Releases: the-metafactory/arc

arc v0.22.1 — Quarantine reason codes

27 Apr 21:46

What's Changed

  • fix(install): honor provides.files across all types, gate hooks by @jcfischer in #88
  • fix(install): send Bearer token to auth-gated storage endpoints by @jcfischer in #91
  • fix(verify): walk settings.json hook paths, surface missing targets by @jcfischer in #93
  • fix(manifest): improve missing-capabilities error with example by @jcfischer in #94
  • fix(install): pre-validate provides.files + rollback on hook gate fail by @jcfischer in #96
  • fix(hooks): substitute $HOME and ~/ upstream, drop ~/ in checker by @jcfischer in #98
  • fix(install): rollback symlinks AND unregister hooks on postinstall fail by @jcfischer in #99
  • feat(arc-100): PackageBuilder § 12 - persona-driven agents + PublishBundle + AuthorPersonaAgent by @mellanon in #101
  • feat(arc-102): install for type:agent bundles — closes #102, Phase 9.1 of mf#392 by @mellanon in #103
  • feat(install): HTTP 451 quarantine reason codes (closes #105) by @jcfischer in #106

Full Changelog: v0.21.1...v0.22.1

arc v0.21.1 -- Network capability shorthand fix

24 Apr 08:14
366e920

Bug fix

  • #79: capabilities.network YAML string shorthand (- github.com) now normalized to {domain, reason: ""} at readManifest, with stderr warning naming shorthand entries. Defensive coercion in toServerManifest as well — cannot emit {domain: undefined} to the registry under any input shape.

Fixes submissions that stalled in validating on metafactory due to TypeError: canonicalJson: undefined is not allowed.
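The normalization described above, as an added sketch that is not arc's own readManifest code: `normalizeNetwork` is a hypothetical name, the parsed YAML input is constructed, and rejecting invalid shapes with a TypeError is an assumption, since the notes do not say how arc handles them.

```typescript
type NetworkEntry = { domain: string; reason: string };

// Hypothetical normalizer: accepts the string shorthand and the object form,
// and never returns an entry whose domain is undefined or empty.
function normalizeNetwork(raw: unknown): { entries: NetworkEntry[]; shorthand: string[] } {
  if (raw === undefined || raw === null) return { entries: [], shorthand: [] };
  if (!Array.isArray(raw)) throw new TypeError("capabilities.network must be a list");
  const entries: NetworkEntry[] = [];
  const shorthand: string[] = [];
  raw.forEach((item: unknown, i: number) => {
    // Shorthand: "- github.com" parses to a bare string.
    if (typeof item === "string" && item.trim() !== "") {
      shorthand.push(item.trim());
      entries.push({ domain: item.trim(), reason: "" });
      return;
    }
    // Object form: domain is required, a missing reason becomes "".
    if (typeof item === "object" && item !== null) {
      const { domain, reason } = item as { domain?: unknown; reason?: unknown };
      if (typeof domain === "string" && domain.trim() !== "") {
        entries.push({ domain: domain.trim(), reason: typeof reason === "string" ? reason : "" });
        return;
      }
    }
    // Assumption: anything else is rejected rather than coerced.
    throw new TypeError(`capabilities.network[${i}]: expected a domain string or {domain, reason}`);
  });
  return { entries, shorthand };
}

// Constructed input: what a YAML parser yields for a mixed list.
const sample = normalizeNetwork(["github.com", { domain: "api.example.org", reason: "fetch releases" }]);
if (sample.shorthand.length > 0) {
  console.error(`warning: network shorthand without reason: ${sample.shorthand.join(", ")}`);
}
```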

Tests

597 pass (up from 577 — 20 new regression tests covering string/object/mixed/invalid network entry shapes).

Full diff: v0.21.0...v0.21.1

v0.19.3

14 Apr 12:56

Fixed

  • arc publish rendered server errors as [object Object] when the registry returned a non-string error field. Added formatServerError() helper that extracts message/error string fields or falls back to JSON. Applied at all server-error paths in src/lib/publish.ts (uploadBundle, ensurePackageExists, registerVersion).

Added

  • arc-manifest.yaml at repo root (schema: arc/v1, type: tool) with bundle.exclude for vendor/ (128MB cosign binary, fetched at build time).

Underlying dev-server 500 tracked in the-metafactory/meta-factory#167.

arc v0.19.2 — SHA-256 Regression Tests

13 Apr 20:25
da2edfd

DD-79 red-team regression tests for the R2 install path: hash mismatch, content swap, truncation, appended payload, HTTP errors, extraction integrity. 12 new tests. Closes #54.

arc v0.19.1 — Self-Update Dev Checkout Guard

13 Apr 19:58
9b1f34f

What's fixed

Self-update now refuses to pull into dev checkouts (#72) — arc self-update detects when it's running from a development checkout and refuses with a clear message instead of silently modifying your working tree.

Detected conditions:

  • Non-main branch (feature branch, etc.)
  • Detached HEAD (tag checkout, interrupted rebase)
  • Uncommitted changes (dirty working tree)

Example

Self-update failed: Refusing self-update: arc repo is on branch "feat/my-feature"
(expected main). This looks like a dev checkout — update manually with git.

Closes #72

arc v0.19.0 — Lazy Cosign Auto-Fetch

13 Apr 19:16
8e17d81

What's new

Lazy cosign auto-fetch on first use: verifySigstoreBundle() now automatically downloads and verifies the cosign binary for the current platform if not already present. No manual setup step required.

  • Downloads only the single platform binary needed (not all three)
  • SHA-256 verified against published checksums before writing
  • Hard-fails if no checksum found (refuses unverified binary)
  • Checksum validated before download starts (no wasted bandwidth)
  • ensureCosignBinary() exported for explicit pre-fetch if desired
  • Breaking: verifySigstoreBundle() is now async (returns Promise<VerifySigstoreResult>)
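The checksum-first ordering listed above, exercised against the tamper cases named in the v0.19.2 notes (content swap, truncation, appended payload), as an added sketch that is not arc's ensureCosignBinary. `fetchVerified`, the injected `download`/`write` callbacks and all sample bytes are constructed for illustration.

```typescript
import { createHash } from "node:crypto";

type Checksums = Record<string, string>; // platform -> published hex SHA-256

const sha256Hex = (data: Uint8Array): string =>
  createHash("sha256").update(data).digest("hex");

// Hypothetical helper: look up the checksum, download, verify,
// and only then pass the bytes to `write`.
function fetchVerified(
  platform: string,
  checksums: Checksums,
  download: (platform: string) => Uint8Array,
  write: (bytes: Uint8Array) => void,
): string {
  const expected = checksums[platform];
  // Hard-fail before any download when no usable checksum is published.
  if (expected === undefined || !/^[0-9a-f]{64}$/.test(expected)) {
    throw new Error(`no SHA-256 published for ${platform}; refusing unverified binary`);
  }
  const bytes = download(platform);
  const actual = sha256Hex(bytes);
  if (actual !== expected) {
    throw new Error(`SHA-256 mismatch for ${platform}: expected ${expected}, got ${actual}`);
  }
  write(bytes); // reached only after the digest matched
  return actual;
}

// Constructed sample data: a stand-in "binary" and three tampered variants.
const good = Buffer.from("constructed cosign stand-in v1\n");
const checksums: Checksums = { "linux-amd64": sha256Hex(good) };
const tampered: Record<string, Uint8Array> = {
  "content swap": Buffer.from("constructed cosign stand-in v2\n"),
  "truncation": good.subarray(0, good.length - 1),
  "appended payload": Buffer.concat([good, Buffer.from("A")]),
};

// Runs one case and reports whether anything was downloaded or written.
function runCase(platform: string, bytes: Uint8Array) {
  let written = 0;
  let downloads = 0;
  try {
    fetchVerified(platform, checksums, () => { downloads++; return bytes; }, (b) => { written = b.length; });
    return { ok: true, written, downloads };
  } catch {
    return { ok: false, written, downloads };
  }
}
```

A platform with no published checksum fails with `downloads` still at 0, which is the "checksum validated before download starts" property; each tampered variant fails with `written` at 0.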

What's next

A-503 will wire verifySigstoreBundle() into arc install once meta-factory F5-500 (server-side signing) lands.

arc v0.18.0 — Cosign Binary Bundling and Wrapper

13 Apr 16:10
3a56924

What's new

Cosign binary bundling and verification wrapper (A-501, A-502) — Client-side foundation for Sigstore supply chain verification.

A-501: cosign binary bundling

  • scripts/fetch-cosign.ts downloads cosign v3.0.6 binaries for darwin-arm64, darwin-amd64, linux-amd64
  • SHA-256 verification against published checksums
  • Binaries stored in vendor/cosign/ (gitignored, fetched on demand)
  • bun run fetch-cosign to download

A-502: cosign wrapper

  • src/lib/cosign.ts — platform detection, binary resolution, verifySigstoreBundle()
  • Shells out to cosign verify-blob --bundle with certificate identity and OIDC issuer validation
  • Explicit errors for unsupported platforms (win32, exotic arches)

What's next

A-503 will wire verifySigstoreBundle() into arc install once meta-factory F5-500 (server-side signing) lands.

Closes #69

arc v0.17.2 — Fail Loud on Non-TTY Stdin

13 Apr 15:16
d5a18f9

What's fixed

Non-interactive install no longer silently half-applies (#46) — When stdin is not a TTY and --yes is not passed, arc install now exits with a clear error instead of hanging on the consent prompt and silently skipping hook registration.

Before

Allow? [y/N]    ← hangs, then exits 0 with hooks not registered

After

Error: arc install requires an interactive terminal for capability confirmation.
Pass --yes (-y) to approve non-interactively.

Also fixes pre-existing typecheck errors in test mock fetch casts.

Closes #46

arc v0.17.1 — Surface Registry Fetch Errors

13 Apr 14:53
c622273

What's fixed

Registry fetch failures now surface real errors (#50) — Previously, HTTP errors, network failures, and local file read errors were silently swallowed, producing a misleading "not found in any source" message. Now:

  • HTTP errors show source name, status code, URL, and response body snippet
  • 401/404 includes a hint about GITHUB_TOKEN permissions
  • Network errors show the error message and note stale cache fallback
  • Local file errors show the path and OS error

Example

Warning: failed to fetch source "metafactory-registry" (404 Not Found): https://api.github.com/repos/...
   hint: check that GITHUB_TOKEN has 'Contents: Read' on the source repo
❌ "grove" not found in any source. Try: arc search <keyword>

Closes #50

arc v0.17.0 — Anonymous Install and Search

13 Apr 14:27
5be321c

What's new

Anonymous install and search (A-52): arc install and arc search no longer require authentication. Per DD-80, the metafactory registry is anonymous read-only. arc login is now only needed for publishing.

Changes

  • Strip bearer tokens from all read-only API paths (install, search, info)
  • downloadPackage() and resolveFromRegistry() no longer send Authorization headers
  • 401/403 errors no longer suggest arc login for read operations
  • arc login / arc logout descriptions clarify they're publish-only

Closes

  • #52 — T-D(a): arc install — fetch tarball + SHA-256 verify (anonymous)