Skip to content

docs: record git-cas v6.2.0 publication#68

Merged
flyingrobots merged 2 commits into
mainfrom
docs/v6.2.0-publication-evidence
Jul 13, 2026
Merged

docs: record git-cas v6.2.0 publication#68
flyingrobots merged 2 commits into
mainfrom
docs/v6.2.0-publication-evidence

Conversation

@flyingrobots

Copy link
Copy Markdown
Member

Linked Issue

Closes #60
Closes #50

Follows the reviewed release candidate in #67.

Design / Proof

Records the independently observed publication state for API-0047: the signed tag and peeled merge target, successful release workflow, npm package integrity and SLSA provenance, and final GitHub Release. The published state is linked from the design record and enforced by a documentation truth test.

Validation

  • pnpm run lint
  • pnpm exec vitest run test/unit/docs/release-state.test.js test/unit/docs/release-drift.test.js test/unit/docs/planning-surfaces.test.js test/unit/docs/markdown-links.test.js (12/12)
  • git diff --check
  • pre-push hook: lint plus 1,872 Node unit tests

Release Impact

Documentation and documentation-contract tests only. The @git-stunts/git-cas@6.2.0 artifact is already public; this PR records and guards that publication without changing the package artifact.

@flyingrobots flyingrobots added this to the v6.2.0 milestone Jul 13, 2026
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6cf59626-3c18-4ef6-8afc-f70b53efa31f

📥 Commits

Reviewing files that changed from the base of the PR and between 432c5d9 and fda13e4.

📒 Files selected for processing (7)
  • BEARING.md
  • CHANGELOG.md
  • ROADMAP.md
  • STATUS.md
  • docs/design/0047-application-storage-cache-boundary/application-storage-cache-boundary.md
  • docs/design/0047-application-storage-cache-boundary/witness/release-publication.md
  • test/unit/docs/release-state.test.js
📜 Recent review details
⏰ Context from checks skipped due to timeout. (3)
  • GitHub Check: test-docker (deno)
  • GitHub Check: test-docker (node)
  • GitHub Check: test-docker (bun)
🧰 Additional context used
📓 Path-based instructions (5)
docs/design/**

📄 CodeRabbit inference engine (AGENTS.md)

Use docs/design/ directory for durable design contracts and proof plans

Files:

  • docs/design/0047-application-storage-cache-boundary/application-storage-cache-boundary.md
  • docs/design/0047-application-storage-cache-boundary/witness/release-publication.md
ROADMAP.md

📄 CodeRabbit inference engine (AGENTS.md)

Use ROADMAP.md as a signpost to the GitHub release tracker

Files:

  • ROADMAP.md
BEARING.md

📄 CodeRabbit inference engine (AGENTS.md)

Use BEARING.md to document current execution gravity and active tensions

Files:

  • BEARING.md
STATUS.md

📄 CodeRabbit inference engine (AGENTS.md)

Use STATUS.md as a compact snapshot of release and runtime truth

Files:

  • STATUS.md
CHANGELOG.md

📄 CodeRabbit inference engine (AGENTS.md)

Use CHANGELOG.md to record the historical truth of merged behavior

Files:

  • CHANGELOG.md
🧠 Learnings (2)
📚 Learning: 2026-02-28T19:21:13.982Z
Learnt from: flyingrobots
Repo: git-stunts/git-cas PR: 15
File: test/unit/domain/services/CasService.envelope.test.js:326-330
Timestamp: 2026-02-28T19:21:13.982Z
Learning: In fuzz tests for cryptographic operations, use a seeded PRNG (e.g., xorshift32) for control-flow variables such as plaintext size selection and recipient index selection to ensure reproducibility. Continue to use randomBytes() for cryptographic keys and nonces to preserve realistic randomness and avoid security anti-patterns. This guideline applies to test files that perform fuzz testing of crypto logic; implement a consistent seed setup (e.g., fixed seed in test initialization) and document the rationale to enable deterministic replays across runs.

