v0.32.0

Added

• CC-SET-006: Non-boolean disableBundledSkills Setting (closes #1034). Claude Code v2.1.169 added a disableBundledSkills setting (and a CLAUDE_CODE_DISABLE_BUNDLED_SKILLS environment variable) that hides bundled skills, workflows, and built-in slash commands from the model. New MEDIUM claude-settings rule warns when the key is present with a non-boolean value (quoted "true", numbers, arrays, objects) - only strict true/false is documented, mirroring the CC-SET-002 channelsEnabled shape check. Validated across settings.json, settings.local.json, and managed-settings.json; null and absent keys are not flagged. Verified against the v2.1.169 release notes and the code.claude.com settings reference. Covered by 11 unit tests. Rule count 422 -> 423. The other v2.1.169 changes were agnix-irrelevant or already covered (the "CLAUDE.md is too long" threshold now scaling with the model's context window is a Claude Code display change; agnix's CC-MEM-014 200-line SHOULD heuristic is independent of it).

Changed

• Tool baseline: codex bumped rust-v0.137.0 -> rust-v0.138.0 (closes #1035). Diffed upstream codex-rs/core/config.schema.json between the tags; three config-surface changes: (1) new [features] key terminal_visualization_instructions added to the feature allow-list (CDX-CFG-011 / CDX-CFG-006 no longer flag it); (2) responses_websocket_response_processed was removed upstream, so it moved to the older-version tolerance block (still accepted, per the established back-compat policy); (3) model_reasoning_effort is no longer a closed enum - rust-v0.138.0 supports model-defined reasoning efforts (any non-empty string the model advertises, openai/codex#26444), so CDX-CFG-003 now flags only non-string types and empty strings instead of hard-erroring on values outside none|minimal|low|medium|high|xhigh. The new code_mode object form ({ enabled, excluded_tool_namespaces }, openai/codex#26320) needs no change - feature values are not shape-checked. Regression-tested in test_codex_0_138_0_*.
• Tool baselines: triaged the remaining release-watch issues as agnix-irrelevant and bumped claude-code v2.1.159 -> v2.1.169 (closes #1034 - see CC-SET-006 above), cline v3.86.2 -> v3.88.1 (closes #1032), and cursor 3.7.12 -> 3.7.27 (closes #1033, covering the 3.7.19/3.7.21/3.7.27 markers appended to the same issue). Cline v3.87.0 through v3.88.1 were model additions, dependency security bumps, an extension-internal MCP settings file-watcher fix, a tester-only debug settings section, and walkthrough packaging - nothing touching the validated .clinerules/workflows/hooks/skills surfaces. Cursor's tracked source exposes only a version marker. No ToolVersions or SpecRevisions change required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md updated.

v0.31.0

Changed

• Performance: the agnix, agnix-lsp, and agnix-mcp binaries now use mimalloc as the global allocator on Linux. Linting is allocation-heavy (per-file parse trees, diagnostics, parallel rayon workers), and mimalloc reduces allocator contention versus the default system allocator. Gated behind cfg(target_os = "linux"), so macOS and Windows builds are unaffected.
• Tool baselines: triaged the release-watch sweep and bumped cursor 3.6.31 -> 3.7.12 (closes #1024), kiro 2.5.0 -> 2.6.0 (closes #1018), and gemini-cli v0.44.1 -> v0.45.1 (closes #1017). All three were agnix-irrelevant for current validated config surfaces: Cursor and Gemini publish version markers / patch cherry-picks only, and Kiro 2.6.0's sole config-adjacent change - terminal window titles - is toggled via /settings display and is explicitly "not available as a CLI setting" (per the Kiro settings reference), so .kiro/settings.json validation is unaffected and the auto-triage KR-SET-004 candidate was not added. No validator, rule, ToolVersions, or SpecRevisions change required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md updated.

