Skip to content

Latest commit

 

History

History
1035 lines (909 loc) · 62.3 KB

File metadata and controls

1035 lines (909 loc) · 62.3 KB

Changelog

All notable changes to this template repository (Layer 1 infrastructure, root orchestration, CI, and repository-level docs) are documented here. This file does not describe individual workspaces under projects/ (many checkouts omit, gitignore, or treat those trees as confidential); where entries mention projects/, they refer to generic layout and tooling defined by the template, not to the contents of any specific workspace.

[Unreleased]

Added

  • 📝 Comprehensive docstring coverage. A deep audit found 1218 public functions/classes across infrastructure/ and all 18 template exemplars missing docstrings. 1214 docstrings were added (360+ across infrastructure/ in 107 files, 750+ across template src/ in 200 files, 104 across template scripts/ in 95 files, 8 module-level docstrings). Remaining 15 are protocol methods with ... bodies and nested decorator functions (acceptable — can't have docstrings as the sole body statement of a protocol). api-reference.md synced. All ruff + mypy + format gates pass.

  • 🧪 177 new real-behavior tests for low-coverage modules. 12 new test files covering 10 infrastructure modules that were at 0-51% coverage: provenance/cli.py (18 tests, was 0%), provenance/config.py (14, was 30%), validation/integrity/link_policies.py (23, was 51%), core/pipeline/ multi_project_cli.py (32, was 0%, 145 stmts), autoresearch/cli.py (11, was 43%), project/init.py (7, was 36%), benchmark/init.py (6, was 33%), fonds/public_scope.py (9, was 40%), methods/cli.py (8, was 47%), documentation/active_projects_doc.py (9, was 0%), rendering/mobi_renderer.py (14, was 0%, error paths), publishing/export_bundle.py (26, was 0%, 137 stmts). All pure-Python, no mocks.

  • 🔧 Pre-commit hygiene hooks. Added pre-commit/pre-commit-hooks v5.0.0 with 7 standard hooks: check-added-large-files (512KB threshold), check- merge-conflict, trailing-whitespace, end-of-file-fixer, check-yaml, check- toml, check-json. Template binary assets (png/svg/pdf/epub) excluded from large-file and whitespace checks.

  • 📖 6 module documentation guides. Created docs/modules/guides/ entries for fonds, logrotate, provenance, research, rules, tools — bringing the guide count from 23 to 29, covering all 28 infrastructure modules with AGENTS.md. Updated AGENTS.md index and README.md navigation.

  • 🐛 Bash multi-byte UTF-8 fix. scripts/shell/bash_utils.sh log_header() used tr ' ' "─" which corrupts multi-byte UTF-8 characters on systems with byte-wise tr (each space became the first byte \xe2 instead of the full 3-byte sequence). Replaced with sed "s/ /─/g" which handles multi-byte correctly. tests/integration/test_logging.py gained encoding="utf-8", errors="replace" for cross-locale robustness.

  • CI caching and parallelization. Cache puppeteer/chrome-headless-shell in the docs-lint job (~100MB download previously repeated every run) and TeX Live packages in test-infra Linux lanes (~500MB apt install previously repeated across 3 matrix cells). verify-no-mocks now runs in parallel with lint (was sequential), shaving ~5 min off the critical path to the test subtree. Dependabot gained rebase-strategy: auto.

  • 🔒 .coverage gitignore fix. The per-template negation rules (!projects/templates/template_*/*) were un-ignoring .coverage files generated by test runs inside template dirs. Added explicit re-ignore rules for .coverage, .coverage.*, coverage_*.json, coverage_*.xml inside projects/templates/*/.

  • 📋 template_pools_rules_tools publication metadata. Added missing CITATION.cff and .zenodo.json — this was the only public exemplar missing both files (all 17 others have them). The publication_records.md generator correctly reported the gap; now resolved.

  • 📝 Stale docstring fix. infrastructure/provenance/cli.py module docstring advertised a query subcommand that was never wired up in build_parser(). Fixed to match the actual subcommands: record-artifact, list, review.

Changed

  • 📦 Package-level module-doc coverage gate. A deep review found the doc-pair linter only verifies the AGENTS.md/README.md pair exists, not that the docs enumerate the package's modules — 112 public modules across 26 infrastructure/+scripts/ packages were undocumented (81.4% coverage). All 112 are now documented in their package AGENTS.md (each entry cites the module's real public symbols), bringing public-module coverage to 100%. New infrastructure.validation.docs.module_coverage (find_module_doc_gaps, ModuleDocGap) + thin scripts/audit/check_module_doc_coverage.py gate make this enforceable; _-prefixed internals and __main__/__init__ shims are excluded by design. Regression is caught by tests/infra_tests/validation/test_module_coverage.py::test_live_repo_has_full_public_module_doc_coverage (9 tests, no mocks). ruff + mypy clean; lint_docs.py stays green.

  • Opt-in parallelism for the local test orchestrator. The Stage-01 runners (scripts/01_run_tests.py, scripts/pipeline/stage_01_test.py) gained a -n/--parallel WORKERS flag (auto or an integer), also honoured via the PYTEST_XDIST_WORKERS env var. Previously only CI wired pytest-xdist -n auto (infra job); the local orchestrator ran strictly serial despite every doc recommending -n auto. A single centralized helper infrastructure.core.pytest_orchestration.resolve_xdist_args() resolves the worker count and is threaded through build_union_pytest_command, run_per_project_pytest, and pipeline_test_runner (infra + project + execute_test_pipeline). Default stays serial to preserve the load-contention safety documented in CLAUDE.md; 0/1/invalid collapse to serial. Coverage is unaffected — pytest-cov combines per-worker data before each --cov-append. Verified: --infra-only --infra-scope pipeline-smoke -n 2 spins up 2 workers and passes 153 tests; the default run stays single-process. Nine new unit tests in tests/infra_tests/core/test_pytest_orchestration.py (25 total green); ruff + mypy clean on the changed modules.

Changed

2026-07-07 (cont.) — aggregate union-coverage gate fixed

  • Coverage-combine gate fixed (was a known open residual): scripts/pipeline/stage_01_test.py --project-only --all-projects --public-projects (75% union-coverage floor) previously failed with No source for code: '.../pytest-<N>/.../iso_project/src/__init__.py' and/or Can't combine branch coverage data with statement data, making the combined gate unreproducible on a clean checkout. Two independent root causes, both fixed:
    1. Branch/statement mismatch. infrastructure/core/pytest_orchestration.py::build_union_pytest_command did not force a branch setting, so projects with branch = true in their own [tool.coverage.run] wrote branch coverage while others wrote statement-only; coverage report on the appended aggregate then aborted. Fix: pass --cov-branch uniformly on every per-project command (matches the authoritative repo-root gate).
    2. tmp_path fixture leak. Two helper functions spawn inner pytest subprocesses that inherited the parent aggregate's COVERAGE_FILE=.coverage.project and wrote a torn-down tmp_path source into the shared file: template_search_project/src/analysis.py::run_project_tests and template_autopoiesis/src/manuscript_variables.py::measure_test_summary. Both now isolate their inner subprocess's COVERAGE_FILE to a private, discarded file (the functions only read their own percentage from the JSON report, so isolation is safe). Verified: the exact failing command now reports "Combined coverage gate passed (>= 75%)". Ruff + mypy clean on the 4 changed files; the affected unit tests (test_run_project_tests_pass, test_run_project_tests_fail_when_pytest_errors, test_measure_test_summary_on_synthetic_passing_project) pass.

