@blamejs/core 0.11.44 → 0.12.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
package/CHANGELOG.md
CHANGED
|
@@ -6,8 +6,14 @@ Pre-1.0 the surface is intentionally evolving — every release may
|
|
|
6
6
|
change something operators depend on. Read each entry before
|
|
7
7
|
upgrading across more than a few patches at a time.
|
|
8
8
|
|
|
9
|
+
## v0.12.x
|
|
10
|
+
|
|
11
|
+
- v0.12.0 (2026-05-22) — **`scripts/release.js` — orchestrated release flow with idempotent subcommands.** A single script automates the framework's release-flow mechanics. Eight subcommands run in sequence (`prepare` → `smoke` → `commit` → `push` → `watch` → `merge` → `tag` → `publish`), each idempotent so an operator can stop and resume at any phase. The script reads `release-notes/v<next>.json` to drive the commit body + PR body so the same operator-facing content lands in CHANGELOG + commit + PR. The judgment-requiring parts (writing release-notes content, reviewing Codex P1/P2 findings, choosing minor vs patch) stay manual — the script flags + stops on those, never silently chooses for the operator. Minor bump because this is an additive operator-facing surface (a new top-level script + workflow). **Added:** *`node scripts/release.js prepare [--minor]`* — Bumps `package.json` (patch by default, `--minor` for a minor bump), regenerates `CHANGELOG.md` from `release-notes/v<next>.json`, refreshes `api-snapshot.json`, runs `eslint` + `codebase-patterns` + `validate-source-comment-blocks` + `check-api-snapshot` + `check-changelog-extract`. Refuses if the release-notes JSON is missing — prints a stub template to stdout so the operator fills in headline + summary + sections before re-running. · *`node scripts/release.js smoke`* — Runs `SMOKE_PARALLEL=64 node test/smoke.js`. Auto-detects wiki changes via `git diff --name-only` and runs the wiki e2e suite when `examples/wiki/**` was touched; skips otherwise. · *`node scripts/release.js commit`* — Creates the `release/v<next>` branch, composes the commit body from the release-notes JSON (headline + summary + sections summarised as bullets), and creates a signed commit. Verifies the signature shows `G` (Good + trusted); refuses with a pointer to the SSH-signing setup section of the deploy docs when it shows `U` (Untrusted) or `N` (Unsigned). · *`node scripts/release.js push`* — Runs gitleaks against the whole git history. Pushes the release branch. Opens the PR with title `<version> — <headline>` and a body that includes the release-notes summary + a Test plan checklist. Mounts the working directory via the platform-appropriate Docker bind path (handles Windows Git Bash's `/$(pwd)` quirk). · *`node scripts/release.js watch`* — Runs `gh pr checks --watch` then enumerates open review threads via GraphQL. When any Codex (or human) thread is unresolved, prints the per-thread author + first line + exits non-zero so the operator addresses them in a new commit + re-runs watch. When all threads are resolved + CI is clean, the next step (`merge`) becomes the obvious continuation. · *`node scripts/release.js merge`* — Refuses unless the PR is `mergeStateStatus=CLEAN` + `mergeable=MERGEABLE` + zero unresolved review threads. Squash-merges + deletes the release branch. Pulls main. · *`node scripts/release.js tag`* — Creates the signed annotated tag `v<version>` + pushes it. Verifies the tag signature reports `Good`. Refuses if the tag already exists locally. · *`node scripts/release.js publish`* — Watches the npm-publish + release-container workflows triggered by the tag push. Cross-checks `npm view @blamejs/core version` against the expected version; warns if they don't match (workflow may still be in flight or have failed). · *`node scripts/release.js all [--minor]`* — Runs all eight subcommands in sequence. Pauses on the watch phase if any review thread is unresolved (operator addresses + re-runs `all` from `watch` onward). · *`node scripts/release.js status` + `help`* — `status` reports the current branch, working-tree cleanliness, package version, presence of `release-notes/v<version>.json`, and any open PR for the current release branch. `help` prints the subcommand banner. Both are read-only — safe to run anytime. **Changed:** *Minor bump (additive surface)* — First minor bump since v0.11.0. The release script is a new top-level operator surface — additive, no existing API breaks. Operators following the previous multi-step release flow keep working unchanged; the script is opt-in.
