You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hawk/Eyrie production boundary completed: Hawk owns the product face,
sessions, tools, permissions, and public schemas while Eyrie v0.2.1 owns
credentials, catalog resolution, provider transport, resilience, and usage
telemetry behind the stable eyrie/engine facade.
Provider routing and usage attribution hardened: resolved route changes,
continuation segments, and terminal usage are propagated without duplicate
accounting, and production Eyrie calls use exactly one resilience layer.
Daemon conversations are durable: JSON and SSE chat requests create or
resume persisted sessions, expose stable session IDs, preserve metadata, and
distinguish invalid, missing, and corrupt state.
Release and supply-chain gates strengthened: exact ecosystem Gitlinks,
module/tag parity, Trivy enforcement, public-module builds, SBOM generation,
and cross-platform artifacts are part of the release path.
Fixed /mode auto misclassifying plain English as shell commands: shellmode.ClassifyInput trusted exec.LookPath(firstWord) alone, so any sentence starting with a word that's also a real Unix binary (make sure this works, find the bug in this file, kill the old branch, sort out the imports...) was silently executed as a shell command instead of being sent to the model — confirmed 18 of 20 sampled sentences misclassified before the fix. Now a curated allowlist of unambiguous dev-tool names (git, npm, docker, ls, cat, ...) is trusted immediately, while every other PATH match requires real shell-syntax evidence (a flag, a path, a file extension, or an operator like |/>/&&) before being trusted as a shell command — matching the same ambiguity Warp's own terminal autodetect documents and resolves with a user-configurable denylist.
Permission system unified into two independent axes: the old PermissionMode (default/acceptEdits/bypassPermissions/dontAsk/plan) is removed. /autonomy now controls the 5-tier trust ladder (Always Ask/Scout/Builder/Operator/Autonomous, bare /autonomy opens a picker), and /spec controls an independent, orthogonal spec-driven workflow gate (Specify → Plan → Tasks → ApproveImplementation, bare /spec opens a picker) that blocks Write/Edit/Bash regardless of trust tier — including at Autonomous. Fixes a real bug where the old Plan Mode's write-block could be silently bypassed at high autonomy tiers, since tier and mode were checked independently with no ordering guarantee.
Fixed PermissionService.SetAutonomy/Autonomy(): previously wrote to/read from a shadow field the permission engine's CheckTool never consulted, meaning autonomy tier changes may not have reliably taken effect. Now both read/write the same PermissionEngine.Autonomy field the check logic uses.
--permission-mode CLI flag removed; --dangerously-skip-permissions unchanged (now maps to the Autonomous tier). New --dry-run flag added as an unconditional kill switch (deny every tool call, regardless of tier or spec stage) — replaces dontAsk's hard-lockout role.
Version re-baselined to 0.1.0 across cmd/hawk/main.go, cmd/daemon.go, flake.nix, .github/workflows/release.yml, and the update/daemon test suites, aligning hawk
with the rest of the GrayCodeAI ecosystem (eyrie, tok, yaad, sight, inspect).
Architecture boundary hardening: Hawk now owns runtime request/response DTOs, transport config/provider seams, and review/verification product-boundary contracts, with eyrie/client usage restricted to internal adapters and guarded in CI.
shared/types removed: Hawk no longer ships the old shared type path, and local boundary checks now block any attempt to reintroduce it.
Added
Spec-driven workflow (/spec): independent, orthogonal permission gate that walks the model through Specify → Plan → Tasks, writing real spec.md/plan.md/tasks.md files to .hawk/specs/<slug>/, and requires explicit ApproveImplementation approval (always prompts, at any trust tier) before Write/Edit/Bash unlock. The approval prompt shows the actual written content, not a blind yes/no.
/autonomy and /spec picker overlays: bare /autonomy or /spec opens an arrow-key-navigable, filterable picker (Esc/Enter) instead of requiring subcommand syntax; typed subcommands (/autonomy tier scout, /spec status, etc.) still work.
Watch mode (--watch): file-watcher loop that acts on AI! (do-now) and AI? (answer) code comments. Off by default.