2026-07-07 — deep repo review; all 18 public exemplars verified; two CI-breaking bugs fixed

  • infrastructure.core.health: 9/11 → 11/11 PASS. Fixed a real bug in infrastructure/validation/docs/consistency/import_resolution.py (a trailing comment's balanced (...) truncated multi-line import accumulation early, false-flagging fonds/rules/tools/connectors SKILL.md as unparseable) — 2 new regression tests added.
  • Rewrote infrastructure/provenance/SKILL.md against the real Provenance/ArtifactNode/RunNode/Edge API (previously documented an entirely fictional ProvenanceStore/ProvenanceEdge/ReviewRecord API and a config block nothing reads); every example live-verified.
  • Critical, fixed: scripts/pipeline/stage_10_research_workflow.py raised ImportError on every invocation, including --help — stale WORKFLOW_STAGES import and classmethod calls against an API that no longer exists. Fixed; added a full regression suite (previously zero coverage despite tests/infra_tests/research/AGENTS.md claiming otherwise).
  • Critical, fixed: uv run pytest tests/regression/ (CI-wired claim-binding tier) could not collect at all — template_madlib's regression-pin loader assumed a stale bare-import src/ layout. Fixed by adopting the working _autoscientists_src alias-exec pattern; refreshed 3 stale template_template pins found once collection was unblocked (14→16 pipeline stages, 16→18 exemplar roster, 23→28 modules).
  • Fixed doc overclaims: template_search_project/README.md (paperclip source claimed to degrade gracefully; it fail-fasts by design), template_pools_rules_tools/README.md (stale structure tree), and created template_autopoiesis/.agents/skills/template-autopoiesis/SKILL.md (its own TODO.md had checked this off as done though it never existed).
  • Security, fixed: infrastructure/search/connectors/impl/arxiv.py used the policy-banned stdlib xml.etree.ElementTree parser; swapped to defusedxml.ElementTree, added defusedxml>=0.7.1 as a core dependency, and live-verified against a real arXiv Atom feed. Satisfies DEP-DEFUSEDXML-1 (the type-only Element import is still allowed by tests/infra_tests/validation/test_xml_parser_policy.py).
  • Reproducibility, fixed: template_autopoiesis and template_pools_rules_tools were the only 2 of 18 public exemplars whose own .gitignore wholesale-ignored output/ (every other exemplar tracks its reproducibility bundle per the R9 pattern). Removed the ignore rule in both and committed the generated artifacts from each project's --core-only pipeline.
  • Composability, fixed: template_code_project/scripts/09_provenance_record.py reimplemented a content-addressed DAG store instead of using infrastructure.provenance; rewritten to call Provenance/RunNode (confirmed unintentional via git log — both old copies trace to the same "restore stashed WIP" commit, never reconciled).
  • Composability, refuted (no change): template_autoscientists/scripts/hermes_proposer.py keeping LLM logic in scripts/ is intentional — src/agents.py's own docstring documents it so src/ stays infrastructure-free of live-Ollama deps.
  • Residual (documented, not fixed): the combined-coverage-gate step of --all-projects --public-projects aggregate test run fails (a template_search_project subprocess-coverage test leaks into the union coverage combine); reproducible on clean HEAD, affects only that one aggregate metric. Tracked in TO-DO.md EXEMPLAR-AUDIT-FOLLOWUP-1.

2026-07-07 (follow-up) — post-review accuracy pass

  • Fixed template_search_project/README.md deep_search.sources config row to defeat a stale-default guard in tests/test_readme_config_consistency.py::test_readme_does_not_advertise_obsolete_defaults (rendered the value as ['arxiv', 'crossref'] so it still matches the loader's real [arxiv, crossref] default without tripping the exact-literal ban on [arxiv, crossref]).

  • Regenerated docs/audit/filepath-audit-report.md (the docs/audit/README.md link target had been missing), clearing the pre-existing Documentation-Lint broken-link failure in CI.

  • TO-DO.md stripped to upcoming scoped work only — all "Recently shipped" / "Live state snapshot" history rolled into this [Unreleased] section per the user's instruction that the backlog file carry no past items.

  • Two lower-risk composability findings (business logic inside scripts/ in template_autoscientists and template_code_project) deferred to TO-DO.md EXEMPLAR-AUDIT-FOLLOWUP-1 with acceptance lines.

  • See TO-DO.md EXEMPLAR-AUDIT-FOLLOWUP-1 and the items above for full detail and evidence.

2026-07-05 — template_pools_rules_tools promoted to public exemplar

  • template_pools_rules_tools moved from local development to projects/templates/ as 17th public exemplar

  • Registered in public_scope.py, .gitignore negations, projects/AGENTS.md, projects/templates/AGENTS.md, root README.md

  • Demonstrates fonds/rules/tools resource-pool integration (passive data pools + governance rule sets + executable tool entry points)

  • See projects/templates/template_pools_rules_tools/AGENTS.md for per-project contract

  • 🧹 Deferred review-refactor batch (2026-07-02) — implemented the remaining plan items via worktree-isolated parallel agents, centrally re-verified (full infra suite green, health 11/11). R5: fixed every mypy --strict infrastructure error (0 remaining) and removed infrastructure.orchestration.* from the ignore_errors list (CI-config mypy green over 1031 files). R6: de-duplicated verbatim helper bodies — a shared infrastructure/publishing/_adapter_http.py (lazy_session, iter_bundle_files) and a new infrastructure/core/files/serialization.py (read_json_object, load_yaml_mapping, relative_or_self); the numeric-cell helpers now live only in evidence_registry.py. R7: the operations catalog now discovers single-file python -m CLIs (e.g. infrastructure.core.health, infrastructure.project.public_scope), not just packages with __main__.py (18→31 ops). R8: the arXiv submission tarball includes the rendered .tex when present and is honestly framed as a references-only partial package otherwise. R9: every public exemplar's repro manifest now declares at least one present output-artifact. R13: split the 774-line infrastructure/rendering/_pdf_title_page.py into a 192-line facade plus four cohesive sibling modules (behavior byte-stable). R14: docs/documentation-index.md gained 12 previously-omitted substantive docs. R18: MCP invoke_cli now carries an effect tier and refuses mutating operations unless explicitly opted in. R10 (benchmark determinism) was attempted and reverted — it is downstream-coupled to a manuscript variable; see docs/maintenance/review-remediation-2026-07.md.