Applied to files:

  • test/unit/docs/release-state.test.js
📚 Learning: 2026-03-30T19:53:48.000Z
Learnt from: flyingrobots
Repo: git-stunts/git-cas PR: 29
File: docs/design/TR-010-planning-index-consistency-review.md:121-131
Timestamp: 2026-03-30T19:53:48.000Z
Learning: In this repo, CHANGELOG.md entries should be user-facing and descriptive (bullet points) rather than cycle-ID headings (e.g., use a phrase like “Planning-index consistency review” instead of a “TR-010 — …” heading). When searching the changelog, don’t rely on grepping for cycle IDs (e.g., “TR-010”) because it may cause false negatives; search for the descriptive keywords/phrases from the bullet entries instead.

Applied to files:

  • CHANGELOG.md
🪛 Betterleaks (1.6.1)
docs/design/0047-application-storage-cache-boundary/witness/release-publication.md

[high] 14-14: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (7)
BEARING.md (1)

17-21: LGTM!

Also applies to: 124-132

ROADMAP.md (1)

41-52: LGTM!

STATUS.md (1)

3-5: LGTM!

Also applies to: 21-24, 97-102

CHANGELOG.md (1)

10-15: LGTM!

docs/design/0047-application-storage-cache-boundary/application-storage-cache-boundary.md (1)

816-819: LGTM!

docs/design/0047-application-storage-cache-boundary/witness/release-publication.md (1)

1-65: LGTM!

test/unit/docs/release-state.test.js (1)

16-31: LGTM!


📝 Walkthrough

Summary by CodeRabbit

  • Documentation

    • Updated release documentation to reflect the publication of v6.2.0.
    • Added evidence covering signed tags, npm publication, provenance, validation, and GitHub Releases.
    • Clarified that JSR publication is outside the current release workflow.
    • Updated roadmap and design records to identify the latest landed design and active planning process.
  • Tests

    • Added coverage verifying v6.2.0 release status and publication evidence.

Walkthrough

The release records now describe v6.2.0 as published. API-0047 links to a publication witness covering signed tags, workflow results, npm provenance, and GitHub Releases. A unit test verifies key release-status and witness details.

Changes

Release evidence

Layer / File(s) Summary
Published release status and planning records
BEARING.md, CHANGELOG.md, ROADMAP.md, STATUS.md
Documentation now records v6.2.0 publication, active npm and GitHub Release surfaces, the latest landed design, and associated release evidence.
Publication witness record
docs/design/0047-application-storage-cache-boundary/...
API-0047 links to a new witness documenting signed tag identity, workflow results, npm registry data, provenance, GitHub Release publication, and JSR scope.
Release evidence assertions
test/unit/docs/release-state.test.js
A new test checks v6.2.0 status and specific publication-witness values.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

Poem

A rabbit checks the signed tag bright,
npm provenance glows tonight.
GitHub Release hops in view,
Witness pages tell what’s true.
JSR waits beyond the gate—
v6.2.0 ships in state! 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately reflects the main change: documenting the v6.2.0 publication for git-cas.
Description check ✅ Passed The description matches the template with linked issues, design/proof, validation, and release impact sections filled in.
Linked Issues check ✅ Passed The PR documents and tests the v6.2.0 publication evidence and release-state metadata required by #60 and the release-context goals of #50.
Out of Scope Changes check ✅ Passed The changes stay focused on release documentation, witness evidence, and docs tests, with no clearly unrelated additions.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed: lockfile failed supply-chain policy check. Run pnpm install locally to update the lockfile.


Comment @coderabbitai help to get the list of available commands.

@flyingrobots

Copy link
Copy Markdown
Member Author

Self-review

Reviewed the complete two-commit diff against the release workflow output, npm registry metadata, GitHub Release metadata, and the v6.2.0 planning surfaces.

