Release Readiness Validation
What you'll find here
The repository-owned readiness record for Craik releases. The current
pre-release gate is 0.12.9; historical sign-offs remain below for
audit continuity.
v0.12.9 TUI Cutover
Gateway backend cleanup follow-up is in progress.
The current post-cutover goal creates a local Gateway session boundary for
audited prompt execution, JSONL stdio transport for TUI clients, CLI mirrors
for raw prompt execution, structured model profiles, and regression tests for
Claude Code marker routing and progress events. This work starts from
checkpoint commit c6cd81d checkpoint: pre-backend-cleanup.
runtime/backend/session.py owns raw prompt execution for provider and Claude Code marker paths and emits normalized lifecycle, working-state, progress, receipt, output, completion, and error events.craik.run_output artifact, giving clients replayable model, lifecycle, receipt, output, and completion evidence.craik tui-backend --jsonl accepts session.status, prompt.submit, slash.submit, model.set, approval.decide, run.interrupt, and close messages over stdio for Textual/Rust/frontend evaluation./run <prompt> and craik run prompt <prompt> share the audited Gateway path; backend-affecting slash mirrors are covered by regression tests.craik model set keeps legacy selectors while persisting provider/model profile metadata, display labels, backend preference, common provider options, and provider-specific passthrough knobs. Gateway prompt runs now pass the active profile options into provider runtime requests for OpenAI, Anthropic, Chat Completions, and Gemini payloads.ratatui replay prototype under crates/craik-tui-rs parses the same fixture and verifies lifecycle, working-state, run, task, receipt, and progress rendering.Gateway Cleanup Validation Commands
uv run pytest tests/test_backend_gateway_session.py tests/test_backend_jsonl.py tests/test_slash_cli_mirrors.py
uv run pytest tests/test_gateway_replay.py
cargo test --manifest-path crates/craik-tui-rs/Cargo.toml
uv run pytest tests/test_v010_agent_shell.py tests/test_v011_tui.py tests/test_v0122_slash_inline_execution.py tests/test_v0122_textual_app.py tests/test_v0123_multiline_input_methods.py tests/test_v0125_tui_polish.py tests/test_v0127_anthropic_claude_cli.py tests/test_provider_runner.py tests/test_provider_runtime.py tests/test_cli.py
uv run python scripts/generate_cli_reference.py --check
v0.12.9 completes the runtime consumption path for the CLI/TUI command contract.
0.12.9 wires the three TUI entry points to the contract dispatcher, routes
Textual slash output through the new renderer pipeline, replaces the legacy
dispatcher implementation with a compatibility shim, replaces the
hand-maintained slash metadata tuple with the live AutoSlashRegistry,
routes prompt-backed commands through canonical modals, and adds
runtime-consumption CI guards so future contract infrastructure cannot ship
without live TUI use.
v0.12.9 Acceptance Status
textual_app.py, tui.py, and agent_shell.py dispatch slash commands through craik.runtime.contract.dispatch.AutoSlashRegistry from the live Typer app plus shell-only slash built-ins.format_command_result(..., kind="tui")./auth login, /auth logout, and /receipts detail use canonical-composed modal screens under runtime/shell/modals/; the legacy textual_modals.py file is removed.interactive_prompts metadata now drives runtime behavior by intercepting typer.confirm and typer.prompt during contract-dispatch callback invocation.check_contract_dispatch_consumed.py, check_no_legacy_modal_pushes.py, check_no_slash_command_specs_consumption.py, and check_interactive_prompts_runtime_consumed.py verify runtime imports, block legacy cutover APIs, and assert contract-dispatch invocation across TUI entry points.v0.12.9 Validation Commands
Run the standard release gate from a clean checkout before signed tag creation:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_cli_tui_contract.py
uv run python scripts/check_command_result_return.py
uv run python scripts/check_no_direct_stdout.py
uv run python scripts/check_contract_dispatch_consumed.py
uv run python scripts/check_no_legacy_modal_pushes.py
uv run python scripts/check_no_slash_command_specs_consumption.py
uv run python scripts/check_interactive_prompts_runtime_consumed.py
uv run python scripts/check_modal_screen_mappings.py
uv run python scripts/check_modal_screen_security.py
uv run python scripts/check_payload_shape_validity.py
uv run python scripts/check_next_actions_validity.py
uv run python scripts/check_format_flag_coverage.py
uv run python scripts/generate_snapshots.py /status --name status --width 80 --check
uv run python scripts/check_snapshot_coverage.py
uv run python scripts/check_dead_code.py
uv run python scripts/check_oauth_callback_safety.py
uv run python scripts/check_dock_bottom_snapshot_coverage.py
uv run python scripts/check_text_selection_wiring.py
python3 scripts/check_codebase_brand_hygiene.py
uv run python scripts/check_slash_command_registry.py
uv run python scripts/check_changed_file_strictness.py
uv run python scripts/check_public_docs_hygiene.py
uv run python scripts/check_doc_links.py
uv run python scripts/generate_cli_reference.py --check
uv run ruff check
uv run mypy
uv run pytest
uv run pytest --cov=craik --cov-report=term --cov-fail-under=80
(cd docs && npm run build)
v0.12.8 CLI/TUI Contract
v0.12.8 makes the shared command contract release-ready across CLI, slash, JSON, and TUI surfaces.
