release: v0.4.0#53
Merged
Merged
Conversation
#50) v0.4.0 spec sync companion. Ships live check implementations for 11 new requirement IDs across P1, P2, P4, P6, and the brand-new P8 (skill bundle discoverability), suppresses `p6-must-sigterm` under `--audit-profile human-tui` to mirror `p6-sigpipe`'s rationale, and bumps the CLI from 0.3.1 to 0.4.0. - Add P1 secret-handling check (`p1-must-secret-non-leaky-path`): scans target CLIs' `--help` for secret-bearing flag families (`--token`, `--password`, `--api-key`, `--secret`, `--auth`, `--credential`) and verifies each has either a `--*-file` companion or stdin path advertised. Vacuous Pass when no secret-bearing flag is detected. - Add P2 schema trio (`p2-must-schema-print`, `p2-should-schema-file`, `p2-should-json-aliases`): runtime-discoverable output schema via `schema` subcommand or `--schema` flag, file-export of schemas (`schema/*.json`, `*.schema.json` at repo root), and `--json` / `--jsonl` short aliases for `--output`. - Add P4 closed-set rejection check (`p4-should-enumerate-valid-set`, Rust + Python): detects clap `ValueEnum`, `PossibleValuesParser`, `value_parser!`, and Python `argparse.choices=` / `click.Choice()`. - Add P6 lifecycle and naming checks (`p6-must-sigterm`, Rust + Python; `p6-may-standard-names`): SIGTERM-handler detection across `signal_hook`, `tokio::signal::unix`, `signal.signal`, and `loop.add_signal_handler`; community-standard-verb allow-list applied to top-level subcommands. - Add P8 skill-bundle suite (`p8-should-bundle-exists`, `p8-must-bundle-install`, `p8-may-install-all`, `p8-may-bundle-update`): repo-root detection of `AGENTS.md` / `SKILL.md` with YAML frontmatter, plus help-surface probes for `skill install`, `skill install --all`, and `skill update` / `skill upgrade`. Brand-new principle in the registry. - Bump CLI from 0.3.1 to 0.4.0 (MINOR; meaningful coverage growth across five principles, including a brand-new principle). - Document prose-scrubbing runbook in `RELEASES.md` for release-flow artifacts (PR bodies, `CHANGELOG.md`, release-PR bodies) using Vale + LanguageTool + unslop. - Add `## PR body` section to `RELEASES.md` codifying what belongs in PR bodies (NEW user-facing substance, six required template sections) and what does not (workflow recap, triple-diff output, pre-push gate results, CI status, AI attribution). - [x] `feat`: New feature (non-breaking change which adds functionality) - [ ] `fix`: Bug fix (non-breaking change which fixes an issue) - [ ] `refactor`: Code refactoring (no functional changes) - [ ] `perf`: Performance improvement - [ ] `docs`: Documentation update - [ ] `test`: Adding or updating tests - [ ] `chore`: Maintenance tasks (dependencies, config, etc.) - [ ] `ci`: CI/CD configuration changes - [ ] `style`: Code style/formatting changes - [ ] `build`: Build system changes - [ ] `BREAKING CHANGE`: Breaking API change (requires major version bump) - Story: agentnative-spec v0.4.0 (brettdavies/agentnative#25, brettdavies/agentnative#26) - Issue: n/a - Architecture: docs/plans/2026-05-07-001-feat-v0.4.0-spec-sync-plan.md - Related PRs: docs/plans/2026-05-07-002-feat-prose-tooling-import-plan.md (sibling, no governance deadline) **Modified:** - `Cargo.toml`, `Cargo.lock`: version 0.3.1 to 0.4.0 - `RELEASES.md`: prose-scrubbing runbook + new `## PR body` section - `docs/coverage-matrix.md`, `coverage/matrix.json`: regenerated for 57 requirements - `src/principles/spec/**`: vendored from agentnative-spec v0.4.0 - `src/principles/registry.rs`: counter bumps, principle range to `1..