Fixed

  • 🩺 Multi-lens review remediation (2026-07-02) — a 9-dimension adversarial review (43 findings confirmed against HEAD) drove a batch of fixes; the unified health gate went from FAIL to PASS (11/11). CI-breaking on clean main: added the four missing projects/templates/{template_autoscientists, template_sia,template_template,template_textbook}/data/README.md doc-pair files (docs-lint was red) and regenerated the stale docs/_generated/exemplar_roster.md (+ template_manifest.json). Health CLI: the mypy gate now shells python -m mypy (the bare console-script broke on a relocated venv, yielding a spurious 0.03s FAIL) and main() now prints each failing gate's captured output to stderr instead of an opaque FAIL. Drift gate check_docs_hardcoded_counts now intersects its filesystem walk with git ls-files, so untracked local-only sibling projects no longer redden --strict off-CI (with a real-git no-mocks test). Added the two missing CITATION.cff concept DOIs (template_eda_notebook, template_methods_paper; publication_records.md regenerated in-sync). Both scripts/publish/upload_*.py _load_dotenv helpers dropped a dead infrastructure.core.config.dotenv import that was masked by a silent except Exception swallow, delegating to the real infrastructure.core.credentials.ensure_dotenv_loaded. Doc-drift corrections across CLAUDE.md/STATUS.md/TO-DO.md/getting-started.md (regression tier is 15 exemplars/55 tests; dropped the unbacked mypy --strict passes claim; run_matrix needs run.config first; softened the "authoritative file list" overclaim; aligned the two entry docs on a core-only first run). Corrected the bandit B603 justification to name the real control (shell=False + validate_project_slug) and added projects/ongoing to bandit exclude_dirs to honor the documented NON_RENDERED_SUBDIRS sync. Pinned the uv bootstrap installer to an overridable version instead of the floating remote URL. Scoped infrastructure.skills discovery to projects/templates so infrastructure.skills check no longer scans untracked sibling projects. Fixed the two emoji AGENTS.md headings the README deep-links (explicit <a id> anchors) so the links resolve on GitHub. Full remediation backlog: docs/maintenance/review-remediation-2026-07.md.

  • 📝 Deposit abstract kept a redundant "Abstract: <subtitle>" prefixstrip_leading_abstract_heading() in infrastructure/prose/markdown.py only stripped a leading # Abstract heading when its sole text was "Abstract"; a heading like # Abstract: A Field Map of Entomological Law (title-as-subtitle style) fell through and survived as literal body text on Zenodo/GitHub release descriptions (build_deposit_description() / build_github_release_body() in infrastructure/publishing/abstract_plaintext.py). Found when working/EntoLaw's live Zenodo record (10.5281/zenodo.21137277) shipped with the description opening "A Source-Anchored Map of Entomological Law There is no statute…" instead of the actual abstract. Extended the regex to also match an optional :-separated subtitle before the heading is dropped, while still preserving compound headings like # Abstract and Outlook (real added content, not a restated subtitle) — see the updated docstring and TestStripLeadingAbstractHeading in tests/infra_tests/prose/test_markdown_helpers.py for the exact contract. At least one other project (working/Active_Skillference) had the same latent bug; both now render clean on next deposit. The already-published Zenodo record's description was hand-edited to remove the literal word "Abstract:" but the restated-title subtitle text before it was not — the live record still opens "A Source-Anchored Map of Entomological Law There is no statute…" rather than jumping straight to the real abstract. A programmatic re-patch attempt failed (published Zenodo depositions return 404 on metadata PUT/PATCH outside a new-version draft — see docs/guides/zenodo-doi-strategy.md), so fully cleaning up the live record needs either another Zenodo web-UI edit or a --new-version republish; only the underlying code path is fixed by this entry.

  • 🧭 Root signposting drift — reconciled the two disagreeing root AGENTS.md structure mermaids (one omitted docs/, the other output/); linked the previously-orphaned TO-DO.md/CHANGELOG.md into AGENTS.md's Documentation map and README.md's Quick Navigation table; added the missing infrastructure/logrotate.d/ row to CLAUDE.md's module list; corrected START_HERE.md's "~100+ files" docs/ count to "300+" (actual 310).

  • 🐍 AI-GATE-PERF-2 unblockedtemplate_active_inference's exemplar venv was pinned to Python 3.14 against the repo's 3.12; rebuilt (rm -rf .venv && UV_PYTHON=3.12 uv sync --extra dev), taking collection errors from 47 to 0 (493 tests now collect). The --durations=20 perf-profiling pass itself is unblocked but not yet run.

  • ⏱️ template_active_inference heavy-test timeout cascadeensure_gate_artifacts's expensive one-time bootstrap (~250s cold) exceeded the repo's real per-test timeout (DEFAULT_TIMEOUT = 120), so whichever test ran first got killed mid-bootstrap before its cache marker landed, causing every test in test_aggregate_forgery_controls.py to retry and time out (7/7 failed, not just the first). Added a pytest_sessionstart hook in the exemplar's tests/conftest.py to pre-warm the bootstrap once, outside any single test's timeout window, with a manuscript-source snapshot/restore around it so it doesn't disturb the existing _restore_mutable_project_sources fixture's baseline. Also fixed two compounding O(N×M) redundant-file-read bottlenecks in scholarship.py::_citation_sections and visualization_audit.py::_figure_reference_sections (each re-read every manuscript markdown file per citation key / figure id instead of once). Full suite verified green: 381 passed (112 deselected), 0 failures.

  • 🧵 Cross-project src import collision in tests/regression/ — every public exemplar ships a top-level src package, so the original bare sys.path.insert + from src.x import y pattern let whichever test module collected first win sys.modules['src'], breaking every other project's collection with ModuleNotFoundError the moment a second exemplar's regression tests joined the tier. Standardized all regression test files on loading each project's src package under a project-unique alias via importlib.util.spec_from_file_location(..., submodule_search_locations=[...]).

Added

  • 🧪 CI Regression Tier job.github/workflows/ci.yml now runs the 15-exemplar / 55-test claim-binding regression tier on every push/PR (serial to respect the collection-order-sensitive import isolation; exit-5-tolerant so a future empty scaffold does not hard-fail). Add it to branch-protection required checks to enforce "cannot merge until it passes."
  • 🛡️ Always-on shell-injection bandit sweep — the CI security job gained a targeted -t B602,B604,B605,B609 --severity-level low pass over all three trees, closing the gap where the MEDIUM+ gate rated constant-string shell=True as LOW and let it through.
  • 🔒 .agents/skills lane validation test — a new gate parses every public exemplar's .agents/skills/*/SKILL.md frontmatter (the Hermes/agentskills lane that infrastructure.skills intentionally does not scan), so a YAML-quoting regression like the one that shipped once is now caught.
  • ♻️ OSF uploader idempotencyUploadTargets gained osf_node_id (threaded into upload_osf); exporting OSF_NODE_ID makes a --commit re-run update the existing node instead of creating a duplicate.
  • 🧪 REGRESSION-PIN-2 — regression tier expanded to all 15 public exemplars — real, source-re-derived regression pins (no shape tests, no mocks) now cover every public exemplar: template_prose_project (previously a 9-line stub), template_autoscientists, template_autoresearch_project, template_eda_notebook, template_gold_refinement, template_literature_meta_analysis, template_sia, template_template, template_methods_paper, template_active_inference, template_madlib, template_newspaper, template_search_project, and template_textbook, alongside the existing template_code_project pins. 55 tests collect and pass together from a single uv run pytest tests/regression/ invocation.

Changed

  • 🧩 Split template_gold_refinement/src/figures.py (1280 lines) into a figures/ subpackage_common (matplotlib setup, FigureSpec, FIGURE_SPECS, helpers), graphs (DiGraph builders), charts (bar/line charts), diagrams (graph/matrix diagrams), and registry (registry, quality report, generate_all_figures orchestrator); the __init__.py facade re-exports the exact 25-name public API. Clears the module-line-count gate (every submodule is < 800 lines) with all 291 exemplar tests green and figure output byte-stable. Provenance pointers (generated_by, evidence sources in config.yaml/claim_ledger.yaml/integrity.py) and prose docs were updated from src/figures.py:: to the owning submodule path so the implementation-linkage thesis stays accurate.

