@massu/core 1.6.0 → 1.6.1

package/dist/hooks/session-start.js

@@ -8690,25 +8690,20 @@ init_parse_guard();
 import { Parser as Parser6 } from "web-tree-sitter";
 init_parse_guard();
 
-// ../adapter-go-chi/dist/index.js
-import { Parser as Parser8 } from "web-tree-sitter";
+// src/detect/adapters/go-chi.ts
+import { goChiAdapter } from "@massu/adapter-go-chi";
 
-// dist/adapter.js
-import { Query as Query2 } from "web-tree-sitter";
-import { Language as Language2, Parser as Parser7 } from "web-tree-sitter";
-var MAX_AST_FILE_BYTES2 = 1 * 1024 * 1024;
+// src/detect/adapters/rails.ts
+import { railsAdapter } from "@massu/adapter-rails";
 
-// ../adapter-rails/dist/index.js
-import { Parser as Parser9 } from "web-tree-sitter";
+// src/detect/adapters/phoenix.ts
+import { phoenixAdapter } from "@massu/adapter-phoenix";
 
-// ../adapter-phoenix/dist/index.js
-import { Parser as Parser10 } from "web-tree-sitter";
+// src/detect/adapters/aspnet.ts
+import { aspnetAdapter } from "@massu/adapter-aspnet";
 
-// ../adapter-aspnet/dist/index.js
-import { Parser as Parser11 } from "web-tree-sitter";
-
-// ../adapter-spring/dist/index.js
-import { Parser as Parser12 } from "web-tree-sitter";
+// src/detect/adapters/spring.ts
+import { springAdapter } from "@massu/adapter-spring";
 
 // src/detect/codebase-introspector.ts
 function introspect(detection, projectRoot) {

package/docs/AUTHORING-ADAPTERS.md

@@ -200,6 +200,47 @@ adapter authors to opt-in to the new shape.
 Additive changes (new optional fields on result types, new
 TreeSitterLanguage enum entries) are minor-version compatible.
 
+## Manifest sha256 round-trip — what to do when CI fails
+
+> Plan 3c Phase 9b P-D-004 runbook excerpt.
+
+The `tarball-e2e` CI job runs `adapter-manifest-roundtrip.test.ts` against the
+live registry manifest at `https://registry.massu.ai/adapters/manifest.json`.
+The test rebuilds every workspace adapter's `dist/`, computes the sha256, and
+asserts it matches the manifest's `sha256` entry for that `{package, version}`
+pair.
+
+**If the round-trip fails after a workspace adapter source edit**, the
+manifest must be re-signed BEFORE merge. The flow:
+
+1. **Verify your edit is intentional.** Run `npm run build` from the repo
+   root and inspect `git diff packages/adapter-<f>/dist/`. If the diff is
+   non-trivial, the source change is real and needs a manifest re-sign.
+2. **Bump the adapter version** in `packages/adapter-<f>/package.json` (e.g.
+   `1.0.0` → `1.0.1` for a bugfix; `1.1.0` for an additive feature). Manifest
+   entries are versioned, so re-signing without a version bump would break
+   reproducibility for users on the prior version.
+3. **Compute the new sha256** via `node packages/core/scripts/compute-adapter-shasums.mjs`
+   (or equivalent) — this writes to `~/.massu/build-shasums.json`.
+4. **Re-sign the manifest.** Run `bash scripts/provision/registry-publish.sh
+   path/to/manifest-body.json` — reads the Ed25519 private key from macOS
+   Keychain (`massu/registry/signing/private`), produces an envelope, deploys
+   to Vercel.
+5. **Re-run the round-trip test locally**: `MASSU_MANIFEST_ROUNDTRIP=1 npm test
+   -- adapter-manifest-roundtrip` — should now PASS.
+6. **Commit + open PR**. The CI gate will re-verify against the freshly-deployed
+   manifest.
+
+If CI fails on a transient registry outage (5xx, DNS, CDN cache miss), the
+test SKIPs cleanly with a console.warn — does NOT fail the job. Re-run the
+job to recover.
+
+**Non-monorepo adapter authors** (third-party packages NOT under `packages/adapter-*`):
+the round-trip test SKIPs your package automatically (workspace dir absent in
+the monorepo). Your install-time verification chain runs against the registry
+sha256 directly via `discover.ts:295-360` — that path catches the same drift
+class without requiring the test.
+
 ## See also
 
 - [`SECURITY.md`](./SECURITY.md) — signing model, key rotation, supply-chain risks

package/docs/SECURITY.md

@@ -240,6 +240,45 @@ per the canonical plan). The maintainer will:
 5. Add the affected adapter to the manifest's `unpublished: true` list
    if applicable, so all consumers refuse to load on next refresh.
 