=8`, `p6-sigterm` in `HumanTui` suppression - `src/types.rs`, `src/scorecard/mod.rs`: `CheckGroup::P8` variant + label/order - `src/checks/{behavioral,project,source/{rust,python}}/mod.rs`: register the 13 new check files - `tests/build_parser.rs`: integration test pin updated for v0.4.0 / 57 requirements **Created:** - `src/principles/spec/principles/p8-discoverable-skill-bundle.md` (vendored) - `src/checks/behavioral/secret_non_leaky_path.rs` (P1) - `src/checks/source/{rust,python}/enumerate_valid_set.rs` (P4) - `src/checks/behavioral/{schema_print,json_aliases}.rs`, `src/checks/project/schema_file.rs` (P2) - `src/checks/source/{rust,python}/sigterm.rs`, `src/checks/behavioral/standard_names.rs` (P6) - `src/checks/project/bundle_exists.rs`, `src/checks/behavioral/{bundle_install,install_all,bundle_update}.rs` (P8) **Renamed:** - None. **Deleted:** - None. - [x] Unit tests added/updated - [x] Integration tests added/updated - [x] Manual testing completed (dogfood `anc check .`) - [x] All tests passing **Test Summary:** 495 unit tests pass; 51 integration tests pass (including the spec-version drift sentry, the `convention_check_result_constructed_only_in_run_body` rule, the `dangling_cover_ids` detector, and the matrix artifact drift gate); clippy `-Dwarnings` clean; `anc generate coverage-matrix --check` exits 0.
## Summary Replaces `discover_rust_binaries()`'s always-prefer-release heuristic with mtime-newest-wins so dev workflows where `cargo run`/`cargo test` only refresh debug stop probing stale `target/release/<bin>` binaries. The v0.4.0 spec sync surfaced the trap on `p2-must-schema-print` against anc itself. ## Changelog ### Changed - Binary discovery in `src/project.rs::discover_rust_binaries` now picks the newer of `target/release/<bin>` and `target/debug/<bin>` by mtime when both exist. Ties and metadata failures fall back to debug (matches cargo's dev-flow default). CI scenarios where only one profile is built are unchanged. ### Documentation - Add Dogfooding Safety rule 3 to `CLAUDE.md` describing the mtime-based selection, with a `NEVER` directive against reverting to the always-prefer-release shape. ## Type of Change - [ ] `feat`: New feature (non-breaking change which adds functionality) - [x] `fix`: Bug fix (non-breaking change which fixes an issue) - [ ] `refactor`: Code refactoring (no functional changes) - [ ] `perf`: Performance improvement - [ ] `docs`: Documentation update - [ ] `test`: Adding or updating tests - [ ] `chore`: Maintenance tasks (dependencies, config, etc.) - [ ] `ci`: CI/CD configuration changes - [ ] `style`: Code style/formatting changes - [ ] `build`: Build system changes - [ ] `BREAKING CHANGE`: Breaking API change (requires major version bump) ## Related Issues/Stories - Story: stale `target/release/anc` masking `p2-must-schema-print` regressions during v0.4.0 spec sync - Issue: n/a - Architecture: `docs/solutions/test-failures/stale-release-binary-dogfood-fail-2026-05-07.md` - Related PRs: #50 (v0.4.0 spec sync, where the trap was surfaced and a temporary `PENDING_FAILS` allowlist for `p2-schema-print` was added in `tests/dogfood.rs`) ## Files Modified **Modified:** - `src/project.rs`: `discover_rust_binaries` switches from existence-only release-over-debug preference to mtime-based selection via a new `pick_newer_artifact` helper. Adds two unix-gated tests (`test_discover_picks_newer_artifact_by_mtime`, `test_discover_picks_release_when_newer`). - `CLAUDE.md`: Dogfooding Safety section gains rule 3 describing the new behavior; the `Rules for new behavioral checks` subsection gains a `NEVER` directive locking the new shape in. **Created:** - None. **Renamed:** - None. **Deleted:** - None. ## Testing - [x] Unit tests added/updated - [ ] Integration tests added/updated - [x] Manual testing completed (dogfood `anc check .` against this branch; `p2-schema-print` no longer needs a manual `cargo build --release` to flip from Fail to Pass) - [x] All tests passing **Test Summary:** `cargo test` reports 588 passed, 2 ignored across 7 suites. The two new unit tests use `tempfile`-style temp dirs and `File::set_modified` (stable since 1.75) to construct binaries with controlled mtimes; gated to `#[cfg(unix)]` because mtime semantics under Windows file-attribute caching are not the semantics this regression asserts against. Pre-push gate (fmt, clippy `-Dwarnings`, test, cargo-deny, Windows compat) passed before the push.
