v0.5.2 — Full Feature Parity, 14 Types, Security Hardening

What's New

14 Built-in Types (was 10)

Added 4 extended types across all 4 languages:

• msf_options — Metasploit KEY VALUE pairs with injection checking
• credential_file — Relative path with existence/file verification
• duration — Plain seconds or suffixed (5m, 2h, 1h30m, 500ms)
• regex_match — Value must match mandatory pattern field

Custom Types

Project-level toolclad.toml defines reusable custom types with base type inheritance:

[types.service_protocol]
base = "enum"
allowed = ["ssh", "ftp", "http", "https"]

Security Hardening

• Real timeout enforcement — try_wait polling + killpg process group kill (Rust)
• String type rejects shell metacharacters by default (fail-closed)
• Unknown arg types error instead of falling through
• HTTP body JSON-escaping prevents request injection
• Platform-aware evidence dirs — uses OS temp directory, not hardcoded /tmp

Output Parsers (all 4 languages)

• builtin:json, builtin:jsonl, builtin:csv, builtin:xml, builtin:text
• CSV: auto-delimiter detection, quoted fields, type inference
• XML: real parsing with attributes, text content, nested arrays

Full Feature Parity

All 4 implementations (Rust, Python, JavaScript, Go) now support:

• All 14 types + custom types
• HTTP and MCP backend routing from execute()
• All 5 output parsers
• Executor escape hatch
• Rich MCP schema generation with format, pattern, minimum, maximum
• HTTP error semantics (client_error for 4xx, server_error for 5xx)
• Scope validation aligned across languages
• [command] section optional for HTTP/MCP-only manifests

Test Coverage

• Rust: 63 tests
• Python: 114 tests
• JavaScript: 74 tests
• Go: all passing