0.12.8 keeps migrated commands on the CommandResult contract, prevents
strictly migrated shared callbacks from writing directly to stdout during
slash dispatch, adds canonical modal metadata for prompt-backed commands,
expands slash snapshots across the standard width matrix, and adds CI gates so
future migrations stay aligned with the canonical renderer flow.
v0.12.8 Acceptance Status
@craik_command, return CommandResult, and use shared renderers.interactive_prompts metadata and modal mapping guards reject drift.CommandResult are documented with explicit legacy markers.v0.12.8 Validation Commands
Run the standard release gate from a clean checkout before signed tag creation:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_cli_tui_contract.py
uv run python scripts/check_command_result_return.py
uv run python scripts/check_no_direct_stdout.py
uv run python scripts/check_modal_screen_mappings.py
uv run python scripts/check_modal_screen_security.py
uv run python scripts/check_payload_shape_validity.py
uv run python scripts/check_next_actions_validity.py
uv run python scripts/check_format_flag_coverage.py
uv run python scripts/generate_snapshots.py /status --name status --width 80 --check
uv run python scripts/check_snapshot_coverage.py
uv run python scripts/check_dead_code.py
uv run python scripts/check_oauth_callback_safety.py
uv run python scripts/check_dock_bottom_snapshot_coverage.py
uv run python scripts/check_text_selection_wiring.py
python3 scripts/check_codebase_brand_hygiene.py
uv run python scripts/check_slash_command_registry.py
uv run python scripts/check_changed_file_strictness.py
uv run python scripts/check_public_docs_hygiene.py
uv run python scripts/check_doc_links.py
uv run python scripts/generate_cli_reference.py --check
uv run ruff check
uv run mypy
uv run pytest
uv run pytest --cov=craik --cov-report=term --cov-fail-under=80
(cd docs && npm run build)
v0.12.7 Provider OAuth Suite
v0.12.7 completes the provider-specific OAuth adoption path that is usable without private client registrations.
0.12.7 adds OAuth auth-profile contracts, one-shot loopback PKCE
helpers, callback-safety CI coverage, OpenAI browser PKCE OAuth,
Anthropic Claude CLI delegation, Gemini/Vertex ADC and service-account
login through google-auth, provider-specific header handling, OAuth status
metadata, billing-surface status metadata, and explicit
craik auth login <provider> --mode=api-key|oauth|claude-cli selection.
v0.12.7 Validation Commands
Run the standard release gate from a clean checkout before signed tag creation:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_cli_tui_contract.py
uv run python scripts/check_command_result_return.py
uv run python scripts/check_no_direct_stdout.py
uv run python scripts/generate_snapshots.py /status --name status --width 80 --check
uv run python scripts/check_snapshot_coverage.py
uv run python scripts/check_dead_code.py
uv run python scripts/check_oauth_callback_safety.py
uv run python scripts/check_dock_bottom_snapshot_coverage.py
uv run python scripts/check_text_selection_wiring.py
python3 scripts/check_codebase_brand_hygiene.py
uv run python scripts/check_slash_command_registry.py
uv run python scripts/check_changed_file_strictness.py
uv run python scripts/check_public_docs_hygiene.py
uv run python scripts/check_doc_links.py
uv run python scripts/generate_cli_reference.py --check
uv run ruff check
uv run mypy
uv run pytest
uv run pytest --cov=craik --cov-report=term --cov-fail-under=80
(cd docs && npm run build)
v0.12.6 Inherited Surface Sweep
v0.12.6 closes the inherited-surface sweep for channel ingress, slash-command payload shape, and TUI text selection.
0.12.6 sanitizes normalized messaging-channel text before runtime
boundaries, extends the slash-command registry guard to execute structured
payload smoke commands, and keeps TUI text-selection behavior documented,
styled, and covered by a release-readiness guard.
v0.12.6 Validation Commands
Run the standard release gate from a clean checkout before signed tag creation:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_dead_code.py
uv run python scripts/check_dock_bottom_snapshot_coverage.py
uv run python scripts/check_text_selection_wiring.py
python3 scripts/check_codebase_brand_hygiene.py
uv run python scripts/check_slash_command_registry.py
uv run python scripts/check_changed_file_strictness.py
uv run python scripts/check_public_docs_hygiene.py
uv run python scripts/check_doc_links.py
uv run ruff check
uv run mypy
uv run pytest
uv run pytest --cov=craik --cov-report=term --cov-fail-under=80
(cd docs && npm run build)
v0.12.5 TUI Polish and Release Guards
v0.12.5 completes the terminal UI polish, receipt verification, and release-guard hardening pass for the v0.12 train.