v0.30.0

Changed

• Tool baseline: codex bumped rust-v0.136.0 -> rust-v0.137.0 (closes #1013). Diffed upstream codex-rs/core/config.schema.json and refreshed Codex config allow-lists for new local_thread_store_compression / unified_exec_zsh_fork feature flags plus per-app approvals_reviewer, preventing false positives from CDX-CFG-011 and CDX-CFG-006; CDX-CFG-024 now accepts auto_review and validates app-level reviewer overrides. Added CDX-PL-015 for non-string .codex-plugin/plugin.json skills fields, which Codex now ignores with a warning. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md updated.
• Tool baselines: completed the release-watch sweep and bumped amp end-of-public-threads, claude-code v2.1.159, cline v3.86.2 (closes #1010), codex rust-v0.136.0, cursor 3.6.31 (closes #1011), gemini-cli v0.44.1, kiro 2.5.0 (closes #1009), opencode v1.15.13, and roo-code v3.54.0. Codex v0.136.0 added current config feature flags and managed requirements.toml keys, so the Codex allow-lists, rule evidence, generated rule docs, and regression tests were refreshed; the other tool releases were agnix-irrelevant for current validated config surfaces. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md updated.

v0.29.0

Added

• CC-SK-021: Hardcoded User Directory Path (closes #832). New MEDIUM/SHOULD claude-skills rule flagging hardcoded user-home paths (/Users/<name>/, /home/<name>/, C:\Users\<name>\) in bundled skill content - they leak the author's identity and are non-portable. The SkillValidator walks the skill directory and scans the SKILL.md body, sibling .md bodies (frontmatter skipped), and bundled scripts (.sh/.bash/.zsh/.fish/.py/.rb/.pl/.lua/.js/.ts/.mjs, or any extensionless file with a #! shebang - scanned whole, including the shebang). Placeholder names (user, example, foo, ...) and <name>/${...}/{{...}}/$HOME forms are not flagged. Manual fix only (~/, $HOME/, a project-relative path, or $PROJECT_ROOT). Covered by 12 unit/integration tests. Rule count 420 -> 421.

Fixed

• CC-HK-001 no longer flags the MessageDisplay hook event (closes #989). Claude Code v2.1.152 added a MessageDisplay hook event (lets hooks transform or hide assistant message text as it is displayed). It was missing from HooksSchema::VALID_EVENTS, so a valid MessageDisplay hook in settings.json tripped CC-HK-001 "Invalid hook event". Added to the valid-event set; left out of MATCHER_EVENTS/PROMPT_EVENTS since it is a command-type display hook (so matcher and prompt/agent misuse still flag). Regression-tested in test_cc_hk_001_message_display_event_valid.

Changed

• Tool baselines: triaged the auto-opened release-watch issues and bumped claude-code v2.1.142 -> v2.1.152 (closes #989), codex rust-v0.133.0 -> rust-v0.134.0 (closes #990), opencode v1.15.10 -> v1.15.11 (closes #992), cline cli-v3.0.3 -> cli-v3.0.13 (closes #988), and cursor 3.5.33 -> 3.5.38 (closes #991). Aside from the Claude Code MessageDisplay fix above, the changes were agnix-irrelevant: Codex mcp oauth/env_vars keys and profile config are already covered; OpenCode headerTimeout/modalities sit under provider.* (not the OC-004 top-level allow-list); Cline was TUI-only; Cursor exposes only a version marker. No further validator, rule, ToolVersions, or SpecRevisions change required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md updated.

v0.28.1

Changed

• Codex config allow-list audited against the upstream schema (closes #969). Audited the Codex top-level allow-list against codex-rs/core/config.schema.json (rust-v0.129.0 through rust-v0.134.0-alpha.3); no valid upstream key was missing, so there are no new false positives.
  • Dropped three keys that appear in no audited schema and are not [features] sub-keys: include_apply_patch_tool (also removed from the feature-key list), js_repl_node_path, and js_repl_node_module_dirs.
  • Kept keys that an older Codex version shipped but a newer schema dropped (e.g. commit_attribution) for backwards compatibility; the rationale is now documented inline on the list.
  • Net effect: CDX-004 / CDX-CFG-006 now flag the dropped keys as unknown, a small typo-detection improvement.

v0.28.0

Removed

• Five AS-* rules with no normative origin (part of #957). A full re-audit of every AS-* rule against the current agentskills.io spec and its skills-ref reference validator (and, for the platform ones, current Claude Code docs) found five rules with no basis in any spec or vendor doc - they were agnix heuristics producing false positives. Removed: AS-007 (reserved names - no reserved-name list in spec/validator/Claude docs), AS-010 ("Use when" literal trigger phrase - spec endorses the intent but never the literal phrase), AS-014 (backslash/Windows path separator - spec is silent on separators), AS-018 (first/second person in description - spec is silent, and optimizing-descriptions actually recommends second-person imperative "Use this skill when…"), and AS-019 (vague skill name - spec defines name format only). Rule count 425 → 420.

