v0.11.0

[0.11.0] - 2026-04-16

Synchronized version bump for all @stackbilt/* packages to 0.11.0.

Added

• STACKBILT_API_KEY environment variable — charter run and charter architect now resolve the API key from STACKBILT_API_KEY first, falling back to stored credentials only if the env var is absent or blank. This lets users authenticate the commercial commands without writing a token to ~/.charter/credentials.json.
• STACKBILT_API_BASE_URL environment variable — companion to STACKBILT_API_KEY; sets a custom engine base URL for env-var-authenticated callers. Preserves parity with the stored-credentials path (charter login --url …).
• resolveApiKey() helper exported from @stackbilt/cli's credentials module (env-var precedence, trimmed, returns { apiKey, source: 'env' | 'credentials', baseUrl? }).
• analyze() + Zod schemas for @stackbilt/blast — new high-level analyze(input: BlastInput): BlastOutput entry point, plus BlastInputSchema, BlastOutputSchema, and DEFAULT_MAX_DEPTH exports. The Zod schemas are the authoritative input/output contract shared by the CLI and MCP tool adapters. Existing buildGraph / blastRadius / topHotFiles / extractImports exports preserved.
• charter_blast MCP tool — charter serve now registers a callable tool for blast-radius analysis, in addition to the existing resource-style governance tools. Agents can query the reverse dependency graph via MCP; tsconfig path aliases are auto-detected at the scan root.

Deprecated

• charter login — emits a deprecation notice on every invocation. Functionality unchanged; scheduled for removal in 1.0 when gateway-bound commands (login, run, architect, scaffold) move out of @stackbilt/cli into a separate @stackbilt/build package.

Changed

• Scaffold auth-error message now points users at STACKBILT_API_KEY as the primary path, with charter login marked deprecated.
• CLI README gains a short "Authentication (optional)" section documenting the env-var path.
• @stackbilt/blast gains zod (^3.24.1) as a runtime dependency. The "zero runtime dependencies" README claim is updated — Zod is the authoritative contract at the package boundary.
• topHotFiles ties now break deterministically by filename ascending, so output is stable across Node majors and filesystem scan order.
• charter blast CLI routes argv through BlastInputSchema — invalid --depth values surface as a structured Zod validation error instead of a hand-rolled check.

What's Changed

• docs: post-0.10.0 state refresh + http-client comment fix by @stackbilt-admin in #95
• feat(adf): typed-data-access policy module + named-scaffold registry (#69 Session 1) by @stackbilt-admin in #96
• feat(validate): ontology policy check (#69 Session 2) by @stackbilt-admin in #97
• fix(cli,blast): accept ea_ key prefix + exclude .claude/ from graph scan by @stackbilt-admin in #99
• chore(ci): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @dependabot[bot] in #105
• chore(deps): bump vitest from 4.0.18 to 4.1.4 by @dependabot[bot] in #107
• chore(ci): bump softprops/action-gh-release from 2.6.1 to 3.0.0 by @dependabot[bot] in #106
• chore(deps): bump @types/node from 25.5.0 to 25.6.0 by @dependabot[bot] in #108
• feat(cli): STACKBILT_API_KEY env var auth; deprecate charter login by @stackbilt-admin in #111
• refactor(blast,cli,serve): Zod-Core-Out vertical slice (#109) by @stackbilt-admin in #110

Full Changelog: v0.10.0...v0.11.0

v0.10.0

[0.10.0] - 2026-04-09

Synchronized version bump for all @stackbilt/* packages to 0.10.0.

Added

• charter blast <files> — Compute blast radius for a set of seed files. Builds a reverse dependency graph by walking TS/JS imports and BFS-traverses up to a configurable depth. Reports affected files, hot files (most imported), and warns on ≥20-file blast radius as a CROSS_CUTTING signal.

  Import resolution handles: ES modules, CommonJS require, dynamic import(), re-exports, ESM .js → .ts rewrite, tsconfig path aliases (including extends chains), src/index.* monorepo fallback, package.json source/types/main fields, index files, cycles, and comment stripping. Zero runtime dependencies.

• charter surface — Extract the API surface of a project. Detects HTTP routes from Hono, Express, and itty-router (regex-based, requires / prefix to reduce false positives) and parses D1/SQLite CREATE TABLE statements with column flags (pk, unique, nullable, default). Strips block and line comments before scanning. Ignores __tests__/, *.test.*, *.spec.* files. Supports --markdown output for injection into .ai/ modules or AI mission briefs. Zero runtime dependencies.

