chore: backmerge main into develop after v0.8.0 release #483

Merged: Luis85 merged 14 commits into develop from chore/backmerge-main-to-develop-v0.8.0 on May 10, 2026

Luis85 commented May 10, 2026

Summary

Backmerge main into develop after the v0.8.0 release dispatch (run 25641268853) so develop's `package.json` and surface files catch up to the released state. Standard post-release housekeeping per ADR-0020.

What landed on main since v0.7.0

| PR | Subject |
|---|---|
| #477 | feat(plugin): orphan `dist/claude-plugin` distribution via `git-subdir` |
| #478 | chore(release): promote v0.8.0 to main |
| #479 | chore(release): cut v0.8.0-rc.1 — TP smoke test |
| #480 | fix(release): drop smoke job permissions override |
| #481 | fix(release): pass `--tag next` when publishing a pre-release |
| #482 | chore(release): cut v0.8.0 final (TP validated via rc.1) |

The branch is fast-forward — develop has zero commits ahead of main (everything from develop got promoted into main via #478, then four release fixes landed on main only).

Released state

  • npm: `specorator@0.8.0` (latest), `specorator@0.8.0-rc.1` (next), sigstore provenance attestation on both.
  • GitHub Release: `v0.8.0` (stable, 987 kB tarball asset).
  • `dist/claude-plugin` orphan branch: live, rebuilt by `.github/workflows/publish-claude-plugin.yml` on every push to main.
  • npmjs.com Trusted Publishing: restored (ADR-0044), `NPM_TOKEN` repo secret decommissioned.

Test plan

  • CI green on this PR (develop's CI surface).
  • After merge: `npm view specorator dist-tags` still shows `latest: 0.8.0`, untouched.

🤖 Generated with Claude Code

Symprowire and others added 14 commits May 10, 2026 22:08

CHANGELOG entry summarises the v0.8.0 cycle:

- Plugin distribution moves to orphan dist/claude-plugin + git-subdir
  marketplace source (ADR-0043, closes #461 + #474).
- New: /issue:tackle conductor skill (#443), /specorator:onboard guided
  series (#460), GitHub remote MCP server in project default (#471),
  conductor-driven model-tier injection (#440), `specorator --version`
  / `-v` flag (#424, #419).
- Plugin install smoke test in CI (#427); operational-bot dry-run +
  drift checks (#438); ADR-0042 typed-artifact reader seam.
- Fixes for plugin command prefix (#420), /quality:status CLI usage
  (#426, #428), init no-git warning (#421), product-page deployment
  (#456), archive-sync git identity (#468), feature-tracker readFile
  race (#408), and historical-status normalisation (#439).
- ADR-0030 (repo-adoption) withdrawn — superseded by plugin packaging.
- README + docs/specorator.md status banner refreshed for v0.8.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Codex P2 on PR #478: scripts/lib/workflow-schema.ts treats `superseded` as a
valid workflow status, and v0.8.0 sets specs/repo-adoption-track/workflow-state.md
to `status: superseded` (ADR-0030 withdrawn). The Astro content schema's
StateStatusEnum was missing that value, so the feature-tracker loader silently
skipped superseded workflow-state files instead of ingesting them — dropping
them from product-page reporting.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Trusted Publisher activated on the specorator package on 2026-05-10,
closing #411. Switch release.yml step 10 back to OIDC + provenance:

- Drop NODE_AUTH_TOKEN env from publish step; OIDC token mints via
  id-token: write.
- Drop the NPM_TOKEN-not-set guard.
- Add --provenance to npm publish so every release ships with a
  sigstore attestation on the npmjs.com package page.
- Remove # zizmor: ignore[use-trusted-publishing] suppression — the
  audit passes by construction now.
- Refresh workflow header + permissions comment block.

ADR-0044 supersedes ADR-0041 (frontmatter status: superseded;
superseded-by: [ADR-0044]). ADR index regenerated.

Operator guide §1 (prereqs), §5 (publish step), §5.1 (provenance
posture), §7.1 (manual recovery) refreshed: NPM_TOKEN repo secret is
decommissioned; manual recovery now requires minting a fresh classic
Automation token on npmjs.com web UI and revoking after use.

scripts/lib/release-readiness.ts comment block flips id-token: write
narrative from "kept across the ADR-0041 fallback for the GitHub
Release tarball attestation" to "load-bearing for both OIDC paths
(npm publish + Release tarball attestation)".

CHANGELOG v0.8.0 entry adds the Trusted Publishing restoration line.

Closes #411

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Codex P2 on PR #478: after the conditional-presence gate (ADR-0043), a
partial bundle (e.g. someone deletes claude-plugin/specorator/agents/
after running build:claude-plugin) silently passed check:claude-plugin
because each helper short-circuited on its own missing-file branch.

Replace per-helper guards with an outer all-or-nothing presence check
across the five generated artifacts (plugin.json, .mcp.json, agents/,
skills/, commands/). When 0 are present, skip cleanly (clean checkout).
When all 5 are present, run the full shape checks. When 1..4 are
present, fail closed with a "partial bundle detected" diagnostic naming
the missing paths.

New test exercises the partial-bundle rejection path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
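
The fail-open behaviour this commit message describes, next to the all-or-nothing gate that replaces it, as an added example that is not part of the PR or the project's code. The function names and the `exists` / `validate` callbacks are assumptions; the five artifact names come from the commit message.

```typescript
// Added example; function names are hypothetical, not the project's check-claude-plugin.ts.
// The five generated artifacts named in the commit message, relative to the bundle root.
const ARTIFACTS: string[] = ["plugin.json", ".mcp.json", "agents/", "skills/", "commands/"];

type Exists = (path: string) => boolean;
type Validate = (path: string) => string[];
interface CheckResult { status: "skipped" | "passed" | "failed"; diagnostics: string[] }

// Before: each helper guards on its own path, so a missing path means "nothing to check".
function perHelperCheck(exists: Exists, validate: Validate): CheckResult {
  const diagnostics: string[] = [];
  for (const path of ARTIFACTS) {
    if (!exists(path)) continue; // a deleted agents/ is silently skipped
    diagnostics.push(...validate(path));
  }
  return { status: diagnostics.length > 0 ? "failed" : "passed", diagnostics };
}

// After: one outer presence check chooses between skip, full check, and fail closed.
function allOrNothingCheck(exists: Exists, validate: Validate): CheckResult {
  const missing = ARTIFACTS.filter((path) => !exists(path));
  if (missing.length === ARTIFACTS.length) {
    return { status: "skipped", diagnostics: [] }; // clean checkout, no bundle built
  }
  if (missing.length > 0) {
    const message = `partial bundle detected; missing: ${missing.join(", ")}`;
    return { status: "failed", diagnostics: [message] };
  }
  return perHelperCheck(exists, validate); // all five present: run the shape checks
}

// Constructed input: a built bundle from which agents/ was deleted afterwards.
const partialBundle: string[] = ["plugin.json", ".mcp.json", "skills/", "commands/"];
const inPartialBundle: Exists = (path) => partialBundle.indexOf(path) !== -1;
const noFindings: Validate = () => [];

console.log(perHelperCheck(inPartialBundle, noFindings).status);    // old behaviour
console.log(allOrNothingCheck(inPartialBundle, noFindings).status); // fail closed
```
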
Codex P2 on PR #478: dropping `build:claude-plugin --check` from the
package.json `check:claude-plugin` script (per ADR-0043) was correct
for the verify gate on a clean develop/main checkout (no committed
bundle to drift against), but it removed the contributor-facing drift
detection too — a hand-edited or stale locally-built bundle silently
passes validation.

Restore drift detection inside `check-claude-plugin.ts`, gated on the
all-or-nothing bundle-present branch from the prior commit. When all
five generated paths are present, spawn `build-claude-plugin --check`
and propagate its diagnostics. When the bundle is absent (the typical
develop/main case), the drift step is skipped — the verify-gate
behavior promised by ADR-0043 is preserved.

Resolve the build script via this file's on-disk location rather than
repoRoot so the test harness's SPECORATOR_ROOT redirection still finds
the real script next to it.

New test exercises the drift rejection path; the existing "validates
manifest, marketplace, and generated directories" test now invokes
build-claude-plugin from a seeded fixture before check, which is a
more realistic shape for a successful run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chore(release): promote v0.8.0 to main

Release-candidate dispatch slot for the v0.8.0 cycle. Smoke-tests the
restored npmjs.com Trusted Publishing path (ADR-0044, supersedes
ADR-0041) before the v0.8.0 final dispatch — exercises the OIDC
+ --provenance shape end-to-end on a low-stakes version.

Surface content unchanged from v0.8.0:
- README badge + status banner reframed as RC; references ADR-0044 and
  acknowledges v0.7.x shipped via the ADR-0041 NPM_TOKEN fallback.
- docs/specorator.md version line updated; v0.8.x publish-via-OIDC
  narrative replaces the earlier "deferred per ADR-0041" line.
- CHANGELOG adds a minimal [v0.8.0-rc.1] section above the planned
  [v0.8.0] entry.

Post-RC: bump back to 0.8.0 in a follow-up PR, tag, dispatch v0.8.0
final.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chore(release): cut v0.8.0-rc.1 — Trusted Publishing smoke test

The v0.8.0-rc.1 dispatch (run 25639883562) failed Layer 1 readiness with
RELEASE_READINESS_WORKFLOW_PERMISSIONS — `jobs.smoke.permissions.contents`
was `read` but the readiness check enforces strict equality with the
top-level `contents: write` value (scripts/lib/release-readiness.ts
diagnosticsForPermissions, line ~852).

Drop the job-level `permissions:` block so smoke inherits the top-level
{ contents: write, attestations: write, id-token: write } block. The
reusable smoke-test workflow is read-only in practice (npm pack +
install + CLI smoke); the inherited write scopes are unused.

Comment block in release.yml header already says "job-level overrides
may only narrow, never widen" — the actual readiness check enforces
equality, not subset. The narrowing-allowed semantics is documented as
intent (line ~775) but the implementation is exact-match. Either the
comment is wrong or the check is too strict; aligning the workflow with
the implementation unblocks v0.8.0-rc.1 / v0.8.0 dispatch immediately.
A follow-up may relax the readiness check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fix(release): unblock v0.8.0 dispatch by dropping smoke job permissions override
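
The difference between the exact-match rule and the "narrow, never widen" rule discussed in the commit above, as an added example that is not part of the PR or of `scripts/lib/release-readiness.ts`. The function names and the shape of the exact-match rule are assumptions, and the `packages` scope in the last sample is constructed; a subset check would accept the narrower smoke job while still rejecting any job that widens a scope.

```typescript
// Added example; names are hypothetical, not scripts/lib/release-readiness.ts.
type Level = "none" | "read" | "write";
type PermissionMap = { [scope: string]: Level };

const RANK: { [level: string]: number } = { none: 0, read: 1, write: 2 };

// GitHub Actions sets every scope omitted from an explicit permissions block to "none".
function effective(perms: PermissionMap, scope: string): Level {
  return perms[scope] || "none";
}

function explain(scope: string, topLevel: PermissionMap, job: PermissionMap): string {
  return `${scope}: job=${job[scope]} top-level=${effective(topLevel, scope)}`;
}

// Exact-match policy (assumed shape): a scope the job declares must equal the top-level value.
function exactMatchViolations(topLevel: PermissionMap, job: PermissionMap): string[] {
  return Object.keys(job)
    .filter((scope) => job[scope] !== effective(topLevel, scope))
    .map((scope) => explain(scope, topLevel, job));
}

// Narrow-only policy: a job may lower any scope but never exceed the top-level grant.
function wideningViolations(topLevel: PermissionMap, job: PermissionMap): string[] {
  return Object.keys(job)
    .filter((scope) => RANK[job[scope]] > RANK[effective(topLevel, scope)])
    .map((scope) => explain(scope, topLevel, job));
}

// Values from the commit message: the top-level block and the smoke job's former override.
const releaseTopLevel: PermissionMap = {
  contents: "write",
  attestations: "write",
  "id-token": "write",
};
const smokeJob: PermissionMap = { contents: "read" };
// Constructed counter-case: a job that asks for a scope the workflow never granted.
const wideningJob: PermissionMap = { contents: "read", packages: "write" };

console.log(exactMatchViolations(releaseTopLevel, smokeJob)); // rejected by exact match
console.log(wideningViolations(releaseTopLevel, smokeJob));   // accepted: narrowing only
console.log(wideningViolations(releaseTopLevel, wideningJob)); // rejected: widening
```
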
The v0.8.0-rc.1 dispatch (run 25640431367, second attempt) failed at the
Publish step with:

  npm error You must specify a tag using --tag when publishing a
  prerelease version.

`npm publish` refuses to default a semver prerelease (`-rc.1`) to the
`latest` dist-tag because that would silently demote stable consumers
who pin `latest`. Without `--tag`, prereleases fail closed.

Parameterise the publish step on `inputs.prerelease`:

- prerelease=true  → `npm publish --provenance --tag next <tarball>`
- prerelease=false → `npm publish --provenance <tarball>` (defaults to
                     `latest`)

This is workflow plumbing — every other step (Layer 1+2 readiness,
build:claude-plugin, tarball provenance attestation, Release create
with asset upload) succeeded on the previous dispatch, so the
Trusted-Publishing config on npmjs.com is reachable end-to-end. This
fix unblocks the last gate before the OIDC publish actually runs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fix(release): pass --tag next when publishing a pre-release

v0.8.0-rc.1 dispatch (run 25640962728) succeeded end-to-end on the
fourth attempt after the npmjs.com Trusted Publisher record was
completed (Environment field was empty; now set to `release` to match
release.yml's environment.name). The RC published to npmjs.com under
the `next` dist-tag with a sigstore provenance attestation
(https://registry.npmjs.org/-/npm/v1/attestations/specorator@0.8.0-rc.1).

Cut the v0.8.0 final:
- package.json: 0.8.0-rc.1 -> 0.8.0
- README badge + status banner: restore v0.8.0 framing, mention TP
  restoration alongside ADR-0043 plugin distribution as headlines.
- docs/specorator.md version line: restore v0.8.0 framing.
- CHANGELOG: both [v0.8.0-rc.1] (RC validation record) and [v0.8.0]
  (release content) entries retained.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

chore(release): cut v0.8.0 final (TP validated via rc.1)

Luis85 merged commit e3eedb6 into develop May 10, 2026
20 checks passed
Luis85 deleted the chore/backmerge-main-to-develop-v0.8.0 branch May 10, 2026 22:44
Luis85 added a commit that referenced this pull request May 11, 2026
…#485)

After install (or after any new install), users can confirm both halves
of the v0.8.0 surface independently in an empty directory:

1. CLI path — npm install -g specorator + specorator --version +
   specorator init (with --dry-run preview). Plus a one-liner to
   surface the sigstore provenance attestation on the published
   tarball.
2. Plugin path — /plugin marketplace add Luis85/agentic-workflow +
   /plugin install specorator@specorator-marketplace. This is the
   end-to-end test for the orphan dist/claude-plugin branch
   (git-subdir marketplace source per ADR-0043).

Helps adopters self-validate after npmjs.com or marketplace
configuration changes, and gives the next release operator a
fast post-publish smoke test.

ADR-0044 is referenced as an absolute main-branch URL because the
backmerge into develop is still in flight (PR #483).

Co-authored-by: Luis Mendez <hallo@luis-mendez.de>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>