Changed

• AS-013 corrected to a SHOULD-level warning (part of #957). The re-audit found AS-013 (file references one level deep) is in the agentskills.io spec but as a SHOULD ("Keep file references one level deep"), not a MUST. Its normative_level and severity were wrong (MUST/HIGH/error) - corrected to SHOULD/MEDIUM/warning, and the source fixed from platform.claude.com to agentskills.io/specification.

Added

• agentskills.io spec is now tracked by the release watcher (part of #957). agentskills.io (the source of the AS-* rules) publishes no GitHub releases or tags, so a new commit_repo + commit_path source type in scripts/check-tool-releases.sh watches the latest commit SHA touching docs/specification.mdx in agentskills/agentskills. Any spec change opens a per-tool issue to diff the spec against the AS-* rules - complementing the weekly spec-drift.yml check. Baselined at the current spec commit.
• CDX-REQ-000 / CDX-REQ-001: Codex managed requirements.toml validation (closes #965). New FileType::CodexRequirements detects Codex's admin-written managed requirements.toml (system location: /etc/codex/requirements.toml on Unix, %ProgramData%\OpenAI\Codex\requirements.toml on Windows; the project .codex/ directory is deliberately not matched, since Codex never reads requirements.toml from there). CodexRequirementsValidator adds CDX-REQ-000 (HIGH, invalid TOML syntax) and CDX-REQ-001 (MEDIUM, unknown top-level key checked against the 19 documented ConfigRequirementsToml keys). Upstream has no deny_unknown_fields, so a typo'd managed constraint is silently ignored by Codex and never enforced - CDX-REQ-001 is the only catch. MVP is parse + unknown-key; cross-field invariants are tracked as a follow-up. Covered by 9 unit tests plus detection tests.
• Rule count: 423 -> 425 across all derived locations via scripts/sync-rule-bookkeeping.js (rules.json, crates/agnix-rules/rules.json mirror, CLAUDE.md/AGENTS.md, README/docs counts, plugin/skill metadata, generated website rule pages). Validator count 42 -> 43.

Changed

• Tool baseline: codex bumped rust-v0.130.0 -> rust-v0.133.0 (closes #959). Diffed upstream codex-rs/core/config.schema.json between rust-v0.129.0 and rust-v0.133.0 and extended the config-key allow-lists so CDX-004 / CDX-CFG-026 do not false-positive on valid v0.133 configs. Added (additive only - removed upstream keys are kept for older-version tolerance): top-level apps_mcp_product_sku, include_collaboration_mode_instructions, model_auto_compact_token_limit_scope, and the opaque [desktop] table; [features] mentions_v2 / network_proxy / plugin_sharing; [mcp_servers.*] oauth; [permissions.network] mitm. New hook events (SubagentStart/SubagentStop, compact SessionStart) were already recognized by schemas/hooks.rs; the FileSystemAccessMode deny-canonical change (openai/codex#23493) and per-profile permission keys have no agnix enum to update. New [tui] keys (pet/pet_anchor) were intentionally not added - TUI display tweaks are on the codex irrelevant list. Regression-tested in test_codex_0_133_0_*.
• Tool baselines: triaged the auto-opened release-watch issues as agnix-irrelevant and bumped cursor 3.4.17 -> 3.5.33 (closes #960) and opencode v1.15.0 -> v1.15.10 (closes #961). Cursor's tracked source exposes only a version marker; OpenCode's sole change was a desktop-app bugfix. No validator, rule, ToolVersions, or SpecRevisions update required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md updated.

