Skip to content

Releases: tyroneross/build-loop

v0.36.4

Choose a tag to compare

@tyroneross tyroneross released this 12 Jul 01:03

v0.36.4 — Release reconciliation: security-gate reliability, eager inline Learn, hook classifier fix, isolation widening

First published release since v0.36.1. Two prior version bumps — 0.36.2
(2f3e007) and 0.36.3 (e5162fc) — updated only the plugin/marketplace
manifests and CHANGELOG; they were never tagged, never released on GitHub, and
never published to npm, and they left package.json, the lockfile, the Claude
marketplace metadata, and the README pins at 0.36.1. This release reconciles
every enforced surface to one version (scripts/verify_release_surface.py)
and ships everything on main since the v0.36.1 tag (bd883b9..673a7fa,
45 commits).

Highlights

  • Pre-push security gate scans the push delta, not the whole tree
    (06b392d, 33e2dc9, c401f68, 578dc7a — staged as 0.36.2). A
    pre-existing HIGH in an unrelated file no longer hard-blocks unrelated
    pushes; 9 false-negative closures plus a conservative-by-construction
    classifier.
  • perturbation_spotcheck --check-cmd runs as an argv list (shell=False)
    (a652cc6 — staged as 0.36.2), closing an A03/LLM02 shell-injection HIGH.
  • Eager Phase-6 Learn detector-pass for inline runs (02b4db6 — staged as
    0.36.3). stop_closeout.py runs the deterministic pattern detector at
    closeout and folds an owed "Phase-6 Learn drafting" item into the
    closeout-pending marker when runs[] >= 3 and a root-cause cluster has no
    experimental draft yet — inline runs no longer leave the learning loop dark.
  • Git-command classifier: segment-parse instead of substring glob
    (54268bd). The hook trigger tokenizes command segments, ending false-fires
    on prose, paths, or heredoc content that merely contains "git commit" /
    "git push".
  • Temporal-membership preflight for retrospectives (422a5c1). Records
    are checked for run-window membership before attachment, stopping wrong-run
    records from contaminating a run's retrospective.
  • Worktree-isolation doctrine widened to commit-less writers (e45cfa6).
    Any long-running background writer that edits files must use a dedicated
    worktree — commit authority is no longer the trigger. Motivated by a
    commit-less subagent that outlived its dispatch ~8h and re-applied stale
    edits onto the live checkout; lint rule wake-path-grew-a-file-edit added
    to scripts/worktree_isolation_lint.py.
  • Hook hardening follow-ups (93fe6c8, 673a7fa): wrapper-push
    detection, heredoc over-strip fix, audit-guard test, and idle-scan skip when
    an unterminated heredoc contains no git command.
  • runtime-parity-verification: doc↔interface parity checks for CLIs, tools, and flows (7dc1854)

Also included since v0.36.1: durable memory identity (stable project ID +
alias-walking registry, ad70a82), retro enforce-candidate triage +
implementation (d86b8c3, 0617c01), cost-ledger attribution activation
(869044e), native-marketplace-first install docs (718f361), four dormant
review producers activated (b36c7e9), and the release preflight CI gate
(2a1b433).

Versioning note

pyproject.toml (0.12.16) is the Python package's own version line and is
intentionally not part of the plugin release surface — it is not checked by
verify_release_surface.py and is unchanged here.

Verification

  • python3 scripts/verify_release_surface.py --version v0.36.4 --branch main
    with the CI-preflight skip set (tag/remote checks excluded pre-publish) — pass.
  • python3 scripts/test_verify_release_surface.py — pass.
  • python3 scripts/test_command_surface_policy.py — pass.
  • Tag/GitHub-release/npm-publish checks complete only after the user publishes
    (.github/workflows/publish-npm.yml gates the tag against package.json).

v0.36.1

Choose a tag to compare

@tyroneross tyroneross released this 06 Jul 17:46

Full Changelog: v0.36.0...v0.36.1

v0.36.0

Choose a tag to compare

@tyroneross tyroneross released this 06 Jul 17:21

Full Changelog: v0.35.0...v0.36.0

v0.35.0 — structural closeout + agent-spec hardening

Choose a tag to compare

@tyroneross tyroneross released this 13 Jun 01:54

Structural run-close (f6 arc)

