Releases: fatecannotbealtered/gitlab-cli
Releases · fatecannotbealtered/gitlab-cli
Release list
v1.2.15
[1.2.15] - 2026-07-08
Fixed
- Package-manager
updatesuccess now reports the final post-install state (current_version == target_version,update_available: false) and clears the cached update notice immediately after the package manager commits. - Post-swap Skill-sync partial-success details now also report
target_versionandupdate_available: false, so agents can tell the binary is already at the target version even though the Skill still needs syncing. - Windows Go test binaries (
*.test.exe) no longer read or write the real user update-notice cache by default.
v1.2.14
[1.2.14] - 2026-07-02
Changed
- Bumped
github.com/theupdateframework/go-tuf/v2to2.4.2(#13) — the TUF client used byupdate's trust-root/signature verification, vendored into the release binary.
Fixed
npm cilockfile drift fixed. The per-platformoptionalDependenciessubentries inpackage-lock.json(node_modules/@fateforge/gitlab-cli-*) were missing theirversion, so once those platform packages were published,npm cifailed its consistency check (lock file's <pkg>@ does not satisfy <pkg>@<version>). The version bump (scripts/version-files.js) now syncs the lockfile platform subentries too, andcheck-version.jsguards them, so the drift can't silently recur.
v1.2.13
[1.2.13] - 2026-06-29
Fixed
updatenotice cache reads are now version-aware: a cachedupdate_availablenotice is suppressed once the running binary is already at or past the cached latest version. This closes a gap on the package-manager update path, which upgrades through the manager without clearing the cache, so within the 24h cache TTL business commands no longer kept advertising an update to a version already installed.updatenow routes a Homebrew-managed install (detected by path or the install-method override) through the package-manager-driven path (brew upgrade gitlab-cli) instead of letting it fall through to the standalone in-place binary swap. Replacing a Cellar-managed binary in place would desync Homebrew's metadata; the manager now owns the upgrade (CLI-SPEC §14).
v1.2.12
[1.2.12] - 2026-06-25
Added
- Canonical JSON contract is now single-sourced from the
ai-native-cli-spectemplate (pinned via.agent/SPEC_VERSION=v1.4).contract/contract.jsonis vendored and generatesinternal/contract/contract_gen.go; the error-code → exit → retryable mapping andschema_versionnow derive from it, so they cannot drift from the fleet contract.E_CANCELLEDis registered incontract/contract-ext.json(exit 5, non-retryable) to keep it valid. A new conformance test (internal/output/contract_conformance_test.go) asserts every emitted error code, the exit/retryable mapping, the envelope key sets, andmetakeys match the contract.
Changed
- The bundled
.agent/specs are now synced (not hand-maintained) fromai-native-cli-spec@v1.4, which adds the machine-readable contract governance (CLI-SPEC §3.1) and the install-method dispatch note forupdate. Acheck-specCI guard is added to thenpm-auditjob to fail closed on drift of the vendored specs/contract or the generated module. updatenow drives the package manager for npm/Go-managed installs. A baregitlab-cli updaterunsnpm install -g @fateforge/gitlab-cli@<version>(orgo install …@<version>) on the user's behalf, then syncs the Skill, reportingstatus: "installed". The binary is never mutated in place under a package manager.--check/--dry-runstay read-only and preview the package-manager command without running it. A package-manager failure reportsE_IO(exit 1) withbinary_replaced: falseand the exact command to run manually.
v1.2.11
[1.2.11] - 2026-06-25
Fixed
updatediscover/download failures are now classified by the upstream HTTP status type through the singleErrorCodeFromStatusmapping instead of being collapsed intoE_NETWORKor sniffed out of the human-readable message (CLI-SPEC §6): a404is the non-retryableE_NOT_FOUND(exit 3),429→E_RATE_LIMITED,5xx→E_SERVER, transport errors stayE_NETWORK. The discover-stage failure now carries the samestage/current_version/binary_replacedinvariant as the other stages.- The
verify_signaturestage now splits transport vs integrity: a failure fetching the Sigstore bundle is reported as a retryable network/HTTP failure (classified by status), while only a genuinely missing/invalid signature stays the non-retryableE_INTEGRITY. Previously any bundle-download blip was misreported as an integrity failure an agent must not retry. The TUF trust-root refresh in the in-process verifier is now bounded by a timeout and cancelled onctx(SIGINT) rather than running on an unboundedhttp.DefaultClient. - A TUF trust-root refresh failure during
verify_signatureis now also classified as retryable network, notE_INTEGRITY. When the embedded-TUF metadata refresh fails because the Sigstore TUF registry is down/slow/DNS-unresolvable — the bounded 30s refresh timing out while the parent context is still alive, or the fetch returning a transport error — the verifier wraps it as a trust-root-unavailable network condition (E_TIMEOUTexit 8 for a deadline,E_NETWORKexit 7 for a transport error,retryable:true). Previously this transient network step collapsed into the non-retryableE_INTEGRITY(exit 1), telling an agent not to retry a forged-release verdict that had not actually occurred. Only a genuine signature/identity/checksum mismatch remainsE_INTEGRITY. install_methodis now a real probe of the running executable's path (npmnode_modules, HomebrewCellar,go installGOPATH/bin, otherwisebinary; overridable viaGITLAB_CLI_INSTALL_METHOD). The field was previously declared but never assigned, so it was always omitted from update results and notices.- A successful self-update now clears the cached
update_availablenotice immediately after the binary swap, so business commands stop nagging to update to the version that was just installed (the next active check rewrites the cache).
