Skip to main content
July 6, 2026

Week of July 6, 2026

Release 0.6.2 shipped this week, adding a scripting-friendly githits auth token command, publishing GitHits to the official MCP registry as com.githits/githits, and polishing the githits login URL fallback plus the packaged GitHits MCP skill copy.

New

githits auth token for scripting and CI A new githits auth token command prints the current bearer token to stdout — no labels, prompts, or extra whitespace — so you can pipe it directly to other tools or use it in command substitution. Resolution matches the rest of the CLI: if GITHITS_API_TOKEN is set it wins, otherwise the stored OAuth access token is printed, refreshing it against the saved client first if it’s expired. When no credentials are available the command exits non-zero instead of triggering an interactive login, so CI runs fail fast with a clear signal.
curl -H "Authorization: Bearer $(npx githits@latest auth token)" \
  https://api.example.com/resource
Published to the official MCP registry GitHits is now listed in the official MCP registry as com.githits/githits, giving MCP-aware clients a canonical discovery and installation path in addition to the existing npx githits@latest init flow. The registry entry is published automatically from the release pipeline, so it stays in lockstep with each new CLI release.

Improved

Visible sign-in URL fallback during githits login githits login now always prints the browser sign-in URL as a visible fallback during normal runs, not just under --no-browser. If the browser launch is hidden (for example inside a wrapper terminal) or fails silently, you’ll still see the URL and can open it yourself without rerunning the command.Tightened GitHits MCP skill guidance The packaged githits-mcp skill installed by guided githits init picks up small copy tweaks — clearer framing that GitHits covers public OSS and package evidence, and less prescriptive advice about unrelated local tools — so agents get a calmer, more accurate description of when to reach for GitHits.
July 3, 2026

Week of June 29 – July 3

Release 0.6.0 shipped this week, making guided GitHits MCP setup the recommended githits init path, adding a packaged githits-mcp skill and short managed instruction block that agents pick up automatically, and expanding the set of supported MCP setup targets.

New

Guided GitHits MCP init is the new recommended path githits init now leads with Install GitHits MCP + supporting instructions (Recommended) as the top choice, with plain MCP and standalone Agent Skills kept as explicit alternatives. Guided setup installs the MCP server plus a small githits-mcp skill and a managed instruction block, so agents reliably reach for GitHits as the default OSS context layer instead of falling back to model memory or generic web search.New flags let you pick a mode non-interactively:
  • githits init --guidance — install MCP plus the supporting skill and instruction block.
  • githits init --no-guidance — install plain MCP only.
  • githits init uninstall --keep-guidance — remove the MCP config but keep the skill and instruction block in place.
Interactive setup, --yes, and staged --install-agents all default to guided MCP unless --no-guidance is passed. Reruns are idempotent: if MCP is already installed but guidance is missing, guided init installs only the missing pieces, and vice versa. Uninstall cleans up GitHits MCP config, the managed instruction block (identified by <!-- githits --> markers), and the GitHits-owned githits-mcp/SKILL.md from every target path, deleting the skill directory only if it ends up empty.Guidance is installed at both user and project scope depending on the tool — for example a project-level .claude/skills/githits-mcp/SKILL.md alongside a user-level ~/.copilot/instructions/githits.instructions.md.Packaged githits-mcp skill and managed instruction block GitHits now ships a dedicated githits-mcp Agent Skill and a short managed instruction paragraph that guided init drops into AGENTS.md, CLAUDE.md, GEMINI.md, and equivalent per-tool instruction files. The skill tells agents to prefer GitHits for open-source discovery, planning, research, implementation, debugging, and maintenance — package docs, indexed package and repository source, examples, dependency graphs, vulnerabilities, changelogs, and upgrade-review evidence — and to route to the right tool (search, docs_*, code_*, pkg_*, get_example) instead of relying on model memory. The instruction block stays intentionally one paragraph; the skill carries the detailed behavior, so agent context stays lean.Expanded MCP setup targets Guided and plain githits init now configure MCP for a wider set of current, docs-backed clients:
  • Zedcontext_servers in ~/.config/zed/settings.json (user) or .zed/settings.json (project).
  • JuniemcpServers in ~/.junie/mcp/mcp.json or .junie/mcp/mcp.json.
  • Qwen CodemcpServers in ~/.qwen/settings.json or .qwen/settings.json.
  • KiromcpServers in ~/.kiro/settings/mcp.json or .kiro/settings/mcp.json.
  • Kilo Codemcp in ~/.config/kilo/kilo.jsonc or .kilo/kilo.jsonc, using the local command shape.
  • Factory DroidmcpServers in ~/.factory/mcp.json or .factory/mcp.json.
  • Amazon Q CLI — command-driven user install via detected q mcp / qchat mcp; no direct file editing.
Each target participates in the same install, uninstall, rerun, and --install-agents --json flows as existing tools.