GitHub Action (.github/actions/hawk): interactive mode on @hawk mentions, automation mode on labeled issues/PRs, and skill dispatch for /-prefixed prompts.
Messaging gateways: opt-in Telegram, Discord, and Slack gateways on the daemon for chatting with hawk from messaging apps.
AST repo-map (internal/context/repomap): structural repository map for richer model context.
Auto codebase analysis on first run (internal/autoinit): opt-in seeding of project context.
Auto-lint / auto-fix cycle: runs the matching linter after edits and iterates on fixes with bounded retries (opt-in).
Image / multimodal context (internal/engine/vision.go): feed screenshots/images to vision-capable models.
Plan & Explore sub-agent modes: read-only plan (task decomposition) and explore (codebase investigation) modes; explore supports quick/medium/very-thorough thoroughness budgets.
Persona color and hooks: per-agent display color and lifecycle hook (pre_run/post_run) fields.
YAML agents & eval tasks: define personas and eval tasks in YAML alongside markdown personas.
IT-managed policy tier (internal/context/rules.go): non-excludable org-policy rule tier with highest precedence; strips HTML comments from rule files.
Cavecrew personas (internal/multiagent/agents): three new
built-in personas built into GrayCode Hawk
(cavecrew-investigator, cavecrew-builder, cavecrew-reviewer).
Each enforces a strict output format so downstream agents can parse
outputs mechanically:
cavecrew-investigator: path:line — symbol — note, max 6 words per note
cavecrew-reviewer: severity emoji (🔴/🟡/🔵/❓) at the start of every line
Exposed via CavecrewPersonas() helper and EnsureCavecrew()
registry method; BuiltinPersonas() returns 21 (was 18).
internal/safewrite package: hardened atomic file-write utility
native GrayCode hardened atomic writes. Refuses symlinks at destination
and parent, refuses paths that escape via .., opens with O_NOFOLLOW via golang.org/x/sys/unix, writes to a temp file
with mode 0600, syncs to disk, then atomically renames. ErrSymlinkTarget
and ErrPathEscape sentinel errors.
internal/jsonc package: JSON-with-Comments parser and ValidateClaudeSettings validator, native GrayCode settings
parser and validateHookFields. Accepts // and /* */ comments
plus trailing commas in objects and arrays. Validates Claude Code settings.json fields (model, permissions, hooks, mcpServers,
env) with type checks and value validation.
internal/permissions/verdict.go: unified PermissionVerdict
type with Risk levels (RiskLow, RiskMedium, RiskHigh, RiskBlocked). Helpers: Allow, Deny, RequireApproval. Additive
change — existing GuardianDecision is unchanged.
internal/providers package: PROVIDERS matrix (34 entries)
native GrayCode PROVIDERS matrix. Each
entry describes an AI coding agent (Claude Code, Cursor, Codex,
Aider, etc.) with install mechanism and detection probes. Probe
kinds: command (PATH), dir (filesystem), vscode-ext, cursor-ext, macapp, jetbrains-plugin. API: Get(id), All(), Hard(), Detect(). Soft: true means detection is
best-effort; soft providers are excluded from auto-detect.
internal/session.GainTracker: per-session gain event recording
in a new gains SQLite table inside the session store. Each event
captures original/compressed byte + token counts, mode/tier/model,
and a command label. API: Record, AggregateForSession, ListForSession, PruneForSession. Scoped to a single session so
callers can selectively compact their own history. Companion to
tok's internal/tracking.Tracker (tok tracks globally, hawk tracks
per-session).
Dead-code removal: 13 unused declarations removed (caught by the unused linter).
Real bugs fixed where append results were silently discarded
(mcp/server.go, repomap/depgraph.go, flagged by staticcheck SA4010).
session package is now fully errcheck-clean, protecting persistence integrity.
Tests
auth package coverage raised from ~18% to ~71% with table-driven tests covering
every code path.
update package coverage raised from ~22% to ~92% with full HTTP mocking, including
error paths (server failure, invalid JSON, unreachable host) and Summary() rendering.