npm - @delegance/claude-autopilot - Versions diffs - 7.4.0 → 7.4.2 - Mend

@delegance/claude-autopilot 7.4.0 → 7.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md +93 -0
package/package.json +1 -1
package/skills/autopilot/SKILL.md +52 -0

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,99 @@
 - v5.6 Phase 7 (docs reconciliation) — pending.
+## 7.4.2 (2026-05-11)
+**v7.4.2 — risk-tiered codex pass policy in autopilot skill.**
+Docs-only PR. Codifies finding N2 from the v7.4.1 codex strategic
+review into `skills/autopilot/SKILL.md`.
+**New policy table** in the skill:
+| Spec risk | # of codex passes |
+|---|---|
+| **Low** (CLI UX, doc-only, scaffolding, CI tweaks) | 1 |
+| **Medium** (new exec modes, auth, billing, data-access, env vars, API contracts) | 2 |
+| **High** (sandboxing, multi-tenancy, auto-merge, repo-mutation, secrets, RPC/SECURITY DEFINER) | 3 + external review |
+**Convention:** spec docs declare `risk: low | medium | high` in
+frontmatter. Omitted defaults to **medium** (safer than defaulting
+to low).
+**v7.x examples** included in the skill text:
+* v7.1.7 (low) — 1 pass, 0 CRITICALs in practice.
+* v7.4.0 (low) — 1 pass, 2 CRITICALs caught pre-impl.
+* v7.0 Phase 6 (high) — 3 passes, would have shipped credential-
+  exfiltration vector C3 without all three.
+* v8.0 spec (high) — 2 passes done, needs 3rd before v8 alpha.
+No code change. Bumping to 7.4.2.
+## 7.4.1 (2026-05-11)
+**v7.4.1 — strategic pivot doc from codex 5.5 review.** Docs-only
+PR. Records the decision to pause v8 daemon implementation pending
+customer discovery, plus 8 other findings from the codex strategic
+review of full project state on 2026-05-11.
+**Key outcome:** "ship v8 daemon" is NOT the next milestone. The CLI
+chat-session loop is the validated asset; v8 is unvalidated. New
+priority order: (1) customer discovery sprint, (2) hosted beta
+readiness slice (operational), (3) org-tier revocation completion,
+(4) risk-tiered codex pass policy in the autopilot skill.
+**Process changes adopted:**
+* **Risk-tiered codex passes** (1 for low-risk CLI UX, 2 for new
+  exec/auth/billing/data-access modes, 3 for sandboxing /
+  multi-tenancy / repo-mutation).
+* **Strategic codex review every ~10 PRs** (separate from per-spec
+  passes — catches "ship more without validating demand" trap).
+* **Bounded benchmark suite gate** (4 repo shapes only, run
+  pre-release + after major workflow changes — already in v8 spec).
+**v8 IF customer discovery validates demand:** local-only alpha
+first (per W5 of codex review). NO hosted workers, NO billing, NO
+auto-merge until alpha demand is proven.
+Full doc at `docs/strategy/2026-05-11-codex-pivot.md`.
+## 7.4.0 (2026-05-11)
+**v7.4.0 — scaffold per-stack support (Python + FastAPI).** Closes
+the v7.1.6/v7.1.8 benchmark caveat ("n=1, Node 22 ESM only —
+Python/Rust/Go remain v8 follow-ups") and gates v8 spec
+stabilization criteria #2 (4-repo benchmark suite).
+* **Stack detection precedence** (codex C1): explicit `--stack` >
+  FastAPI > Python > Node > detected-but-unsupported > Node fallback.
+  FastAPI checked BEFORE Python so FastAPI specs that include
+  `pyproject.toml` aren't mis-classified.
+* **FastAPI scaffold completeness** (codex C2): generates a runnable
+  `src/<package>/main.py` with `app = FastAPI()`, `/health` route,
+  `run()` function, plus `tests/test_main.py` (otherwise the
+  `[project.scripts]` entry was dangling).
+* **Name normalization** (codex W1): PEP 503 distribution name +
+  valid Python identifier package name. `my-pkg-2` → distribution
+  `my-pkg-2`, package `my_pkg_2`. Hatchling explicit `packages`
+  config always present.
+* **Detected-but-unsupported** (codex W2): Go/Rust/Ruby specs →
+  exit 3 with diagnostic, NOT silent fallback to Node.
+* **Polyglot guard** (codex W3): specs listing both `package.json`
+  AND `pyproject.toml` without `--stack` → exit 3.
+* **Narrow dep extraction** (codex W6): 3 patterns only, no inferred
+  versions, dedup by PEP 503 normalized name. FastAPI auto-includes
+  `fastapi>=0.110` + `uvicorn[standard]>=0.27`.
+* **Module split**: `scaffold.ts` is now the dispatcher;
+  per-stack scaffolders live under
+  `src/cli/scaffold/{node,python,types}.ts`.
+* **New flags**: `--stack <node|python|fastapi>`, `--list-stacks`.
+* **Integration test** (codex N3): scaffolds FastAPI + creates
+  isolated venv (handles PEP 668) + `pip install -e .` + import-
+  app. Skipped cleanly when `python3` unavailable.
+1563 → 1597 CLI tests; tsc clean; build clean. PR #155 spec +
+#156 impl. Version 7.3.0 → 7.4.0.
 ## 7.3.0 (2026-05-10)
 **v7.3.0 — library export surface for v8 daemon.** Minor bump

