Skip to content

Releases: SakuraCianna/agentic-sdlc-mcp

v1.8.0 — 风险感知开发简报与本地 HTTP 加固

Choose a tag to compare

@SakuraCianna SakuraCianna released this 13 Jul 05:18
446f2ff

v1.8.0 概览

v1.8.0 聚焦“让 AI 顺手、让用户省心、让 AI 长脑子、让组织敢用”:把开发工作项准备升级为风险感知、证据可追溯、失败可降级的开发简报,并在发布前完成本地 HTTP 传输、安全边界、代码结构、行尾一致性和发布链路的系统收口。

新增与改进

风险感知的 prepare_work_item

  • 汇总近期评论、仓库策略与脚本、相关文件、CODEOWNERS、PR 历史和 GitHub 原生依赖关系。
  • 对核心或高风险工作项给出防御性编程、安全边界、失败处理和验证预算提示。
  • 暴露上下文完整度与局部失败,保留已取得的证据,不把不完整结果包装成确定结论。
  • 保持既有工具 schema 与辅助导出兼容。

本地 HTTP 传输加固

  • 使用 MCP SDK 的 Express 应用工厂和无状态 Streamable HTTP transport。
  • 默认仅监听 127.0.0.1,校验 Host 与 Origin,并隔离并发请求状态。
  • 明确拒绝不支持的 GET/DELETE,统一处理畸形 JSON-RPC、超限请求和内部错误。
  • 新增并发、恶意来源、IPv6、端口边界、异常关闭和错误信息泄露测试。

HTTP 模式在本版本仍定位为本机开发能力,不应直接暴露到公网。远程 OAuth、租户隔离、限流及产品级资源预算属于后续版本范围。

代码质量与可维护性

  • 拆分 prepare-work-item.ts 的证据收集职责,降低核心工具模块的体积和耦合。
  • 新增 .gitattributes.editorconfig 和 CI 行尾检查,统一文本文件为 LF 并阻止混合行尾回归。
  • 增加行尾检查器自身的 LF/CRLF/混合行尾回归测试。
  • @modelcontextprotocol/sdk 最低版本提升至 ^1.29.0,与实际使用 API 对齐。

文档与生态发布

  • 更新中英文 README、CHANGELOG、ROADMAP、测试策略和架构说明。
  • npm 包、运行时版本与 MCP Registry 元数据统一为 1.8.0
  • GitHub Release 通过 OIDC 先发布 npm,再发布并验证 MCP Registry 元数据。

验证

  • build、typecheck、smoke test 全部通过。
  • 37 个测试文件、805 个测试全部通过。
  • 覆盖率:Statements 94.22%,Branches 89.79%,Functions 94.70%,Lines 95.05%。
  • CI 24 环境测试矩阵与 Gitleaks 均通过。
  • 行尾检查、npm 包内容检查和官方 mcp-publisher validate 均通过。
  • 独立 reviewer 最终结论:通过。

升级

npx -y agentic-sdlc-mcp@1.8.0

stdio 仍是默认传输方式;如需本地 HTTP,请按 README 显式启用。

完整变更见 CHANGELOG.md

v1.7.1 — MCP Registry identity correction

Choose a tag to compare

@SakuraCianna SakuraCianna released this 13 Jul 01:55
02edf1a

v1.7.1 — MCP Registry identity correction

This patch completes the MCP Registry publication path for the v1.7 repository-policy release.

Fixed

  • Corrected the case-sensitive Registry identity from io.github.sakuracianna/agentic-sdlc-mcp to io.github.SakuraCianna/agentic-sdlc-mcp, matching the GitHub login authorized by Registry OIDC.
  • Advanced package, lockfile, runtime, server.json, npm package metadata, workflow verification, and tests together to 1.7.1.

Why a patch version

npm v1.7.0 was successfully published and is immutable. Its Registry metadata could not be replaced safely. v1.7.1 preserves that history and publishes a consistent package/Registry identity without overwriting or reusing v1.7.0.

