claudemd-cli 0.23.6 → 0.23.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +31 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,37 @@ All notable changes to the `claudemd` plugin. This changelog tracks plugin artif
|
|
|
8
8
|
- **Canonical spec version source**: `spec/CLAUDE.md` top-line title (`# AI-CODING-SPEC vX.Y.Z — Core`) + `spec/CLAUDE-changelog.md` top `##` entry.
|
|
9
9
|
- **Plugin semver vs spec semver** are independent: plugin patch (0.2.0 → 0.2.1) may ship when spec is unchanged (this release); plugin minor (0.1.9 → 0.2.0) ships when spec minor updates (v0.2.0 shipped spec v6.10.0).
|
|
10
10
|
|
|
11
|
+
## [0.23.8] - 2026-06-03
|
|
12
|
+
|
|
13
|
+
**Patch — audit-remediation batch from the 2026-06-03 maturity audit + adversarial verification.** New self-vs-external deny telemetry, a mechanized spec-headroom gate, and a macOS bash-3.2 static CI gate. Spec version v6.14.1 unchanged (the OPERATOR.md + Sizing-line edits below are human-only handbook / metadata, not Agent-ruleset changes).
|
|
14
|
+
|
|
15
|
+
### Added
|
|
16
|
+
|
|
17
|
+
- `scripts/lib/rule-hits-parse.js` + `scripts/audit.js`: `denyByProjectClass` — per-hook **blocking-deny** split into `self` (the plugin dogfooding itself; project path ends in `-claudemd`) / `external` (real downstream repos) / `unknown`. Raw deny counts overstated enforcement value when claudemd's own repo dominates traffic (live: banned-vocab 198 deny = 194 self / 1 external; ship-baseline 59 = 8 self / 37 external). Scoped to the deny family (`deny` / `deny-repeat` / `deny-prose`; excludes the non-blocking `deny-prose-dry-run`) so escalation variants are not dropped. `/claudemd-audit` renders the split, leading with `external` as the real-enforcement number.
|
|
18
|
+
- `scripts/spec-coherence-audit.js`: `sizing-headroom` check — mechanizes the §0.1 HARD char caps. `actual > cap` → HIGH (fails `--strict`); `cap·0.97 < actual ≤ cap` → LOW advisory. Surfaces the core-at-98.2% headroom state on every run instead of relying on the manual Sizing-line ritual.
|
|
19
|
+
- `.github/workflows/ci.yml`: static gate rejecting bash-4+ constructs (`declare`/`local`/`typeset -…A`, `mapfile`, `readarray`, array/pattern case-mod) in `hooks/*.sh`. Backstops the v0.23.6 `declare -A` regression class that Linux CI (bash 5) and the gnubin-shimmed macOS leg both missed. Whitespace/flag-tolerant; strips comments per-line so fix-note prose does not trip it.
|
|
20
|
+
|
|
21
|
+
### Fixed
|
|
22
|
+
|
|
23
|
+
- `tests/hooks/memory-coverage-scan.test.sh`: `unset MEMORY_COVERAGE_SCAN` at entry. The suite inherits the operator's `settings.json` env; with a local dogfood opt-in set, Case 6 ("opt-in OFF → silent") inherited `=1` and fired the advisory. Same hermeticity precedent as the `banned-vocab` / `transcript-structure-scan` tests.
|
|
24
|
+
|
|
25
|
+
### Spec files (v6.14.1 unchanged)
|
|
26
|
+
|
|
27
|
+
- `spec/OPERATOR.md` §13.1: added a patch-release batching note (the maintenance-treadmill finding — 117 release commits over 43 days, 41% corrective). Human-only handbook, not Agent-loaded.
|
|
28
|
+
- `spec/CLAUDE-extended.md`: Sizing line reconciled for the OPERATOR.md byte change (6405 → 7018; extended stays within ±20B).
|
|
29
|
+
|
|
30
|
+
### Verification
|
|
31
|
+
|
|
32
|
+
Full suite green on Linux. Adversarial multi-agent verification (4 reviewers) caught and fixed pre-ship: the deny-family undercount (ship-baseline external 33 → 37), a `classifyProject` trailing-substring vs segment-anchor defect, CI-gate false-negatives on tab / flag-reorder / array-case-mod, and a missing `/claudemd-audit` render directive for the new field.
|
|
33
|
+
|
|
34
|
+
## [0.23.7] - 2026-06-03
|
|
35
|
+
|
|
36
|
+
**Patch — hotfix: restore §8 enforcement on macOS (bash 3.2 regression from v0.23.6).** v0.23.6's deny-telemetry-attribution used `declare -A` (associative array), a bash 4+ feature. macOS ships **bash 3.2**, where it errors out — and the error aborted the deny path *before* `hook_deny`, so `rm -rf $VAR` / unpinned `npx` were **not denied on macOS** (Linux CI passed on bash 5, masking it; macOS CI caught `FAIL [deny]: rm -rf $WORK_DIR … declare: -A: invalid option`). v0.23.6 was published ~minutes before this hotfix; macOS users should skip it.
|
|
37
|
+
|
|
38
|
+
### Fixed
|
|
39
|
+
|
|
40
|
+
- `hooks/pre-bash-safety-check.sh`: replaced the associative-array deny-record loop with indexed arrays + plain string accumulators + a small helper (three fixed buckets: `§8-rm-rf-var` / `§8-npx` / `§8`). bash 3.2-compatible; granular deny attribution preserved; `hook_deny` now fires regardless of telemetry outcome. Verified: shellcheck clean, no `declare -A` remains in `hooks/` (mirrors the existing `mem-audit.sh` bash-3.2 note), full suite + 115/115 corpus on Linux; macOS CI is the portability gate.
|
|
41
|
+
|
|
11
42
|
## [0.23.6] - 2026-06-03
|
|
12
43
|
|
|
13
44
|
**Patch — doctor false-alarm fixes + safety-hook deny telemetry attribution (no enforcement change).** Five fixes from a spec/global-prompt audit (`docs/spec-audit-v6.14.1-2026-06-03.md`), adversarially reviewed by 5 fresh-context agents before ship. Spec unchanged at v6.14.1 (two doc errata only). **No §8 enforcement behavior changed** — `pre-bash-safety-check.sh` still denies the identical command set (113→115 corpus tests); only the rule-hits *record* section moved.
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "claudemd-cli",
|
|
3
|
-
"version": "0.23.
|
|
3
|
+
"version": "0.23.8",
|
|
4
4
|
"description": "Standalone CLI for §10-V banned-vocab + transcript scanning. Companion to the claudemd Claude Code plugin (github.com/sdsrss/claudemd) for use in git pre-commit hooks, GitHub Actions, and other agents.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|