Skip to content

v1.7.0: harness reach (MCP tools + integrate), web hardening, cost credibility, CLI errors#70

Merged
xmpuspus merged 12 commits into
mainfrom
feat/v1.7.0-audit-enhancements
Jul 8, 2026
Merged

v1.7.0: harness reach (MCP tools + integrate), web hardening, cost credibility, CLI errors#70
xmpuspus merged 12 commits into
mainfrom
feat/v1.7.0-audit-enhancements

Conversation

@xmpuspus

@xmpuspus xmpuspus commented Jul 8, 2026

Copy link
Copy Markdown
Owner

What

Implements the full July 2026 product audit fix list plus the harness-reach extension, in two waves of isolated-worktree work on top of the v1.6.1 hotfix.

Harness reach (the differentiators now reach every coding agent)

  • review, compliance/oscal, plan are now MCP tools. 13 of 14 popular coding agents are MCP clients (Claude Code, Cursor, Cline, Windsurf, Copilot, Zed, Codex CLI, Junie, Kiro, Antigravity), so one server puts cloudwright's design-time checks in all their agent loops. MCP surface: 22 tools / 9 groups (was 18/6).
  • cloudwright integrate generates the exact MCP config per client (mcpServers / VS Code servers / Zed context_servers / Codex TOML), a CLI-pipe path for Aider (not an MCP client), and an AGENTS.md/CLAUDE.md/GEMINI.md rules block that gates infra through cloudwright. Grounded in sourced research (docs/integrations.md).
  • Web canvas gains a Review tab and OSCAL download.

Audit fixes

  • Web hardening: diagram render off the event loop (asyncio.to_thread), 1 MB body + component-count caps, rate-limiter bucket eviction, container auth guard (CLOUDWRIGHT_REQUIRE_AUTH), configure_logging() on all launch paths.
  • Cost credibility: prices_as_of (catalog vintage) split from estimated_on, per-alternative confidence in compare, real regional price rows when present (else medium-confidence multiplier), a catalog-backed ratio. docs/provider-coverage.md states coverage plainly.
  • CLI: clean errors instead of Pydantic tracebacks, JSON error envelope in --json mode.
  • Ops: CI pip-audit gate + check_version_sync.py gate, RELEASING.md, SECURITY.md, spec schema_version.

Verification

  • CI-parity suites: core 1390, cli 137, web 144, mcp 35 (1706 passed, +132 over baseline). Lint + format clean.
  • Fresh-context adversarial review: SHIP verdict, all 7 integration areas cleared. Two flagged doc/docstring drifts fixed in this PR.
  • Visual QA: Review tab renders, /api/review returns an offline critique with no key.
  • Built on the merged v1.6.1 hotfix.

Reviewed by Xavier Puspus

xmpuspus added 12 commits July 8, 2026 06:23
…r (v1.6.1)

The per-call telemetry log passed structlog-style kwargs (model=, tokens=, ...)
to the stdlib logger returned by get_logger(). Under the CLI, which enables root
INFO via configure_logging(), this raised
  TypeError: Logger._log() got an unexpected keyword argument 'model'
right after the model responded and tokens were billed, so every live
`cloudwright design`/`modify` produced a traceback and no spec.

Latent since v1.1.0: pytest leaves the root logger at WARNING, so info() short-
circuits and the line never emitted or crashed under tests. Switch both the
Anthropic and OpenAI providers to %-style stdlib formatting. Side effect: LLM
telemetry (model, latency, tokens, cache hits) now actually emits.

Regression: test_llm_telemetry_logging.py runs both providers under
configure_logging() and asserts no crash.
…viction, container auth guard, logging on launch
…r-alternative + ratio confidence, coverage doc
@xmpuspus xmpuspus merged commit 46740a0 into main Jul 8, 2026
7 checks passed
@xmpuspus xmpuspus deleted the feat/v1.7.0-audit-enhancements branch July 8, 2026 15:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant