v0.3.3 — security hardening + review fixes

What's changed

Post-review hardening pass on top of v0.3.2's prompt optimization work.

Security

• web_fetch SSRF defense: reject URLs targeting loopback (127.*, ::1, localhost), link-local metadata (169.254.* including cloud-metadata 169.254.169.254), and RFC1918 private ranges (10.*, 192.168.*, 172.16–31.*, fc*/fd*). Reduced --max-redirs from 5 → 3 (note: defense is best-effort — curl does not re-validate redirect targets).

Bug fixes

• call_api: replaced globally-scoped RETURN trap with explicit rm -f "$auth_file" after curl. The trap was firing on every subsequent function return across the script, stomping $auth_file state.
• Typo detector false-positives: tightened from the previous same-first-3/±2-char heuristic to strict prefix truncation only. Words like helper, held, configure no longer get rejected with "did you mean 'help'?". sess → sessions, hel → help, and other genuine truncations still work.
• manage_context: switched summary-input cap from head -c 8000 (byte-based, could split a multi-byte UTF-8 rune) to head -n 200 (line-based, UTF-8 safe).

Code quality

• is_binary: simplified fragile $(...) && [[ ]] && return 0 || true chain into direct [[ ]] && return 0 checks.
• read_file: dropped dead || echo 0 guards on wc -l and grep -c '' (never triggered).
• resume: removed redundant ${SESSION_ID%%--*} double-strip.
• run_format_hook: documented FORMAT_CMD trust boundary (user-owned, chmod 600 config).

Version bump: SHOOP_VERSION → 0.3.3

---

v0.3.2 content (not separately released, folded here):

• Optimized system prompt, CRISP rewriter, and context summarizer with truncation awareness, denial handling, and error recovery guidance.

v0.3.1 — refactor + UX fixes + bug fixes

What's changed

Refactoring (8 function extractions)

• run_with_timeout — wraps timeout-safe command execution
• safe_write — TOCTOU-safe atomic file writes (extracted from write_file and replace_in_file)
• trim_messages — hard window fallback for context management
• die_ambiguous_sessions — prints matching sessions and exits
• find_session — locate session by exact/substring/content search
• manage_context — LLM summarization with hard-trim fallback (replaces inline sliding window)
• dispatch_tool — all tool implementations in one function (agent loop: 300 → ~80 LOC)
• Nullglob subshell cleanup throughout session/subcommand code

UX improvements

• Typo guard: bare lowercase words resembling known commands print "did you mean?" hint
• Config migration: appends missing REWRITE/FORMAT_CMD/CHECKPOINT keys to older config files
• TTY guard fix: confirm_or_skip now uses true </dev/tty openability test instead of -e /dev/tty
• config show subcommand prints config with API key redacted
• Session list displays deduplicated timestamp IDs in fixed-width columns
• resume shows last assistant message preview before prompting for continuation

Bug fixes

• find_session was defined after its call site — moved before the case subcommand block
• Session resume double-slug: SESSION_ID contained the slug; save_session was appending it again — fixed by splitting on -- at resume time
• run_format_hook was placed inside safe_write where its appended output got overwritten by the outer result assignment — moved to call sites in write_file and replace_in_file
• web_fetch tool display: _tdisp now includes .url in the jq selector

Version bump: SHOOP_VERSION set to 0.3.1

v0.3.0

Full Changelog: v0.2.0...v0.3.0

v0.2.0 — Tool improvements, DRY refactors, and security hardening

What's new

Tool improvements

• read_file: line range support (start_line/end_line) and binary file detection
• search_files: context_lines and case_insensitive parameters
• run_shell: timeout parameter (1–300s, default 30); requires interactive terminal
• list_dir: new tool to browse directory trees (no confirmation needed)
• Truncation: smart head+tail strategy — shows first and last N/4 lines instead of cutting at the top

DRY refactors

• reject_tool and confirm_or_skip helpers eliminate repeated inline patterns
• Batched jq+@tsv reads reduce jq fork count per turn
• mapfile-based truncation replaces fragile wc -l + printf chain
• jq -n payloads for API calls; call_api now receives payload as argument

Security hardening

• Working directory confinement: check_path/resolve_path block traversal outside $WORKDIR
• Config loaded safely with while IFS='=' read — never source; config dir/file get 700/600 perms
• API key passed via temp file with trap RETURN cleanup — never interpolated into command strings
• Session IDs validated against ^[0-9]{8}-[0-9]{6}-[0-9]+$ before use
• run_shell always requires confirmation regardless of --no-confirm / CONFIRM=0