v0.10.1

Forge v0.10.1 — Windows Agent Start Fix, Documentation Link Cleanup

Release Date: May 19, 2026
Full Changelog: v0.10.0...v0.10.1

Forge v0.10.1 is a patch release containing one user-facing reliability fix on Windows and a comprehensive documentation link cleanup. Three pull requests, 24 files changed, no breaking changes — drop-in upgrade from v0.10.0.

---

Highlights

#	Area	Change	Issue / PR
1	Windows	forge ui no longer falsely reports agent failed to start for healthy daemons. Cause: Signal(0) is unsupported on Windows; the cross-platform process-liveness check is now centralized.	#59 / #60
2	Documentation	All 21 broken doc links in the main README.md are fixed. New CI workflow gates future README link breakage.	#58 / #61
3	Documentation	All 34 broken in-doc cross-references across 14 doc files are fixed. The CI link check is extended to cover docs/**.	#62 / #63

---

What's Fixed

Windows: forge ui Recognizes Healthy Daemons (PR #60, closes #59)

Symptom: On Windows, starting an agent from forge ui produced a red banner reading agent failed to start: REST: http://localhost:<port>/tasks/send ... — but the backend agent was actually running successfully. The same flow worked correctly on macOS and Linux.

Cause: forge-ui/process.go's pidAlive function used os.Process.Signal(syscall.Signal(0)) — the standard Unix idiom for liveness checking. On Windows, Go's stdlib only translates os.Interrupt and os.Kill; every other signal (including Signal(0)) returns "operating system does not support signal". So pidAlive returned false for every PID on Windows regardless of whether the process was alive.

The waitForPort poll loop interpreted that as "child crashed", fast-failed, and surfaced whatever was already in serve.log as the supposed error — which by that point contained the daemon's normal startup banner.

A second occurrence of the same broken check in forge-ui/discovery.go was actively deleting .forge/serve.json for still-running daemons on every page-load — orphaning them from the dashboard. Both are fixed.

Fix: New shared helper forge-core/util/process/{process_unix.go, process_windows.go} with IsAlive(pid int) bool. Unix path uses FindProcess + Signal(0); Windows path uses OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION) + CloseHandle — the same pattern forge-cli/cmd/serve_windows.go already shipped for daemon-lifecycle checks. The duplicate implementations in forge-cli and forge-ui are deleted in favor of the single shared helper.

// One implementation, build-tag split, consumed by both forge-cli and forge-ui.
import "github.com/initializ/forge/forge-core/util/process"

if !process.IsAlive(pid) {
    // accurate on every supported platform
}

There is now exactly one implementation of "is this PID alive" in the repo. CI runs GOOS=windows go build to catch future build-tag drift.

README Doc Links Fixed (PR #61, closes #58)

The top-level README.md referenced 25 relative .md files. 21 of them were 404s — the README linked to canonical flat names (docs/runtime.md, docs/security/secrets.md, …) but the actual docs lived under subdirectories with different filenames (docs/core-concepts/runtime-engine.md, docs/security/secret-management.md, …). Every newcomer clicking "Quick Start", "Installation", "Architecture", "Skills", "Runtime", "Memory", "Channels", or any of 12 other top-level doc links from the README landed on a GitHub 404.

After the fix:

before: BROKEN 21, OK 4
after:  BROKEN 0,  OK 25

A new .github/workflows/docs-links.yaml runs on every push/PR touching README.md, docs/**, or the workflow itself — fails the build if any relative .md link doesn't resolve. Prevents this from regressing.

In-Doc Cross-References Fixed (PR #63, closes #62)

The same pattern that broke the README also broke 34 in-doc cross-references across 14 doc files. The heaviest hitter was docs/security/overview.md (10 broken links — the file pre-dated the rename of egress.md → egress-control.md, secrets.md → secret-management.md, signing.md → build-signing.md). Other files used paths like security/guardrails.md from within docs/core-concepts/ which resolved to docs/core-concepts/security/guardrails.md (does not exist) instead of docs/security/guardrails.md.

All 34 fixed via mechanical substitution with #anchor preservation. The CI link check is extended to walk docs/**/*.md in addition to README.md:

before: 34 broken in-doc links across 14 files
after:   0 broken; 37 files checked (1 README + 36 docs)

---

Upgrade Notes

Drop-in patch upgrade — no forge.yaml changes, no API changes, no behavior changes for healthy installs.

• Windows users on v0.10.0: this release fixes the "agent failed to start" red banner. Highly recommended.
• forge-core/util/process is a new package. If you import forge-core directly in your own Go projects, the new package is available but doesn't change any existing API.

---

Install

# Homebrew
brew upgrade initializ/tap/forge

# One-line install/upgrade
curl -sSL https://raw.githubusercontent.com/initializ/forge/main/install.sh | bash

# Docker
docker pull ghcr.io/initializ/forge:v0.10.1
docker pull ghcr.io/initializ/forge:latest

---

Reference

• Full diff (v0.10.0 → v0.10.1)
• Documentation
• Discord
• Issue tracker

v0.10.0

Forge v0.10.0 — Dynamic Secret Overlay, Configurable Security Scoring, K8s Channel Manifests, Slack Bot Admission

Release Date: May 18, 2026
Full Changelog: v0.9.2...v0.10.0

Forge v0.10.0 makes encrypted secrets, security policy, channel deployment, and inter-bot communication first-class operator concerns. Skill-declared env vars now flow from the encrypted store to the agent process without code changes; security audits can be downgraded via YAML policy with full auditability; Kubernetes manifests finally include channel env vars from the same source as docker-compose; and Slack agents can now accept @-mentions from operator-allowlisted bots while staying immune to self-loops. Two latent bugs in the secret provider chain are also fixed. 62 files changed, 2,718 insertions, 728 deletions across forge-cli, forge-core, forge-plugins, and forge-skills.

---

Highlights

#	Area	Change	Issue / PR
1	Secrets	Skill-declared env vars in encrypted store reach the agent's OS env via dynamic provider.List() discovery — no hardcoded key list	#48 / #51
2	Skills audit	New forge skills audit --policy <path> overrides scoring and policy checks; downgrades carry (via policy) / (acknowledged by policy) annotations	#49 / #53
3	K8s + channels	Channel env vars from <channel>-config.yaml now flow into k8s/secrets.yaml, k8s/deployment.yaml, and docker-compose.yaml from a single canonical source	#50 / #54
4	Secrets	Stale global ~/.forge/secrets.enc with a different passphrase no longer poisons the chain — eager-load validation drops it with a clear warning	#52 / #57
5	Slack	New allow_bot_ids setting admits @-mentions from operator-trusted bots; the agent's own bot_id is unconditionally dropped (self-loop guard)	#55 / #56

---

What's New

Dynamic Secret Overlay for Skill-Declared Env Vars (PR #51, closes #48)

Before: the runtime overlaid only a hardcoded set of LLM/channel keys (OPENAI_API_KEY, SLACK_BOT_TOKEN, etc.) from the encrypted secrets store. A skill declaring metadata.forge.requires.env.required: [ACME_API_TOKEN] would see an empty value at runtime, even after forge secret set ACME_API_TOKEN ....

