Releases: npxchaos/repospec
Release list
v0.2.0
[0.2.0] — 2026-07-01
Re-platforms Repospec from the single-file Python reference tool onto a TypeScript
monorepo with a real engine, CLI, and protocol packages. The .repospec/ directory
is still the human-authored source of truth; generation is now checksum-tracked and
ownership-aware.
Added
- Monorepo (pnpm workspaces). Four published packages:
@repospec/protocol— zod schemas, frontmatter/parse, repository model,
protocol versioning.@repospec/engine— theinit,generate,sync, anddoctoroperations,
tool adapters (agents,claude), and an injectable filesystem.@repospec/cli— therepospeccommand-line front end.@repospec/templates— the scaffoldsinitseeds.
- Idempotent, ownership-aware sync. Generated outputs carry a managed header
with asha256checksum.syncwill not overwrite a hand-edited output without
--force;sync --checkreports drift and exits non-zero (ADR-0004). doctor. Validates.repospec/and reports problems with path-first
messages; detects drift and version mismatch.- Normative specification under
spec/(protocol, repository, lifecycle,
workflow, configuration, versioning, RFC process) plus seven ADRs. - Two worked examples, both engine-generated and drift-guarded in CI:
demo-serviceand a richeracme-billing(six roles, billing rules). - CI (
.github/workflows/ci.yml): format, lint, build, typecheck, test, and an
AGENTS.md drift-guard that runsrepospec sync --checkon every example.
Changed
- Renamed the npm scope and CLI to
@repospec/*/repospecand the convention
directory to.repospec/, completing the move offforge(Foundry collision). - AGENTS.md is now generated by the TypeScript engine rather than the Python
build tool, via theagentsadapter.
Removed
- The Python reference tool (
tools/repospec_build.py) and its standalone
workflow, superseded by@repospec/engine. It remains available at thev0.1.0
tag for the zero-dependency path.
Known limitations (open problems)
- Enforcement.
AGENTS.mdremains advisory to agents. CI now guards staleness
(drift-guard) and validity (doctor); commit/merge-time gate hooks are future
work. - Code ⇄
.repospec/drift.sync/doctordetect drift between source and
generated outputs, but divergence between the code and the.repospec/
description it documents is still not automatically detected.
v0.1.0
[0.1.0] — 2026-07-01
First working draft of the Repospec Protocol: an open, tool-agnostic standard that
makes a repository self-describing to AI coding agents. Humans author a .repospec/
directory; a build tool compiles it into the root AGENTS.md that agents already read.
Added
- Protocol specification (v0.1).
docs/spec-v0.1.mddefines the.repospec/
directory —project.yaml,constitution.md,workflow.md,agents/,rules/,
decisions/,history/,templates/— and the invariant that humans edit
.repospec/whileAGENTS.mdis generated. Accompanied bydocs/manifesto.md. - Roles model. Named responsibilities (
.repospec/agents/) with owned scope,
bounded authority, and defined hand-offs — a contract per role, replacing
"act like a senior engineer." - Durable memory model. Versioned decisions (
.repospec/decisions/, append-only
ADRs) and narrative history (.repospec/history/) that outlive any single
conversation or model. - Reference build tool.
tools/repospec_build.pycompiles.repospec/into
AGENTS.md(repospec build) and, with--check, verifies the committed
AGENTS.mdis current without writing. Dependency-light — PyYAML only. - CI drift-guard.
.github/workflows/repospec.ymlrunsrepospec build --check
on every push and pull request, failing whenAGENTS.mddrifts from.repospec/. - Worked example.
examples/acme-billing/— a complete.repospec/and its
generatedAGENTS.md.
Changed
- Renamed the project
forge→repospecto avoid colliding with Foundry's
Solidity CLI, whose first command is literallyforge init. The rename covers the
protocol name, the CLI verb, the reference build tool, the.repospec/convention
directory, and all user-facing strings and prose.
Known limitations (open problems)
- Enforcement — partially addressed.
AGENTS.mdis advisory; an agent can ignore
it. v0.1.0 ships a CI check that the compiledAGENTS.mdis current, which closes
the staleness gap. Optional gate hooks that enforce the workflow at commit/merge
time remain future work. - Drift detection — still open. When code and
.repospec/diverge (as opposed to
AGENTS.mddrifting from.repospec/), there is no mechanism yet to detect the
divergence or decide which side wins before it misleads an agent.
