From 1b182d5b06c288792286059b07ba7105a886335a Mon Sep 17 00:00:00 2001 From: Talgat Ryshmanov Date: Tue, 31 Mar 2026 15:04:38 -0400 Subject: [PATCH] chore: finalize changelog for v1.1.0 --- CHANGELOG.md | 62 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 22 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f788c83..1190dfe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,26 +8,11 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and ### Added -- [semver:minor] Added an `assessment` scan profile that sharpens govern-first action-path output for customer readouts while keeping raw findings and proof artifacts unchanged. -- [semver:minor] Added an AI-first assessment summary to report output so customer readouts lead with governable paths, top control targets, and offline proof location. -- [semver:minor] Added identity exposure summaries and first-review or first-revoke recommendations for non-human execution identities backing risky govern-first paths. -- [semver:minor] Action paths now classify the business state they can change and flag shared or standing-privilege identity reuse on repeated risky paths. -- [semver:minor] Added grouped `exposure_groups` summaries so repeated risky paths can be reviewed as stable report clusters without hiding raw path detail. +- (none yet) ### Changed -- Release prep now uses `scripts/finalize_release_changelog.py` to promote `## [Unreleased]` entries into a dated versioned section and reset `Unreleased` for the next cycle. -- Tag workflows now use `scripts/validate_release_changelog.py` to fail closed when the prepared versioned changelog section does not match the release tag. -- `scripts/resolve_release_version.py` now validates explicit release versions against the changelog-derived semver bump instead of accepting mismatched manual versions. -- Planning skills now require every story to declare changelog impact, target changelog section, and draft `Unreleased` entry so release semver can be derived deterministically from implemented work. -- Implementation skills now apply those planned changelog fields to `CHANGELOG.md` `## [Unreleased]` instead of re-deciding release-note scope during implementation. -- Org scans now stream deterministic progress events to stderr during execution while preserving stdout JSON contracts. 
-- Scan and report summaries now prioritize govern-first AI action paths ahead of generic supporting findings when risky paths are present. -- Govern-first `recommended_action` output now differentiates inventory, approval, proof, and control based on path context instead of collapsing most paths to approval. -- Clarified the public `action_paths[*].path_id` contract and aligned docs and contract tests with the shipped deterministic identifier format. -- Clarified scan and report wording so Wrkr's customer-facing output stays explicitly scoped to static posture, risky paths, and offline-verifiable proof. -- Govern-first summaries now highlight ownership quality and ownerless exposure so unresolved or conflicting ownership is explicit in top action paths. -- Updated scan, evidence, campaign, and extension-detector docs plus regression coverage to match the hardened contract and boundary behavior. +- (none yet) ### Deprecated @@ -39,12 +24,11 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and ### Fixed -- Deduplicated govern-first `action_paths` so each deterministic action path emits one unique `path_id` row per scan. -- Priority detectors now surface permission and stat failures consistently in scan output so incomplete visibility is explicit. -- Made scan artifact publication transactional so failed late writes no longer leave mixed state, proof, and manifest generations on disk. -- `wrkr campaign aggregate` now rejects non-scan JSON and incomplete artifacts with stable `invalid_input` errors instead of summarizing them as posture evidence. -- Repo-local extension detectors now stay on additive finding surfaces by default and no longer create implicit tool identities, action paths, or regress state. +- (none yet) + +### Security +- (none yet) ## Changelog maintenance process 
@@ -54,6 +38,40 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and 4. Keep entries concise and operator-facing: what changed, why it matters, and any migration/action notes. 5. Link release notes and tag artifacts to the finalized changelog section. +## [v1.1.0] - 2026-03-31 + + +### Added + +- Added an `assessment` scan profile that sharpens govern-first action-path output for customer readouts while keeping raw findings and proof artifacts unchanged. +- Added an AI-first assessment summary to report output so customer readouts lead with governable paths, top control targets, and offline proof location. +- Added identity exposure summaries and first-review or first-revoke recommendations for non-human execution identities backing risky govern-first paths. +- Action paths now classify the business state they can change and flag shared or standing-privilege identity reuse on repeated risky paths. +- Added grouped `exposure_groups` summaries so repeated risky paths can be reviewed as stable report clusters without hiding raw path detail. + +### Changed + +- Release prep now uses `scripts/finalize_release_changelog.py` to promote `## [Unreleased]` entries into a dated versioned section and reset `Unreleased` for the next cycle. +- Tag workflows now use `scripts/validate_release_changelog.py` to fail closed when the prepared versioned changelog section does not match the release tag. +- `scripts/resolve_release_version.py` now validates explicit release versions against the changelog-derived semver bump instead of accepting mismatched manual versions. +- Planning skills now require every story to declare changelog impact, target changelog section, and draft `Unreleased` entry so release semver can be derived deterministically from implemented work. +- Implementation skills now apply those planned changelog fields to `CHANGELOG.md` `## [Unreleased]` instead of re-deciding release-note scope during implementation. 
+- Org scans now stream deterministic progress events to stderr during execution while preserving stdout JSON contracts. +- Scan and report summaries now prioritize govern-first AI action paths ahead of generic supporting findings when risky paths are present. +- Govern-first `recommended_action` output now differentiates inventory, approval, proof, and control based on path context instead of collapsing most paths to approval. +- Clarified the public `action_paths[*].path_id` contract and aligned docs and contract tests with the shipped deterministic identifier format. +- Clarified scan and report wording so Wrkr's customer-facing output stays explicitly scoped to static posture, risky paths, and offline-verifiable proof. +- Govern-first summaries now highlight ownership quality and ownerless exposure so unresolved or conflicting ownership is explicit in top action paths. +- Updated scan, evidence, campaign, and extension-detector docs plus regression coverage to match the hardened contract and boundary behavior. + +### Fixed + +- Deduplicated govern-first `action_paths` so each deterministic action path emits one unique `path_id` row per scan. +- Priority detectors now surface permission and stat failures consistently in scan output so incomplete visibility is explicit. +- Made scan artifact publication transactional so failed late writes no longer leave mixed state, proof, and manifest generations on disk. +- `wrkr campaign aggregate` now rejects non-scan JSON and incomplete artifacts with stable `invalid_input` errors instead of summarizing them as posture evidence. +- Repo-local extension detectors now stay on additive finding surfaces by default and no longer create implicit tool identities, action paths, or regress state. + ## [v1.0.11] - 2026-03-26
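Review bot: In the first hunk (`@@ -8,26 +8,11 @@`), the five removed `### Added` entries carry a `[semver:minor]` prefix, but the same entries re-added under `## [v1.1.0] - 2026-03-31` in the last hunk have it stripped, so the finalized section no longer records which entries justified the minor bump. If the stripping is the intended output of `scripts/finalize_release_changelog.py`, document that in the "Changelog maintenance process" steps. Otherwise keep the marker on promoted entries so the bump can be re-derived from the versioned section alone.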
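Review bot: The second hunk (`@@ -39,12 +24,11 @@`) introduces a `### Security` heading under Unreleased that has no counterpart on the removed side, which is a template change rather than a promotion of existing entries, and the commit subject ("chore: finalize changelog for v1.1.0") does not mention it. Note it in the commit message, and confirm that `scripts/validate_release_changelog.py` and `scripts/resolve_release_version.py` accept the new heading and treat `- (none yet)` as an empty section rather than as an entry.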
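Review bot: In the last hunk (`@@ -54,6 +38,40 @@`), `## [v1.1.0] - 2026-03-31` is followed by two empty added lines before `### Added`, while the other headings in this patch are followed by one. Drop the extra blank line, and if `scripts/finalize_release_changelog.py` produced it, fix the spacing there so later releases do not repeat it.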