release: v0.7.0#430
Merged
Merged
Conversation
Adds §10c covering back-merge of main → agent-main after release PR merges, and updates §10b to drop the obsolete fast-forward claim and document the allow_merge_commit workaround. Captures the agent-main branch-protection payload (allow_deletions=false) so the auto-delete setup survives accidental drops. Codifies the inline housekeeping from the v0.6.0 release session: back-merge, branch-protection on agent-main, and the merge-commit repo-setting flip.
…el… [ORB-00113] Dashboard responsiveness breaks at mid-width: overflowing crew select, cramped filter chips, truncated log column
…x … [ORB-00114] Dashboard: collapse two-column layout to single column at ~1000px viewport width Planned-By: codex
…ul… [ORB-00115] Refactor: split orbit-store v2_store.rs into focused submodules Planned-By: gemini
…cu… [ORB-00118] Refactor: split orbit-store sqlite/task_registry.rs into focused submodules Planned-By: claude
…du… [ORB-00120] Refactor: split orbit-store v2_bundle.rs into focused submodules Planned-By: gemini
…s [ORB-00123] Planned-By: claude
…se… [ORB-00116] Refactor: split orbit-store learning_store/api.rs into focused submodules Planned-By: codex
…00125] Planned-By: codex
…fo… [ORB-00121] Refactor: split orbit-knowledge graph/sqlite_index.rs into focused submodules Planned-By: grok
…bm… [ORB-00117] Refactor: split orbit-exec macos_sandbox.rs into focused submodules Planned-By: claude
…se… [ORB-00119] Refactor: split orbit-engine automation/vcs/pr.rs into focused submodules Planned-By: codex
…su… [ORB-00122] Refactor: split orbit-core command/job/run.rs into focused submodules Planned-By: codex
…(c… [ORB-00128] Make the Orbit workspace pass the full `make ci` gate cleanly (clippy -D warnings, tests, docs, guardrails)
Adds an onboarding/discovery skill that triggers when `.orbit/` is absent or on "what is orbit" / "give me a tour" requests. Body is intentionally thin: it detects state, picks an install path, and delegates to the README's "Setup via Agent Prompt" block (locally or via WebFetch on non-clone install paths) rather than inlining install commands that rot independently from the README. Bundled changes to keep the carve-out clean: - Register `orbit-guide` in `DEFAULT_SKILL_FILES`; bump array sizes 11→12 on both the const and `default_skill_ids()` return type. - Add `plugin/skills/orbit-guide` relative symlink. - Narrow `orbit` skill frontmatter description so it no longer claims "any Orbit-related work" — scopes to post-init workflow routing and defers setup/tour intents to `orbit-guide`. - Add `orbit-guide` bullet to the router skill's `## Skill Selection` block to satisfy the `router_skill_enumerates_all_defaults` drift test (the fifth catalog L20260517-5 flagged). - Add `orbit-guide` entry to README `## Agent Skills`. All five skill catalogs in sync; drift tests pass.
A reference companion to 2_design.md §4 that maps the three push-injection layers (L1 engine pre-prompt, L2 MCP sidecar, L3 Claude Code PreToolUse hook) against the two Orbit agent tool surfaces (MCP and CLI). Sits next to glossary.md under references/ so it does not disturb the four-numbered- doc design layout. Captures three rules for future enrichments: - Place by consumption mode (prompt context vs. tool data), not by data source. - Sidecars live in the adapter that owns the session — L2's home in orbit-mcp is correct because session dedup and admission caps are consumer-shape concerns. - Both transports must return the same canonical data; enrichment is additive only. Also names the known out-of-envelope CLI gap and the opt-in-flag pattern for closing it, so future authors do not reflexively pull L2 down into the tool layer.
Introduces a new learning document that clarifies the use of `orbit audit list --json` as the canonical source for audit-event queries, emphasizing the limitations of the local `.orbit/orbit.db`. The entry outlines best practices for querying audit data, potential pitfalls, and provides guidance on when to use direct SQLite access. This aims to improve user understanding and prevent reliance on outdated local data.
