chore: bump version to 0.2.3 (#18) 

v0.2.2: docs overhaul, security hardening, env var config, and test i… …mprovements (#8) * docs: documentation overhaul, security hardening, and test improvements Documentation - Add SECURITY.md (vulnerability reporting, threat model, security controls) - Add CONTRIBUTING.md (PR process, code style, commit conventions) - Add SKILLS-DIRECTORY.md (curated skill repositories and resources) - Add security sections to all 6 package READMEs - Expand root README: MCP CLI server docs, custom provider examples - Deduplicate CONTRIBUTING.md and DEVELOPMENT.md content - Remove stale SECURITY-PLAN.md and agentskills-mcp ghost package - Remove hardcoded version tags from DEVELOPMENT.md Tests - Add ~60 new tests across all packages (boundary, edge cases, parametrized, CLI) - Fix unawaited coroutine warnings in MCP server tests - 265 passing, 0 failures CI/CD - Add Dependabot configuration for pip and GitHub Actions - Add CodeQL workflow for static security analysis - Add pip-audit to lint job * chore: bump version to 0.2.1 Bump all package versions from 0.2.0 to 0.2.1 in preparation for release. Packages updated: - agentskills-core - agentskills-fs - agentskills-http - agentskills-langchain - agentskills-agentframework - agentskills-mcp-server * ci: add pip-audit to dev dependencies Add pip-audit to poetry dev dependencies so the CI lint job's `poetry run pip-audit` step can find the command. Updated poetry.lock accordingly. * fix: address PR review feedback (CodeQL pinning, streaming, cleanup) Address GitHub Copilot review feedback: - Pin github/codeql-action to SHA (27c67e8, v3.27.4) for supply-chain hardening consistency with actions/checkout - Remove unused logging import and _logger variable from HTTP provider (static.py) - Switch HTTP responses from buffered to streaming (client.stream + aiter_bytes) so max_response_bytes is enforced incrementally during download, preventing memory exhaustion from oversized responses - Fix sync TLS warning tests to avoid deprecated asyncio.get_event_loop() and prevent resource-leak warnings from unclosed AsyncClient instances * fix: address PR review feedback (CodeQL pinning, streaming, cleanup) Address GitHub Copilot review feedback: - Pin github/codeql-action to SHA (27c67e8, v3.27.4) for supply-chain hardening consistency with actions/checkout - Remove unused logging import and _logger variable from HTTP provider (static.py) - Switch HTTP responses from buffered to streaming (client.stream + aiter_bytes) so max_response_bytes is enforced incrementally during download, preventing memory exhaustion from oversized responses - Fix sync TLS warning tests to avoid deprecated asyncio.get_event_loop() and prevent resource-leak warnings from unclosed AsyncClient instances - Add pip-audit to dev dependencies for CI audit step * Current runner version: '2.331.0' Runner Image Provisioner Operating System Runner Image GITHUB_TOKEN Permissions Secret source: Actions Prepare workflow directory Prepare all required actions Getting action download info Download action repository 'actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5' (SHA:34e114876b0b11c390a56381ad16ebd13914f8d5) Download action repository 'github/codeql-action@27c67e832fca5f1f63e241559363ac6f107895fb' (SHA:27c67e832fca5f1f63e241559363ac6f107895fb) Error: An action could not be found at the URI 'https://api.github.com/repos/github/codeql-action/tarball/27c67e832fca5f1f63e241559363ac6f107895fb' (1C00:2B76EA:22DF9:2B41B:6993089A) The previously pinned SHA (27c67e8, from Copilot suggestion) did not exist in the github/codeql-action repository. Updated to the actual v3.32.3 release commit (f5c2471be782132e47a6e6f9c725e56730d6e9a3). * feat: env var substitution in MCP config, streaming HTTP, bump 0.2.2 New features: - Add ${VAR} environment variable substitution in MCP server config files (JSON/YAML). Unset vars resolve to empty string with a warning. Keeps secrets out of config files. - Switch HTTP provider to streaming responses (client.stream + aiter_bytes) so max_response_bytes is enforced incrementally during download, preventing memory exhaustion. Fixes: - Pin github/codeql-action to SHA (f5c2471, v3.32.3) for supply-chain hardening - Remove unused logging import from HTTP provider - Fix test resource leaks (unclosed AsyncClient in sync tests) - Fix dependabot label (ci/cd → ci) - Add pip-audit to dev dependencies for CI Version bumped to 0.2.2 across all packages. 14 new tests for env var resolution (279 total, 1 skipped). * docs: replace em dashes with hyphens across all markdown files Replace all em dash (—) and en dash (–) characters with standard hyphens (-) across 14 markdown files for consistency. Fixed double-space artifacts from the substitution.

ci: add release workflow, release config, and update dev tooling (#2) * ci: add release workflow, release config, and update dev docs Add GitHub Release workflow triggered on version tags (v*) using softprops/action-gh-release. Add release.yml config to group release notes by PR labels. Add Python 3.14 to CI test matrix. Document CI, releasing, and dev task runner in DEVELOPMENT.md. * ci: add release workflow, release config, and lint examples Add GitHub Release workflow triggered on version tags. Add release.yml config for grouping release notes by PR labels. Include examples/ in lint and format checks across dev.py and CI. Fix long lines in example files. Add Python 3.14 compatibility note to README. Document CI, releasing, and dev task runner in DEVELOPMENT.md.