Now: a new secretOverlayKeys(provider) helper unions the builtin set with every key the provider exposes via Provider.List(). Custom skill-declared keys flow through the encrypted store to the OS env automatically — no code change required when adding a new skill.

# skills/my-skill/SKILL.md
metadata:
  forge:
    requires:
      env:
        required: [ACME_API_TOKEN]

forge secret --local set ACME_API_TOKEN my-secret-value
forge run   # ACME_API_TOKEN is now in the agent's environment

Cross-category secret-reuse detection continues to operate on the builtin set only — custom keys have no defined purpose category and are not part of the reuse check.

Policy-Configurable Security Scoring (PR #53, closes #49)

forge skills audit now accepts a --policy <path> flag that loads a YAML SecurityPolicy. The policy affects both policy-violation checks (existing) and scoring (new). Three new scoring overrides let operators down-weight builtin classifications:

# policy.yaml
script_policy: allow
max_risk_score: 90

trusted_domains:    [internal.example.com]   # +2 instead of +10 (unknown)
acknowledged_bins:  [python]                 # +3 instead of +15 (builtin high-risk)
acknowledged_env:   [DB_PASSWORD]            # +5 instead of +10 (builtin sensitive)

forge skills audit --dir skills --policy policy.yaml

Every override is auditable. Affected factors carry (via policy) or (acknowledged by policy) in their description, visible in both --format text and --format json:

egress   +2   trusted domain (via policy): internal.example.com
binary   +3   high-risk binary (acknowledged by policy): python
env      +5   sensitive variable (acknowledged by policy): DB_PASSWORD

Scoring overrides can only down-weight builtin classifications — a binary not in the high-risk set stays at +3 even if listed in acknowledged_bins. This prevents accidental score inflation.

API change: AnalyzeSkillDescriptor and AnalyzeSkillEntry now take a SecurityPolicy parameter. Pass SecurityPolicy{} to reproduce historical default scoring exactly.

Channel Env Vars in Kubernetes Manifests (PR #54, closes #50)

Before this release, forge build generated k8s/deployment.yaml and k8s/secrets.yaml containing only skill-declared env vars. Channel env vars (SLACK_BOT_TOKEN, TELEGRAM_BOT_TOKEN, etc.) were silently dropped — even though forge package --with-channels injected them into docker-compose via a hardcoded switch statement. The two output paths disagreed from the same forge.yaml.

A new ChannelsStage (forge-cli/build/channels_stage.go) reads each <channel>-config.yaml and unions every _env-suffixed setting value into Spec.Requirements.EnvRequired. EnvVarsFromConfig in forge-cli/channels/env.go is the canonical helper; generateDockerCompose in cmd/package.go calls the same function, so both output paths produce a consistent env-var set.

# slack-config.yaml — the canonical source
adapter: slack
settings:
  app_token_env: SLACK_APP_TOKEN
  bot_token_env: SLACK_BOT_TOKEN
  custom_env: MY_PROJECT_SLACK_OVERRIDE   # ← appears in K8s + docker-compose

After forge build:

# .forge-output/k8s/secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-agent-secrets
stringData:
  SLACK_APP_TOKEN: ""
  SLACK_BOT_TOKEN: ""
  MY_PROJECT_SLACK_OVERRIDE: ""
  TELEGRAM_BOT_TOKEN: ""

Adding a new channel adapter requires zero build-pipeline edits. Operators (and channel-adapter authors) just declare env vars via the _env suffix convention in their channel YAML.

Behavior change worth calling out: SLACK_SIGNING_SECRET is no longer injected. The Slack adapter is Socket Mode and never reads it; the previous hardcoded map included it erroneously. Operators using a custom Slack adapter that does need it can add signing_secret_env: SLACK_SIGNING_SECRET to their slack-config.yaml.

Slack Bot @-Mention Admission with Self-Loop Guard (PR #56, closes #55)

The Slack adapter previously dropped every event whose bot_id was non-empty — silently ignoring @-mentions from scheduler bots, monitoring tools, workflow steps, and CI bots even when an operator explicitly wired them up.

A new optional allow_bot_ids setting admits specific bots:

# slack-config.yaml
adapter: slack
settings:
  app_token_env: SLACK_APP_TOKEN
  bot_token_env: SLACK_BOT_TOKEN
  allow_bot_ids: B0123ABC,B0456DEF   # comma-separated bot_ids

Three coordinated rules keep loops bounded:

Rule	Behavior
Self-loop guard (always on)	The agent's own bot_id is dropped before the allowlist is consulted. No opt-out — even if its own ID is misconfigured into allow_bot_ids, the guard short-circuits.
Allowlist gate (opt-in)	Bots not in allow_bot_ids stay dropped. Empty/absent setting preserves today's behavior (no other bots admitted).
Mention requirement (unchanged)	Admitted bots still must include <@FORGE_AGENT> in the message text. Chatter without a tag is ignored.

resolveBotID now captures both user_id and bot_id from Slack's auth.test response — user_id drives mention matching; bot_id powers the self-loop guard. Drop reasons are emitted to stderr with the bot_id and a pointer to slack-config.yaml allow_bot_ids so operators can self-diagnose.

Stale Global Secrets File No Longer Poisons the Chain (PR #57, closes #52)

A latent bug in OverlaySecretsToEnv and Runner.buildSecretProvider — exposed during the validation of #51 — caused a stale ~/.forge/secrets.enc from an unrelated project (encrypted with a different passphrase) to break ChainProvider.List() for everyone. Local file's keys would silently disappear from the agent's env.

A new viableEncryptedFileProviders helper eagerly validates each candidate file at chain-build time:

Candidate state	Behavior
File missing (os.IsNotExist)	Silently skipped — common case, no log noise
Decryption succeeds	Admitted; cleartext is cached for subsequent reads (no extra Argon2id)
Decryption fails (wrong passphrase, corruption)	Dropped from the chain with a clear warning naming the file path

forge: skipping secrets provider that failed to load
  (label=global, path=/Users/.../.forge/secrets.enc,
   error=decrypting secrets file: ... wrong passphrase?)

ChainProvider semantics stay strict — non-NotFound errors from Get / List still propagate. The fix is at the chain-construction site: we don't admit providers we already know will fail.

---

Documentation

Each PR shipped with synced docs. Notable additions:

• docs/security/secret-management.md — new Skill-Declared Secrets and Provider Chain Validation sections.
• docs/skills/skills-cli.md — new Security Audit section with the policy YAML schema and the (via policy) annotation contract.
• **[docs/deployment/kubernetes.md](https://github.com/initializ/forge/blob/v0.10.0/do...

v0.9.2

Forge v0.9.2 — Skill Environment Injection, Docker Images, Agent Reliability Fixes

Release Date: April 17, 2026
Full Changelog: v0.9.1...v0.9.2

---

Highlights

Forge v0.9.2 delivers automatic environment variable and egress domain injection when saving skills, pre-built multi-architecture Docker images on GHCR, and critical agent reliability fixes for port allocation, stale daemon detection, and OAuth credential handling. This release modifies 25 files with over 1,200 lines of new code across all five modules.

