Releases: aligned-team/cospec
Release list
v0.5.0
v0.5.0: Full opsx workflow parity
This release closes cospec's workflow-parity gap with OpenSpec 1.5.0's opsx command set: five new generated agent workflows — including the /cospec:verify command a user reported missing — are now rendered across every supported harness, each adapted to cospec's typed, gated model. It also documents a mise install gotcha that made fresh releases look "not found".
Added
-
Full
opsx1.5.0 workflow parity (#23 by @replygirl) — prompted by a report that/cospec:verifywas missing from the generated harnesses, this audits the wholeopsx1.5.0 workflow set and brings cospec's generated commands and skills to parity. Each is generated for the Claude, Codex, and OpenCode harnesses (as slash commands and/or skills):workflow what it does /cospec:newscaffolds a change and shows its typed artifact plan, then stops before authoring /cospec:fffast-forwards an already-scaffolded change through every remaining artifact and validates /cospec:verifydress-rehearses a change: cospec validate --strict, walks the verification ledger, and names the two hard archive gates (archive/verification-incomplete,archive/scenario-preservation) — no--forceescape hatch/cospec:bulk-archivearchives a batch of completed changes in dependency order, one gated cospec archivecall at a time/cospec:onboardwalks a first-time user through one real change end to end via the real CLI path Every rendered workflow body — new and existing — is scanned to confirm it contains no bare
openspecinvocation and no manualmv/mkdirof anopenspec/changes/entry: all change-lifecycle operations route throughcospecsubcommands.opsx'ssyncworkflow is intentionally not a new command (it maps 1:1 onto the existingsync-specsskill), andopsx'supdatepath and feedback loop are deliberately out of scope pending a proper design pass.
Documentation
- mise release-age cooldown note (#22 by @replygirl) — investigation of a reported
@aligned-team/cospec@0.5 not foundinstall failure traced the issue entirely to the mise client, not cospec's release pipeline: mise's github backend applies a defaultminimum_release_agecooldown that hides just-shipped releases from "latest"/fuzzy resolution, and a partial pin like@0.5never matches cospec's exact 3-part tags. Every documentedmise use github:aligned-team/cospecsnippet now carries a note explaining the cooldown and recommending an exact-version pin (e.g.@0.5.0) when testing a fresh release.
Full Changelog: v0.4.0...v0.5.0
v0.4.0
v0.4.0: Full OpenSpec parity, no more bare openspec
This release closes the OpenSpec command-parity gap: every everyday OpenSpec operation now has a first-class cospec command, so you never have to drop out to bare openspec. It also ships a public documentation site (cospec.aligned.team) and hardens the release pipeline.
Added
-
Full OpenSpec command coverage (#19 by @replygirl) — cospec now wraps every OpenSpec surface it previously left native, reversing v0.3.0's "store management stays native" split that forced manual
openspeccalls and a two-step store setup. New commands:command what it does cospec store <sub>manage stores: setup/register(auto-init) /unregister/remove/ls/doctorcospec contexta store's cross-repo working-set brief ( --json,--code-workspace)cospec workset <sub>personal cross-repo working views: create/list/remove/opencospec show <item>read a change or spec as markdown or JSON cospec viewthe OpenSpec dashboard cospec schemas/cospec schema which|validate|fork|initinspect and fork resolvable schemas cospec templateslist per-artifact template paths Store setup is now one command —
cospec store setup <id> --path <p>registers the root and stamps it with cospec's typed schemas (cospec init <root> --harness none), eliminating the old manual second step (opt out with--no-cospec-init):cospec store setup platform --path ./platform-store # register + auto-initvalidatenow accepts--all/--changes/--specs,list --specslists living specs, andcospec doctorfolds in OpenSpec's own root-relationship, reference, and store-health diagnostics (read-only, never repair) when the operating root is store-backed or declaresreferences:. Every new read-only/personal command is a disciplined passthrough — a version-asserted spawn, an exit-code allow-list, a stdout deny-list, and a guaranteed single JSON document on--json— while mutatingstoresubcommands verify their own disk/registry post-condition rather than trusting the wrapped exit code. -
Legacy (forked) schema changes (#19 by @replygirl) —
cospec new <legacy-schema> <slug>runs a change against a project-local schema created bycospec schema fork/init, riding the legacy lane throughvalidate/apply/archivewhile keeping cospec's schema-agnostic hard gates (tasks, scenario preservation, filesystem move, blocker fan-out) and delegating structural checks to OpenSpec. It prints a reduced-guarantees note and stamps noschemaVersion.schema fork/initrefuse (exit 1, before spawning the binary) any destination name that collides with one of the 11 canon cospec types, so a fork can never overwrite a canonschema.yaml. -
Public docs site (cospec.aligned.team) (#17 by @replygirl) — a VitePress documentation site under
apps/docswith guides (installation, workflow, harness setup), concept pages (relation to OpenSpec, types & artifacts, apply & archive, verification, blocking changes), and full reference (commands, configuration, validation rules), plus generatedllms.txt/llms-full.txt. The site builds and deploys per release, so it always matches the released CLI.