Compatibility

  • No MCP tool, policy, schema, or decision behavior changes from v1.7.0.
  • npx -y agentic-sdlc-mcp remains the compatibility path while the MCP Registry is preview infrastructure.

Verified

  • 29 test files / 714 tests passed
  • typecheck, build, smoke, npm audit (0 vulnerabilities), npm pack dry-run, and git diff checks passed
  • official mcp-publisher v1.7.9 validates server.json
  • checksum-verified Gitleaks found no leaks
  • independent patch reviewer: passed with no findings

If Registry publication still fails, do not use a long-lived token or overwrite an immutable version; inspect the exact OIDC/Registry response and correct it in another patch release.

v1.7.0 — Repository Policy & MCP Registry

Choose a tag to compare

@SakuraCianna SakuraCianna released this 13 Jul 01:47
979d786

v1.7.0 — Repository Policy & MCP Registry

v1.7.0 turns repository governance into explicit, explainable policy while keeping every decision tool read-only and human-controlled.

Highlights

  • Added strict .agentic-sdlc.yml repository policy with bounded YAML parsing, canonical SHA-256 digest, stable rule IDs, ref/blob provenance, and deterministic degraded behavior.
  • Bound policy-required checks to trusted check_run App IDs. Same-name commit statuses, other Apps, and skipped/neutral checks cannot satisfy policy.
  • Applied policy consistently to repo_context, plan_from_context, quality_gate_status, review_pr_against_standard, release_readiness_check, and agent_handoff_packet.
  • PR gate/review use the immutable base SHA; release readiness uses the resolved target SHA. Renames, incomplete changed-file evidence, policy self-modification, team-review uncertainty, and explicit rollback evidence are handled conservatively.
  • Added official MCP Registry server.json metadata for io.github.sakuracianna/agentic-sdlc-mcp and a least-privilege GitHub OIDC publication workflow.

Security

  • Invalid/unknown fields, duplicate keys or IDs, unsafe globs, control characters, excessive aliases/depth/nodes, and inconsistent reviewer references reject the whole repository policy.
  • Policy cannot enable auto-merge, force-push, branch deletion, approval bypasses, or suppress verified failures.
  • Registry publisher is pinned to v1.7.9 and its Linux AMD64 archive is SHA-256 verified before execution; no long-lived Registry token is stored.

Compatibility and migration

  • Repositories without .agentic-sdlc.yml retain v1.6-compatible behavior.
  • Start with schemaVersion: 1, call repo_context with includePolicy: true, then add rules incrementally. See docs/repository-policy.md.
  • MCP Registry is still preview infrastructure. npx -y agentic-sdlc-mcp remains the compatibility installation path.
  • rollbackPlanEvidence is explicitly marked caller-sourced; the MCP does not claim to have executed the runbook.

Verified

  • 29 test files / 714 tests passed
  • typecheck, build, smoke, npm audit (0 vulnerabilities), npm pack dry-run, and git diff checks passed
  • official mcp-publisher v1.7.9 validate accepted server.json
  • checksum-verified Gitleaks v8.30.1 found no leaks in 63 commits or the final worktree
  • independent final reviewer: passed with no findings

Rollback

If Registry preview publication fails, keep using the npm/npx path; do not fall back to a long-lived Registry token. Correct metadata/workflow issues in a patch release because published npm/Registry versions are immutable.

Next

v1.8 will focus on risk-aware prepare_work_item briefs, including defensive programming, negative scenarios, rollback, observability, and dynamic-construction risk guidance. That work is intentionally not claimed by v1.7.