---

What's New

Skill Environment & Egress Auto-Configuration (#46)

When saving a skill via the UI Skill Builder or forge skills add, Forge now automatically configures the agent's environment — no manual .env or forge.yaml editing required.

How it works:

1. SKILL.md frontmatter declares metadata.forge.requires.env and metadata.forge.egress_domains
2. On save, Forge parses requirements and:
   • Writes env vars to .env (deduplicated, skips existing keys and encrypted placeholders)
   • Merges egress domains into forge.yaml security.egress.allowed_domains (deduplicated, sorted, YAML formatting preserved)
   • Reports missing env vars back to the UI for user input
3. Frontend displays what was configured and prompts for any remaining required variables

# CLI: forge skills add now also merges egress domains
forge skills add github
# ✓ Added egress domains: api.github.com, github.com
# ✓ Wrote GITHUB_TOKEN to .env

New shared utilities in forge-cli/cmd/skill_env.go:

• ParseSkillRequirements() — extracts env requirements and egress domains from SKILL.md
• MergeEgressDomains() — adds domains to forge.yaml allowlist with text-based YAML insertion
• AppendEnvVars() — appends key=value pairs to .env with deduplication
• CheckMissingEnv() — checks OS env + .env + secret placeholders for missing entries

SkillSaveFunc now returns *SkillSaveResult with structured response fields: path, egress_added, env_configured, env_missing.

Pre-Built Docker Images on GHCR (#46)

Forge now publishes multi-architecture Docker images (linux/amd64, linux/arm64) to GitHub Container Registry on every release.

# Pull the latest release
docker pull ghcr.io/initializ/forge:latest

# Pin to a specific version
docker pull ghcr.io/initializ/forge:v0.9.2

# Run with your agent directory mounted
docker run -v /path/to/agent:/home/forge/agent -w /home/forge/agent \
  -e OPENAI_API_KEY=sk-... \
  ghcr.io/initializ/forge:latest run --host 0.0.0.0

Image details:

• Tags: v0.9.2, v0.9, v0, latest (semver hierarchy)
• Base: alpine:3.22.4 with ca-certificates, git, tzdata
• Build: Multi-stage with golang:1.25-alpine, BuildKit cache mounts, CGO_ENABLED=0 static binary
• Security: Non-root forge user, minimal attack surface
• CI: QEMU for cross-platform emulation, GitHub Actions cache for layer reuse

LLM Agent Loop Robustness (#46)

Two fixes to the core agent loop that prevent subtle failures across providers:

Tool call execution fix: The loop now terminates based solely on len(ToolCalls) == 0, ignoring FinishReason. Some providers (notably certain OpenAI models) return FinishReason: "stop" even when tool calls are present — previously this caused the agent to stop mid-execution.

Session recovery deduplication: When a session is recovered from disk after a crash or timeout, the executor checks whether the conversation already ends with an identical user message and skips the duplicate. This prevents the same prompt from appearing twice in the context window on retry.

Q&A nudge suppression: When only explore-phase tools were invoked (e.g., web_search, file_read), the agent no longer sends a continuation nudge ("You stopped..."), correctly treating the response as a final answer to an informational query.

---

Bug Fixes

Port Collision on Agent Start (forge-ui)

Before: When the UI restarted, PortAllocator lost its in-memory state and always tried port 9100 first — colliding with agents already running on that port from a previous session.

After: Allocate() now does a net.Listen TCP probe to verify the port is actually free before assigning it. Occupied ports are automatically skipped.

Stale Agent Status After UI Restart (forge-ui)

Before: detectExternalAgent() only checked if a port was listening via TCP probe. If serve.json was stale (agent crashed) but another process happened to be on the same port, the dead agent appeared as "running".

After: detectExternalAgent() now checks PID liveness via pidAlive() (signal 0) before the TCP probe. If the PID from serve.json is dead, the stale file is cleaned up and the agent is correctly reported as stopped.

OAuth Silent 401 in Skill Builder and Runner (forge-cli)

Before: When OpenAI OAuth credentials were missing or unloadable (no ~/.forge/credentials/openai.json), both the Skill Builder llmStreamFunc and the Runner createProviderClient silently fell through to create a regular OpenAI client with no API key — resulting in a cryptic 401 Unauthorized error.

After: When the API key is empty/__oauth__ and oauth.LoadCredentials() fails, a clear error is returned: "no OpenAI API key or OAuth credentials found; run 'forge init' with OAuth or set OPENAI_API_KEY".

---

Files Changed

Area	Files	Description
Skill env utilities	forge-cli/cmd/skill_env.go	ParseSkillRequirements, MergeEgressDomains, AppendEnvVars, CheckMissingEnv
Skill env tests	forge-cli/cmd/skill_env_test.go	12 unit tests for shared utilities
CLI skills add	forge-cli/cmd/skills.go	Egress domain merge in runSkillsAdd
UI save func	forge-cli/cmd/ui.go	Enhanced skill save with env/egress handling, OAuth error surfacing
Runner OAuth	forge-cli/runtime/runner.go	OAuth error surfacing in createProviderClient
Parser export	forge-skills/parser/parser.go	Export ExtractForgeReqs for reuse
LLM loop	forge-core/runtime/loop.go	Ignore FinishReason, session dedup, Q&A nudge suppression
Loop tests	forge-core/runtime/loop_test.go	Regression tests for stop+tool_calls
UI types	forge-ui/types.go	SkillSaveResult, SkillEnvEntry, updated SkillSaveFunc signature
UI handler	forge-ui/handlers_skill_builder.go	Pass env vars, return SkillSaveResult
Port allocator	forge-ui/process.go	net.Listen probe in Allocate(), portFree() helper
Agent discovery	forge-ui/discovery.go	PID liveness check, stale serve.json cleanup
Frontend	forge-ui/static/dist/app.js	Env var inputs, egress/env status display
Docker	Dockerfile, .dockerignore	Multi-stage alpine build
CI	.github/workflows/release.yaml	GHCR multi-arch build+push job
Docs	docs/{runtime,skills,dashboard,deployment,commands}.md	Synced with code changes

25 files changed, 1,201 insertions, 79 deletions

---

Installation

# Homebrew
brew upgrade initializ/tap/forge

# One-line install/upgrade
curl -sSL https://raw.githubusercontent.com/initializ/forge/main/install.sh | bash

# Docker
docker pull ghcr.io/initializ/forge:v0.9.2

---

Contributors

Built with Forge — turn SKILL.md into portable, secure, runnable AI agents.

v0.9.1

Forge v0.9.1 — Container Packaging, Local Binary Overrides, External Auth, and Guardrails Library

Release Date: April 13, 2026
Full Changelog: v0.9.0...v0.9.1

---

Highlights

Forge v0.9.1 delivers container packaging improvements, local binary injection, external authentication, inline KUBECONFIG support, and a full guardrails library integration. This release modifies 65 files with over 3,600 lines of new code, making container-based agent deployments significantly more flexible and production-ready.

