v0.1.16

What's Changed

• chore: bump version to v0.1.15 and fix release workflow by @homanp in #48

Full Changelog: v0.1.14...v0.1.16

v0.1.15

What's Changed

• chore: bump version to v0.1.15 and fix release workflow by @homanp in #48

Full Changelog: v0.1.14...v0.1.15

v0.1.14

What's Changed

• feat: add --tolerance, --refresh, --mode, and --format flags by @homanp in #47

Full Changelog: v0.1.13...v0.1.14

v0.1.13

Full Changelog: superagent-ai/brin@v0.1.12...v0.1.13

v0.1.11

v0.1.11 - Agent Install Instructions in AGENTS.md

Automatically adds package installation instructions to AGENTS.md during init, guiding agents to use brin for all package operations

Features

• Package installation instructions — brin init now appends a "Package Installation" section to AGENTS.md, instructing agents to use brin add, brin remove, brin scan, and brin check instead of running npm/yarn/pnpm/pip directly
• Idempotent patching — Instructions are only added once, detected via a ## Package Installation marker. Running brin init multiple times won't duplicate the section
• Auto-create AGENTS.md — If no AGENTS.md exists, one is created with the installation instructions included

Technical Changes

• New INSTALL_INSTRUCTIONS_MARKER constant for idempotent detection
• add_install_instructions() and add_install_instructions_at_path() functions in agents_md.rs
• Called automatically at the end of brin init after the docs index update
• Three new tests covering: append to existing file, idempotency, and creation of new file

Full Changelog: superagent-ai/brin@v0.1.10...v0.1.11

What's Changed

• feat: add skills seeding from CSV by @homanp in https://github.com/superagent-ai/brin/pull/41
• feat: wire up install_scripts detection in scan pipeline by @homanp in https://github.com/superagent-ai/brin/pull/42
• feat: add --skip-existing flag to seed script by @homanp in https://github.com/superagent-ai/brin/pull/43
• feat: add package installation instructions to AGENTS.md during brin init by @homanp in https://github.com/superagent-ai/brin/pull/44

Full Changelog: superagent-ai/brin@v0.1.10...v0.1.11

v0.1.10

v0.1.10 - Agent Skills Registry

Secure scanning for Agent Skills from skills.sh with chain-loading detection

Features

• Skills registry support — Scan Agent Skills (SKILL.md) from GitHub repos via brin skills check owner/repo/skill
• Chain-loading detection — Flags skills that instruct agents to install other skills or packages, a supply-chain risk unique to the agent ecosystem
• Nested dependency scanning — Automatically queues scans for skills referenced by other skills
• Skill-specific CLI output — Tailored display showing repo, trust score, and threats instead of CVEs and download counts

Technical Changes

• New SkillsAdapter implementing the RegistryAdapter trait for GitHub-hosted skills
• Initial scans now use Fireworks minimax-m2p5 for faster threat detection
• Opus-verified threats marked as Verified and affect risk level
• JSON salvage fallback for malformed LLM output
• OpenCode scans run sequentially to avoid SQLite lock contention

CLI Usage

Full Changelog: superagent-ai/brin@v0.1.9...v0.1.10

v0.1.9

v0.1.9 - Rebrand to brin

Complete rebrand from "sus" to "brin" across the entire codebase, infrastructure, and npm package.

Changes

• New name — CLI binary, npm package, and all services renamed from sus to brin
• New domain — brin.sh / api.brin.sh
• New npm package — npm install -g brin
• Updated CLI — all commands now use brin (brin add, brin check, brin scan, etc.)
• Updated env vars — BRIN_API_URL, BRIN_INSTALL_DIR, BRIN_VERSION
• Updated config — brin.json, .brin-docs/, [brin Docs Index] markers in AGENTS.md
• Updated infrastructure — Cloud Run services redeployed as brin-api, brin-worker, brin-watcher, brin-cve
• Fixed API startup race — health server socket now releases cleanly before main server binds

Migration from sus

1. Run brin init to regenerate config (replaces sus.json with brin.json)
2. Update any SUS_API_URL env vars to BRIN_API_URL
3. Rename .sus-docs/ to .brin-docs/
4. AGENTS.md index markers update automatically on next brin add

