Skip to content

release: SpecBridge v1.0.0#12

Merged
HelloThisWorld merged 13 commits into
mainfrom
release/v1.0.0
Jul 18, 2026
Merged

release: SpecBridge v1.0.0#12
HelloThisWorld merged 13 commits into
mainfrom
release/v1.0.0

Conversation

@HelloThisWorld

Copy link
Copy Markdown
Owner

Summary

Final stabilization and public-release phase for SpecBridge v1.0.0. This is
not a feature-expansion release: it makes the existing v0.1–v0.7.1 product
stable, installable, recoverable, documented, secure, and releasable. The
product promise is unchanged — start in Kiro, continue anywhere, return
whenever you want
— and it is now backed by documented, machine-checked
contracts.

Every public contract is inventoried and frozen behind machine-readable
snapshots; persisted state gained an explicit migration framework, read-only
validation, and hash-bound recovery; and the release itself is now
reproducible across platforms with checksummed assets.

Stable contracts

Ten contract areas are inventoried in
docs/stability/public-contracts.md with
per-area compatibility promises, and the versioning/deprecation policy lives in
docs/stability/versioning-policy.md.
Machine-readable snapshots under contracts/ freeze the CLI
command tree and exit codes, JSON report IDs, every persisted schemaVersion,
verification rule IDs SBV001SBV026, the runner adapter vocabulary,
template and extension contracts, MCP tool/resource/prompt names, Claude Code
Skill names, and the GitHub Action interface. CI fails on drift via
pnpm check:public-contracts, so a stable contract cannot change without an
intentional snapshot update.

No persisted schema version changed in this release.

Migrations and recovery

A single migration framework replaces ad-hoc migration code:

  • specbridge migrate status | plan | apply | verify — plans are hash-bound to
    exact file bytes, applies are atomic with backups and rollback, dry-run
    writes nothing, and applying twice is a no-op. Reports land under
    .specbridge/migrations/<id>/.
  • specbridge state validate — read-only diagnosis across every state family.
  • specbridge state recover --plan | --apply <id> — plan-only by default;
    applying requires an acknowledgement token derived from the plan hash and
    re-validates every file hash first.
  • specbridge doctor --repair-plan — read-only recovery preview.

Recovery is structurally constrained: it can only act inside .specbridge/, so
.kiro, .git, and project sources are out of reach. Corrupted files are moved
to quarantine, never destroyed, and approvals, evidence, and completed tasks are
never invented. The only real historical migration is config v1 → v2; the guide
says so honestly rather than inventing migrations that never existed.

Security

docs/security/threat-model.md consolidates
the per-subsystem models into 29 threats with mitigations verified against
source, plus explicit non-claims. A deterministic scan (pnpm check:security)
guards against credentials, private keys, .env inclusion, permission-bypass
strings, eval/Function, absolute build paths, and source maps in release
bundles.

Performance

A large-repository suite (500 specs / 10,000 tasks, large diffs, 500
templates/extensions, MCP pagination) with generous CI budgets is documented in
docs/performance.md. Two findings are recorded honestly
rather than silently "fixed" during stabilization: single-spec reads perform a
full workspace discovery, and MCP spec_list analyzes all specs per page. Both
are within budget and are not regressions.

Packaging

  • npm package is specbridge-cli — the bare name specbridge is taken on
    npm by an unrelated project. The bin and command remain specbridge. The
    published bundle includes the workspace packages, proven by an isolated
    npm install smoke test.
  • Standalone archives for windows-x64, linux-x64, macos-x64, macos-arm64 with a
    pinned, hash-verified Node 20.20.2 runtime, plus a portable-node archive and
    the Claude Code plugin ZIP.
  • Every archive carries a release manifest (schema/contract versions, SHA-256
    file list, no absolute paths); SHA256SUMS.txt/.json verify independently.
  • release.yml is tag-driven and draft-first, publishes only after asset
    verification, never clobbers an existing tag or Release, and grants
    contents: write to the publish job alone. workflow_dispatch runs it as a
    build-only dry run.

Documentation

Documentation was reorganized additively around a new hub
(docs/README.md) so no existing link breaks, with new
getting-started guides, a migrations hub, migration guide, release notes, and a
dependency inventory. The README first screen was rewritten for launch. Three
new offline examples and reproducible demo scripts are validated in CI.