…260517-10 Introduces a new learning document detailing the update of child runtime sandbox permissions when exposing Orbit write tools to activities. It emphasizes the need for explicit reallows in the policy to maintain security while allowing necessary write access. The entry includes a summary of the changes, the rationale behind them, and references a related task (ORB-00129) for further context.
…ORB-00129] Planned-By: codex
…on… [ORB-00131] Guard orbit.task.start at the agent_implement activity instruction layer (revert ORB-00130 skill changes)
…B-00112] Planned-By: grok
Captures the rule that workspace-local artifact IDs (ADR-NNNN, L-NNNNNNNN-N, ORB-NNNNN) must not appear in files shipped as plugin assets — `crates/*/assets/**`, especially `SKILL.md`. Such files are injected into end-user agents' prompts in other workspaces, where local IDs are dangling references. Use Rust source comments for contributor- facing citations; use project learnings for skill-level guidance. Mirrors the cross-machine boundary already encoded in ADR-0125 (lineage is workspace-local; cross-machine reach goes through external_refs). Surfaced when an agent drafting ORB-00132 nearly added an `ADR-0149` citation directly into the `orbit-create-task` SKILL.md. Also includes L20260517-12 (stray test record created during ID probing) flipped to status=superseded via L20260517-11.
Establishes the convention of citing load-bearing constraints at their enforcement site with a literal, greppable artifact ID: - crates/orbit-tools/src/builtin/orbit/task/add.rs: ADR-0149 comment above the `workspace` ToolParam, explaining why the field is required (home-store projection binding key). - crates/orbit-store/src/sqlite/audit_event_store.rs: module-level doc comment citing L20260517-9 (use `orbit audit list --json`; local sqlite can be a stale mirror). Pure annotation pass — no behavior change, no required:-line edits, no plugin-asset files touched (per the distribution-boundary rule for workspace-local artifact IDs). Sets the format for future citations.
… loop [ORB-00133] Adds one workflow step to each authoring skill: - orbit-adr/SKILL.md step 7: when the ADR encodes a code-level constraint, drop a `// ADR-NNNN: <rationale>` comment at each enforcement site in Rust source. If no single anchor exists, record this in the Consequences body and skip. - orbit-learning/SKILL.md step 3: same pattern for learnings with a code anchor, using `// L-NNNNNNNN-N: <rationale>`. Both steps include a hard prohibition on citing inside crates/**/assets/** or other consumer-facing surfaces (workspace- local IDs are dangling refs in other workspaces). Exit Criteria sections gain one sentence each acknowledging the new step. Placeholders only in the new content (`ADR-NNNN`, `L-NNNNNNNN-N`) — no new literal workspace-local IDs introduced.
This ADR outlines the decision to eliminate the `orbit design check` CLI subcommand and related tools due to their misleading signals regarding design-doc freshness. The change aims to maintain design-doc tooling while relying on code review for quality assurance. This ADR supersedes ADR-0162, which promoted the decay checker to first-class status.
…stry, .orbit/config.yaml is a metadata stub Captures the toml-vs-yaml distinction for Orbit workspace config so future agents don't default to yaml when proposing a new behavior knob. Push-injection scope: .orbit/config.toml, .orbit/config.yaml, tags orbit-config and config.