---

What's New

Container Packaging: Local Binary Overrides (#44)

Inject host-compiled binaries directly into container images, bypassing remote resolution entirely. This enables air-gapped builds, custom binary versions, and rapid iteration without waiting for upstream releases.

# Inject a locally-built forge binary into the container
forge package --local-bin forge=/path/to/linux/forge

# Combine with image optimization
forge package --local-bin forge=./bin/forge --alpine --slim

• --local-bin name=/path/to/file flag on both forge build and forge package (repeatable)
• --slim flag to minimize image size by skipping heavy/optional binaries
• --alpine flag to prefer Alpine base image
• Configurable in forge.yaml via package.bin_overrides.<name>.local
• Smart Dockerfile generation with multi-stage bin resolution: local override → skill override → config override → image registry → apt/apk
• Automatic ca-certificates installation for TLS support

External Authentication Provider (#44)

Delegate token validation to an external auth endpoint for enterprise deployments. The internal loopback token ensures channel adapters (Slack, Telegram) continue to work without needing a valid external token.

# Via CLI flag
forge run --auth-url https://auth.example.com/verify

# Via environment variable (containers)
docker run -e FORGE_AUTH_URL=https://auth.example.com/verify my-agent

• Two-layer auth middleware: internal token accepted first (channel loopback), then external provider
• FORGE_AUTH_URL and FORGE_AUTH_ORG_ID environment variables
• Org ID extracted from X-Org-ID, org-id, or org_id request headers

KUBECONFIG Materialization (#44)

Pass kubeconfig content directly as an environment variable — the runtime automatically writes it to a file and updates KUBECONFIG to the file path. No volume mounts needed.

docker run -e KUBECONFIG="$(cat ~/.kube/config)" my-agent

• Detects inline YAML via newlines, apiVersion: markers, and certificate-authority-data: presence
• kubectl and helm receive the materialized path via env passthrough

Channel Adapter Fixes (#44)

• Entrypoint now includes --with flag — container entrypoint automatically becomes ["forge", "run", "--host", "0.0.0.0", "--with", "slack,telegram"] when channels are configured in forge.yaml
• Channel config files packaged — slack-config.yaml, telegram-config.yaml, etc. are automatically copied into the Docker build context
• Auth loopback — channel adapters authenticate to the A2A server using an internal token, bypassing external auth providers

Guardrails Library Integration (#45)

Replaced the hand-rolled GuardrailEngine (435 lines of hardcoded patterns) with the external github.com/initializ/guardrails library, supporting dual-mode operation.

• File-based mode (guardrails.json) for local development — zero external dependencies
• MongoDB-backed mode for platform deployments with centralized policy management and audit logging
• Inbound PII masking fixed — CheckInbound now correctly masks PII (e.g., SSNs) before they reach the LLM
• Session recovery crash fixed — orphaned tool calls (assistant tool_calls without matching tool results) are stripped on save and recovery, preventing API rejection errors

Skills Build Stage Fix (#45)

• SkillsStage now always scans the skills/ subdirectory even without a root SKILL.md, restoring binary installation (e.g., kubectl) for subdirectory-only skill projects

Root SKILL.md Removed (#44)

• forge init no longer generates a root-level SKILL.md with placeholder content
• Skills live exclusively in skills/<skill-name>/SKILL.md subdirectories
• Removed skills.path from forge.yaml template
• Build pipeline already scans skills/ automatically

OpenAI API Fix (#44)

• Fixed "Invalid value for 'content': expected a string, got null" error by omitting content field for assistant messages with tool_calls per OpenAI spec

---

New Configuration

forge.yaml — Package Section

package:
  alpine: false                     # Prefer Alpine base image
  slim: false                       # Minimize image size
  bin_overrides:
    forge:
      local: "/path/to/linux/forge" # Host path to local binary
    jq:
      apt: "jq"                     # APT package name
    custom-tool:
      url: "https://example.com/tool.tar.gz"
      dest: "/usr/local/bin/custom-tool"
      chmod: "0755"

New Environment Variables

Variable	Description
FORGE_AUTH_URL	External auth provider URL for token validation
FORGE_AUTH_ORG_ID	Organization ID sent to external auth provider
FORGE_GUARDRAILS_DB	MongoDB connection string for centralized guardrails

New CLI Flags

Command	Flag	Description
forge build	--local-bin	Local binary override as name=/path/to/file (repeatable)
forge build	--slim	Minimize image size
forge build	--alpine	Prefer Alpine base image
forge package	--local-bin	Local binary override (same as build)
forge package	--slim	Minimize image size
forge package	--alpine	Prefer Alpine base image
forge run	--auth-url	External auth provider URL
forge serve	--auth-url	External auth provider URL

---

Breaking Changes

• Root SKILL.md no longer generated by forge init. Existing projects with a root SKILL.md are unaffected — the build pipeline still reads it if present, but new projects should use skills/ subdirectories exclusively.
• skills.path removed from forge.yaml template. Existing configs with skills.path still work at runtime.

---

Pull Requests

• #44 — feat: container packaging, local binary overrides, and external auth
• #45 — feat: integrate guardrails library with dual-mode support

---

Stats

• 65 files changed, 3,652 insertions, 1,031 deletions
• 5 new CLI flags across build, package, run, and serve
• 3 new environment variables for auth and guardrails
• 1 new forge.yaml section (package)

---

Installation:

# Homebrew
brew upgrade initializ/tap/forge

# Binary (Linux/macOS)
curl -fsSL https://github.com/initializ/forge/releases/download/v0.9.1/forge-$(uname -s)-$(uname -m).tar.gz | tar xz -C /usr/local/bin forge

Documentation: docs/

v0.9.0

Forge v0.9.0 — Security Hardening, GitHub Skills, and Bug Fixes

Release Date: April 4, 2026
Full Changelog: v0.8.0...v0.9.0

---

Highlights

Forge v0.9.0 is a security-focused release that delivers two full phases of security hardening (17 fixes total), a new GitHub API skill, a critical secret decryption bug fix, and improvements across the CLI, TUI, and channel plugins. This release modifies 78 files with over 4,100 lines of new code and hardened tests.