0.12.5 ships bottom-stack TUI ordering, text-selection support, inline
subcommand listings, TUI-shaped next-action guidance, standalone receipt
verification, coverage publishing, positioning documentation, AST-bound
dock-bottom snapshot coverage, all-theme TCSS dock scanning, and an 80%
coverage floor for release coverage publication.
v0.12.5 Validation Commands
Run the standard release gate from a clean checkout before signed tag creation:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_dead_code.py
uv run python scripts/check_dock_bottom_snapshot_coverage.py
python3 scripts/check_codebase_brand_hygiene.py
uv run python scripts/check_slash_command_registry.py
uv run python scripts/check_changed_file_strictness.py
uv run python scripts/check_public_docs_hygiene.py
uv run python scripts/check_doc_links.py
uv run ruff check
uv run mypy
uv run pytest
uv run pytest --cov=craik --cov-report=term --cov-fail-under=80
(cd docs && npm run build)
v0.12.4 Command Surface Ergonomics
v0.12.4 completes the slash-command ergonomics and TUI hardening pass for the v0.12 train.
0.12.4 ships centralized slash-command schema metadata, structured
inline result rendering, argument-aware help and validation, current-session
transcript search, receipt detail modals with integrity status, bounded
toast notifications, destructive-action confirmations, inline action-key
dispatch, and release guards for command metadata and TUI brand hygiene.
v0.12.4 Validation Commands
Run the standard release gate from a clean checkout before signed tag creation:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_dead_code.py
uv run python scripts/check_dock_bottom_snapshot_coverage.py
python3 scripts/check_codebase_brand_hygiene.py
uv run python scripts/check_slash_command_registry.py
uv run python scripts/check_changed_file_strictness.py
uv run ruff check
uv run mypy src/craik
uv run pytest
(cd docs && npm run build)
v0.12.3 Interactive Shell Refinement
v0.12.3 completes the interactive shell refinement pass for the v0.12 train.
0.12.3 ships terminal status-bar usage and quota indicators, reverse history
search, multi-line input alternatives, audited ! shell invocations,
session naming, theme controls, MCP discovery, CLI mistype recovery, and
TUI aesthetic polish.
v0.12.3 Validation Commands
Run the standard release gate from a clean checkout before signed tag creation:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_dead_code.py
python3 scripts/check_codebase_brand_hygiene.py
uv run ruff check
uv run mypy
uv run pytest
(cd docs && npm run build)
v0.12.2 Canonical TUI Release
v0.12.2 is the canonical interactive-runtime release for the v0.12 train.
0.12.2 ships the Textual-based TUI, slash-command inline execution,
history and completion support, modal auth and approval flows, privacy
documentation, and the codebase brand-hygiene release guard.
v0.12.2 Validation Commands
Run the standard release gate from a clean checkout before signed tag creation:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_dead_code.py
python3 scripts/check_codebase_brand_hygiene.py
uv run ruff check
uv run mypy
uv run pytest
(cd docs && npm run build)
v0.12.1 Patch Release
v0.12.1 is a patch-readiness release for the v0.12 train.
0.12.1 incorporates the post-release remediation PRs for README
current-state accuracy, provider auth and health-check UX, gateway and
doctor readiness, MCP validation, migration apply reporting,
localization polish, and CodeQL cleanup.
v0.12.1 Validation Commands
Run the standard release gate from a clean checkout before signed tag creation:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_dead_code.py
uv run ruff check
uv run mypy src
uv run pytest -q
v0.12.0 Goal Workflow
Structural CI guard generalization starts the v0.12.0 release train.
0.12.0 begins with G0 before functional migration,
internationalization, and compatibility work. G0 strengthens the
release-readiness writer-coverage guard with qualified call
resolution, explicit dynamic-dispatch allowlisting, and a complementary
dead-code scan.
scripts/check_dead_code.py runs vulture at confidence 80 as a complementary dead-code gatecraik migrate inspect, plan, and dry-run import inspect adjacent agent-runtime JSON exports, map source records to proposed Craik target schemas, preserve source files, support text/JSON output, and report skipped secret-like fields without copying valuescraik migrate report emits deterministic safe-to-share review artifacts with summary counts, importable objects, manual actions, skipped secrets, security posture changes, unsupported capabilities, recommended next commands, validation checklist items, and source-to-target links without raw secret valuesCRAIK_LOCALE and --locale configure text output, missing translations fall back predictably, slash help and migration report headings localize, and translation contribution rules preserve machine-readable semanticscraik auth login captures provider keys through hidden prompt, writes keyring-ref profiles, reports backend-aware health, removes cached credentials on logout, migrates env-var profiles with consent, and shares auth status across slash commands, TUI, dashboard, and readiness statev0.12.0 Validation Commands
Run the structural gate from a clean checkout before starting functional v0.12.0 implementation goals:
uv run python scripts/check_release_readiness.py
uv run python scripts/check_dead_code.py
uv run pytest tests/test_release_readiness_guards.py tests/test_dead_code_check.py tests/test_auth_capture_and_cache.py -v
v0.11.0 Goal Workflow
Product surfaces and channel operations are ready for release prep.