Planned-By: claude
Resolve review feedback from PR #415: - Replace `ManagedCompanion::open_current(...).ok()` with an explicit match that emits `tracing::debug!` on the discarded error. Covers integrity mismatch, missing manifest, path validation failures, and I/O errors; debugging "why did this just reinstall" no longer requires a patched build to see the cause. - Expand `path_execution_fallback_rationale` to explicitly name macOS (and Windows) as the platforms still carrying the original ORB-00271 TOCTOU window. The descriptor-based freshness validation runs everywhere, but the model-download exec on these targets still goes through the path; release notes / docs now have an unambiguous summary to point at. - Tighten the `libc::fork()` SAFETY comment to call out the multi-threaded fork hazard (other threads' allocator/runtime locks held at fork time end up in indeterminate state in the child) and the precondition that `orbit semantic install` is invoked from a synchronous CLI path without an active tokio runtime. Notes posix_spawn /dev/fd/<N> as the portable fix if that precondition ever changes. - Add `fd_launch_executes_descriptor_not_path_after_swap`, a Linux-gated end-to-end test that opens a marker-writing companion as a `ManagedCompanion`, swaps the binary at the install path, then drives `download_model`. The marker file (`companion-identity.txt`) proves the fexecve path executed the descriptor held by `ManagedCompanion`, not the path-swapped binary. Promotes `download_model` to `pub(crate)` so the sibling test module can drive it. Acknowledges: PR #415 review comments.
…270] Planned-By: codex
…270] Resolve review feedback from PR #416: - Rename release signing key IDs from date-prefixed `orbit-release-2026-05-{primary,successor}` to stable generation labels `orbit-release-key-{1,2}`. IDs survive a rotation that promotes successor to primary without becoming confusing. The encoded `not_after` and `revoked_at` fields still carry the lifecycle metadata. - Add `notAfter`/`revokedAt` `YYYY-MM-DD` regex validation in the npm installer's `normalizeTrustedReleaseKeys` so malformed overrides fail closed instead of silently becoming "never expires" under lexicographic comparison. Mirrors the shell-side `release_date_number` validator. - Mark `ORBIT_RELEASE_PUBLIC_KEY_FILE` as deprecated in favor of the strictly-superset `ORBIT_RELEASE_TRUSTED_KEYS_FILE`. Both installers now log a deprecation notice when the old override is in use; docs updated in `docs/RELEASE.md`, `plugin/npm/README.md`, and the getting-started install page. - Rewrite `scripts/check-installer-pubkey.sh` to read the canonical key IDs out of `install-binary.js` and assert each appears in `install.sh`, instead of hardcoding specific IDs / dates. The guardrail no longer trips on legitimate rotations. - Promote the emergency-revocation npm-immutability caveat in `docs/RELEASE.md` from a buried paragraph to a callout above the procedure. Add an operator-custody note clarifying that the successor private key must be held independently of the primary. Acknowledges: PR #416 review comments.
…ee checks Replaced direct calls to `codegraph mark-dirty` and `codegraph sync-if-dirty` with a new script `scripts/codegraph-if-main` that ensures these commands are only executed from the main worktree, preventing issues with linked worktrees. This change was applied across multiple configuration files.
Added the `orbit-file-lock` command to the PreToolUse hooks in the settings and config files for .claude, .codex, .gemini, and .grok. This enhancement ensures that the command is executed before tool usage, improving workflow consistency and preventing potential conflicts during file operations.
…B-00272] Planned-By: codex
…otes - Introduced a new learning resource `L-0039` detailing the domain logic for Orbit hooks. - Added comments and votes files for the new learning resource. - Updated settings to include the new task show command in the MCP tool catalog.
- Changed the status of learning resource `L-0039` from active to superseded. - Added reference to the new superseding resource `L-0041`. - Updated the timestamp for the last modification.
