Skip to content

Releases: jdutton/vibe-validate

Release v0.19.6

Choose a tag to compare

@github-actions github-actions released this 12 May 20:42
4289644

Fixed

  • vv pre-commit no longer blocks legitimate post-rebase commits. After git pull --rebase or a rebase against an updated base, your local branch is "diverged" from its tracking branch — both ahead and behind. The old check treated that state as "behind" and blocked the commit with an unhelpful error. pre-commit now distinguishes "purely behind" (legitimate stop — you're missing remote commits) from "diverged" (post-rebase shape — pass with an informational notice), and short-circuits the sync check entirely during a mid-flight rebase, mirroring the existing mid-merge handling. (#160)

  • vibe-validate works under pnpm strict isolation. The umbrella package's bin wrappers (vibe-validate, vv) used a hardcoded relative path to locate @vibe-validate/cli, which only resolves under flat-hoisted node_modules (npm classic, bun, yarn classic). Under pnpm's default strict isolation (node-linker=isolated), @vibe-validate/cli is a sibling of vibe-validate inside .pnpm/<id>/node_modules/ rather than nested, so every CLI command crashed with ERR_MODULE_NOT_FOUND. The wrappers now resolve the CLI via Node's module algorithm (createRequire), which works under every layout: npm flat, pnpm isolated, yarn berry PnP, and bun. (#161)

Release v0.19.5

Choose a tag to compare

@github-actions github-actions released this 12 May 12:14
ca60d5d

Added

  • Nested vv run pass-through — When a package.json script wraps a tool with vibe-validate run and is invoked from vibe-validate validate, the inner vv run now switches automatically to pass-through mode: it inherits the parent's stdio, propagates the exit code, and skips its own capture/extract/cache. The outer captures the real underlying tool's output (vitest, eslint, etc.) instead of an inner YAML summary, so error extraction runs on actual data and vv watch-pr can recover failures from CI logs. A depth cap of 3 fails loudly on recursive misconfiguration. Signaled via the new VV_PARENT_CONTEXT environment variable, set automatically by the parent.
  • vv doctor nested-invocation reporting — Doctor now reports Running inside parent vibe-validate (runId=…, depth=N, step="…") when invoked under a parent vv process, and fails loudly when VV_PARENT_CONTEXT is set but malformed.

Changed

  • generate-workflow — Generated workflows now use pnpm/action-setup@v5 (upgraded from v2). Existing users should re-run vv generate-workflow to pick up the new version and silence Node.js 20 deprecation warnings in CI.
  • Per-step env: is now actually applied to step subprocesses. The field was declared in the ValidationStep schema but silently dropped at execution time. Per-step env: takes precedence over config-level env:. (#157)

Fixed

  • Prevent silent corruption of the parent repository when validation steps shell out to git. (#157)

    When vv runs as a git pre-commit hook, git sets GIT_DIR, GIT_INDEX_FILE, GIT_WORK_TREE, and related vars on the hook process. These vars were inherited by every subprocess vv spawned, including multi-process step chains like npm run test → vitest → fork(worker). Inside those subprocesses, GIT_* vars override the cwd passed to git — so a validation step (typically a test) that creates a temp git repo with mkdtempSync + cwd: <tmpdir> and runs git init / git commit / git config would silently operate on the parent repository's .git/index and branch refs instead.

    vv now strips a focused blacklist of dangerous GIT_* env vars at two layers: (1) the runner adapter strips them when snapshotting process.env into the runner config, and (2) spawnCommand strips them from the final merged spawn env (parent ∪ caller-provided), so no caller can accidentally re-inject one via options.env. Together this guarantees no dangerous GIT_* reaches a step subprocess or anything it spawns. Everything else GIT_* (identity, editor, SSH/credentials, tracing, pager) is inherited normally.

    Stripped: GIT_DIR, GIT_INDEX_FILE, GIT_WORK_TREE, GIT_COMMON_DIR, GIT_OBJECT_DIRECTORY, GIT_ALTERNATE_OBJECT_DIRECTORIES, GIT_NAMESPACE, GIT_CEILING_DIRECTORIES, GIT_DISCOVERY_ACROSS_FILESYSTEM, GIT_CONFIG, GIT_CONFIG_GLOBAL, GIT_CONFIG_SYSTEM, GIT_CONFIG_NOSYSTEM, GIT_CONFIG_COUNT, all numbered GIT_CONFIG_KEY_* / GIT_CONFIG_VALUE_*, GIT_NOTES_REF, GIT_SHALLOW_FILE, GIT_GRAFT_FILE.

    This is not a regression — the risk has existed since vv first supported the pre-commit-hook workflow. This release closes the gap.

    Who was at risk: any repository where (1) vv runs as a git pre-commit hook, AND (2) a validation step shells out to git against a temp directory (commonly tests for tooling that itself wraps git — release orchestrators, scaffolders, plugin generators). The vast majority of validation steps (lint, typecheck, build, unit tests that don't touch git) were unaffected.