---

What's New

Security: Phase 1 — Critical Fixes (C-1 through C-7)

• SSRF protection — new IP validator blocks requests to private/loopback/link-local ranges (#34)
• Safe dialer — all outbound HTTP connections routed through a secure dialer with DNS rebinding protection
• Redirect validation — HTTP redirects are checked against the egress allowlist before following
• bash_execute removed — eliminated the high-risk shell execution tool from the code-agent skill (#29)
• Egress enforcer hardened — stricter domain matching and proxy enforcement

Security: Phase 2 — High-Priority Fixes (H-1 through H-10)

• Scoped environment variables — KUBECONFIG, NO_PROXY, and GH_CONFIG_DIR are now injected only into their target binaries (kubectl, helm, gh), not the global environment (#39, #42)
• A2A server hardened — added input validation, rate limiting, and auth improvements to the Agent-to-Agent server
• Custom tool sandboxing — external tool execution now enforces stricter argument validation
• Channel plugin hardening — Slack and Telegram adapters received input sanitization and error-handling improvements
• Guardrails loader hardened — runtime guardrail loading now validates schema before application

New Feature: GitHub API Skill

• Query GitHub users, pull requests, forks, and stargazers directly from within an agent (#38)
• Includes six new scripts: github-get-user, github-list-prs, github-list-forks, github-list-stargazers, github-pr-author-profiles, github-stargazer-profiles
• Per-tool PII exemptions — tools that need GitHub usernames can bypass PII redaction on a per-tool basis

Bug Fixes

• Secret decryption — fixed a bug where decryption failed even with the correct passphrase (#40, #41)
• Q&A nudge suppression — resolved unwanted nudge prompts during agent conversations
• UI agent start errors — fixed errors when starting agents from the skill builder UI
• Chat streaming — resolved streaming interruption issues in the TUI
• File attachment — cli_execute now correctly handles file attachment behavior
• Errcheck lint — fixed unchecked error returns in test files

Documentation

• Updated security docs covering egress enforcement, guardrails, and the new IP validator
• Synced architecture, channels, runtime, skills, and tools documentation with code changes (#43)

---

Breaking Changes

• bash_execute tool removed — agents using the bash_execute builtin tool must migrate to cli_execute or custom tool definitions. This tool was removed for security reasons.

---

Upgrade Guide

# Update via Homebrew
brew upgrade initializ/tap/forge

# Or pull the latest binary
curl -sSL https://raw.githubusercontent.com/initializ/forge/main/install.sh | bash

No configuration changes required. Existing agents and skills are fully compatible with v0.9.0.

---

Stats

Metric	Value
Files changed	78
Insertions	+4,126
Deletions	−632
Net new lines	+3,494
PRs merged	6
Contributors	2

---

Pull Requests Included

• #43 — docs: sync documentation for Phase 2 fixes and UI improvements (@initializ-mk)
• #42 — security: Phase 2 high-priority fixes and UI improvements (@initializ-mk)
• #41 — [Bug]: Secret decryption fails with correct passphrase #40 (@pandey03muskan)
• #39 — security: Phase 2 high-priority fixes (H-1 through H-10) (@initializ-mk)
• #38 — feat: add GitHub API query tools and per-tool PII exemptions (@initializ-mk)
• #34 — security: Phase 1 critical fixes (C-1 through C-7) (@initializ-mk)

---

Contributors

• @initializ-mk
• @pandey03muskan

---

Forge is a secure, portable AI agent runtime. Build, run, and deploy AI agents from a single SKILL.md file.
Learn more at github.com/initializ/forge • Documentation

v0.8.0

Forge v0.8.0 — Code Agent, Skill Guardrails, and Telegram Reliability

Forge v0.8.0 introduces the Code Agent skill for autonomous code generation, a multi-layer skill guardrails system for fine-grained security policy enforcement, Kubernetes cost visibility, and critical Telegram reliability fixes — making Forge the most secure open-source AI agent runtime for enterprise deployments.

---

Code Agent Skill

New embedded skill (code-agent) that enables autonomous code generation, modification, and project scaffolding across multiple frameworks.

• 7 builtin tools: file_read, file_write, file_edit, file_patch, glob_search, grep_search, directory_tree — all confined to the agent's working directory via PathValidator
• Multi-framework scaffolding: Vite + React, Express, FastAPI, Go, Spring Boot, and more via code_agent_scaffold
• Surgical code editing: Exact string matching with unified diff output via code_agent_edit
• Batch operations: Atomic multi-file add/update/delete/move in a single call via file_patch
• Smart search: Uses ripgrep when available, with Go-based fallback for grep_search
• Layered registration: Skills request only the capabilities they need — search-only, read-only, or full read-write

forge skills add code-agent

GitHub Skill — Now Script-Backed

The github skill has been upgraded from binary-backed to script-backed with 6 shell scripts and 8 tools:

Tool	Purpose
github_clone	Clone a repository and create a feature branch
github_checkout	Switch to or create a branch
github_status	Show git status
github_commit	Stage and commit changes
github_push	Push feature branch to remote
github_create_pr	Create a pull request
github_create_issue	Create a GitHub issue
github_list_issues	List open issues

Multi-Layer Skill Guardrails

Skills can now declare domain-specific security policies in their SKILL.md frontmatter, enforced at four interception points in the agent loop:

Guardrail	Hook Point	Purpose
deny_commands	Before tool execution	Block dangerous CLI commands (e.g., kubectl get secrets)
deny_output	After tool execution	Block or redact sensitive tool output (e.g., Secret manifests, tokens)
deny_prompts	Before LLM call	Intercept capability enumeration probes
deny_responses	After LLM call	Prevent binary name disclosure in LLM responses

• Declarative YAML config in SKILL.md frontmatter — no code changes needed
• Pattern aggregation across multiple active skills with deduplication
• Runtime fallback — guardrails fire during forge run without requiring forge build
• file:// protocol blocking in cli_execute to prevent filesystem traversal via curl file:///etc/passwd

Kubernetes Cost Visibility Skill

New embedded skill (k8s-cost-visibility) that estimates cluster infrastructure costs:

• Four cost dimensions: Compute (CPU + memory), Storage (PVC/PV), LoadBalancer, and Waste (unbound PVs)
• Multiple grouping modes: namespace, workload, node, label, annotation
• Auto-detect cloud pricing: AWS, GCP, Azure, or static/custom rates
• Strictly read-only — only kubectl get commands, never mutating operations

forge skills add k8s-cost-visibility

Telegram Reliability Fix

Resolved a critical context cancellation bug that killed in-flight agent tasks during polling restarts:

• Context isolation: Each handler goroutine now runs with an independent context (10-minute timeout), detached from the polling lifecycle
• Interim messaging: After 15 seconds of processing, Telegram sends "Working on it — I'll send the result when ready" — matching Slack's existing behavior
• Shared handler logic: Extracted handleEvent() method eliminates duplication between polling and webhook code paths

PII Detection Improvements

Reduced false positives in the guardrail engine with structural validators:

Pattern	Validator	What It Checks
SSN	validateSSN	Rejects area=000/666/900+, group=00, serial=0000, known test SSNs
Credit Card	validateLuhn	Luhn checksum, 13-19 digit length
Phone	Regex	Area code 2-9, requires separators (prevents matching version numbers)

Outbound messages are now always redacted rather than blocked — even in enforce mode — to avoid discarding useful agent responses over false positives in source code.

