Skip to content

Releases: Stackbilt-dev/charter

v1.9.0

Choose a tag to compare

@github-actions github-actions released this 05 Jul 07:52
8ca2a58

[1.9.0] - 2026-07-05

Unified workspace release. @stackbilt/adf/@stackbilt/cli were already bumped to 1.9.0 in-repo by #246; the release gate enforces one version across all workspace packages, so every package (including @stackbilt/scaffold-core, previously staged as 1.8.0) publishes as 1.9.0. No 1.8.0 was ever published to npm.

Added

  • charter adf suggest real module-attribution for METRICS constraint failures (#246) — replaces the session/time-window correlation heuristic in the loadedButViolated detector with exact evidence for METRICS ceiling failures from adf-evidence.ts.

Fixed

  • @stackbilt/scaffold-core generated project now typechecks clean out of the box (stackbilt-web#151 follow-through) — E2E production test (generate → npm installtsc --noEmit) caught three residual template defects after the traitMap fix: (1) generated tsconfig.json omitted lib, so tsc injected lib.dom which collides with @cloudflare/workers-types globals (~40 declaration-conflict errors) — now pins lib: ["ES2022"] + skipLibCheck: true, matching the materializer's renderTsConfig; (2) HttpError.status was number but Hono's c.json(body, status) requires ContentfulStatusCode, so the generated app.onError handler failed typecheck — now typed as ContentfulStatusCode; (3) route templates' .json<T>().catch(() => ({})) widened the body union to {}, breaking property access under strict — catch fallbacks now typed as {} as T. Regression guards added to output-quality.test.ts.
  • @stackbilt/scaffold-core hero-demo output quality (tarotscript#427, stackbilt-web#151) — classify() computed a traitMap (route_shape, default_routes, source_pattern, etc.) per matched pattern but never attached it to ClassifyResult; codegen fell back to parsing key:value pairs out of the human-readable traits array, which never contained colons. As a result src/worker.ts registered zero routes for every scaffold, the cron-worker scheduled-handler wrapper and [triggers] wrangler stanza never fired, webhook codegen always emitted Stripe signature verification even for generic/GitHub-style webhooks, and D1 schema selection silently fell back to the generic resources table for every "worker"-bucketed pattern (Stripe webhook, generic webhook, hardening overlay, AI chat all share the coarse PatternName 'worker'). ClassifyResult and ScaffoldFacts now carry traitMap and a sourcePattern field; all codegen/knowledge/wrangler lookups key off sourcePattern instead of the coarse pattern bucket. Also fixed: inferBindings() was being called with the coarse pattern name instead of the actual intention text, so D1/KV/R2/AI binding inference silently never ran (masked by a universal D1+KV fallback whenever no signal was detected).
  • @stackbilt/scaffold-core project naming (tarotscript#427) — projectName defaulted to the literal placeholder 'my-worker', and wrangler.toml/package.json had separate hardcoded names (stackbilder-generated / stackbilder-scaffold) that never matched each other or the contract filename. Added deriveProjectSlug() — derives a kebab-case slug (capped at 40 chars, falls back to scaffold-app) from the intention when no explicit projectName option is passed — and threaded the single resulting slug through wrangler.toml, package.json, the contract filename/description, and all .ai/*.adf headers.
  • @stackbilt/scaffold-core empty/broken generated files (tarotscript#427) — .ai/adr-002.md was always emitted, including as a 0-byte file when there were no compliance domains (governance.adr002 ?? ''); it is now omitted entirely when there's nothing to say. .ai/core.adf and .ai/state.adf rendered ### headings with blank bullet fields (no upstream rawFacts exist in the local scaffold-core flow); sections now render only when real content exists, with an honest fallback note otherwise.
  • @stackbilt/scaffold-core generated dependency gaps (tarotscript#427) — the generated src/contracts/*.contract.ts stub imports zod and @stackbilt/contracts, but the base package.json (generated before the contract file exists) only declared hono — so a downloaded scaffold survived npm install and then failed typecheck/build with missing modules. Both dependencies are now backfilled onto package.json whenever a contract file is emitted, using the current @stackbilt/contracts version (bumped the stale ^0.2.1 pin in FIRST_PARTY_DEPS to ^0.8.0 — that package is published, contrary to the original "unpublished" premise). Also fixed: the contract template omitted the surfaces field whenever no API/DB surface was detected, but @stackbilt/contracts' ContractDefinition.surfaces is a required field in the current published version — every generated contract now always emits surfaces: {} at minimum. Disabled the @stackbilt/worker-observability injection in FIRST_PARTY_DEPS (that package genuinely 404s on the npm registry — same defect class, different package) pending it actually shipping.

