Skip to content

v3.13.1 — first public release

Latest

Choose a tag to compare

@oharms oharms released this 09 Jul 18:20

PAN Wizard v3.13.1 — first public release.

[3.13.1] - 2026-07-09

Changed — public-release hygiene sweep

Preparation for taking the repository public. Full-history secret scan (gitleaks, 200 commits): clean; commit authorship already uses noreply addresses.

  • Neutral codenames in shipped content. Field-sourced learnings, workflow notes, and CHANGELOG entries now reference source projects by neutral codenames (e.g. "the lending project", "the compliance project") instead of private project directory names; machine-local absolute paths removed from repo docs. No pattern content changed — only source identity. Learnings index rebuilt; lint-strict clean.
  • Community health files. Added .github/ISSUE_TEMPLATE/{bug_report,feature_request}.md and PULL_REQUEST_TEMPLATE.md; SECURITY.md supported-versions table refreshed; CODE_OF_CONDUCT enforcement contact now routes to GitHub private reporting (was a placeholder email); README clone-directory casing fixed.
  • Stale tracked build artifacts untracked. Three hooks/dist/*.js copies predating the ignore rule removed from git (regenerated at build/release; hooks/dist still ships to npm via the build).

[3.13.0] - 2026-07-02

Added — project hygiene system: version alignment + history/memory cleanup (hygiene.cjs, /pan:hygiene)

Past projects drift as PAN advances: runtime installs fall behind (the lending project had five runtimes at 3.12.5 under a 3.13.0 core), pre-v3.12.4 hooks left poisoned cost ledgers (79% suspect records in one live project), memory logs grow past the compaction cap, legacy uppercase planning filenames linger, atomic-write .tmp orphans and unbounded trace sessions pile up, and stray fragment .planning/ dirs appear where a lone mapping step once ran. The new hygiene system detects and (safely) fixes all of it:

  • pan-tools hygiene scan — read-only findings report: per-runtime manifest version vs latest (re-run-installer remediation, never auto-run), untracked installs, legacy filenames, .tmp orphans (>1h), memory bloat (> entry cap), poisoned ledgers (≥50% suspect via the v3.12.4 isSuspectRecord, ≥20 records), stale trace sessions (>30d, newest 5 always kept), fragment planning dirs (no workflow spine — phase model, focus model, and orchestration layouts all recognized).
  • pan-tools hygiene clean [--apply] — dry-run by default; --apply executes only the safe subset: case-hop lowercase renames, orphan deletion, memory compact, ledger quarantine-by-rename (content never deleted), trace pruning. Version drift and fragment dirs always stay manual.
  • /pan:hygiene command (new, 57th) wraps scan → confirm → clean → re-scan.
  • 25 new unit tests (tests/hygiene.test.cjs); five HYGIENE_* constants.

Added — ADR-0039: worktrees are project variants

Records the design rule harvested from an external agent-tooling monorepo worktree-awareness spec: any future feature keying identity or mutable state off a project path must resolve project-then-variant and namespace state per (project, variant) — never match a worktree to its parent's mutable state, never treat it as a separate project. No code change today; binding on the first feature that violates the assumption.

Added — field harvest pass 2: 7 audit-doctrine patterns from the lending project audit rounds

Deep-mine of the round-3/4 code-quality audits and the 340-line verified findings register. New universal topics audit-convergence (stop on zero-top-severity + order-of-magnitude collapse, escalate model / taper fan-out as the tree hardens; rotate audit lenses per round with prior-scope exclusion) and fix-campaigns (hand fixers defect-class clusters ranked by real risk, not N tickets; treat auditor suggestedFix as untrusted input; run a dedicated fix-regression lens for inert/half-wired/sibling-breaking fixes), plus two adversarial-verification additions (anti-double-jeopardy git provenance; reachable-trigger confirmation with precedent-calibrated severity and the five false-positive shapes). Library now 47 topics / 93 patterns.

Added — field harvest: 20 new patterns from the d:\ project sweep (docs/FIELD-HARVEST-2026-07.md)