Additional Changes

• TUI: Updated OpenAI provider description to show current model names (GPT 5.4, GPT 5 Mini, GPT 5 Nano)
• UI: Fixed auth and channel config propagation when starting agents from the web dashboard
• Docs: Comprehensive documentation sync across tools, skills, channels, and security guardrails

---

Upgrade

# macOS / Linux
curl -fsSL https://raw.githubusercontent.com/initializ/forge/main/install.sh | bash

# Or build from source
git clone https://github.com/initializ/forge.git && cd forge && make build

Contributors

Built by the Initializ team.

---

Full Changelog: v0.7.0...v0.8.0

v0.7.0

What's New in Forge v0.7.0

Forge v0.7.0 brings Kubernetes cost optimization, frontend code generation, an interactive skill builder UI, and OpenAI Enterprise support — plus infrastructure improvements that make adding new skills a single-directory operation.

---

Kubernetes Pod Rightsizer Skill

New embedded skill (k8s-pod-rightsizer) that analyzes real workload metrics and produces deterministic CPU/memory rightsizing recommendations — no LLM guessing.

• Three modes: dry-run (report only), plan (generate patch YAMLs), apply (execute with automatic rollback bundles)
• Prometheus p95 metrics with metrics-server fallback
• Policy model with per-namespace and per-workload overrides (safety factors, min/max bounds, step constraints)
• Workload classification: over-provisioned, under-provisioned, right-sized, limit-bound, insufficient-data
• Safety: apply mode requires explicit i_accept_risk: true confirmation; generates rollback bundle before patching

Code Generation Skills

Two new embedded skills for scaffolding and iterating on frontend applications:

• codegen-react — Vite + React 19 with Tailwind CSS. Four tools: scaffold, run (npm install + dev server with browser auto-open), read, write. Vite hot-reloads on file changes.
• codegen-html — Preact + HTM with zero local dependencies. Three tools: scaffold (single-file or multi-file mode), read, write. No Node.js, no build step — just open index.html in a browser.

Both skills include Forge dark theme defaults, path traversal prevention, and LLM guardrails to prevent common errors.

Skill Builder UI

Interactive LLM-powered skill creation wizard in the web dashboard:

• Real-time chat for generating skills from natural language descriptions
• YAML frontmatter validation with inline error display
• One-click save to agent configuration
• Daemon lifecycle — agents now run as forge serve daemon processes via exec.Command, surviving UI shutdown and auto-detected on restart

file_create Builtin Tool

New tool for creating downloadable files that are both written to disk and uploaded to the user's channel (Slack/Telegram):

• Files written to agent-scoped .forge/files/ directory (not system temp) via FilesDir context injection
• Returns a path field so other tools (e.g., kubectl apply -f <path>) can reference created files
• Supports .json, .yaml, .yml, .txt, .md, .csv, .xml, .html, .sh, .py, .go, .js, .ts

OpenAI Enterprise Organization ID

Full-stack support for routing OpenAI API requests to the correct enterprise organization:

• organization_id in forge.yaml and OPENAI_ORG_ID env var
• OpenAI-Organization header on all OpenAI API calls (chat, embeddings, responses)
• Fallback inheritance with per-fallback override
• Audit logging includes organization_id field
• TUI wizard and web dashboard org ID configuration

Skill Metadata Improvements

All 11 embedded skills now declare icon, category, and tags in their SKILL.md frontmatter:

• Icons flow from SKILL.md → parser → scanner → registry → TUI (no hardcoded map)
• Adding a new skill never requires touching forge-cli — all metadata is in the SKILL.md
• Enforced by tests: TestEmbeddedRegistry_AllSkillsHaveIcons and TestEmbeddedRegistry_AllSkillsHaveCategoryAndTags
• Category and tag filtering: forge skills list --category sre --tags kubernetes

Additional Improvements

• TUI scroll fix — MultiSelect and SingleSelect components now use viewport-based scrolling with ▲ N more above / ▼ N more below indicators
• Update notifications — Dashboard checks GitHub Releases API (30-min cache) and shows an animated banner when a newer Forge version is available
• Slack file handling — Preserves raw content for typed files (JSON, YAML) instead of unwrapping as markdown

---

Embedded Skills (11 total)

Skill	Icon	Category	Type
github	🐙	developer	binary-backed
weather	🌤️	utilities	binary-backed
tavily-search	🔍	research	script-backed
tavily-research	🔬	research	script-backed
k8s-incident-triage	☸️	sre	binary-backed
k8s-pod-rightsizer	⚖️	sre	binary-backed
code-review	🔎	developer	script-backed
code-review-standards	📏	developer	template-based
code-review-github	🐙	developer	binary-backed
codegen-react	⚛️	developer	script-backed
codegen-html	🌐	developer	script-backed

Pull Requests

• #22 — feat: skill builder UI, daemon lifecycle, update notifications
• #21 — feat: add k8s-pod-rightsizer skill, file_create tool, and skill metadata improvements
• #20 — feat: OpenAI Enterprise org ID support and TUI scroll fix
• #19 — feat: add codegen-react and codegen-html embedded skills

Full Changelog: v0.6.0...v0.7.0

v0.6.0

What's New

Code Review Skill Suite

Three new embedded skills for AI-powered code review:

• code-review — Script-backed skill with code_review_diff and code_review_file tools. Supports GitHub PR URLs and local git diffs, Anthropic/OpenAI LLM routing, large diff detection, untracked file inclusion, ~ path expansion, and org standards via .forge-review/ directory.
• code-review-standards — Standards discovery and initialization with templates for config.yaml, ignore patterns, and language-specific rules (Go, Python, TypeScript, security, testing).
• code-review-github — PR workflow orchestration: list PRs, post inline review comments, apply labels, and guarded auto-merge.

Bug Fix

• Fixed OneOf env vars not being passed to skill script executor, causing skills with one_of requirements (e.g., ANTHROPIC_API_KEY/OPENAI_API_KEY) to silently fail at runtime.

Full Changelog: v0.5.0...v0.6.0

v0.5.0

Forge v0.5.0 — A2A Authentication, Slack Socket Mode & Documentation Overhaul

Forge is an open-source, secure AI agent runtime for building, deploying, and operating LLM-powered agents with built-in security, observability, and multi-provider support. This release adds bearer token authentication to the A2A server, rewrites the Slack adapter to Socket Mode, and reorganizes all documentation into a navigable 22-page doc site.

---

Highlights

Secure-by-Default A2A Authentication

The Forge A2A HTTP server now requires bearer token authentication on all endpoints by default — closing the open-localhost attack surface that affects most local AI agent frameworks.