• @stackbilt/blast — New standalone package exporting buildGraph, blastRadius, extractImports, resolveSpecifier, topHotFiles. 19 tests.

• @stackbilt/surface — New standalone package exporting extractSurface, extractRoutes, extractSchema, formatSurfaceMarkdown. 14 tests.

• .ai/analysis.adf — New on-demand ADF module documenting the analysis subsystem (blast + surface). Triggers on blast, surface, dependency graph, blast radius, route extraction, schema extraction.

Rationale

Originally inspired by analysis of the CodeSight project's blast-radius and route-detection patterns. Extracted the two highest-value algorithms into Charter as deterministic (no LLM) commands that feed into governance workflows: blast radius for CROSS_CUTTING classification, surface extraction for auto-generated .ai/surface.adf modules and cc-taskrunner mission-brief fingerprinting.

Validated on

Real-world dogfooding caught six bugs that made it into the first commit and were fixed before release:

1. Global CLI flags (--format, --config) being swept into positional seed list
2. JSDoc example strings matching as real routes
3. Test fixture routes matching as real routes
4. tsconfig extends chain not being followed, breaking monorepo alias resolution
5. Package alias resolving to compiled .d.ts instead of source .ts
6. ESM .js → .ts extension rewrite missing for TypeScript ESM projects

Validation runs:

• AEGIS web Worker (263 files): 95 routes + 50 D1 tables extracted in ~15s. dispatch.ts blast radius = 72, types.ts = 127, PWA fix files = 1.
• Charter monorepo (121 files): 0 routes (correctly identifies as CLI, not Worker). packages/types/src/index.ts blast radius = 27 files across cli/adf/git/validate/drift.

All 345 existing tests pass.

What's Changed

• [auto] [Issue #59] Suppress release.yml false-failure notifications by @stackbilt-admin in #62
• [auto] [Issue #61] Guided onboarding for charter init by @stackbilt-admin in #63
• [auto] fix: bootstrap --yes vs --force separation + backup + orphan detection by @stackbilt-admin in #67
• fix: sentinel awareness, fmt normalization, lifecycle-scaled scoring by @stackbilt-admin in #76
• chore(deps): bump @types/node from 25.2.3 to 25.5.0 by @dependabot[bot] in #84
• chore(ci): bump pnpm/action-setup from a15d269cd4658e1107c09f1fabf4cbd7bd1f308a to fc06bc1257f339d1d5d8b3a19a8cae5388b55320 by @dependabot[bot] in #78
• chore(ci): bump actions/upload-artifact from 4.6.2 to 7.0.0 by @dependabot[bot] in #77
• chore(deps): bump @modelcontextprotocol/sdk from 1.27.1 to 1.29.0 by @dependabot[bot] in #83
• docs: add WSL2 + Windows filesystem install guidance by @stackbilt-admin in #91
• fix(cli): vendor scaffold-response types, unblock 0.10.0 publish by @stackbilt-admin in #93

New Contributors

• @dependabot[bot] made their first contribution in #84

Full Changelog: v0.9.2...v0.10.0

v0.9.0 — stackbilt run

What's New

stackbilt run command

One command to architect and scaffold a Cloudflare Worker project:

npx @stackbilt/cli run "Multi-tenant SaaS API with auth and billing"

Animated 6-mode output (PRODUCT, UX, RISK, ARCHITECT, TDD, SPRINT) with real-time progress. Files written to disk immediately.

stackbilt binary alias

The CLI is now accessible as both charter and stackbilt:

# These are equivalent:
stackbilt run "My API"
charter run "My API"
npx @stackbilt/cli run "My API"

Full Changelog

See CHANGELOG.md for details.

v0.6.0

v0.6.0 — ADF Architecture & Bootstrap Stabilization

10 issues, 10 PRs, 251 tests across 4 phases.

