securegit 0.7.0

Zero-trust git replacement with 12 built-in security scanners, universal undo, durable backups, and a 37-tool MCP server
# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).

## [0.6.1] - 2026-02-22

### Added
- Specification Commons License v0.1 (SCL-0.1) for layered licensing
- `LICENSE-SCL`: Full SCL-0.1 license text covering specifications and evaluation scenarios
- `LICENSING.md`: Maps each project layer to its appropriate license
- `PROVENANCE.json`: Generative Bill of Materials baseline for provenance tracking
- SCL headers on specification documents (README.md, docs/README.md)

### Changed
- License section in README updated to reflect layered model
- Implementation remains MIT OR Apache-2.0; specifications now additionally covered by SCL-0.1

SecureGit is the inaugural adopter of the Specification Commons License,
establishing distinct protections for specifications (open), implementation
(MIT/Apache-2.0), and evaluation scenarios (restricted).

## [0.6.0] - 2026-02-22

### Added
- 20 educational workflow scripts for guided git operations (`workflows/`)
- Shared workflow library (`workflows/lib/securegit-common.sh`) with output helpers, language detection, config loading, and securegit integration
- Workflow configuration system with 4-level override chain (shipped defaults → user global → per-project → environment variables)
- Language auto-detection for Rust, Go, Python, JavaScript, Java, Ruby, PHP, and C
- Workflow scripts section in README with usage examples and configuration docs

### Workflows
- `01-stash-manager` — Smart stash management with snapshots and search
- `02-branch-manager` — Branch lifecycle with naming conventions and protection
- `03-pr-prepare` — PR pipeline with quality gates and security scan
- `04-worktree-manager` — Parallel development with git worktrees
- `05-commit-craft` — Conventional commit builder with ticket references
- `06-quality-gates` — Pre-commit quality runner (lint, format, test, build, scan)
- `07-history-navigator` — Interactive log search, blame, and commit archaeology
- `08-cherry-pick-hotfix` — Safe cherry-pick with undo and conflict handling
- `09-merge-strategy` — Merge intelligence with configurable strategies
- `10-prune-cleanup` — Repository hygiene and stale branch cleanup
- `11-reset-recovery` — Safe reset with securegit undo and reflog recovery
- `12-remote-manager` — Multi-remote management with auth status
- `13-repo-architecture` — Repository setup with CODEOWNERS, hooks, and structure
- `14-dev-flow` — Flagship PR-first professional development workflow
- `15-release-manager` — Release pipeline with version bumping and changelog
- `16-diff-mastery` — Advanced diff, patch creation, and change analysis
- `17-code-promotion` — Environment promotion pipeline (dev → staging → prod)
- `18-quality-check` — Quick quality validation on changed files
- `19-multi-repo` — Workspace management across multiple repositories
- `20-project-setup` — New project bootstrap with securegit

## [0.5.3] - 2026-02-22

### Added
- Git compatibility flags table in README
- Testing section documenting 205-test suite
- Acquire `-b`/`--branch` example in README

### Fixed
- Production `unwrap()` calls replaced with `expect()` or safe alternatives
- Rustdoc bare URL warning in CLI args
- Leaked developer filesystem path in doc comments
- CI clippy job now fails on warnings (removed `continue-on-error`)
- Release workflow action pinned to SHA (supply chain hardening)

### Changed
- Added `repository`, `homepage`, `rust-version`, `readme` to Cargo.toml metadata
- Added `.gitlab-ci.yml` for GitLab CI/CD
- Added `tests/` to crate exclude list

## [0.5.2] - 2026-02-22

### Added
- 116 new tests across auth, ops, compact, and tracking (89 → 205 total)
- Auth security tests: SecureString masking, credential store encryption, token discovery
- Ops integration tests: init, status, commit, branch, tag, checkout, log, diff, stash, config, clean
- Compact output tests: truncation boundaries, token estimation, CLI flag/env activation
- Tracking unit tests: timer, record/retrieve, summary aggregation

## [0.5.1] - 2026-02-22

### Fixed
- Resolved all 56 clippy warnings for zero-warning builds
- Refactored functions with too many arguments into option structs (DiffDisplayOptions, LogOptions, PullOptions, AcquireParams, CreatePrParams, CreateReleaseParams)
- Removed needless borrows across 11 files
- Simplified match guards and char comparisons in tag parsing
- Derived Default for BackupConfig (replaced manual impl)