Fixed

• Claude/platform-specific AS-* rules scoped correctly, and AS-012 re-sourced (part of #957). An audit of every AS-* rule against the current agentskills.io spec found four that cited platform.claude.com rather than the generic spec: AS-007 (reserved names), AS-010 ("Use when" trigger phrase), and AS-015 (8 MB upload limit) are genuinely Claude/platform-specific (absent from the agentskills.io spec and its reference validator), so they now fire only for Claude Code (and unscoped) skills and are suppressed for known non-Claude clients. AS-012 (500-line SKILL.md body) is the opposite case - it is in the agentskills.io spec ("Keep your main SKILL.md under 500 lines"), so its evidence was corrected from platform.claude.com / claude-code-only to agentskills.io/specification and it remains a generic rule for all clients.
• XML-001 no longer flags placeholders in skill/agent frontmatter (part of #957). The XML balance validator scanned the whole file, so <name>/<X>-style placeholders in a skill's frontmatter description (or any frontmatter value) tripped XML-001 "Unclosed XML tag". The YAML frontmatter region is now masked before the balance check - it is structured metadata, not body XML. Body XML is still validated, with line/column offsets preserved. Applies to all frontmatter file types the validator runs on (Skill, Agent, Copilot, …).
• The entire CC-SK-* family is now scoped to Claude Code skills (part of #957). The Claude Code skill rules previously fired on every SKILL.md regardless of owning tool, so a Codex/OpenCode/Cursor skill was judged against Claude's model values, tool vocabulary, and frontmatter fields. They now run for Claude Code skills and unscoped skills (no identifiable client) but are suppressed for skills owned by another known tool, which are covered by the generic AS-* rules and the per-client skill validator.
• Claude-specific skill/agent rules corrected and scoped (part of #957).
  • CC-SK-008 (unknown tool name): refreshed KNOWN_TOOLS to the current Claude Code built-in set (adds PowerShell - the reported false positive - plus Agent, Cron*, Team*, EnterWorktree/ExitWorktree, ScheduleWakeup, ListMcpResourcesTool/ReadMcpResourceTool/WaitForMcpServers, etc.; legacy names kept). Now scoped with the CC-SK family (Claude Code and unscoped skills; suppressed for known non-Claude clients - see above) - other clients have their own tool vocabularies.
  • CC-SK-017 (unknown frontmatter field): added the documented when_to_use and arguments fields. Now scoped with the CC-SK family (Claude Code and unscoped skills; suppressed for known non-Claude clients - see above) (other clients' fields are checked by the per-client skill validator). aliases remains correctly flagged - it is not a documented Claude skill field.
  • CC-AG-007 (agent parse error): sub-agent tools/disallowedTools now accept a comma/space-separated string (the canonical tools: Read, Glob, Grep form) as well as a YAML list, so the documented string form no longer surfaces as a parse error.
• allowed-tools as a YAML list no longer trips AS-016 (part of #957). Claude Code accepts allowed-tools as a space-separated string or a YAML list; agentskills.io documents a space-separated string. The skill frontmatter parser previously only accepted a string, so the list form failed to deserialize and surfaced as an AS-016 skill parse error. It now deserializes both shapes (a list is joined with spaces for downstream tool parsing). The list form is accepted for every client by design. It is a Claude-specific feature, and the tools that follow agentskills.io (Codex/OpenCode/Kiro) do not constrain the field's shape. Since an unscoped skill using a list is almost certainly a Claude skill, agnix does not warn on it - a warning would re-introduce a false positive with no client to safely attach it to.
• Skill rules now scope by owning client, fixing Claude Code false positives (part of #957). Skills are attributed to a client via their path (.claude/skills/, .agents/skills/, …) or the configured target/tools, and two divergent rules are resolved per client: AS-008 description length is the agentskills.io baseline 1024 (matched by Codex/OpenCode/Kiro) but 1536 for Claude Code skills (Claude truncates at 1536); AS-009 (angle brackets in description) now fires only for Codex skills - its quick_validate.py rejects </>, but agentskills.io and Claude Code impose no such restriction, so AS-009 no longer false-positives on Claude/generic skills. Verified against agentskills.io, Codex, OpenCode, Kiro, and Claude Code specs.
• Codex top-level allow-list drift between the TOML and JSON/YAML backends (closes #966). The Codex config top-level allow-list was maintained twice (KNOWN_TOP_LEVEL_KEYS + KNOWN_TABLE_KEYS in schemas/codex.rs for TOML; KNOWN_CONFIG_TOP_LEVEL_KEYS in rules/codex.rs for JSON/YAML) and had diverged, so the same key was accepted by one backend and flagged by the other: debug and include_apply_patch_tool false-positived on JSON/YAML (CDX-CFG-006), while js_repl_node_path / js_repl_node_module_dirs false-positived on TOML (CDX-004). Both backends now consult a single schemas::codex::is_known_top_level_key predicate; the duplicate const was removed. Lenient union (102...

