JSON Analyzer v0.1.14 - The Release Bell Finds Its Rope

JSON Analyzer v0.1.14 - The Release Bell Finds Its Rope

The Quest

The forge could build a release when the right tag arrived, but a missed GitHub release had no clean path back. This release gives the release bell a visible rope: an existing tag can now be sent through the Release workflow from GitHub Actions, while the normal tag-push path remains unchanged.

What Awoke

• The Release workflow can now be run manually with an existing vX.Y.Z tag.
• Release jobs now resolve and reuse one RELEASE_TAG value across validation, draft creation, asset uploads, and final publishing.
• Manual recovery now checks that the requested tag exists and still has a successful CI run with the required release artifacts.
• Existing releases are no longer forced back to draft when a recovery run updates notes or uploads missing assets.
• The release checklist now explicitly includes pushing the version tag and describes the CI artifact requirement for manual recovery.

Runes of Assurance

• pnpm -C frontend run typecheck passed.
• pnpm -C frontend run lint passed.
• pnpm -C frontend run test passed with 127 tests.
• ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yml"); puts "release workflow YAML parsed"' passed.
• git diff --check passed.
• The release workflow diff was reviewed after the draft-preservation fix.

Known Boundaries

• Manual release recovery still depends on non-expired CI artifacts for the tagged commit.
• If release artifacts have expired, a fresh release commit or CI artifact rebuild is still required.
• actionlint was not available on this workstation, so GitHub Actions semantic linting was not run locally.
• Rust format, clippy, and test checks could not be run on this workstation because cargo and rustfmt were not available on PATH.

JSON Analyzer v0.1.13 - The Empty Scroll Invites the Paste

JSON Analyzer v0.1.13 - The Empty Scroll Invites the Paste

The Quest

The Curl Executor had learned to suggest better batch values, but its command editor still arrived already filled. That made guidance look like user input. This release restores the expected rhythm: the editor starts empty, the placeholder shows the Postman-style cURL shape, and execution waits for the user to paste the request they actually want to run.

What Awoke

• Curl Executor now opens with an empty curl command field instead of preloaded sample text.
• The full Postman-style cURL example now lives in the curl command placeholder.
• Execute stays disabled until the user enters a real curl command.
• Clear no longer appears active in single-request mode only because hidden batch example values exist.
• Curl workflow tests now assert the empty initial editor, placeholder guidance, and execution after pasting the sample.

Runes of Assurance

• npm --prefix frontend run test -- App.curl.test.tsx passed with 39 tests.
• npm --prefix frontend run typecheck passed.
• npm --prefix frontend run lint passed.
• npm --prefix frontend run build passed.
• git diff --check passed.

Known Boundaries

• Batch replacement remains intentionally raw and exact. Users should provide already-encoded values for URL paths or query strings.
• Example generation is shape-based only; it does not infer route semantics or API-specific entity names.
• Rust format, clippy, and test checks could not be run on this workstation because cargo and rustfmt were not available on PATH.
• Curl jobs remain in-memory only; durable job history is still deferred.
• The APT repository currently publishes Linux amd64 packages only.

JSON Analyzer v0.1.12 - The Batch Compass Learns the Shape

JSON Analyzer v0.1.12 - The Batch Compass Learns the Shape

The Quest

Batch mode no longer needed only to be general-purpose; it needed to feel obvious before the first request was sent. The old 1 and 2 sample values were too vague for real REST work, especially when a pasted Postman curl already showed whether the selected target looked like a UUID, number, email, date, slug, or token.

What Awoke

• Curl Executor now starts with neutral UUID-style batch examples instead of ambiguous numeric placeholders.
• Batch setup now generates editable example values from the selected URL path segment or query parameter shape.
• Generated examples cover UUIDs, integers, email addresses, dates, timestamps, slugs, token-like values, encoded query values, empty values, and unknown strings.
• User-entered batch values are preserved when switching batch targets; generated examples update only while the field is still auto-managed.
• Clearing the form now resets the auto-example tracker so a newly pasted curl can repopulate smart examples correctly.
• Stale domain-specific wording was removed from touched docs so Curl Executor remains framed as a generic REST API tool.