## [0.5.0] - 2026-02-21

### Added
- **Compact output mode** (`--compact` flag or `SECUREGIT_COMPACT=1` env var)
- Token-optimized output for LLM contexts (60-90% reduction)
- Per-command compact formatting: status, diff, log, show, branch, stash, write ops
- **Token tracking** with SQLite storage
- **`securegit gain`** command for token savings analytics
- `securegit gain --history` for per-command savings breakdown

## [0.4.6] - 2026-02-20

### Fixed
- Code review findings addressed before release

## [0.4.5] - 2026-02-20

### Added
- Missing git CLI compatibility flags: `checkout --force`, `merge --no-ff/--squash/--ff-only`, `tag -a/-l`, `rebase --skip/--onto`, `cherry-pick --skip/--no-commit`, `revert --skip/--no-commit`, `config --global`, `clone -b`, `clean -x`
- Git-compatible flat syntax for config command (`securegit config user.name`)

## [0.4.3] - 2026-02-19

### Added
- `--initial-branch` and `--object-format` flags to init command

### Fixed
- 7 medium-severity code review issues
- Low-severity and nit code review issues

## [0.4.2] - 2026-02-19

### Fixed
- 3 critical code review issues
- 4 high-severity code review issues

## [0.4.1] - 2026-02-19

### Fixed
- Git CLI compatibility for `tag --sort`, `log -N`, and `diff <path>`

## [0.4.0] - 2026-02-18

### Added
- **Platform integration**: GitHub/GitLab OAuth device flow, PR creation with security gates, auto-file issues from scan findings, releases with security attestation, CI status checking
- **Durable backups**: Git bundle backups to local, rsync, or rclone (S3/B2/GCS/70+ providers) destinations with auto-backup on push
- **MCP server expansion**: 32 tools total (security, git read/write, backup, platform)
- Professional terminal output system across all commands

### Fixed
- Hook install, scan JSON output, and CI/CD content detection issues

## [0.2.0] - 2026-02-15

### Added
- **6 innovation features**: universal undo, continuous snapshots, AI commit messages, conflict management, stacked diffs, MCP server
- **12 new git commands**: checkout, switch, merge, rebase, cherry-pick, revert, blame, show, config, clean, rm, mv
- **7 new security scanner plugins**: supply chain, CI/CD, container, IaC, deserialization, dangerous files, encoding (Trojan Source)
- Global `--json`, `--verbose`, `--quiet` flags
- `log --all`, `reset -- <files>`, `add -A/-u`, `commit --amend`, `pull --rebase/--ff-only`
- GraphRAG client for code intelligence integration
- Path translation for GraphRAG Docker integration

### Fixed
- Production hardening for cherry-pick, revert, log, diff, blame, rm, clean
- GitHub archive URL construction
- Push and tag handling edge cases
- Default branch detection and bare-to-git conversion in acquire

## [0.1.0] - 2026-01-30

### Added

- **ZIP-with-History acquisition model**: Download code as ZIP, fetch history via bare clone, scan both, merge safely
- **Multiple acquisition strategies**: zip-with-history (default), zip-only, bare-checkout
- **Security scanning pipeline**:
  - Pattern scanner (dangerous code patterns, eval, exec, shell injection)
  - Secrets scanner (API keys, credentials, private keys)
  - Entropy scanner (high-entropy / obfuscated content detection)
  - Binary scanner (unexpected executables)
  - Git internals scanner (hooks, dangerous config, LFS)
- **Git sanitization**: Automatic removal of hooks, dangerous config keys, LFS auto-fetch
- **Archive validation**: Zip bomb protection, path traversal prevention, configurable size limits
- **Integrity verification**: ZIP contents validated against git HEAD
- **Git hook management**: Install/uninstall pre-commit and pre-push hooks
- **Pre-commit scanning**: Scan staged changes before commit
- **Pre-push scanning**: Scan commits before push to remote
- **Plugin system**: Hybrid architecture with built-in Rust scanners and external plugin support
- **External tool integration**: gitleaks, trivy, grype support via plugin interface
- **Pure Rust git operations**: Authentication, LFS handling, submodule detection
- **Cross-platform builds**: Linux and macOS (x86_64 + aarch64)
- **Configurable severity thresholds**: Fail on low, medium, high, or critical findings
- **CI mode**: Machine-readable JSON output for pipeline integration