Skip to content

SHIP_GATE.md

Latest commit

 

History

History
70 lines (51 loc) · 3.23 KB

SHIP_GATE.md

File metadata and controls

70 lines (51 loc) · 3.23 KB

Ship Gate

No repo is "done" until every applicable line is checked. Copy this into your repo root. Check items off per-release.

Tags: [all] every repo · [npm] [pypi] [vsix] [desktop] [container] published artifacts · [mcp] MCP servers · [cli] CLI tools

A. Security Baseline

  • [all] SECURITY.md exists (report email, supported versions, response timeline) (2026-02-27)
  • [all] README includes threat model paragraph (data touched, data NOT touched, permissions required) (2026-02-27)
  • [all] No secrets, tokens, or credentials in source or diagnostics output (2026-02-27)
  • [all] No telemetry by default — state it explicitly even if obvious (2026-02-27)

Default safety posture

  • [cli|mcp|desktop] SKIP: CLI operates on local brand assets only — no destructive actions
  • [cli|mcp|desktop] File operations constrained to known directories (logos/, manifest.json, README files) (2026-02-27)
  • [mcp] SKIP: not an MCP server
  • [mcp] SKIP: not an MCP server

B. Error Handling

  • [all] Errors follow the Structured Error Shape: code, message, hint, cause?, retryable? (2026-02-27)
  • [cli] Exit codes: 0 ok · 1 user error · 2 runtime error · 3 partial success (2026-02-27)
  • [cli] No raw stack traces without --debug (2026-02-27)
  • [mcp] SKIP: not an MCP server
  • [mcp] SKIP: not an MCP server
  • [desktop] SKIP: not a desktop application
  • [vscode] SKIP: not a VS Code extension

C. Operator Docs

  • [all] README is current: what it does, install, usage, supported platforms + runtime versions (2026-02-27)
  • [all] CHANGELOG.md (Keep a Changelog format) (2026-02-27)
  • [all] LICENSE file present and repo states support status (2026-02-27)
  • [cli] --help output accurate for all commands and flags (verify, manifest, audit, migrate) (2026-02-27)
  • [cli|mcp|desktop] SKIP: CLI tool — no logging levels needed
  • [mcp] SKIP: not an MCP server
  • [complex] Handbook exists (docs/handbook.md — migration lessons learned) (2026-02-27)

D. Shipping Hygiene

  • [all] verify script exists (vitest) (2026-02-27)
  • [all] Version in manifest matches git tag (2026-02-27)
  • [all] Dependency scanning runs in CI (ecosystem-appropriate) (2026-02-27)
  • [all] Automated dependency update mechanism exists (2026-02-27)
  • [npm] npm pack --dry-run includes: dist/, README.md, LICENSE (2026-02-27)
  • [npm] engines.node set (>=18) (2026-02-27)
  • [npm] SKIP: no lockfile needed — CLI published to npm
  • [vsix] SKIP: not a VS Code extension
  • [desktop] SKIP: not a desktop application

E. Identity (soft gate — does not block ship)

  • [all] Logo in README header (2026-02-27)
  • [all] Translations (polyglot-mcp, 7 languages) (2026-02-27)
  • [org] Landing page (@mcptoolshop/site-theme) (2026-02-27)
  • [all] GitHub repo metadata: description, homepage, topics (2026-02-27)

Gate Rules

Hard gate (A–D): Must pass before any version is tagged or published. If a section doesn't apply, mark SKIP: with justification — don't leave it unchecked.

Soft gate (E): Should be done. Product ships without it, but isn't "whole."