diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e4a20ad..ce951bb 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -177,7 +177,10 @@ jobs: - name: Install cargo-audit run: cargo install cargo-audit --locked - name: Run cargo audit - # wasmtime 42.0.1 advisories ignored — behind optional wasm feature gate. + # wasmtime 42.x advisories ignored — behind optional wasm feature gate. + # RUSTSEC-2026-0114 (2026-04-30): wasmtime panic on oversized table + # allocation. Rivet's usage doesn't allocate large wasmtime tables; + # follow-up issue tracks upgrading to wasmtime >=43.0.2. run: >- cargo audit --ignore RUSTSEC-2026-0085 @@ -193,6 +196,7 @@ jobs: --ignore RUSTSEC-2026-0096 --ignore RUSTSEC-2026-0103 --ignore RUSTSEC-2026-0104 + --ignore RUSTSEC-2026-0114 deny: name: Cargo Deny (licenses, bans, sources, advisories) diff --git a/CHANGELOG.md b/CHANGELOG.md index 57f1536..efddc98 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
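Review bot: The new comment above the `cargo audit` step says a "follow-up issue tracks upgrading to wasmtime >=43.0.2" but names no issue, so the `--ignore RUSTSEC-2026-0114` added in the second hunk has no traceable owner or removal condition. I would end the comment with `# Remove this ignore once wasmtime >=43.0.2 lands; tracked in #<ISSUE-NUMBER>` (placeholder, the page does not give the number). The rationale also needs confirming: WebAssembly table sizes are normally declared or grown by the guest module, so "Rivet's usage doesn't allocate large wasmtime tables" holds only if every module loaded under the wasm feature is trusted. That is not visible in this hunk, so the trust assumption should be stated in the comment. If the `deny` job that follows also evaluates advisories, its configuration presumably needs the same exception with the same rationale, which this diff does not show.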
@@ -5,6 +5,103 @@ ## [Unreleased] +## [0.8.0] — 2026-05-01 + +Theme: post-0.7.0 dogfood-driven follow-ups. The 12-persona dogfood +against 0.7.0 surfaced docs-corpus drift, coverage-gate flaws, and +CLI asymmetries on cited-source + schema-migrate. All three are +fixed here. + +### Fixed + +- **Stale literals shipped in 0.7.0 docs** (#252, closes #247). + Tech-writer + DevOps personas independently flagged four embedded- + doc literals: quickstart Step 1's `rivet 0.5.0` example, `rivet + docs mcp`'s hardcoded `serverInfo.version: "0.5.0"`, + `rivet docs schema/eu-ai-act`'s wrong `rivet init --schema X` + flag, and a shipped `(TODO)` marker in `rivet docs schema/dev`. + Plus 2 bonus drift items the agent caught: `v0.5.0` example tag + in the `impact` topic, and `rivet export --gherkin` (the actual + flag is `--format gherkin`). + + All six fixed. To prevent the class of drift from re-shipping, + `rivet docs check` learned three new invariants that scan the + embedded docs strings (the things `rivet docs ` prints): + - **`EmbeddedVersionLiterals`** flags any `vX.Y.Z`/`X.Y.Z` token + that doesn't match the workspace version unless it's in + `rivet.yaml`'s new `docs-check.allowed-version-literals` + allowlist (used for legitimate non-rivet versions like ASPICE + process IDs and the rmcp crate pin). + - **`EmbeddedFlagReferences`** flags every `rivet + --` token in topic bodies whose flag isn't declared on + that subcommand in the live clap tree. + - **`EmbeddedTodoMarkers`** flags `TODO` / `FIXME` / `XXX` + markers in shipped doc bodies. + + Also adds a new `rivet docs docs-check` topic explaining the + full invariant set (markdown-side + embedded-doc-side). + +### Added + +- **`rivet docs check --coverage --warn-only`** mode + tightened + rule (#250, closes #248). The 0.7.0 `--coverage` gate marked + `batch`, `query`, `stamp`, `lsp` as covered via parent-mapping + even though the parent topic body never mentioned them. 
Rule 4 + (umbrella mapping) now requires the child subcommand's name to + appear in the parent topic's body (whole-word, case-insensitive). + Result: `lsp` and `batch` are now correctly reported as gaps. + + The default `--coverage` (no flag) is now silent-print exit 0, + `--coverage --warn-only` prints + emits `::warning::` GitHub + annotations, `--coverage --strict` exits 1 on any uncovered. + `--warn-only` and `--strict` are mutually exclusive. CI uses + `--warn-only` explicitly so the contract is legible at the call + site. + +- **`rivet check sources --strict`** — read-only audit mode for + cited-source drift (#251, closes #249 part 1). Walks every + artifact, reports per-artifact verdict (match / drift / + missing-hash / stale), exits 1 on any non-match. Read-only — + does NOT modify any YAML, even on drift detection. Mutually + exclusive with `--update`. Replaces the "run `--update --apply` + then `git diff --exit-code`" mutation-and-audit pattern with a + clean read-only gate. + +- **`rivet validate --strict-cited-source-stale`** — promotes + `cited-source-stale` Info diagnostics to Error (#251, closes + #249 part 2). Defaults off; current behavior preserved. Enables + audit gates that enforce "every cited-source must be re-checked + within 30 days." `cited-source-stale` now fires for missing, + unparseable, OR older-than-30-days `last-checked` (was: only + missing). + +- **`rivet schema migrate --list`** — recipe discovery (#251, + closes #249 part 3). Without ``, prints all available + recipes (built-in + project-local under `schemas/migrations/`) + as a text table, or JSON with `--format json`. Project-local + recipes shadow built-ins of the same name. Mutually exclusive + with `` and the action flags. + +### Workspace + +- Workspace, vscode-rivet, and npm root package versions bumped to + 0.8.0. Platform packages stay on the release-npm.yml override + path. 
+ +### Verified + +- cargo check, cargo clippy --workspace -- -D warnings, cargo fmt + --all clean. +- cargo test workspace passes (912 unit tests + integration tests). +- `rivet docs check` clean against the rivet repo. +- `rivet docs check --coverage` reports 46/81 covered (was 48/81; + rule 4 tightening correctly surfaces `lsp` + `batch` as gaps). +- `rivet check sources --strict` round-trips: clean fixture exits + 0; off-disk source edit exits 1 with no YAML mutation; + `--update --apply` restores 0. +- `rivet schema migrate --list` enumerates the canned + `dev-to-aspice` recipe. + ## [0.7.0] — 2026-04-29 Theme: schema migration Phase 2 + docs coverage gate + housekeeping. diff --git a/Cargo.lock b/Cargo.lock index f0cf490..8ebefc6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -972,7 +972,7 @@ dependencies = [ [[package]] name = "etch" -version = "0.7.0" +version = "0.8.0" dependencies = [ "petgraph 0.7.1", ] @@ -2698,7 +2698,7 @@ dependencies = [ [[package]] name = "rivet-cli" -version = "0.7.0" +version = "0.8.0" dependencies = [ "anyhow", "axum", @@ -2726,7 +2726,7 @@ dependencies = [ [[package]] name = "rivet-core" -version = "0.7.0" +version = "0.8.0" dependencies = [ "anyhow", "criterion", diff --git a/Cargo.toml b/Cargo.toml index da84d33..6d4734c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -7,7 +7,7 @@ members = [ ] [workspace.package] -version = "0.7.0" +version = "0.8.0" authors = ["PulseEngine "] edition = "2024" license = "Apache-2.0" diff --git a/npm/package.json b/npm/package.json index 00ba828..ba972c0 100644 --- a/npm/package.json +++ b/npm/package.json @@ -1,6 +1,6 @@ { "name": "@pulseengine/rivet", - "version": "0.7.0", + "version": "0.8.0", "description": "Rivet — SDLC traceability, validation, and MCP server for safety-critical systems (ISO 26262, DO-178C, ASPICE, STPA)", "main": "index.js", "bin": { diff --git a/vscode-rivet/package.json b/vscode-rivet/package.json index 04a49a8..b7c29a7 100644 --- a/vscode-rivet/package.json 
+++ b/vscode-rivet/package.json
@@ -3,7 +3,7 @@
 "displayName": "Rivet SDLC",
 "description": "SDLC artifact traceability with live validation, hover info, and embedded dashboard",
 "publisher": "pulseengine",
- "version": "0.7.0",
+ "version": "0.8.0",
 "license": "MIT",
 "repository": {
 "type": "git",