Releases: HetCreep/CoalMine

v3.7.3 - security hardening + doctrine to the org

15 Jun 08:06
v3.7.3
833f31b

A CodeQL/security hardening pass, the series-doctrine move to the org, and a CI cleanup.

Series doctrine moved to the org. The Phoenix-13 (hooks-safety) and scripts-quality docs are now hosted canonically at TheColliery/.github alongside DESIGN-PRINCIPLES. CoalMine dropped its docs/ copies; SECURITY.md links the org, and the doctrine-mirror gate now checks the two machine-local rule homes.

Fixed: CodeQL js/file-system-race in install.mjs, configure.mjs, and the rot-canary-touch.js tripwire (read-and-handle / fstat-on-fd, all benign in context); markdownlint MD060 disabled; the detection benchmark is now dated inline.
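The two fix shapes named above (read-and-handle and fstat-on-fd), shown next to the check-then-use shape that js/file-system-race flags. This is an added example, not code from install.mjs, configure.mjs, or rot-canary-touch.js; the function names, the size cap, and the sample file are assumptions.

```javascript
// Added example, not CoalMine's code. All names here are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Flagged shape: checked by path, then used by path; the file can change in between.
function readCheckedThenUsed(file) {
  if (!fs.existsSync(file)) return null;
  return fs.readFileSync(file, 'utf8');
}

// read-and-handle: no pre-check; the read itself reports a missing file.
function readAndHandle(file) {
  try {
    return fs.readFileSync(file, 'utf8');
  } catch (err) {
    if (err.code !== 'ENOENT') throw err;
    return null;
  }
}

// fstat-on-fd: open once, then stat and read the same descriptor, so the
// object that was checked is the object that is read.
function readRegularFile(file, maxBytes = 1 << 20) {
  let fd;
  try {
    fd = fs.openSync(file, 'r');
  } catch (err) {
    if (err.code !== 'ENOENT') throw err;
    return null;
  }
  try {
    const st = fs.fstatSync(fd);
    if (!st.isFile() || st.size > maxBytes) return null;
    return fs.readFileSync(fd, 'utf8');
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed sample input in a throwaway temp directory.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'race-demo-'));
  const file = path.join(dir, 'sample.json');
  fs.writeFileSync(file, '{"defaultTier":"Light"}');
  const missing = path.join(dir, 'missing.json');
  const out = [readAndHandle(file), readRegularFile(file), readRegularFile(file, 4), readAndHandle(missing)];
  fs.rmSync(dir, { recursive: true, force: true });
  return out;
}
```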

Security: workflow actions pinned to commit SHAs (closes Scorecard PinnedDependencies). Dependabot still tracks them. The remaining by-design Scorecard findings are dismissed with documented reasons.

To update: claude plugin update coalmine@coalmine then restart Claude Code.

v3.7.2: Design Principles at the series level + git-optional fix-mode

14 Jun 17:01
v3.7.2
a7300c3

v3.7.2: Design Principles at the series level + a git-optional fix-mode

Changed

  • The Quantum 11 Design Principles moved up to the series umbrella. They are series doctrine - every tool in TheColliery obeys them - so the canonical, tool-agnostic copy now lives at https://github.com/TheColliery/.github/blob/main/DESIGN-PRINCIPLES.md. CoalMine's repo-local DESIGN-PRINCIPLES.md is removed; the README links the series doc.
  • The README now cross-links the series (CoalMine <-> CoalTipple). The link was one-directional before - CoalTipple pointed here, but not the reverse.

Fixed

  • rot-canary fix-mode no longer assumes git. The safe-fix checkpoint is now "git stash/commit in a git repo; else copy the file aside", and the auto-revert restores whichever was used - a non-git user gets the same safe auto-revert. This enforces a new series rule, no external assumption: no shipped feature HARD-requires git, GitHub, a network, or a CLI the user may not have (they are optional enhancements with a graceful fallback).

Gate: build-plugin 9/9, verify PASS, 35 tests. Commit + tag SSH-signed (Verified).

v3.7.1: config-honesty + SkillSpector v2.1.4

14 Jun 15:40
v3.7.1
13e0a75

Changed

  • Config-honesty pass: every documented .coalmine.json key now has a real consumer. Seven keys that were defined and documented but never read are now wired into the canaries and the conductor: defaultTier, autoFixMode, schemaPaths/migrationDirs, packageManifests, trustedDomains, skipOnboarding. Adds a conductor skipOnboarding test (gate suite 35).

Removed

  • Tombstoned skillUpdateCheckDays: no consumer, and offline skill-staleness is not verifiable by a fail-silent hook (the marketplace/host owns update checks).

Security

  • SkillSpector refreshed to v2.1.4: the static pass scores 58/100, and all 3 findings remain reviewed false-positives (an HTML-comment freshness stamp, the consent-gate line itself, a session-scoped temp file). The LLM semantic pass does not complete on the available API tier, so the headline falls back to the pessimistic static number. The real assurance is structural (Phoenix-13). See SECURITY.md.

Added (carried from Unreleased)

  • Version-pin drift gate: any doc line with a version-pin: marker must quote the current plugin.json version, or verify.mjs fails.

Gate: build-plugin 9/9, verify PASS, 35 tests. Commit + tag SSH-signed (Verified).

v3.7.0 — install.mjs all (auto-detect install)

13 Jun 14:10
v3.7.0
21606d0

install.mjs all — auto-detect install

node scripts/install.mjs all installs CoalMine to every agent already configured in your project — detected by its marker dir (.cursor/, .agents/, .github/, .gemini/, .junie/) — and skips the rest, printing what it detected vs skipped (fail-loud, never a silent no-op). Claude Code and Cline (both rooted at .claude/) are left out of auto-detect so it can never double a plugin install; install those by name.

It is the low-risk form of "install everywhere": every source-grounded vendor path is kept (no silent coverage drop) while the convergent majority is covered in one command. Unknown or brand-new agents route to a platform report, not a path map that quietly rots.

Also in 3.7.0

  • Agent-count drift gate (batched from Unreleased): the README agent-table row count must equal the targets in scripts/lib/targets.mjs, or verify.mjs fails.
  • Docs: the SECURITY.md git tag -v verify example is now number-free (git describe); version placeholders carry greppable version-pin markers.
  • Gate suite: 33 tests.

Full changelog: https://github.com/HetCreep/CoalMine/blob/main/CHANGELOG.md

v3.6.0 - drop dead Roo Code, fix Cline path, platform-aware escalation tiers

13 Jun 11:25
v3.6.0
4485264

Removed

  • Dropped the Roo Code target — upstream repo archived 2026-05-15 (team pivoted to Roomote, "IDEs aren't the future"). Supported targets 12 -> 11. Existing Roo forks can still copy a conformed SKILL.md manually.

Fixed

  • Corrected the Cline skills path (.agents/skills -> .claude/skills; Cline does not read .agents/). Re-source-grounded every agent skill-path against agentskills.io (Jun 2026).

Changed

  • Platform-aware Escalation Tiers: tiers are now capability targets with a degrade-gracefully rule (no faking parallelism a platform lacks) + a per-platform Heavy-lever map (Claude Dynamic Workflows/ultracode, Codex xhigh+Cloud, Cursor Max+Cloud Agents, Antigravity Agent Manager, Amp Oracle, ...). Keyed on stable mode names, not volatile model IDs.

v3.5.1 - manifest integrity traversal-guard fix (security)

13 Jun 08:49
v3.5.1
9b0f480

rot-canary auto-scan on the v3.5.0 SFC-lite code caught a real path-traversal-guard bypass: a Windows-backslash manifest key slipped past the /-split guard, letting verify.mjs hash a file outside the install dir (read-only oracle). Fixed with a resolve-and-contain check covering both separators, absolute, and drive-relative keys; escape test extended. Same class as the v2.6.1 safeSkillNames fix. Full details in CHANGELOG.md.
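A sketch of the guard class described above: a /-split check beside a resolve-and-contain check, run over one constructed key per case the note lists. This is an added example, not the code in verify.mjs; the shape of the old guard, the function names, and the install path are assumptions.

```javascript
// Added example, not CoalMine's verify.mjs. All names and paths are hypothetical.
const path = require('node:path');

// Assumed shape of the old guard: split on "/" and reject ".." segments.
// A backslash key is a single segment, so it is never rejected.
function slashSplitGuard(key) {
  return !key.split('/').includes('..');
}

// Resolve-and-contain: resolve the key against the install dir, then require
// the result to sit strictly inside it. path.win32 is passed explicitly so the
// Windows rules apply on any host OS.
function containedPath(installDir, key, p = path.win32) {
  if (typeof key !== 'string' || key === '' || key.includes('\0')) return null;
  const root = p.resolve(installDir);
  const target = p.resolve(root, key);
  const rel = p.relative(root, target);
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + p.sep) || p.isAbsolute(rel);
  return escapes ? null : target;
}

// Constructed manifest keys, one per case named in the release note.
const INSTALL_DIR = 'C:\\proj\\.cursor\\skills\\coalmine';
const SAMPLE_KEYS = [
  'hooks/rot-canary-touch.js', // normal key
  '..\\..\\outside.txt',       // backslash traversal
  '../../outside.txt',         // forward-slash traversal
  'C:\\other\\outside.txt',    // absolute
  'D:outside.txt',             // drive-relative
];

// Compare both guards on every sample key.
function checkAll() {
  return SAMPLE_KEYS.map((key) => ({
    key,
    oldGuardAccepts: slashSplitGuard(key),
    contained: containedPath(INSTALL_DIR, key) !== null,
  }));
}
```

Only the forward-slash traversal is stopped by the /-split check; the containment check rejects all four escaping keys and keeps the normal one.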

v3.5.0 - Windows-grade hardening: distrust your own artifacts

13 Jun 08:44
v3.5.0
3f5346a

Self-consistency layer (cross-document facts, byte-identical doctrine mirrors, stamp shape) + SFC-lite installed-artifact integrity (per-file SHA-256 in the manifest, re-checked by verify.mjs) + memory/rule poison detection in gold-standard RE-VALIDATE. Closes the two HIGH trust-surface gaps an FMEA found: the suite now verifies what it trusts (memory, installed copies, doctrine mirrors), not only what it ships. Gate 30 tests. Full details in CHANGELOG.md.

v3.4.0 — Fat-trim: shared hook regions, schema table, conductor diet

12 Jun 16:21
v3.4.0
0519d7d

Conductor session injection -37% chars; stop-nudge tails -40% in all 5 languages; hook config plumbing deduplicated into hooks/_shared and synced via coalmine-shared marker regions (verify gates drift; hooks stay copy-one-file portable); 22-key config schema becomes one table shared by verify.mjs and configure.mjs (validation, CLI flags, and --help all generate from it); gate suite 25 tests. Full details in CHANGELOG.md.

v3.3.0 — .coalmine.json config system (programmer overrides, zero-config defaults)

12 Jun 16:21
v3.3.0
e32450d

Categorized 22-key .coalmine.json with a fully commented template dropped at install; configure.mjs CLI with validation and legacy-key migration; hooks resolve config from the git root and honor legacy v3.0.0 keys; deterministic 24h temp-sweep throttle (Phoenix #8); worktree/submodule installs via gitdir: resolution; installer self-destruct guard; hook stdin BOM hardening. Closes issue #5 (7/7 findings). Full details in CHANGELOG.md.

v3.2.1 — Tier rubric freshness cap

12 Jun 16:21
v3.2.1
be926b8

Freshness cap: a scope already audited at Standard or higher this session now caps the tier recommendation at Light regardless of size score - caught live during the first dogfood of the plugin-served skill. Full details in CHANGELOG.md.