• Auto-generated tokens — forge run generates a cryptographically random token on startup and stores it at .forge/runtime.token with 0600 permissions
• HTTP middleware — validates Authorization: Bearer <token> on all JSON-RPC and SSE endpoints
• Smart path skipping — health checks (/healthz), agent card (/.well-known/agent.json), and CORS preflight (OPTIONS) bypass authentication
• Channel integration — the channel router and forge ui chat proxy automatically load and send the token when forwarding requests
• Opt-out for development — --no-auth flag disables authentication (only allowed on localhost bindings)
• Explicit tokens — --auth-token <value> for CI/CD and scripted setups
• Audit trail — auth_success and auth_failure events emitted with request method, path, and remote address
• Daemon support — forge serve passes auth flags to the background process and reports auth status

# Default: auth enabled, token auto-generated
forge run
# Auth:    enabled (token in .forge/runtime.token)

# Disable for local development
forge run --no-auth

# Explicit token for CI/CD
forge run --auth-token "my-secret-token"

Why this matters: Local AI agent servers typically bind to localhost:8080 with no authentication. Any local process — a malicious browser extension, compromised npm package, or rogue script — can send requests to the agent, exfiltrate data via tool calls, or trigger actions. Forge now prevents this by default.

Slack Socket Mode Rewrite

The Slack channel adapter has been completely rewritten from webhook-based to Socket Mode, eliminating the need for public URLs, ngrok, or inbound webhooks.

• Outbound WebSocket only — connects to Slack via apps.connections.open, no public URL needed
• Mention-aware filtering — responds only when @mentioned in channels, always in DMs and active threads
• Processing indicators — 👀 reaction on receipt, interim "Researching..." message after 15 seconds
• Large response handling — responses >4096 chars split into summary + downloadable Markdown file upload
• Thread support — replies in-thread when the original message is in a thread
• Community files — added CONTRIBUTING.md, CODE_OF_CONDUCT.md, issue templates, and PR template

Documentation Reorganization

The README has been slimmed from 1,349 lines to 115 lines. All detailed content now lives in 22 focused, navigable documentation pages.

• 10 new doc pages — installation, quickstart, memory, configuration, deployment, scheduling, dashboard, secrets, signing, guardrails
• 7 enriched pages — skills, tools, runtime, hooks, channels, commands, architecture updated with full README content
• Security docs restructured — SECURITY.md renamed to overview.md with sub-pages for egress, secrets, signing, and guardrails
• Navigation system — every doc has prev/next links in a 22-page reading order
• /sync-docs slash command — Claude Code command that reads git diff, maps changed files to affected docs, and updates them

---

New: forge-core/auth Package

A new forge-core/auth package provides reusable authentication primitives:

Component	Description
auth.GenerateToken()	Generate 32-byte cryptographically random hex token
auth.StoreToken(dir, token)	Write token to .forge/runtime.token with 0600 permissions
auth.LoadToken(dir)	Read token from an agent directory
auth.Middleware(cfg)	HTTP middleware for bearer token validation
auth.Config	Configuration with skip paths, audit callbacks, and enable/disable

Platform-aware file permissions: 0600 on Unix, ACL-restricted on Windows.

---

Breaking Changes

Channel Router API

channels.NewRouter() now requires a bearer token parameter:

// Before (v0.4.0)
router := channels.NewRouter(agentURL)

// After (v0.5.0)
router := channels.NewRouter(agentURL, bearerToken)

Pass an empty string to disable authentication on the router.

Slack Configuration

Slack now requires Socket Mode tokens instead of webhook configuration:

# Before: webhook-based
SLACK_BOT_TOKEN=xoxb-...

# After: Socket Mode (requires app-level token)
SLACK_APP_TOKEN=xapp-1-...
SLACK_BOT_TOKEN=xoxb-...

See Slack App Setup for the full configuration guide.

---

New CLI Flags

Command	Flag	Description
forge run	--no-auth	Disable bearer token authentication (localhost only)
forge run	--auth-token	Set an explicit bearer token
forge serve	--no-auth	Disable auth for the background daemon
forge serve	--auth-token	Set an explicit token for the daemon

---

New Audit Events

Event	Description
auth_success	Authenticated request (method, path, remote_addr)
auth_failure	Rejected request — missing or invalid token

---

Documentation

Page	Description
Quick Start	Get an agent running in 60 seconds
Installation	All installation methods
Architecture	System design and data flows
Skills	Skill definitions, registry, and built-in skills
Tools	Built-in tools, adapters, and custom tools
Runtime	LLM providers, fallbacks, running modes
Memory	Session persistence and long-term memory
Channels	Slack and Telegram adapter setup
Security Overview	Complete security architecture
Configuration	Full forge.yaml schema and env vars
Commands	CLI reference with all flags
Dashboard	Web UI for agent management
Deployment	Container, Kubernetes, and air-gap deployment

---

Stats

• 68 files changed, 4,317 insertions, 1,968 deletions
• 17 Go files changed across forge-core, forge-cli, forge-plugins, and forge-ui
• 22 documentation pages (10 new, 12 updated)
• 6 new Go source files in forge-core/auth/
• PRs: #15, #17
• Issue: Closes #16

---

Contributors

Thanks to everyone who contributed to this release.

Install / Upgrade

# Homebrew
brew upgrade initializ/tap/forge

# Binary
curl -sSL https://github.com/initializ/forge/releases/download/v0.5.0/forge-$(uname -s)-$(uname -m).tar.gz | tar xz
sudo mv forge /usr/local/bin/

# Verify
forge --version

Full Changelog: v0.4.0...v0.5.0

v0.4.0

Forge v0.4.0 — Cron Scheduler, Web Dashboard, K8s Triage & Deep Research

Forge is an open-source framework for building, deploying, and operating AI agents with built-in security, observability, and multi-provider LLM support. This release adds a built-in cron scheduler with channel delivery, a local web dashboard for agent lifecycle management, a Kubernetes incident triage skill, deep research capabilities, and a redesigned forge serve daemon manager.

---

Highlights

Built-in Cron Scheduler with Channel Delivery

Forge agents can now execute tasks on cron schedules — no external scheduler, database, or message queue required. Schedules are created declaratively in forge.yaml or dynamically by the LLM via tool calls during conversation.

• Standard cron expressions — 5-field (*/15 * * * *), aliases (@hourly, @daily), intervals
• Overlap prevention — running tasks are tracked per schedule ID; next tick skips if still executing
• Markdown-backed persistence — schedules stored in .forge/memory/SCHEDULES.md (human-readable, version-controllable)
• Channel delivery — scheduled task results are automatically sent to Slack or Telegram channels
• Channel context injection — when users create schedules from a chat conversation, the originating channel and chat ID are captured automatically for result delivery
• Execution history — last 50 runs tracked with timestamp, status, duration, and correlation ID
• 4 new LLM tools — schedule_set, schedule_list, schedule_delete, schedule_history
• 2 new CLI commands — forge schedule list, forge schedule delete <id>
• YAML sync — declarative schedules in forge.yaml are auto-synced to the store on startup

# forge.yaml
schedules:
  - id: daily-health-check
    cron: "0 9 * * *"
    task: "Run health check on all services and report status"
    skill: k8s-incident-triage
    channel: telegram
    channel_target: "-100123456"

forge serve — Background Daemon Manager

forge serve has been redesigned from a duplicate foreground server into a proper daemon lifecycle manager with start/stop/status/logs subcommands.

