Skip to content

v2.1.0

Latest

Choose a tag to compare

@github-actions github-actions released this 03 Jul 11:34

v2.1.0 — 2026-07-03

pm-ai-shipping

  • /security-audit-static findings now carry a mandatory Evidence line (file:line + verbatim snippet), and every citation is re-verified against the file before the final report ships.
  • Subagent fan-out has a concrete trigger (scope over ~30 files / ~5,000 lines) and a structured candidate-record contract, so parallel audit slices merge cleanly into one self-refute pass.
  • /performance-audit-static now hunts N+1 queries and request waterfalls — the most common perf failure in AI-generated code — alongside over-fetching, indexes, and caching, and gained a refute-before-reporting pass (dynamic field access, existing indexes, hot-path evidence).
  • Both audit commands pre-approve a read-only toolset (allowed-tools): read, search, fan out, and write under reports/ — never edit the code under audit.
  • The audited repo is treated as untrusted input across the kit: instructions embedded in code, comments, or docs are data to analyze — a steering attempt is itself a finding — never directives to follow.
  • /ship-check runs the security and performance audits as parallel subagents once the docs exist.
  • Security reports gained severity anchors (what Critical/High/Medium/Low mean) and a consolidation rule (more than ~12 findings → lead with the worst, group the tail by root cause).
  • Docs and reports now use repo-relative paths (documentation/, reports/) — the old absolute forms (/documentation) could resolve to the filesystem root — and reports are always written, with the path announced, instead of "optionally".

Repo

  • Added this CHANGELOG.md as the release source of truth with auto-tag-and-release on merge (adapted from claude-usage): pushing a new ## vX.Y.Z heading to main tags that version and publishes a GitHub Release with the section as notes — gated on the test suite and a version-sync check.
  • Added a test suite (tests/) and a Tests workflow (every PR and push to main): plugin-spec validation plus docs consistency — README skill/command counts vs. disk, marketplace plugin list vs. directories, version sync across all manifests, CHANGELOG format.
  • CONTRIBUTING now documents the changelog convention (every user-facing change gets a bullet; contributors credited inline) and the release procedure.
  • Docs since v2.0.0: native Codex CLI install path; companion badges (burnstop, claude-usage).