Full details: CHANGELOG.md and docs/ROADMAP.md.

v1.6.0 — 真实合并门禁与结构化审查

Choose a tag to compare

@SakuraCianna SakuraCianna released this 12 Jul 03:48
73811dd

v1.6.0 — 真实合并门禁与结构化审查

v1.6.0 将 Agentic SDLC MCP 的 PR 棵查从局部启发式升级为证据驱动的真实合并门禁,并引入任务类型感知的结构化审查与分层密钥安全能力。

完整变更见 PR #33

Highlights

  • quality_gate_status 聚合 check runs、commit statuses、reviews、CODEOWNERS、branch protection/rulesets、blocking labels、关联 Issue、draft 与 mergeability
  • review_pr_against_standard 支持 docs、feature、bugfix、refactor、security、release、infra,并输出结构化审查维度
  • 明确 passing / failing / pending / policy-gap / unverified;关键证据不完整时 fail-closed
  • release_readiness_check 仅在至少一个明确 passing 且不存在失败、等待或证据缺口时 ready

Security

  • 新增最小权限、完整 SHA 固定的 Gitleaks workflow
  • Gitleaks/TruffleHog passing 证据绑定具体 Actions job、run、reviewed head 和唯一 base workflow scanner job
  • 拒绝同名/重名 noop job、未知 App、commit status 冒充、条件/允许失败 scanner、可变 action tag 和 provenance API 失败
  • 新增有界的动态凭据风险检测:多行拼接、格式化、join/concat、解码、多语言插值/builder、认证头 API sink、嵌套/计算属性与 patch-local 字段别名
  • 1MB 单行、100 行或 64,000 字符 statement 不会导致崩溃或静默放行;无法完整检查时返回 high 级 evidence-incomplete
  • 统一 Markdown 安全渲染与外部数据输出上限

Compatibility

  • 保留 ref 模式及现有 review standard
  • baseRef 为 deprecated compatibility field;headRef 支持 branch、tag 或 commit SHA
  • 没有新增自动合并、强推、分支删除等写能力
  • 内置动态构造检查仍是 patch-local 补充证据,不能替代跨文件数据流、CodeQL/SAST、成熟 scanner 或人工审查

Validation

  • 24 个测试文件,658 个测试通过
  • TypeScript typecheck、build、smoke 通过
  • npm audit:0 vulnerabilities
  • Gitleaks:提交历史、PR、main 工作树均 0 leaks
  • npm pack dry-run:agentic-sdlc-mcp@1.6.0,100 个条目
  • 独立 reviewer:通过,无阻断 finding
  • main CI 与 Secret Scan:通过

Issues

Next

v1.7 将按官方流程发布到 modelcontextprotocol/registry,包括 server.json、npm mcpName 一致性、mcp-publisher 与 GitHub OIDC Registry 认证。

v1.5.0 - Plan to Issue workflow

Choose a tag to compare

@SakuraCianna SakuraCianna released this 09 Jul 04:53
b0ee487

Agentic SDLC MCP v1.5.0

v1.5.0 completes the ROADMAP Plan-to-Issue workflow. AI coding agents can now turn a contextual SDLC plan into structured, reviewable GitHub issue drafts without manually rewriting the plan, preview the exact batch safely, and retain actionable evidence when only part of a live batch succeeds.

Highlights

Structured Plan-to-Issue workflow

  • plan_from_context now returns 3-5 structured issueDrafts for every supported work type.
  • Each draft includes:
    • executable title
    • Markdown issue body
    • labels confirmed to exist in the target repository
    • SDLC phase
    • acceptance criteria
    • risk level
    • source goal for traceability
  • Complete drafts can be passed directly to create_issue_set.issues, including through strict MCP clients.
  • Generated titles are bounded to GitHub's 256-character limit.
  • Repository labels are matched case-insensitively while preserving their actual GitHub spelling.

Reviewable and safer issue batches

  • create_issue_set still defaults to dryRun: true.
  • Dry-run output now includes:
    • exact target repository
    • final issue titles
    • labels
    • bounded body summaries
    • warnings for missing labels, short bodies, and overlong titles
  • Preview output explicitly confirms that no GitHub write API was called.
  • Live batches continue after an individual issue fails.
  • Results retain both successful issue numbers/URLs/labels and safe failure reasons.
  • Failures include a zero-based inputIndex, so duplicate titles can be located and retried without duplicating successful issues.
  • Raw GitHub response bodies are not exposed in failure output.