…RB-00275] Planned-By: codex
…[ORB-00277] Move Claude Read() exclusions from per-developer settings.local.json (absolute paths, single machine) into committed settings.json so every contributor shares the same noise reduction. Add target/, .codegraph/, node_modules/, dist/, build/, .astro/, .ruff_cache/, and the .orbit/ runtime state dirs to the deny list. Delete the 1,328-file benchmark runs/ tree (~72MB) — the harness regenerates these per run, so the "frozen for reproducibility" rationale no longer holds. Update .gitignore and .orbitignore to keep regenerated artifacts out of future commits, and document the local-override pattern in CLAUDE.md. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…277] Companion to b1a7ce8 — adds the CLAUDE.md "Agent Read Exclusions" section pointing at .claude/settings.json and explaining the settings.local.json override pattern, updates .orbitignore to drop the now-incorrect "frozen for reproducibility" claim, and adds benchmarks/**/runs/** + benchmarks/**/tasks/** to .gitignore so future harness output stays out of commits. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ti… [ORB-00273] Hook-driven async steering: surface review-thread asks to executing agent Planned-By: codex
…ec… [ORB-00278] Re-expose 6 over-hidden tools from MCP_HIDDEN_TOOL_NAMES (correction to ORB-00272) Planned-By: codex
…-00274] [GITHUB-PR-421] Implemented-By: claude
…rf… [ORB-00281] Dashboard review-threads panel: hide threads on closed tasks, surface parent task status, drop location column
…ub… [ORB-00280] Mark 15 ops/maintenance tools inactive in the registry and scrub references from README + agent skills Planned-By: codex
…ba… [ORB-00276] Migrate v2 audit / job-runs / sessions JSON stores into global ~/.orbit/orbit.db with workspace_id discrimination Planned-By: claude
…ty_v2 audit tests - orbit-dashboard: drop needless &validated_id (3 sites) to satisfy clippy -D warnings - orbit-core/activity_v2: add run_id to V2ActivityRunResult and rewrite the two tests that were .expect-ing on the now-always-None audit_jsonl to use list_v2_audit_events instead (per ORB-00282 plan) - Verified: make ci-fast, full workspace clippy -D warnings, affected tests under parallelism, doc build Task: ORB-00288
Linearize the PR branch after merging agent-main and keep the CI fixes for inactive-tool tests, Linux fd companion launch, and installer traversal archive validation.
`orbit mcp init --claude` was writing `mcp__plugin_orbit_orbit__*` entries
into `.claude/settings.json`, even though the CLI registers the MCP server
under id `orbit` (`ORBIT_MCP_SERVER_ID`). Claude derives MCP permission
names from the connected server id, so the CLI path must emit
`mcp__orbit__<tool>` instead. The plugin-scoped shape is what Claude itself
synthesizes for Claude Code *plugin* installs and is intentionally not
emitted from this code path.
- claude_permission_name now formats `mcp__{ORBIT_MCP_SERVER_ID}__<tool>`;
doc comment explains why the plugin-scoped shape is deliberately not
produced here.
- New `claude_legacy_safe_permissions` migration helper produces the old
plugin-prefixed names; `apply_claude_remove` strips both current and
legacy lists so a post-upgrade `orbit mcp remove --claude` leaves a
clean settings.json instead of orphaning stale entries.
- Tests in setup/tests/dispatch.rs and setup/providers/tests/claude.rs
assert the new literal `mcp__orbit__orbit_task_show`, add a negative
`mcp__plugin_*` guard, and cover the legacy-cleanup path with a
dedicated `claude_remove_strips_legacy_plugin_prefixed_entries` test.