One stale-state defect was found during review: STATUS.md still labeled closed goalpost #50 as current. Follow-up commit fda13e4 changes it to the latest completed goalpost and adds a negative regression assertion. [cite: STATUS.md#97-103@fda13e4059e159f35a83216527df9f16113aecae] [cite: test/unit/docs/release-state.test.js#22-30@fda13e4059e159f35a83216527df9f16113aecae]

The remaining publication claims are internally consistent and trace to immutable release identity, successful workflow jobs, npm integrity/provenance, and the final GitHub Release. [cite: docs/design/0047-application-storage-cache-boundary/witness/release-publication.md#9-20@fda13e4059e159f35a83216527df9f16113aecae] [cite: docs/design/0047-application-storage-cache-boundary/witness/release-publication.md#22-54@fda13e4059e159f35a83216527df9f16113aecae]

The design record links the publication witness, and a documentation-contract test guards the critical public facts. [cite: docs/design/0047-application-storage-cache-boundary/application-storage-cache-boundary.md#816-818@fda13e4059e159f35a83216527df9f16113aecae] [cite: test/unit/docs/release-state.test.js#16-30@fda13e4059e159f35a83216527df9f16113aecae]

Validation repeated on the current head: lint passed, focused documentation tests passed 12/12, git diff --check passed, and the pre-push gate passed all 1,872 Node unit tests.

Result: no unresolved self-review findings.

@flyingrobots

Copy link
Copy Markdown
Member Author

Code Lawyer review

Claim boundary: This PR records facts about an already-published release; it does not alter the v6.2.0 artifact or retroactively broaden its API contract. The changelog classifies the change as unreleased documentation. [cite: CHANGELOG.md#7-15@fda13e4059e159f35a83216527df9f16113aecae]

Release identity invariant: the signed annotated tag, tag object, signing key, peeled target, and reviewed merge are explicit, with the peeled target equal to the reviewed merge. [cite: docs/design/0047-application-storage-cache-boundary/witness/release-publication.md#7-20@fda13e4059e159f35a83216527df9f16113aecae]

Publication invariant: npm publication is supported by package/version, timestamp, dist-tag, integrity, shasum, tarball, and SLSA attestation evidence; GitHub publication is separately identified. JSR is explicitly excluded, preventing an unsupported publication claim. [cite: docs/design/0047-application-storage-cache-boundary/witness/release-publication.md#38-54@fda13e4059e159f35a83216527df9f16113aecae] [cite: docs/design/0047-application-storage-cache-boundary/witness/release-publication.md#63-64@fda13e4059e159f35a83216527df9f16113aecae]

Downstream dependency invariant: git-warp is authorized to consume only the published registry artifact, not a local path override. [cite: docs/design/0047-application-storage-cache-boundary/witness/release-publication.md#56-61@fda13e4059e159f35a83216527df9f16113aecae]

Planning-state invariant: v6.2.0 is represented as shipped and #50 as completed, while selection of later work remains with GitHub. [cite: BEARING.md#121-133@fda13e4059e159f35a83216527df9f16113aecae] [cite: STATUS.md#93-103@fda13e4059e159f35a83216527df9f16113aecae]

Enforcement: tests pin release status, workflow identity, merge identity, package integrity, provenance predicate, GitHub Release URL, and absence of the stale current-goalpost label. [cite: test/unit/docs/release-state.test.js#16-30@fda13e4059e159f35a83216527df9f16113aecae]

Verdict: contract-consistent; no blocking legal or semantic ambiguity found.

@flyingrobots

Copy link
Copy Markdown
Member Author

Merge gate

  • GitHub CI: green for lint, unit tests, and Node/Bun/Deno Docker integration.
  • CodeRabbit: approved current head fda13e4059e159f35a83216527df9f16113aecae with no actionable comments.
  • Thread-aware GraphQL audit: zero review threads.
  • Self-review and Code Lawyer review: complete with no unresolved findings.

CodeRabbit Betterleaks heuristically labeled the release signing-key fingerprint as a generic API key. It is intentionally public GPG release identity, not a credential. [cite: docs/design/0047-application-storage-cache-boundary/witness/release-publication.md#9-20@fda13e4059e159f35a83216527df9f16113aecae]

Gate result: clean and merge-ready.

@flyingrobots flyingrobots merged commit 80059fa into main Jul 13, 2026
6 checks passed
@flyingrobots flyingrobots deleted the docs/v6.2.0-publication-evidence branch July 13, 2026 20:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Publish git-cas v6.2.0 CAS ownership APIs v6.2.0: Application CAS and cache ownership boundary

1 participant