Better repository briefing packets

  • repo_context now includes bounded readmeSummary and packageJsonSummary values in structuredContent.
  • Missing, invalid, scalar, or array-shaped package manifests degrade cleanly in both Markdown and structured output.
  • Package summaries are capped at 2,000 characters.
  • Common package scripts are capped at 300 characters per command and 1,200 characters total.
  • A legitimate package.json _raw field is no longer confused with internal parse-failure state.

Version and documentation

  • Package, lockfile, and MCP runtime version are aligned at 1.5.0.
  • Added a regression test that checks runtime/package version consistency.
  • Updated English and Chinese README tool contracts.
  • Marked ROADMAP v1.5 as complete.

Compatibility

  • Existing repo_context, plan_from_context, and create_issue_set fields remain available.
  • New structured fields are additive.
  • Existing issue inputs continue to work.
  • This release does not add auto-merge, force-push, branch deletion, or arbitrary repository code-writing capabilities.

Verification

  • 16 test files, 268 tests passed
  • Coverage:
    • statements: 84.74%
    • branches: 82.00%
    • functions: 83.51%
    • lines: 84.32%
  • TypeScript build and typecheck passed
  • MCP smoke registration passed
  • npm package dry-run passed
  • production dependency audit: 0 vulnerabilities
  • PR CI and post-merge main CI passed
  • independent final reviewer found no actionable regressions

Upgrade

npm install --global agentic-sdlc-mcp@1.5.0

MCP configurations using npx -y agentic-sdlc-mcp will resolve the latest published version after npm propagation and client restart.

Full changes: v1.4.0...v1.5.0

v1.4.0 -- repo_context 开工简报增强 + plan_from_context workType 支持

Choose a tag to compare

@SakuraCianna SakuraCianna released this 08 Jul 15:12
7ce26dd

概览

本次发布完成 docs/ROADMAP.md v1.4「通用 Agent 可用性与上下文增强」的全部三项,是 repo_contextplan_from_context 两个核心工具自发布以来最大的一次能力升级。

  • repo_context 从"仓库基础信息读取器"升级为完整的开工简报包(repository briefing packet)
  • plan_from_context 从"千篇一律的 SDLC 模板"升级为按任务类型定制的计划生成器
  • 重建了此前缺失的通用 AI Coding Agent 冒烟测试指南

全部改动向后兼容:所有新增字段均为可选,默认关闭,不影响现有集成的调用行为和 API 调用量。


repo_context:开工简报包

新增 4 个可选上下文维度,agent 现在可以一次调用就了解"这个仓库怎么建、怎么测、谁在把关":

新参数 作用
includePackageJson(增强) 除了原有摘要外,新增包管理器探测(npm/pnpm/yarn/bun)、技术栈识别(依赖名映射为 TypeScript/Vitest/Express 等可读标签)、常用验证脚本摘要
includeWorkflows 列出 .github/workflows/*.yml 文件名(仅文件名,权限细节由 workflow_permissions_audit 负责)
includeGovernance 报告 CODEOWNERS 是否存在
includeAgentInstructions 探测并截断摘要 AGENTS.md / CLAUDE.md(跨工具通用的 agent 规则文件)

另新增 maxReadmeChars / maxInstructionChars 控制截断长度。

包管理器识别采用混合策略:优先读 package.jsonpackageManager 字段(0 次额外 API 调用);缺失时才依次探测 4 种 lock 文件,命中即停。includeGovernance 有意不重复探测分支保护——那需要 admin 权限、默认请求容易 403,这个职责继续交给专门的 branch_protection_status 工具,避免功能重叠和不必要的失败率。


plan_from_context:按任务类型定制计划

新增 workType 参数:docs / feature / bugfix / refactor / security / release / infra

  • 显式传入:直接采用,confidence: "high"
  • 未传入:由关键词启发式(支持中英文)保守推断,推断依据通过 reasoning / confidence / needsClarification 透明返回——不做静默假设,置信度低时会明确提示需要人工确认