v0.27.1

Fixed

• XML-001 false positives inside indented Markdown code blocks (related to #942). The shared Markdown scanner now skips 4-space and tab-indented code blocks before extracting XML tags, so placeholder syntax such as <resolved feature dir> inside indented JSON/YAML examples no longer triggers XML balance diagnostics or safe-fix suggestions. Fenced code blocks and inline code remain skipped as before, and document-level XML is still validated outside code.
• AS-014 false positives on shell-escape syntax and backtick-wrapped backslashes (closes #940). The Windows path-separator detector's loose token regex previously matched any non-whitespace run containing a \, so prose like 'I'\''m Groot' (single-quote shell-escape) and `\` (markdown documenting the backslash character) tripped a HIGH-confidence safe autofix that rewrote \ → / and corrupted the content. extract_windows_paths now requires matched tokens to be path-shaped and keeps standalone regex escapes out of the rule. Plain Windows paths (foo\bar\baz, references\guide.md, C:\Users\me\file.txt) and quoted Windows paths still fire as before. Covered by regression tests; existing AS-014 fixture and safe-fix tests unchanged.

v0.27.0

Added

• [[overrides]] per-file rule suppression (closes #909). New .agnix.toml array-of-tables lets users disable specific rules for files matching a glob list without losing the rule globally. Each entry has paths (glob list, matched with require_literal_separator = true to mirror [files].exclude semantics) and disabled_rules (rule IDs). Multiple blocks stack as a set union; the layer is additive only - overrides can never re-enable a globally or category-disabled rule. Targets the original use case from #909: ~/.claude/CLAUDE.md-style memory files that legitimately contain quoted-example patterns ("in the future we should...", "make sure to verify ...") which would otherwise trip CC-MEM-005 / CC-MEM-007.
  • Schema validation: glob syntax, traversal (..), and absolute paths are rejected at config load; unknown rule-ID prefixes warn via the same code path as [rules].disabled_rules (validate_rule_ids helper).
  • Per-file dispatch: validators now receive a PerFileLintConfig<'_> view bound to the file being linted; config.is_rule_enabled(rule_id) consults global disabled_rules ∪ matching [[overrides]].disabled_rules for that file. Validator::validate_per_file is the new abstract trait method; the original validate(&LintConfig) remains as a default impl that builds the view and dispatches, so external Validator impls (LSP, etc.) keep working unchanged.
  • Project-level rules (AGM-006, XP-004, XP-005, XP-006, VER-001) also honor [[overrides]]. For cross-file rules the participating file set is filtered up front by config.for_path(path).is_rule_enabled(rule_id) before the detector runs, so an overridden file is invisible to the rule - it neither fires nor appears in other files' diagnostic messages. This makes suppression deterministic regardless of which file the cross-file detector picks as the diagnostic report path. VER-001 (single report path) honors an override targeting .agnix.toml (or the project root when .agnix.toml is absent).
  • Symlink resolution: for_path retries strip_prefix once via the configured FileSystem::canonicalize when the direct path remains absolute (typical for dotfile-manager symlinks like ~/.claude/ → mackup/stow/chezmoi stores). Non-symlinked paths pay no syscall cost.
  • Covered by 27 unit tests (12 schema + 3 wiring + 12 matching + symlink regression) and 8 end-to-end integration tests via validate_project (CC-MEM-005 carve-out, AGM-006 full + partial, XP-004 full + partial, VER-001). Documented in docs/CONFIGURATION.md and SPEC.md.

Changed

• Tool baselines: triaged the three auto-opened release-watch issues and bumped baselines for claude-code v2.1.141 -> v2.1.142 (#920), cline v3.83.0 -> cli-v3.0.3 (#921), and opencode v1.14.50 -> v1.15.0 (#922). No new validator, rule, ToolVersions, or SpecRevisions update is required: Claude Code's root-level plugin SKILL.md behavior is already covered by generic SKILL.md detection, plugin LSP server metadata is already covered by CC-PL-011, skills: ["./"] is already accepted by the component path checks, and the Cline/OpenCode releases are runtime, CLI, TUI, desktop, or SDK changes outside currently validated config surfaces.
• Tool baselines: triaged the three open release-watch issues and bumped baselines for amp neo -> npm-package-changes (#916), cursor 3.4.16 -> 3.4.17 (#917), and opencode v1.14.49 -> v1.14.50 (#918). All three are agnix-irrelevant for current validated config surfaces: Amp changed npm packaging and package names only, Cursor's stable endpoint exposed only a version marker, and OpenCode v1.14.50 contains runtime/SDK/TUI fixes already covered by existing config validators. No validator, ToolVersions, or SpecRevisions update required.