What's Changed

  • fix(scaffold-core): prevent Stripe keyword from dominating SaaS intent by @stackbilt-admin in #244
  • feat(adf): telemetry-driven 'adf suggest' diagnostics + co-occurrence heuristic by @stackbilt-admin in #245
  • feat(adf): real module-attribution for METRICS constraint failures by @stackbilt-admin in #246
  • fix(scaffold-core): derive project slug, add worker route stub, populate/omit empty templates, drop unpublished import by @stackbilt-admin in #247
  • fix(scaffold-core): generated project typechecks clean out of the box by @stackbilt-admin in #248
  • chore: unify workspace packages at 1.9.0, cut CHANGELOG for release by @stackbilt-admin in #249

Full Changelog: v1.7.0...v1.9.0

v1.7.0

Choose a tag to compare

@github-actions github-actions released this 24 Jun 21:59

[1.7.0] - 2026-06-24

Added

  • @stackbilt/scaffold-core Rust/WASM governance knowledge (#230) — New rustWasmDecisions() and rustWasmThreats() exports in the knowledge module. Covers 4 architectural decisions (linear-memory ownership across the JS/Rust boundary, wasm32-unknown-unknown vs wasm32-wasi target selection, wasm-bindgen vs hand-written WASM glue, binary-size optimization) and 4 security threats (integer overflow in unsafe blocks MEDIUM, unchecked JS/Rust boundary deserialization HIGH, large binary load-time degradation LOW, missing CORS for cross-origin WASM fetch MEDIUM). Zero runtime dependencies — types enforced by TypeScript interfaces, not a runtime Zod dep.

Fixed

  • charter setup --preset rust-wasm (#232) — The setup command now accepts --preset rust-wasm. isValidPreset in the setup command was missing rust-wasm despite bootstrap and init already accepting it. The help text ("Use worker|frontend|backend|fullstack|docs") is updated to include rust-wasm.

Changed

  • npm trusted publishing (#231) — publish-npm CI job removes the _authToken NPM_TOKEN fallback step. The job already had id-token: write, npm 11.5.1+, and --provenance on every publish call; OIDC now handles auth end-to-end.

What's Changed

  • chore(ci): bump actions/checkout from 6.0.2 to 7.0.0 by @dependabot[bot] in #233
  • chore(ci): bump softprops/action-gh-release from 3.0.0 to 3.0.1 by @dependabot[bot] in #234
  • chore(deps): bump @types/node from 25.9.3 to 26.0.0 by @dependabot[bot] in #235

Full Changelog: v1.6.0...v1.7.0

v1.6.0

Choose a tag to compare

@github-actions github-actions released this 23 Jun 12:53

[1.6.0] - 2026-06-23

Added

  • charter surface --format markdown (cli#236) — --format markdown is now a valid format value for charter surface. Previously the flag was rejected with "Invalid --format value: markdown. Use text or json." Passing --format markdown now routes to the same formatSurfaceMarkdown() output as the existing --markdown/--md shorthand flags, producing a markdown table of routes and schema tables suitable for piping into documentation tools, vault sync scripts, or AI context files. --format markdown is gated to the surface subcommand — other subcommands continue to reject it with a descriptive error.
  • charter surface --exclude <glob> (cli#237) — New --exclude <path> flag filters paths from the surface scan. Accepts any number of --exclude invocations per command. Supports plain path prefixes (packages/scaffold-core), within-segment wildcards (src/gen*), and multi-segment ** wildcards (**/codegen/**, packages/**). Fixes false-positive routes when running charter surface inside repos that contain scaffold template source files (template route strings match the route extraction regex). Implemented as excludeGlobs in SurfaceInputSchema, ExtractOptions, and analyze() — programmatic callers can pass the field directly without the CLI flag.

