github.com/agentinit/agentinit/compare/v1.17.2...v1.18.0) (2026-04-04)
 

package/README.md

@@ -171,7 +171,7 @@ agentinit rules add --global --agent claude --template git,write_tests
 
 ### `agentinit skills`
 
-Install, list, and remove reusable agent skills from marketplaces, local paths, or GitHub repositories.
+Install, list, update, and remove reusable agent skills from marketplaces, local paths, or hosted Git repositories.
 
 **Examples:**
 ```bash
@@ -188,6 +188,12 @@ agentinit skills add ./skills
 
 # Install a skill stored in a repository subdirectory
 agentinit skills add owner/repo/path/to/skill
+agentinit skills add gitlab:group/repo//path/to/skill
+agentinit skills add bitbucket:workspace/repo/path/to/skill
+
+# Install from GitLab or Bitbucket
+agentinit skills add gitlab:group/repo
+agentinit skills add bitbucket:workspace/repo
 
 # Install marketplace-hosted skills explicitly
 agentinit skills add claude/skill-creator
@@ -208,20 +214,53 @@ agentinit skills add owner/repo --global --agent agents
 # Force copied installs instead of canonical symlink installs
 agentinit skills add ./skills --copy
 
+# Prefix installed skill names for grouping
+agentinit skills add owner/repo --prefix marketing-
+
 # Install every bundled plugin from a multi-plugin Claude bundle
 agentinit skills add owner/repo --all
 
+# Control security scanning
+agentinit skills add owner/repo
+agentinit skills add owner/repo --no-scan
+agentinit skills add owner/repo --allow-risky
+
 # Review and clean up installed skills
 agentinit skills list
 agentinit skills list --agent agents
+agentinit skills update openai-docs
+agentinit skills update openai-docs --everywhere
 agentinit skills remove openai-docs
 ```
 
 If a GitHub or local Claude bundle contains multiple plugins, `agentinit skills add` prompts you to choose one or more bundled plugins to inspect or install. Press `Space` to select, `A` to select or deselect all, and `Enter` to confirm. Use `--all` to skip the prompt and install or inspect every bundled plugin. In non-interactive `--yes` mode, ambiguous multi-plugin bundles still fail unless `--all` is provided.
 
-Skills are installed into a canonical store by default (`.agents/skills/` for project, `~/.agents/skills/` for global), with agent-specific paths symlinked automatically. Bare skill names resolve from your configured default marketplace, falling back to the public catalog at `vercel-labs/agent-skills`. Use `./name` for local paths, `owner/repo` for GitHub repos, or `--from <marketplace>` for explicit marketplace sources.
+Skills are installed into a canonical store by default (`.agents/skills/` for project, `~/.agents/skills/` for global), with agent-specific paths symlinked automatically. Bare skill names resolve from your configured default marketplace, falling back to the public catalog at `vercel-labs/agent-skills`. Use `./name` for local paths, `owner/repo` for GitHub repos, `gitlab:group/repo` for GitLab repos, `gitlab:group/repo//path/to/skill` for GitLab subdirectories, `bitbucket:workspace/repo` for Bitbucket, or `--from <marketplace>` for explicit marketplace sources.
+
+When you re-run `agentinit skills add`, AgentInit compares the installed skill payload with the source before overwriting anything. Unchanged skills are reported as already up to date. If an installed skill has changed, interactive runs ask for confirmation before replacing it, while `--yes` applies the update automatically. Use `--prefix <text>` to prepend installed skill names for grouping, or press `P` during the interactive skill picker to set it on the fly. Installs are security-scanned by default; risky helper scripts are blocked, while risky Markdown guidance is surfaced as a warning. Use `--no-scan` to skip scanning or `--allow-risky` to proceed when high-risk executable patterns are detected.
+
+`agentinit skills update [name]` replays tracked project-scoped installs from their original source in the current project. Use `agentinit skills update <name> --everywhere` to update that skill across every tracked target, including global installs.
+
+### `agentinit lock`
+
+Inspect and maintain the global install lock at `~/.agentinit/lock.json`. The lock records successful skill, MCP, and rules changes so AgentInit can report current installations, find stale project paths, detect skill drift, and update tracked skills later.
+
+**Examples:**
+```bash
+# List current tracked installs across projects
+agentinit lock list
+agentinit lock list --kind skill --agent claude
+
+# Show a summary and optionally compare skill files with their install hashes
+agentinit lock status
+agentinit lock status --check-drift
+
+# Remove entries for projects that no longer exist
+agentinit lock prune --dry-run
+agentinit lock prune
+```
 
-When you re-run `agentinit skills add`, AgentInit now compares the installed skill payload with the source before overwriting anything. Unchanged skills are reported as already up to date. If an installed skill has changed, interactive runs ask for confirmation before replacing it, while `--yes` applies the update automatically.
+The lock is stored with user-only permissions when supported by the operating system. It can include absolute project paths, agent config paths, skill install paths, source repository or marketplace names, sanitized MCP URLs, and MCP command names. Do not share this file if those paths or source names are sensitive.
 
 ### `agentinit plugins`
 
@@ -487,10 +526,13 @@ src/
 │   ├── init.ts       # Project initialization
 │   ├── detect.ts     # Stack detection
 │   ├── sync.ts       # Configuration sync
-│   └── mcp.ts        # MCP management
+│   ├── mcp.ts        # MCP management
+│   ├── skills.ts     # Skill installation and updates
+│   └── lock.ts       # Global install lock inspection
 ├── core/             # Core functionality
 │   ├── agentDetector.ts    # Agent detection
 │   ├── stackDetector.ts    # Stack analysis
+│   ├── installLock.ts      # Global install lock state
 │   ├── templateEngine.ts   # Template processing
 │   └── propagator.ts       # Config sync engine
 ├── registry/         # MCP registry