+## Migration: 1.5.x → 1.6.0 (workspace adapter publish)
+
+> Plan 3c Phase 9b shipped 2026-05-09. See root `CHANGELOG.md` `[1.6.0]`.
+
+`1.6.0` is **additive** — end-users on `1.5.x` are unaffected. No
+breaking changes. No config migration. The 5 first-party AST adapters
+(`rails`, `phoenix`, `aspnet`, `spring`, `go-chi`) continue to ship
+CORE-BUNDLED in `@massu/core` itself; zero-config detection still works
+out of the box.
+
+What's new for users who want REGISTRY-VERIFIED trust:
+
+```bash
+npm install @massu/core@^1.6.0 @massu/adapter-rails@^1.0.0
+```
+
+After install, `npx massu adapters list` will show TWO entries for
+`rails`:
+
+- `rails` — CORE-BUNDLED (from `@massu/core`'s bundled `dist/detect/adapters/rails.js`).
+- `@massu/adapter-rails` — REGISTRY-VERIFIED (from `node_modules/@massu/adapter-rails/dist/`,
+  sha256-cross-checked against the signed manifest at
+  `https://registry.massu.ai/adapters/manifest.json`).
+
+The two co-exist. Discovery prefers REGISTRY-VERIFIED when present
+(the standalone package opts the user into the more-verified path);
+CORE-BUNDLED remains the fallback. There is no "elevation" — they are
+two distinct trust-class entries.
+
+### peerDependency note
+
+`@massu/adapter-*@1.0.0` declares `peerDependencies: { "@massu/core": "^1.6.0" }`.
+Users pinning `@massu/core@1.5.x` who install a standalone adapter will
+see an npm peerDep warning (non-fatal). For cleanest UX, upgrade
+`@massu/core` to `^1.6.0` before installing standalone adapters. The
+adapter source is binary-identical between CORE-BUNDLED and
+REGISTRY-VERIFIED — the warning is informational, not a runtime
+incompatibility.
+
 ## See also
 
 - [`AUTHORING-ADAPTERS.md`](./AUTHORING-ADAPTERS.md) — how to write a

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@massu/core",
-  "version": "1.6.0",
+  "version": "1.6.1",
   "type": "module",
   "description": "AI Engineering Governance MCP Server - Session memory, knowledge system, feature registry, code intelligence, rule enforcement, tiered tooling (12 free / 72 total), 55+ workflow commands, 11 agents, 20+ patterns",
   "main": "src/server.ts",
@@ -22,8 +22,8 @@
     "build:adapter-types": "tsc -p tsconfig.adapter-types.json",
     "build:adapter-subpath": "tsx scripts/bundle-adapters.ts --subpath-only",
     "build:bundle-adapters": "tsx scripts/bundle-adapters.ts",
-    "build:cli": "esbuild --bundle --platform=node --format=esm --outfile=dist/cli.js src/cli.ts --external:better-sqlite3 --external:yaml --external:zod --external:chokidar --external:proper-lockfile --external:fsevents --external:web-tree-sitter --external:tweetnacl --external:tar --external:smol-toml --external:vscode-languageserver-protocol --banner:js='#!/usr/bin/env node\nimport{createRequire as __cr}from\"module\";const require=__cr(import.meta.url);'",
-    "build:hooks": "esbuild --bundle --platform=node --format=esm --outdir=dist/hooks src/hooks/*.ts --external:better-sqlite3 --external:yaml --external:zod --external:chokidar --external:proper-lockfile --external:fsevents --external:web-tree-sitter --external:tweetnacl --external:tar --external:smol-toml --external:vscode-languageserver-protocol --banner:js='import{createRequire as __cr}from\"module\";const require=__cr(import.meta.url);'",
+    "build:cli": "esbuild --bundle --platform=node --format=esm --outfile=dist/cli.js src/cli.ts --external:better-sqlite3 --external:yaml --external:zod --external:chokidar --external:proper-lockfile --external:fsevents --external:web-tree-sitter --external:tweetnacl --external:tar --external:smol-toml --external:vscode-languageserver-protocol --external:@massu/adapter-rails --external:@massu/adapter-phoenix --external:@massu/adapter-aspnet --external:@massu/adapter-spring --external:@massu/adapter-go-chi --banner:js='#!/usr/bin/env node\nimport{createRequire as __cr}from\"module\";const require=__cr(import.meta.url);'",
+    "build:hooks": "esbuild --bundle --platform=node --format=esm --outdir=dist/hooks src/hooks/*.ts --external:better-sqlite3 --external:yaml --external:zod --external:chokidar --external:proper-lockfile --external:fsevents --external:web-tree-sitter --external:tweetnacl --external:tar --external:smol-toml --external:vscode-languageserver-protocol --external:@massu/adapter-rails --external:@massu/adapter-phoenix --external:@massu/adapter-aspnet --external:@massu/adapter-spring --external:@massu/adapter-go-chi --banner:js='import{createRequire as __cr}from\"module\";const require=__cr(import.meta.url);'",
     "prepublishOnly": "bash ../../scripts/prepublish-check.sh && node ../../scripts/bundle-pubkey.mjs && npm run build",
     "bench:watch": "tsx test/perf/watch-benchmark.ts"
   },

package/src/security/registry-pubkey.generated.ts

@@ -1,4 +1,4 @@
-// AUTO-GENERATED by scripts/bundle-pubkey.mjs at 2026-05-09T23:01:13.664Z.
+// AUTO-GENERATED by scripts/bundle-pubkey.mjs at 2026-05-10T21:58:17.622Z.
 // Source pem: packages/core/security/registry-pubkey.pem
 // RAW-bytes sha256: 3b6226d036c472e533110d11a7d0cd2773ce1d7d4f1003517d5bd69c5418ed4c
 // DO NOT EDIT — regenerate via `node scripts/bundle-pubkey.mjs` or