    Failure mode if hit: branch refs in the parent worktree get rewritten to test commits, .git/config may get test author identity written to it, and the user's real commits survive only in the reflog. The corruption is silent — no error is raised.

    See docs/skills/vibe-validate/git-hook-safety.md for details and the per-step opt-back-in mechanism.

Release v0.19.4

Choose a tag to compare

@github-actions github-actions released this 22 Apr 01:05
2a3f649

Changed

  • Claude Code skill — Split the monolithic vibe-validate skill into a thin router plus seven intent-scoped sub-skills (vv-validate-dev-loop, setting-up-projects, caching-and-locking, recovering-work, authoring-extractors, vv-watch-pr, integrating-agents). Adopters get more focused guidance and smaller context loads; the plugin now follows the VAT 0.1.33 router pattern.
  • generate-workflow — Generated workflows now use actions/checkout@v6 and actions/setup-node@v6 (upgraded from v4). Existing users should re-run vv generate-workflow to pick up the new versions.
  • vibe-agent-toolkit dependency — Bumped to ^0.1.33 (stable).

Fixed

  • Code duplication check on Windowspnpm duplication-check now runs on Windows instead of silently skipping. Fixed a path-handling bug in @jscpd/finder via a pnpm patch and normalized path separators in baseline comparison.
  • Windows Node 24+ compatibility (@vibe-validate/utils)safeExecSync / safeExecResult now build a single shell-quoted command string when invoking .cmd / .bat / .ps1 wrappers, instead of passing args as a separate array with shell: true. Silences Node.js DEP0190 deprecation warnings on Windows CI and future-proofs against the eventual hard error.
  • watch-pr --fail-fast — Now exits on first failure extraction instead of waiting for all failures, matching the documented "exit immediately" behavior.

Release v0.19.3

Choose a tag to compare

@github-actions github-actions released this 11 Apr 15:56
175dbbd

Fixed

  • Claude marketplace CI — Stable releases now update both claude-marketplace and claude-marketplace-next branches, matching npm's @latest/@next tag behavior

Changed

  • README — Added Claude Code plugin install instructions (marketplace, /plugin slash command, project-scope)

Release v0.19.2

Choose a tag to compare

@github-actions github-actions released this 11 Apr 12:06
d61dceb

Added

  • Claude marketplace distribution — Users can now install the vibe-validate skill directly from GitHub via claude plugin marketplace add jdutton/vibe-validate#claude-marketplace, no npm account required. Pre-release channel available via claude-marketplace-next branch.

Release v0.19.1

Choose a tag to compare

@github-actions github-actions released this 02 Apr 03:17

Added

  • ci.registryUrl config — Set registry-url on actions/setup-node for GitHub Packages authentication in generated workflows
  • ci.env config — Add workflow-level environment variables (e.g., NODE_AUTH_TOKEN) to generated workflows
  • ci.permissions config — Add GitHub Actions permissions: block to generated workflows for scoped token access
  • ci.concurrency config — Add concurrency: block to cancel in-progress CI runs on new pushes
  • ci.setupSteps config — Inject custom GitHub Actions steps (e.g., actions/setup-dotnet, Chrome install) after checkout in generated workflows
  • runScope step property — Set runScope: ci or runScope: local on validation steps to control where they run. CI-only steps are skipped locally (shown as "skipped"), local-only steps are skipped in CI.

Changed

  • Skill distribution migrated to vibe-agent-toolkit plugin system — Skills now install as Claude Code plugins via ~/.claude/plugins/ instead of flat files at ~/.claude/skills/. Upgrading from older versions automatically cleans up the legacy flat-skill install.

Fixed

  • generate-workflow hardeningci.permissions and ci.env are now applied to the validate and coverage jobs instead of at workflow level, so the all-validation-passed gate job no longer inherits unnecessary access (resolves SonarQube workflow-level permissions flag). contents: read is auto-injected when ci.permissions is set, since job-level permissions replace all defaults and actions/checkout always needs it. Also fixed check script indentation and build step auto-detection (no longer matches on step name substring — checks package.json for a build script instead).
  • watch-pr crashes on repos with non-main default branchfetchFileChanges hardcoded origin/main for git diff, causing failures on repos using master, develop, or other base branches. Now uses the PR's actual base branch from GitHub metadata.

Release v0.19.0

Choose a tag to compare

@github-actions github-actions released this 05 Mar 02:13

Breaking Changes

  • CI workflow generation now uses a single validate job. Run npx vibe-validate generate-workflow to regenerate your workflow file. The useMatrix option has been removed.
  • Cached failures are now returned instantly. vv validate returns the last cached result for the current tree hash, even if it failed — no more redundant re-runs. Use --force to bypass cache when needed.
  • TreeHashResult structure simplified for projects with submodules. Projects without submodules are unaffected. See Migration Guide below.