…ne pass (#52) ## Summary Imports the shared prose-check pipeline from `agentnative-spec` into this repo, lands the linter-channel voice doc, and runs an adjacent doc-hygiene pass (RELEASES split, new CONTRIBUTING.md, expanded issue templates). ## Changelog ### Added - New `PRODUCT.md` at repo root codifies linter-channel voice: second-person imperative register, three-part error shape (what failed, why, what to do), no marketing voice in CLI surface. Inherits universal rules from vendored `BRAND.md`. - New `CONTRIBUTING.md` documents the three-tier intake (signal / proposal / code), routes principle-level discussion to the spec repo, and names the dev-setup gates. - New `add-tool-to-registry` issue template for proposing CLI tools to the anc100 registry. ### Changed - `RELEASES.md` slims to operational runbook (95 lines); rationale moves to companion `RELEASES-RATIONALE.md` (243 lines). Each runbook section ends with a section-pointer at the rationale. - Issue-template config adds `agentnative-skill` as a fourth cross-repo destination; renames "CLI grading" to "grading findings" to match spec-repo terminology. ### Documentation - `AGENTS.md` gains a "Voice and prose rules" section pointing at `PRODUCT.md` for the linter-channel register and `scripts/prose-check.sh` for the local gate. - `scripts/SYNCS.md` documents the new `sync-prose-tooling.sh` row and the consumer-owned status of `scripts/prose-check.sh`. ## Type of Change - [x] `feat`: New feature (non-breaking change which adds functionality) ## Related Issues/Stories - Story: n/a - Issue: n/a - Architecture: `docs/plans/2026-05-07-002-feat-prose-tooling-import-plan.md` (this branch's execution log captures the deltas from the original plan) - Related PRs: tracks `agentnative-spec` `.context/.../010-pending-p0-prose-check-consumer-exclusion-config.md` for the upstream sidecar-config migration that will let the un-vendored orchestrator re-vendor. ## Files Modified **Modified:** - `.github/ISSUE_TEMPLATE/{00-blank,config}.yml`: surface the new tool-registry template, add skill repo destination. - `.gitignore`: exclude vale-runtime-fetched `styles/{proselint,write-good,.vale-config}/` (mirrors upstream). - `AGENTS.md`: voice-rules pointer at PRODUCT.md. - `CLAUDE.md`: backtick the `include!` macro reference (silenced LT.A_INFINITIVE). - `RELEASES.md`: slim to runbook; point prose-scrub at the `lt_check` helper. - `scripts/SYNCS.md`: new sync row, reference link, consumer-owned status for `prose-check.sh`. - `docs/plans/2026-05-07-002-feat-prose-tooling-import-plan.md`: execution log + unit status markers. **Created:** - `PRODUCT.md`, `CONTRIBUTING.md`, `RELEASES-RATIONALE.md`, `BRAND.md`, `.vale.ini` - `scripts/{sync-prose-tooling.sh,prose-check.sh,test-prose-check.mjs,generate-pack-readme.mjs}` - `styles/brand/{FillerAdjectives,HedgeWords,MarketingRegister}.yml` + `README.md` - `styles/config/vocabularies/{brand,cli}/{accept,reject}.txt` - `.github/ISSUE_TEMPLATE/add-tool-to-registry.yml` **Renamed:** - None. **Deleted:** - None. ## Testing - [x] Unit tests added/updated: n/a (no Rust changes). - [x] Integration tests added/updated: n/a. - [x] Manual testing completed: full local gate suite