v0.3.7 — Coder Skill, Knowledge Base, Authorization Layer
What's New
Autonomous Skill Generation (Coder)
/codercommand generates dynamic skills from natural language via local LLM- Runtime validation: compile, load, test, retry loop (configurable max retries)
- RAG-powered: queries knowledge base for Erlang/Elixir docs and skill patterns
- Targeted retrieval by kind (erlang_docs, elixir_source, skill_source)
Knowledge Base Reinforcement
- erlang_docs_scraper — fetches OTP docs from GitHub .erl source files with Elixir calling convention hints
- lyse_scraper — scrapes Learn You Some Erlang OTP chapters
- skill_source_indexer — indexes existing skill source code with checksum-based freshness tracking
- elixir_source_scraper — fetches Elixir stdlib source from GitHub
- Knowledge base grew from ~4400 to ~7200 embeddings
Agent Authorization Layer
Three-phase composable authorization system:
Phase 1 — Context-Aware Permission Checks
AuthContextstruct carries caller, type, permission, chain depth, workflow run IDPolicyEngineevaluates context with chain-depth enforcement (max 3)- Structured audit logging for all authorization denials
Phase 2 — Capability Tokens (Macaroon-style)
- HMAC-signed tokens with permission attenuation
- Workflow steps get scoped tokens; cross-skill invocation further restricts
SafeExecutorruns dynamic skills in isolated processes- Tampered tokens rejected via timing-safe comparison
Phase 3 — Policy Rules Engine
- Configurable policy rules stored in PostgreSQL (rate_limit, time_window, chain_restriction, permission_override)
- Per-skill rate limiting via ETS counters
- Audit log persistence with 30-day auto-prune
- Admin UI at
/policiesfor CRUD + audit log viewing
Other Changes
- Removed stale Feeds nav link
- Updated SECURITY.md with full authorization documentation and JSON config examples