Added

  • --retry-failed flag — Re-runs only failed validation steps while preserving passed results from cache. Detects and reports flaky tests when retried steps pass. Usage: vv validate --retry-failed
  • Dependency lock check — Verifies lock files are in sync before validation to prevent cache poisoning. Auto-detects your package manager (npm, pnpm, yarn, bun). Configure via ci.dependencyLockCheck.runOn.
  • watch-pr improvements:
    • Errors extracted and displayed immediately as CI checks fail (no waiting for final output)
    • Log files saved with paths included in YAML output for easy follow-up
  • VV_TEMP_DIR environment variable — Override the default temp directory for project-local storage, CI builds, or network storage
  • Flakiness detection — Warns when the same code produces different validation outcomes across runs

Performance

  • 19x faster pre-commit secret scanning — secretlint now scans only staged files (15s → 0.8s). Zero configuration required.
  • 10x faster ESLint — Caching enabled automatically (18s → 1.8s on warm runs)
  • Instant cached validation — History health checks and git notes listing optimized from hundreds of subprocess calls to single batch operations
  • Flattened temp directory structure — Reduces permission prompts in AI coding assistants to one approval per day

Changed

  • Cache messaging improved — Results displayed authoritatively ("Validation failed for this code") instead of defensive language ("Cached result: ...") that caused AI assistants to doubt cache validity
  • watch-pr default timeout reduced from 30 minutes to 10 minutes. Override with --timeout.
  • watch-pr output optimized — Stripped internal metadata to reduce token usage (~30-50 tokens saved per failed check)

Fixed

  • Validation now always runs from project root, regardless of which subdirectory you invoke vv validate from
  • Git submodule cache invalidation — Changes in submodule working trees now correctly invalidate the cache
  • Git notes storage fixed for submodules — Notes now store structured data instead of composite hashes that were incompatible with Git's SHA-1 object references
  • Validation history recording — Fixed bug where vv validate --force on the same tree hash would silently fail to record history
  • watch-pr --fail-fast now waits for error extraction to complete before exiting

Migration Guide

Projects with submodules:

  • Cache entries from v0.18.x are incompatible — first validation after upgrade will be a fresh run
  • Subsequent runs use the new cache format automatically

Projects without submodules:

  • Fully backward compatible, no action required

v0.18.4

Choose a tag to compare

@jdutton jdutton released this 31 Jan 15:31
069b280

Bug Fixes

  • Fixed validation locking race condition in pre-commit (Issue #110)
    • Migrated to proper-lockfile for 99.9% reliable locking
    • Prevents concurrent validation runs from interfering
    • Fixed worktree corruption in git integration tests
  • Windows compatibility: removed Unix-specific find command (PR #108)
    • Build commands now work cross-platform
  • Shift-left CHANGELOG validation to prevent publish failures
    • Added Check 11 to pre-publish-check: validates CHANGELOG.md has entry for current version
    • Prevents npm publish success followed by GitHub Release failure
    • Skips check in development mode (--skip-git-checks) for workflow flexibility

Internal

  • Turborepo integration for 79x faster cached builds (PR #108)
    • Cold build: 5.3s → Cached build: 67ms (79x speedup)
    • Intelligent content-based caching with parallel execution
    • Clean architecture: vibe-validate → turbo → tool
    • Error extraction works automatically through Turbo output
    • See docs/comparisons/turborepo.md for detailed comparison
  • Refactored dev tools to symmetric monorepo structure (PR #112)
    • Moved tools/ to packages/dev-tools/ for consistency with other packages
    • Enhanced pre-publish-check with 11 validation checks (up from 10)
    • Added --skip-git-checks flag to prevent circular dependencies
  • Reduced code duplication by 70% (4.73% → 0.86%)
  • Added comprehensive ESLint rules for code quality (custom rules for security and architecture enforcement)

Release v0.18.3

Choose a tag to compare

@github-actions github-actions released this 05 Jan 05:50
12a5610

Bug Fixes

  • CRITICAL: Fixed history recording failure due to YAML/JSON format mismatch (Issue #106, PR #107)
    • Problem: History recording failed silently when validating the same code twice, losing all previous runs
    • Root cause: mergeNotes() used JSON.parse/stringify but notes are written as YAML
    • Impact: Affected v0.18.1 and v0.18.2-rc.1 (Dec 28 - Jan 5)
    • Fix: Replace JSON operations with YAML operations in git notes merge logic
    • Testing: Added regression test "should merge YAML-formatted notes correctly"
    • Users can now validate the same code multiple times without losing history

Release v0.18.2

Choose a tag to compare

@github-actions github-actions released this 04 Jan 19:36

Bug Fixes

  • Complete atomic safety for concurrent worktrees (Issue #103, PR #105)
    • Implemented true atomic compare-and-swap (CAS) operations for git notes merge
    • Eliminates race condition from PR #104's optimistic locking approach
    • Uses git plumbing commands (hash-object, ls-tree, mktree, commit-tree, update-ref)
    • Guarantees zero data loss under any concurrency level
    • 7 git commands per conflict vs 3 (acceptable trade-off for 100% safety)