green (pre-push hook covers fmt, clippy, test, deny, Windows compat, Windows cross-clippy). - [x] All tests passing. **Test Summary:** - `cargo test`: 588 passing across 7 binaries, 0 failed, 2 ignored. - `cargo fmt --check`: clean. - `cargo clippy -Dwarnings`: clean. - `cargo deny check`: advisories ok, bans ok, licenses ok, sources ok. - Windows libc grep + `cargo clippy --target x86_64-pc-windows-gnu`: clean. - `bash scripts/sync-prose-tooling.sh --check`: byte-equal upstream `main` @ `1625416`. - `bash scripts/prose-check.sh`: 0 blocking, 457 stylistic warnings (non-blocking). - `bash scripts/test-prose-check.mjs`: vendored harness from upstream, runs clean. - `shellcheck -S warning` on all bash scripts: clean. - `actionlint`: clean. - `anc generate coverage-matrix --check`: clean. ## Breaking Changes - [x] No breaking changes ## Deployment Notes - [x] No special deployment steps required `scripts/prose-check.sh` now sources `~/dotfiles/config/shell/languagetool.sh` for the LanguageTool integration. Contributors without the dotfiles checkout get a clear pointer (exit 2 with path to brettdavies/dotfiles) rather than a confusing sourcing error. CI is unaffected since it doesn't run prose-check yet; that gate is deferred to a future PR. ## Checklist - [x] Code follows project conventions and style guidelines - [x] Commit messages follow [Conventional Commits](https://www.conventionalcommits.org/) - [x] Self-review of code completed - [x] Tests added/updated and passing - [x] No new warnings or errors introduced - [x] Changes are backward compatible ## Additional Context `scripts/prose-check.sh` is intentionally consumer-owned (un-vendored 2026-05-13). The orchestrator's `find`-expression exclusions are CLI-LOCAL (`src/principles/spec/`, `docs/ideation/`, `tests/fixtures/`, `coverage-matrix.md`) and cannot live in the upstream until the spec-side sidecar-config migration lands. Universal pipeline changes (new check stage, severity routing) require coordinated PRs across spec + site + cli + skill until then. `scripts/generate-pack-readme.mjs` carries a one-line CLI-LOCAL adaptation (drops `spec` from `DEFAULT_PACKS` since this repo doesn't vendor `styles/spec/`); the sync `--check` skips it the same way it used to skip the un-vendored `prose-check.sh`.
Two plan files came along with the squash-merge cherry-pick of #50 (v0.4.0 spec sync) and would trip `guard-main-docs.yml`. Plans live on `dev` only.
7 tasks
brettdavies
added a commit
that referenced
this pull request
May 21, 2026
…tmatter; fix badge slug + P8 filter (#54) ## Summary Closes the dogfood gaps surfaced by `anc check .` at the v0.4.0 release candidate, plus the silent slug-derivation bug behind the scorecard's badge URLs. Self-check after this branch: 44 checks, 37 pass, 3 warn, 0 fail, 0 error. Score 93% (up from 85% at the v0.4.0 RC). ## Changelog ### Added - Add `anc schema` top-level subcommand. Prints the embedded JSON Schema (draft 2020-12) describing the shape of `anc check --output json` scorecards. Closes the `p2-must-schema-print` FAIL surfaced by self-check. - Add `schema/scorecard.schema.json` committed at the repo root and embedded into the binary via `include_str!