Planned-By: claude
Inactivates six tools on the agent MCP surface and keeps them reachable via the CLI / `runtime.run_tool` path used by `orbit-cli` subcommands and `orbit-dashboard`: orbit.adr.list — agents discover ADRs via `orbit search` orbit.semantic.uninstall — destructive local index teardown orbit.task.lint — admin lint surface orbit.task.delete — destructive task removal orbit.learning.prune — destructive learnings cleanup orbit.learning.comment.delete — destructive comment cleanup `orbit.task.list` is intentionally retained on the agent surface. Surface changes: - orbit-tools: 6 `registry.register(...)` flipped to `register_inactive(...)`. - orbit-cli/mcp/host.rs: per-family constants drop the 6 names; SEMANTIC_TOOL_NAMES collapses to `&[]` (kept for aggregation symmetry). - orbit-cli/mcp/tests/mod.rs: EXPECTED_INACTIVE_TOOL_NAMES 15 → 21, REQUIRED_AGENT_FACING_TOOL_NAMES drops the 6. - orbit-tools/tests/public_tool_surface.rs: INACTIVE_TOOL_NAMES adds the 6; `orbit.semantic.uninstall` removed from the workflow-critical retained list. - The 3 orbit.task.delete-over-MCP tests in orbit-cli/mcp/tests/mod.rs were removed (they asserted a contract we're explicitly removing); generic inactive-tool rejection is covered by `inactive_tool_is_rejected_over_mcp_dispatch`. Task-delete business logic in orbit-core/.../tests/task_tools.rs swapped from `runtime.execute_tool_command` (now gated) to `runtime.run_tool` to keep tool-dispatch business-logic coverage. - Skills updated: orbit-adr/SKILL.md routes ADR discovery through `orbit search --kind adr` (the table row + 5 prose references); orbit-learning/SKILL.md marks `comment.delete` and `prune` rows as CLI-only; orbit-docs/SKILL.md ADR-list reference updated similarly. - Activity whitelists drop `orbit.learning.comment.delete` from agent_implement.yaml and agent_review.yaml. CLI follow-on (was blocking the worktree-resolution integration test which exercised `include_remote` semantics that aren't on `orbit search`): - New `orbit adr list` subcommand mirroring ORB-00280's `orbit docs list` shape. Single-file `command/adr.rs`, routes through `runtime.run_tool` so the existing tool's input parsing + filter semantics (`--include-remote`, etc.) are reused without duplication. Wired into `Commands` enum, help template, and `audit_middleware`. - `crates/orbit-cli/tests/worktree_resolution.rs` switched from `orbit tool run orbit.adr.list ...` to `orbit adr list ...`. Also includes a one-line fmt fix to the ORB-00286 providers test that `make ci-fast` caught after that commit. Verified: `cargo test -p orbit-cli mcp::` (47/0), `cargo test -p orbit-tools --test public_tool_surface` (10/0), `cargo test -p orbit-core --lib orbit_tool_host` (106/0), `cargo test -p orbit-cli --test worktree_resolution` (2/0), `make ci-fast` (exit 0). Planned-By: claude
- Delete orphan `crates/orbit-core/src/runtime/orbit_tool_host/task_tools_tests.rs`
(not declared by any `mod` statement; still referenced the pre-ORB-00289
`runtime.execute_tool_command("orbit.task.delete", ...)` shape).
- README "Full tool reference": annotate the six trimmed tools as CLI-only with
pointers at the equivalent `orbit <verb>` CLI form; the ADR row also calls out
`orbit.search --kind adr` as the agent replacement. Intro paragraph extended
to enumerate the new CLI-only set alongside the existing examples.
- CHANGELOG Unreleased: lead breaking-changes entry for ORB-00289 (lists the
six trimmed names, calls out `register_inactive`, the
`EXPECTED_INACTIVE_TOOL_NAMES` 15 → 21 canary, and the agent replacement);
fixes entries for ORB-00286 (Claude MCP permission-name fix + legacy entry
cleanup on remove) and ORB-00289 (new `orbit adr list` CLI verb).
Verified: `cargo check -p orbit-core --tests` and `make ci-fast` both clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…json - Added a new configuration file `.claude.json` for MCP server settings. - Updated code references from `.mcp.json` to `.claude.json` in various files to reflect the new configuration structure. - Removed the unused `dummy-for-terminal` file. Verified changes with existing tests to ensure functionality remains intact.
- Bump version from 0.6.0 to 0.7.0 in Cargo.lock, Cargo.toml, README.md, and plugin configuration files. - Reflect the new version in the CHANGELOG, highlighting breaking changes and new features introduced in this release.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Promotes v0.7.0 from
agent-maintomain.See
CHANGELOG.mdfor the release notes.Validation from release prep:
make release-checkfailed only for expected pre-tag drift: local plugin/npm are 0.7.0 while npm/latest GitHub release still report 0.6.0.make buildpassed.make ci-fastpassed.git diff --checkpassed.