|
|
12
|
+
|
|
9
13
|
## v0.11.x
|
|
10
14
|
|
|
15
|
+
- v0.11.45 (2026-05-22) — **Wiki compose pins track framework version.** The dev and prod compose pins for `ghcr.io/blamejs/blamejs-wiki` move from the legacy `0.3.x` wiki-only versioning (`0.3.24` prod, `0.3.8` dev) to the framework version (`0.11.45`). The wiki container's build tag has matched the framework version since the v0.11.44 release-container workflow fix; the compose pins now follow suit so a fresh clone + `docker compose up` works against the most recent published image without manual edits. **Changed:** *`examples/wiki/docker-compose.prod.yml` pin: `0.3.24` → `0.11.45`* — The prod compose now pulls `ghcr.io/blamejs/blamejs-wiki:0.11.45`. Operators deploying to a host running an older pin keep working unchanged — their `.env` / image override takes precedence. To upgrade, the operator runs `docker compose -f docker-compose.yml -f docker-compose.prod.yml pull && docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d` on the host. · *`examples/wiki/docker-compose.yml` pin: `0.3.8` → `0.11.45`* — The dev compose (local-build path) also tracks the framework version. Aligns the locally-built dev image tag with the published image tag so the two paths don't drift over time.
|
|
16
|
+
|
|
11
17
|
- v0.11.44 (2026-05-22) — **Fix wiki container build — release-container smoke step still hit port 8080.** The v0.11.40 wiki port swap (8080 → 3008) missed `.github/workflows/release-container.yml`'s post-publish smoke step. The smoke ran `docker run -p 8080:8080` + curled `localhost:8080/healthz`, but the v0.11.40+ wiki container listens on 3008 — so the smoke failed and the wiki container was NOT pushed to GHCR for v0.11.40, v0.11.42, or v0.11.43. The npm package was unaffected (publish completes on a different job). Operators pulling `ghcr.io/blamejs/blamejs-wiki:latest` were getting the v0.11.39 build until this fix. This release fixes the workflow + adds a codebase-patterns detector that gates the Dockerfile's `WIKI_PORT` against the workflow's port map + curl host so the same silent-deploy failure can't recur. **Fixed:** *release-container.yml smoke step uses port 3008* — Three locations updated: comment header references port 3008; `-p 3008:3008` host port mapping; `curl http://localhost:3008/healthz` health check. Tagging v0.11.44 triggers a fresh container build + push that lands the v0.11.40 / v0.11.42 / v0.11.43 changes (port 3008 default, JSCalendar Group, BYSETPOS, multi-rule recurrence union, JMAP EmailSubmission/set, wiki nav alphabetical) in GHCR for the first time. **Detectors:** *Wiki-port cross-artifact agreement gate* — `testWikiPortAgreesAcrossArtifacts` reads `WIKI_PORT=<n>` from `examples/wiki/Dockerfile` and asserts every `docker run -p X:X` mapping + every `curl http://localhost:X/healthz` reference in `.github/workflows/release-container.yml` matches. Smoke-tested by introducing a deliberate mismatch — detector fires with file:line + the conflicting values. Prevents the v0.11.40 silent-deploy failure class from recurring on any future port change.