0.11.0 moves Craik beyond command-only operation with a terminal UI,
authenticated dashboard, desktop companion, service-managed gateway,
real channel adapters, approval UX, diagnostics/update workflows, and
multimodal companion contracts. Each goal lands through its own issue
and PR before release prep; all v0.11.0 implementation goal issues are
closed.
craik:// handlers are documented as review-only with no direct mutating actionscraik --tui, craik tui, shared slash commands, multiline composer, status/model/session/approval/artifact/gateway/skill panels, autocomplete metadata, redacted approval modal fixture, tests, and guide docscraik dashboard, local-only default bind, token or active operator-session auth, status/provider/session/run/handoff/receipt/approval/gateway/skill/model pages, shared slash-command action route, route tests, and security docsX-Craik-Operator-Session to match the active operator session token, and preview output warns about the required headerjti, systemd gateway units tolerate executable paths with spaces, and Discord webhook diagnostics distinguish verifier unavailability from invalid signaturescraik desktop status, menu, action, approval notification, and update-check surfaces for local dashboard launch, gateway command actions, provider/auth health, doctor, and redacted notification deep linkscraik gateway install, uninstall, status, logs, doctor, stop, and restart with launchd/systemd generation, Windows plan, stale pid recovery, and log discoverycraik executable path resolved at install time/approvals, craik approvals list, show, approve, and deny, dashboard queue payloads, TUI approval modal/counts, desktop notifications, decision receipts, retry-path linkage, and lifecycle testscraik doctor, craik doctor --fix, craik update --check, expanded operator/provider/model/gateway/channel/security diagnostics, explicit dry-run fix plans, unsafe fix confirmation, JSON output, and fixture testsv0.11.0 Release Readiness
Status: ready for maintainer signing after release-prep PR lands.
The v0.11.0 milestone contains the TUI, authenticated dashboard, desktop companion, gateway service lifecycle, real channel adapters, approval UX, doctor/update workflow, multimodal companion contracts, and all follow-up remediation. Tagging remains gated on the final release-prep validation and maintainer-managed GPG signing.
v0.11.0 Validation Commands
Run the full release gate from a clean checkout before tagging
0.11.0:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run ruff check
uv run mypy
uv run python scripts/generate_cli_reference.py --check
uv run python scripts/check_doc_links.py
uv run python scripts/check_public_docs_hygiene.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_dead_code.py
uv run python scripts/check_changed_file_strictness.py
uv run python scripts/check_max_file_lines.py
uv run python scripts/quickstart_smoke.py
uv run pytest
v0.10.0 Goal Workflow
Agent shell and setup UX gate is ready for release prep.
0.10.0 turns the root CLI into a usable agent shell, adds progressive
setup guidance before auth is configured, introduces browser-assisted
provider login, and exposes model, session, profile, usage, and
learning-loop controls through operator-facing commands. The
implementation goal landed through a green PR tied to the v0.10.0
milestone before release prep begins.
craik chat, slash commands, readiness states, provider login, model/session/profile controls, and learning-loop command surfacesv0.10.0 Release Readiness
Status: ready for release checks after release-prep PR lands.
The v0.10.0 milestone contains the agent shell, progressive setup states, browser-assisted provider login, secure credential-storage posture reporting, model/session/profile UX, usage summaries, and learning-loop controls. Release prep owns the final version bump, changelog promotion, signed tag, package publication, docs publication, and post-release verification.
craik shell can launch before auth, one-shot chat works through craik chat and craik --one-shot, readiness states explain setup gaps, and slash commands route users toward setup, auth, provider, model, session, approval, and doctor actions.craik auth login provides browser-assisted provider setup for hosted providers and guided fallback for local models while keeping output redacted and surfacing credential-storage posture.v0.10.0 Validation Commands
Run the full release gate from a clean checkout before tagging
0.10.0:
uv run python scripts/check_version_consistency.py
uv run ruff check
uv run mypy
uv run python scripts/generate_cli_reference.py --check
uv run python scripts/check_doc_links.py
uv run python scripts/check_public_docs_hygiene.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_dead_code.py
uv run python scripts/check_changed_file_strictness.py
uv run python scripts/check_max_file_lines.py
uv run python scripts/quickstart_smoke.py
uv run pytest
Release Signing-Key Asset Gate
Every release must be cut from a signed annotated tag and must publish
the ASCII-armored public release signing key on the matching GitHub
Release as craik-release-signing-key.asc. This asset is the public
key operators can import or inspect; it is not a detached tag
signature. The embedded Git tag signature remains the integrity check
for the release commit.
git tag -v vX.Y.Z
git ls-remote --tags origin vX.Y.Z
gpg --show-keys --with-fingerprint craik-release-signing-key.asc
gh release view vX.Y.Z --repo eidetic-labs/craik --json assets --jq '.assets[].name'
Release prep is not complete until the fingerprint shown for
craik-release-signing-key.asc matches the key reported by
git tag -v vX.Y.Z.
v0.9.0 Goal Workflow
Persistent agent runtime gate is ready for release prep.
