yadflow 3.7.0 → 3.7.1
- package/CHANGELOG.md +3 -7
- package/cli/ledger.mjs +9 -2
- package/package.json +1 -1
- package/skills/yad-implement/SKILL.md +2 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,13 +1,9 @@
|
|
|
1
|
-
|
|
1
|
+
## [3.7.1](https://github.com/abdelrahmannasr/yadflow/compare/v3.7.0...v3.7.1) (2026-07-04)
|
|
2
2
|
|
|
3
3
|
|
|
4
|
-
###
|
|
4
|
+
### Bug Fixes
|
|
5
5
|
|
|
6
|
-
* **
|
|
7
|
-
* **cli:** add yad checkpoint to commit machine-written back-half state ([c09089c](https://github.com/abdelrahmannasr/yadflow/commit/c09089c698884ad39fc8cf66a7e28d8d44321668))
|
|
8
|
-
* **cli:** add yad tidy up to fold finished ledger shards ([59727f3](https://github.com/abdelrahmannasr/yadflow/commit/59727f32a7b5e3274c8fd96b8b39134b3acf6705))
|
|
9
|
-
* **cli:** shard-then-fold storage for the back-half ledgers ([6182598](https://github.com/abdelrahmannasr/yadflow/commit/618259847e3dbdee5f00bce4fa2a5d64df0364a3))
|
|
10
|
-
* **cli:** wire yad checkpoint and yad tidy up into the CLI ([fe4770d](https://github.com/abdelrahmannasr/yadflow/commit/fe4770de87ebec394c3a29c78077a0baf7a924cc))
|
|
6
|
+
* **ledger:** sanitize shard-name components against path traversal ([5d85286](https://github.com/abdelrahmannasr/yadflow/commit/5d85286591cc9e6c78e449551c82d87683accba5))
|
|
11
7
|
|
|
12
8
|
# [2.2.0](https://github.com/abdelrahmannasr/yadflow/compare/v2.1.0...v2.2.0) (2026-06-14)
|
|
13
9
|
|
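Review bot: the 3.7.1 entry replaces the previous top section instead of being added above it. The four removed `**cli:**` bullets (yad checkpoint, yad tidy up, shard-then-fold storage, CLI wiring) disappear from the changelog, and the next heading left in the file is 2.2.0. Keep the earlier section and prepend 3.7.1 above it, so the history of the shard storage that this path traversal fix touches stays readable. The new `**ledger:**` bullet could also say which releases wrote shards with unsanitized names, since that is what tells a user whether they need to upgrade.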
package/cli/ledger.mjs
CHANGED
|
@@ -18,8 +18,15 @@ import { epicFiles } from './manifest.mjs';
|
|
|
18
18
|
// story ids already contain hyphens; the filename is just a unique handle (the entry inside carries
|
|
19
19
|
// the fields), so no parsing-back is needed. A trust entry needs `uid` to stay unique across re-runs
|
|
20
20
|
// of the same (story, repo, step); a ship is unique by (story, task, repo) already.
|
|
21
|
-
|
|
22
|
-
|
|
21
|
+
//
|
|
22
|
+
// Each component is sanitized to a filename-safe charset FIRST: a `/`, `..`, or other separator in an
|
|
23
|
+
// id would otherwise be a real path element under `path.join(dir, name)` + `writeJSON`, letting a
|
|
24
|
+
// malformed shard escape the shard dir (and then vanish from `readShardDir`). Anything outside
|
|
25
|
+
// [A-Za-z0-9_-] collapses to `_` (dots dropped too, so `.`/`..` can never form); an empty component
|
|
26
|
+
// becomes `_` so a segment is never blank.
|
|
27
|
+
const safe = (c) => String(c ?? '').replace(/[^A-Za-z0-9_-]/g, '_') || '_';
|
|
28
|
+
export const trustShardName = (e) => `${safe(e.story)}-${safe(e.repo)}-${safe(e.step)}-${safe(e.uid)}.json`;
|
|
29
|
+
export const buildShardName = (e) => `${safe(e.story)}-${safe(e.task)}-${safe(e.repo)}.json`;
|
|
23
30
|
|
|
24
31
|
// Read every shard object under `dir` (each file = ONE entry object). Sorted for determinism; a
|
|
25
32
|
// corrupt/non-object shard is skipped (these ledgers are advisory evidence, never fatal).
|
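Review bot: `safe` is not injective, so in `buildShardName` two different `(story, task, repo)` tuples can now resolve to the same filename: `a/b`, `a.b` and `a_b` all become `a_b`, while the comment above says a ship relies on that tuple alone for uniqueness. Consider rejecting an id that changes under sanitization, or appending a short hash of the raw components to the name, so that closing the traversal does not introduce silent shard collisions. Smaller points: the comment says dots are "dropped" while the regex replaces them with `_`, and a test covering `..`, `/`, `\` and an empty component would pin the intended behaviour.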
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "yadflow",
|
|
3
|
-
"version": "3.7.
|
|
3
|
+
"version": "3.7.1",
|
|
4
4
|
"description": "Yadflow — the gated, team, multi-repo SDLC: author → review → build with a PR-driven review gate and a zero-dependency `yad` CLI (setup, gate, commit, open-pr, ship, repo, thread, reconcile). A BMAD module + 38 yad-* skills.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"author": "AbdelRahman Nasr",
|
|
@@ -123,7 +123,8 @@ finalize a `tasks` trust entry, anchored to what the human/dev actually did with
|
|
|
123
123
|
- the task list is discarded / regenerated → `rejected`.
|
|
124
124
|
Write the entry to its own shard `epics/<epic>/.sdlc/trust-log/<story>-<repo>-tasks-<uid>.json` (a fresh
|
|
125
125
|
`uid` per run, so concurrent writers never conflict; readers union the folded `trust-log.json` + the
|
|
126
|
-
loose shards
|
|
126
|
+
loose shards, skipping any shard whose full `(story, repo, step, uid)` already appears folded — a
|
|
127
|
+
half-applied `yad tidy up` — so entries are never double-counted). Schema: `../yad-epic/references/state-schema.md`. `tasks` stays `human_approve` until its slice clears
|
|
127
128
|
the threshold — this only *gathers* evidence. (The `implement` step's own verdict is finalized later,
|
|
128
129
|
at the engineer review in `yad-engineer-review`: merged as authored → `approved-unchanged`; edited first →
|
|
129
130
|
`approved-with-edits`; scope/contract/checks halt → `rejected`.)
|
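Review bot: the shard path on the unchanged line above, `<story>-<repo>-tasks-<uid>.json`, no longer matches what `trustShardName` writes when an id contains characters outside `[A-Za-z0-9_-]`, and the added sentence does not say where the `(story, repo, step, uid)` key for the folded-entry check comes from. State that the filename components are sanitized and that the comparison uses the fields stored inside the shard entry, not values parsed back from the filename. The `ledger.mjs` lines shown in this release only touch shard naming, so it is also worth confirming that the reader already performs the skip this text describes.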