每种类型拥有独立的 Plan → Create → Test → Review → Optimize → Secure 六阶段任务模板,直接对应 ROADMAP 的验收标准:

  • docs 任务的 Test 阶段验证示例可执行、检查链接,不再默认要求代码单元测试
  • bugfix 任务的 Plan 阶段强制要求复现根因,Create 阶段强制要求回归测试
  • security 任务强制要求威胁模型、最小权限实现、攻击场景测试
  • release 任务强制要求 CHANGELOG、版本号、CI 验证、回滚计划
  • infra 任务强制要求最小权限、workflow_permissions_audit 复核

buildPlan() 新增的 workType 参数默认值为 "feature",纯函数签名向后兼容。


📖 新增冒烟测试文档

docs/ai-coding-agent-smoke-test.md:客户端无关的 5 分钟验收指南,覆盖最小配置、repo_context 只读验证路径、create_issue_set dry-run 预览路径、常见失败排查表。


🔍 独立代码审查发现并修复的问题

按项目规则,本次改动完成后创建了独立 reviewer 子智能体审查。审查发现一个高优先级 buginferWorkType 最初实现用裸子串匹配(text.includes(keyword)),导致 "fix" 会误命中 "prefix" / "suffix" / "fixed-price""secret" 会误命中 "secret santa" 等常见 feature 描述,被静默误判为 bugfix/security。

修复为词边界匹配(英文关键词要求完整单词匹配,同时补充 fixes/permissions/secrets 等常见词形变体避免漏判;中文关键词维持子串匹配,因为中文文本没有空格分词,多字关键词本身特异性已经足够),并补充了 4 个词边界回归测试、1 个平局(tie-break)测试用例,以及 repo_context 在 include 开关关闭时"确实不发起额外 API 调用"的调用计数断言。


📊 测试与验证

npm run typecheck       # 通过
npm run build            # 通过
npm run test              # 214/214 通过(本次新增 49 个测试用例,上一版本 165 个)
npm run smoke            # 通过
npm run test:coverage   # 82.9% statements / 80.19% branches

🔒 安全说明

  • 未修改任何工具的 dryRun 默认值
  • 新增的 GitHub API 调用均复用已有 GITHUB_TOKEN 权限范围内的仓库内容读取,风险等级与现有 includeReadme/includePackageJson 一致
  • 所有新增 include* 开关默认 false,不影响现有调用方的默认行为
  • 冒烟测试文档示例统一使用 REPLACE_WITH_GITHUB_TOKEN 占位符

📋 完整变更

查看完整 diff:v1.3.1...v1.4.0

详见 PR #21

🗺️ 下一步

ROADMAP v1.5「Plan 与 Issue 创建闭环」——plan_from_context 输出 issueDrafts 并打通 create_issue_set,让计划可以直接 dry-run 创建对应的 GitHub issue 草稿。


🤖 Generated with Claude Code

v1.3.1

Choose a tag to compare

@SakuraCianna SakuraCianna released this 07 Jul 09:11
b94cedd

支持 GITHUB_TOKEN 全局配置文件与终端交互式配置引导,升级各项核心依赖包。

v1.3.0

Choose a tag to compare

@SakuraCianna SakuraCianna released this 06 Jul 17:12
c01a869

v1.3.0 - Workflow Permissions Audit

  • 新增 \workflow_permissions_audit\ 安全审计工具(扫描 actions workflow 权限声明)
  • 新增 \�ranch_protection_status\ 保护状态读取工具
  • 补齐对应单元测试,测试用例增加至 165 个
  • 更新中英文对照说明文档