Changed

  • CLIOptions.format type extended from 'text' | 'json' to 'text' | 'json' | 'markdown' — consumers that switch exhaustively on this type should add a 'markdown' branch.
  • SurfaceInputSchema gains excludeGlobs: z.array(z.string()).default([]). Additive only — existing calls without the field continue to work unchanged.
  • extractSurface / ExtractOptions gain excludeGlobs?: string[]. Additive only.
  • walkFiles internal signature updated to accept root and excludeGlobs parameters. Not a public export; callers using only extractSurface or analyze are unaffected.

What's Changed

Full Changelog: v1.5.0...v1.6.0

v1.5.0

Choose a tag to compare

@github-actions github-actions released this 20 Jun 12:59

[1.5.0] - 2026-06-20

Added

  • Rust/WASM first-class support (charter#230) — charter bootstrap, charter setup, charter score, and @stackbilt/scaffold-core all speak Rust/WASM natively:
    • PatternName now includes 'rust-wasm'; PatternCategory now includes 'LIBRARY' — both are additive, no existing consumers break
    • New rust-wasm scored pattern in SCORED_PATTERNS (priority 90, conjunctive Rust+WASM keyword scoring) — classifies intentions mentioning cargo, wasm-pack, wasm-bindgen, cdylib, wasm32, etc.
    • StackPreset extended with 'rust-wasm' — valid in --preset flag for bootstrap, setup, and init
    • baseFiles() branches on pattern === 'rust-wasm': generates Cargo.toml (cdylib + rlib), src/lib.rs, tests/integration.rs, private root package.json with wasm-pack scripts, .gitignore (excludes pkg/, target/), and .github/workflows/ci.yml with wasm32-unknown-unknown target + wasm-pack test --node + wasm-pack build. No wrangler.toml, schema.sql, or src/index.ts emitted.
    • inferBindings() respects no-server trait — rust-wasm patterns receive no CF Worker bindings (no D1/KV defaults)
    • detectStack() now performs a pre-flight Cargo.toml check when no package.json files are found. Pure Rust repos no longer fall to confidence: 'LOW', suggestedPreset: 'fullstack' — they return confidence: 'HIGH' with suggestedPreset: 'rust-wasm' (wasm signals present) or 'backend' (plain Rust)
    • deriveTestCommands() in charter score adds wasm-pack test --node and wasm-pack build when Cargo.toml contains wasm-bindgen/wasm-pack/wasm32 signals
    • charter score probes pkg/package.json explicitly — wasm-pack output (gitignored) no longer causes false-zero on publish readiness scoring
    • New RUST_WASM_SCAFFOLD and MANIFEST_RUST_WASM_SCAFFOLD ADF constants; rust-wasm.adf covers pure-export constraints, dual crate-type, wasm-pack gate, and pkg/ publish boundary
    • 17 new tests across classification, scaffold file assertions, and detectStack pure-Rust detection

Changed

  • --preset flag for charter bootstrap, charter setup, and charter init now accepts rust-wasm alongside worker|frontend|backend|fullstack|docs

Full Changelog: v1.4.0...v1.5.0

v1.0.0

Choose a tag to compare

@github-actions github-actions released this 23 May 14:46
56251a8

[1.0.0] - 2026-05-23

Breaking: run, architect, scaffold, and login commands removed from @stackbilt/cli. The stackbilt binary alias is also removed. These commands have moved to @stackbilt/build — install it with npm install -g @stackbilt/build. Migration tracked in RFC #112.

Removed

  • charter run, charter architect, charter scaffold, charter login — removed after four minor release cycles of deprecation warnings (0.13–0.17). All four commands live in @stackbilt/build@0.1.0+.
  • stackbilt bin alias — @stackbilt/cli now ships only the charter binary. Run npm install -g @stackbilt/build to get the stackbilt bin.
  • credentials.ts, http-client.ts, types/scaffold-contract-types.ts — removed with the commands. @stackbilt/cli now has zero network calls, no bearer-token handling, and no references to stackbilt.dev.

Changed

  • Package description updated: "Charter CLI — repo-level governance toolkit" (drops scaffolding claim).

What's Changed

Full Changelog: v0.17.0...v1.0.0

v0.17.0

Choose a tag to compare

@github-actions github-actions released this 23 May 11:17

[0.17.0] - 2026-05-23

Minor release closing issue #155 — session continuity is now first-class in the charter toolchain.

