docs: enforce release validation in CI; update README, CHANGELOG, SECURITY, ONBOARDING #22

Merged: GsCommand merged 1 commit into main from codex/implement-ci-and-documentation-fixes on Mar 20, 2026
@GsCommand
Contributor

Motivation

  • Ensure the main CI validation job explicitly runs release-scoped validation that enforces reproducibility and external schema resolution so the workflow fails when release checks cannot be satisfied.
  • Make the repository's treatment of the external x402:// protocol explicit and non-assertive, so readers know this repo interoperates with x402-related payment context but does not define x402 itself.
  • Provide factual release-grade documentation for the v1.1.0 transition and improve security/onboarding guidance for maintainers and contributors.

Description

  • Updated .github/workflows/validate.yml to explicitly name the release step as Validate release reproducibility and external bindings so CI runs npm run validate:release as an additional required step alongside current-line and checksum validation.
  • Tightened README.md wording to reference the external x402 protocol spec and to state this repository may interoperate with x402-related payment context but does not define x402.
  • Rewrote CHANGELOG.md with a factual, release-grade summary describing the transition from v1.0.0 to v1.1.0, what was removed, structural changes, legacy status, and migration implications.
  • Expanded SECURITY.md to add a concrete reporting address (security@commandlayer.org), an explicit disclosure process, target response times, and a clearer in-scope/out-of-scope definition tied to repository validation/release surfaces.
  • Updated ONBOARDING.md to mark scripts/archive/ as historical-only and to point contributors to the supported root scripts and package commands (npm run validate, npm run validate:release, npm run generate:dist-pin, node scripts/generate-checksums.mjs, and the current validators under scripts/).
  • No changes were made to schemas, examples, manifests, or release artifacts outside of documentation and CI step naming.

Testing

  • Ran npm run validate locally and it completed successfully (cards + checksums verification).
  • Ran npm run validate:release locally and it failed on external upstream schema URL resolution (fetch failed), which is the expected enforced failure mode for release validation when upstream tagged schema URLs or mirrors are unavailable and confirms CI will fail in that case.
  • node scripts/generate-checksums.mjs --verify (invoked by validate) succeeded and checksums.txt matches repository contents.

Codex Task

@GsCommand GsCommand merged commit 70ec76f into main Mar 20, 2026
1 of 2 checks passed