v1.7.0 — Repository Policy & MCP Registry
v1.7.0 — Repository Policy & MCP Registry
v1.7.0 turns repository governance into explicit, explainable policy while keeping every decision tool read-only and human-controlled.
Highlights
- Added strict
.agentic-sdlc.ymlrepository policy with bounded YAML parsing, canonical SHA-256 digest, stable rule IDs, ref/blob provenance, and deterministic degraded behavior. - Bound policy-required checks to trusted
check_runApp IDs. Same-name commit statuses, other Apps, and skipped/neutral checks cannot satisfy policy. - Applied policy consistently to
repo_context,plan_from_context,quality_gate_status,review_pr_against_standard,release_readiness_check, andagent_handoff_packet. - PR gate/review use the immutable base SHA; release readiness uses the resolved target SHA. Renames, incomplete changed-file evidence, policy self-modification, team-review uncertainty, and explicit rollback evidence are handled conservatively.
- Added official MCP Registry
server.jsonmetadata forio.github.sakuracianna/agentic-sdlc-mcpand a least-privilege GitHub OIDC publication workflow.
Security
- Invalid/unknown fields, duplicate keys or IDs, unsafe globs, control characters, excessive aliases/depth/nodes, and inconsistent reviewer references reject the whole repository policy.
- Policy cannot enable auto-merge, force-push, branch deletion, approval bypasses, or suppress verified failures.
- Registry publisher is pinned to v1.7.9 and its Linux AMD64 archive is SHA-256 verified before execution; no long-lived Registry token is stored.
Compatibility and migration
- Repositories without
.agentic-sdlc.ymlretain v1.6-compatible behavior. - Start with
schemaVersion: 1, callrepo_contextwithincludePolicy: true, then add rules incrementally. Seedocs/repository-policy.md. - MCP Registry is still preview infrastructure.
npx -y agentic-sdlc-mcpremains the compatibility installation path. rollbackPlanEvidenceis explicitly marked caller-sourced; the MCP does not claim to have executed the runbook.
Verified
- 29 test files / 714 tests passed
- typecheck, build, smoke, npm audit (0 vulnerabilities), npm pack dry-run, and git diff checks passed
- official
mcp-publisher v1.7.9 validateacceptedserver.json - checksum-verified Gitleaks v8.30.1 found no leaks in 63 commits or the final worktree
- independent final reviewer: passed with no findings
Rollback
If Registry preview publication fails, keep using the npm/npx path; do not fall back to a long-lived Registry token. Correct metadata/workflow issues in a patch release because published npm/Registry versions are immutable.
Next
v1.8 will focus on risk-aware prepare_work_item briefs, including defensive programming, negative scenarios, rollback, observability, and dynamic-construction risk guidance. That work is intentionally not claimed by v1.7.
Full details: CHANGELOG.md and docs/ROADMAP.md.