Dangerous command approval: run_command skill now checks commands
against 9 regex patterns (rm -rf /, dd, mkfs, fork bombs, shutdown,
device writes, etc.) and blocks execution with a clear message.
Defense-in-depth layer on top of VM isolation.
Cron agents: templates support schedule (5-field cron) and
schedule_timeout (seconds, default 300) fields. Overseer checks
every 60s, spawns {name}-cron agents on match, auto-destroys after
timeout. Inline cron parser supports *, ranges, lists, and steps.
No npm dependencies added.
- New read_file skill: paginated file reading with line ranges,
path restricted to /workspace, binary detection, directory listing
- Session persistence via SQLite + FTS5: conversation history survives
agent restarts, last N messages restored into deque on boot,
auto-prune to 1000 messages
- Update truncation hint to reference read_file instead of run_command
- New scripts/update.sh for patching rootfs + rebuilding snapshot
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
