@@ -42,18 +42,52 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
4242- ** Wired into ` HttpInputServer ` ** : Pre-handler signature verification on raw ` Bytes ` before JSON parsing. Returns 401 on failure, 400 on bad JSON.
4343- ** REPL ` :webhook ` command** : List configured webhook endpoints
4444
45+ #### Skill Scanning (ClawHavoc)
46+ - ** ` SkillScanner ` ** with 10 built-in defense rules for detecting malicious patterns in agent skills:
47+ - ` pipe-to-shell ` (Critical): ` curl ... | sh `
48+ - ` wget-pipe-to-shell ` (Critical): ` wget ... | sh `
49+ - ` env-file-reference ` (Warning): References to ` .env ` files
50+ - ` soul-md-modification ` (Critical): Attempts to rewrite ` SOUL.md `
51+ - ` memory-md-modification ` (Critical): Attempts to rewrite ` MEMORY.md `
52+ - ` eval-with-fetch ` (Critical): ` eval() ` + network fetch
53+ - ` fetch-with-eval ` (Critical): Network fetch + ` eval() `
54+ - ` base64-decode-exec ` (Critical): Base64 decode piped to shell
55+ - ` rm-rf-pattern ` (Critical): ` rm -rf / `
56+ - ` chmod-777 ` (Warning): World-writable permissions
57+ - ** Automatic scanning on skill load** : Every text file in the skill directory scanned line-by-line
58+ - ** Custom rules** : Add domain-specific regex patterns alongside ClawHavoc defaults
59+ - ** SchemaPin integration** : Skills are both signature-verified and content-scanned
60+
61+ #### Metrics & Telemetry
62+ - ** ` FileMetricsExporter ` ** : Atomic JSON file writes (tempfile + rename) for metric snapshots
63+ - ** ` OtlpExporter ` ** : Send metrics to any OpenTelemetry-compatible endpoint via gRPC or HTTP (behind ` metrics ` feature flag)
64+ - ** ` CompositeExporter ` ** : Fan-out to multiple backends simultaneously; individual failures logged but don't block others
65+ - ** ` MetricsCollector ` ** : Background thread for periodic snapshot collection from scheduler, task manager, load balancer, and system resources
66+ - ** ` /api/v1/metrics ` endpoint** : Full snapshot covering job counts, task queue depths, worker utilization, CPU, and memory usage
67+
4568#### DSL Parser Fixes
4669- ** Bare identifier in ` value ` rule** : ` store markdown ` , ` provider github ` now parse correctly
4770- ** Short-form duration literals** : ` 90d ` , ` 6m ` , ` 1y ` alongside existing ` 90.seconds ` form
4871- ** Conflict resolution** : ` conflicts ` declaration for ` expression ` /` value ` ambiguity
4972
73+ ### SDK Parity (v0.6.0)
74+
75+ Both SDKs ship at v0.6.0 with full feature parity:
76+
77+ - ** Python SDK** ([ PyPI] ( https://pypi.org/project/symbiont-sdk/0.6.0/ ) ): ` MarkdownMemoryStore ` , ` HmacVerifier ` , ` JwtVerifier ` , ` WebhookProvider ` , ` SkillScanner ` , ` SkillLoader ` with SchemaPin integration, ` MetricsClient ` , ` FileMetricsExporter ` , ` CompositeExporter ` — 120 tests passing
78+ - ** JavaScript SDK** ([ npm] ( https://www.npmjs.com/package/symbiont-sdk-js ) ): ` MarkdownMemoryStore ` , ` HmacVerifier ` , ` JwtVerifier ` , ` WebhookProvider ` , ` SkillScanner ` with all 10 ClawHavoc rules, ` MetricsApiClient ` , ` FileMetricsExporter ` — 1,037 tests passing
79+
5080### Crate Versions
5181| Crate | Version |
5282| -------| ---------|
5383| ` symbi ` | 1.4.0 |
5484| ` symbi-dsl ` | 1.4.0 |
5585| ` symbi-runtime ` | 1.4.0 |
86+ | ` symbi-channel-adapter ` | 0.1.1 |
5687| ` repl-core ` | 1.4.0 |
88+ | ` repl-proto ` | 1.4.0 |
89+ | ` repl-cli ` | 1.4.0 |
90+ | ` repl-lsp ` | 1.4.0 |
5791
5892## [ 1.1.0] - 2026-02-12
5993
0 commit comments