  • Stop-hook closeout: inline runs are recorded to runs[] with no human prompt; judgment_gate WARN surfaces when a stakes-gated run skipped the Frontier judgment layer; closeout-pending marker surfaces once at next SessionStart.
  • Crash-orphan sweep: SIGKILL/529-killed runs get recorded at the next session start (stale-heartbeat gate; live peers never touched).
  • Terminal identity release: a recorded pass closes the run identity (archived to historicalExecutions) so the next effort mints fresh instead of silently resuming a finished run; partial/blocked keep identity for crash-resume; collapse_run recovers worktrees from the archive.
  • state_finalize honors both phase conventions (orchestrator execution.phase + inline top-level phase) and stamps at most once; fresh-mint clears stale per-run state (phase/triggers/execution residue).

Agent-spec hardening (2026 enterprise-agent research pass)

  • activation-map-required plan-verify rule: plans proposing event-driven components (hooks, cron, watchers, webhooks) must map each to a real trigger + verified-live state — targets the dormant-machinery failure class (4 live instances motivated it; rule probed against their exact phrasing).
  • acceptance-criteria as the 7th MECE brief field: hard-linted at dispatch (brief_mece_validator); optional-but-validated on rally packets (mece_gate).
  • Role-taxonomy corrections: core = verdict-contingent; tier follows role; no-sub-sub-agents documented as a delegation-depth-2 security cap; C5 = the sanctioned handoff detection phase.
  • Codex Stop/SessionStart hooks now ship in-repo (.codex/hooks.json tracked; repo-level firing verified dormant under codex exec 0.139.0 — documented honestly in AGENTS.md).

All changes Fable-audited (two adversarial passes + closure verification with independent repros). Full battery: plan-verify suite, 79 pytest, 19 rally hook tests, self-mod gate 149/0.

v0.34.0

Choose a tag to compare

@tyroneross tyroneross released this 12 Jun 08:52

First release since v0.30.3 — publishes the accumulated 0.33.0-line work as 0.34.0 to npmjs + GitHub Packages.

Highlights

  • Rally coordination: rally_poll_gate.py (poll-after-post enforcement + poster-side fallback), rally_merge_gate.py (pre-merge conflict gate), .rally excluded from plugin-cache sync.
  • Telemetry + tier enforcement: Phase-5 item_iteration producer (exec_state.py) recording tier/model, judgment_gate.py enforcing Frontier (Fable) judgment dispatch at Review-G, cross-vendor model registry.
  • build-loop-memory: self-contained, privacy-safe seed folder (templates/memory/) — templates + complete structure spec + README; private store still ships nothing.
  • Plugin manifests (claude + codex) + npm package all aligned at 0.34.0.

v0.30.3

Choose a tag to compare

@tyroneross tyroneross released this 08 Jun 07:05

$Build Loop 0.30.3 publishes the current main build after the v0.30.2 tag.\n\n- Bumps npm, Claude, Codex, and Agents release surfaces to 0.30.3.\n- Keeps the package aligned with current main.\n- Excludes Python bytecode cache artifacts from the published package tarball.\n\nValidation: npm run build; npm test; npm publish --dry-run; .venv/bin/python -m pytest tests/test_phase_6_gating_docs.py scripts/test_verify_release_surface.py scripts/test_check_private_slugs.py.

v0.12.16 — Rally Point: Cross-Session Agent Coordination

Choose a tag to compare

@tyroneross tyroneross released this 26 May 02:43

v0.12.16 — Rally Point: Cross-Session Agent Coordination

Headline

Build-loop becomes multi-session-aware. Rally Point is a new substrate that lets concurrent build-loop runs across Claude Code, Codex, and CI discover each other, coordinate ownership of files via MECE handoff, lease leadership, and surface escalations — without colliding, double-editing, or losing run identity. Phase 1 Assess and Phase 4 Review now consume it automatically. Companion: an independent commit auditor with parallel research+trajectory context, a capability registry that keeps Phase 1 inside Anthropic's ≤8-candidate Tool Search guidance, and a hardened security posture (private-slug guard + SEC-001 through SEC-011 remediation).

What changed

Rally Point — multi-session coordination substrate

The headline subsystem. Renamed from the original "app-pulse" prototype to rally_point/ (R1 C10). Solves the silent-collision problem when 2+ build-loop runs operate on the same repo concurrently.