Fixed

  • Headless-friendly githits init sign-in. Release 0.6.1 adds a --no-browser flag to githits init that prints the sign-in URL instead of trying to open a browser, so SSH sessions, containers, and other display-less environments can complete guided setup without a remote browser popping up. Behaves the same as githits login --no-browser.
June 26, 2026

Week of June 22 – June 26

Releases 0.5.1, 0.5.2, and 0.5.3 shipped this week, focused on a canonical syntax for GitHub repository targets, sharper “did you mean” guidance when a ref doesn’t exist, and a leaner aggregate path for pkg_upgrade_review.

New

Canonical github:owner/repo#ref target syntax Code navigation, search, and documentation access now accept GitHub repository targets in a canonical github:owner/repo#ref form, plus full https://github.com/owner/repo URLs. The #ref form makes refs that contain @ (for example n8n@2.26.5) unambiguous, and CLI and MCP follow-ups now echo the same canonical label everywhere. Malformed GitHub URLs are rejected up front instead of being passed through.Aggregate pkg_upgrade_review with transitive truncation metadata pkg_upgrade_review now uses a single aggregate backend query instead of fanning out per package, so reviews are faster and JSON/text output stays in lockstep. Public JSON also gains *TotalCount and *Truncated fields on transitive vulnerability detail pages, so agents can tell when a list was cut off and decide whether to ask for more.

Improved

Cleaner githits init status rows githits init now shows the read-only probe command (for example checked via claude plugin list) on rows that didn’t change, prints install or uninstall commands only when they actually ran, and aligns multi-command continuation rows to the detail column. Composite rows that pair a CLI check with a config-file write are preserved.Leaner package metadata payloads Package summary, dependency, and changelog backend calls now request only the fields each output mode actually uses — compact text and --omit-bodies skip verbose fields, while JSON and verbose modes keep everything. You should see faster responses for the common pkg info, pkg deps, and pkg changelog paths with no change in what’s rendered.“Did you mean” suggestions for unknown repository refs When code navigation hits a REF_NOT_FOUND for a GitHub target, the error now includes the backend’s suggestedRefs (a short “did you mean” list) separately from availableRefs (indexed refs you can retry against). CLI and MCP error details surface both, and the inline hint only appends a suggestion when the backend message doesn’t already include one — no more duplicated suggestions in the same error.Indexing wait estimates in error messages Code navigation responses for repos that are still being indexed now include a compact estimate of how long indexing should take, alongside structured indexingEstimate fields in the error details. You’ll know whether to wait a few seconds or come back later.
June 19, 2026

Week of June 15 – June 19

Releases 0.4.14 and 0.4.15 shipped this week, focused on a much clearer init install/uninstall experience, stricter package target syntax, and a wave of auth hardening for users running multiple agents in parallel.

New

Per-tool change rows in githits init githits init now reports exactly what changed for every detected tool — created, updated, unchanged, or ran — alongside the config path or command it touched, instead of a generic success line. Already-configured tools are included in the audit so you can see at a glance what your setup looks like, and --install-agents --json includes structured changes for scripting.Unified init uninstall UX githits init uninstall now uses the same selection model as install: configured tools are pre-checked, deselecting one keeps it, and --yes removes from all configured tools. Per-tool result rows use the same aligned renderer as install, so install and uninstall finally read the same way.Auth-clear breadcrumb in githits doctor githits doctor now surfaces the last auth-clear event (reason + timestamp) when your token went missing — for example after a refresh-token reuse, a rejected client registration, or an explicit logout. When the active token is missing, doctor also prints a cause-specific recommendation so you know what to do next. No secrets are stored.

