release: SpecBridge v1.0.0#12
Merged
Merged
Conversation
…very engine Generic, schema-agnostic plan/apply/report/verify migration engine plus a recovery engine restricted to safe action kinds inside .specbridge/. Plans are hash-bound to exact file bytes; applies are atomic with backups and rollback; recovery preserves originals in quarantine and appends to an append-only log. Nothing runs automatically; CLI wiring follows.
Root, all workspace packages, CLI/MCP/extension-SDK/Action version constants, plugin and marketplace manifests. Template and extension compatibility ranges widen from <1.0.0 to <2.0.0 (scaffolds now emit >=1.0.0 <2.0.0); built-in packs, registry index/entries, and galleries regenerated; version-sensitive tests updated. Plugin and Action dist rebuilds follow once the new CLI commands land.
docs/stability/{public-contracts,versioning-policy}.md inventory every
public contract with per-area stability promises. docs/security/
threat-model.md consolidates the per-subsystem threat models (29 threats
with mitigations verified against source) and states explicit non-claims.
Adds SECURITY/SUPPORT/CONTRIBUTING/CODE_OF_CONDUCT, issue forms, PR
template, release checklist, and the temporary v1.0.0 resume document.
… security scan Machine-readable contract snapshots under contracts/ (CLI tree, exit codes, report IDs, schema versions, verification rules, runner/template/extension contracts, MCP names, Skill names, Action interface) enforced by pnpm check:public-contracts. Adds pnpm generate/check:mcp-docs (tool-reference generated from the authoritative registry) and pnpm check:security (deterministic scan for credentials, bypass strings, and bundle paths). Wires the new checks plus example validation into CI and adds a tag-driven, draft-first release workflow with a workflow_dispatch dry-run mode.
Wires the migration framework and recovery engine into the CLI: specbridge migrate status|plan|apply|verify (--dry-run/--json/--backup-directory/--target) specbridge state validate (read-only; per-family diagnosis) specbridge state recover --plan|--apply <id> (acknowledgement-token gated) specbridge doctor --repair-plan (read-only recovery preview) specbridge setup (preview-first initialization) config migrate becomes a deprecated alias (stderr notice; removal >= v2.0.0). Adds the state-family registry, corruption fixtures, and 66 tests covering migration idempotency/atomicity/rollback, read-only validation, hash-bound recovery, quarantine preservation, and the never-invent-approvals guarantees.
500-spec / 10,000-task deterministic fixtures plus 12 gated measurements (workspace detection, spec discovery, drift verification, template/extension/ registry search, affected-spec detection, MCP pagination, report generation, peak memory) with generous CI budgets and stable 'perf:' benchmark logs. docs/performance.md records methodology, indicative numbers, and two honest findings (single-spec read does full discovery; MCP spec_list analyzes all specs per page). Also pins the MCP stdio version assertions to the constant.
Three new offline, deterministic examples validated in CI: claude-code-workflow
(plugin flow + committed approvals), ci-drift-gate (verification policy +
GitHub Action + trusted commands), and template-and-extension (template
search/preview + safe analyzer flow). Adds scripts/validate-examples.mjs
(26 checks over temp copies), scripts/demo.{sh,ps1} (offline drift demo,
both run green), and docs/launch/demo-recording.md.
…0 CHANGELOG Additive documentation architecture: docs/README.md hub over the existing flat pages plus new getting-started/ (installation, quickstart, existing-kiro -project, claude-code-plugin), migrations hub, and dependency inventory. README first screen follows the launch layout (positioning, workflow, 30-second quickstart, honest maturity/security note). CHANGELOG gains the 1.0.0 entry; roadmap marks v0.7.1 and v1.0.0 shipped; verification-rules documents SBV026.
…ifacts The bare npm name 'specbridge' is taken by an unrelated project, so the package is named specbridge-cli; the bin and command stay 'specbridge'. tsup bundles the @specbridge/* workspace packages into the published dist so the package installs standalone, with an explicit files allowlist (no source maps, tests, or fixtures) and committed LICENSE/NOTICE/README. Rebuilds the plugin and GitHub Action bundles at 1.0.0 and adds the release QUICKSTART.
…otes scripts/package-standalone.mjs builds portable-node and per-platform archives (windows-x64/linux-x64/macos-x64/macos-arm64) with a pinned, hash-verified Node 20.20.2 runtime, a per-archive release manifest (schema/contract versions, SHA-256 file list, no absolute paths), and on-platform smoke tests. scripts/validate-npm-package.mjs enforces the files allowlist and proves the packed specbridge-cli tarball installs and runs in isolation. scripts/assemble-release.mjs emits SHA256SUMS.txt/json and a combined release manifest, failing on any missing expected asset. Adds the v1.0.0 migration guide and release notes, fixes the plugin-ZIP path in release.yml, ignores dist-release/, and widens the doc example compatibility ranges to <2.0.0.
Removes the temporary release working document. All local release gates pass: lint, typecheck, 1266 tests, build, public-contract snapshots, security scan, MCP-doc drift, plugin validation + isolated bundle, template/extension galleries and registries, CLI smoke (47), example validation (26), npm package validation (14, isolated install), and standalone packaging (portable-node + windows-x64 smoke, linux archive, checksummed release manifest). Versions are consistently 1.0.0. No remote operation performed; publication awaits explicit authorization.