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "7.4.0",
+  "version": "7.4.2",
   "type": "module",
   "publishConfig": {
     "tag": "next"

package/skills/autopilot/SKILL.md CHANGED Viewed

@@ -25,6 +25,58 @@ The ONLY time you stop is if a step **fails and cannot be recovered**. Otherwise
 Brief status lines like `[autopilot] Step 3: Executing plan...` are fine. Full summaries, questions, or check-ins are not.
+## Codex pass policy (risk-tiered)
+> Adopted from the v7.4.1 strategic review (see
+> `docs/strategy/2026-05-11-codex-pivot.md`, codex finding N2).
+>
+> The v8 spec pass-2 finding 3 CRITICALs the original spec missed
+> (especially sandbox / credential exfiltration) was concrete evidence
+> that 1 codex pass is insufficient for security-sensitive architecture.
+> But running 3 passes on every CLI polish spec adds latency without
+> proportional value.
+**Tier the spec by risk; pass count follows.**
+| Spec risk | Triggers | # of codex passes |
+|---|---|---|
+| **Low** | CLI UX changes, doc-only PRs, scaffolding extensions, config polish, CI workflow tweaks | **1 pass** (this skill's existing pattern — codex on the committed spec) |
+| **Medium** | New execution modes, auth changes, billing flows, data-access patterns, new env vars, API contracts | **2 passes** (1 on the draft spec, 1 on the merged spec after edits) |
+| **High** | Sandboxing, multi-tenancy, auto-merge, anything that mutates user repos, new secrets-handling, RPC/SECURITY DEFINER changes | **3 passes** + external review (1 draft, 1 post-edit, 1 on the impl PR diff) |
+**How to apply.** Spec docs declare risk in their frontmatter:
+```markdown
+---
+title: <topic>
+risk: low | medium | high
+---
+```
+If the spec's `risk:` is omitted, default to **medium** (safer than
+defaulting to low; matches the v8 spec pattern where pass-1 was
+clearly insufficient).
+The brainstorming skill's per-step codex pass (approach selection,
+architecture, components, error handling, implementation prep) is
+ALWAYS run — it's how we get a draft spec good enough to merge.
+This tier policy applies to the **post-brainstorm** passes and to
+the codex PR review at Step 7 below.
+**Examples from v7.x:**
+* v7.1.7 (setup polish — CLAUDE.md scaffold + .gitignore + dedup): low.
+  1 pass on the committed spec. Caught zero CRITICALs in practice.
+* v7.4.0 (Python/FastAPI scaffold extension): low. 1 pass. Found
+  2 CRITICALs (FastAPI precedence, dangling entrypoint) — both
+  fixed pre-impl, no PR-pass surprises.
+* v7.0 Phase 6 (engine-off removal + middleware revocation): high.
+  3 passes (spec, post-edit, PR diff). Each pass surfaced new
+  trust-boundary issues; without all three the launch would have
+  shipped with the credential-exfiltration vector C3.
+* v8.0 spec (standalone daemon): high. 2 passes so far + needs a
+  3rd before any v8 alpha implementation.
 ## Pipeline
 Execute these steps in order. Do NOT pause between steps unless a step fails.