  • Channel resolver (scripts/rally_point/channel_paths.py) — worktree-aware channel path resolution, honors policy on legacy mirror vs canonical-only.
  • Append-only change log + fcntl-locked monotonic revision counter (T2/T3) — every state mutation is auditable and ordered.
  • Presence + reaper + per-session cursor (T4) — sessions register on SessionStart, stale sessions are reaped, each session reads only what it hasn't seen.
  • Active session_probe + announce-and-listen hook — R2 auto-invoke wires a hook into SessionStart so fresh agents announce themselves and discover existing peers before acting.
  • MECE handoff validator (R1 C4) — scripts/rally_point/post.py rejects malformed handoff payloads at write time; rejections counted and surfaced via rejection_count in status (R1 C8 follow-up).
  • Lease-based leadership (G1) — agents lease leadership of a chunk; lead-* and escalation kinds added; leadership wired into the orchestrator + slash command (G1 integration).
  • Tool-level lateral limits (G2) — handoff packets capped per tool to prevent runaway broadcast.
  • Escalation salience (G3) — coordination_status surfaces escalations prominently.
  • Host-neutral CLI (scripts/agent_rally.py, G4) — same command surface for Claude Code, Codex, and CI.
  • Relevance-aware capability lifecycle (G5) — registry weights decay; unused capabilities demoted.
  • Discovery bridge + producer metadata (β1, β1.2) — fresh agents discover channels via rally where; producer metadata tags every record with what produced it (orthogonal to run identity).
  • build_loop_id run-identity layer — stable per-run handle (bl-<TS>-<tool>-<6digit>) attached to rally records as top-level fields. Closes the 37% run_id=unknown gap observed during β1. Generated/resumed via scripts/rally_point/build_loop_id.py; orthogonal to producer_metadata.
  • Post-cutover channel_paths audit — verifies cutover invariants hold after the legacy-mirror window closes.
  • CLI ergonomicsagent-rally-preflight wired into AGENTS.md + CLAUDE.md; rally where delegates to agent-rally-point discover for canonical resolution.
  • Coordination cache parity check — guards against drift between in-memory and on-disk coordination state.

Independent commit auditor

Two-tier review at every commit boundary:

  • Deterministic boundary hook (primary)scripts/audit_before_commit.py runs as a PreToolUse hook on every git commit. It gathers diff scope, owned-files, intent/PRD/constitution snapshot, and prior judge decisions into a context packet, then emits a verdict in the four-option taxonomy (clean | warn | block | escalate).
  • independent-auditor agent (escalation)agents/independent-auditor.md is the LLM-grade deep read invoked only when the orchestrator wants a second opinion (e.g., before squash-merging a multi-chunk build, or when a chunk's diff is unusually large or crosses an architectural boundary).
  • Parallel research + trajectory context (#46) — research-arm and trajectory-arm run in parallel; anti-bias reconciliation gates the verdict; hook-path persistence keeps audits available across resumed sessions.
  • Consolidation (#47) — old commit-auditor agent collapsed into independent-auditor as the single source of truth.

Capability registry + native architecture

  • Native architecture packagesrc/build_loop/architecture/ (scanner, analysis, digest, enrich, diagram, lessons, adapter). Invoked as python -m build_loop.architecture <subcmd> for scan, impact, trace, rules, dead, connections. Escalates to NavGator (--mode=navgator) only for llm-map, schema, diagram — capabilities not yet ported.
  • architecture-scout agent — read-only dispatcher for five Phase 1/2/4/6 task types (baseline, chunk-impact, review-rules, iterate-subgraph, learn-sync, plus enrich and schema-map). Decides native-vs-NavGator per task; returns a ≤500-word structured JSON envelope.
  • Freshness state managerscripts/architecture_freshness.py tracks staleFiles and lastFreshAt in state.json.architecture; wired into hooks/hooks.json so Phase 1 fan-out and Phase 2 chunk-impact analysis only re-scan when needed.
  • Capability registry (scripts/build_capability_registry.py) + shortlist (scripts/capability_shortlist.py) — Phase 1 Assess loads ≤8 candidates per Anthropic Tool Search guidance, with trigger-aware demotion and plugin-surface collapse (P13).
  • Memory facade (scripts/memory_facade.py) — unified recall(query, kind=None, project=None, limit=10) over four backends: .build-loop/state.json.runs[], .episodic/decisions/*.md, agent_memory.<schema>.semantic_facts (Postgres), and the claude-code-debugger MCP search tool. Graceful degradation when a backend is missing.