Runes of Assurance

• npm --prefix frontend run test -- App.curl.test.tsx src/components/curl-executor/utils.test.ts passed with 49 tests.
• npm --prefix frontend run typecheck passed.
• npm --prefix frontend run lint passed.
• npm --prefix frontend run test passed with 127 tests.
• npm --prefix frontend run build passed.
• git diff --check passed.
• Neutral-language scans found no blocked domain-specific wording in source, tests, docs, release notes, README, or package metadata touched by this release.

Known Boundaries

• Batch replacement remains intentionally raw and exact. Users should provide already-encoded values for URL paths or query strings.
• Example generation is shape-based only; it does not infer route semantics or API-specific entity names.
• Rust format, clippy, and test checks could not be run on this workstation because cargo and rustfmt were not available on PATH.
• Curl jobs remain in-memory only; durable job history is still deferred.
• The APT repository currently publishes Linux amd64 packages only.

JSON Analyzer v0.1.11 - The Curl Lens Sharpens

JSON Analyzer v0.1.11 - The Curl Lens Sharpens

The Quest

Curl Executor had become general-purpose, but the last steps still needed a sharper eye. HTTP errors should be visible responses, and batch setup should make common path and query replacements easy without guessing domains or mutating the wrong URL.

What Awoke

• Single curl execution now shows non-2xx HTTP responses with status, headers, formatted body preview, copy response, and copy details instead of treating them as missing-url or parse failures.
• Batch setup can detect URL path segments and query parameters from the actual request URL and insert generic placeholders for selected targets.
• Query-parameter insertion now preserves raw URL text, duplicate parameter order, encoded names, fragments, empty values, and valueless parameters.
• Curl URL detection now follows a span-aware argument parser for supported curl options, including quoted and inline --url values, multiline Postman curl commands, and safe rejection of ambiguous unsupported URL options.
• Batch result handling now counts HTTP 4xx and 5xx responses as failed items while preserving their response payloads and input value traceability.
• Curl response spacing, typography, status badges, and body previews were tightened for easier scanning.

Runes of Assurance

• pnpm -C frontend run test -- App.curl.test.tsx --runInBand passed with 114 tests.
• pnpm -C frontend run typecheck passed.
• pnpm -C frontend run lint passed.
• pnpm -C frontend run build passed.
• git diff --check passed.
• Neutral-language scans found no domain-specific wording in curl-related implementation and tests.

Known Boundaries

• Rust format, clippy, and test checks could not be run on this workstation because cargo and rustfmt were not available on PATH.
• Batch replacement remains intentionally raw and exact. Users should provide already-encoded values for URL paths or query strings.
• Curl jobs remain in-memory only; durable job history is still deferred.
• The APT repository currently publishes Linux amd64 packages only.

JSON Analyzer v0.1.10 - The Curl Path Widens

JSON Analyzer v0.1.10 - The Curl Path Widens

The Quest

Curl Executor could walk one known path, but batch runs still carried old assumptions in their pack. A pasted Postman curl should be enough: the user chooses the variable, provides values, and the app expands the run without guessing domains, identifiers, or private business language.

What Awoke

• Curl batch jobs now use one curl command plus an explicit placeholder and input values instead of a pre-expanded curl list.
• Batch expansion is owned by the Rust job service, including placeholder validation, generated-curl parsing, input value tracking, size limits, large-batch confirmation, and bounded concurrency.
• Batch mode now keeps the curl editor visible, detects generic {name} placeholders, previews the first generated request, and explains exact raw replacement.
• Single curl execution now renders the request method and URL alongside status, elapsed time, headers, body preview, and copy actions.
• Batch results now show generic input values, merged successful payload copying, and grouped errors tied to affected input values.
• Curl private-network policy is configurable and now defaults to allowing private/internal targets unless strict mode is enabled by environment.
• The default single-request sample is a normal executable-looking curl; batch examples opt into placeholders explicitly.

Runes of Assurance

• pnpm -C frontend run typecheck passed.
• pnpm -C frontend run lint passed.
• pnpm -C frontend run test -- --runInBand passed with 94 tests.
• pnpm -C frontend run build passed.
• git diff --check passed.
• Neutral-language scans found no domain-specific wording in the implementation, tests, README, decision docs, or release notes touched by this release.

