release: v0.3.0 — cross-platform system prompts + production-ready README #24
Merged
…ADME

Bundles three landed feature/fix PRs since v0.2.0 plus a structural README rewrite. Additive — v0.2.0 Windows users see no behavior change.

Functional changes (already merged in earlier PRs, surfaced as v0.3.0):
- #22 — close CodeQL js/clear-text-logging high-severity alert; no substring of the stored API key emitted in user-facing output (matches dario v3.7.2+ rule).
- #23 — OS-aware system prompts. Both run modes branch on process.platform; macOS gets open + osascript guidance, Linux gets xdotool/ydotool with display-server detection. Pure-helper module src/system-prompt.ts with 13 unit-test assertions.

Documentation (this PR):
- README structural rewrite. Added sovereignty-angle lead, explicit cost-comparison table, full threat model with operating recommendations, honest Limitations & known issues block, FAQ, trust-and-transparency table mirroring claude-bridge. README size 306 → 421 lines.
- CHANGELOG documents the README rewrite as a release-polish item.

Empirically un-smoked caveat (called out in the README's Limitations section): the OS-branching is unit-tested but the LLM behavior under the macOS / Linux blocks is not yet verified against a real model call on a non-Windows host. First post-publish report from a Mac or Linux user is the signal that locks in the cross-platform claim.

Version bump fires auto-release.yml on merge: tag, GitHub release, inline npm publish --access public --provenance.
Summary
Bundles three landed feature/fix PRs since v0.2.0 plus a structural README rewrite. Additive — v0.2.0 Windows users see no behavior change.
Functional (already merged, surfaced as v0.3.0)
- `js/clear-text-logging` high-severity alert. No substring of the stored API key is emitted in user-facing output anymore (matches dario v3.7.2+ rule). 0 open security alerts.
- `process.platform`; macOS gets `open` + `osascript` guidance, Linux gets `xdotool`/`ydotool` with display-server detection. Pure-helper module `src/system-prompt.ts` with 13 unit-test assertions. Marketing follow-through (package.json description, README headers, repo description on GitHub) all updated.

Documentation (this PR)
- `--dry-run` before trusting a new task class, scope-target destructive ops, audit-log review cadence), honest Limitations & known issues block (Wayland xdotool blind spot, macOS Accessibility first-run prompt, Claude-Login-no-audit-trail, cross-platform empirical state, SDK-mode-Anthropic-only), FAQ-style troubleshooting, trust-and-transparency table mirroring claude-bridge.

Empirically un-smoked caveat
Called out in the new README's Limitations section and in the v0.3.0 CHANGELOG: the OS-branching is unit-tested but the LLM behavior under the macOS / Linux blocks is not yet verified against a real model call on a non-Windows host. First post-publish report from a Mac or Linux user is the signal that locks in the cross-platform claim. Windows is well-exercised.
Test plan
- `npm install --package-lock-only` — clean, 0 vulns.
- `npm run typecheck` — clean (strict mode).
- `npm run build` — clean.
- `npm test` — 49/49 pass.
- `node dist/cli.js --version` → `0.3.0`.
- `node dist/cli.js --help` — full command surface.
- `actionlint`, `analyze`, `build (20)`, `build (22)`) on this PR.
- `auto-release.yml` fires → tag `v0.3.0` → `npm publish --access public --provenance`.
- `npm install -g @askalf/hands@0.3.0` → `hands --version` → `hands doctor` end-to-end. Catches the dario#143 class of bin-shim regression.
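
The rule stated in the summary above (no substring of the stored API key in user-facing output) can be held in place with a regression check. The following is an added example, not code from this PR or the project; `describeKeyMasked`, `describeKeyPresence`, `findKeyLeak` and the sample key are hypothetical names and constructed values.

```typescript
// Added example: every name here is hypothetical, not taken from the project.

// Common masking pattern: still prints the last four characters of the secret.
// That tail is a substring of the key, the kind of flow js/clear-text-logging reports.
function describeKeyMasked(key: string): string {
  return `API key: ****${key.slice(-4)}`;
}

// Presence-only status: the message is built without copying any character of the key.
function describeKeyPresence(key: string | undefined, source: string): string {
  return key ? `API key: configured (source: ${source})` : "API key: not configured";
}

// Regression guard: returns the first run of `minLen` consecutive key characters
// that appears in `output`, or null when no such run is present.
function findKeyLeak(output: string, key: string, minLen: number = 4): string | null {
  if (key.length < minLen) {
    // Key shorter than the window: only a full-key match can be checked.
    return key.length > 0 && output.includes(key) ? key : null;
  }
  for (let i = 0; i + minLen <= key.length; i++) {
    const chunk = key.slice(i, i + minLen);
    if (output.includes(chunk)) return chunk;
  }
  return null;
}

// Constructed sample key, not a real credential.
const SAMPLE_KEY: string = "sk-test-CONSTRUCTED-0123456789abcdef";

function demo(): { masked: string | null; presence: string | null } {
  return {
    masked: findKeyLeak(describeKeyMasked(SAMPLE_KEY), SAMPLE_KEY),
    presence: findKeyLeak(describeKeyPresence(SAMPLE_KEY, "config file"), SAMPLE_KEY),
  };
}

console.log(demo());
```

Running `findKeyLeak` over the rendered text of each status or diagnostic command in a unit test catches a reintroduced "last four characters" display before it ships.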