`. Hand-written coverage of the 0.5 shape (Scorecard plus ToolInfo, AncInfo, RunInfo, PlatformInfo, TargetInfo, BadgeInfo, LevelCounts, CoverageSummary, Summary, CheckResultView). Closes the `p2-should-schema-file` WARN. - Add YAML frontmatter to `AGENTS.md` naming the tool, binary, description, homepage, and repository so agent runtimes can index the bundle. Closes the `p8-should-bundle-exists` WARN. ### Changed - `derive_tool_name` now follows the four-tier fallback chain `command_name -> binary basename -> manifest package name -> directory basename`. The old shape returned the project directory basename, producing 404-bound badge URLs for any tool whose registry slug differed from its directory name. `anc check .` now emits `badge_url: https://anc.dev/badge/anc.svg` (HTTP 200, matches the site's `registry.yaml`). - `matches_principle` gains the `(CheckGroup::P8, 8)` arm. Pre-fix, `--principle 8` silently filtered out every P8 check because the match table predated the new principle. - README refreshed for v0.4.0: principle count 7 -> 8 with a P8 row, "Example Output" rewritten against the current 44-check self-check (P2 schema, P6 standard-names + SIGTERM, P8 bundle results), "Three Check Layers" lists Python alongside Rust under Source, JSON sample dropped the stale `anc.commit` field. README em-dash density scrubbed from 20.5/1000 to 0/1000. - README "Reporting issues" section folded into "Contributing" as a three-tier intake (signal / proposal / code) that points at the shipped `CONTRIBUTING.md` for the full breakdown. Cross-repo routing preserved. ### Documentation - Update `--principle <PRINCIPLE>` doc from `(1-7)` to `(1-8)` in both README and `src/cli.rs`. ## Type of Change - [x] `feat`: New feature (non-breaking change which adds functionality) ## Related Issues/Stories - Story: n/a - Issue: n/a - Architecture: Schema follow-up plan on `dev` at `docs/plans/2026-04-30-002-feat-scorecard-json-schema-plan.md` (full schemars-derive implementation; this PR ships the hand-written first cut). - Related PRs: #50, #51, #52, #53 ## Testing - [x] Unit tests added/updated - [x] Integration tests added/updated - [x] Manual testing completed - [x] All tests passing **Test Summary:** - New `src/main.rs::tests` module covers all four tiers of `derive_tool_name_inner` (command, binary, `Cargo.toml` manifest, `pyproject.toml` manifest, directory fallback). - `cargo test`: 593 passed, 2 ignored across 7 suites. - `cargo clippy --release --all-targets -- -Dwarnings`: clean. - `cargo fmt --check`: clean. - `./target/release/anc check .`: 44 checks, 37 pass, 3 warn, 0 fail, 4 skip, 0 error. Score 93%. - Live URL probe: `https://anc.dev/badge/anc.svg` returns 200. ## Files Modified **Modified:** - `AGENTS.md`, `README.md`, `src/cli.rs`, `src/main.rs`. - All five `completions/anc.*` files (regenerated for the new `schema` subcommand). **Created:** - `schema/scorecard.schema.json`. **Renamed:** - None. **Deleted:** - None. ## Breaking Changes - [x] No breaking changes ## Deployment Notes - [x] No special deployment steps required. After merge to `dev`, cherry-pick the squash commit onto `release/v0.4.0` (PR #53) and regenerate `CHANGELOG.md` before the release tag.
