agentsys 5.10.0 → 5.12.0

package/.claude-plugin/marketplace.json

@@ -1,7 +1,7 @@
 {
   "name": "agentsys",
   "description": "20 specialized plugins for AI workflow automation - task orchestration, PR workflow, slop detection, code review, drift detection, enhancement analysis, documentation sync, unified static analysis, perf investigations, topic research, agent config linting, cross-tool AI consultation, structured AI debate, workflow pattern learning, codebase onboarding, contributor guidance, and Zig language support",
-  "version": "5.10.0",
+  "version": "5.12.0",
   "owner": {
     "name": "Avi Fenesh",
     "url": "https://github.com/avifenesh"
@@ -27,11 +27,11 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/next-task.git",
-        "ref": "v1.1.1",
-        "commit": "9aa32b856d81ebeeb6c6ea0ab421c80d6986a7b1"
+        "ref": "v1.1.2",
+        "commit": "8feba0141a895d651a850cbe724a0e333c24a3a0"
       },
       "description": "Master workflow orchestrator: autonomous workflow with model optimization (opus/sonnet/haiku), two-file state management, workflow enforcement gates, 8 specialist agents",
-      "version": "1.1.1",
+      "version": "1.1.2",
       "category": "productivity",
       "homepage": "https://github.com/agent-sh/next-task"
     },
@@ -40,10 +40,11 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/prepare-delivery.git",
-        "commit": "2e8f400115d8df68e6e8e02466a97117c7f86fab"
+        "commit": "0e9685fe0e93e058af5ca9a0374f4f97e1db878c",
+        "ref": "v0.1.2"
       },
       "description": "Pre-ship quality gates: deslop, simplify, agnix, enhance, review loop, delivery validation, docs sync",
-      "version": "0.1.0",
+      "version": "0.1.2",
       "category": "productivity",
       "homepage": "https://github.com/agent-sh/prepare-delivery"
     },
@@ -64,11 +65,11 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/ship.git",
-        "commit": "3e65dcf5f6aa60e8e42baff14eef0c2209302751",
-        "ref": "v1.1.1"
+        "commit": "189da6af2abdf67ab661098af2fc18453fe9e734",
+        "ref": "v1.1.2"
       },
       "description": "Complete PR workflow: commit to production, skips review when called from next-task, removes task from registry on cleanup, automatic rollback",
-      "version": "1.1.1",
+      "version": "1.1.2",
       "category": "deployment",
       "homepage": "https://github.com/agent-sh/ship"
     },
@@ -77,7 +78,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/deslop.git",
-        "commit": "be3ac2396dcabad450e5097e4f22f9f4e166a143"
+        "commit": "00301b9ce81d12caa38063e4a65b535ba5b011b2"
       },
       "description": "3-phase AI slop detection: regex patterns (HIGH), multi-pass analyzers (MEDIUM), CLI tools (LOW)",
       "version": "1.0.0",
@@ -89,10 +90,11 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/audit-project.git",
-        "commit": "a080ebf74184ba3ad2de19100e2b3a818c8a194c"
+        "commit": "f703facec38765b6fd8cb5a2076c98bf14e5998e",
+        "ref": "v1.0.2"
       },
       "description": "Multi-agent iterative code review until zero issues remain",
-      "version": "1.0.0",
+      "version": "1.0.2",
       "category": "development",
       "homepage": "https://github.com/agent-sh/audit-project"
     },
@@ -101,7 +103,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/drift-detect.git",
-        "commit": "880c2ce1f0d637a947229281aea9b9a40156b6a4"
+        "commit": "576aca37402068aef175c8a6002584e19cb6ea74"
       },
       "description": "Deep repository analysis to realign project plans with code reality - detects drift, gaps, and creates prioritized reconstruction plans",
       "version": "1.0.0",
@@ -113,7 +115,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/enhance.git",
-        "commit": "081e6b1c90bbd5b7297a18c6d01e86693825c113"
+        "commit": "93f299e494a3a9ea74e82bd2d15bc1c517ce8f0c"
       },
       "description": "Master enhancement orchestrator: parallel analyzer execution for plugins, agents, docs, CLAUDE.md, and prompts with unified reporting",
