v0.9.1

[0.9.1] - 2026-06-26

Changed

• content audit — formalized the localisation control inputs. LOCALISATION_MODE gains a
  third value translate-and-rewrite (produce target copy from the source when no usable target
  draft exists, held to the same native-first bar), and both LOCALISATION_MODE and
  TERMINOLOGY_POLICY now have an explicit "control effect" spec defining what each value does — so
  a run's localisation behaviour is unambiguous rather than inferred. No structural change; the gate
  stays green (13/13).

v0.9.0

[0.9.0] - 2026-06-26

Added

• MCP server (mcp/) — a dependency-light stdio Model Context Protocol server that exposes the
  verified, version-pinned audit prompts as native agent tools (list_audits, get_audit_prompt,
  get_orchestrator, get_standard) for Claude Desktop, Claude Code, Cursor, and any MCP-capable
  agent. Mirrors the canonical AUDITS catalogue and reads prompts live from audit-prompts/.
• Per-audit detail pages — /audits/<key> (German mirror /de/audits/<key>) with long-form
  copy, an audit-specific activation prompt, and per-audit Open Graph images, for deep-linking and
  SEO. Short vanity slugs (e.g. /security-audit, /a11y-audit) 308-redirect to the canonical path.
• Sample-report gallery — /reports and /reports/<slug> rendering the real #97 self-audit run
  (scorecard, not-applicable reasons, headline findings, and the cross-audit dedup exhibit), every
  field mapped to a verifiable GitHub artifact and localized EN/DE.
• Per-audit photographic hero images ("Verified Systems Lab") shown on the audit detail pages and
  the homepage audit cards, auto-detected via the public/<key>.webp convention.
• Native-language & locale integrity (C15) in the content audit — a localization lens with a
  locale input contract (LOCALE/SOURCE_LANGUAGE/LOCALISATION_MODE/TERMINOLOGY_POLICY), a
  Phase-0 language brief + terminology matrix, a "Native Reader" blind-back-translation skeptic
  (Phase 3), a mode-dependent scorecard dimension, and de-CH definition-of-done checks, so an audit
  yields original-sounding copy in the target locale rather than translated source. de-CH (Swiss)
  defaults to ss, never ß.
• TERMINOLOGY.md — a bilingual EN/de-CH glossary (Binding + Advisory tiers) that serves as the
  content audit's STYLE_REFERENCE; linked from CONTRIBUTING.md.

Changed

• The landing page is now a multi-route site (home, per-audit details, reports) sharing a common
  header/footer/nav chrome, rather than a single page.
• Vercel deploys are git-connected and automatic (production on push to main, previews per branch),
  with the monorepo build unblocked (Root Directory = web).
• Cross-cutting de-CH locale rule in ISSUE-OUTPUT-STANDARD.md (Swiss orthography, German
  quotation marks, terminology consistency) inherited by all 13 audits, and the issue-label axis
  canonicalized to dimension:/effort: (with locale:de-CH); DOCUMENTATION-STANDARD.md
  orthography aligned to Swiss ss.
• Native Swiss-German site copy — the entire German site (web/lib/i18n.ts and all 13 audit
  detail pages) re-modeled into original de-CH by dogfooding the new C15 lens on this repo:
  English sentence architecture and Denglish removed, terminology unified, every protected technical
  term preserved. Locked in by a web/lib/locale-de-ch.test.ts regression guard (no ß, a
  morphology-aware Denglish denylist) and a corrected principle-translation assertion.

Fixed

• CI/release hardening — automated CHECKSUMS.txt regeneration and verification, a version-pin
  verification gate so release pins can't silently drift, an ESLint / jsx-a11y gate for web/, and a
  CI workflow for the mcp/ package.
• Dropped dead exports in reports.ts flagged by the lean audit.

v0.8.0

Added

• lean audit — the 13th template: a repo-leanness / anti-AI-slop / dependency-transparency audit that challenges dead code, redundancy, unused/phantom dependencies, and bloat, makes the full dependency surface transparent (SBOM), and proposes a safe strip-down gated against over-deletion — a Phase-0 Protected/Load-Bearing Manifest, Chesterton's Fence, a four-class removal register, and a "Resurrector"/"Fence-Keeper" adversarial pass. Maps to Software Engineering at Google (deprecation/dependency management), OWASP Component Analysis, SLSA, and YAGNI. Dogfooded against this repo — see #125.

Changed

• Landing-page overhaul (from a dogfooded content audit and follow-up non-design reviews): a Proof section with the real #97 self-audit backlog exhibit, scorecard, and a filed finding; copy-to-clipboard activation CTAs; grounded claims and a Trust/FAQ block; a visual "input → six-phase pipeline → GitHub issues" process diagram in "How it works"; inline jargon tooltips; plus accessibility (EN og:image, hreflang), performance, SEO and German-copy fixes. All 23 content-audit findings (#100–#122) closed.

v0.7.0

Adds the content & messaging audit — the 12th template.

Added

• content audit: goes beyond prose polish. It challenges the thesis (steelmans the strongest counter-argument), measures information gain against best-in-class references, audits audience/awareness-stage fit, evidence & originality, structure, voice, persuasion, and ethics — and ships concrete before/after rewrites, filed as GitHub issues per ISSUE-OUTPUT-STANDARD.
• Built on the canonical house skeleton (Phase 0–5, P0–P3, shared finding schema, definition of done) with a 0–100 content scorecard; passes the prompt-structure gate 12/12.
• Wired into the orchestrator menu + machine index, llms.txt, the landing page (audit count auto-updates to 12), the README library table, ARCHITECTURE.md, and the new-audit issue template.

Full changelog: https://github.com/marcelrapold/auditor/blob/main/CHANGELOG.md

v0.6.0

First published release. Resolves the full-repo orchestrator self-audit backlog (#97) and hardens the release/supply-chain surface.

Added

• Per-locale root layouts (route groups (en)/(de)) so /de serves <html lang="de">; a German Open Graph image and per-route Twitter/OG metadata.
• scripts/bump-version.mjs + RELEASING.md: single-source the release tag pinned in the orchestrator and llms.txt; a CHECKSUMS.txt verification gate (sha256sum -c) in CI.
• Escape-to-close + focus-return on the mobile menu; reduced-motion handling for smooth scrolling.

Changed

• English copy/metadata now say "GitHub issues in German or English"; audit count derived from AUDIT_COUNT.
• CI hardening: GitHub Actions pinned to commit SHAs, concurrency + timeout-minutes on every workflow, prompts Node sourced from .nvmrc; Dependabot grouping/labels; engines.node aligned to >=22; vitest 4 (0 vulnerabilities); HSTS response header.
• Fixed the check-prompts.mjs legacy-severity guard and added a self-test.

Full changelog: https://github.com/marcelrapold/auditor/blob/main/CHANGELOG.md