Full Changelog: superagent-ai/brin@v0.1.8...v0.1.9

What's Changed

• feat: add risk_level filter to packages API by @alanzabihi in https://github.com/superagent-ai/brin/pull/32
• chore: npm module packaging by @homanp in https://github.com/superagent-ai/brin/pull/33
• chore: rebrand to brin by @homanp in https://github.com/superagent-ai/brin/pull/37

Full Changelog: superagent-ai/brin@v0.1.8...v0.1.9

v0.1.8

v0.1.8 - Threat Verification & Cautious Language

Human verification for agentic threats and legally-safe CLI messaging

Features

• Threat verification workflow - Added verification_status column to agentic threats with three states: pending, in_progress, verified. Only verified threats affect package risk level.
• Refined risk calculation - Risk level now based solely on CVEs and verified agentic threats. Capabilities and trust score are informational only.
• Cautious CLI wording - Updated all threat messages to use factual language ("possible threat", "patterns consistent with") instead of accusatory terms.

Technical Changes

• New migration adds verification_status column with constraint check and index
• API only returns verified threats in package responses
• calculate_risk() ignores unverified threats regardless of confidence

Why This Matters

• Reduces false positives - Human review required before flagging packages as risky
• Fair to maintainers - Packages aren't penalized by unverified automated scans
• Legal safety - Factual language avoids defamation risk

New Contributors

• @alanzabihi made their first contribution in #29

Full Changelog: v0.1.7...v0.1.8

What's Changed

• feat: add latest query param to group search results by @homanp in #28
• feat: optimize batch push seed + watcher service by @homanp in #30
• use cautious language in security assessments to reduce legal risk and be fair to package authors by @alanzabihi in #29
• feat: add threat verification system and cautious CLI wording by @homanp in #31

New Contributors

• @alanzabihi made their first contribution in #29

Full Changelog: v0.1.7...v0.1.8

v0.1.7

v0.1.7 - Registry Plugin System

Refactored package scanning into a pluggable adapter-based architecture for easier multi-registry support

Features

• Registry Adapter Architecture - New RegistryAdapter trait defines a standard interface for registry-specific logic (metadata fetching, package downloading, trust scoring, CVE ecosystem mapping)
• Unified Package Types - Introduced ExtractedPackage and PackageMetadata types that work across all registries, eliminating duplicate code paths
• Adapter Registry - Central AdapterRegistry manages multiple adapters, making it easy to add new registries by implementing the trait
• Unified Scanner Methods - New scan_unified() and scan_tarball_unified() methods replace registry-specific scan functions

Technical Changes

• NpmAdapter - Refactored existing npm client into adapter pattern with fetch_metadata, download_package, extract_local, and compute_trust_score
• PypiAdapter - Refactored existing PyPI client into adapter pattern with support for both sdist and wheel formats
• Capabilities Module - Updated to detect language (Python vs JS/TS) from unified SourceFile types and apply appropriate analysis
• Simplified Worker Dispatch - Main worker loop now uses single code path for all registries

Architecture

RegistryAdapter (trait)
├── NpmAdapter → npm registry
├── PypiAdapter → PyPI registry
└── CratesAdapter → crates.io (future)

Benefits

• Extensibility - Add new registries by implementing RegistryAdapter trait
• Maintainability - Single unified scan path instead of duplicated npm/PyPI code
• Consistency - All registries produce the same ExtractedPackage format for downstream processing

Full Changelog: v0.1.6...v0.1.7

What's Changed

• feat: add registry plugin system by @homanp in #27

Full Changelog: v0.1.6...v0.1.7

v0.1.6

v0.1.6 - Uninstall & Upgrade Commands

Easy self-removal and self-update for curl-based installations

Features

• sus uninstall command - Remove sus from your system with a single command. Supports --yes to skip confirmation and --all to also remove project files (.sus-docs/, sus.json, and sus section from AGENTS.md).
• sus upgrade command - Check for and install the latest version from GitHub releases. Supports --force to reinstall even if already on latest.
• Smart AGENTS.md cleanup - Uninstall with --all removes only the sus Docs Index section from AGENTS.md, preserving any other content.

CLI Usage

sus uninstall # With confirmation
sus uninstall --yes # Skip confirmation
sus uninstall --all # Also remove project files

sus upgrade # Upgrade if newer version available
sus upgrade --force # Re-download even if on latest

Full Changelog: v0.1.5...v0.1.6

What's Changed

• feat: add uninstall command to cli by @homanp in #20

Full Changelog: v0.1.5...v0.1.6