Observability + auto-version-bump

  • judge_decisions envelope (#42) — every judge run emits a structured envelope; Phase 4G writes .build-loop/judge-decisions.json and folds the entries into state.json.runs[-1].judge_decisions[]. Dispatch-path-independent — fires every time, regardless of how the orchestrator was invoked (Skill, Agent tool, per-commit, resume). Reports MUST end with a ## Judge decisions block sourced verbatim from the envelope.
  • Plugin-drift SessionStart hook (#43) — warns when the installed plugin version drifts from the repo manifest.
  • Auto-version-bump in Phase 4G (#43) — patch-segment only; runs LAST before any push/merge when plugin.json or .claude-plugin/plugin.json is present; bumps only when changed paths fall outside docs/, tests/, *.md. Also updates every locally-known .claude-plugin/marketplace.json that references this plugin. Minor/major bumps remain user-initiated.
  • Report evidence enforcement — Phase 4 Report fails if claimed metrics lack observer=... method=... artifact=....

Synthesis methodology

  • systemic-rca-doe (PR #53) — Design-of-Experiments evaluation harness for systemic root-cause analysis. Includes golden corpus (docs/test-fixtures/systemic-rca/golden-corpus.json), factor matrix, negative-example test (shallow-actor-blame), and eval scripts (scripts/systemic_rca_doe.py, scripts/systemic_rca_eval.py).
  • IBR explicit-only policy (PR #53) — IBR is no longer auto-routed into the build; Sub-step B uses the project-native ui-validator first. IBR remains available via explicit invocation.
  • Recent design structures gate — when uiTarget != null, the design-contract specialist consults skills/build-loop/references/recent-design-structures.md after the UI input/output contract exists. Backed by long-term memory decision 0094-2026-05-24-build-loop-design-structure-memory-policy in build-loop-memory/decisions/build-loop/, which keeps cross-project UI structure history outside the build-loop repo so it survives project deletion.

MCP + attribution + security

  • Stage-aware MCP security model (#40) — MCP tools gated by build phase; api-registry doc-cache bridge replaces direct vendor lookups where a registered source exists.
  • Canonical Apache 2.0 attribution (#41) — Tyrone Ross, Jr + GitHub noreply email tail; REUSE 3.3 + NOTICE + canary markers; auto-applied by build-loop's attribution-standard skill + Phase 1 detector.
  • Private-slug guard + CI enforcement — pre-commit + GitHub Actions guard scrubs private app slugs from this open-source repo; secret-driven denylist with re.escape hardening; SEC-001 through SEC-011 remediated.

Apple/SourceKit triage

  • SourceKit ghost-diagnostic triage helper (R2 Wave 2) — distinguishes the two Xcode 26 false-positive modes (new-file-not-in-pbxproj vs cross-file index lag) so the build doesn't chase ghost errors.

Migration

For users on v0.10.0:

# 1. Pull the latest build-loop and update the plugin cache
cd ~/dev/git-folder/build-loop && git pull origin main

# 2. Reinstall the plugin so .codex-plugin/ and .claude-plugin/ sync
#    (Claude Code: /plugin reinstall build-loop@rosslabs-ai-toolkit)
#    The SessionStart hook will auto-invoke rally_point.session_probe on
#    the next session — no manual probe call is needed.

# 3. Install the per-repo post-commit hook so commits land in rally
python3 scripts/rally_point/install_git_hook.py --workdir .

# 4. (Optional) Inspect coordination state from any host
python3 scripts/agent_rally.py status --session-id <your-session-id>
python3 scripts/agent_rally.py where

No data migration required for v0.10.0's repo-episodic-memory store — that subsystem is unchanged. The long-term memory repo at build-loop-memory/ (per-project decisions under decisions/<project>/) continues to receive captures via the existing stop hook.