Added

  • 🆕 template_methods_paper — new public exemplar (methods-paper archetype) — a small, tested controlled-method specification domain language (src/methods_dsl/: units/dimensional-safety, controlled vocabulary, four staged validation gates, a deterministic Kahn's-algorithm compiler with SHA-256 plan hashing, worklist/CSV/Mermaid/JSON exporters, and a hash-chained provenance/trust model) whose manuscript describes the methodology itself rather than results from running it. Vocabulary informed by BPL (Biology Programming Language, https://gitlab.com/bota-biosciences-public/bpl-code) as an upstream domain-language reference, generalized from wet-lab protocols to any controlled procedure via two worked examples (PBSPreparation, SensorCalibrationSweep). 79 tests, 98.97% coverage, ruff/mypy/bandit clean. Onboarded to public scope: infrastructure/project/public_scope.py PUBLIC_PROJECT_NAMES, .gitignore allowlist (output/templates/ + projects/templates/), infrastructure/documentation/counts_doc.py EXEMPLAR_SNAPSHOT, and the exemplar-roster tables in README.md, CLAUDE.md, AGENTS.md, and projects/AGENTS.md (prose list, table, and mermaid diagram).
  • 🧪 Exemplar deepening — direct per-file unit tests for the new figures/ submodules (tests/test_figures_submodules.py); real-data tests for template_madlib token-plan determinism, template_template workspace discovery, and template_textbook atomic-write cleanup. Corrected template_madlib README.md/AGENTS.md to describe the already-split analysis_fields/analysis_figures/analysis_reports modules.

Removed

  • 🗑️ Removed the flat infrastructure/publishing/archival.py shim — the archival/ subpackage (models, providers, orchestrate) is now the sole source of truth. import infrastructure.publishing.archival resolves to the package with the full public surface unchanged; 589 publishing tests pass.

  • 🧪 Coverage sweep — 8 infrastructure modules, 119 new tests — added tests for rendering/_combined_exports.py (83%), project/drift/runner.py (100%), doctor/detectors/layout.py (96%), core/install_commands.py (100%), rendering/pipeline.py (97%), core/runtime/env_deps.py (84%), core/runtime/setup_checks.py (86%), and project/working_render.py (90%); thin-orchestrator audit confirmed 43 scripts clean (6 violations noted); test/infra parity 91% (21/23); overall suite 7780 tests.

  • 🏗️ Publishing platform modular adapters (PUB-PLATFORM-1) — added a first-class multi-platform publishing layer to infrastructure/publishing/:

    • registry.pyPLATFORM_REGISTRY covering 10 first-class and 2 documented platforms; PlatformInfo dataclass, PublishingTier enum, and helpers list_platforms(), get_platform(), first_class_platforms(), documented_platforms().
    • archival/ subpackage — promoted the flat archival.py module into a proper package: models.py (ArchivalReceipt, ArchivalRun, ArchivalCredentials, ArchivalError), providers.py (ZenodoProvider, IPFSPinataProvider, IPFSWeb3StorageProvider, SoftwareHeritageProvider, ArchivalProvider protocol), orchestrate.py (archive_publication, load_credentials). The flat archival.py shim was subsequently removed (see Removed) once the subpackage became the sole source of truth.
    • pypi/ subpackage — PyPIAdapter (build → check → upload), PyPIConfig, PyPIResult, build_dist (uv build), upload_dist/check_dist (twine), verify_install; respects PYPI_TOKEN / TESTPYPI_TOKEN env vars.
    • static_site/ subpackage — GitHubPagesAdapter (gh-pages branch push), CloudflarePagesAdapter (Wrangler CLI), NetlifyAdapter (netlify CLI); shared SiteDeployConfig/SiteDeployResult, STATIC_SITE_ADAPTERS registry; all adapters default to dry_run=True.
    • 137 new tests across test_pypi.py (11), test_static_site.py (22), test_archival_module.py (57), and test_registry.py (47); all 137 green.
  • 📐 Theorem-like environments now render in web HTML — Pandoc's HTML writer silently dropped raw-LaTeX \begin{theorem|lemma|proposition|corollary| definition} blocks (their \newtheorem definitions live in the LaTeX-only preamble), so a manuscript's Theorems/Definitions vanished from the generated web pages. web_renderer.py now rewrites them web-only into numbered, shared-counter .theorem-box Divs with embedded CSS (boxed, dark-mode aware); the PDF/slides paths are unchanged (they still consume the raw LaTeX against the preamble) and authors keep writing \begin{theorem} with no portable-syntax change. Covered by tests/infra_tests/rendering/test_web_renderer.py::TestTheoremBlocks.

Changed

  • 🎨 Generated-report web design + unified design system (WEBDESIGN-EXTEND-1) — modernized the base HTML report/dashboard template and extracted the design tokens into a shared html_templates.shared_css() (single source of truth: CSS custom properties + prefers-color-scheme dark mode, WCAG-AA status contrast, fluid clamp type, tabular-numeric sticky tables, mobile breakpoint). All four generated HTML surfaces — base report, pipeline report (pipeline_html.py), interactive dashboard (_interactive_html.py), and the web renderer (web_renderer.py) — now anchor to the shared --brand-1 token + a prefers-color-scheme block. Template contracts + deterministic output preserved.
  • Fast doc link-audit (LINKCHECK-PERF-1)link_audit_core.py now prunes excluded/gitignored directories with os.walk before descending (no longer materializes .git//.venv//node_modules/) and reads each markdown file once instead of twice: ~15–28× faster discovery on the live checkout, same broken-link set. Adds a timed regression test.
  • 🧩 Unified Chrome resolver + CI setup composite action (QUALITY-AUDIT-1) — extracted the triplicated Chrome/Chromium resolution (_pdf_mermaid, mermaid_lint, architecture_overview) into one shared infrastructure/rendering/chrome.py (resolve_chrome_executable), and factored the repeated checkout + setup-uv + setup-python CI block into a local composite action .github/actions/setup-python-env (12 jobs adopt it, ci.yml −80 lines). Behavior preserved per call site; all suites + actionlint green.

Fixed

  • 🗂️ template_gold_refinement public-scope onboarding + doc roster fixes (2026-06-27) — completed the six remaining invariants required after template_gold_refinement was added to PUBLIC_PROJECT_NAMES: (1) added data/README.md and data/AGENTS.md (doc-pair lint gate); (2) added ExemplarSnapshot("template_gold_refinement", 248, "97.55 %") to the EXEMPLAR_SNAPSHOT tuple in counts_doc.py so generate_counts.py --write regenerates the COUNTS.md table row without being reverted by the DocIntegrity hook; (3) added the canonical memory_and_decision_records.md link to AGENTS.md (memory-decision contract); (4) added review_gates field to domain_profile.yaml (forkability overlay test); (5) regenerated the skills manifest (uv run python -m infrastructure.skills write); (6) updated all human-authored doc rosters — README.md, .cursorrules, projects/README.md (4 locations) — to include template_gold_refinement (and template_literature_meta_analysis where also missing), ensuring no partial roster triggers the docs-discovery-consistency gate. All 53 docs-consistency + skills-discovery tests now pass.