Changed
- Windows self-update now performs the binary swap in place atomically via the same cross-platform rename trick used on Unix (write
.<base>.new→ rename the in-use binary to.<base>.old→ rename.newinto place → restore.oldon failure → remove.oldon success, ignoring a still-locked.oldon Windows). The previous Windows path that wrote a.cmdshim and scheduled a replace-on-restart is gone:updatenow reportsstatus: "installed"/binary_replaced: trueimmediately on every platform, and no longer emits thepending_pathfield or ascheduledstatus.
v1.2.10
[1.2.10] - 2026-06-22
Added
- The cached update-available notice now also appears in every command's
meta.notices(CLI-SPEC §3, §14), read only from the local cache with zero network I/O — business commands surface the cached notice without ever phoning home. It is omitted when the cache has nothing to report. The active-check commands (context/doctor/update --check) keep their freshdata.noticesview. - Update notices are now severity-graded at check time from the embedded CHANGELOG delta between the running and latest versions:
warningwhen the delta contains asecurityentry or the latest crosses a major version, otherwiseinfo(criticalis reserved). The computed severity is stored in the cache, so the cachedmeta.noticescarries the right level.
v1.2.9
[1.2.9] - 2026-06-21
Changed
updateis now a single command with no confirm token. A baregitlab-cli updateperforms the whole self-update in one call — resolve latest (or--target-version) → verify signature → verify checksum → replace binary → sync Skill — and is exempt from the--dry-run→--confirm <token>write gate (in-process Sigstore verification is the safety guarantee, not an agent's review of a preview).update --checkandupdate --dry-runstay as optional read-only flags;--dry-runnow issues NOconfirm_tokenand NOexpires_at.updateis idempotent: already-latest returns ok with a no-op. Other write commands are unchanged.
Added
- Staged failure & interruption envelope for
update. Every update failure carriesstage(discover|download|verify_signature|verify_checksum|replace|skill_sync),current_version,binary_replaced, andskill_sync_status. Failures are classified by next action: discover/download → retryableE_NETWORK/E_TIMEOUT/E_RATE_LIMITED; signature/checksum → non-retryableE_INTEGRITY(exit 1, unchanged fail-closed behavior); replace stage local failures →E_IO(exit 1) orE_FORBIDDEN(exit 4) instead of being misclassified asE_NETWORK. A skill-sync failure after a successful binary replace is now PARTIAL SUCCESS (ok:false,binary_replaced:true,retryable:true) carryingskill_sync_command, instead of a hard error that hid the binary already being updated. - SIGINT/SIGTERM during
updateis trapped: it unwinds to a clean state, always cleans the temp dir, and still emits a terminal JSON envelope (E_INTERRUPTED, exit 130) stating the post-state per the stage invariant. - New error codes
E_IO(→ exit 1) andE_INTERRUPTED(→ exit 130) added to the output error package and code→exit mapping.
v1.2.8
[1.2.8] - 2026-06-16
Added
repo commit listnow answers "commits by a person over a time range" and scales across scopes. New flags:--author(server-side author filter, GitLab 15.10+),--with-stats(per-commitadditions/deletions/total, so an agent can size output without any diff), and--all-branches(all refs, not one branch). The scope selector is--project(now repeatable / comma-separated),--group(every project under the group tree, subgroups included), or--all-projects(every project the token can see; fail-closed without--author). Multi-project scopes fan out client-side (CLI-SPEC §15): each commit item carries itsproject, anddatareportsscope,projectsScanned, andprojectErrors[]— a project that fails to scan is reported, not silently dropped, and never aborts the rest.repo commit diff <sha>returns the per-file diff for one commit (structuredfiles[]witholdPath/newPath,newFile/deletedFile/renamedFile, computedadditions/deletions, and thediffpatch). It is a heavy sub-resource kept out ofcommit list: triage withcommit list --with-stats, then read diffs only for the SHAs that matter.--fields newPath,additions,deletionsyields a cheap inventory without the patch text;--pathnarrows to one file.
v1.2.7
[1.2.7] - 2026-06-16
Fixed
- npm
optionalDependenciesplatform-package pins now match the package version. The previous release bumped the top-level version but left the pins at the prior version, sonpm installresolved a stale platform binary (the new wrapper with the old binary). The publish workflow now rewritesoptionalDependenciesfrom the package version beforenpm publish, so the pins can no longer drift from the single source of truth.
v1.2.6
[1.2.6] - 2026-06-16
Changed
updatenow verifies the release Sigstore signature onchecksums.txtin-process (embeddedsigstore-go, bootstrapped from the embedded TUF trust root) instead of shelling out to an externalcosign. Verification is mandatory and fail-closed: a missing signature bundle, a signature that does not verify against this repo's tagged release-workflow identity, or a checksum mismatch all refuse the update — there is no skip path. Releases are now signed withcosign sign-blob --new-bundle-format.
Security
- Release-integrity failures (missing/invalid signature or checksum mismatch) now return the non-retryable
E_INTEGRITYerror code (exit 1) instead of a retryable network code, so an agent treats a possible supply-chain issue as a hard stop rather than retrying.