Skip to content

v0.23.4

Choose a tag to compare

View all tags
@anthony-chaudhary anthony-chaudhary released this 10 Jun 23:56
· 528 commits to master since this release
v0.23.4
5cf3f77

version: 0.23.4
date: 2026-06-10
headline: "Patch — the issues workflow lands (capture, triage, close-by-evidence), and releases now tag only witnessed-green SHAs."
themes: ["issues", "release", "oracle", "docs"]
highlights:

  • "Issues are the backlog: capture rule, triage labels, close-by-evidence convention"
  • "Releases tag after the CI verdict on the SHA, never before"
  • "commit-audit: a .gitattributes-only diff can witness a ci-scoped claim"
  • "dos helped --explain labels are rung-honest (WARN never reads as a block)"
  • "Carries the full unreleased 0.23.x line toward PyPI"

TL;DR — The GitHub issue tracker joins the trust substrate: out-of-scope
findings get filed with a checkable done-condition and close only on evidence,
never narration. The release flow itself learned the v0.23.0–2 lesson and now
tags only a SHA whose CI verdict already exists. Two small verdict fixes land in
the kernel. PyPI consumers should care: this is the version intended to move the
index past 0.22.0.

issues — the tracker joins the trust substrate

  • The capture rule — a finding that isn't your current task is filed as an
    issue with a done-condition, a lane guess, and provenance, instead of widening
    the commit or evaporating.
    • Where: CLAUDE.md "Out-of-scope findings", AGENTS.md Committing,
      CONTRIBUTING.md "Issues — the backlog, and how one closes".
  • Triage labelsready (done-condition present, anyone may pick it),
    design (needs a docs/NN plan first), human-only (the fleet skips it).
  • Close on evidence, not narrationFixes #N in the commit body lets the
    landing on master close the issue off ancestry. Manual closes carry their
    witnesses (the issue-verify skill).
    • Why: issue text is public output the tracked-file leak gate never scans —
      the authoring-time privacy rule is now stated where agents read it.

release — tag-after-green

  • The tag waits for the verdict. /release now pushes the commit, waits for
    ci.yml to rule on that exact SHA, and tags only on green — plus a pre-tag
    test subset of the exact families that killed v0.23.0–2, and a backlog sweep
    that surfaces unapproved publish runs at every release.
    • Why: a tag is immutable and PyPI accepts each version once; three version
      numbers died in one day betting the other way (issue #7).
  • Version bumps survive the generated-README erarelease_bump.py
    regenerates the assembled README and the canonical-example corpus it sweeps.
  • The dry-run plandocs/295 plans the TestPyPI rehearsal and
    tag-last ordering this release already practices.
  • v0.23.1/v0.23.2 notes are marked superseded; three rotted docs-index links
    retargeted.

oracle — two verdict fixes

  • commit-audit: a bare dotfile like .gitattributes now counts as source,
    so a fix(ci) commit whose whole fix is a .gitattributes change is
    witnessed by its own diff instead of flagged (issue #4).
    • How: src/dos/commit_audit.py + pinning test.
  • dos helped --explain: bucket labels are rung-honest — a WARN-only
    bucket can no longer read as if it blocks.
    • How: src/dos/help_summary.py + tests.

docs — contract maintenance and the first stable channel

  • Write plainlyCLAUDE.md carries the operator's plain-English rule:
    simple words, short sentences, simplify wording, never facts.
  • docs/ARCHITECTURE.md — the roster⇔section bijection restored (seven
    missing leaves documented, the witness family added).
  • Rotted counts refreshed in the contract docs; the stale "(no plans declared)"
    reading retired for the evidence-horizon one.
  • Orientation READMEs added for examples/, docs/_audits/, spikes/; the
    claude-plugin README no longer claims a JSON+markdown-only payload.
  • stable/2026-06-bedrock — the first stable-channel promotion (of
    v0.23.3), with its evidence file at docs/stable-releases/2026-06-bedrock.md.

Also in this tag

Four commits landed between the release commit and the witnessed-green SHA the
tag names:

  • privacy — the private-fleet bleed-through a fresh-lens audit found is
    scrubbed from three docs.
  • kernel — evidence subprocesses never inherit the caller's stdin
    (docs/295), fixing a transport-pipe wedge in long-lived dos-mcp servers
    on Windows.
  • hosts — Trae proved out: advisory-only binding for the host with no hook
    seam (docs/294); dos init --hooks trae fails loud instead of writing
    config nothing reads.
  • arbiter — refuse-reason advice names --lane, the flag dos actually
    has (issue #11).
Assets 2
Loading