0.9.0 adds provider-backed persistent sessions, guided provider
setup, Gemini and local model routes, provider certification, explicit
failure recovery, and a deterministic persistent-agent launch demo.
All implementation goals landed through green PRs tied to the v0.9.0
milestone before release prep begins.
cli_*.py module and stateful CLI commands require the canonical operator session check, with explicit bootstrap/demo/CI policy-test exemptionsv0.9.0 Release Readiness
Status: ready for pre-release checks after docs reconciliation lands.
The v0.9.0 milestone now contains provider setup, Gemini runtime support, local model presets, provider-backed persistent sessions, provider certification, explicit failure recovery, a launch demo, persistent-agent security boundaries, MCP routing decisions, sandbox backend tracking, browser/tool boundary tracking, sandbox policy validation, and environment capability receipts. Release prep remains responsible for the version bump, final changelog section, signed tag, publish, and post-publish verification.
v0.9.0 Validation Commands
Run the full release gate from a clean checkout before promoting
0.9.0 into release prep:
uv run python scripts/check_version_consistency.py
uv run ruff check
uv run mypy
uv run python scripts/generate_cli_reference.py --check
uv run python scripts/check_doc_links.py
uv run python scripts/check_public_docs_hygiene.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_changed_file_strictness.py
uv run pytest tests/test_provider_cli.py tests/test_provider_runtime.py tests/test_local_model_presets.py tests/test_agent_sessions.py tests/test_agent_session_integrity.py tests/test_provider_certification.py tests/test_cli_agents.py tests/test_cli_operator_auth.py tests/test_release_readiness_guards.py tests/test_demos.py tests/test_environment_receipts.py tests/test_sandbox_policy_boundaries.py -q
uv run pytest
v0.8.0 Goal Workflow
Operator integrations and always-on gateway gate.
0.8.0 ships a foreground gateway daemon, setup/diagnostics/update
operator commands, channel contracts, messaging fixture ingress,
identity pairing, allowlists, channel policy envelopes, webhook
validation, scheduled automations, and gateway receipts. Each
remediation issue shipped implementation, tests, docs, validation, a
green PR, merge, issue closure, and branch pruning before release prep.
craik gateway start, pid-file lock, /health, and persisted lifecycle transitionsv0.8.0 Release Readiness
Status: ready for release prep after docs reconciliation lands.
All implementation remediation goals are closed. The shipped daemon is a foreground local service with health checks and persisted lifecycle state; hosted public operation, production dispatch loops, and broad third-party channel adapters remain future surfaces.
tests/test_v0_8_0_gateway_pipeline_e2e.py for the integrated flow.v0.8.0 Validation Commands
Run the full release gate from a clean checkout before promoting
0.8.0 into release prep:
uv run python scripts/check_version_consistency.py
uv run ruff check
uv run mypy
uv run python scripts/generate_cli_reference.py --check
uv run python scripts/check_doc_links.py
uv run python scripts/check_public_docs_hygiene.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_changed_file_strictness.py
uv run pytest tests/test_v0_8_0_gateway_pipeline_e2e.py tests/test_gateway.py tests/test_webhook_ingress.py tests/test_channel_identity.py tests/test_channel_allowlist.py tests/test_channel_policy.py tests/test_scheduled_automations.py tests/test_schedules.py tests/test_gateway_receipts.py tests/test_store.py -q
uv run pytest
v0.7.0 Goal Workflow
Operator experience gate.
0.7.0 ships a read-only operator surface for inspecting project
state without reading raw logs. Each goal issue must ship
implementation, tests, docs, validation, a green PR, merge, issue
closure, and branch pruning before the next goal begins.
craik operator overview · read-only snapshot and formatter contractcraik operator contradictions · contradiction and operator-attention queuecraik operator evidence · evidence and assumptions kept separatecraik operator instructions · sources, snapshots, provenance, proposals, and reviewscraik operator quality · handoff, evidence, critic, and red-team signalsv0.7.0 Release Readiness
Status: ready for release prep.
All v0.7.0 operator-experience goals have shipped implementation, tests, docs, validation, a green PR, merge, issue closure, and branch pruning. No known release blockers remain as of 2026-05-21.
craik operator commands cover overview, work graph, handoffs, receipts, contradictions, evidence, delegations, budget, instructions, quality, memory impact, traps, and run deltas.v0.7.0 Validation Commands
Run the full release gate from a clean checkout before promoting
0.7.0 into release prep:
uv run python scripts/check_version_consistency.py
uv run ruff check
uv run mypy src
uv run python scripts/generate_cli_reference.py --check
uv run python scripts/check_doc_links.py
uv run python scripts/check_public_docs_hygiene.py
uv run python scripts/check_release_readiness.py
find src -name '*.py' -print0 | xargs -0 uv run python scripts/check_max_file_lines.py
uv run pytest tests/test_cli_operator_auth.py tests/test_cli_operator_scoping.py tests/test_operator_view_sanitization.py tests/test_release_readiness_guards.py -q
uv run pytest
v0.6.0 Goal Workflow
Skills, plugins, and ecosystem foundations gate.
