Releases: RandomCodeSpace/snipIT

snipIT v0.1.1 — capture-flow correctness release

26 Apr 05:23
v0.1.1
7ca91eb

Capture-flow correctness release. No schema, workflow, or security changes from v0.1.0.

Fixed

  • Capture flow — exclude SnipIT's own widget / preview / tray windows from the capture target so they aren't baked into the frame (RAN-15). The v0.1.0 release notes listed this fix prematurely; the change actually ships in v0.1.1 (see RAN-68).

    • Adds Test-IsSelfWindowHandle / Resolve-WindowCaptureTarget pure helpers in the Core region (cross-platform unit-tested).
    • Maintains a $script:SelfWindowHandles registry; registers the console, hotkey form, floating widget, and preview window when they are created.
    • Adds IsWindowVisible / ShowWindow PInvoke + Hide-/Show-OwnSnipITWindowsForCapture helpers that hide every visible SnipIT-owned hwnd before CopyFromScreen and restore them via SW_SHOWNA after the snapshot. Wraps the snapshot in try/finally so a thrown exception still restores chrome.
    • Wires the helpers into Show-SmartOverlay, Invoke-FullScreenCapture, and Invoke-WindowCapture. Window capture now consults Resolve-WindowCaptureTarget and falls back to a full virtual-desktop capture (with chrome hidden) when the foreground window is SnipIT.
  • Full-screen and window capture — route Invoke-FullScreenCapture and Invoke-WindowCapture through Invoke-CaptureLoop with a per-iteration capture factory, so the preview owns / disposes each bitmap and the chrome-hide runs every snapshot. Fixes the use-after-dispose blank/crash on iteration 2+ of the same capture session (RAN-14).

Security

No security-relevant fixes in v0.1.1. The OSS-CLI security stack that landed in .github/workflows/security.yml (v0.1.0) is the gating channel for all future fixes; advisories will appear here under each release where they apply, alongside a GHSA link.

Documentation correction

The v0.1.0 GitHub Release body and signed tag annotation incorrectly listed the capture-flow exclusion as shipped under v0.1.0. The underlying commit (bc216cc) existed on the maintainer's local main but was never pushed before the v0.1.0 tag was cut. The v0.1.0 git tag annotation and Release body are immutable per OSPS evidence policy and have not been edited; the CHANGELOG.md [v0.1.0] entry now carries a Correction (2026-04-26) callout pointing readers at this release. v0.1.1 is the authoritative ship of the RAN-15 fix.
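
A release-gate check for the failure described above, where release notes cite a commit the tag does not contain. This is an added example, not code from the snipIT repository; the function names and the throwaway demo repository are constructed for illustration.

```shell
#!/bin/sh
# Added example (not snipIT code): list the commits cited in release notes
# that are NOT reachable from the release tag.
# usage: commits_missing_from_tag <repo-dir> <tag> <sha>...
commits_missing_from_tag() {
    cm_repo=$1; cm_tag=$2; shift 2
    cm_missing=0
    for cm_sha in "$@"; do
        # A commit that exists only on someone's local branch is an unknown
        # object here, so git fails and it is reported as missing as well.
        if ! git -C "$cm_repo" merge-base --is-ancestor "$cm_sha" "$cm_tag" 2>/dev/null; then
            printf '%s\n' "$cm_sha"
            cm_missing=1
        fi
    done
    return "$cm_missing"
}

# Constructed sample: a throwaway repository where the "fix" commit lands
# after v0.1.0 was tagged and is first contained in v0.1.1.
build_demo_repo() {
    demo_repo=$(mktemp -d)
    demo_git() {
        git -C "$demo_repo" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false -c tag.gpgsign=false "$@"
    }
    demo_git init -q
    demo_git commit -q --allow-empty -m "baseline"
    demo_git tag v0.1.0
    demo_git commit -q --allow-empty -m "capture-flow fix"
    demo_git tag v0.1.1
    printf '%s\n' "$demo_repo"
}

demo=$(build_demo_repo)
fix=$(git -C "$demo" rev-parse v0.1.1)
for tag in v0.1.0 v0.1.1; do
    if commits_missing_from_tag "$demo" "$tag" "$fix" >/dev/null; then
        echo "$tag: cited fix is in the tag"
    else
        echo "$tag: cited fix is NOT in the tag, block the release notes"
    fi
done
rm -rf "$demo"
```

Against a clone of the real repository, the equivalent call for the case in this correction is `commits_missing_from_tag . v0.1.0 bc216cc`, run before the release body is published.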

Tests

pwsh ./Test-SnipIT.ps1: 111 / 111 pass (15 RAN-15 capture-target unit tests + 7 RAN-14 capture-loop contract tests + 6 new structural call-site guards + the rest of the suite).

Provenance

  • Signed git tag (SSH, ed25519): v0.1.1
  • Tag points at merge commit 7ca91eb
  • Auto-merged via PR #9, tracked under RAN-68.

Full diff

v0.1.0...v0.1.1

snipIT v0.1.0 — initial signed release

26 Apr 05:03
v0.1.0
851bd3a

First tagged release. Establishes the OpenSSF Best Practices passing baseline + supporting documentation surface for snipIT.

Added

  • OpenSSF Best Practices passing baseline (RAN-54):
    • .github/workflows/scorecard.yml: ossf/scorecard-action on push to main + Mondays 06:00 UTC, SARIF → Security tab.
    • .github/workflows/security.yml — OSS-CLI security stack: Trivy filesystem scan, Semgrep (p/security-audit + p/owasp-top-ten), PSScriptAnalyzer (PowerShell language gate), Gitleaks full-history secret scan, jscpd duplication check, and SPDX + CycloneDX SBOM generation.
    • .github/dependabot.yml — weekly grouped GitHub Actions updates.
    • SECURITY.md — private vulnerability disclosure policy, supported versions, and scope.
    • .bestpractices.json — OpenSSF Best Practices self-assessment (project 12647).
    • CLAUDE.md — agent / contributor brief: build, test, run, conventions, OpenSSF Scorecard baseline + target.
    • shared/runbooks/engineering-standards.md — PowerShell variant of the company canonical engineering-standards runbook.
    • scripts/setup-git-signed.sh — one-shot signed-commit setup (SSH / OpenPGP / x509).
    • Branch protection on main — required signed commits, linear history, force-push and deletion blocked, eight required CI status checks.
    • Repo-level Dependabot security updates enabled.
  • Canonical-schema rewrite of .bestpractices.json so the bestpractices.dev autofill robot can pre-fill the criteria page on board flip (RAN-59).
  • CHANGELOG.md (this file) and docs/README.md index — addresses the release_notes and documentation_basics gaps surfaced by the bestpractices.dev autofill audit (RAN-64 / #5).
  • CONTRIBUTING.md at repo root — conventional contribution-process entry point: §Reporting (Issues + SECURITY.md), §Development workflow, §What every PR must pass (8-row CI gate matrix with local commands), §Coding standards delegating to shared/runbooks/engineering-standards.md (PR #7).

Changed

  • .github/workflows/test.yml — every action SHA-pinned (Scorecard Pinned-Dependencies); top-level permissions: read-all; PSScriptAnalyzer moved out into security.yml so the SAST/lint signals are co-located with the rest of the security stack.
  • README.md — OpenSSF Best Practices, OpenSSF Scorecard, and Security workflow badges added at the top of the badge row; Project files table linked to docs/, CHANGELOG.md, SECURITY.md.
  • .bestpractices.json — 5 SUGGESTED criteria flipped from ? to Met with concrete in-repo evidence (version_semver, version_tags, test_most, dynamic_analysis, dynamic_analysis_enable_assertions) (PR #6); 4 _url fields retargeted to conventional paths (README.md, CONTRIBUTING.md, SECURITY.md) so the bestpractices.dev autofill bot detects them (PR #7).

Fixed

  • Capture flow — exclude SnipIT's own widget / preview / tray windows from the capture target so they aren't baked into the frame (RAN-15).
  • Color-bar interaction — update the active swatch in-place instead of rebuilding the bar; close $pickColor over the swatch handler so the closure resolves correctly at click time.

Security

  • No security-relevant fixes shipped under v0.1.0. The OSS-CLI security stack that landed in .github/workflows/security.yml is the gating channel for all future fixes; advisories will appear in this section under each release where they apply, alongside a GHSA link.