github Priivacy-ai/spec-kitty v3.2.0a1
on GitHub

pre-release3 hours ago

Added

  • Mutation testingmutmut 3.5.0 added to [project.optional-dependencies.test] and configured in [tool.mutmut] as a local-only quality gate. Includes a curated doctrine set: tactic:mutation-testing-workflow, styleguide:mutation-aware-test-design, and language-specific toolguides for Python (mutmut) and TypeScript (stryker), all anchored to DIRECTIVE_034 in the DRG graph. ADR 2026-04-20-1-mutation-testing-as-local-only-quality-gate.md records the decision, the sandbox constraints, and the two-marker exclusion taxonomy.
  • non_sandbox / flaky pytest markers — registered in pytest.ini and pyproject.toml[tool.pytest.ini_options].markers. Per-file --ignore= entries for sandbox-incompatible tests have been migrated to module-level pytestmark declarations; [tool.mutmut].pytest_add_cli_args now deselects via -m "not non_sandbox and not flaky ...". Directory-level ignores remain only where tests fail during pytest collection (import errors that markers cannot intercept). 1 test is currently marked flaky as debt to be root-caused.
  • docs/how-to/run-mutation-tests.md — Contributor how-to covering local mutmut run invocation, the kill-the-survivor workflow, equivalent-mutant suppression, and the non_sandbox / flaky marker taxonomy.
  • Charter synthesizer now has a real harness-owned operator path: the new generated-artifact adapter reads agent-authored YAML from .kittify/charter/generated/ and promotes validated doctrine into the live .kittify/doctrine/ tree.
  • spec-kitty charter resynthesize --list-topics now lists valid project-artifact selectors, DRG URNs, and interview-section selectors, including hyphenated aliases for section names.
  • spec-kitty charter status --provenance now reports synthesis generation state, evidence summary, manifest health, and per-artifact provenance visibility alongside the older charter sync surface.
  • ADR 2026-04-19-6-harness-owned-generated-artifact-charter-handoff.md now records the host-side charter handoff contract: exact file layout, identity rules, and CLI sequence.
  • architecture/2.x/06_migration_and_shim_rules.md — Authoritative compatibility shim lifecycle
    rulebook covering 4 rule families: schema/version gating, bundle/runtime migration authoring contract,
    shim lifecycle (with copy-paste template), and removal plans/registry contract. Required reading for
    all future extraction missions (#615).
  • architecture/2.x/shim-registry.yaml — Machine-readable registry of all known compatibility
    shims. Starts empty (zero-shim baseline confirmed at mission-615 start). Future shims must be
    registered here before merging. Validated by spec-kitty doctor shim-registry (#615).
  • spec-kitty doctor shim-registry — New CI enforcement subcommand that classifies each
    registered shim as pending, overdue, grandfathered, or removed. Exits 1 when any shim
    is overdue; exits 2 on configuration error. Supports --json for machine-readable CI output (#615).

Changed

  • spec-kitty charter synthesize and spec-kitty charter resynthesize now default to the generated-artifact adapter. --adapter fixture remains available only for deterministic offline regression runs.
  • spec-kitty charter synthesize --dry-run is now a real stage-and-validate pass: it writes the staged artifact set, runs project DRG validation and neutrality gating, and only skips the final promote step.
  • Shared contract-library pins now align with the current released pair consumed across the CLI and SaaS surfaces: spec-kitty-events==3.2.0 and spec-kitty-tracker==0.4.2.
  • Release pipeline now generates and attaches a CycloneDX SBOM (sbom.cdx.json) to every GitHub Release. The SBOM is an environment-snapshot of the fully resolved dependency tree at build time, making it straightforward for enterprise users to ingest the inventory into tools like Dependency-Track for continuous CVE monitoring without rescanning the package themselves.

Fixed

  • Directive provenance now records canonical URNs (directive:PROJECT_<NNN>) instead of slug-based placeholders, which restores correct directive filenames, provenance reload, and directive:PROJECT_<NNN> resynthesis.
  • Bounded resynthesis now preserves evidence inputs end-to-end, so regenerated provenance entries keep the correct evidence_bundle_hash and corpus_snapshot_id.
  • Generated-artifact synthesis errors now point to the exact expected file path and exact expected artifact id, which makes harness handoff mistakes easier to diagnose.
  • Charter neutrality lint now scans mission templates/ directories in addition to command-templates/, so banned terms in generic mission prompt files are caught by the default repo scan (#653 tripwire).
  • Bump requests floor to >=2.33.0 (CVE-2026-25645).
  • Bump pytest floor to >=9.0.3 (CVE-2025-71176).
  • Pin pygments>=2.20.0 explicitly to resolve CVE-2026-4539 in the transitive dependency pulled in via rich.
  • auth refresh now treats HTTP 401 responses with invalid_grant or session_invalid error codes identically to HTTP 400, and clears the locally stored session on server-side refresh rejection so auth status no longer reports stale credentials as authenticated.

Removed

  • spec-kitty auth whoami — removed. Scripts using this command for canary preflight identity checks should switch to spec-kitty auth status.
  • specify_cli.charter compatibility shim — The re-export shim at src/specify_cli/charter/ has been
    removed. External code importing specify_cli.charter.* must migrate to the canonical package:
    from charter import <name>. See
    architecture/2.x/05_ownership_map.md for the full
    charter slice entry and the reference exemplar pattern. Closes #611.
Check out latest releases or
releases around Priivacy-ai/spec-kitty v3.2.0a1

Don't miss a new spec-kitty release

NewReleases is sending notifications on new releases.

Get notifications