Phase 1 — Fix Blocking Bugs

• fix(bootstrap): on-demand ADF modules missing after bootstrap (#4, #14)
• fix(adf): adf init --module additive when .ai/ exists (#5, #13)

Phase 2 — Bootstrap/Migrate Features

• feat(adf): migrate classifies rules into on-demand modules (#6, #15)
• feat(setup): --preset docs for non-code workspaces (#3, #16)
• feat(bootstrap): integrate adf migrate into bootstrap flow (#7, #17)

Phase 3 — ADF Architecture (P0)

• refactor(adf): split bundler into manifest.ts, merger.ts, bundler.ts (#8, #18)
• feat(adf): unified evaluateEvidence() pipeline (#9, #19)

Phase 4 — ADF Architecture (P1/P2)

• refactor(adf): patcher handler map + shared helpers (#12, #20)
• feat(adf): configurable ClassifierConfig and StrengthConfig (#11, #21)
• refactor(adf): types.ts split into 6 domain-owned modules (#10, #22)

Full details in CHANGELOG.md.

v0.5.0

Highlights

• Cross-platform parity: Unified git-helpers.ts module with shell: true resolves WSL/CMD/PowerShell PATH issues — hook install, audit, validate, and why commands now work consistently across all platforms.
• charter adf metrics recalibrate: New subcommand to re-measure LOC, propose ceilings with headroom, and update baselines with required rationale trail.
• ADX-005 bug fixes: 5 findings resolved (hook install git detection, migrate prose sections, doctor thin pointer false positive, EPERM hint, audit no-HEAD guard).

What's Changed

Added

• Cross-platform git helpers module replacing ~6 duplicated implementations
• charter adf metrics recalibrate with budget rationale trail
• EPERM/EACCES retry hint in bootstrap install step
• No-HEAD guard in audit command
• ADX-005 feedback paper and papers directory restructure
• Papers lint script for frontmatter validation
• Custom /commit Claude Code skill

Fixed

• Hook install "not inside git repo" on WSL/PowerShell (F2)
• adf migrate ADD_BULLET on prose/text sections (F3)
• Doctor false positive on .cursorrules thin pointers (F4)

Changed

• Stale baseline detection in adf evidence with structured warnings
• README updated with cross-platform support section and bootstrap docs
• All packages bumped 0.4.2 → 0.5.0

Full Changelog: v0.4.2...v0.5.0

---

Published packages: @stackbilt/cli, @stackbilt/adf, @stackbilt/core, @stackbilt/types, @stackbilt/git, @stackbilt/validate, @stackbilt/classify, @stackbilt/drift, @stackbilt/ci — all at 0.5.0

v0.4.2

[0.4.2] - 2026-02-27

Added

• charter doctor --adf-only mode: New mode runs strict ADF wiring validation only (manifest, required default-load wiring, module parseability, thin pointer integrity, sync lock status) for clean CI/pre-commit gating in repos that may not use .charter/ policy artifacts.
• ADF governance workflow hardening: setup --ci github workflow template now includes ADF Wiring & Pointer Integrity (doctor --adf-only --ci) and ADF Evidence (adf evidence --auto-measure --ci) steps when .ai/manifest.adf is present.
• Setup script sync expanded: setup now also syncs verify:adf, charter:doctor, and charter:adf:bundle scripts (in addition to detect/setup), so post-setup agent loops have first-class commands for ongoing governance.
• Repository adoption guardrails: setup docs/templates now include PR validation guidance (verify:adf) and .ai/* CODEOWNERS review ownership for explicit policy-change review.

Changed

• Pre-commit gate upgraded: charter hook install --pre-commit now prefers pnpm run verify:adf when available and otherwise enforces doctor --adf-only --ci + adf evidence --auto-measure --ci. This shifts enforcement from ceiling-only to full ADF routing + ceiling integrity.
• adf init scaffolding upgraded: now creates starter frontend.adf and backend.adf module stubs to avoid fatal missing-module experiences on first bundle.
• adf bundle missing on-demand behavior: missing ON_DEMAND module files are now reported as warnings (missingModules in JSON) instead of hard failures; missing DEFAULT_LOAD modules remain hard errors.
• adf sync --write empty-sync behavior clarified: when manifest has no SYNC entries, --write now writes an empty .adf.lock and reports tracked source semantics explicitly.

v0.4.1

[0.4.1] - 2026-02-27

Added

• charter doctor agent config pointer check: When .ai/manifest.adf exists, doctor now scans for agent config files (CLAUDE.md, .cursorrules, agents.md, AGENTS.md, GEMINI.md, copilot-instructions.md) that contain stack rules instead of thin pointers. Flags them with [warn] and suggests charter adf migrate --dry-run. Recognizes both pointer marker phrasings.

v0.4.0

[0.4.0] - 2026-02-26

Added

• charter hook install --pre-commit: New flag installs a git pre-commit hook that runs charter adf evidence --auto-measure --ci before each commit. Only gates when .ai/manifest.adf exists -- no-op otherwise. Uses npx charter for consuming repos. Both --commit-msg and --pre-commit can be passed together. Same skip/overwrite pattern with independent markers per hook type.
• Evidence pre-commit gate (this repo): .githooks/pre-commit now runs ADF evidence checks after typecheck, preventing LOC ceiling breaches from being committed. This is the self-regulating mechanism for unattended agent builds.