v0.26.0

Added

• CC-PL-015: Default component folder shadowed by manifest (closes #905). Claude Code v2.1.140 now warns when default plugin component folders are ignored because plugin.json overrides the matching component path. CC-PL-015 mirrors that behavior for .claude-plugin/plugin.json: if a root commands/, agents/, skills/, or hooks/ folder exists and the matching manifest field is set without including ./<component>, agnix emits a MEDIUM warning. Covered by 6 unit tests for shadowing, explicit inclusion, absent default folder, file-vs-directory false positives, invalid manifest path shapes, and disabled-rule behavior.
• KR-MCP-006: Invalid OAuth client ID configuration (closes #912). Kiro CLI 2.3.0 added pre-registered oauth.clientId support for HTTP-based MCP servers that do not support Dynamic Client Registration. KR-MCP-006 warns when oauth is not an object, oauth.clientId is missing/non-string/empty, or the OAuth block is attached to a command, sse://, ws://, or otherwise non-HTTP(S) MCP server. Covered by 6 unit tests.
• Rule count: 421 -> 423 across all derived locations via scripts/sync-rule-bookkeeping.js, including crates/agnix-rules/rules.json, CLAUDE.md/AGENTS.md, README/docs counts, plugin/skill metadata, and generated website rule pages.

Changed

• OpenCode JSONC config detection (closes #908). OpenCode v1.14.49 now creates a global opencode.jsonc when no config exists. agnix already parses JSONC comments, and now file type detection plus LSP project-change triggering recognize opencode.jsonc alongside opencode.json.
• Tool baselines: refreshed every open tool-release issue from the release watcher. claude-code v2.1.133 -> v2.1.141 (#905), codex rust-v0.129.0 -> rust-v0.130.0 (#906), cursor 3.3.27 -> 3.4.16 (#907), opencode v1.14.41 -> v1.14.49 (#908), cline v3.82.0 -> v3.83.0 (#910), gemini-cli v0.41.2 -> v0.42.0 (#911), and kiro 2.2.0 -> 2.3.0 (#912). Codex, Cursor, Cline, Gemini, and Claude Code v2.1.141 changes were triaged as already covered or runtime-only for currently validated surfaces. OpenCode v1.14.49 only required the opencode.jsonc file-detection update above. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md were updated.
• Docs release checks: scripts/check-rule-counts.py now covers all current rule categories in the knowledge-base tables and SPEC count sum. The docs-site workflow keeps PR validation lightweight, while non-PR deploy builds use the normal searchable/minified Docusaurus build.