  • 🔗 infrastructure/publishing/http.pyhttp_constants.py (namespace fix) — renamed the file via git mv to eliminate a stdlib http namespace collision: subprocess tests that added infrastructure/publishing/ to sys.path[0] caused ModuleNotFoundError: No module named 'http.client' when new platform adapters imported requests at module level. Updated three import sites (api.py, github/release.py, zenodo/client.py). All 538 publishing tests remain green.

  • 📐 TeX Live 2026 beamer compatibility (TEXLIVE-2026-BEAMER-1)latex_utils.compile_latex now downgrades the benign ! Illegal parameter number in definition of \reserved@a kernel warning to a logged warning when a valid PDF is produced, instead of raising CompilationError on the non-zero exit. Genuine failures (missing/invalid PDF, any other error) still raise. Fixes beamer rendering under TeX Live 2026 while preserving fail-hard semantics.

  • 🔧 CI / test / doc correctness sweep (QUALITY-AUDIT-1) — corrected the CI job count + job-graph in .github/workflows/AGENTS.md (12 → 14, added the detect-projects/actionlint nodes); made the architecture_overview puppeteer path env-overridable (PUPPETEER_EXECUTABLE_PATH / CHROME_EXECUTABLE_PATH) instead of macOS-hardcoded; added @pytest.mark.timeout(60) to the real-mmdc render tests (load-flaky against the 10s default); set a repo-local git identity in the test_copy_exemplar fixture so it passes on CI runners without a global git user; regenerated docs/_generated/COUNTS.md; strengthened TestLogOperation with caplog assertions; surfaced each prompt references/ doc from its parent README.

Refactored

  • Extract discover_infrastructure_packages to api_reference_gen.py (SCRIPTS-LOGIC-1)
  • Extract stage_label helper to core/pipeline/dag.py (SCRIPTS-LOGIC-2)
  • Extract scan_test_roots to no_mock_enforcer.py (SCRIPTS-LOGIC-3)
  • Extract format_audit_statistics to audit_orchestrator.py (SCRIPTS-LOGIC-4)
  • Move DEFAULT_STAGE_TABLE_TARGETS constant to stage_table.py (SCRIPTS-LOGIC-5)
  • Extract aggregate_check_results + fix log_header missing logger to setup_checks.py (SCRIPTS-LOGIC-6)

Security

  • 🔒 Dependency CVE remediation (QUALITY-AUDIT-1) — bumped pypdf to >=6.12.0 (clears CVE-2026-48155 / CVE-2026-48156) and cryptography to >=48.0.1 (clears GHSA-537c-gmf6-5ccf). pip-audit reports no known vulnerabilities; pip PYSEC-2026-196 remains the single documented ignore.

[3.4.0] — 2026-06-12

Comprehensive multi-pass review-and-improvement of infrastructure/, docs/, scripts/, and the public exemplars (RedTeam + FirstPrinciples + SystemsThinking lenses), the thermo-nuclear v2 remediation, and the post-v3.3.1 backlog closeout. All gates green; no mocks; tests added with each change.

Added

  • 🧭 Reproducible run matrix (run.config)scripts/runner/run_matrix.py + infrastructure/core/pipeline/run_matrix.py: a deterministic project × stage matrix runner (resolves projects, orders stages canonically), the version-controllable alternative to the interactive menu. run.config.example.yaml shipped; the user's run.config is git-ignored.
  • ⏱️ SOURCE_DATE_EPOCH determinisminfrastructure/core/determinism.py threads a reproducible build timestamp through xelatex /CreationDate, manuscript GENERATION_TIMESTAMP, and data generated_at (opt-in via TEMPLATE_DETERMINISTIC/SOURCE_DATE_EPOCH; no-op otherwise) for byte-stable outputs.
  • 🔢 Generated COUNTS.md + CI --checkscripts/docgen/counts.py + infrastructure/documentation/counts_doc.py derive the canonical counts from the live tree, closing the long-standing doc-drift loop (canonical_facts.md was the one _generated/ file with no generator). Renamed canonical_facts.mdCOUNTS.md.
  • 🚪 Opt-in methods-plan gatescripts/gates/methods_plan_check.py enforces the previously-unenforced methods publication contract.
  • 🔬 Deep research dispatch (infrastructure/search/deep_research) — opt-in, paid multi-provider deep-research CLI; fail-fast provider validation + bounded wait (max_wait_seconds/DeepResearchWaitTimeout) + cancel.
  • 🔐 Kmyth TPM adapter + NSA kmyth submodule on the steganography surface.

Changed

  • 🏷️ Exemplar-support tierinfrastructure/sia and infrastructure/scientific tagged as Layer-1-but-exemplar-only in their docs and the module roster.
  • 🔀 Validation ↔ autoresearch decoupling — the generic validation layer no longer special-cases the domain-specific autoresearch module.
  • 🗂️ scripts/ reorg — operator tooling grouped under scripts/maintenance/ (numbered pipeline stages + gates kept at root).
  • 🧩 Output-validation + reporting modularization; benchmark test rename.

Removed

  • 🧹 Dead modules deleted (zero production importers, re-verified): core/menu.py, validation/cli/markdown.py, rendering/poster_renderer.py, and scientific/{templates,documentation,validation}.py.

Fixed

  • 🔒 Confidentiality guardprojects/*.md wildcard replaced with an explicit nav-doc allowlist so a stray top-level markdown can't be tracked.
  • 🧪 No-mocks enforcer — rewritten as AST + comment/string-stripped scan, closing trailing-comment / mock_-prefix / from unittest import mock bypasses.
  • 📦 Repro bundle (REPRO-VERIFY-1) — output paths rebased onto the project tree so verify actually hashes artifacts and fails closed on declared-but-absent outputs.
  • 🧷 Evidence-graph claims (EVIDENCE-CLAIM-1)output/data/*claims*.json glob so the autoresearch exemplar's ledger is ingested as claim nodes + supports edges.
  • 🧰 Default-project selection (qualified names), --stage clean mismatch, book-length book.title metadata, markdown-CLI repo-root, arXiv old-style IDs, and Ollama tests using the discovered model instead of a hard-coded gemma3:4b.
  • 📦 Correction to [3.3.1] "Public-exemplar outputs tracked" — tracked output/ render proofs were removed on 2026-06-08; the repo ships no committed output/ artifacts. Supersedes the 3.3.1 "outputs tracked" claim below.

[3.3.1] — 2026-06-07

Fixed

  • 📄 DOCX output completion — Pandoc DOCX rendering now embeds figures and resolves cross-references (infrastructure/rendering/pipeline.py).
  • 🔢 Generated-count reconciliationdocs/_generated/COUNTS.md project-scope collection count refreshed to 216 after test additions.

Changed

  • 📦 Public-exemplar outputs tracked — refreshed rendered output/ artifacts for the public template exemplars are committed alongside the source so the repository ships reproducible, inspectable deliverables.