Release gates (all pass locally)

Gate Result
lint / typecheck / build pass
full test suite 1266 pass (baseline was 1180)
check:public-contracts / check:security / check:mcp-docs pass
plugin validation + isolated bundle verification pass (11 skills, 1.0.0)
galleries, registries, CLI smoke (47), examples (26) pass
npm package validation (14 checks, isolated install) pass
standalone packaging (portable-node + windows-x64 smoke, linux archive) pass
sha256sum -c over assembled assets all verify

Reviewer notes

  • macOS x64/arm64 archives build on native CI runners and could not be
    smoke-tested on the Windows development machine; the release matrix builds
    each platform natively.
  • assemble-release.mjs --verify-remote is implemented but only exercisable
    against a real published Release.
  • specbridge config migrate is retained as a deprecated alias (stderr notice,
    removal no earlier than v2.0.0); JSON stdout stays clean.
  • The GitHub Action version was aligned from 0.6.0 to 1.0.0, and template and
    extension compatibility ranges widened to <2.0.0.

Known limitations (documented, not defects)

  • Extension isolation is process-level, not an operating-system sandbox.
  • Checksums verify integrity, not publisher identity; registry listing is
    not endorsement.
  • Released binaries may be unsigned.
  • Model-assisted authoring and execution remain nondeterministic.
  • Antigravity integration remains experimental.

Checklist

  • pnpm lint, pnpm typecheck, and pnpm test pass locally
  • pnpm check:public-contracts passes — snapshots are introduced in this
    PR as the initial frozen baseline
  • Documentation updated for any user-visible behavior change
  • CHANGELOG entry added for any user-visible change
  • Everything is in English (code, comments, docs, commit messages)
  • No employer or client proprietary content — examples and fixtures are
    synthetic
  • No credentials, tokens, or secret values anywhere in the diff, fixtures,
    or recorded test output

Security-relevant invariants touched: migration and recovery are hash-bound and
refuse stale plans; recovery cannot escape .specbridge/; protected paths and
archive/symlink defenses are unchanged and now documented centrally.

…very engine

Generic, schema-agnostic plan/apply/report/verify migration engine plus a
recovery engine restricted to safe action kinds inside .specbridge/. Plans
are hash-bound to exact file bytes; applies are atomic with backups and
rollback; recovery preserves originals in quarantine and appends to an
append-only log. Nothing runs automatically; CLI wiring follows.
Root, all workspace packages, CLI/MCP/extension-SDK/Action version
constants, plugin and marketplace manifests. Template and extension
compatibility ranges widen from <1.0.0 to <2.0.0 (scaffolds now emit
>=1.0.0 <2.0.0); built-in packs, registry index/entries, and galleries
regenerated; version-sensitive tests updated. Plugin and Action dist
rebuilds follow once the new CLI commands land.
docs/stability/{public-contracts,versioning-policy}.md inventory every
public contract with per-area stability promises. docs/security/
threat-model.md consolidates the per-subsystem threat models (29 threats
with mitigations verified against source) and states explicit non-claims.
Adds SECURITY/SUPPORT/CONTRIBUTING/CODE_OF_CONDUCT, issue forms, PR
template, release checklist, and the temporary v1.0.0 resume document.
… security scan

Machine-readable contract snapshots under contracts/ (CLI tree, exit codes,
report IDs, schema versions, verification rules, runner/template/extension
contracts, MCP names, Skill names, Action interface) enforced by
pnpm check:public-contracts. Adds pnpm generate/check:mcp-docs (tool-reference
generated from the authoritative registry) and pnpm check:security
(deterministic scan for credentials, bypass strings, and bundle paths).
Wires the new checks plus example validation into CI and adds a tag-driven,
draft-first release workflow with a workflow_dispatch dry-run mode.
Wires the migration framework and recovery engine into the CLI:
  specbridge migrate status|plan|apply|verify  (--dry-run/--json/--backup-directory/--target)
  specbridge state validate                    (read-only; per-family diagnosis)
  specbridge state recover --plan|--apply <id> (acknowledgement-token gated)
  specbridge doctor --repair-plan              (read-only recovery preview)
  specbridge setup                             (preview-first initialization)
config migrate becomes a deprecated alias (stderr notice; removal >= v2.0.0).
Adds the state-family registry, corruption fixtures, and 66 tests covering
migration idempotency/atomicity/rollback, read-only validation, hash-bound
recovery, quarantine preservation, and the never-invent-approvals guarantees.
500-spec / 10,000-task deterministic fixtures plus 12 gated measurements
(workspace detection, spec discovery, drift verification, template/extension/
registry search, affected-spec detection, MCP pagination, report generation,
peak memory) with generous CI budgets and stable 'perf:' benchmark logs.
docs/performance.md records methodology, indicative numbers, and two honest
findings (single-spec read does full discovery; MCP spec_list analyzes all
specs per page). Also pins the MCP stdio version assertions to the constant.
Three new offline, deterministic examples validated in CI: claude-code-workflow
(plugin flow + committed approvals), ci-drift-gate (verification policy +
GitHub Action + trusted commands), and template-and-extension (template
search/preview + safe analyzer flow). Adds scripts/validate-examples.mjs
(26 checks over temp copies), scripts/demo.{sh,ps1} (offline drift demo,
both run green), and docs/launch/demo-recording.md.
…0 CHANGELOG