Improved

Explicit package registries in target specs Package targets across search, code navigation, documentation access, and package inspection now require an explicit registry prefix — for example npm:express instead of a bare express. GitHub repository shorthands github:owner/repo and github.com/owner/repo are normalized. Errors for mixed package/repo targets, CLI help, and MCP tool descriptions were rewritten to match.Cleaner login and logout output githits login and githits logout output is now concise — no token-lifetime or environment details, no implementation-oriented progress lines. Just what happened.Dedicated message for missing git refs Code navigation tools now classify backend REF_NOT_FOUND responses separately and show repo/ref-specific guidance instead of generic path-narrowing or “try code_files” hints. You’ll know immediately when a branch, tag, or commit doesn’t exist.Windows launcher detection in doctor githits doctor’s PATH lookup now checks PATHEXT launchers like githits.cmd on Windows, so doctor correctly reports the CLI as installed instead of missing.

Fixed

  • Refresh-token reuse races between concurrent agents. The auth refresh lock is now keyed to the credential scope (per-user) instead of the active config directory, so two local agents sharing the same keychain credential no longer both submit the same single-use refresh token and trigger a server-side family revocation. Terminal invalid_client and refresh-reuse failures also clear stale state immediately so the next login starts clean.
  • Cross-class credential tug-of-war. Keychain and file-mode auth storage are now isolated for both reads and writes — agents running in different storage modes can no longer steal and delete each other’s tokens. Switching auth.storage between modes now requires an explicit githits login.
  • Automatic auth clears stay scoped to the active backend. A stale credential in an inactive backend (for example a leftover keychain token) can no longer wipe the good credential in the mode you actually run. Explicit githits logout still clears every backend.
  • Auth lock acquisition retries on write races. Concurrent token refreshes no longer fail with ENOENT when another contender removes the lock directory between create and owner-file write.
June 12, 2026

Week of June 8 – June 12

New

GitHits onboarding skill A new githits-onboarding skill walks coding agents through a safe, staged GitHits setup — detecting supported tools, asking before writing any config, installing the ones you pick, guiding you through login, and verifying the result. It ships as a public skill and as part of the Claude Code plugin. Install GitHits Skills and your agent can run setup for you instead of you wiring init flags by hand.

Improved

More resilient githits init on slow machines Agent detection and config probes in githits init now run with bounded timeouts (2–5s) so a stuck binary lookup or hung config check fails fast instead of stalling onboarding. Set GITHITS_INIT_TRACE=1 to print step-by-step diagnostics on stderr when you need to debug a detection issue — JSON output on stdout is unaffected and stays machine-parseable.
June 5, 2026

Week of June 1 – June 5

New

OpenCode support in githits init githits init now detects and configures OpenCode alongside the other supported AI coding tools, with a higher generated MCP timeout tuned for OpenCode’s session flow.Safer MCP package tool inputs Package inspection tools picked up cleaner, agent-safer schemas: pkg_deps now takes max_depth, pkg_changelog takes omit_bodies, and pkg_upgrade_review takes skip_transitive_security. Defaults are no longer silently coupled to other options, so agents get more predictable behavior on every call.

Improved

Better language search results githits languages and the search_language MCP tool now route queries through the backend’s ranked /languages endpoint instead of local filtering. Short aliases like ts, py, js, c++, and c# now surface the right language first.Clearer authentication errors Auth failures now distinguish missing local credentials from backend-rejected tokens, both in CLI JSON output and MCP error envelopes. Remediation guidance points you to the right next step — OAuth login, GITHITS_API_TOKEN, or support — instead of a generic “not authenticated” message.Normalized empty MCP search filters The search tool no longer fails with INVALID_ARGUMENT when an agent passes empty docs-only filter fields. Blank filters are treated as absent, matching how other MCP inputs behave.