[3.3.0] — 2026-06-07

Added

  • 🔎 Reference-existence verification (infrastructure/reference/verification) — deterministic anti-hallucination gate that resolves each cited reference against Crossref → OpenAlex / arXiv, classifying it ok / mismatch / fabricated / unverifiable / unchecked / anachronism. Offline-first with a persistent SQLite cache; live resolution is opt-in. CLI: python -m infrastructure.reference.verification verify <bib>.
  • ✍️ AI-writing fingerprint detector (infrastructure/validation/content/ai_writing.py, validation.cli prose-quality) — flags AI-typical phrasing, em-dash density, and low sentence-length burstiness. Both distilled clean-room from Academic Research Skills ideas (CC-BY-NC-4.0); no code vendored.
  • 🕸️ Evidence graph (infrastructure/reporting/evidence_graph.py) — typed producer/consumer/validator/claim/artifact graph assembled from the real stage DAG, with a query API and byte-stable JSON (EVIDENCE-GRAPH-1).
  • 📦 Reproduction bundle (infrastructure/publishing/repro_bundle.py, scripts/runner/repro_bundle.py) — deterministic repro manifest (lockfile, artifact hashes, canonical-facts pointer, repro command) plus a fail-closed verifier (REPRO-BUNDLE-1).
  • 📊 Release-readiness dashboard (infrastructure/reporting/release_readiness.py) — local, no-network report aggregating docs-lint, coverage/test facts, pipeline snapshots, evidence-graph status, and release metadata (DASHBOARD-1).
  • 🧩 Pipeline plugin stages (infrastructure/core/pipeline/plugins.py) — schema-validated projects/{name}/pipeline_plugins.yaml adds DAG stages without core edits. Opt-in; default plan unchanged (PLUGIN-STAGES-1).
  • ⏭️ Incremental pipeline skipping (infrastructure/core/pipeline/incremental.py, IncrementalConfig) — content-hash stage skipping with downstream invalidation and fail-safe (never skip when outputs absent). Opt-in, default-off (INCREMENTAL-PIPELINE-1).

Changed

  • Parallel infrastructure tests — CI test-infra runs with pytest-xdist -n auto (~892s → ~585s per leg); suite verified parallel-safe.
  • 🧬 Dynamic CI project matrixtest-project derives its matrix from infrastructure.project.public_scope via fromJSON (detect-projects job), so adding/retiring a templates/ exemplar no longer edits the matrix literal (CI-MATRIX-DYNAMIC-1).
  • 🔇 Quieter terminal logging — console handler floors at INFO (no DEBUG/spinner chrome on stdout) while the file handler retains timestamped DEBUG; per-file render internals demoted to DEBUG; default -v dropped from pytest addopts (LOG-CLEAN-1).
  • 🧱 Consolidated safe markdown readerinfrastructure/validation/docs/_io.py hosts read_markdown; doc linters route their read-and-skip sites through it (READFILE-SAFE-1).
  • 📚 Documentation accuracy passes — deep audit + fixes across docs/ and every infrastructure/*/{SKILL,README,AGENTS}.md, correcting examples that cited methods/params/CLI flags/test paths that no longer exist; new deterministic infra is wired into the docs/prompts workflows.

[3.2.0] — 2026-06-04

Added

  • 🧭 Agentic-use workflow routing — Added template-agentic-use as a first-party workflow for skill discovery, local routing, agent onboarding, contract/eval checks, and external-skill review without vendoring companion skills into the public repository.
  • 🧪 Skill eval coverage — Extended the trigger eval set, eval harness configuration, mode registry, generated skill index, and editor skill manifest so requests such as "make template more agentic", "find relevant skills", and "improve agent routing" route through the new workflow.
  • 🔍 Public documentation audit — Added advisory RedTeam-style helpers and a CLI for inventorying public Markdown, volatile project roster/count claims, verifier claims without nearby negative controls, and Python symbol docstring coverage across public CI source paths.
  • 🧠 Decision-memory contract — Added a repository rule for WHY comments, ADRs, local agent memory, failure autopsies, selective ignorance, and negative controls, plus consistency checks that require key workflow docs and public exemplar AGENTS files to link back to that contract.
  • 📚 Active Inference scholarship traceability — Added a source-backed scholarship matrix builder, scholarship track registration, manuscript scholarship sections, figure wiring, references, and tests for the template_active_inference exemplar.

Changed

  • 🧱 Agent-facing docs — Refreshed AGENTS/README guidance across root, docs, scripts, tests, infrastructure validation, public exemplars, and prompt workflows so agents can locate rules, public-scope boundaries, and decision-memory expectations without relying on stale path lore.
  • 🚀 Rendering and validation plumbing — Tightened rendering pipeline behavior, documentation lint integration, accuracy checks, link extraction, and Active Inference output-check/gate surfaces to keep generated claims connected to source contracts.
  • 🧾 Release metadata — Bumped the repository package and citation metadata to 3.2.0.

Fixed

  • 🔐 Public-scope drift risk — Added explicit audit paths for hard-coded public exemplar rosters/counts and for verifier prose that claims enforcement without naming a known-wrong fixture or negative-control path.
  • 🧰 Agent memory ergonomics — Expanded core agent-memory tests and docs so local-only memory remains useful for agents while staying out of committed public repository state.
  • Scholarship/manuscript consistency — Connected Active Inference scholarship references, manuscript sections, sheaf track metadata, claim ledger entries, visualizations, and tests so literature anchors are checked as part of the exemplar's public source surface.

[3.1.0] — 2026-05-30

Added

  • SIA public exemplar — Added projects/templates/template_sia/ plus infrastructure.sia, project contracts, tests, docs, generated module guide, and CLI validation for the mini_classify task.
  • Active Inference semantic sheaf hardening — Added semantic gluing, dependency-graph, evidence-crosswalk, policy-comparison, graph-world, and animation coverage so the exemplar now carries machine-checkable manuscript and output contracts beyond static prose.
  • Folder-doc and stale-path guardrails — Extended documentation consistency checks so public exemplar docs, generated facts, and folder-level AGENTS.md/README.md pairs are checked across all six public templates.
  • Interactive simulation dashboard groundwork — Kept the project-agnostic dashboard and invariant infrastructure in the release train, including plaintext-validatable dashboard artefacts and real-data tests.

Changed

  • Public project signposting — Migrated long-lived documentation, generated indexes, workflow docs, archived audit notes, and skill-eval fixtures from stale projects/template_* paths to canonical projects/templates/template_* paths.
  • Generated facts and skills — Refreshed docs/_generated/active_projects.md, COUNTS.md, publication_records.md, the architecture overview, API reference, skill manifest, and skill index from live repository state.
  • Release metadata — Bumped the repository package and citation metadata to 3.1.0.
  • Entry-point docs — Tightened README.md, CLAUDE.md, AGENTS.md, .github/README.md, and workflow docs around public scope, pipeline stages, coverage gates, release behavior, and private-project boundaries.

Fixed

  • Multi-project coverage corruption — Project pytest subprocesses now pin coverage to the workspace version before appending into .coverage.project, preventing mixed project virtualenvs from corrupting the shared SQLite trace.
  • Documentation lint blind spots — Unqualified public exemplar links are no longer suppressed as intentionally local, and ghost-path checks now treat projects/template_* as stale public paths.
  • Public source gates — Narrowed broad exception handling and fixed type issues in the code and Active Inference exemplars so Ruff and mypy remain clean across public source paths.
  • Generated output stability — Normalized PNG writes atomically and made simulation logging recreate missing parent directories after fresh-output cleanup.