Added

  • charter hook print --claude (hook.ts): New subcommand on the existing hook command. Prints a copy-pasteable UserPromptSubmit hook config JSON to stdout. Pasting into .claude/settings.json makes Claude Code auto-run charter context-refresh --once at every session open, so charter_context returns live project state before the agent acts. The command is a deliberate generator (not a writer) — .claude/settings.json is user-controlled.

  • Session-start next step in charter bootstrap (bootstrap.ts): After setup, bootstrap now surfaces charter hook print --claude as a next step with an explicit reason: agents that skip this start cold, re-inferring constraints already declared in .ai/.

  • ## Session Start section in generated CLAUDE.md (adf.ts): Both POINTER_CLAUDE_MD (thin) and POINTER_CLAUDE_MD_HYBRID (with module index) now include a ## Session Start section telling the agent to call charter_context before any other action. Includes fallback instructions for sessions where charter serve is not running.

  • charter context-refresh Phase 1 + 2 (context-refresh.ts, index.ts, docs/tests): new live-context refresh command that writes both .ai/context.adf and .ai/context.snapshot.json.

    • Phase 1 (c5e90fd): git-source snapshot generation, optional markdown mirror via --output, initial command wiring and tests.
    • Phase 2 (5fb4a44): source expansion (git, github), config contract support via .charter/context-sources.json, TTL controls (--once, --ttl-minutes, --force), and machine-readable refresh status.
  • Snapshot contract for warm starts: normalized root aggregates (openWork, recentActivity, pendingDecisions) are generated at refresh time from source payloads to prevent semantic drift while preserving raw source diagnostics under sources.*.

Changed

  • charter context-refresh GitHub failure mode is fail-closed: missing GITHUB_TOKEN or unavailable GitHub source no longer crashes refresh. Snapshot records sources.github.available = false plus warning context, and refresh continues with remaining sources.
  • CLI + docs command surface: top-level help and CLI reference now include charter context-refresh usage, flags, output artifacts, and config-file behavior.

What's Changed

  • docs(context-refresh): phase-3 kickoff skeleton + release verification gates by @stackbilt-admin in #178
  • feat(serve): session-start hook wiring + CLAUDE.md warm-start section by @stackbilt-admin in #179

Full Changelog: v0.16.0...v0.17.0

v0.16.0

Choose a tag to compare

@github-actions github-actions released this 23 May 10:05
fe49035

[0.16.0] - 2026-05-22

Minor release adding ADF write-back tooling — the first step in closing the LM→ADF automation loop.

Added

  • updateEvidence MCP tool (serve.ts): charter serve now registers updateEvidence, which measures actual file line counts for every metric declared in manifest.adf, diffs them against stored ADF values, and writes UPDATE_METRIC patches back to the owning ADF modules in place. Returns { measured, changes, skipped, written, constraints } so agents get full before/after visibility and live constraint pass/fail after the write. Supports dryRun: true (preview without writing) and metrics: [...] (update specific keys only). Deliberately does not touch .adf.lock — callers should run charter adf sync --write if lock hygiene is needed (preserves drift-detection signal).
  • adf patch changes[] output (adf.ts): charter adf patch --format json now includes a changes array alongside opsApplied. Each entry records { op, section/key, before, after }UPDATE_METRIC shows numeric before/after values, REPLACE_BULLET/REMOVE_BULLET show the original item text, ADD_BULLET shows before: null. Human-readable output also prints inline per-op diffs for metrics and bullet ops.

Fixed

  • charter serve exits cleanly on startup errors (serve.ts, #157): Both @modelcontextprotocol/sdk/server/mcp.js and @modelcontextprotocol/sdk/server/stdio.js bind process.stdin at module load time, keeping Node's event loop alive past process.exit(). Both imports are now lazy (dynamic import() inside serveCommand(), after path guards). A bad --ai-dir now exits in under 100 ms with a JSON-RPC error and non-zero exit code instead of hanging indefinitely.
  • charter stamp-policies structured error + env fallback (stamp-policies.ts): CHARTER_POLICY_REPO_REF env var is now accepted as a fallback when --policy-repo-ref is not passed. When SHA resolution fails, the command emits a structured JSON error object with code: POLICY_REPO_REF_UNRESOLVED and a recoveryCommand hint rather than a plain string message.