0.6.0 ships reusable skill contracts and governed plugin ecosystem
contracts without weakening Craik's no-ambient-authority runtime
model. Each goal issue shipped implementation, tests, docs, validation,
a green PR, merge, issue closure, and branch pruning before the next
goal began.
craik.skill_package · semantic package versions and no runtime authoritycraik.skill_registry · active entry and precedence invariantscraik.skill_invocation_context · package context requirements and redacted invocation recordscraik.plugin_descriptor · trust boundary, capabilities, docs, security notes, and compatibilitycraik.plugin_probation · evidence-backed criteria and decisions before durable trustcraik.plugin_capability_grant · explicit operations, scoped targets, approvals, expiry, and authorization helpercraik.plugin_receipt · redacted descriptor, grant, probation, evidence, and handoff linkscraik.adapter_package · semantic versions, runner modes, Python/platform compatibility, docs, and provenancecraik.reference_integration · safe reproducible skill, plugin, and adapter examplesv0.6.0 Release Readiness
Ready for release prep.
The v0.6.0 skills, plugins, and ecosystem foundations surface is implemented in typed contracts, local-store persistence, validation helpers, operator-visible receipt formatting, reference documentation, and community guides. Release prep still owns the version bump, generated docs lockfile, release heading promotion, full release validation, tag creation, PyPI publish, docs deployment, and GitHub Release verification.
skill_package · skill_registry · skill_invocation_context · plugin_descriptor · plugin_probation · plugin_capability_grant · plugin_receipt · adapter_package · reference_integration.uv run python scripts/check_version_consistency.py, uv run ruff check, uv run mypy src, uv run python scripts/check_doc_links.py, uv run python scripts/check_public_docs_hygiene.py, uv run python scripts/check_release_readiness.py, and full uv run pytest with loopback access enabled for local HTTP-server tests.0.6.0, regenerate generated docs artifacts if required, promote the changelog heading to 0.6.0 — 2026-05-21, run the full release validation suite, create the signed tag, publish to PyPI, verify the docs site, and verify GitHub Release creation.v0.5.0 Goal Workflow
Quality, continuity, and recovery gate.
0.5.0 starts with one goal issue for each roadmap capability plus a
release-readiness issue. Each issue must ship implementation, tests,
docs, and requirement validation before the milestone closes.
v0.5.0 Release Readiness
Remediated and release-ready.
The v0.5.0 quality, continuity, and recovery surface is implemented in typed contracts, local-store persistence, runtime helpers, operator views, capture CLI surfaces, recovery/delta operator gates, and reference documentation. The post-readiness remediation closed the gap between contract definitions and production capture paths. Release prep updates the version declarations, changelog heading, generated docs lockfile, package verification, tag checks, PyPI publish, docs deployment verification, and GitHub release verification.
recovery_session · run_delta · runtime_critic_finding · red_team_finding · handoff_quality_score · evidence_coverage_score · context_debt_record · tool_result_attestation · knowledge_freshness_probe · scratchpad_record · known_trap · negative_knowledge · unknown_record · context_request · exit_discipline_check.craik knowledge captures scratchpad, unknown, context-request, known-trap, and negative-knowledge records, and resolves unknown, context-request, and context-debt records with operator receipt linkage; craik review captures critic and red-team findings; craik run recover and craik run delta expose recovery and changed-since-last-time summaries from local durable state behind an active operator session.uv run pytest tests/test_v0_5_0_pipeline_e2e.py plus the focused readiness slice: uv run pytest tests/test_recovery.py tests/test_critics.py tests/test_quality_scores.py tests/test_context_debt.py tests/test_freshness.py tests/test_known_traps.py tests/test_scratchpad.py tests/test_exit_discipline.py tests/test_operator_views.py tests/test_store.py.0.5.0 version declarations, release notes, and docs lockfile are prepared in the release-prep branch. The release tag, PyPI package, docs deployment, and GitHub Release are verified after the release-prep PR lands.v0.4.0 Release Readiness
Runtime instruction distillation gate.
0.4.0 lands the declared-instruction pipeline that turns project
instruction files into typed, provenance-linked, reviewable
constraints. Sources are registered explicitly, snapshots drive stale
invalidation, extracted statements carry line/range provenance,
categories and contradiction reports keep review queues explainable,
approval receipts are required before a constraint becomes governing,
and active constraints flow into case files and compiled prompts.
