v0.6.0
This release focuses on runtime schema validation hardening, dependency security updates, fail-closed contract loading behavior, and improved cross-platform correctness. Contracts are now validated at load time and rejected when the schema is unavailable, ensuring deterministic architectural integrity.
⚠️ Breaking Changes
Node.js >= 20 Required
- Minimum Node.js version bumped to >=20.
- Required by dependency and security updates.
- Users on Node.js < 20 must upgrade.
🔁 Changed
Dependency Updates
- Upgraded
ts-morphto 27.0.2 (from 21.0.1) with improved TypeScript 5.x support. - Updated
globto 13.0.6 to address a minimatch ReDoS vulnerability.
➕ Added
Runtime Schema Validation
.uif.jsonsidecar contract files are now validated via AJV at load time.- Invalid, malformed, or schema-drifted contracts are rejected.
- Prevents corrupted architectural context from being consumed by tooling or AI agents.
- Validation errors are capped at 20 entries for clarity.
🐞 Fixed
Fail-Closed Schema Behavior
- Contracts are now rejected when the JSON schema cannot be loaded.
- Prevents silent validation bypass.
Schema Validator Reliability
- Ensures consistent
valid/errorsreturn values. - Correct
err.datareporting. - Properly reports
nullandarrayinstead of genericobject.
Contract Loader Error Handling
- Clearly distinguishes:
- File not found
- Read errors
- JSON parse errors
- Schema validation errors.
- Improves debugging clarity.
File Lock Race Condition
- Prevents concurrent processes from acquiring locks mid-write.
- Improves cross-platform reliability.
🔐 Security
- Enforces strict project-root boundaries across file loading utilities (path traversal protection).
- Includes a fix for a minimatch ReDoS vulnerability via
glob@13.0.6.
📚 Documentation
- Updated
SECURITY.mdto document runtime schema validation and contract integrity guarantees. - Updated
schema.mdto reflect enforced validation behavior.
🧪 Tests
- Added root-boundary traversal tests.
- Expanded extraction and route coverage.
- All tests passing.
🔗 Related PRs