Releases: git-stunts/plumbing

v2.8.0–Back Logged

29 Jan 05:05
v2.8.0
cdbed77


This release tightens up the command sanitizer with strict per-command flag allowlisting—no more mystery substances flowing through your pipes.

Features

  • Strict per-command flag allowlisting: Each git command now has an explicit allowlist of permitted flags, blocking anything unexpected
  • Show command support: Added to the allowed commands for history traversal
  • Docker Guard integration: Shared safety guards via @git-stunts/docker-guard

Fixes

  • Handle end-of-options marker (--) in flag validation
  • Recognize combined numeric short forms (-n10, -15)
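
A sketch of per-command flag allowlisting that covers the two fixes above (the `--` marker and the `-n10` / `-15` numeric forms). This is an added example, not the project's own code: `ALLOWED_FLAGS`, `checkArgs`, and the flag sets are hypothetical, and treating `-<number>` as `-n` is an assumption.

```javascript
// Added illustration, not the @git-stunts/plumbing implementation.
// ALLOWED_FLAGS and checkArgs are hypothetical; the flag sets are constructed samples.
const ALLOWED_FLAGS = {
  log: new Set(['--oneline', '--format', '--max-count', '-n']),
  show: new Set(['--format', '--no-patch', '--stat']),
};

// Reduce an argument to the flag name that is looked up in the allowlist.
function flagName(arg) {
  if (arg.startsWith('--')) return arg.split('=', 1)[0]; // --format=%H -> --format
  if (/^-n?\d+$/.test(arg)) return '-n';                 // -n10 and -15 both mean -n <count>
  return arg;
}

// Returns { ok: true } or { ok: false, reason } for an argv such as ['log', '-n10'].
function checkArgs(args) {
  const [command, ...rest] = args;
  // The command must come first, so a leading global flag fails here.
  // Object.hasOwn keeps inherited keys like "constructor" from matching.
  if (!Object.hasOwn(ALLOWED_FLAGS, String(command))) {
    return { ok: false, reason: `command not allowed: ${command}` };
  }
  const allowed = ALLOWED_FLAGS[command];
  for (const arg of rest) {
    // End-of-options marker: everything after it is a path or revision, not a flag.
    if (arg === '--') break;
    // Positional arguments (revisions, paths) are not flags.
    if (!arg.startsWith('-') || arg === '-') continue;
    if (!allowed.has(flagName(arg))) {
      return { ok: false, reason: `flag not allowed for ${command}: ${arg}` };
    }
  }
  return { ok: true };
}

// Constructed sample inputs.
const samples = [
  ['log', '--oneline', '-n10'],
  ['show', '-15'],
  ['log', '--git-dir=/tmp/x'],
  ['log', '--', '-dash-file.txt'],
];
for (const argv of samples) {
  console.log(argv.join(' '), '=>', JSON.stringify(checkArgs(argv)));
}
```

The same flag can be valid for one command and rejected for another, which is the point of keeping the allowlist per command rather than global.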

Maintenance

  • Stabilized public API with root-level barrel files
  • Node.js version requirement updated to >= 20.0.0

v2.7.0 — Big Splash

08 Jan 01:12
ae578ae

v2.7.0 – BIG SPLASH

This release marks a structural shift for @git-stunts/plumbing.

What began as a small synchronous helper is now a fully async, stream-oriented interface for interacting with Git as a subsystem rather than a shell command.

Big Splash is about correctness, composability, and control.

What Changed

Stream-First Execution

  • All Git commands now execute asynchronously
  • stdout is always streamed
  • buffering is bounded and explicit
  • works consistently across Node, Bun, and Deno

Git is no longer treated as a fire-and-forget process.

Structured Error Classification

  • Exit codes and stderr are classified into typed domain errors
  • Repository lock contention is detected and retryable
  • Errors include context, latency, and remediation hints

No more guessing what “exit 128” meant.

Explicit Security Boundaries

  • Commands are validated against a strict whitelist
  • Dangerous flags (--git-dir, --work-tree, -c, etc.) are blocked
  • Environment variables are filtered through a policy layer
  • Global flag escapes are explicitly forbidden

Git is powerful. This release makes it safe to embed.

Domain-Driven Git Objects

  • First-class entities for blobs, trees, and commits
  • Immutable value objects for SHAs, refs, signatures, and file modes
  • Persistence is explicit and type-checked

You now work with Git objects, not incidental strings.

Why This Matters

This release makes it possible to build higher-level systems on top of Git, such as datastores, content pipelines, event logs, and agent memory, without relying on brittle shell execution or ad-hoc parsing.

Git can now be embedded, composed, and reasoned about as infrastructure.

Breaking Changes

  • The execution model is now async-only
  • Consumers relying on synchronous helpers must migrate to streaming APIs

Looking Forward

This release lays the foundation for:

  • Content-addressable storage layers
  • Git-backed databases
  • Event-driven workflows
  • Agent-native Git systems

From here on out, Git is no longer a black box.

GIT-STUNTS 🛹