Changed

• adf.ts split into 4 files: adf.ts (966 LOC) refactored into adf.ts (412), adf-bundle.ts (153), adf-sync.ts (203), and adf-evidence.ts (262). Each file is independently tracked by its own METRICS ceiling. No behavioral changes -- purely structural.
• METRICS expanded from 4 to 8 entries: manifest.adf and core.adf now track adf_commands_loc, adf_bundle_loc, adf_sync_loc, adf_evidence_loc, adf_migrate_loc, bundler_loc, parser_loc, cli_entry_loc with appropriately sized ceilings.
• hook install error message updated: Now accepts --commit-msg and/or --pre-commit (previously required --commit-msg only).
• 178 tests across 12 test files (unchanged).

v0.3.3

[0.3.3] - 2026-02-26

Added

• charter bootstrap command: One-command repo onboarding that orchestrates detect → setup → ADF init → install → doctor in a single frictionless flow. Supports --ci github, --preset, --skip-install, --skip-doctor, and --format json for full machine-readable output including next-step plans.
• Thin pointer generation: charter adf init --emit-pointers (and bootstrap) generates thin CLAUDE.md, .cursorrules, and agents.md files that redirect to .ai/ — preventing rule duplication across agent config files.
• Rule-routing decision tree: adf init scaffold now includes a commented decision tree in core.adf guiding agents on where rules belong (CLAUDE.md vs core.adf vs domain modules), derived from ADX-002 agent DX feedback.
• Section taxonomy documentation: Generated core.adf template documents the open section taxonomy (CONTEXT, CONSTRAINTS, ADVISORY, METRICS), weight tags ([load-bearing], [advisory]), and custom section rules.
• charter adf sync --explain: New flag outputs the .adf.lock schema documentation (format, hash algorithm, commands, purpose) in both text and JSON, eliminating lockfile archaeology friction reported in ADX-001.
• Agent DX feedback papers: ADX-002 (rule routing friction), ADX-003 (install automation friction), and RM-001 (vNext roadmap draft) added to papers/.
• GitHub Actions governance workflow: Bootstrap and setup now generate .github/workflows/charter-governance.yml for PR governance checks.

Changed

• Scaffold templates shared: ADF scaffold constants (MANIFEST_SCAFFOLD, CORE_SCAFFOLD, STATE_SCAFFOLD) and pointer templates are now exported from the adf command module and shared with bootstrap, eliminating template drift.
• Setup functions exported: detectStack(), loadPackageContexts(), detectPackageManager(), and other setup utilities are now exported for reuse by the bootstrap command.

v0.3.2

[0.3.2] - 2026-02-26

Added

• Lockfile types exported: AdfLockfile and AdfSyncStatus interfaces now exported from @stackbilt/adf public API, giving agents .d.ts visibility into the .adf.lock schema without reverse-engineering compiled output.
• Lockfile schema documented: .adf.lock format (flat JSON map of filename → sha256-prefix-16) documented in the @stackbilt/adf README.
• pnpm run dev watch script: New tsc --build --watch dev script for incremental rebuilds during local development via tsconfig.build.json.
• Research papers directory: papers/ with versioned white papers (CSA-001: Context-as-Code v1.1, CSA-002: Greenfield measurement rubric draft) and Architect v2 integration brief.

Changed

• Build uses tsconfig.build.json: Root build script replaced hardcoded 9-path tsc --build invocation with a tsconfig.build.json reference file. TypeScript resolves build order from project references automatically.
• Publish workflow simplified: PUBLISHING.md no longer instructs manual workspace:^ replacement — PNPM handles this at publish time. Publish commands no longer need --access public flag.
• publishConfig.access: "public" declared in all 9 packages (previously only cli and adf).
• sideEffects: false declared in all 9 packages for bundler tree-shaking.