Compatibility

  • Wire-format: rally records carry build_loop_id, build_loop_started_at, build_loop_run_label as top-level fields starting this release. Older records without them ...
Read more

v0.10.0 — Repo-Episodic-Memory Framework

Choose a tag to compare

@tyroneross tyroneross released this 05 May 19:26

Headline

Episodic memory framework migrated from per-repo .episodic/decisions/ + per-project Postgres schema to a global private repo (build-loop-memory) + single personal_memory schema, tagged by project. Lessons learned now survive project deletion and are scoped via project tags rather than directory boundaries.

What changed

New: global path/schema resolver

  • scripts/_paths.py — single source of truth for agent_memory_root(), decisions_dir_for_project(project), default_schema(). Env-overridable via $AGENT_MEMORY_ROOT, $AGENT_MEMORY_SCHEMA.
  • scripts/project_resolver.py — maps cwd → project tag via <root>/.config/projects.yaml. Longest-prefix-match; falls back to _unscoped.
  • New --all-projects flag on recall.py. Default scope: current project + _unscoped (universal lessons always visible).

SQL parameterization

  • init_agent_memory_schema.sql and migrate_schema_to_1024.sql now take :schema as a psql variable. Default: personal_memory. Apply with psql -d agent_memory -v schema=<name> -f scripts/init_agent_memory_schema.sql.

Codex plugin parity

  • .codex-plugin/plugin.json synced to current version (was stuck at 0.4.0). New manifest-parity test enforces Claude/Codex sync going forward.

Security hardening

  • SQL injection allowlist on recall.py field filters.
  • Path-traversal guard + canonical-root assertion on decisions_dir_for_project.
  • Test suite isolated from real memory store via _test_helpers.MemIsolationMixin.
  • Personal data leaks (private paths in SQL comments, hardcoded test paths, project names in test fixtures) replaced with generic placeholders.
  • Remaining medium/low findings tracked in docs/SECURITY_FOLLOWUP_2026-05-05.md.

Migration

For existing users: run once to bootstrap the global memory store.

# 1. Create the private memory repo (or use any path via $AGENT_MEMORY_ROOT)
mkdir -p ~/dev/git-folder/build-loop-memory/decisions/_unscoped
mkdir -p ~/dev/git-folder/build-loop-memory/.config

# 2. Create the projects.yaml mapping
cat > ~/dev/git-folder/build-loop-memory/.config/projects.yaml <<YAML
default: _unscoped
projects:
  - path: ~/dev/git-folder/your-project
    project: your-project
YAML

# 3. Bootstrap the personal_memory Postgres schema
psql -d agent_memory -v schema=personal_memory -f scripts/init_agent_memory_schema.sql

# 4. (Optional) Migrate existing .episodic/decisions/ from per-repo to global
cp -r ~/your-project/.episodic/decisions/*.md ~/dev/git-folder/build-loop-memory/decisions/your-project/
python3 scripts/sync_db_from_files.py --workdir ~/dev/git-folder/build-loop-memory --include-history

Compatibility

  • Stop hook command in hooks/hooks.json unchanged — fires scan_transcript_for_decisions.py which now writes to the global location automatically.
  • Scripts honor $AGENT_MEMORY_ROOT for testing/staging environments.
  • Phase D 7-day soak in progress; legacy build_loop_memory Postgres schema and per-repo .episodic/decisions/ retained as backup until checkpoint passes (~2026-05-12).

Files

  • 24 changed files in scripts/, +884/-91 over the v0.9.0 release.
  • New: _paths.py, project_resolver.py, test_project_resolver.py, _test_helpers.py, SECURITY_FOLLOWUP_2026-05-05.md, HANDOFF_2026-05-05_repo-episodic-memory.md.

🤖 Generated with Claude Code

v0.2.0

Choose a tag to compare

@tyroneross tyroneross released this 18 Apr 04:16

Install

/plugin marketplace add tyroneross/build-loop
/plugin install build-loop@build-loop

What is build-loop?

An orchestrated 8-phase development loop for Claude Code: assess → define → plan → execute → validate → iterate → fact-check → report.

Built-in eval grading, fact verification, mock data scanning, and Sonnet-heavy execution with adversarial critic pass. Typical build: Opus plans once, Sonnet handles bounded execution and adversarial review, Haiku does pattern matching — estimated 4x cheaper than single-pass Opus.

Changes

  • Dropped pre-release designation — build-loop is now stable at v0.2.0
  • No breaking changes from 0.2.0-alpha