|
|
12
18
|
|
|
13
19
|
- v0.11.43 (2026-05-22) — **Wiki nav: alphabetical sidebar + dedup drifted category labels.** The wiki sidebar now lists categories alphabetically (case-insensitive) instead of in editorial order. Welcome remains pinned first (landing page); Other and Reference remain pinned last (catch-all groups). Three category-label dups are also consolidated at the source comment-blocks: `Agent Protocols` (one entry — `a2a-tasks`) joins `Agent` with the rest of the agent substrate; `Networking` (two entries — `stream-throttle`, `web-push-vapid`) joins `Network`; `Audit & Compliance` (one entry — `nist-crosswalk`) joins `Compliance`. New `@nav` categories now land in their alphabetical slot automatically without a site.config edit. **Changed:** *Wiki sidebar group order alphabetical* — Replaces the curated `GROUP_ORDER` editorial list in `examples/wiki/site.config.js` with an alphabetical sort. Pinning preserved: `Welcome` always first; `Other` and `Reference` always last. Adding a new `@nav` category to any `lib/*.js` `@module` block now slots into its alphabetical position automatically — no separate site.config update required. · *Category consolidation: Agent Protocols → Agent* — `a2a-tasks` was the sole entry under `Agent Protocols`. Moved to `Agent` to live alongside the orchestrator / saga / idempotency / event-bus / posture-chain / stream / trace / tenant / snapshot / fsm primitives — the W3C A2A task surface is part of the same agent-substrate concern. · *Category consolidation: Networking → Network* — `stream-throttle` and `web-push-vapid` were tagged `Networking` while every other network-layer primitive used `Network`. Drift cleanup — both now live under `Network`. · *Category consolidation: Audit & Compliance → Compliance* — `nist-crosswalk` was the sole entry under `Audit & Compliance`. Moved to `Compliance` alongside the other regulatory primitives. **Detectors:** *Nav-category allowlist gate* — `testNavCategoryAllowlist` in the codebase-patterns runner walks every `lib/*.js` `@module` block and refuses any `@nav` value not in the canonical category list. Adding a new sidebar category is a deliberate edit — it lands in `NAV_ALLOWLIST` + the operator-facing `FIRST_GROUPS` / `LAST_GROUPS` pin list in `examples/wiki/site.config.js` at the same time. Prevents the Networking-vs-Network and Agent-vs-Agent-Protocols dup classes from re-emerging silently.
|
package/package.json
CHANGED
package/sbom.cdx.json
CHANGED
|
@@ -2,10 +2,10 @@
|
|
|
2
2
|
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
|
|
3
3
|
"bomFormat": "CycloneDX",
|
|
4
4
|
"specVersion": "1.5",
|
|
5
|
-
"serialNumber": "urn:uuid:
|
|
5
|
+
"serialNumber": "urn:uuid:8c4e3f98-d5b0-4b97-a108-7ea2093527b5",
|
|
6
6
|
"version": 1,
|
|
7
7
|
"metadata": {
|
|
8
|
-
"timestamp": "2026-05-
|
|
8
|
+
"timestamp": "2026-05-22T16:44:43.720Z",
|
|
9
9
|
"lifecycles": [
|
|
10
10
|
{
|
|
11
11
|
"phase": "build"
|
|
@@ -19,14 +19,14 @@
|
|
|
19
19
|
}
|
|
20
20
|
],
|
|
21
21
|
"component": {
|
|
22
|
-
"bom-ref": "@blamejs/core@0.
|
|
22
|
+
"bom-ref": "@blamejs/core@0.12.0",
|
|
23
23
|
"type": "application",
|
|
24
24
|
"name": "blamejs",
|
|
25
|
-
"version": "0.
|
|
25
|
+
"version": "0.12.0",
|
|
26
26
|
"scope": "required",
|
|
27
27
|
"author": "blamejs contributors",
|
|
28
28
|
"description": "The Node framework that owns its stack.",
|
|
29
|
-
"purl": "pkg:npm/%40blamejs/core@0.
|
|
29
|
+
"purl": "pkg:npm/%40blamejs/core@0.12.0",
|
|
30
30
|
"properties": [],
|
|
31
31
|
"externalReferences": [
|
|
32
32
|
{
|
|
@@ -54,7 +54,7 @@
|
|
|
54
54
|
"components": [],
|
|
55
55
|
"dependencies": [
|
|
56
56
|
{
|
|
57
|
-
"ref": "@blamejs/core@0.
|
|
57
|
+
"ref": "@blamejs/core@0.12.0",
|
|
58
58
|
"dependsOn": []
|
|
59
59
|
}
|
|
60
60
|
]
|