v0.25.0

Added

• CC-SET-003: Invalid worktree.baseRef value (closes #883). Claude Code 2.1.133 added the worktree nested object with a baseRef enum. Allowed values: "fresh" (branch from origin/<default>, the v2.1.133 default) or "head" (branch from local HEAD, the pre-v2.1.133 EnterWorktree behavior). Any other string value silently falls back to the default with no warning. CC-SET-003 (MEDIUM, WARNING) parses .claude/settings.json / .local.json / managed-settings.json, walks worktree.baseRef, and flags non-enum string values and non-string types. Missing field, missing worktree, and baseRef: null are not flagged. Case-sensitive ("FRESH" is not accepted). Non-object worktree is intentionally not flagged to avoid false-positiving on future schema extensions. Covered by 8 unit tests including case-sensitivity, null handling, disabled-rule path, and line-position pinning.
• CC-SET-004: Invalid sandbox path setting (closes #883). Claude Code 2.1.133 added sandbox.bwrapPath and sandbox.socatPath managed settings (Linux/WSL) so admins can point the sandbox at custom bubblewrap/socat binaries. CC-SET-004 (MEDIUM, WARNING) walks both fields under sandbox, flags empty strings and non-string values independently (both fields fire their own diagnostic when both are wrong), and does not stat the path (agnix validates files, not filesystem state). null and absent are not flagged. Non-object sandbox is intentionally tolerated. Covered by 9 unit tests including independent-firing and managed-settings-path coverage.
• CC-SET-005: Invalid parentSettingsBehavior value (closes #883). Claude Code 2.1.133 added this admin-tier top-level key to let admins opt SDK managedSettings (parent tier) into the policy merge. Allowed values: "first-wins" (preserve existing behavior) or "merge". CC-SET-005 (MEDIUM, WARNING) flags non-enum strings, non-string types. null and absent are not flagged. Case-sensitive. Covered by 9 unit tests. Also rounds out the CC-SET family to five rules covering the full v2.1.133 settings-schema additions.
• MCP-026: Reserved MCP server name (workspace) (closes #869). Claude Code 2.1.128 reserved the server name workspace for internal use - existing mcpServers.workspace entries are silently skipped at startup with only a log warning that users can easily miss. MCP-026 (HIGH) walks the top-level keys of mcpServers and flags any match against a reserved list (currently just workspace). Case-sensitive (JSON keys are case-sensitive and so is Claude Code's comparison), string-literal-safe (shares the JSON-key walker with MCP-023's duplicate detector so mentions inside prose values are ignored), and emits one diagnostic per reserved occurrence without suppressing siblings. Covered by 6 unit tests plus a fixture at tests/fixtures/mcp/reserved-server-name.mcp.json.
• CC-SET-002: Non-boolean channelsEnabled setting (closes #869). Claude Code 2.1.128 added --channels support for console (API-key) authentication and requires console orgs with managed settings to opt in via channelsEnabled: true. A quoted "true" or numeric value leaves Channels silently disabled - same footgun shape as MCP-025 alwaysLoad. CC-SET-002 (MEDIUM, WARNING) parses .claude/settings.json / .local.json / managed-settings.json and flags non-boolean values of channelsEnabled; missing, explicit null, and explicit false are not flagged. Covered by 11 unit tests including coexistence with CC-SET-001 on the same file. Validates across all three Claude Code settings paths - if a user misplaces the key, the mis-typed value is still wrong.
• Rule count: 416 -> 421 across all derived locations (rules.json, CLAUDE.md, AGENTS.md, README.md, plugin.json, SKILL.md files, website docs) via scripts/sync-rule-bookkeeping.js. The 2 -> 5 jump in the CC-SET family adds a new CC-SET- prefix to the config/schema.rs validated-prefix allowlist so the disable_rule("CC-SET-00X") pattern stops warning on build().