Fixed
-
Managed files stamped with the correct version on release (#18 by @replygirl) — managed files that embed the cospec version (
generatedBy: cospec@X.Y.Z) under.claude/,.codex/,.opencode/, andopenspec/.cospec-manifest.jsonare now regenerated inside the version-bump commit, rather than trailing a release by one version until a separate restamp. Also caught and corrected 31 files that had drifted since v0.3.0. -
Release bump survives large lockfiles (#21 by @replygirl) — the release bump commit step was passing its GraphQL payload (embedding base64-encoded
bun.lock) through jq's argv, which failed withArgument list too longas the lockfile grew. The payload is now aggregated and submitted entirely through temp files, so it no longer depends onARG_MAX.
Full Changelog: v0.3.0...v0.4.0
v0.3.0
v0.3.0: Store-aware change lifecycle
This release makes cospec store-aware: a new --store <id> global flag runs the entire typed change lifecycle against a registered OpenSpec store — a standalone, shared planning repo for cross-repo work — instead of the local repo. Nothing about the workflow changes; only the operating root does. With no flag and no config pointer, behavior is byte-identical to before.
Added
-
--store <id>: the change lifecycle, over a store (#16 by @thoughtpunch) — OpenSpec 1.5.0 ships stores (registered planning repos several code repos can plan against), but cospec was single-tree: every command keyed on the invocation cwd and assumedopenspec/lived beneath it, so a cross-repo epic authored in a store lost cospec's typed schemas, theapplygate, the verifiedarchive, and the blocking-changes ledger. Nownew,validate,apply,archive,status,list,instructions,sync-blockers, andmigrateall honor--store:cospec new feat cross-repo-epic --store platform cospec validate cross-repo-epic --store platform --strict cospec apply cross-repo-epic --store platform # the gate, over the store cospec archive cross-repo-epic --store platform # verified move, in the store
A code repo can point at a store by default instead of passing
--storeon every call, via its ownopenspec/config.yaml:schema: feat store: platform # cospec + openspec resolve commands against this store references: - platform # read-only upstream context surfaced in instructions
Resolution mirrors OpenSpec's own precedence — explicit
--storeflag, else astore:config pointer, else the local repo — with the store path resolved from the machine registry viaopenspec store ls --json. Areferences:list is read-only context and never a root override. An unregistered--storeid fails loudly (naming the registered stores) rather than silently falling back to local, so a typo can never write a change to the wrong place.Store management stays native —
openspec store setup|register|ls,context, andworksetare local/read-only and carry no cospec gate. To give a store cospec's typed schemas, runcospec init <store-path> --harness none. Full details in docs/stores.md.
New Contributors
- @thoughtpunch made their first contribution in #16
Full Changelog: v0.2.1...v0.3.0
v0.2.1
v0.2.1: Doctor trusts the embedded OpenSpec
A small follow-up to v0.2.0 that finishes teaching cospec about its own embedded OpenSpec bundle: cospec doctor no longer reports a healthy standalone install as broken.