       "version": "1.0.0",
@@ -125,7 +127,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/sync-docs.git",
-        "commit": "f8281a98f440577934b67dc9ef3f9da85d56f9de"
+        "commit": "410e06739da101583b7238669f4acad7f5aea7ab"
       },
       "description": "Standalone documentation sync: find outdated refs, update CHANGELOG, flag stale examples based on code changes",
       "version": "1.0.0",
@@ -150,10 +152,11 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/perf.git",
-        "commit": "cc988ec68863a18243297d216e2fcd37802f2296"
+        "commit": "189eb15e22bb6678da4d773f1c52b57d8880abff",
+        "ref": "v1.0.1"
       },
       "description": "Rigorous performance investigation workflow with baselines, profiling, hypotheses, and evidence-backed decisions",
-      "version": "1.0.0",
+      "version": "1.0.1",
       "category": "development",
       "homepage": "https://github.com/agent-sh/perf"
     },
@@ -162,7 +165,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/learn.git",
-        "commit": "91983c1fe35b96bcda5360f4155465d69a0b01fc"
+        "commit": "b3025d376a83841078f3ab5cf53b62c6960e46c3"
       },
       "description": "Research topics online and create comprehensive learning guides with RAG-optimized indexes",
       "version": "1.0.0",
@@ -187,7 +190,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/consult.git",
-        "commit": "71a08ef5566cfb189d5161c2d0e31542d2c99155"
+        "commit": "8ce96f86c0ae67f732383a8b45c9994a7cd64d2a"
       },
       "description": "Cross-tool AI consultation: get second opinions from Gemini CLI, Codex CLI, Claude Code, OpenCode, or Copilot CLI with model and thinking effort control",
       "version": "1.0.0",
@@ -199,10 +202,11 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/debate.git",
-        "commit": "95c0333b432aa8b0911e9accccecb219d3bc3ad7"
+        "commit": "aba659706bd25f7e394096acb457446e44966711",
+        "ref": "v1.0.1"
       },
       "description": "Structured multi-round debate between AI tools with proposer/challenger roles and verdict",
-      "version": "1.0.0",
+      "version": "1.0.1",
       "category": "productivity",
       "homepage": "https://github.com/agent-sh/debate"
     },
@@ -224,10 +228,11 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/skillers.git",
-        "commit": "88efb0346b2582a224f3f85db72450b9f3ba7507"
+        "commit": "e1c1a9b752c0d20a0a1f83747c26e5dea195b5ae",
+        "ref": "v0.2.1"
       },
       "description": "Learn from workflow patterns across sessions and suggest skills, hooks, and agents to automate repetitive work",
-      "version": "1.0.0",
+      "version": "0.2.1",
       "category": "productivity",
       "homepage": "https://github.com/agent-sh/skillers"
     },
@@ -236,11 +241,11 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/onboard.git",
-        "ref": "v0.1.0",
-        "commit": "7444d6475055897498a348639dd0bcb12ba7906b"
+        "ref": "v0.1.1",
+        "commit": "6c2e47e567aac6249a0df6d15491cbcd42ce7717"
       },
       "description": "Codebase onboarding - automated data collection and interactive project orientation",
-      "version": "0.1.0",
+      "version": "0.1.1",
       "category": "productivity",
       "homepage": "https://github.com/agent-sh/onboard"
     },
@@ -249,11 +254,11 @@
       "source": {
         "source": "url",
         "url": "https://github.com/agent-sh/can-i-help.git",
-        "ref": "v0.1.0",
-        "commit": "5610a54ce9200577879a0ad8a9dc174133f56abf"
+        "ref": "v0.1.1",
+        "commit": "f1364158deb359b581d7113a54e8a6aa7a6d8679"
       },
       "description": "Find where to contribute to any project - matches developer skills to test gaps, stale docs, bugspots, and open issues",
-      "version": "0.1.0",
+      "version": "0.1.1",
       "category": "productivity",
       "homepage": "https://github.com/agent-sh/can-i-help"
     },