…tmatter; fix badge slug + P8 filter (#54) ## Summary Closes the dogfood gaps surfaced by `anc check .` at the v0.4.0 release candidate, plus the silent slug-derivation bug behind the scorecard's badge URLs. Self-check after this branch: 44 checks, 37 pass, 3 warn, 0 fail, 0 error. Score 93% (up from 85% at the v0.4.0 RC). ## Changelog ### Added - Add `anc schema` top-level subcommand. Prints the embedded JSON Schema (draft 2020-12) describing the shape of `anc check --output json` scorecards. Closes the `p2-must-schema-print` FAIL surfaced by self-check. - Add `schema/scorecard.schema.json` committed at the repo root and embedded into the binary via `include_str!`. Hand-written coverage of the 0.5 shape (Scorecard plus ToolInfo, AncInfo, RunInfo, PlatformInfo, TargetInfo, BadgeInfo, LevelCounts, CoverageSummary, Summary, CheckResultView). Closes the `p2-should-schema-file` WARN. - Add YAML frontmatter to `AGENTS.md` naming the tool, binary, description, homepage, and repository so agent runtimes can index the bundle. Closes the `p8-should-bundle-exists` WARN. ### Changed - `derive_tool_name` now follows the four-tier fallback chain `command_name -> binary basename -> manifest package name -> directory basename`. The old shape returned the project directory basename, producing 404-bound badge URLs for any tool whose registry slug differed from its directory name. `anc check .` now emits `badge_url: https://anc.dev/badge/anc.svg` (HTTP 200, matches the site's `registry.yaml`). - `matches_principle` gains the `(CheckGroup::P8, 8)` arm. Pre-fix, `--principle 8` silently filtered out every P8 check because the match table predated the new principle. - README refreshed for v0.4.0: principle count 7 -> 8 with a P8 row, "Example Output" rewritten against the current 44-check self-check (P2 schema, P6 standard-names + SIGTERM, P8 bundle results), "Three Check Layers" lists Python alongside Rust under Source, JSON sample dropped the stale `anc.commit` field. README em-dash density scrubbed from 20.5/1000 to 0/1000. - README "Reporting issues" section folded into "Contributing" as a three-tier intake (signal / proposal / code) that points at the shipped `CONTRIBUTING.md` for the full breakdown. Cross-repo routing preserved. ### Documentation - Update `--principle <PRINCIPLE>` doc from `(1-7)` to `(1-8)` in both README and `src/cli.rs`. ## Type of Change - [x] `feat`: New feature (non-breaking change which adds functionality) ## Related Issues/Stories - Story: n/a - Issue: n/a - Architecture: Schema follow-up plan on `dev` at `docs/plans/2026-04-30-002-feat-scorecard-json-schema-plan.md` (full schemars-derive implementation; this PR ships the hand-written first cut). - Related PRs: #50, #51, #52, #53 ## Testing - [x] Unit tests added/updated - [x] Integration tests added/updated - [x] Manual testing completed - [x] All tests passing **Test Summary:** - New `src/main.rs::tests` module covers all four tiers of `derive_tool_name_inner` (command, binary, `Cargo.toml` manifest, `pyproject.toml` manifest, directory fallback). - `cargo test`: 593 passed, 2 ignored across 7 suites. - `cargo clippy --release --all-targets -- -Dwarnings`: clean. - `cargo fmt --check`: clean. - `./target/release/anc check .`: 44 checks, 37 pass, 3 warn, 0 fail, 4 skip, 0 error. Score 93%. - Live URL probe: `https://anc.dev/badge/anc.svg` returns 200. ## Files Modified **Modified:** - `AGENTS.md`, `README.md`, `src/cli.rs`, `src/main.rs`. - All five `completions/anc.*` files (regenerated for the new `schema` subcommand). **Created:** - `schema/scorecard.schema.json`. **Renamed:** - None. **Deleted:** - None. ## Breaking Changes - [x] No breaking changes ## Deployment Notes - [x] No special deployment steps required. After merge to `dev`, cherry-pick the squash commit onto `release/v0.4.0` (PR #53) and regenerate `CHANGELOG.md` before the release tag.
…+ Three Check Layers Quick Start gains two worked examples (`anc . --binary`, `anc . --source`) plus an `anc schema` pointer. "Three Check Layers" annotates each layer with its isolation flag and explains when to reach for one (CI step for source quality, release-gate against the compiled artifact). Project layer is called out as running alongside the others with no isolation flag. No prose floor regression: unslop 0/100, Vale clean.