Fixed
-
cospec doctorfalse failure on standalone installs (#15 by @replygirl) — v0.2.0 gave every wrapped command an embedded-OpenSpec fallback, butdoctornever learned it:checkOpenspecVersionresolved@fission-ai/openspeconly from the project'snode_modules. On a runtime-freemise/GitHub-release install (no project install), that produced a falseopenspec-resolveERROR ("runbun install") and a non-zero exit, even though every wrapped command worked via the embedded bundle. Spawns and diagnostics now share oneresolveOpenspec()path so they can't drift, and doctor reports the embedded pin asINFOwhile staying read-only (it reads the compile-time pin and extracts nothing):INFO openspec-resolve: no project @fission-ai/openspec; wrapped calls use the embedded pinned 1.5.0Project-copy diagnostics are unchanged — an in-range copy produces no finding, and an out-of-range copy still raises the existing
openspec-versionERROR. The now-obsolete doctor caveat was also removed from both READMEs.
Changed
- npm trusted publishing with provenance (#14 by @replygirl) — the release pipeline now publishes all packages via npm trusted publishing (OIDC) with
--provenance, so published artifacts carry verifiable build provenance attestations.
Full Changelog: v0.2.0...v0.2.1
v0.2.0
v0.2.0: Batteries-included standalone binary
This release makes the cospec standalone binary truly self-contained: it now embeds the pinned OpenSpec CLI and runs it with its own bun runtime, so wrapped commands work with no JS runtime and no project install.
Added
-
Self-contained standalone binary (#13 by @replygirl) — previously the binary resolved
@fission-ai/openspeconly from your project'snode_modules, so amise-only install still needednpm i -D @fission-ai/openspecbefore wrapped commands (new,validate,apply,archive, …) would run. That caveat is gone. The binary now embeds the pinned OpenSpec CLI (1.5.0) as a minified single-file bundle and extracts + spawns it on demand under${XDG_CACHE_HOME:-~/.cache}/cospec/. A fresh, runtime-free install just works:mise use github:aligned-team/cospec cospec init cospec new feat demo
A project-installed
@fission-ai/openspec(any>=1.0.0 <2.0.0) still takes precedence — you keep your pin override and existing dev behavior — with the embedded copy used only as a fallback. (cospec doctorstill resolves OpenSpec fromnode_modulesand needs a project install.) The bundled OpenSpec dependency closure's MIT/ISC/Apache license notices ship as a generatedTHIRD-PARTY-LICENSES.mdalongside the main package, all seven platform packages, and every release archive.
Fixed
--jsoncorruption on a fresh HOME (#13 by @replygirl) — OpenSpec prints its first-run telemetry notice to stdout, which corrupted every--jsonread for standalone users (who always start from a fresh HOME). Wrapped calls now setOPENSPEC_TELEMETRY=0.
Full Changelog: v0.1.1...v0.2.0
v0.1.1
v0.1.1: Unblock the release pipeline
A maintenance release that repairs the automated release/publish workflow after the v0.1.0 dispatch failed to publish to npm. There are no application code changes — this release exists to get cospec reliably onto npm.
Fixed
- npm publish path classification (#11 by @replygirl) —
npm publishwas handed a bare relative tarball path (npm-dist/<pkg>.tgz), which npm's argument classifier treats as GitHub owner/repo shorthand, causing it to attempt an SSHgit ls-remoteand fail withPermission denied (publickey). Publishes now pass a./-prefixed path, forcing the correct local-tarball interpretation. - Safe failure rollback (#11) — the
cleanupjob previously deleted the GitHub release on any failure, which in thev0.1.0incident tore down an already-public release while a tag-protection ruleset kept the dangling tag. Rollback is now gated on npm liveness: it checks all eight packages (main + seven platform packages) and only removes the tag/release when nothing is live, otherwise leaving everything intact for a clean resume. - Resumable release dispatch (#11) — the
versionjob's tag-exists guard now distinguishes a genuine conflict (tag on a different commit) from a safe resume (tag on the current bump commit with the package not yet published). The resume case proceeds and finishes the remaining publishes; the conflict case still fails.
Full Changelog: v0.1.0...v0.1.1