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "agentsys",
-  "version": "5.10.0",
+  "version": "5.12.0",
   "description": "Professional-grade slash commands for Claude Code with cross-platform support",
   "keywords": [
     "workflow",

package/CHANGELOG.md

@@ -9,6 +9,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [5.12.0] - 2026-04-26
+
+### Propagated upstream releases
+- agent-core v0.4.4 (fixer.js symlink + TOCTOU) -> v0.4.5 (client-side SLSA verification + sync allowlist) synced into all 13 consumers.
+- agent-analyzer v0.8.0 -> v0.8.1 (cargo-deny CI).
+- prepare-delivery v0.1.2, audit-project v1.0.2 (reviewer-contract markers + orchestrator blocked handling).
+
+## [5.11.0] - 2026-04-26
+
+### Changed
+- **Upgraded marketplace sub-plugin pins from SHA-only to tag+SHA** after each downstream plugin cut security releases. Post-run totals: 12 pinned to tags, 8 fell back to default-branch SHA (up from 7/13 in v5.10.0). New tag pins in this wave: `prepare-delivery` v0.1.1, `audit-project` v1.0.1, `next-task` v1.1.2, `ship` v1.1.2, `skillers` v0.2.1, `onboard` v0.1.1, `can-i-help` v0.1.1, `perf` v1.0.1, `debate` v1.0.1. Consumers now install from verifiable release tags for these plugins.
+
+### Propagated upstream security fixes
+- agent-core v0.4.4 synced into all 13 consumers via `lib/`: fixer.js symlink + TOCTOU guards (#14 agent-core), earlier v0.4.3 code-point-safe truncate + sync-workflow test-file exclusion, v0.4.2 additive sync + upstreamed workflow-state/queries, v0.4.1 binary SHA-256 + zip-slip defenses.
+- prepare-delivery + audit-project: falsePositive review-bypass cap (50% ratio + required reason).
+- next-task: worktree-manager TASK_ID/BASE_BRANCH validation.
+- ship: platform-API health checks instead of log-grep rollback DoS.
+- skillers: transcript redaction pipeline (ported from consult).
+- onboard + can-i-help: explicit argv arrays in collector git invocations.
+- perf: command-parser error message accuracy.
+- debate: SKILL.md routes AI CLI invocations through consult's hardened ACP transport.
+
 ## [5.10.0] - 2026-04-26
 
 ### Security

package/lib/binary/index.js

@@ -19,6 +19,22 @@
  *     script validates every zip entry before extracting it and rejects
  *     absolute, UNC, and parent-traversal entries.
  *
+ * Verification chain (in order, each gate must pass to proceed):
+ *   1. TLS - https.get() pins the GitHub CA chain at the OS level.
+ *   2. SHA-256 sidecar - `<asset>.sha256` fetched from the same release and
+ *      verified against the downloaded bytes. Closes basic tampering.
+ *   3. SLSA build provenance (optional / required) - `gh attestation verify`
+ *      checks the Sigstore-signed attestation that agent-analyzer's release
+ *      workflow publishes via `actions/attest-build-provenance`. This closes
+ *      the "stolen release token uploads attacker binary + attacker sha256"
+ *      hole that steps 1 and 2 cannot see.
+ *
+ *      SLSA verification is SOFT by default: if `gh` is not on PATH we log
+ *      a warning and proceed with just SHA-256. Set env var
+ *      `AGENT_ANALYZER_REQUIRE_ATTESTATION=1` to make a missing `gh` a hard
+ *      failure (recommended for CI). A present `gh` that reports a failed
+ *      verification is ALWAYS a hard failure regardless of the env var.
+ *
  * @module lib/binary
  */
 
@@ -572,6 +588,117 @@ function findBinaryInScratch(scratch, binaryBaseName) {
   return null;
 }
 
