Skip to content

v1.7.0 — Repository Policy & MCP Registry

Choose a tag to compare

@SakuraCianna SakuraCianna released this 13 Jul 01:47
979d786

v1.7.0 — Repository Policy & MCP Registry

v1.7.0 turns repository governance into explicit, explainable policy while keeping every decision tool read-only and human-controlled.

Highlights

  • Added strict .agentic-sdlc.yml repository policy with bounded YAML parsing, canonical SHA-256 digest, stable rule IDs, ref/blob provenance, and deterministic degraded behavior.
  • Bound policy-required checks to trusted check_run App IDs. Same-name commit statuses, other Apps, and skipped/neutral checks cannot satisfy policy.
  • Applied policy consistently to repo_context, plan_from_context, quality_gate_status, review_pr_against_standard, release_readiness_check, and agent_handoff_packet.
  • PR gate/review use the immutable base SHA; release readiness uses the resolved target SHA. Renames, incomplete changed-file evidence, policy self-modification, team-review uncertainty, and explicit rollback evidence are handled conservatively.
  • Added official MCP Registry server.json metadata for io.github.sakuracianna/agentic-sdlc-mcp and a least-privilege GitHub OIDC publication workflow.

Security

  • Invalid/unknown fields, duplicate keys or IDs, unsafe globs, control characters, excessive aliases/depth/nodes, and inconsistent reviewer references reject the whole repository policy.
  • Policy cannot enable auto-merge, force-push, branch deletion, approval bypasses, or suppress verified failures.
  • Registry publisher is pinned to v1.7.9 and its Linux AMD64 archive is SHA-256 verified before execution; no long-lived Registry token is stored.

Compatibility and migration

  • Repositories without .agentic-sdlc.yml retain v1.6-compatible behavior.
  • Start with schemaVersion: 1, call repo_context with includePolicy: true, then add rules incrementally. See docs/repository-policy.md.
  • MCP Registry is still preview infrastructure. npx -y agentic-sdlc-mcp remains the compatibility installation path.
  • rollbackPlanEvidence is explicitly marked caller-sourced; the MCP does not claim to have executed the runbook.

Verified

  • 29 test files / 714 tests passed
  • typecheck, build, smoke, npm audit (0 vulnerabilities), npm pack dry-run, and git diff checks passed
  • official mcp-publisher v1.7.9 validate accepted server.json
  • checksum-verified Gitleaks v8.30.1 found no leaks in 63 commits or the final worktree
  • independent final reviewer: passed with no findings

Rollback

If Registry preview publication fails, keep using the npm/npx path; do not fall back to a long-lived Registry token. Correct metadata/workflow issues in a patch release because published npm/Registry versions are immutable.

Next

v1.8 will focus on risk-aware prepare_work_item briefs, including defensive programming, negative scenarios, rollback, observability, and dynamic-construction risk guidance. That work is intentionally not claimed by v1.7.

Full details: CHANGELOG.md and docs/ROADMAP.md.