@repospec/templates@0.9.0
Minor Changes
- d1b48e8: Add three built-in adapters — Zed (
.rules), Cline
(.clinerules/repospec.md), and Continue (.continue/rules/repospec.md) —
bringing the total to nine. Paths verified against each tool's current
documentation. Enable them inproject.yamladapters(or viarepospec init). - 7891ea3:
repospec doctornow detects rule-target drift: a rule whoseappliesTo
globs match no files in the repository is flagged, since it targets code that no
longer exists. This extends drift detection past the stack into the.repospec/
artifacts themselves. It only runs when a rule declaresappliesTo(repositories
that don't use it pay nothing), and — like other drift — it's a warning that
--strictpromotes to a CI failure.
Patch Changes
@repospec/templates@0.8.0
Minor Changes
- 23e9fd7: Plugins are now bundled engine-side with esbuild before they run
(ADR-0011),
lifting ADR-0010's single-file constraint: a plugin may span multiple files and
use dependencies (local imports andnode_modulesare inlined;node:builtins
stay external). The integrity hash is now computed over the whole bundle, so
tampering any imported file or dependency — not just the entry — fails the
approval check. The sandbox is unchanged (the self-contained bundle runs in the
zero-fsdata:-URL child).@repospec/enginegains esbuild as a dependency; the
integrity hash depends on the esbuild version (re-approve after an upgrade).
Patch Changes
- Updated dependencies [23e9fd7]
- @repospec/protocol@0.8.0
@repospec/templates@0.7.0
Minor Changes
-
7e1a7fd: Plugin hardening: capability-gated network + npm resolution.
- Network capability enforced (partial): a plugin not approved for the
networkcapability runs withfetchandWebSocketreplaced by throwing
stubs. Low-levelnode:net/node:httpcan't be blocked in-process (Node has
no network permission, and loader-hook gating needs--allow-worker, which the
sandbox denies), so that residual remains — see ADR-0010; full isolation needs
an OS sandbox. - npm resolution: a declared plugin now resolves from a local
.repospec/plugins/<id>/or an installed npm package<id>that ships a
repospec-plugin.yaml. Resolution/reads happen engine-side; the sandboxed
child still receives only the source (zero-fs). Plugin entries must remain
single self-contained modules.
- Network capability enforced (partial): a plugin not approved for the
-
7c6e8f9: Harden the plugin sandbox (ADR-0010, supersedes ADR-0009's worker). Approved
plugins now run in a childnodeprocess under Node's Permission Model with
no filesystem access (no read or write), no child-process/worker/addon
permissions, andenv: {}. The engine reads the (integrity-checked) plugin
source and the child imports it as adata:URL, so it needs zero fs grants —
an OS-enforced boundary, not cooperative isolation. Filesystem writes from a
plugin are now blocked by the runtime (verified by test). Constraint: a plugin
entry must be a single self-contained module (bundle any dependencies), since a
data:URL cannot resolve relative ornode_modulesimports.
Patch Changes
@repospec/templates@0.6.0
Minor Changes
-
b74f6a0: Ship the plugin runtime (ADR-0008 trust model, ADR-0009 sandbox, RFC-0001
manifest/lockfile). Plugins now execute — safely and opt-in:- protocol:
PluginManifest/PluginLockschemas +parsePluginManifest,
parsePluginLock,serializePluginLock. - engine:
runPlugins/resolvePlugins/buildApprovalLock+integrityOf.
A plugin runs only if.repospec/plugins.lockapproves it with a matching
integrity hash and thegenerate-outputscapability (declared + approved).
Execution is aworker_threadsworker with no ambient environment;
integrity + consent are the load-bearing controls (the worker is
defense-in-depth, not a hard boundary — see ADR-0009). Outputs flow through the
same ownership/managed pipeline as adapters. - cli:
repospec plugins list/repospec plugins approve, and--plugins
ongenerate/sync(off by default). Plugin execution is opt-in and skipped
with a warning for anything unapproved or tampered.
