…smoke 10/10 PASS Phase-16 fully closed. Updates §0 (8 rows: Fecha, Fase actual, Paquete npm, Estado del release, Memoria propia, Issues, Proximo paso) + §6.21 (sub-phases 9-15 marked complete with concrete outcomes: squash-merge SHAs, smoke results, dist-tags, deprecate final messages) + 3 new durable lessons (npm view cache, npm deprecate target hardcoding, "1 bug per beta" cycle pattern) + footer "Ultima actualizacion".

Outcomes locked in this update:
- @netzi/recall@0.1.2 PUBLISHED in npm latest channel.
- Tag v0.1.2 -> 29371f8 (= main HEAD post squash-merge PR #40).
- GitHub release stable: NO prerelease, target=main.
- npm view @netzi/recall dist-tags returns { latest: '0.1.2', beta: '0.1.2-beta.6' }.
- 0.1.0 + 0.1.1 hard-deprecated with messages pointing at @latest.
- Smoke fresh against /tmp/recall-stable-smoke (npx --yes @netzi/recall@latest init): 10/10 PASS — serverInfo.version === "0.1.2", 6 MVP tools end-to-end, no regression of any prior fix (B-MCP-2 mem.health real state, B-MCP-8 recall hits, B-MCP-7 worker drain, etc.).
- Merge-back develop <- main via PR #41 squash-merged as 181217f.
- Develop and main converged.

Cycle stats end-to-end:
- 8 bugs closed via dogfood loop (B-MCP-1..8 + carryover serverInfo.version).
- 7 betas (0.1.2-beta.0..beta.6) + 1 stable (0.1.2).
- 9 PRs in the cycle: #33 (B-MCP-8 fix), #34 (release beta.5), #35 (merge-back), #36 (docs close beta.5), #37 (carryover fix), #38 (release beta.6), #39 (merge-back), #40 (release stable), #41 (merge-back final).
- +139 net tests (2421 at MVP -> 2560 today).

This is the standard phase-close docs PR (pattern: PRs #25, #28, #32, #36).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
h2devx added a commit that referenced this pull request May 3, 2026
## Summary

Phase-17 close docs-only PR. Pattern matches PR #25 (Phase-12), #28 (Phase-13), #32 (Phase-14), #36 (Phase-15), #42 (Phase-16) — each cycle/phase ends with a docs-only PR synthesizing the closure.

## What Phase-17 delivered

**v0.5 defensive hardening cycle** — 4 incremental PRs squash-merged to `develop`:

| # | PR | Warning | Fix |
|---|---|---|---|
| 1 | [#43](#43) | W-3.5-SEC-M2 | chmod 0o600 on recall.db |
| 2 | [#44](#44) | W-3.5-SEC-M1 | atomic write+rename on .gitignore + writeConfig consolidated with CSPRNG suffix |
| 3 | [#45](#45) | W-3.5-SEC-L1 (partial) | redact absolute paths from DatabaseError messages → `details.path` + 4 new pino redact globs |
| 4 | [#46](#46) | W-3.1-SEC-M1 | configurable buffer cap on StdioJsonRpcServer (default 10 MiB) + env var override + transport closure on overflow |

Zero security-auditor rejections (4 APPROVED WITH OBSERVATIONS). 1 CI round-trip in PR-2 over S7735 negated condition trivial fix. 36 new VALOR-asserting tests consolidated, 5+1 EXIT=0 green in each PR, SonarQube quality gate PASSED in each PR.

## Key finding tracked: W-3.5-SEC-L2 follow-up

PR #45's security-auditor revealed that **W-3.5-SEC-L1 is NOT categorically closed** — only closed for DatabaseError. **9+ Error factories in workspace/secrets/curator modules** still interpolate `rootPath`/`startPath`/`hookPath` into `message`, and they flow to the wire JSON-RPC via `error-mapper.ts` Tier 3.5. Same leak pattern, also flowing to MCP clients.

Affected files (tracked as W-3.5-SEC-L2 for next hardening cycle):
- `workspace/infrastructure/errors/workspace-infrastructure-error.ts` (9 factories)
- `workspace/application/errors/workspace-application-error.ts` (NoWorkspaceAtPathError)
- `secrets/infrastructure/errors/foreign-hook-exists-error.ts`
- `curator/infrastructure/errors/curator-infrastructure-error.ts` (scanFailed)

Recommendation: apply same `details: { path }` pattern across all error factories before v0.5 GA.

## What this PR adds

Pure HANDOFF.md changes (212 insertions / 8 deletions):
- **§0**: 6 rows updated (Fecha, Fase actual, Lineas codigo, Tests, Issues abiertos, Proximo paso).
- **§6.21**: roadmap row 4 (defensive hardening) marked CLOSED in Phase-17.
- **§6.22 NEW**: full Phase-17 cycle close section (decisions, sub-phases, detail per PR, consolidated observations table with 12 entries, 8 orchestrator decisions D-1701..D-1708, 5 durable lessons, repo state, next-action with 3 options for release).
- **Footer** "Ultima actualizacion" updated to reflect Phase-17 closure.

## State of repo post-merge

| Item | Value |
|---|---|
| HEAD develop | `f23457e` (4 commits ahead of main) |
| HEAD main | `29371f8` (unchanged) |
| Tag latest | `v0.1.2` (unchanged) |
| npm dist-tags | `{ latest: '0.1.2', beta: '0.1.2-beta.6' }` (unchanged — Phase-17 publishes nothing) |
| Tests | 2588 passing in 212 files (+28 vs Phase-16 baseline) |
| Coverage | new 100% / overall 96.4% |
| Hardening warnings closed | 4/4 |
| Follow-ups tracked | 12 (1 medium W-3.5-SEC-L2 + 11 low/info) |
| Issues open | 0 |
| PRs open | 0 (after this merge) |

## Test plan

- [x] No code changes — pure docs PR (HANDOFF.md only).
- [x] Hooks pre-commit no-op (no `code/src/` changes → typecheck not triggered).
- [x] CI required status check `ci`.
- [x] SonarQube quality gate (no source files affected).

## Decision pending after merge

**Cut `release/0.1.3-beta.0` now or later?**
- **Option A** — cut now with 4 hardening fixes alone (Phase-9/12/14 cooling pattern: ship beta, dogfood real, fix what surfaces).
- **Option B** — accumulate more changes (item #1 multi-key envelope, item #3 perf hardening, item #5 swap embedder) before next release.
- **Option C** — defer release until a real bug surfaces in 0.1.2 stable ("first new bug + feature plus" pattern from §6.21).

Recommendation: Option A aligns with project's historical cadence. Final call belongs to the human.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
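The leak pattern named in the W-3.5-SEC-L2 finding above, next to the `details: { path }` form it recommends, as an added example that is not the project's code. `AppError`, `toWireError`, both factory functions, the message wording and the assumption that the wire mapper forwards `message` but not `details` are all hypothetical.

```typescript
// Added illustration; every name here is hypothetical, not the project's API.
interface WireError { code: number; message: string; data: { kind: string } }

class AppError extends Error {
  readonly kind: string;
  readonly details: Record<string, string>;
  constructor(kind: string, message: string, details: Record<string, string> = {}) {
    super(message);
    this.kind = kind;
    this.details = details;
  }
}

// Leaky form: the absolute path is interpolated into `message`,
// so it travels wherever the message travels, including the JSON-RPC client.
function noWorkspaceAtPathLeaky(rootPath: string): AppError {
  return new AppError("NoWorkspaceAtPath", `No workspace found at ${rootPath}`);
}

// Hardened form: constant message, path carried only in `details.path`,
// where server-side log redaction rules can be applied to it.
function noWorkspaceAtPath(rootPath: string): AppError {
  return new AppError("NoWorkspaceAtPath", "No workspace found at the given path", {
    path: rootPath,
  });
}

// Assumed mapper behaviour: `message` and `kind` reach the client, `details` do not.
function toWireError(err: AppError): WireError {
  return { code: -32000, message: err.message, data: { kind: err.kind } };
}

// Regression check usable in a unit test for every error factory:
// flags POSIX (/home/...) or Windows (C:\...) absolute paths in the wire payload.
const ABS_PATH = /(?:^|[\s"'(=:])(?:\/[^\s"']+|[A-Za-z]:\\)/;

function leaksAbsolutePath(wire: WireError): boolean {
  return ABS_PATH.test(JSON.stringify(wire));
}

// Constructed sample inputs.
const SAMPLE_POSIX = "/home/alice/projects/demo";
const SAMPLE_WINDOWS = "C:\\Users\\alice\\demo";
```

Running `leaksAbsolutePath` over the mapped output of each factory in a test suite catches a factory that regresses to interpolating its path argument.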
Summary
Standard phase-close docs PR (pattern: #25, #28, #32, #36). Updates HANDOFF.md §0 + §6.21 + 3 new durable lessons + footer to reflect Phase-16 fully closed end-to-end.
What Phase-16 delivered (all already shipped)
- `v0.1.2` → `29371f8` + GitHub release stable (NO prerelease).
- `npm publish` (user, WebAuthn passkey, NO `--tag beta` → published to `latest`).
- `npm deprecate` 0.1.0 + 0.1.1 with messages pointing at `@latest`.
- `npx --yes @netzi/recall@latest` in clean workspace `/tmp/recall-stable-smoke`.
- `serverInfo.version === "0.1.2"` confirmed (no `-beta` suffix).

What this PR adds
Only HANDOFF.md changes (30 insertions, 23 deletions):
`npm view dist-tags` local cache does not honor TTL: use `--prefer-online`; (6) `npm deprecate` with a target hardcoded to one version ages badly: always point at `@latest`; (7) "1 bug per beta" in the 0.1.2-beta.* cycle is an observed pattern, not a guarantee for future 0.1.3-beta.* releases.

npm registry state confirmed
Test plan
`code/src/` changes → typecheck not triggered).

After this merges, the cycle `0.1.2-beta.*` + `0.1.2` stable + Phase-16 follow-up docs is fully closed end-to-end. Next session inherits an accurate HANDOFF reflecting the published state.

🤖 Generated with Claude Code