Known Boundaries

• Rust format, clippy, and test checks could not be run on this workstation because cargo and rustfmt were not available on PATH.
• Curl jobs remain in-memory only; durable job history is still deferred.
• Batch replacement is intentionally raw and exact. Users should provide already-encoded values for URL paths or query strings.
• The APT repository currently publishes Linux amd64 packages only.

JSON Analyzer v0.1.9 - The Quiet Path Opens

JSON Analyzer v0.1.9 - The Quiet Path Opens

The Quest

The repository gate was sound, but its footpath was too narrow. The installer verified the setup package correctly and enabled the APT source, yet APT could not let its _apt sandbox step through the private temporary directory that held the local setup package. The install completed, but the road ended with a warning that looked sharper than it was.

What Awoke

• The APT repository installer now keeps signature, checksum, keyring, and GnuPG work inside the private verification directory.
• The local repository setup .deb is now placed in a separate /tmp install directory that APT's _apt sandbox can traverse.
• The setup package remains world-readable only for the short install window, and cleanup removes both temporary directories on exit.
• The README latest/download/install-apt-repo.sh path will pick up this quieter installer once the release assets are published.

Runes of Assurance

• sh -n scripts/install-apt-repo.sh passed.
• git diff --check passed.
• A simulated release substitution with the live APT signing fingerprint kept the pinned fingerprint intact.
• Temporary directory permissions were sanity checked so verification files stay private while the local .deb path is _apt-readable.

Known Boundaries

• The exact _apt notice could not be reproduced on the local macOS workstation; hosted Linux release validation remains the final build proof.
• This release changes installer behavior only; application UI, parsing, PDF export, auto-update metadata, and Windows signing remain unchanged.
• The APT repository currently publishes Linux amd64 packages only.

JSON Analyzer v0.1.8 - The Pinned Key Holds

JSON Analyzer v0.1.8 - The Pinned Key Holds

The Quest

The release road found a quiet trap in its own warding. The installer carried the trusted APT signing key into the published asset, then mistook that same key for an unreplaced placeholder and erased it before verification could begin. This release reforges that check so the pinned key remains pinned.

What Awoke

• The APT repository installer template now keeps its placeholder sentinel separate from the release-injected signing fingerprint.
• The Linux release workflow now renders install-apt-repo.sh into a dedicated release asset directory instead of mutating the source template in place.
• Release validation now checks the generated installer asset directly, including shell syntax, absence of the raw placeholder, presence of the injected fingerprint, and protection against clearing that fingerprint.
• Linux release asset upload now publishes the generated installer from release-assets/, matching the file that validation inspected.

Runes of Assurance

• sh -n scripts/install-apt-repo.sh passed.
• A simulated release substitution with the live APT signing fingerprint kept the default fingerprint and did not create a self-clearing sentinel check.
• .github/workflows/release.yml parsed as YAML.
• git diff --check passed for the installer and release workflow changes.

Known Boundaries

• The hosted release workflow remains the final proof that GitHub Pages, release assets, and package signing all converge.
• Existing broken installer assets from older releases still need to be replaced by publishing this release.
• The APT repository currently publishes Linux amd64 packages only.
• PDF export UI, auto-update metadata, and Windows signing remain outside this release.

JSON Analyzer v0.1.7 - The Ledger Learns Its Shape

JSON Analyzer v0.1.7 - The Ledger Learns Its Shape

The Quest

The release road is no longer only about proving packages. This release turns inward and pays down the complexity that had gathered around the app: broad frontend files are split into clearer rooms, browser mocks become command-family ledgers, and the release gate gains a repeatable baseline before the next feature push.

What Awoke

• Values Explorer now lives as a stateful controller with focused panels, icons, types, and pure helpers instead of one broad component.
• Curl Executor now follows the same shape, with response, job, and error panels separated from execution state.
• The app stylesheet is split into ordered domain files under frontend/src/styles/app/, while app.css remains the cascade manifest.
• Browser mocks are split into analysis, curl, config, and problem modules while preserving the public mock dispatcher.
• Release discipline now has pnpm baseline, pnpm run release:verify, and a release-candidate checklist.
• Values Explorer large-result pagination and curl relative same-origin redirect behavior both gained regression coverage.
• Tauri capability auditing now requires the allowed command list to exactly match the app command set.