Changed

• Tool baseline: claude-code bumped from v2.1.128 to v2.1.133 (closes #883). Five upstream releases span the jump (v2.1.129, v2.1.130, v2.1.131, v2.1.132, v2.1.133); the bulk of config-affecting changes arrive in v2.1.133, which ships three new settings-schema additions that land as CC-SET-003/004/005 above.
  • Config-affecting (all in v2.1.133): worktree.baseRef nested enum, sandbox.bwrapPath / sandbox.socatPath Linux/WSL managed settings, parentSettingsBehavior admin-tier key. All three are now validated.
  • Runtime-only (v2.1.129-132): hook effort-level metadata (effort.level JSON input / $CLAUDE_EFFORT env var) - behavior-only, no schema change; parallel-session credential race fix; Edit/Write allow-rule matching fix for drive-root and POSIX / scopes; file-lock ECOMPROMISED unhandled-rejection fix; compaction Esc notification fix; MCP OAuth proxy HTTP(S)_PROXY / NO_PROXY / mTLS plumbing fix; network-drive --add-dir fix; Remote Control stop/interrupt cancellation fix; cross-session /effort leakage fix; subagent skill-discovery fix via the Skill tool; claude --help listing --remote-control; VSCode extension unsupported-platform fix; memory improvements releasing warm-spare background workers under memory pressure; focus mode polish.
  • No ToolVersions or SpecRevisions update required. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for Claude Code) updated.
• Tool baseline: codex bumped from rust-v0.128.0 to rust-v0.129.0 (closes #888). Diffed upstream codex-rs/core/config.schema.json@rust-v0.129.0 against our KNOWN_TOP_LEVEL_KEYS / KNOWN_TABLE_KEYS and added the one new table (debug) to KNOWN_TABLE_KEYS to prevent CDX-004 false-positives on valid v0.129 configs.
  • Schema additions (config-surface relevant):
    • [debug] top-level table with nested [debug.config_lockfile] sub-table carrying allow_codex_version_mismatch, export_dir, load_path, save_fields_resolved_from_model_catalog. Added to KNOWN_TABLE_KEYS. Regression-tested in test_codex_0_129_0_new_table_keys_not_flagged.
    • HookStateToml.trusted_hash string field (hook trust metadata, openai/codex#20321). Nested inside the already-known [hooks] table, so does not trigger CDX-004; no validator change required.
    • HooksToml.PreCompact / HooksToml.PostCompact hook events (compact lifecycle hooks, openai/codex#19905). These event names were already recognized by schemas/hooks.rs for the Claude Code hooks validator; Codex does not have a hook-event enum validator, so the new events surface through existing hook shape checks without modification.
    • Tui.raw_output_mode / Tui.session_picker_view / Tui.status_line_use_colors / Tui.vim_mode_default, plus TuiEditorKeymap.kill_whole_line, TuiGlobalKeymap.toggle_fast_mode / .toggle_raw_output / .toggle_vim_mode, TuiKeymap.vim_normal / .vim_operator, and the new ProfileTui nested inside ConfigProfile. All TUI-layer - nested inside the already-known [tui] table and explicitly listed as irrelevant in the codex changes_of_interest.irrelevant list ("TUI keyboard shortcuts and display tweaks"). No validator action.
  • Runtime-only changes (not validated):
    • Large TUI / plugin-sharing / plugin-marketplace refactor (openai/codex#20278, #21124, #21419, #20560, #19843, #20478, #20268, #20298); goals lifecycle polish (#20083, #20790, #20746, #20558); hooks browser (#19882) and hooks PreToolUse additionalContext (#20692); Codex Apps auth + eligible MCP elicitations through TUI/Guardian flows (#19193, #19431); /copy in tmux (#20207); Windows paste/typing latency (#18914); Linux sandbox bundled bwrap + bubblewrap 0.11.2 (#21255-21257, #21312, #21285, #21389); large paste / Ctrl+C drafts / /clear resilience (#21091, #21190, #21351, #21397); TUI startup and accessibility tightening (#20654, #21450, #20564); Windows sandbox ConPTY / git safe.directory / heredoc redirects / dangerous project-config keys / unbounded MCP output growth fixes (#20270, #20685, #20336, #21409, #21275, #20676, #20275, #20098, #20113, #20260, #21069); analytics and diagnostics expansion across tool lifecycles / goals / plugins / thread sources / service tiers / PR labeling (#17089, #17090, #20799, #20923, #20949, #20969, #20893); app-server and protocol internal decomposition (#20324-20325, #20348, #20545, #21251, #21278, #21395); Bazel Windows CI cross-compile (#20585, #20701, #21057).
  • Docs: embedded OpenAI Docs sample skill alignment (#21263); generated git-commit-attribution doc gated by codex_git_commit inside [features] (nested, no CDX-004 impact) (#21379); local planning/spec docs removed (#20896).
  • No ToolVersions or SpecRevisions update required; no new CDX- or CDX-CFG- rule needed. .github/tool-release-baselines.json and knowledge-base/RESEARCH-TRACKING.md ("Last Reviewed" for Codex CLI) updated.
• Tool baseline: cursor bumped from 3.2.21 to 3.3.27 (closes #884). The api2.cursor.sh stable-update endpoint only exposes a version marker; spot-checked cursor.com/changelog for the 3.3 line.
  • Notable 3.3 features: parallel "Build in Parallel" execution via async subagents, Explore subagent behavior controls (model: opus and similar generic model names), Security Reviewer and Vulnerability Scanner agents for PR checks / scheduled codebase scans, context-usage breakdown across rules/skills/MCPs/subagents, enterprise model-access and spend controls.
  • Triage: none of these changes touch validated config surfaces - .cursor/rules/**/*.{md,mdc} frontmatter (CUR-001-009), .cursor/hooks.json schema (CUR-010-013, CUR-017-019), .cursor/agents/**/*.md subagent frontmatter (CUR-014-015, which already accepts generic model names like opus via the alphanumeric id validator), .cursor/environment.json (CUR-016), or .cursor/mcp.json.
  • No valid...