pyproject.toml, src/craik/init.py, docs/package.json, and docs/package-lock.json declare 0.4.0.new, unchanged, changed, or missing; changed, missing, newly observed, or omitted sources defer derived proposals.Active instruction constraints section with ordered items, provenance annotations, empty-state behavior, and stale-exclusion warnings.craik instructions register, ingest, list, approve, reject, and show expose source registration, pipeline execution, proposal review, approval decisions, rejection decisions, and provenance-aware item inspection through the active operator session.docs/reference/instruction-sources.md, docs/reference/distilled-instructions.md, docs/reference/instruction-approval.md, and docs/guides/managing-instructions.md document the shipped v0.4.0 operator surface and link through the sidebars.v0.4.0 is tagged, published to PyPI, and represented by the GitHub Release. The GitHub milestone is closed with zero open issues.v0.4.0 Verification Commands
Run these before release prep and again before tagging:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_doc_links.py
uv run python scripts/check_public_docs_hygiene.py
uv run pytest tests/test_instruction_sources.py tests/test_instruction_ingestion.py tests/test_instruction_provenance.py tests/test_instruction_distillation.py tests/test_instruction_invalidation.py tests/test_instruction_contradictions.py tests/test_instruction_promotion.py tests/test_instruction_runtime_context.py tests/test_instruction_workflow_docs.py tests/test_instruction_pipeline_e2e.py tests/test_case_files.py tests/test_prompts.py tests/test_contracts.py -q
v0.4.0 Security Notes
The v0.4.0 trust boundary is also documented in SECURITY.md.
- Instruction sources must be registered explicitly and remain confined to the registered project root before ingestion.
- Raw source files and distilled proposals are evidence, not authority; only governing constraints backed by approval receipts enter case files and compiled prompts.
- Stale or contradicted approvals require an explicit override and rationale, and review receipts record whether stale or contradiction guards were bypassed.
- Approval receipt HMACs, backed by an owner-only local secret, are verified before governing constraints are rendered into case files, onboarding context, handoffs, or compiled prompts.
- Release workflows pin GitHub Actions to immutable SHAs and attest package provenance before PyPI publish.
- Stale governing items are excluded from compiled prompt context and surfaced as distillation warnings instead of silent authority.
- Contradiction detection opens reviewable reports for cross-source policy, boundary, command, instruction, and security-rule conflicts.
v0.3.0 Release Readiness
Multi-agent review and coordination gate.
0.3.0 lands the governed multi-agent surface: authenticated mailbox
messages, intent-lock coordination across simultaneous runs, structured
debate with adjudication, cross-agent review, human delegation pause and
resume, scope-change decisions, and live work-graph coordination. The same
release tightens the security boundary: identity-isolated handoff
consumption, role-allowlist dispatch, operator-bound delegation resolution,
and authenticated mailbox sends.
pyproject.toml, src/craik/init.py, docs/package.json, and docs/package-lock.json declare 0.3.0.craik agent-message and local-store helpers send and receive authenticated typed messages linked to tasks, runs, handoffs, and roles. Senders are authenticated against the run's role state, message bodies are bounded, and same-subject repeats get unique IDs instead of overwriting.craik scope-change decide for explicit expand, sibling-task, handoff, or denial decisions before continuing.craik task resume --from-handoff creates a follow-up task, case file, and pending run that record source handoff provenance while requiring an explicit consumer credential and operator identity.craik run execute --role records a policy-checked specialist role assignment, dispatch receipt, and run-level role metadata. Role dispatch requires explicit role allowlists and gates runner overrides behind the role.runner.override policy capability.v0.3.0, run the protected publish workflow, then verify PyPI and docs after publication.v0.3.0 Verification Commands
Run these before tagging:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_release_tag.py --tag v0.3.0 --expected-version 0.3.0
uv run pytest tests/test_agent_mailbox.py tests/test_intent_lock_coordination.py tests/test_role_dispatch.py tests/test_scope_changes.py tests/integration/test_multi_agent_v030_flow.py -q
v0.3.0 Security Notes
- Delegation resolution requires resolver operator identity and rejects attempts to resume a paused run opened by another operator.
- Mailbox sends authenticate
from_agentagainst the sender run's role state before storing the message or receipt. - Role dispatch requires explicit role allowlists and gates runner
overrides behind the
role.runner.overridepolicy capability. - Mailbox message bodies are bounded and repeated same-subject messages receive unique IDs instead of overwriting the latest message.
- Handoff consumption records an explicit consumer credential and operator assignment, rejects producer identity reuse by default, and requires an explicit continuation flag plus rationale when reuse is intentional.
v0.2.0 Release Readiness
Durable execution continuity gate.
0.2.0 hardens the provider-backed loop into durable execution: resumable
phase boundaries, wall-clock and provider-token budgets, sandboxed shell tool
dispatch, run recovery commands, tool-result attestations, and local-store
migrations.
pyproject.toml, src/craik/init.py, docs/package.json, and docs/package-lock.json declare 0.2.0.craik run resume continues unfinished provider-backed runs.craik run show, craik run cancel, craik run delta, and persisted exit-discipline checks expose continuity state and handoff readiness.v0.2.0, run the protected publish workflow, then verify PyPI and docs after publication.v0.2.0 Verification Commands
Run these before tagging:
uv run python scripts/check_version_consistency.py
uv run python scripts/check_release_version.py
uv run python scripts/check_release_readiness.py
uv run python scripts/check_release_tag.py --tag v0.2.0 --expected-version 0.2.0
uv run pytest tests/test_loop.py tests/test_local_process_backend.py tests/test_loop_tool_dispatch.py tests/test_store.py tests/test_cli.py tests/test_handoffs.py tests/test_provider_runner.py -q
v0.2.0 Security Notes
- Shell execution remains policy-gated and only registered command references are routed to the local-process sandbox backend.