+// ---------------------------------------------------------------------------
+// SLSA build provenance verification
+// ---------------------------------------------------------------------------
+
+/**
+ * Result of an attempted SLSA attestation verification.
+ * @typedef {Object} SlsaResult
+ * @property {'verified'|'skipped'|'failed'} status
+ * @property {string} [reason]   human-readable detail (for skipped/failed)
+ * @property {string} [stderr]   captured stderr from `gh` (failed only)
+ */
+
+/**
+ * Default runner: spawn `gh attestation verify` and return the captured
+ * exit code, stdout, and stderr. Injectable for tests.
+ * @param {string} filePath
+ * @param {string} repo e.g. `agent-sh/agent-analyzer`
+ * @returns {{ status: number|null, stdout: string, stderr: string }}
+ */
+function defaultGhRunner(filePath, repo) {
+  try {
+    const stdout = cp.execFileSync(
+      'gh',
+      ['attestation', 'verify', filePath, '--repo', repo, '--format', 'json'],
+      {
+        encoding: 'utf8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: 60000,
+        windowsHide: true
+      }
+    );
+    return { status: 0, stdout: stdout || '', stderr: '' };
+  } catch (err) {
+    return {
+      status: typeof err.status === 'number' ? err.status : null,
+      stdout: err.stdout ? String(err.stdout) : '',
+      stderr: err.stderr ? String(err.stderr) : (err.message || '')
+    };
+  }
+}
+
+/**
+ * Returns true if the `gh` CLI is on PATH. Uses a short, non-privileged probe.
+ * @param {function} [runner] optional probe; defaults to real `gh --version`
+ * @returns {boolean}
+ */
+function isGhAvailable(runner) {
+  if (typeof runner === 'function') {
+    try { return !!runner(); } catch (e) { return false; }
+  }
+  try {
+    cp.execFileSync('gh', ['--version'], {
+      stdio: 'ignore',
+      timeout: 5000,
+      windowsHide: true
+    });
+    return true;
+  } catch (e) {
+    return false;
+  }
+}
+
+/**
+ * Verify a downloaded asset's SLSA build provenance attestation via the
+ * GitHub CLI. The check is SOFT by default: if `gh` is not installed the
+ * function returns { status: 'skipped' } and the caller logs a warning. Set
+ * `requireAttestation` (or the env var) to make a missing `gh` a failure.
+ *
+ * A present `gh` that reports verification failure ALWAYS returns
+ * { status: 'failed' } regardless of `requireAttestation`; the caller is
+ * expected to abort in that case.
+ *
+ * @param {string} filePath absolute path to the downloaded archive
+ * @param {Object} [options]
+ * @param {string} [options.repo] e.g. `agent-sh/agent-analyzer`
+ * @param {boolean} [options.requireAttestation] defaults to env
+ *   `AGENT_ANALYZER_REQUIRE_ATTESTATION === '1'`
+ * @param {function} [options.ghRunner] injectable runner for tests. Receives
+ *   (filePath, repo), returns { status, stdout, stderr }.
+ * @param {function} [options.ghProbe] injectable gh-on-PATH probe for tests.
+ * @returns {SlsaResult}
+ */
+function verifySlsaAttestation(filePath, options) {
+  const opts = options || {};
+  const repo = opts.repo || GITHUB_REPO;
+  const runner = typeof opts.ghRunner === 'function' ? opts.ghRunner : defaultGhRunner;
+  const require_ = typeof opts.requireAttestation === 'boolean'
+    ? opts.requireAttestation
+    : process.env.AGENT_ANALYZER_REQUIRE_ATTESTATION === '1';
+
+  const ghPresent = isGhAvailable(opts.ghProbe);
+  if (!ghPresent) {
+    const reason = '`gh` CLI not found on PATH';
+    if (require_) {
+      return { status: 'failed', reason: reason + ' (AGENT_ANALYZER_REQUIRE_ATTESTATION=1)' };
+    }
+    return { status: 'skipped', reason: reason };
+  }
+
+  const result = runner(filePath, repo);
+  if (result && result.status === 0) {
+    return { status: 'verified' };
+  }
+  return {
+    status: 'failed',
+    reason: 'gh attestation verify exited with status ' +
+      (result && result.status !== null ? result.status : 'unknown'),
+    stderr: (result && result.stderr) || ''
+  };
+}
+
 // ---------------------------------------------------------------------------
 // Download + install
 // ---------------------------------------------------------------------------
@@ -582,11 +709,19 @@ function findBinaryInScratch(scratch, binaryBaseName) {
  * @param {Object} [options]
  * @param {boolean} [options.skipChecksum=false] LOCAL DEV ONLY. Skips the
  *   `.sha256` sidecar fetch and verification. NEVER set this in production.
+ * @param {boolean} [options.skipAttestation=false] LOCAL DEV ONLY. Skips the
+ *   SLSA attestation check entirely.
+ * @param {boolean} [options.requireAttestation] when true, a missing `gh`
+ *   CLI becomes a hard failure. Defaults to
+ *   `process.env.AGENT_ANALYZER_REQUIRE_ATTESTATION === '1'`.
+ * @param {function} [options.ghRunner] injectable runner for tests.
+ * @param {function} [options.ghProbe] injectable gh-on-PATH probe for tests.
  * @returns {Promise<string>} path to the installed binary
  */
 async function downloadBinary(ver, options) {
   const opts = options || {};
   const skipChecksum = opts.skipChecksum === true;
+  const skipAttestation = opts.skipAttestation === true;
 
   const platformKey = getPlatformKey();
   if (!platformKey) {
@@ -643,6 +778,47 @@ async function downloadBinary(ver, options) {
     verifySha256(buf, expected, filename);
   }
 