What's Changed

  • chore(oss): ship CodeQL, CoC, CODEOWNERS coverage, and policy-block fallback by @stackbilt-admin in #173
  • fix(score): filter URLs, env-vars, Windows paths, and HTTP routes from grounding checker by @stackbilt-admin in #168
  • fix(context): use CLI package version when repo is a private workspace root by @stackbilt-admin in #169
  • feat(setup): detect npm/yarn workspace monorepos + brief stack fallback by @stackbilt-admin in #170
  • feat(ux): risk-first posture view for installed repos, adoption pitch for new ones by @stackbilt-admin in #176
  • chore: add keywords, author, and provenance to all 12 packages by @stackbilt-admin in #171
  • test: export boundary tests for @stackbilt/ci, classify, and validate by @stackbilt-admin in #174
  • feat(dogfood): bootstrap .charter governance to score 80/100 on own audit by @stackbilt-admin in #175
  • docs(ci): add VERSIONING.md documenting unified workspace versioning invariant by @stackbilt-admin in #177

Full Changelog: v0.15.1...v0.16.0

v0.15.1

Choose a tag to compare

@github-actions github-actions released this 22 May 13:37

What changed

Patch release fixing three charter serve MCP startup issues discovered during real-world Claude Code wiring (#156).

Fixed

  • Path anchoring--ai-dir is now resolved to an absolute path at startup. Relative paths were previously re-resolved against process.cwd() at each tool invocation, causing getProjectContext and all ADF tools to fail in multi-repo / WSL2 setups where the MCP host's cwd differed from the project root.
  • getProjectContext double-prefix bug — the bundleModules reader callback was prepending aiDir to a path that already included it, producing paths like .ai/.ai/core.adf and making every getProjectContext call throw "Module not found".
  • Structured startup errors — startup validation failures now emit a JSON-RPC -32000 envelope to stdout so Claude Code shows a human-readable message instead of a dead error code. Error messages distinguish missing .ai/ directory (→ charter init) from missing manifest.adf (→ charter adf init).
  • adf init scaffolding guardcharter adf init no longer silently overwrites existing core.adf, state.adf, or preset module files. Files are skipped if present (with a notice and --force hint); only the missing manifest.adf is written.

Documentation

  • Added dedicated charter serve section to `docs/cli-reference.md` covering `--ai-dir` behavior, `.mcp.json` wiring, startup error table, and all registered MCP tools.
  • Updated `charter adf init` flag docs to clarify the new skip-if-exists behavior.

Full diff: v0.15.0...v0.15.1

v0.15.0

Choose a tag to compare

@github-actions github-actions released this 20 May 10:22

v0.15.0

See CHANGELOG.md for release details.

What's Changed

Full Changelog: v0.12.1...v0.15.0

v0.12.1

Choose a tag to compare

@stackbilt-admin stackbilt-admin released this 05 May 16:56
04cc3a8

v0.12.1

Hotfix release for npm consumer install breakage in 0.12.0.

What happened

0.12.0 published with workspace: protocol dependencies in package manifests for some @stackbilt/* packages.
This broke pnpm installs for consumers outside the Charter monorepo.

Fix in this release

  • Republished all publishable @stackbilt/* packages at 0.12.1.
  • Replaced published internal runtime dependency specifiers with concrete semver ranges (for example, ^0.12.1).
  • Updated release runbook to require concrete dependency verification and removed stale pnpm pack --dry-run guidance.

Consumer impact

  • pnpm add @stackbilt/cli@0.12.1 now succeeds in external repos.
  • If you are pinned to 0.12.0, upgrade immediately to 0.12.1 or later.

Deprecated versions

The following broken 0.12.0 package versions are deprecated with an upgrade message to 0.12.1:

  • @stackbilt/cli@0.12.0
  • @stackbilt/ci@0.12.0
  • @stackbilt/classify@0.12.0
  • @stackbilt/drift@0.12.0
  • @stackbilt/git@0.12.0
  • @stackbilt/validate@0.12.0

Verification

  • npm dist-tag latest now points to @stackbilt/cli@0.12.1.
  • Published @stackbilt/cli@0.12.1 dependencies resolve to concrete semver ranges (no workspace: specifiers).