0.9.0 — sanitized instrumentation telemetry
[0.9.0] - 2026-07-11
Sanitized instrumentation replaces narrative session-journal publication. A
session journal narrates the adopter's product work, so it can never be proven
safe to publish; 0.9.0 disables narrative publication entirely and introduces a
closed-vocabulary instrumentation record with zero product-information capacity
as the only session evidence that can reach a remote.
Added
- Sanitized instrumentation record and CLI (experimental):
publish-instrumentation-recordrecomputes a closed-vocabulary record
(enumerated event codes plus numbers, no repo/branch/project/path/freeform
fields) from the local observability event log and publishes it to the
constanttautline-telemetry-archivebranch via a hardened push path — pinned
adopter-neutral commit identity/date, whole-branch fail-closed hygiene,
closed-set commit-object parse, byte-compare readback, branch-tip ancestry
guard, and recompute-at-publish so a tampered preview cannot influence what
publishes.prepare-instrumentation-recordand
validate-instrumentation-recordround out the surface. - Additive
instrumentationadapter key (experimental):
{enabled (default false), cadence (default milestone)}.enabledalone
permits publishing;cadencegates only boundary prompting.
instrumentation.enabledrequiresobservabilityEvents.enabled, and unknown
instrumentation.*subkeys are rejected (remote metadata is a fixed constant). docs/reference/instrumentation.mddocumenting the record shape, guarantees,
and the explicit threat model; the generated
methodology/instrumentation-schema.jsonis registered as public-contract
surface.
Changed
- The session-journal opt-in hint, generated-adapter guidance, goal kickoff
prompt, and lane-start/status lines now describe the local-only reality and
point at instrumentation for upstream contribution.
Deprecated
publish-session-journalandpublish-pending-session-journalsare deprecated
(removal >= 1.0.0), replaced bypublish-instrumentation-record.
Security
- Narrative session-journal publication is disabled: both publish commands refuse
for every adapter in every mode (--commit --push, bare--file,
--allow-release-checkout-write). No new narrative content can reach any remote
from any adapter; journals remain local-only evidence. This invokes a new
deprecation security-exception clause allowing a stable surface confirmed to
expose adopter data to a remote to be hard-disabled ahead of its deprecation
window with a required migration note and named replacement.