+  // --- 2b. Verify SLSA build provenance (optional / required) ------------
+  if (skipAttestation) {
+    process.stderr.write(
+      '[WARN] skipAttestation=true - SLSA verification disabled. ' +
+      'This is LOCAL DEV ONLY and MUST NOT be used in production.\n'
+    );
+  } else {
+    // `gh attestation verify` needs a real file. Persist buf to a tmp path,
+    // verify, then drop it. Extraction continues from the in-memory buf so
+    // we don't need the tmp file beyond the verify call.
+    const attestDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agent-analyzer-slsa-'));
+    const attestFile = path.join(attestDir, filename);
+    try {
+      fs.writeFileSync(attestFile, buf);
+      const result = verifySlsaAttestation(attestFile, {
+        repo: GITHUB_REPO,
+        requireAttestation: opts.requireAttestation,
+        ghRunner: opts.ghRunner,
+        ghProbe: opts.ghProbe
+      });
+      if (result.status === 'verified') {
+        process.stderr.write('[OK] SLSA attestation verified for ' + filename + '\n');
+      } else if (result.status === 'skipped') {
+        process.stderr.write(
+          '[WARN] SLSA attestation check skipped: ' + result.reason + '. ' +
+          'Install the GitHub CLI (`gh`) to enable provenance verification. ' +
+          'Set AGENT_ANALYZER_REQUIRE_ATTESTATION=1 to require it.\n'
+        );
+      } else {
+        // 'failed'
+        throw new Error(
+          'SLSA attestation verification failed for ' + filename + ': ' +
+          result.reason + '. Refusing to execute binary.' +
+          (result.stderr ? '\n--- gh stderr ---\n' + result.stderr : '')
+        );
+      }
+    } finally {
+      rmrf(attestDir);
+    }
+  }
+
   // --- 3. Extract to isolated scratch dir + validate entries -------------
   const binaryBaseName = path.basename(binPath);
   let scratch;
@@ -707,7 +883,13 @@ async function ensureBinary(options) {
     }
   }
 
-  return downloadBinary(targetVer, { skipChecksum: opts.skipChecksum === true });
+  return downloadBinary(targetVer, {
+    skipChecksum: opts.skipChecksum === true,
+    skipAttestation: opts.skipAttestation === true,
+    requireAttestation: opts.requireAttestation,
+    ghRunner: opts.ghRunner,
+    ghProbe: opts.ghProbe
+  });
 }
 
 /**
@@ -730,11 +912,27 @@ function ensureBinarySync(options) {
 
   const targetVer = (options && options.version) || ANALYZER_MIN_VERSION;
   const skipChecksum = !!(options && options.skipChecksum);
+  const skipAttestation = !!(options && options.skipAttestation);
+  // Forward requireAttestation when explicitly set (tri-state: undefined
+  // lets the child fall back to the AGENT_ANALYZER_REQUIRE_ATTESTATION
+  // env var, matching ensureBinary()). Without this forwarding, a sync
+  // caller with requireAttestation:true would silently lose the hard-fail
+  // intent when gh is missing.
+  const requireAttestation = options && typeof options.requireAttestation === 'boolean'
+    ? options.requireAttestation
+    : undefined;
   const selfPath = __filename;
+  const ensureOpts = {
+    version: targetVer,
+    skipChecksum: skipChecksum,
+    skipAttestation: skipAttestation
+  };
+  if (requireAttestation !== undefined) {
+    ensureOpts.requireAttestation = requireAttestation;
+  }
   const helperLines = [
     'var b = require(' + JSON.stringify(selfPath) + ');',
-    'b.ensureBinary({ version: ' + JSON.stringify(targetVer) +
-      ', skipChecksum: ' + JSON.stringify(skipChecksum) + ' })',
+    'b.ensureBinary(' + JSON.stringify(ensureOpts) + ')',
     '  .then(function(p) { process.stdout.write(p); })',
     '  .catch(function(e) { process.stderr.write(e.message); process.exit(1); });'
   ];
@@ -798,6 +996,8 @@ module.exports = {
   assertSafeArchiveEntry,
   assertInsideRoot,
   downloadBinary,
+  verifySlsaAttestation,
+  isGhAvailable,
   // Exported for tests only
   extractTarGzToScratch,
   extractZipToScratch,

package/lib/enhance/fixer.js

@@ -7,6 +7,37 @@
 const fs = require('fs');
 const path = require('path');
 
