StackKits v0.3.4

Highlights

• Native MCP surface: StackKits now publishes one user-facing stackkit MCP connection, with stackkit-mcp as the local adapter and stackkit-server /mcp as the protected durable endpoint after install.
• TechStack rollout readiness: release archives include the MCP/server pieces needed for kombify-TechStack managed installs, plus bounded MCP rollout and Fresh Ubuntu phase gates.
• Agent discovery: stackkit.cc now ships OpenMCP metadata, llms.txt updates, and installation-process guidance for local, SSH, and protected durable MCP paths.

Fixed

• OSS release hygiene: the StackKits runtime-action wire contract is now local to this repo, so public release builds no longer depend on private KombiverseLabs Go modules.
• Release export: the Docker image build no longer emits private module-auth configuration into the curated public release surface.
• Local gates: Beads sync, local build timing, website checks, MCP smoke tests, and timeout-budget checks are all bounded by the 15-minute command policy.

Full Changelog: v0.3.2...v0.3.4

StackKits v0.3.2

Fixed

• Public release hygiene: the public StackKits release now stays on the curated OSS export surface and release checks reject development-only paths, private workflows, internal runbooks, and test fixtures before publish.
• Release evidence: package artifacts are included in build attestations and attestation verification retries handle GitHub propagation delay without hiding real failures.
• Security gates: Go vulnerability dependencies are updated for golang.org/x/crypto, golang.org/x/net, and related golang.org/x modules, with lint/static/security checks restored to a clean state.

Full Changelog: v0.3.1...v0.3.2

StackKits v0.3.1

Highlights

• Canonical live scenarios: release work now focuses on SK-S1 local Coolify, SK-S2 kombify.me Komodo, and SK-S3 custom-domain Coolify, with installer gates split into bounded Start/Wait/Verify phases.
• Auth baseline: BaseKit rollouts restore TinyAuth/PocketID provider registration and runtime checks so protected services expose PocketID login instead of falling back to password-only TinyAuth.
• Coolify routing: generated Coolify rollouts now bootstrap, reconcile, and route StackKit-owned services through the managed proxy with service hostnames such as base, id, photos, and kuma.

Fixed

• Coolify proxy recovery: fallback and reconciliation logic now restores file-provider routing, dynamic config mounts, proxy TLS settings, service routes, host-gateway access, and same-file dynamic-config sync handling.
• Cloudflare DNS-01: custom-domain Coolify rollouts pass Cloudflare Global API Key credentials to Traefik as CF_API_KEY when CLOUDFLARE_EMAIL is present, while scoped API tokens still use CF_DNS_API_TOKEN.
• Installer readiness: live installer jobs hand off VM state before verification and wait for routed services/certificates in bounded phases instead of relying on a single long-running job.
• Runtime metrics: restore-drill host metrics preserve legitimate zero CPU values instead of dropping them as missing data.
• Release preflight: scripts/release/basekit-live-preflight.ps1 now fails closed when go, node, npm, cue, actionlint, or release helper commands return a non-zero exit code.
• Coolify endpoint contract: generated BaseKit rollouts keep the persisted .stackkit/platform.json Coolify endpoint node-local at http://127.0.0.1:8000, while bootstrap and readiness probes can use a separate endpoint reachable from remote Docker targets.
• Archive validation: release archive smoke validation now checks the current coolify_platform_bootstrap and .stackkit/platform.json contract from packaged contents instead of obsolete Coolify token API markers.
• Release state: STATUS and ROADMAP now treat v0.3.1 as the next public patch candidate and keep old v0.2.8 follow-ups as historical evidence rather than current release blockers.

Release Notes

• v0.3.1 is the next intended Public OSS patch release. v0.3.0 was a private failed release attempt and is not treated as a public release.
• Production run 26420216004 on f3419a54 was intentionally cancelled by operator request after API/Gateway, BaseKit preflight, Sim UI auth, and SK-S2 Start had passed. Complete SK-S1/SK-S2/SK-S3 end-to-end evidence should be rerun before making an Enterprise production-readiness claim.

Full Changelog: v0.3.0...v0.3.1

StackKits v0.2.8

Highlights

• BaseKit bootstrap-open Base Hub: local base.<domain> stays reachable during first-run owner setup, shows an unprotected warning, and can be protected after PocketID/TinyAuth setup.
• Registry-backed module release: module release and verify now use service auth, bootstrap missing module rows through the Admin registry, and keep all 24 module contract hashes in strict parity.
• Release gate stabilization: AdGuard Home module tests wait for routed UI readiness after provisioning, and the module release command stays below lint complexity thresholds.

Fixed

• Prevent stale service-catalog snapshots from re-protecting the local Base Hub by pinning base to identity none for local fallback defaults.
• Keep default L3/application services protected unless they are explicitly configured public; the Base Hub is the local onboarding exception only.
• Avoid browser-session Admin tokens in module release CI; signed service-auth requests now take precedence.

Full Changelog: v0.2.7...v0.2.8

StackKits v0.2.7

Highlights

• BaseKit product-contract guardrails: fresh Ubuntu evidence now checks protected/default anonymous rejection, node-local manifest visibility, and the Photos setup action instead of relying on container liveness only.
• Release mirror hygiene: the curated release export now ships a narrower documentation surface, a sanitized release roadmap, and root-relative website link validation for the Svelte/Vite site.
• Agent and website surface: stackkit.cc moved to the Svelte 5/Vite/Tailwind site while preserving installer routes, llms.txt, OpenAPI/schema mirrors, and prompt Markdown.

Fixed

• Local website release gates now run npm install, npm run check, and npm run build without failing on Windows locked native modules from an existing node_modules.
• BaseKit docs now clarify that L3 public or unauthenticated exposure is allowed only through explicit access policy, never as the default.

Full Changelog: v0.2.6...v0.2.7

v0.2.6

StackKits CLI v0.2.6

Quick Install

Base Kit (single-server homelab):

curl -sSL stackkit.cc/base | sh

CLI only (pick a kit later):

curl -sSL stackkit.cc/install | sh

Downloads

Archive	Contents
stackkits_*	Full bundle — CLI + all kits
stackkits-base-kit_*	CLI + base-kit only

Changelog

Other

• 41b4a96: release: v0.2.6 (Marcel mako.181092@googlemail.com)

Full Changelog: ...v0.2.6