- The local-process backend avoids shell expansion and propagates cancellation to in-flight subprocesses.
- Budget checks happen before provider calls and immediately before tool dispatch, preventing exhausted runs from producing new side effects.
- Tool-result attestations hash redacted replay payloads and link each dispatched result to its side-effect receipt.
v0.1.0 Release Readiness
In-repo green.
All in-repo readiness gates are passing. The remaining work is the
maintainer-driven v0.1.0 tag and the protected publication workflow.
Snapshot
Code health
CI on main
Latest ci.yml run on main completed success: run 26010629626.
CodeQL
Latest codeql.yml run on main completed success: run 26010629612.
Code scanning
Zero open alerts via gh api repos/eidetic-labs/craik/code-scanning/alerts.
Version consistency
uv run python scripts/check_release_version.py.
File-size budget
find src -name "*.py" -print0 | xargs -0 uv run python scripts/check_max_file_lines.py.
craik --version
Prints 0.1.0 via uv run craik --version.
craik doctor
Runs to completion against a fresh CRAIK_HOME. An entirely empty home correctly reports missing local state.
Package artifacts
uv build produced dist/craik-0.1.0.tar.gz and dist/craik-0.1.0-py3-none-any.whl.
Test coverage
tests/integration/test_http_transport_round_trip.pytest_auth_api_key_source.py, test_auth_local_cli_oauth.py, test_auth_cli_bridge.py, test_auth_secret_ref.py, test_auth_profiles.py, test_auth_credential_pool.py, test_provider_runtime.py.test_oidc_operator.py, test_operator_session_store.py, test_workload_identity.py, test_oidc_exchange_secret_manager.py.alg=none, unknown kid, tampered payloads, asymmetric/symmetric confusion (test_oidc_operator.py).test_provider_runtime.py, test_policy.py, test_loop.py, test_case_files.py, test_redaction.py, test_handoffs.py.Focused readiness set: ran the combined readiness subset with
uv run pytest tests/integration/test_http_transport_round_trip.py tests/test_auth_api_key_source.py tests/test_auth_local_cli_oauth.py tests/test_auth_cli_bridge.py tests/test_auth_secret_ref.py tests/test_auth_profiles.py tests/test_auth_credential_pool.py tests/test_oidc_operator.py tests/test_operator_session_store.py tests/test_workload_identity.py tests/test_oidc_exchange_secret_manager.py tests/test_provider_runtime.py tests/test_policy.py tests/test_case_files.py tests/test_handoffs.py -q — all passed.
Security hygiene
Secret-pattern grep
No raw secret patterns in tests or scripts: grep -rE "sk-[a-zA-Z0-9]{20,}|xoxb-|ghp_|ANTHROPIC.{0,5}=.{20,}" tests/ scripts/.
Operator session file
Owner-only 0o600 writes in src/craik/runtime/auth/operator/store.py.
Auth profiles store
auth-profiles.json writes are file-locked and atomic via fcntl.flock + tempfile + os.replace in src/craik/runtime/auth/store.py.
Credential pool store
Pool writes are file-locked and atomic in src/craik/runtime/auth/pool.py.
Resolver errors
Reference-level error wording such as secret reference could not be resolved — never raw values.
Documentation
Roadmap gates
Exactly 12 release gates v0.1.0–v0.12.0, no gaps.
Roadmap auth scope
docs/roadmap.md states v0.1.0 includes OIDC, pluggable credentials, operator + credential identity on receipts, policy-bound auth, approval-gated first use, expiry risk, per-credential redaction, handoff identity bookkeeping.
Changelog
CHANGELOG.md ## 0.1.0 - 2026-05-17 narrates Phase A and Phase B.
README
"What Works Today" names OIDC and typed credential profiles.
Auth on-ramp
docs/guides/authentication.md exists and is linked from docs/index.md. docs/guides/quickstart.md covers it.
Limitations honesty
docs/limitations.md no longer treats shipped auth capabilities as future work.
MVP docs
docs/mvp.md and docs/mvp-roadmap.md reflect the expanded v0.1.0 scope including OIDC and credential profiles.
Docs build
npm run build from docs/ succeeds.
Operational state
Milestones
v0.1.0–v0.12.0 exist with titles matching the roadmap.
v0.1.0 milestone
22 closed issues · 0 open issues.
Blockers
No open PRs or open issues currently blocking the release.
Dependabot
Alert #1 fixed.
Tag posture
Tag v0.1.0 does not exist locally. Tagging is a maintainer release action and should happen only after this report is accepted.
External release actions
v0.1.0