Releases: bjgreenberg/senior-engineering-partner
Release list
v1.5.0 — consumer-contract testing, runnable-setup-as-docs, adversarial verify
1.5.0 (2026-06-30)
Dogfooding again: two PRs' worth of lessons from a real build session where a fully green test
suite still shipped a broken integration, plus an escalation of the verification step itself.
Features
- Consumer-side contract testing — and "test the decision, not the component it renders" (#16, aeee0e5). A new-user flow shipped broken past a green suite: the UI was coded and mocked against an assumed response (`200`-with-empty) while the server correctly returned `403` — a false green no unit test caught. `references/testing.md` now requires a consumer's mock to encode the producer's real responses (status codes and error bodies), or a thin integration test across the seam — contract drift cuts both ways. And it calls out the sibling miss: a "thin" route/handler still owns the branch decision (which state to show, how to classify an error), so that logic must be extracted and tested — "the components are tested" is not "the orchestration is tested."
- The runnable setup is documentation too (#16, aeee0e5). A required config var that never reached the dev compose crashed `docker compose up` at boot, long after the test suite was green. The documentation discipline (`SKILL.md`) now treats every launch surface — compose files, env templates, deploy manifests, the README quickstart — as documentation that must move in lockstep when a new required var is added, and treats the quickstart as a verifiable artifact you actually run before claiming it works.
- Adversarial multi-lens verification for high-stakes diffs (#15, bf9f7db). The "verify before done" step now escalates a Tier-2 / security- or isolation-sensitive change to several independent, refute-first lenses — then re-reviews whatever folding the findings introduced. That loop is what catches a green-but-insufficient change (passes every gate, reads as correct, yet misses its scoped goal) that a single confirmatory read sails past. A multi-lens panel on a trivial diff is review-theater — match the breadth to the stakes.
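A sketch of the consumer-side contract rule from the first bullet, as an added example (not code from this repository): the branch decision is extracted from the route into a pure function and exercised against fixtures that encode the producer's real statuses and error bodies, including the `403`. The view names, error codes and every identifier below are assumptions.

```python
"""Consumer-side contract test sketch (added example; all names are hypothetical)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    status: int
    body: dict

# Constructed fixtures standing in for what the producer really returns
# (status codes and error bodies), not what the consumer assumed.
PRODUCER_CONTRACT = {
    "existing_user": Response(200, {"items": [{"id": 1}]}),
    "existing_user_no_items": Response(200, {"items": []}),
    "new_user": Response(403, {"error": "not_provisioned"}),
    "no_session": Response(401, {"error": "unauthenticated"}),
    "server_fault": Response(500, {"error": "internal"}),
}

def decide_view(resp: Response) -> str:
    """Branch decision extracted from the 'thin' route so it is testable alone."""
    if resp.status == 200:
        return "list" if resp.body.get("items") else "empty"
    if resp.status == 401:
        return "login"
    if resp.status == 403:
        # Classify by error body: an unrecognised 403 must not become onboarding.
        known = resp.body.get("error") == "not_provisioned"
        return "onboarding" if known else "forbidden"
    return "error"

# The false-green mock: the UI assumed a new user receives 200-with-empty.
CONSUMER_MOCKS = {"new_user": Response(200, {"items": []})}

def contract_drift() -> list[str]:
    """Scenarios where a consumer mock disagrees with the producer contract."""
    return [
        name for name, mock in CONSUMER_MOCKS.items()
        if mock != PRODUCER_CONTRACT[name]
    ]

def run_contract_table() -> dict[str, str]:
    """View chosen for every response the producer can actually send."""
    return {name: decide_view(r) for name, r in PRODUCER_CONTRACT.items()}
```

Run against the assumed mock alone, `decide_view` returns `"empty"` and every component test stays green; `contract_drift()` is the check that fails.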
v1.4.0 — Dogfooding: file-sync repo corruption, scheduled-job catch-up, infra-doc discipline
Three generalizable lessons that surfaced running the skill against a real multi-machine fleet migration:
- `dev-environment-isolation.md` (new §2 subsection) + ENVIRONMENT ISOLATION floor — never host a live `.git` in a file-sync tree. A file-syncer (iCloud "Desktop & Documents", Dropbox, OneDrive) replicating a live repo corrupts it — concurrent `.git` writes, half-synced pack/ref/lock files, online-only eviction of `.git` objects, conflict copies — a distinct failure from "sync ≠ backup" (which is about a sync propagating a bad change). Fix: repos in a non-synced path, synced via git push/pull; if a sync tree must contain one, relocate it out and leave a symlink (verify the sync tool's symlink behavior with a scratch test first).
- `resilience-engineering.md` (new §5) — scheduled work must catch up after downtime. Wall-clock schedulers (cron, launchd `StartCalendarInterval`, systemd calendar timers) silently skip runs missed while the host was off/asleep, not defer them. Pair the wall-clock trigger with an elapsed-time catch-up trigger + an idempotent due-gate, and compute "is a run outstanding?" the same way in the gate and in whatever heartbeat monitors the job (a no-op catch-up run must write nothing, so it can't reset the monitor's signal).
- `SKILL.md` DOCUMENTATION — "every representation" now names infra/environment/layout docs. A doc you read to understand a change is one you must update — including the environment/host profiles and directory-layout indexes that describe how things are wired, not just code-level docs.
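The catch-up pattern from the `resilience-engineering.md` item, as an added example (not code from this repository): one `run_outstanding` predicate is shared by the due-gate and the heartbeat, and a no-op run writes nothing. The daily 03:00 slot, the state-file format, the grace period and all names are assumptions.

```python
"""Due-gate sketch (added example; the 03:00 slot and all names are assumptions)."""
import json
import tempfile
from datetime import datetime, time, timedelta
from pathlib import Path

SLOT = time(3, 0)  # assumed wall-clock schedule: daily at 03:00

def latest_slot(now: datetime) -> datetime:
    """Most recent scheduled slot at or before `now`."""
    slot = datetime.combine(now.date(), SLOT)
    return slot if slot <= now else slot - timedelta(days=1)

def last_success(state: Path):
    if not state.exists():
        return None
    return datetime.fromisoformat(json.loads(state.read_text())["last_success"])

def run_outstanding(state: Path, now: datetime) -> bool:
    """The one definition of 'is a run outstanding?' used by gate and monitor."""
    last = last_success(state)
    return last is None or last < latest_slot(now)

def gated_run(state: Path, now: datetime, job) -> bool:
    """Entry point for both the wall-clock and the elapsed-time catch-up trigger."""
    if not run_outstanding(state, now):
        return False  # no-op: nothing written, so the monitor's signal is untouched
    job()
    tmp = state.with_suffix(".tmp")
    tmp.write_text(json.dumps({"last_success": now.isoformat()}))
    tmp.replace(state)  # atomic rename: a crash never leaves a half-written state
    return True

def heartbeat_stale(state: Path, now: datetime, grace=timedelta(hours=2)) -> bool:
    """Monitor: alert once a slot has been outstanding for longer than `grace`."""
    return run_outstanding(state, now) and now - latest_slot(now) > grace

def simulate():
    """Constructed timeline: the host sleeps through the 2 Jan 03:00 slot."""
    state = Path(tempfile.mkdtemp()) / "job.state"
    d = lambda day, h, m=0: datetime(2026, 1, day, h, m)
    ticks = [d(1, 3), d(1, 4), d(2, 8), d(2, 8, 10), d(3, 3)]
    ran = [gated_run(state, t, lambda: None) for t in ticks[:2]]
    stale = heartbeat_stale(state, ticks[2])  # on wake: the missed slot is visible
    ran += [gated_run(state, t, lambda: None) for t in ticks[2:]]
    return ran, stale, last_success(state)
```

Gating on the latest slot rather than on elapsed time since the last run means the late 08:00 catch-up does not suppress the next day's 03:00 run.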
v1.3.1 — Fix-at-source discipline + a portability correction
Tag cut retroactively on 2026-06-29 to backfill release history (the change landed in the linked PR; release-please automation was added in #14).
v1.3.0 — Dogfooding: test/prod privilege-parity + gate-construction lessons
Tag cut retroactively on 2026-06-29 to backfill release history (the change landed in the linked PR; release-please automation was added in #14).
v1.2.0 — Dogfooding: `AUDIT:` mode + lessons from a real codebase audit
Tag cut retroactively on 2026-06-29 to backfill release history (the change landed in the linked PR; release-please automation was added in #14).
v1.1.0 — evaluation follow-ups
A round of fixes and additions from a full skill self-evaluation.
Privacy & authoring correctness
- Two-tier `leakage-guard`: generic class-patterns ship publicly; literal identifiers live in an un-committed `references/leakage-denylist.local` (from a `.template`) — the public repo no longer publishes fingerprints to block them.
- Frontmatter `description` trimmed to ≤1024 chars (Anthropic's limit).
Security-framework naming (the controls already existed; now they're mapped)
- OWASP LLM Top 10 (2025) in `secure-data-processing.md`; OWASP API Security Top 10 (2023) — API1 BOLA ≠ web A01 — in `threat-modeling-and-api-design.md`.
New references
- `google-apps-script.md` (+ a guarding eval) and `javascript-and-typescript.md` close the two headline-language gaps.
Disciplines added
- Profile-before-you-optimize; legacy-refactor + tech-debt register; systems-theory naming (feedback loops, Senge archetypes, iceberg/Cynefin, Conway's Law, Safety-II); PCI-DSS / NIST AI RMF / ISO 42001 / i18n one-liners.
Repo/community
- README "What it governs" coverage section; `MAINTAINERS.md`; CODEOWNERS prepared for a second maintainer.
See the full changelog in SKILL.md.