- protocol:
Patch Changes
- 604f373: Refresh package READMEs to the current, feature-complete surface: all nine CLI
commands, six adapters, theLlmClientport, the plugin runtime, and the
manifest/lockfile schemas (they previously described a Milestone 1–3 subset). - Updated dependencies [604f373]
- Updated dependencies [b74f6a0]
- @repospec/protocol@0.6.0
@repospec/templates@0.5.0
Minor Changes
-
07bec44: Add opt-in AI assist to
repospec bootstrap(--ai). When enabled, the detected
facts (project name + the inference evidence — metadata only, never source code)
are sent to the model to refine the project description; the result is still a
draft for human approval.planBootstrapgains an optionalllm(the engine's
injectableLlmClientport), so the assist is provider-agnostic and unit-tested
with a fake. Offline inference remains the default. Closes roadmap 7.2. -
16f258c: Add the AI-assisted operations
repospec reviewandrepospec architect,
completing the protocol's command surface.reviewjudges a change (agit diff) against the repository's constitution
and rules, returning structured findings; exits non-zero on an error-severity
finding (--strictfor any finding).architectdrafts or revises.repospec/architecture.mdfrom the project
identity and current document; prints a draft,--writeto save it.
The engine gains a small, injectable
LlmClientport, so the operations stay
UI- and vendor-agnostic and unit-testable with a fake (ADR-0007). The CLI
supplies a Claude implementation via@anthropic-ai/sdk(modelclaude-opus-4-8,
adaptive thinking); it resolves credentials fromANTHROPIC_API_KEYor an
ant auth loginprofile. All roadmap command stubs are now implemented. -
49809e9: Plugins (declarative), deeper drift detection, and a command reference.
- Plugins (declarative only):
doctorvalidates declaredplugins(warns on
duplicates) and the generated guide now lists them, explicitly noting no plugin
code is executed (spec §3.7; roadmap Milestone 6 discovery + validation). - Deeper code drift:
doctornow also compares declared runtimes against the
repo, andbootstrapinfers the Node runtime version frompackage.json
engines.node(e.g.node20). - Docs: add
docs/commands.md(full command reference) and refreshTODO.md
to the current, feature-complete command surface.
- Plugins (declarative only):
-
93c0c91: Add template rendering primitives to
@repospec/templates:interpolate(a
{{ dotted.path }}substitution engine that throws on a missing variable rather
than emitting a blank) andpartials(reusable snippets). The seed
architecture.mdnow renders through them, and both are exported for future
user-authored templates (roadmap Milestone 4).
Patch Changes
@repospec/templates@0.4.0
Minor Changes
- f81d077:
repospec doctor --stricttreats warnings — including code ⇄.repospec/drift —
as failures, so CI can gate on them. Also extend drift detection to testing tools
(declaredstack.testingvs the dependencies), in both directions. - c06a2c7: Implement
repospec upgrade— the protocol-migration operation (spec/versioning.md
§4). It reads the repository's declaredrepospecProtocol, compares it to what the
tool targets, and: reports when already current; refuses a repo declaring a newer
protocol; and, for an older repo, applies the chain of migrations, bumping
repospecProtocol(edits to source artifacts require consent). The migration
registry is empty for now —0.1is the first protocol version — but the mechanism
is complete and tested. AddsparseProtocolVersion/compareProtocolVersionsto
@repospec/protocol.
Patch Changes
@repospec/templates@0.3.0
Minor Changes
- f3ad5c6: Add
repospec bootstrap— infer a draft.repospec/from an existing repository
using offline heuristics (manifests, lockfiles, dependencies), presented for human
review before writing. Add Windsurf (.windsurf/rules/repospec.md) and Gemini CLI
(GEMINI.md) adapters. - 2e80c89:
repospec doctornow warns on code ⇄.repospec/drift: it compares the declared
stack (languages, package manager, frameworks) against what the repository actually
contains, using the same offline inference asbootstrap. Warnings only, gated to
repositories with apackage.json. Also fixrepospec --version, which reported
0.0.0instead of the real package version.
Patch Changes
@repospec/templates@0.2.1
Patch Changes
- 11465bf: Point the generated
project.yaml$schemaat a hosted JSON Schema
(raw.githubusercontent.com/npxchaos/repospec/main/schemas/0.1/project.schema.json)
instead of the unhostedrepospec.devURL, fixing a dead link in every generated
repository. - Updated dependencies [11465bf]
- @repospec/protocol@0.2.1