• forge serve / forge serve start — forks forge run in background, writes PID to .forge/serve.json, logs to .forge/serve.log
• forge serve stop — SIGTERM with 10-second graceful timeout, SIGKILL fallback
• forge serve status — shows PID, listen address, and health endpoint status
• forge serve logs — tails last 100 lines of daemon log
• Passphrase handling — parent process prompts for passphrase (has TTY), child inherits via environment
• Cross-platform — Unix (Setsid, SIGTERM/SIGKILL) and Windows (DETACHED_PROCESS, OpenProcess) via build-tagged files

forge run — Production Flags

forge run gains flags for container deployments:

• --host — bind address (e.g., 0.0.0.0 for containers; default: all interfaces)
• --shutdown-timeout — graceful shutdown duration (e.g., 30s; default: immediate)

# Container deployment
CMD ["forge", "run", "--host", "0.0.0.0", "--shutdown-timeout", "30s"]

Local Web Dashboard (forge ui)

A browser-based agent management interface — the GUI equivalent of the full CLI.

• Agent dashboard — discover, start, stop, and monitor agents in a workspace
• Interactive chat — A2A streaming chat with live progress indicators
• 9-step creation wizard — mirrors forge init with inline credential collection, OAuth support, model selection, skill picking, and passphrase setup
• Monaco config editor — tree-shaken YAML-only Monaco bundle (~615KB) with live validation and Cmd/Ctrl+S save
• Skills browser — browse registry skills by category with full SKILL.md content viewer
• Real-time updates — Server-Sent Events for live agent state changes
• Zero dependencies — Preact + HTM via ESM CDN, no npm/webpack build step; embedded in binary via go:embed

forge ui                          # Open http://localhost:4200
forge ui --port 8080 --dir /work  # Custom port + workspace

K8s Incident Triage Skill

A read-only Kubernetes triage skill with comprehensive operational instructions (~320 lines of LLM guidance).

• 7-step triage process — preconditions → health snapshot → events → describe → node diagnostics → logs → metrics
• 8 detection heuristics — CrashLoop, OOMKilled, Image Pull, Scheduling, Probe Failure, PVC/Volume, Node Pressure, Rollout Stuck — each with hypothesis, evidence, confidence score, and recommended next commands
• Safety constraints — read-only only (get, describe, logs, top); never executes apply, patch, delete, exec, port-forward, scale, or rollout restart
• Denied tools — removes http_request and web_search from registry to prevent LLM from bypassing kubectl
• Full SKILL.md body injected inline into the system prompt (no read_skill call needed)

Skill Filtering & Full Body Threading

• Category and tags — skills can declare category (e.g., sre) and tags (e.g., kubernetes, incident-response) in frontmatter
• Filterable — forge skills list --category sre --tags kubernetes,triage with AND semantics
• --skill flag — forge run --skill k8s-incident-triage restricts the agent to specific skills
• Body threading — SkillEntry.Body captures the full markdown after frontmatter and injects it into the system prompt for binary-backed skills

Tavily Deep Research & Skill-as-Tool Adapter

• Async two-tool pattern — tavily_research (submit) + tavily_research_poll (poll with internal retry, up to 280s)
• Skill-as-tool adapter — SkillTool wraps script-backed skills as first-class LLM tools with JSON Schema input
• Channel document upload — responses >4096 chars split into summary message + full report as file attachment (Slack files.upload, Telegram sendDocument)
• Local egress proxy — subprocess egress enforcement for skill scripts

---

New CLI Commands

Command	Description
forge ui	Launch local web dashboard
forge schedule list	List all cron schedules with status
forge schedule delete <id>	Delete a cron schedule
forge serve start	Start agent as background daemon
forge serve stop	Stop the running daemon
forge serve status	Show daemon status and health
forge serve logs	Tail daemon log output
forge run --host 0.0.0.0	Bind to specific address
forge run --shutdown-timeout 30s	Graceful shutdown for containers
forge skills list --category sre	Filter skills by category

---

New Built-in Tools

Tool	Description
schedule_set	Create or update a cron schedule with optional channel delivery
schedule_list	List all schedules with status and next run time
schedule_delete	Delete a schedule by ID
schedule_history	View execution history for schedules

---

Configuration

New schedules block in forge.yaml:

schedules:
  - id: daily-report
    cron: "0 9 * * *"
    task: "Generate daily status report"
    skill: k8s-incident-triage   # optional: restrict to a skill
    channel: telegram            # optional: deliver to channel
    channel_target: "-100123456" # optional: chat/channel ID

New skill frontmatter fields:

category: sre                    # optional: lowercase kebab-case
tags: [kubernetes, triage]       # optional: filterable
metadata.forge.denied_tools:     # optional: remove tools from registry
  - http_request
  - web_search

---

What Changed

118 files changed, 16,573 insertions(+), 510 deletions(-)

New Modules & Packages

• forge-ui/ — Local web dashboard module (server, handlers, process manager, discovery, SSE, chat proxy, embedded SPA)
• forge-core/scheduler/ — Cron scheduler package (tick loop, cron parsing, overlap prevention, history)
• forge-cli/runtime/scheduler_store.go — Markdown-backed schedule persistence

New Skills

• skills/k8s-incident-triage/SKILL.md — Kubernetes incident triage (~320 lines)
• skills/tavily-research/ — Async deep research with submit + poll scripts

New CLI Commands

• forge-cli/cmd/schedule.go — forge schedule list, forge schedule delete
• forge-cli/cmd/serve.go — Daemon manager (start/stop/status/logs)
• forge-cli/cmd/serve_unix.go / serve_windows.go — Platform-specific process management
• forge-cli/cmd/ui.go — Web dashboard launcher with dependency injection

New Tools

• forge-core/tools/builtins/schedule_set.go — Create/update schedules
• forge-core/tools/builtins/schedule_list.go — List schedules
• forge-core/tools/builtins/schedule_delete.go — Delete schedules
• forge-core/tools/builtins/schedule_history.go — Execution history

Key Changes

• forge-cli/runtime/runner.go — Scheduler integration, ScheduleNotifier, channel delivery, skill body threading
• forge-cli/channels/router.go — Channel context injection ([channel:X channel_target:Y] prefix)
• forge-core/types/config.go — Schedule config, channel fields
• forge-skills/contract/filter.go — Category/tag filtering with AND semantics

---

Pull Requests

• #14 — Add cron scheduler, serve daemon, and channel delivery
• #13 — Add local web dashboard (forge ui)
• #12 — Add K8s incident triage skill, filtering, and inline skill instructions
• #11 — Add skill-as-tool adapter, Tavily Research skill, and channel document upload

Contributors

• @initializ-mk

---

Installation

brew tap initializ/tap
brew install forge-cli

Or download from releases:

curl -sSL https://github.com/initializ/forge/releases/download/v0.4.0/forge-$(un...