Additive documentation architecture: docs/README.md hub over the existing
flat pages plus new getting-started/ (installation, quickstart, existing-kiro
-project, claude-code-plugin), migrations hub, and dependency inventory.
README first screen follows the launch layout (positioning, workflow,
30-second quickstart, honest maturity/security note). CHANGELOG gains the
1.0.0 entry; roadmap marks v0.7.1 and v1.0.0 shipped; verification-rules
documents SBV026.
…ifacts

The bare npm name 'specbridge' is taken by an unrelated project, so the
package is named specbridge-cli; the bin and command stay 'specbridge'. tsup
bundles the @specbridge/* workspace packages into the published dist so the
package installs standalone, with an explicit files allowlist (no source
maps, tests, or fixtures) and committed LICENSE/NOTICE/README. Rebuilds the
plugin and GitHub Action bundles at 1.0.0 and adds the release QUICKSTART.
…otes

scripts/package-standalone.mjs builds portable-node and per-platform archives
(windows-x64/linux-x64/macos-x64/macos-arm64) with a pinned, hash-verified
Node 20.20.2 runtime, a per-archive release manifest (schema/contract
versions, SHA-256 file list, no absolute paths), and on-platform smoke tests.
scripts/validate-npm-package.mjs enforces the files allowlist and proves the
packed specbridge-cli tarball installs and runs in isolation.
scripts/assemble-release.mjs emits SHA256SUMS.txt/json and a combined release
manifest, failing on any missing expected asset. Adds the v1.0.0 migration
guide and release notes, fixes the plugin-ZIP path in release.yml, ignores
dist-release/, and widens the doc example compatibility ranges to <2.0.0.
Removes the temporary release working document. All local release gates pass:
lint, typecheck, 1266 tests, build, public-contract snapshots, security scan,
MCP-doc drift, plugin validation + isolated bundle, template/extension
galleries and registries, CLI smoke (47), example validation (26), npm
package validation (14, isolated install), and standalone packaging
(portable-node + windows-x64 smoke, linux archive, checksummed release
manifest). Versions are consistently 1.0.0.

No remote operation performed; publication awaits explicit authorization.
Two CI failures on the v1.0.0 PR:

The committed Claude Code plugin bundle predated the `setup` command, so
CI's reproducibility check (git diff over the bundled dist) failed on Linux.
Rebuilt from current source; a second build is now byte-identical.

The large-repository performance suite builds ~9,000-file fixtures and real
git history inside the main worker pool, which starved vitest's worker RPC on
loaded runners: every test passed but the run still failed with an unhandled
"Timeout calling onTaskUpdate" error (seen on windows/node-20). The suite now
runs separately via `pnpm test:perf` (vitest.perf.config.ts, serial, generous
timeouts) and CI runs it as its own step on one matrix combination, matching
the policy of treating performance numbers as informational benchmarks.

Main suite: 92 files / 1254 tests. Perf suite: 12 tests. Both green, with no
unhandled errors.
SpecBridge 1.0.0 widens built-in template and reference-extension
compatibility ranges to '<2.0.0' (the old '<1.0.0' bound excluded 1.0.0
itself, failing every built-in template with SBT006). That is a real change
in grounded CLI output, so the pinned fixture in
agent-skill-verification-template was regenerated and tagged v0.2.0; this
pins the new ref. The verifier release pin (ASV_VERSION/ASV_SHA256) is
unchanged.
@HelloThisWorld
HelloThisWorld merged commit e91e88a into main Jul 18, 2026
7 checks passed
@HelloThisWorld
HelloThisWorld deleted the release/v1.0.0 branch July 18, 2026 13:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant