
release: prepare v18.1.1 automation #675

Merged
flyingrobots merged 3 commits into main from release/v18.1.1
Jun 25, 2026

@flyingrobots (Member) commented Jun 25, 2026

Summary

  • prepare v18.1.1 as the provenance-correct patch release from current main
  • move operator workflows from docs/topics/ to docs/operations/
  • add .github/RELEASE.md as the contributor/maintainer release runbook
  • add Release Autotag so merged release/* PRs run final preflight, create the tag on main, and dispatch release.yml
  • update README, architecture, topic index, changelog, package metadata, JSR metadata, lockfile, and private workspace versions to 18.1.1

Closes #673

Validation

  • npm run release:guard -- --stage prep-pr --tag v18.1.1
  • npm run release:prep
  • npm run lint
  • npm run lint:md
  • npm run lint:md:code
  • npm run lint:docs-topology
  • npm run typecheck:src
  • npm run typecheck:policy
  • npm run typecheck:consumer
  • npm run typecheck:surface
  • npx vitest run test/unit/scripts/repository-standard-docs.test.ts test/unit/scripts/dependency-hygiene.test.ts test/unit/scripts/markdownlint-config.test.ts
  • pre-push IRONCLAD M9 firewall, including static gates and stable unit-test shards

Release behavior

When this PR merges to main, .github/workflows/release-autotag.yml should detect the merged release/v18.1.1 branch, run npm run release:preflight, create v18.1.1 at the merge commit, and dispatch release.yml with that tag.

Summary by CodeRabbit

  • New Features

    • Added automated Release Autotag behavior to tag and dispatch publishes after merged release/* branches, with a PR-time release-prep guard.
    • Added a maintainer release runbook covering the end-to-end release flow and required release-evidence updates.
  • Bug Fixes

    • Updated the latest release to v18.1.1, including the republished v18.1 line and the @git-stunts/alfred timeout fix.
  • Chores

    • Consolidated documentation topology to docs/operations/; updated and validated required release docs and strengthened release-preflight/guard checks.

@coderabbitai

coderabbitai Bot commented Jun 25, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e54d5be1-6712-43be-8e6b-a935388121af

📥 Commits

Reviewing files that changed from the base of the PR and between 6394810 and cd362c3.

📒 Files selected for processing (1)
  • .github/workflows/release-autotag.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/release-autotag.yml

📝 Walkthrough


This PR adds release-runbook guidance, release/tag automation, versioned release signposts, and updates operations documentation links to the consolidated docs layout.

Changes

Release automation and documentation topology

| Layer / File(s) | Summary |
| --- | --- |
| Release runbook and contributor guidance: .github/CONTRIBUTING.md, .github/RELEASE.md, AGENTS.md | The release runbook defines the branch/merge/tag flow, prep checklist, diff review commands, validation steps, guard rules, and fallback procedure, while contributor and agent guidance point release instructions to .github/RELEASE.md and the consolidated docs locations. |
| Prep-PR guard and preflight messaging: .github/workflows/release-pr.yml, scripts/release-preflight.sh | The PR workflow adds a prep-stage release guard keyed to the predicted package version, and the preflight script now points non-prep-pr releases to Release Autotag with annotated-tag fallback. |
| Autotag workflow and docs gates: .github/workflows/release-autotag.yml, scripts/release-guard.sh, scripts/check-docs-topology.sh | The autotag workflow detects merged release/* PRs on main, derives the tag from package.json, skips existing tags, runs release preflight, pushes the annotated tag, dispatches release.yml, and the docs-gate scripts require the consolidated documentation set. |
| Release notes and version metadata: CHANGELOG.md, README.md, ARCHITECTURE.md, docs/topics/README.md, jsr.json, package.json, packages/*/package.json | The release note and signpost files are updated for v18.1.1, and the root and workspace manifests are bumped to 18.1.1. |
| Operations link rewiring: README.md, docs/operations/README.md, docs/topics/README.md, docs/topics/cli.md, docs/topics/content-and-cas.md, docs/topics/git-substrate.md, docs/topics/strands.md, docs/topics/troubleshooting.md | Operations links in the README, operations page, and topic pages now target the consolidated operations directory or sibling topic pages. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • git-stunts/git-warp#641 — Updates the same release-guard and autotag path, including release-evidence docs and release messaging.

Poem

I hopped through release paths, soft and bright,
and tagged the version just right. 🐰
The docs now point where carrots grow,
and all the burrow roads say “go.”
Snip-snap, the moon approves tonight.

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (3 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Linked Issues check | ⚠️ Warning | The PR diverges from #673's v18.1.0 requirements by bumping versions to 18.1.1 and omitting several required release-note highlights. | Restore the v18.1.0 release-note/signpost scope, keep version metadata locked at 18.1.0, and include the acceptance-criteria highlights before closing #673. |
| Out of Scope Changes check | ⚠️ Warning | It adds release automation, runbooks, version bumps, and docs-topology refactors that are beyond the linked issue's release-notes/signposts scope. | Split the automation, release-runbook, versioning, and docs-topology work into separate PRs or link them to issues that explicitly require those changes. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title is concise and accurately reflects the release-prep automation changes in the PR. |
| Description check | ✅ Passed | The description includes a summary, issue link, validation steps, and release behavior, with only the ADR checklist left unfilled. |


@github-actions


Release Preflight

  • package version: 18.1.1
  • prerelease: false
  • npm dist-tag on release: latest
  • npm pack dry-run: passed
  • jsr publish dry-run: passed

If this PR is from a release/* branch and merges to main, Release Autotag will run final preflight, create v18.1.1, and dispatch the Release workflow.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-autotag.yml:
- Around line 83-87: The release-autotag workflow is still using the generic
final-local preflight path instead of the tag-aware release guard. Update the
Final release preflight step in the release-autotag workflow to call the same
explicit preflight/guard flow used by release.yml, passing the release stage and
steps.metadata.outputs.tag before git tag rather than relying on npm run
release:preflight. Refer to the Final release preflight step and the
release-preflight.sh / release guard wiring to locate the change.
- Around line 22-30: The workflow setup in the release-autotag job should not
leave the checkout token persisted and should avoid floating action versions.
Update the actions/checkout and actions/setup-node usages in this workflow to
pinned commit SHA references, and set persist-credentials to false on the
checkout step so later install or preflight steps cannot reuse the repo write
token.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b11eb802-8119-4ff8-b73e-d1e72e14e28a

📥 Commits

Reviewing files that changed from the base of the PR and between 75763fe and 53badab.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (23)
  • .github/CONTRIBUTING.md
  • .github/RELEASE.md
  • .github/workflows/release-autotag.yml
  • .github/workflows/release-pr.yml
  • AGENTS.md
  • ARCHITECTURE.md
  • CHANGELOG.md
  • README.md
  • docs/operations/README.md
  • docs/topics/README.md
  • docs/topics/cli.md
  • docs/topics/content-and-cas.md
  • docs/topics/git-substrate.md
  • docs/topics/strands.md
  • docs/topics/troubleshooting.md
  • jsr.json
  • package.json
  • packages/warp-adapters/package.json
  • packages/warp-kernel/package.json
  • packages/warp-orset/package.json
  • scripts/check-docs-topology.sh
  • scripts/release-guard.sh
  • scripts/release-preflight.sh

Comment thread .github/workflows/release-autotag.yml Outdated
Comment thread .github/workflows/release-autotag.yml Outdated

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/release-autotag.yml (2)

84-88: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pass the tag through an env var to avoid template-injection into the shell.

${{ steps.metadata.outputs.tag }} is expanded directly into the run command, so any shell metacharacters in the value execute in the runner context. Although the tag derives from package.json's version, binding it to an env value and referencing "$TAG" removes the injection surface (zizmor template-injection).

🔒 Proposed fix
       - name: Final release preflight
         if: steps.release_pr.outputs.should_release == 'true' && steps.metadata.outputs.tag_exists != 'true'
         env:
           GH_TOKEN: ${{ github.token }}
-        run: bash scripts/release-preflight.sh --stage final-local --tag "${{ steps.metadata.outputs.tag }}"
+          TAG: ${{ steps.metadata.outputs.tag }}
+        run: bash scripts/release-preflight.sh --stage final-local --tag "$TAG"
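
Review bot: The value bound on the added `TAG: ${{ steps.metadata.outputs.tag }}` line still reaches `release-preflight.sh --tag` without any format check; quoting `"$TAG"` stops the shell from interpreting it, but a malformed tag would still be passed through. Consider validating the tag against the project's expected tag shape in the metadata step, so every later consumer of the output gets a checked value. A short comment on the `env:` block explaining why the tag is bound there would also help keep a later edit from inlining the `${{ }}` expression back into `run:`.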
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-autotag.yml around lines 84 - 88, The Final
release preflight step is expanding the tag directly inside the shell command,
which creates a template-injection risk. Update the release-autotag workflow job
to pass the metadata tag through an env variable on the same step, then
reference that variable in the bash invocation instead of interpolating
steps.metadata.outputs.tag directly. Keep the fix scoped to the Final release
preflight step and preserve the existing release-preflight.sh arguments and
GH_TOKEN setup.

Source: Linters/SAST tools


90-100: 🩺 Stability & Availability | 🔴 Critical

Authenticate the tag push after disabling checkout credentials.

persist-credentials: false removes the token from .git/config, so git push origin "refs/tags/$TAG" has no auth and will fail. Re-add credentials for this step or push the tag through gh/the GitHub API.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-autotag.yml around lines 90 - 100, The release tag
creation step is pushing a tag without authentication because checkout
credentials are disabled, so update the Create release tag job to restore auth
before the git push or switch the push to use GitHub CLI/API. Use the existing
tag flow around steps.release_pr.outputs.should_release,
steps.metadata.outputs.tag_exists, and the git tag/git push commands, and ensure
the tag push has valid credentials available even when persist-credentials is
false.

Source: Learnings

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/release-autotag.yml:
- Around line 84-88: The Final release preflight step is expanding the tag
directly inside the shell command, which creates a template-injection risk.
Update the release-autotag workflow job to pass the metadata tag through an env
variable on the same step, then reference that variable in the bash invocation
instead of interpolating steps.metadata.outputs.tag directly. Keep the fix
scoped to the Final release preflight step and preserve the existing
release-preflight.sh arguments and GH_TOKEN setup.
- Around line 90-100: The release tag creation step is pushing a tag without
authentication because checkout credentials are disabled, so update the Create
release tag job to restore auth before the git push or switch the push to use
GitHub CLI/API. Use the existing tag flow around
steps.release_pr.outputs.should_release, steps.metadata.outputs.tag_exists, and
the git tag/git push commands, and ensure the tag push has valid credentials
available even when persist-credentials is false.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9f7fe4b1-100a-4877-ae2e-2336ad045cdd

📥 Commits

Reviewing files that changed from the base of the PR and between 53badab and 6394810.

📒 Files selected for processing (2)
  • .github/workflows/release-autotag.yml
  • scripts/release-preflight.sh
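
The template-injection finding in the review above (a `${{ }}` expression expanded inside a `run:` script) can be checked mechanically. The following is an added example, not part of the PR or of CodeRabbit's review: a small line-based scanner run on constructed snippets modeled on the quoted step. The function name and the `Create release tag` snippet body are assumptions, and it is not a full YAML parser or a substitute for zizmor.

```python
import re

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")           # a ${{ ... }} expression
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")  # run: key, optional "- "

def find_run_expressions(workflow_text):
    """Return (line_number, expression) for each ${{ }} inside a run: script."""
    findings, key_col = [], None  # key_col: column of run: while in a block scalar
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if key_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= key_col:
                key_col = None    # dedent: the block scalar has ended
            else:
                findings += [(lineno, e) for e in EXPR.findall(line)]
                continue
        m = RUN_KEY.match(line)
        if not m:
            continue              # env:, if:, with: values are not shell text
        if m.group(2)[:1] in ("|", ">"):
            key_col = len(m.group(1))  # script body is on the following lines
        else:
            findings += [(lineno, e) for e in EXPR.findall(m.group(2))]
    return findings

# Constructed snippets modeled on the step quoted in the review (not the real file).
BEFORE = '''\
      - name: Final release preflight
        env:
          GH_TOKEN: ${{ github.token }}
        run: bash scripts/release-preflight.sh --stage final-local --tag "${{ steps.metadata.outputs.tag }}"
'''
AFTER = '''\
      - name: Final release preflight
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ steps.metadata.outputs.tag }}
        run: bash scripts/release-preflight.sh --stage final-local --tag "$TAG"
'''
# Hypothetical block-scalar step, constructed to exercise multi-line run: scripts.
BLOCK = '''\
      - name: Create release tag
        run: |
          git tag -a "${{ steps.metadata.outputs.tag }}" -m "release"
          git push origin "refs/tags/$TAG"
        shell: bash
'''

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("block", BLOCK)):
        print(name, find_run_expressions(text))
```

Expressions under `env:` are deliberately not reported, since the runner passes those to the step as environment values rather than pasting them into the script text.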

@github-actions


Release Preflight

  • package version: 18.1.1
  • prerelease: false
  • npm dist-tag on release: latest
  • npm pack dry-run: passed
  • jsr publish dry-run: passed

If this PR is from a release/* branch and merges to main, Release Autotag will run final preflight, create v18.1.1, and dispatch the Release workflow.

@github-actions


Release Preflight

  • package version: 18.1.1
  • prerelease: false
  • npm dist-tag on release: latest
  • npm pack dry-run: passed
  • jsr publish dry-run: passed

If this PR is from a release/* branch and merges to main, Release Autotag will run final preflight, create v18.1.1, and dispatch the Release workflow.

Development

Successfully merging this pull request may close these issues.

Prepare v18.1.0 release notes and signposts