Runes of Assurance

• pnpm run release:verify passed before the release cut, including baseline capture, pnpm check, and the no-bundle Tauri release build.
• Browser smoke on http://127.0.0.1:5173/ covered Analyze, Values Explorer, Curl Executor, light theme, dark theme, console errors, and horizontal overflow.
• Focused frontend, Rust, and capability checks passed during implementation before the final integrated gate.

Known Boundaries

• The packaged desktop light/dark manual smoke remains a release-candidate validation step for generated artifacts.
• The APT repository currently publishes Linux amd64 packages only.
• Curl jobs remain in-memory only; durable job history is still deferred.
• PDF export UI, auto-update metadata, and Windows signing remain outside this release.

JSON Analyzer v0.1.6 - The Seals Face Dawn

JSON Analyzer v0.1.6 - The Seals Face Dawn

The Quest

The unsigned road has ended. This release turns the restored signing wards back toward the release gate: macOS must prove the fresh Developer ID certificate and notarization secrets, while Linux must prove the zstd-aware Debian signature verifier against a real tagged artifact.

What Awoke

• macOS release jobs are back on the signed and notarized path with the refreshed Developer ID Application archive.
• Debian package signing is enabled again after replacing the release-side dpkg-sig verifier with a zstd-aware signature check.
• Release validation now checks the Debian package signature, signer fingerprint, role, and archive member hashes without rejecting control.tar.zst or data.tar.zst.
• The v0.1.6 tag exists to prove both restored signing paths in hosted GitHub Actions.

Runes of Assurance

• The new Debian verifier accepted the previously failed signed v0.1.4 package and rejected a tampered copy.
• Hosted CI on main passed after Debian signing was re-enabled, with Sign Debian packages executed successfully.
• Local workflow parsing, git diff --check, Python bytecode compilation, and pnpm check passed before this release cut.

Known Boundaries

• This release is the hosted proof run for macOS notarization with the refreshed Apple secrets.
• The APT repository currently publishes Linux amd64 packages only.
• Curl jobs remain in-memory only; durable job history is still deferred.
• PDF export UI, auto-update metadata, and Windows signing remain outside this release.

JSON Analyzer v0.1.5 - The Unsigned Road Clears

JSON Analyzer v0.1.5 - The Unsigned Road Clears

The Quest

The named Linux gate held in CI, but the release altar revealed two older wards: Debian package signatures that could not be trusted by dpkg-sig, and an Apple certificate secret whose password no longer opened the archive. This release keeps the ship moving by using the reliable signed APT repository path for Linux and the existing unsigned macOS bundle path until fresh Apple credentials are ready.

What Awoke

• The v0.1.4 CI repair is carried forward: Debian artifacts keep package-safe filenames before validation, upload, and release publishing.
• Release configuration now skips fragile package-level dpkg-sig signatures and relies on the signed APT repository plus checksum sidecars for Linux distribution integrity.
• macOS release jobs now use the unsigned build path while the Apple certificate secret is corrected outside the repository.
• The release notes record the hosted failure clearly so the next signing restoration has a known trail to follow.

Runes of Assurance

• Hosted CI passed for the v0.1.4 commit after Debian artifacts were renamed to json-analyzer_0.1.4_amd64.deb.
• The release failure was traced past CI into release-only checks: dpkg-sig reported BADSIG _gpgbuilder, and macOS certificate import reported a PKCS12 password failure.
• Local workflow YAML parsing, embedded shell syntax checks, git diff --check, and pnpm check passed before the v0.1.4 cut; v0.1.5 only changes release identity and notes.

Known Boundaries

• macOS DMGs are unsigned until the Apple certificate/password secrets are replaced and ENABLE_MACOS_SIGNING is turned back on.
• Debian packages are not individually signed with dpkg-sig; the APT repository remains the signed Linux installation path.
• The APT repository currently publishes Linux amd64 packages only.
• Curl jobs remain in-memory only; durable job history is still deferred.
• PDF export UI, auto-update metadata, and Windows signing remain outside this release.