// changelog

v0.9.1

Safety scope narrowing — `--yes` no longer bypasses secret scanner or cost preflight.

Released May 25, 2026

⚠️ Breaking

  • --yes no longer bypasses the secret scanner or cost preflight. Previously, --yes (intended to auto-answer the .commitbrief/ pre-send guard) also silently approved any flagged credential and any above-threshold cost estimate — a footgun for CI users wiring --yes to skip the guard prompt. Use the dedicated bypasses: --allow-secrets for the scanner, --no-cost-check for the preflight.

  • cache.max_size_mb config field removed. Defined in the struct and surfaced via config get/set, but no code ever read it — cache eviction is TTL-based. Setting it now errors as an unknown field. Remove the line from your config.

Changed

  • Active provider doctor check. commitbrief doctor now verifies that the currently selected provider has its own credentials — not just that some provider does. Closes a gap where setting provider: openai while only anthropic.api_key was configured would pass doctor but fail every review.

  • Localised confirm vocabulary, guard prompt, and setup wizard. Catalog drives accept-vocabulary (y/yes in EN, e/evet in TR), the [y/N] / [e/H] suffix, the .commitbrief/ guard warning, and every label in commitbrief setup.

Added

  • Rules content secret scan. The pre-send secret scanner now inspects user-authored COMMITBRIEF.md and OUTPUT.md content in addition to the diff. Rules join the system prompt verbatim, so a credential pasted into either file would leak just as surely as one in a diff. Embedded defaults are skipped.

  • cache.enabled and cache.ttl_days are now honored. Previously defined but inert.

Fixed

  • install-hook --hook=pre-push ships a real pre-push body. Previously every hook variant got the same --staged invocation, which reviews the index rather than the commits being pushed and so silently no-op’d at push time. The new pre-push script parses the per-ref lines git feeds the hook on stdin (local ref, local sha, remote ref, remote sha) and runs commitbrief diff <remote-sha>..<local-sha> --fail-on=critical per ref. Push blocks on the first critical finding.

  • init no longer aborts on the first existing file. Existing files are now skipped with a per-file log line and the missing sibling is still written.

  • init --force is now a real flag. Previously the docs promised it but the CLI returned “unknown flag”.
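
For readers wiring up the pre-push entry above by hand, or auditing the generated hook, here is an illustrative pre-push script. It is an added example written for this changelog, not the script commitbrief install-hook --hook=pre-push generates. The only thing taken from the changelog is that commitbrief diff <range> --fail-on=critical exits non-zero on a critical finding; SCAN_CMD, BASE_REF, the function names and the handling of the two all-zero-sha edge cases (a branch new to the remote, and a ref deletion, which git signals with a remote or local sha of forty zeros) are this example's own choices.

```shell
#!/bin/sh
# Illustrative pre-push hook: parses the per-ref lines git feeds the hook on
# stdin and reviews each pushed range. Added example for this changelog entry,
# not the script commitbrief install-hook --hook=pre-push generates.
# Assumed from the changelog: `commitbrief diff <range> --fail-on=critical`
# exits non-zero on a critical finding. Everything else here (SCAN_CMD,
# BASE_REF, the function names) is this example's own.
#
# git calls the hook as: pre-push <remote-name> <remote-url>, with one line
# per ref on stdin:  <local ref> SP <local sha> SP <remote ref> SP <remote sha>
# A remote sha of all zeros means the branch does not yet exist on the remote;
# a local sha of all zeros means the push deletes the remote ref.

ZERO=0000000000000000000000000000000000000000

# Command run once per range; overridable so the parsing can be exercised
# without commitbrief installed.
: "${SCAN_CMD:=commitbrief diff}"
# Ref used to find a base for branches the remote has never seen.
: "${BASE_REF:=origin/HEAD}"

# push_range LOCAL_SHA REMOTE_SHA
# Prints "<remote-sha>..<local-sha>" for an ordinary update and nothing for a
# deletion. For a new remote branch the naive range "0000..<local>" is not a
# usable commit range, so the merge-base with BASE_REF is substituted; if even
# that fails (orphan branch, no origin/HEAD), fall back to a root commit so the
# branch is still reviewed rather than silently skipped.
push_range() {
    case "$1" in "$ZERO") return 0 ;; esac
    if [ "$2" != "$ZERO" ]; then
        printf '%s..%s\n' "$2" "$1"
        return 0
    fi
    base=$(git merge-base "$BASE_REF" "$1" 2>/dev/null) ||
        base=$(git rev-list --max-parents=0 "$1" 2>/dev/null | tail -n 1)
    [ -n "$base" ] || return 1
    printf '%s..%s\n' "$base" "$1"
}

# review_refs reads the pre-push lines from stdin and runs SCAN_CMD on each
# range. Returns non-zero on the first critical finding, which makes git abort
# the push. A ref whose base cannot be determined also blocks the push: the
# hook fails closed rather than letting unreviewed commits through.
review_refs() {
    while read -r local_ref local_sha remote_ref remote_sha; do
        range=$(push_range "$local_sha" "$remote_sha") || {
            printf 'commitbrief: cannot determine base for %s, push blocked\n' "$local_ref" >&2
            return 1
        }
        [ -n "$range" ] || continue   # deletion: nothing to review
        printf 'commitbrief: reviewing %s -> %s (%s)\n' "$local_ref" "$remote_ref" "$range" >&2
        # shellcheck disable=SC2086  # SCAN_CMD is deliberately word-split
        $SCAN_CMD "$range" --fail-on=critical || {
            printf 'commitbrief: critical finding in %s, push blocked\n' "$range" >&2
            return 1
        }
    done
    return 0
}

# Only run the loop when installed as the hook; sourcing the file for tests
# just defines the functions.
case "${0##*/}" in
    pre-push) review_refs ;;
esac
```

Two design points worth keeping if you adapt this: the deletion case must be skipped explicitly, because a range ending in forty zeros would otherwise be handed to the scanner as a bogus revision, and a branch the remote has never seen must get a real base, otherwise the range is empty and the push sails through with nothing reviewed. Both are exactly the quiet no-op failure mode the --staged hook body had.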