A four-scout sweep of every past project directory on the dev drive, deduped against the existing library and promoted through the standard manual gate (learn promote, lint-strict clean). Library grows 32→45 topics, 66→86 patterns. New universal topics: live-path-honesty (no fabricated data/success on live paths; honest-empty + demo gating; scaffold ≠ deliverable), test-integrity (no dumbing down generated tests), adversarial-verification (per-finding refute-first verifiers; expect 30-55% refutation), integration-verification (intra-phase PASS ≠ integrated; regenerate derived closure artifacts), single-source-of-truth (one classification predicate; re-sync parallel truth copies + golden-reproduction E2E), migration-safety (no unattended destructive DDL), flaky-triage (isolated re-run protocol; windowed stats + 2-of-3 reproduction), external-tool-truth (judge CLIs by artifact, not exit code), golden-sets (human-verified golden sets; execution-gated corpus curation), harness-isolation (SHA-locked frozen artifacts), workaround-catalog (catalog env overlays before ticket close), service-security (authed-CRUD security spine), mcp-security (MCP surface = injection channel). Internal: P-RES-008 (retrieval-first over fine-tuning; schema-linking is the enterprise bottleneck). Sources: the lending project fake-code audit, the platform project v2.0 milestone audit + dispatch postmortem, the compliance project campaign v1.1, the spec-factory project research corpus, mph_factory/_limits harness rules, montyhall learning corpus. New topics carry curated agent-relevance rows in learn-index.cjs; shipped evidence prose is machine-path-free (exact paths live in the repo-only harvest doc).

Added — Skill-Aligned Decomposition pass for planning (ADR-0038)

SkillWeaver (Alibaba, arXiv 2606.18051) measured one-shot task decomposition at 51% accuracy against its tool library and 92% with a Skill-Aware Decomposition feedback loop — draft, retrieve loosely-matching skills, realign the decomposition to the vocabulary/granularity of what exists. PAN's planner decomposed phases in exactly that one-shot pattern. This adopts the loop's mechanism at PAN scale, inside ADR-0036's distill-and-select yardstick:

  • skills align (skill-align.cjs) — scores a draft planner task list against an on-the-fly index of the installed skill surface (commands/pan/, templates/ recursive, references/, learnings topics via learn-index.cjs) using the shipped scoreRelevance keyword scorer. Returns per-task top-k matches, coverage, and a deduped token-budgeted vocabulary hint list (default 1500t) with explicit dropped overflow — no silent caps. Planning glue words are stripped from cues so "Create the API" doesn't match everything.
  • skills index — prints the skill index ({entries, total, by_kind, skipped_roots}). Nothing is persisted: the walk is ~140 small files, so no staleness, no installer changes, no rebuild step.
  • pan-planner gains a skill_alignment step between task breakdown and dependency-graph building: realign task wording/granularity to matched skill names, cite matched learnings topics in <action> blocks; unmatched tasks signal a wording/split rethink — never added scope. Advisory and fail-open: any error skips the step. One matching quality-gate line in plan-phase.md.
  • Guardrails held: no embeddings, no FAISS, no vector store, zero runtime dependencies; missing roots (partial installs, non-Claude command formats) are skipped and reported, never thrown. Spec: docs/specs/skill-aligned-decomposition.md.

Added — bounded, cue-scoped memory (ADR-0036 follow-up work)

Brings PAN's per-agent memory onto the distill-and-select axis (the learnings/ store already was), so per-agent memory injection can't grow unbounded and flood context as the bot army fans out. This closes ADR-0036's own follow-up work; the ADR moves Proposed → Accepted.

  • memory select (selectMemory) — a cue + recency-floored + token-budgeted read of .planning/memory/<agent>.md, alongside the existing whole-file readMemory. Always keeps the newest entries (so recall never returns empty on a non-empty log), fills the rest by cue relevance, falls back to recency-only when the cue matches nothing, and is bounded by an explicit token budget. Reuses the shipped scoring / greedy-pack idioms; zero new dependencies.
  • exec-phase uses it size-gated. Memory injection stays whole-file by default; when the memory-load budget flags a large log it switches to a per-agent cue-scoped slice (cue = phase objective + changed files), with a whole-file fallback if a cue matches nothing — so a mis-scoped cue never silently drops a rule.
  • Soft auto-compaction. appendMemory now trims to DEFAULT_MAX_ENTRIES once a log crosses MEMORY_SOFT_CAP_MULT× (2×) that cap (surfaced via auto_compacted), closing the "a log grows past 500 unbounded until someone runs compact manually" hole.
  • memory budget (memoryLoadBudget) — the ADR's acceptance signal, wired into validate health --full: estimates whole-memory injection tokens vs the median per-agent input from the (v3.12.4 suspect-quarantined) cost ledger; read-only, non-blocking, degrades to an absolute-token check when the ledger is thin.
  • knowledge ask --recall-cue — minimal FW-1: re-scores the already-gathered CITATION_ROOTS candidates against a follow-up cue and returns a tighter recall_sources slice (no second filesystem walk, no new deps). sources keeps its existing {file, score, bytes} shape.

Also corrected two factual errors in ADR-0036 that an e2e review caught — the original draft wrongly cited context-budget.cjs (a read-only reporter that never reads memory/ or learnings/) as the memory-bounding backstop. Hard guardrails held: no vector store, no embeddings, zero runtime dependencies.


Install: npx pan-wizard@latest · npm · Docs in README