Skip to content

Harden release schema bindings#24

Merged
GsCommand merged 1 commit into
mainfrom
codex/conduct-release-hardening-pass
Mar 21, 2026
Merged

Harden release schema bindings#24
GsCommand merged 1 commit into
mainfrom
codex/conduct-release-hardening-pass

Conversation

@GsCommand
Copy link
Copy Markdown
Contributor

@GsCommand GsCommand commented Mar 21, 2026

Motivation

  • Release-level validation was failing due to stale external schema source URLs that used the /refs/tags/v1.1.0/ raw-GitHub path form, blocking proof of external bindings during validate:release.
  • Publish-state surfaces and the legacy v1.0.0 dist-pin bundle needed auditing to ensure the repository did not overclaim publication or leave a broken release artifact.
  • Keep the existing v1.1.0 authority model and do not fabricate publication evidence while making the repo pin/tag-safe.

Description

  • Replaced stale raw GitHub source paths that used /refs/tags/v1.1.0/ with the correct tag-root form /v1.1.0/ across the canonical v1.1.0 agent cards and release metadata, including agents/v1.1.0/*, meta/manifest.json, meta/commons-agent.json, and meta/commercial-agent.json.
  • Updated the release-mode validator so scripts/validate-cards.mjs now expects the corrected raw-GitHub tag-root SOURCE_ROOTS pattern for both commons and commercial (keeps validator strict but aligned with repaired bindings).
  • Rebuilt the committed derivative publish bundle with node scripts/build-dist-pin.mjs and regenerated the repository/bundle checksum inventories with node scripts/generate-checksums.mjs so dist-pin/agent-cards/v1.1.0/ and checksums.txt match the repaired canonical artifacts.
  • Audited .well-known/*.json and meta/* publish-state fields and left them unchanged because they already use the conservative release_candidate_pending_validation value; left dist-pin/agent-cards/v1.0.0/ explicitly neutralized as archival-only.

Testing

  • Ran npm run validate and it completed successfully (local card/schema/manifest checks and checksums verification passed).
  • Ran node scripts/build-dist-pin.mjs and node scripts/generate-checksums.mjs to rebuild the derivative bundle and update checksums, and both commands succeeded.
  • Ran npm run validate:release and the repository-side validations (manifest alignment and bundle reproducibility) passed, while live external fetch checks to raw.githubusercontent.com could not be proven in this environment due to outbound CONNECT 403 proxy restrictions (network fetch step failed here); this is an environment network limitation, not a repo-side binding issue.
  • Confirmed there are no remaining in-repo occurrences of the old /refs/tags/v1.1.0/ pattern in the canonical files and validator (rg -n '/refs/tags/v1\.1\.0/' ... returned none).

Codex Task

@GsCommand GsCommand merged commit caaa846 into main Mar 21, 2026
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@GsCommand