Fixed

  • Concurrent agents no longer invalidate each other’s auth tokens. Token refresh is now serialized across CLI and MCP processes sharing the same credentials, so running multiple agents in parallel won’t spend a single-use refresh token twice and log you out.
May 29, 2026

Week of May 25 – May 29

New

Project-level githits init githits init now supports installing GitHits MCP configuration at the project level, alongside the existing user-level setup. Project mode covers detect, install, and uninstall flows for supported agents — including a new VS Code stdio config — so you can scope GitHits to a single repo without touching your global agent setup.githits doctor diagnostics command A new githits doctor command prints a redacted snapshot of your runtime, environment, config path, service override, and auth file state. Text and --json output are both supported, and probes are read-only so running it never triggers auth migration or token refreshes. Use it first when filing an issue.Swift package support Swift is now a first-class registry across search, code navigation, documentation access, and package inspection. Vulnerability and dependency lookups, v-prefixed versions, and GitHub-shaped package coordinates all work for Swift packages out of the box.

Improved

Simpler search source selection The search tool and githits search --source now take a single source value instead of a list. Descriptions for target and source were also rewritten to be clearer for agents. Passing --source more than once is now rejected explicitly instead of silently picking one.Request timeouts everywhere REST, OAuth, and package metadata GraphQL calls now share a fetch timeout wrapper with timeout-specific error classification, so stalled requests fail fast with a clear reason instead of hanging.Structured auth failures Missing-auth failures from authenticated commands now return a consistent JSON envelope (AUTH_REQUIRED), while terminal sessions still see the friendly login guidance. Easier to handle from scripts and agents.

Fixed

  • Empty optional MCP fields no longer break tool calls. pkg_upgrade_review, search targets, pkg_changelog addressing, and code_* targets now treat harness-filled empty arrays and blank strings as absent instead of failing validation.
  • Token refresh races hardened. Concurrent refresh attempts coalesce correctly across soft and forced refreshes, rotated refresh tokens are preserved on same-lineage conflicts, and newer external sessions/logouts still take precedence.
  • Windows init no longer triggers Node DEP0190. Subprocess probes now run through cmd.exe with safe argument escaping so shim resolution works without deprecation warnings.
May 22, 2026

Week of May 18 – May 22

New

Hermes Agent support in githits init githits init now detects Hermes Agent alongside the other supported AI coding tools and writes its MCP server configuration to ~/.hermes/HERMES_HOME while preserving existing YAML comments. Run githits init to set it up.Agent-safe staged onboarding The init command now supports a staged, non-interactive flow for agents and CI. New flags on githits init:
  • --detect-agents — scan for supported AI tools and exit without making changes.
  • --install-agents <ids> — install only the agents you explicitly name. Idempotent for already-configured agents.
  • --json — emit detection and install results as structured JSON.
--yes is rejected in non-interactive runs to prevent surprise side effects. See the headless CI guide for usage patterns.Copy-paste agent snippet on the init ready screen After setup completes, githits init now prints a snippet you can drop directly into your AGENTS.md or CLAUDE.md so your agent knows when to reach for GitHits tools.

Improved

Redesigned init onboarding flow Rewritten copy across every init screen (intro, detect, choose, sign-in, install, ready, uninstall) in a clearer, agent-focused voice. The CLI also picks up a new brand color, a gradient ASCII logo, highlighted --help section titles, and an animated spinner with rotating labels on example, search, code, and docs while requests are in flight.Target resolution feedback for code navigation Code navigation tools (search, code_files, code_read, code_grep) now surface compact, actionable warnings when a target needs freshness or indexing attention, and stay quiet on healthy default-branch requests. Follow-up targets and default-branch intent are preserved across calls.Severity-filtered transitive upgrade advisories pkg_upgrade_review now applies your min_severity setting to transitive vulnerability counts, so the evidence you see matches the threshold you asked for. The previous “transitive counts are unfiltered” caveat has been removed.

Fixed

  • --no-color now actually disables color. The flag was previously registered but never wired up. Every styled output across the CLI now respects it.
  • githits logout no longer reads the keychain. Logout completes cleanly without unnecessary credential prompts.
  • Auth is refreshed before init login to avoid stale-session failures during onboarding.
  • Init detection messaging is clearer when no compatible agents are found, and login guidance is suppressed when an install step fails.
  • Node 20 compatibility restored after a regression in the previous release.
  • Stale-search warnings suppressed when the follow-up target matches the original request.