[0.7.2] — 2026-05-05

CI / GitHub

  • pip-audit (blocking): CI parses .github/pip-audit-ignore.txt into --ignore-vuln flags, retries up to three times on failure, and fails the job on remaining findings. Root tool.uv.override-dependencies adds pip>=26.1.1 so the lock does not pin a vulnerable pip pulled in via pip-auditpip-api.
  • Bandit: CI invokes bandit -c bandit.yaml over the same configured roots as before (infrastructure/, scripts/, optional projects/ tree per workflow excludes). bandit-quick pre-push hook matches that scope.
  • Manual CI dispatch: Removed unused workflow_dispatch.inputs.project from ci.yml.
  • Release workflow: Set generate_release_notes: false so the git-log body_path is not duplicated by GitHub auto-notes.
  • Dependency bumps (security): black, cryptography, pillow, pygments, pypdf, pytest, requests, werkzeug refreshed in uv.lock to satisfy pip-audit.
  • Docs: .github/AGENTS.md, .github/README.md, .github/workflows/{AGENTS,README}.md, stale-issue parity (do-not-close on issues), PR template CI parity, issue-template fork note.

🧹 Wave-3 backlog: 6 items closed (m1–m3 minor, MED1–MED3 medium)

All forward-looking items in the v0.7.0 TO-DO are now shipped. Every gate in the "Live state snapshot" table of TO-DO.md is green via uv run python -m infrastructure.core.health.

Minor

  • m1 — Telemetry retention. New infrastructure/core/telemetry/retention.py (rotate(reports_dir, keep=…)); collector wires through TELEMETRY_KEEP env var (default 10). Older telemetry.json files archive into <reports_dir>/.history/telemetry-<unix_ts>.json deterministically. 10 real-data tests.
  • m2 — Steganography deterministic mode. New infrastructure.steganography.config.resolve_build_timestamp(...) honors STEGANOGRAPHY_DETERMINISTIC=1 (or secure_run.sh --deterministic) → reads git log -1 --format=%cI for the build timestamp, falls back to wall-clock with a warning. Wired through metadata, overlays, barcodes, hashing, encryption. Two consecutive secure_run.sh invocations now produce byte-identical output PDFs (verified end-to-end). 8 real-data tests.
  • m3 — Config schema-extension hook (per workspace root). New register_project_schema_extension(project_name, schema), get_project_schema_extensions(project_name), clear_project_schema_extensions() in infrastructure/core/config/schema.py. Validator hook in loader.py infers the workspace segment from the config path (or accepts explicit project_name=). 12 real-data tests.

Medium

  • MED1 — Multi-project parallel execution. New infrastructure/core/pipeline/multi_project_parallel.py exposes run_projects_in_parallel(...). CLI flags --parallel and --max-workers=N added to scripts/runner/execute_multi_project.py (default remains serial — backwards compatible). Per-worker stdout/stderr is redirected via os.dup2 into each workspace's …/output/logs/pipeline.log under the configured projects root (no parent-process interleaving). Observed wall-time improvement in fixture runs: serial vs parallel with multiple workers (~2–3× in synthetic multi-workspace tests). 8 tests.
  • MED2 — Unified health command. New infrastructure/core/health.py with GateResult, HealthReport, run_health_checks(...), and python -m infrastructure.core.health CLI. Runs 10 gates (mypy, ruff, ruff-format, bandit, no-mocks, all-exports, docs-lint, stage-table, api-reference, architecture-overview) and prints a colored status table. --json emits machine-readable output. New informational health CI job uploads health-report.json as an artefact. 14 tests.
  • MED3 — Coverage trend dashboard. New infrastructure/reporting/coverage_history.py with parse_coverage_xml, collect_history_from_dir, collect_history_via_gh, build_history_markdown. Driver: scripts/docgen/coverage_history.py (offline --from-dir and online --from-gh modes). Generated docs/_generated/coverage_history.md includes a 30-day rolling table + ASCII sparkline. CI uploads coverage-history artefact. 15 tests using defusedxml.

Quality gates (v0.7.1, all enforced — uv run python -m infrastructure.core.health)

Gate Status
mypy --strict infrastructure/ ✅ 0 errors / 327 files
ruff check ✅ clean
ruff format --check ✅ 325 already formatted
bandit -ll -c bandit.yaml ✅ 0 HIGH / 0 MEDIUM / 0 LOW
verify_no_mocks.py ✅ no mocks
infrastructure.skills check_all_exports ✅ 0 violations
scripts/audit/lint_docs.py ✅ mermaid + links + consistency
Stage-table + API-reference + architecture generators ✅ idempotent
uv run pytest tests/infra_tests/ (no LLM, no bench) ✅ all pass

[0.7.0] — 2026-05-04

🧹 Reconciliation cycle: 14 backlog items closed (M1–M7 + MED1–MED7)

This cycle reconciles the live repo state with the gates the v3.0.0 row had previously claimed but not actually shipped. Every claim in the "Live state snapshot" table of TO-DO.md is verifiable from a single command (linked in that table).

Foundation (closed inline)

  • M1 — mypy --strict __all__ re-export fix. Added explicit __all__ to infrastructure/core/exceptions.py, infrastructure/core/runtime/environment.py, infrastructure/rendering/latex_package_validator.py. Typed missing generic in infrastructure/rendering/_pdf_pandoc_engine.py. Result: mypy --strict infrastructure/0 errors / 323 files.
  • M2 — pip-audit blocking gate. Removed continue-on-error: true from the security job's pip-audit step in .github/workflows/ci.yml. Added per-CVE allow-list at .github/pip-audit-ignore.txt (empty by default). Documented in .github/AGENTS.md.
  • M3 — Bandit MEDIUMs closed. xml.etree.ElementTreedefusedxml.ElementTree in infrastructure/search/literature/{backends,fulltext}.py; # nosec B615 with rationale on the HF fixture script. Result: bandit -llHIGH 0 · MEDIUM 0 · LOW 0 (with bandit.yaml).

Wave 2 (parallel agents)

  • M4 — Bandit LOW triage. Repo-wide allow-list in bandit.yaml with per-test-ID justifications. Both MEDIUM+ and strict-LOW CI passes invoke -c bandit.yaml. No genuine code fixes were necessary; every flagged pattern is either a research-context norm (B311, B404, B607) or a typed-only re-export (B405).
  • M5 — Pre-push parity. New hooks bandit-quick, skills-check, bandit-low (manual), all-exports-check in .pre-commit-config.yaml mirror CI gates locally.
  • M6 — Architecture overview generator. New infrastructure/documentation/architecture_overview.py + scripts/docgen/architecture_overview.py produce docs/_generated/architecture_overview.{mmd,svg} from live infra and workspace-root discovery (layout only; no workspace contents).
  • M7 — Roadmap freshness. Re-baselined docs/development/coverage-gaps.md and docs/development/roadmap.md; date-stamped audit reports; docs/audit/archived/ scaffold added.
  • MED1 — Stage-table single source of truth. New infrastructure/documentation/stage_table.py + scripts/docgen/stage_table.py inject a deterministic Markdown table from infrastructure/core/pipeline/pipeline.yaml into 5 docs via <!-- BEGIN:STAGE_TABLE --> … <!-- END:STAGE_TABLE --> markers.
  • MED2 — Workspace setup-hook polish. Optional setup_hook.yaml manifest (required tools / env vars / timeout / skip_if_env); PROJECT_SETUP_HOOK_DRY_RUN=1 mode; preflight-before-invoke; Windows portability documented.
  • MED3 — Per-workspace pytest driver. New infrastructure/core/test_runner.py lifts the open-coded shell loop over discovered test directories out of .github/workflows/ci.yml#test-project into a tested infrastructure function. CI workflow now calls scripts/pipeline/stage_01_test.py --project-only --all-projects.
  • MED4 — Documentation linter. New infrastructure/validation/docs/{mermaid_lint,cross_link_lint,consistency_lint}.py
    • scripts/audit/lint_docs.py + new docs-lint CI job. Detects parallelogram-syntax abuse, broken cross-links (with inline-code spans correctly excluded), and stale "N Python packages" claims.
  • MED5 — __all__ audit. New infrastructure/skills/check_all_exports.py (AST-based) flags any module that re-exports without an explicit __all__. 13 modules got new __all__ lists. CI gate + pre-push hook.
  • MED6 — Bench harness. Opt-in tests/infra_tests/bench/ (-m bench) measures find_setup_hook (~6 µs), no-op run_project_setup_hook (~10 µs), trivial-subprocess hook (~21 ms), and run_analysis_pipeline at N=1/5/25 (~30/150/737 ms). Informational CI step + bench-results.json artefact upload.
  • MED7 — API-reference auto-generation. New infrastructure/documentation/api_reference_gen.py + scripts/docgen/api_reference.py walk every __all__ and inject a generated symbol catalogue into docs/reference/api-reference.md. CI --check gate.

