v0.4.0
Minor: PR receipts can now attach and post themselves. A receipt travels with the
branch as a sibling git ref and CI renders + posts the comment, so a receipt lands even
when no one runs pr --post. Rendered receipt output is unchanged from v0.3.0 (goldens
byte-identical); the new surface is opt-in.
Added
- Seamless PR receipts —
store=ref+ pre-push hook (SPEC-0065):aireceipts pr --store ref(orAIRECEIPTS_STORE=ref) writes the receipt as a deterministic git
object onrefs/receipts/<slug>— invisible in the tree and PR diff, byte-identical
across machines (dated from the session's ownendedAt, never wall-clock). A committed
.githooks/pre-pushhook generates and pushes that ref ongit push(best-effort;
never blocks a push, no second push).npm run setup:hooksactivates the hook for a
clone of this repo; the default store stayscomment. - CI posts the receipt from the ref (SPEC-0066): a two-job
pr-receipt-check.yml
fetches the branch ref, validates and sanitizes the untrusted, fork-author-controlled
payload, renders it through the existing renderer, and upserts one marker comment via
GITHUB_TOKEN— no localghrequired. Opt-in enforcement
(AIRECEIPTS_REQUIRE_PR_RECEIPT=true) makes same-repo PRs require a receipt; fork
PRs always stay notice-only (their transcripts live on the contributor's machine, so CI
can't generate one). Enforcement is currently coarse — it does not yet distinguish
agent-built from hand-written PRs. @latestdistribution pin (SPEC-0064 R1): the PR-receipt-check caller installs the
reusable workflow at@latest; the movinglatestgit tag is advanced by the release
workflow on each publish. (SPEC-0064 R2–R4, the npm-nativepr-checkcommand, remain in
progress.)
Performance
- Faster feedback (SPEC-0063): in-process sqlite parsing, a goldens compile cache, and
parallel preflight reduce CLI and preflight wall-clock.
Security
- The receipt payload that rides on the branch ref is treated as untrusted input — anyone
who can push a branch, including a fork author, controls its bytes. The CI post path is a
hardened trust boundary: a field-aware sanitizer (bracket-escape +
autolink defang for live-markdown fields, fence-guard for fencedtext, an
https-allowlist that rejects markdown-breaking characters for artifact URLs), rendered in
a token-lessrenderjob whose data-only artifact is posted by a separatepost
job — golden-gated against an injection corpus.
Docs
- Adopter kit: a minimally-invasive default plus opt-in tiers for repos that want to turn
enforcement up (docs/pr-receipts.md,docs/adopt/).