+/**
+ * Reject symlinks before read/write operations.
+ *
+ * Security: A hostile repo could symlink a fixable file (e.g. `agent.md`) to a
+ * sensitive target (e.g. `~/.ssh/authorized_keys`). A HIGH-certainty auto-fix
+ * would then silently overwrite that target. We refuse to follow symlinks on
+ * any path we intend to read from or write to, including `.backup` siblings.
+ *
+ * This is called both before opening and immediately before writing, which
+ * narrows - though does not fully close - the TOCTOU window between calls.
+ * Node's fs module does not expose a portable `O_NOFOLLOW` open flag, so
+ * repeated lstat is the cleanest available mitigation for text-file edits.
+ *
+ * @param {string} targetPath - Path to check.
+ * @throws {Error} If the path exists and is a symlink.
+ */
+function assertNotSymlink(targetPath) {
+  let stat;
+  try {
+    stat = fs.lstatSync(targetPath);
+  } catch (err) {
+    if (err.code === 'ENOENT') return; // Path does not yet exist - fine.
+    throw err;
+  }
+  if (stat.isSymbolicLink()) {
+    const err = new Error('target is a symlink; refusing to follow');
+    err.code = 'ESYMLINK_REFUSED';
+    throw err;
+  }
+}
+
 function applyFixes(issues, options = {}) {
   const { dryRun = false, backup = true } = options;
 
@@ -59,6 +90,23 @@ function applyFixes(issues, options = {}) {
         continue;
       }
 
+      // Security: refuse symlinks before we read, so a hostile repo can't
+      // redirect a HIGH-certainty fix at ~/.ssh/authorized_keys or similar.
+      try {
+        assertNotSymlink(filePath);
+      } catch (err) {
+        if (err.code === 'ESYMLINK_REFUSED') {
+          results.errors.push({
+            filePath,
+            error: err.message,
+            success: false,
+            reason: 'target is a symlink; refusing to follow'
+          });
+          continue;
+        }
+        throw err;
+      }
+
       const content = fs.readFileSync(filePath, 'utf8');
       let data;
 
@@ -135,6 +183,8 @@ function applyFixes(issues, options = {}) {
         // Create backup
         if (backup) {
           const backupPath = `${filePath}.backup`;
+          // Refuse if the backup slot itself is a pre-existing symlink.
+          assertNotSymlink(backupPath);
           fs.writeFileSync(backupPath, content, 'utf8');
         }
 
@@ -145,6 +195,11 @@ function applyFixes(issues, options = {}) {
         } else {
           newContent = JSON.stringify(modified, null, 2);
         }
+        // Re-check immediately before write. Narrows the TOCTOU window
+        // between the initial lstat and this writeFileSync (an attacker
+        // who swaps the regular file for a symlink between calls will
+        // be caught here).
+        assertNotSymlink(filePath);
         fs.writeFileSync(filePath, newContent, 'utf8');
       }
 
@@ -280,7 +335,14 @@ function restoreFromBackup(filePath) {
     return false;
   }
 
+  // Security: refuse if either the backup or the restore target is a
+  // symlink. Same threat model as applyFixes - a malicious post-hoc swap
+  // could redirect the restore at a sensitive file.
+  assertNotSymlink(backupPath);
+  assertNotSymlink(filePath);
+
   const backupContent = fs.readFileSync(backupPath, 'utf8');
+  assertNotSymlink(filePath);
   fs.writeFileSync(filePath, backupContent, 'utf8');
   fs.unlinkSync(backupPath);
 
@@ -717,5 +779,6 @@ module.exports = {
   fixAggressiveEmphasis,
   previewFixes,
   restoreFromBackup,
-  cleanupBackups
+  cleanupBackups,
+  assertNotSymlink
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentsys",
-  "version": "5.10.0",
+  "version": "5.12.0",
   "description": "A modular runtime and orchestration system for AI agents - works with Claude Code, OpenCode, and Codex CLI",
   "main": "lib/platform/detect-platform.js",
   "type": "commonjs",

package/site/content.json

@@ -5,7 +5,7 @@
     "url": "https://agent-sh.github.io/agentsys",
     "repo": "https://github.com/agent-sh/agentsys",
     "npm": "https://www.npmjs.com/package/agentsys",
-    "version": "5.10.0",
+    "version": "5.12.0",
     "author": "Avi Fenesh",
     "author_url": "https://github.com/avifenesh"
   },