Two CI failures on the v1.0.0 PR: The committed Claude Code plugin bundle predated the `setup` command, so CI's reproducibility check (git diff over the bundled dist) failed on Linux. Rebuilt from current source; a second build is now byte-identical. The large-repository performance suite builds ~9,000-file fixtures and real git history inside the main worker pool, which starved vitest's worker RPC on loaded runners: every test passed but the run still failed with an unhandled "Timeout calling onTaskUpdate" error (seen on windows/node-20). The suite now runs separately via `pnpm test:perf` (vitest.perf.config.ts, serial, generous timeouts) and CI runs it as its own step on one matrix combination, matching the policy of treating performance numbers as informational benchmarks. Main suite: 92 files / 1254 tests. Perf suite: 12 tests. Both green, with no unhandled errors.
SpecBridge 1.0.0 widens built-in template and reference-extension compatibility ranges to '<2.0.0' (the old '<1.0.0' bound excluded 1.0.0 itself, failing every built-in template with SBT006). That is a real change in grounded CLI output, so the pinned fixture in agent-skill-verification-template was regenerated and tagged v0.2.0; this pins the new ref. The verifier release pin (ASV_VERSION/ASV_SHA256) is unchanged.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Final stabilization and public-release phase for SpecBridge v1.0.0. This is
not a feature-expansion release: it makes the existing v0.1–v0.7.1 product
stable, installable, recoverable, documented, secure, and releasable. The
product promise is unchanged — start in Kiro, continue anywhere, return
whenever you want — and it is now backed by documented, machine-checked
contracts.
Every public contract is inventoried and frozen behind machine-readable
snapshots; persisted state gained an explicit migration framework, read-only
validation, and hash-bound recovery; and the release itself is now
reproducible across platforms with checksummed assets.
Stable contracts
Ten contract areas are inventoried in
docs/stability/public-contracts.mdwithper-area compatibility promises, and the versioning/deprecation policy lives in
docs/stability/versioning-policy.md.Machine-readable snapshots under
contracts/freeze the CLIcommand tree and exit codes, JSON report IDs, every persisted
schemaVersion,verification rule IDs
SBV001–SBV026, the runner adapter vocabulary,template and extension contracts, MCP tool/resource/prompt names, Claude Code
Skill names, and the GitHub Action interface. CI fails on drift via
pnpm check:public-contracts, so a stable contract cannot change without anintentional snapshot update.
No persisted schema version changed in this release.
Migrations and recovery
A single migration framework replaces ad-hoc migration code:
specbridge migrate status | plan | apply | verify— plans are hash-bound toexact file bytes, applies are atomic with backups and rollback, dry-run
writes nothing, and applying twice is a no-op. Reports land under
.specbridge/migrations/<id>/.specbridge state validate— read-only diagnosis across every state family.specbridge state recover --plan | --apply <id>— plan-only by default;applying requires an acknowledgement token derived from the plan hash and
re-validates every file hash first.
specbridge doctor --repair-plan— read-only recovery preview.Recovery is structurally constrained: it can only act inside
.specbridge/, so.kiro,.git, and project sources are out of reach. Corrupted files are movedto quarantine, never destroyed, and approvals, evidence, and completed tasks are
never invented. The only real historical migration is config v1 → v2; the guide
says so honestly rather than inventing migrations that never existed.
Security
docs/security/threat-model.mdconsolidatesthe per-subsystem models into 29 threats with mitigations verified against
source, plus explicit non-claims. A deterministic scan (
pnpm check:security)guards against credentials, private keys,
.envinclusion, permission-bypassstrings,
eval/Function, absolute build paths, and source maps in releasebundles.
Performance
A large-repository suite (500 specs / 10,000 tasks, large diffs, 500
templates/extensions, MCP pagination) with generous CI budgets is documented in
docs/performance.md. Two findings are recorded honestlyrather than silently "fixed" during stabilization: single-spec reads perform a
full workspace discovery, and MCP
spec_listanalyzes all specs per page. Bothare within budget and are not regressions.
Packaging
specbridge-cli— the bare namespecbridgeis taken onnpm by an unrelated project. The bin and command remain
specbridge. Thepublished bundle includes the workspace packages, proven by an isolated
npm installsmoke test.pinned, hash-verified Node 20.20.2 runtime, plus a portable-node archive and
the Claude Code plugin ZIP.
file list, no absolute paths);
SHA256SUMS.txt/.jsonverify independently.release.ymlis tag-driven and draft-first, publishes only after assetverification, never clobbers an existing tag or Release, and grants
contents: writeto the publish job alone.workflow_dispatchruns it as abuild-only dry run.
Documentation
Documentation was reorganized additively around a new hub
(
docs/README.md) so no existing link breaks, with newgetting-started guides, a migrations hub, migration guide, release notes, and a
dependency inventory. The README first screen was rewritten for launch. Three
new offline examples and reproducible demo scripts are validated in CI.
Release gates (all pass locally)
check:public-contracts/check:security/check:mcp-docssha256sum -cover assembled assetsReviewer notes
smoke-tested on the Windows development machine; the release matrix builds
each platform natively.
assemble-release.mjs --verify-remoteis implemented but only exercisableagainst a real published Release.
specbridge config migrateis retained as a deprecated alias (stderr notice,removal no earlier than v2.0.0); JSON stdout stays clean.
extension compatibility ranges widened to
<2.0.0.Known limitations (documented, not defects)
not endorsement.
Checklist
pnpm lint,pnpm typecheck, andpnpm testpass locallypnpm check:public-contractspasses — snapshots are introduced in thisPR as the initial frozen baseline
synthetic
or recorded test output
Security-relevant invariants touched: migration and recovery are hash-bound and
refuse stale plans; recovery cannot escape
.specbridge/; protected paths andarchive/symlink defenses are unchanged and now documented centrally.