Restored architecture

  • infrastructure/core/analysis_pipeline.py (Stage-02 runner) was silently overwritten during parallel edits; restored, plus its 7-test no-mocks suite, plus re-thinned scripts/pipeline/stage_02_analysis.py.

Quality gates (v0.7.0, all enforced)

Gate Status
ruff check (E501 included) ✅ enforced
ruff format --check ✅ enforced
mypy --strict infrastructure/ ✅ 0 errors / 323 files
bandit -ll -c bandit.yaml ✅ 0 HIGH / 0 MEDIUM / 0 LOW
pip-audit ✅ blocking
infrastructure.skills.check_all_exports ✅ 0 violations
scripts/audit/lint_docs.py ✅ 0 issues across mermaid + links + consistency
Stage-table & API-reference generators ✅ idempotent
uv run pytest tests/infra_tests/ (no LLM, no bench) ✅ 5347 passed

[0.6.0] — 2026-03-10

🧹 Code Health: Desloppify Campaign (161 commits)

The largest code-quality improvement cycle since the template's inception. All infrastructure/ packages and repository-level scripts were subjected to systematic blind review and remediation across 26 review rounds, eliminating AI-generated debt, convention outliers, and structural issues; tracked exemplar layouts were aligned where they share code with Layer 1.

Fixes

  • Import hygiene: Removed unused imports across 8+ files; separated TYPE_CHECKING guarded imports from runtime imports; eliminated sys.path mutations from CLI modules
  • Exception handling: Narrowed broad except Exception / bare except clauses throughout integrity.py, logging_utils, config_loader, and llm modules; fixed silent JSONDecodeError swallowing; restored exception context with raise ... from exc
  • Dead code removal: Deleted orphaned coverage_reporter.py (zero importers); removed stub/passthrough wrapper methods across 10+ modules; eliminated dead HTML-entities dict from InputSanitizer
  • Type annotations: Modernised legacy typing imports (List[x]list[x], Optional[x]x | None) across 30+ modules; added TypedDict returns for integrity results; annotated CLI re-exports
  • API surface: Consolidated OllamaClientConfig env-read wrappers (ABS-001); merged duplicate PerformanceMetrics naming conflict; removed ProjectLogger pure-forwarder abstraction; eliminated calculate_file_hash re-export from publishing boundary
  • Bug fixes: Fixed inverted scan_errors bool in doc scanner; fixed stall-detection dead branch in pipeline reporter; fixed config_files path bug in config_cli; fixed clean_output_directory return type; fixed broken accessor imports after core.py hub elimination
  • Structural: Eliminated infrastructure/core/core.py hub (delegated validate_markdown_cli to canonical location); extracted _build_stage_list to remove stage-list duplication; moved MultiProjectResult to TYPE_CHECKING to break reporting→core circular dep
  • Logging: Removed nosy debug logs from LLM and environment modules; downgraded verbose entry logs; added get_logger to logic modules lacking structured logging
  • docstrings: Stripped AI-generated boilerplate docstring bloat from 40+ functions; removed restating comments; cleaned banner comments
  • Tests: Fixed test name collisions; added deterministic tests for validate_review_quality and exception types; added integration tests to testpaths; removed orphan test files
  • Dependencies: Removed scipy from infrastructure env check; resolved stale findings in psutil guards; moved matplotlib to optional dep group

Quality Gates (v0.6.0)

Gate Status
Desloppify blind reviews 26 rounds completed
Commits 161
Files changed 948
ruff check ✅ Enforced
mypy --strict ✅ 0 errors
bandit -ll ✅ 0 MEDIUM+ findings
pytest ✅ All pass

[3.0.0] — 2026-02-22

🎉 Production/Stable Release

Promoted from Beta to Production/Stable after completing comprehensive quality gates across all 8 infrastructure packages (126 source files).

Added (v3.0.0)

  • v2.12.0 — Ruff Format Enforcement: Auto-formatted 280 files; ruff format --check blocking CI gate
  • v2.13.0 — mypy Strict Enforcement: 140→0 errors in validation/ (22 files) + rendering/ (12 files); disallow_untyped_defs = true overrides
  • v2.14.0 — Security Hardening: 7→0 MEDIUM Bandit findings (CWE-400, CWE-502, CWE-377); pip-audit blocking CI gate; Bandit -ll threshold
  • v2.15.0 — CI & Container Modernization: Dockerfile python:3.12 + uv; mypy pre-commit hook; docker-compose healthchecks
  • v2.16.0 — E501 Line Length Enforcement: E501 removed from ruff ignore list; 342 code-line + 36 docstring per-file-ignores
  • v3.0.0 — Major Version Bump: mypy strict for all 8 infrastructure packages (126 files, 0 errors); version 3.0.0; Production/Stable classifier

Changed (v3.0.0)

  • pyproject.toml version: 2.0.03.0.0
  • Classifier: Development Status :: 4 - BetaDevelopment Status :: 5 - Production/Stable
  • Dockerfile: python:3.11-slim + pippython:3.12-slim + uv
  • docker-compose.yml: Removed deprecated version key; added Ollama healthcheck
  • .pre-commit-config.yaml: Added mypy hook; ruff v0.8.4v0.9.7; pre-commit-hooks v4.6.0v5.0.0
  • ci.yml: pip-audit now blocking; Bandit scans infrastructure/, scripts/, and (when present) the configured projects/ roots at MEDIUM+

Quality Gates (v3.0.0, all enforced in CI)

Gate Status
ruff check Enforced (E501 included)
ruff format --check Enforced
mypy --strict (validation, rendering) Enforced
mypy (all 8 packages) 0 errors
bandit -ll 0 MEDIUM+ findings
pip-audit Blocking gate
pytest (infra suite; workspace suites per CI matrix) All pass

[2.0.0] — 2026-02-18

Added (v2.0.0)

  • Two-layer layout (shared infrastructure + optional per-workspace trees)
  • Build pipeline with thin orchestrator pattern
  • Program-aware discovery of workspace roots under the configured projects/ layout
  • Executive reporting dashboard (multi-workspace orchestration)
  • Standalone workspace lifecycle pattern (promote / archive) for local trees