No repo is "done" until every applicable line is checked. Copy this into your repo root. Check items off per-release.
Tags: [all] every repo · [npm] [pypi] [vsix] [desktop] [container] published artifacts · [mcp] MCP servers · [cli] CLI tools
-
[all]SECURITY.md exists (report email, supported versions, response timeline) (2026-02-27) -
[all]README includes threat model paragraph (data touched, data NOT touched, permissions required) (2026-02-27) -
[all]No secrets, tokens, or credentials in source or diagnostics output (2026-02-27) -
[all]No telemetry by default — state it explicitly even if obvious (2026-02-27)
-
[cli|mcp|desktop]SKIP: no dangerous actions (kill/delete/restart) — trains models and exports files -
[cli|mcp|desktop]File operations constrained to known directories (2026-02-27) — safe_path() with traversal protection -
[mcp]SKIP: not an MCP server -
[mcp]SKIP: not an MCP server
-
[all]Errors follow the Structured Error Shape:code,message,hint,cause?,retryable?(2026-02-27) — exception hierarchy with message/details/suggestion -
[cli]Exit codes: 0 ok · 1 user error · 2 runtime error · 3 partial success (2026-02-27) -
[cli]No raw stack traces without--debug(2026-02-27) — only with --verbose -
[mcp]SKIP: not an MCP server -
[mcp]SKIP: not an MCP server -
[desktop]SKIP: not a desktop app -
[vscode]SKIP: not a VS Code extension
-
[all]README is current: what it does, install, usage, supported platforms + runtime versions (2026-02-27) -
[all]CHANGELOG.md (Keep a Changelog format) (2026-02-27) -
[all]LICENSE file present and repo states support status (2026-02-27) -
[cli]--helpoutput accurate for all commands and flags (2026-02-27) -
[cli|mcp|desktop]SKIP: --verbose flag exists; formal logging level tiers not applicable for a training library -
[mcp]SKIP: not an MCP server -
[complex]SKIP: not operationally complex
-
[all]verifyscript exists (test + build + smoke in one command) (2026-02-27) — verify.sh -
[all]Version in manifest matches git tag (2026-06-20) — 1.7.0 = v1.7.0 -
[all]Dependency scanning runs in CI (ecosystem-appropriate) (2026-02-27) — Bandit, pip-audit, Semgrep, Trivy (built-in secret scanner). TruffleHog removed v1.1.0 — see docs/ci-gates-triage-plan.md. -
[all]Automated dependency update mechanism exists (2026-02-27) — dependabot.yml monthly + groups -
[npm]PASS: @mcptoolshop/backpropagate@1.2.0 published with Sigstore provenance (2026-05-23). v1.3 retires the npm distribution path — the package remains published as a friendly-error shim redirecting operators to pipx / uv tool / pip perbin/backpropagate.js. -
[pypi]python_requiresset (2026-02-27) — >=3.10 -
[pypi]Clean wheel + sdist build (2026-02-27) — hatchling, twine check in CI -
[vsix]SKIP: not a VS Code extension -
[desktop]SKIP: not a desktop app
-
[all]Logo in README header (2026-02-27) -
[all]Translations (polyglot-mcp, 8 languages) (2026-02-27) -
[org]Landing page (@mcptoolshop/site-theme) (2026-02-27) -
[all]GitHub repo metadata: description, homepage, topics (2026-02-27)
Hard gate (A–D): Must pass before any version is tagged or published.
If a section doesn't apply, mark SKIP: with justification — don't leave it unchecked.
Soft gate (E): Should be done. Product ships without it, but isn't "whole."
Checking off:
- [x] `[all]` SECURITY.md exists (2026-02-27)
Skipping:
- [ ] `[pypi]` SKIP: not a Python project