….0 dogfood split New `## Scoring` section sits between Three Check Layers and CLI Reference. Three tables: - **Status rubric** — five statuses (pass/warn/fail/skip/error) and which ones count toward the badge ratio. Includes the explicit `score_pct = round(pass / (pass + warn + fail) * 100)` formula and the 80% badge floor. - **Tier mapping** — MUST/SHOULD/MAY -> result-status mapping with a concrete check ID for each tier. - **v0.4.0 dogfood** — live results for `--binary` (18 checks, 81%), `--source` (26 checks, 100%), and full mode (44 checks, 93%), plus a one-line note naming the three full-mode warnings. Plain Vale + unslop pass: 0 errors, 0/100 (clean).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Cuts v0.4.0 by cherry-picking four PRs from
dev: #50 (spec sync, 11 new requirement IDs across P1/P2/P4/P6/P8), #51(binary-discovery mtime fix), #52 (prose pipeline import + un-vendor of orchestrator + doc-hygiene pass), and #54
(post-RC dogfood fixes that lift score from 85% to 93%). Adds an entire new principle (P8 Discoverable Skill Bundle), a
P1 secret-handling check, the
anc schemasubcommand backing P2's runtime-discoverable-schema MUST, and a fix for thesilent badge-slug bug uncovered during release polish.
Changelog
Added
p1-must-secret-non-leaky-path): scans target CLIs'--helpfor secret-bearing flag families (--token,--password,--api-key,--secret,--auth,--credential) and verifies each has either a--*-filecompanion or stdin path advertised. Vacuous Pass when no secret-bearing flag is detected.p2-must-schema-print,p2-should-schema-file,p2-should-json-aliases): runtime-discoverable output schema viaschemasubcommand or--schemaflag, file-export of schemas (schema/*.json,*.schema.jsonat repo root), and--json/--jsonlshort aliases for--output.p4-should-enumerate-valid-set, Rust + Python): detects clapValueEnum,PossibleValuesParser,value_parser!, and Pythonargparse.choices=/click.Choice().p6-must-sigterm, Rust + Python;p6-may-standard-names): SIGTERM-handler detection acrosssignal_hook,tokio::signal::unix,signal.signal, andloop.add_signal_handler; community-standard-verb allow-list applied to top-level subcommands.p8-should-bundle-exists,p8-must-bundle-install,p8-may-install-all,p8-may-bundle-update): repo-root detection ofAGENTS.md/SKILL.mdwith YAML frontmatter, plus help-surface probes forskill install,skill install --all, andskill update/skill upgrade. Brand-new principle in the registry.anc schematop-level subcommand. Prints the embedded JSON Schema (draft 2020-12) describing the shape ofanc check --output jsonscorecards. Closes thep2-must-schema-printFAIL surfaced byanc check .self-check.schema/scorecard.schema.jsoncommitted at the repo root and embedded into the binary viainclude_str!. Hand-written coverage of the 0.5 shape (Scorecard plus ToolInfo, AncInfo, RunInfo, PlatformInfo, TargetInfo, BadgeInfo, LevelCounts, CoverageSummary, Summary, CheckResultView). Closes thep2-should-schema-fileWARN.AGENTS.mdnaming the tool, binary, description, homepage, and repository so agent runtimes can index the bundle. Closes thep8-should-bundle-existsWARN.Changed
src/project.rs::discover_rust_binariesnow picks the newer oftarget/release/<bin>andtarget/debug/<bin>by mtime when both exist. Ties and metadata failures fall back to debug (matches cargo's dev-flow default). CI scenarios where only one profile is built are unchanged.RELEASES.mdslims to operational runbook; rationale moves to companionRELEASES-RATIONALE.md. Each runbook section ends with a section-pointer at the rationale.derive_tool_namenow follows the four-tier fallback chaincommand_name -> binary basename -> manifest package name -> directory basename. The old shape returned the project directory basename, producing 404-bound badge URLs for any tool whose registry slug differed from its directory name.anc check .now emitsbadge_url: https://anc.dev/badge/anc.svg(HTTP 200, matches the site'sregistry.yaml).matches_principlegains the(CheckGroup::P8, 8)arm. Pre-fix,--principle 8silently filtered out every P8 check because the match table predated the new principle.anc.commitfield. README em-dash density scrubbed from 20.5/1000 to 0/1000.CONTRIBUTING.md. Cross-repo routing preserved.Documentation
PRODUCT.mdat repo root codifies linter-channel voice: second-person imperative register, three-part error shape (what failed, why, what to do), no marketing voice in CLI surface. Inherits universal rules from vendoredBRAND.md.CONTRIBUTING.mddocuments the three-tier intake (signal / proposal / code), routes principle-level discussion to the spec repo, and names the dev-setup gates.add-tool-to-registryissue template for proposing CLI tools to the anc100 registry.RELEASES.mdfor release-flow artifacts using Vale + LanguageTool + unslop.AGENTS.mdgains a "Voice and prose rules" section pointing atPRODUCT.mdfor the linter-channel register andscripts/prose-check.shfor the local gate.scripts/SYNCS.mddocuments the newsync-prose-tooling.shrow and the consumer-owned status ofscripts/prose-check.sh.--principle <PRINCIPLE>doc from(1-7)to(1-8)in both README andsrc/cli.rs.Type of Change
feat: New feature (non-breaking change which adds functionality)Related Issues/Stories
agentnative-spec@v0.4.0(vendored atsrc/principles/spec/). Scorecard JSON Schemafollow-up plan lives on
devatdocs/plans/2026-04-30-002-feat-scorecard-json-schema-plan.md(full schemars-deriveimplementation; this release ships the hand-written first cut).
Testing
Test Summary:
docs/; phantom-commit count consistent with prior squash-merge history.cargo test: 593 passed, 2 ignored across 7 suites. Newsrc/main.rs::testsmodule covers all four tiers ofderive_tool_name_inner(command, binary,Cargo.tomlmanifest,pyproject.tomlmanifest, directory fallback).cargo clippy --release --all-targets -- -Dwarnings: clean.cargo fmt --check: clean.cargo run -- generate coverage-matrix --check: exits 0 against the committed artifacts.bash scripts/sync-skill-fixture.sh --check: confirms fixture matchesagentnative-site@devhead (4efa8ec)../target/release/anc check .: 44 checks, 37 pass, 3 warn, 0 fail, 4 skip, 0 error. Score 93%.https://anc.dev/badge/anc.svgreturns 200.-Dwarnings, test, cargo-deny, Windows compatibility check) passes.Files Modified
Modified:
Cargo.lock,CHANGELOG.md,AGENTS.md,CLAUDE.md,README.md,RELEASES.md,Cargo.toml,coverage/matrix.json,docs/coverage-matrix.md,scripts/SYNCS.md.src/cli.rs,src/main.rs,src/principles/registry.rs,src/project.rs,src/scorecard/mod.rs,src/types.rs.src/checks/{behavioral,project,source/{python,rust}}/mod.rs.src/principles/spec/CHANGELOG.md,src/principles/spec/VERSION,src/principles/spec/principles/p1-p7*.md.completions/anc.*files..github/ISSUE_TEMPLATE/{00-blank.yml,config.yml},.gitignore.tests/build_parser.rs,tests/dogfood.rs.Created:
BRAND.md,PRODUCT.md,CONTRIBUTING.md,RELEASES-RATIONALE.md,.vale.ini..github/ISSUE_TEMPLATE/add-tool-to-registry.yml.scripts/prose-check.sh,scripts/sync-prose-tooling.sh,scripts/generate-pack-readme.mjs,scripts/test-prose-check.mjs.schema/scorecard.schema.json.src/checks/behavioral/{bundle_install,bundle_update,install_all,json_aliases,schema_print,secret_non_leaky_path,standard_names}.rs.src/checks/project/{bundle_exists,schema_file}.rs.src/checks/source/python/{enumerate_valid_set,sigterm}.rs,src/checks/source/rust/{enumerate_valid_set,sigterm}.rs.src/principles/spec/principles/p8-discoverable-skill-bundle.md.styles/brand/{FillerAdjectives,HedgeWords,MarketingRegister}.yml,styles/brand/README.md.styles/config/vocabularies/{brand,cli}/{accept,reject}.txt.Renamed:
Deleted:
Breaking Changes
Deployment Notes
v0.4.0, push, then run./scripts/sync-dev-after-release.sh v0.4.0to backport release artifacts todev.