From 115dd383160526d7924de7e50903741546cd44f5 Mon Sep 17 00:00:00 2001 From: Christopher Plieger <917744+cplieger@users.noreply.github.com> Date: Fri, 10 Jul 2026 01:02:27 +0200 Subject: [PATCH] chore: update Renovate preset for stable TypeScript 7 and the web-terminal-kiro rename default.json: drop the @typescript/native-preview dev-channel followTag rule and the moot <7 typescript cap (typescript now aliases to @typescript/typescript6, 6.x-only); repoint the per-arch native-tsc SHA-bump rule to depName typescript scoped to cplieger/web-terminal-kiro; rename remaining vibecli references to web-terminal-kiro. Also carries pre-existing ROADMAP + assurance-case edits. --- ROADMAP.md | 10 +--------- assurance-case.md | 2 +- default.json | 35 +++++++++++++++-------------------- 3 files changed, 17 insertions(+), 30 deletions(-) diff --git a/ROADMAP.md b/ROADMAP.md index c1d2656..ef4e78e 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -3,7 +3,7 @@ This is the default roadmap for the `cplieger` repositories. It applies to the mature libraries, container images, and tools whose scope is stable. Actively evolving applications keep a repo-specific `ROADMAP.md` that takes precedence -(currently: `subflux`, `vibekit`, `vibecli`). +(currently: `subflux`, `vibekit`, `web-terminal-kiro`). Most of these projects are **feature-complete and in maintenance mode**: they do one thing, the public surface is intentionally small and stable, and "done" is a @@ -26,14 +26,6 @@ healthy rather than growing scope. - **Bug and security response.** Reported issues and vulnerabilities are triaged and fixed per [SECURITY.md](./SECURITY.md). -## Repositories with a TypeScript surface - -For repositories that ship or build TypeScript (the TS libraries and the -applications with a web frontend): **adopt the stable `tsgo` -([@typescript/native-preview](https://www.npmjs.com/package/@typescript/native-preview)) -release once it reaches general availability**, replacing the pinned preview -currently used for typechecking. - ## Scope changes New features are considered on their merits via GitHub Issues. Because the diff --git a/assurance-case.md b/assurance-case.md index 4b76f89..784a342 100644 --- a/assurance-case.md +++ b/assurance-case.md @@ -4,7 +4,7 @@ This document explains why the `cplieger` projects are considered _adequately secure_ for their intended use. It is the shared (default) assurance case for every public repository; repositories with a larger or more sensitive attack surface (for example `auth`, `ssrf`, `cert-converter`, `docker-age`, -`pg-autodump`, `subflux`, `vibekit`, `vibecli`) carry a repo-specific +`pg-autodump`, `subflux`, `vibekit`, `web-terminal-kiro`) carry a repo-specific `docs/assurance-case.md` that extends this one with details of their own threat model. diff --git a/default.json b/default.json index ed6d347..cbb9274 100644 --- a/default.json +++ b/default.json @@ -92,14 +92,6 @@ ], "semanticCommitScope": "devdeps" }, - { - "description": "tsgo / @typescript/native-preview (TypeScript 7 native compiler) is in active prerelease (7.0.0-dev.*); follow the latest dist-tag (Microsoft's curated channel, current Go-stdlib CVE fixes) and accept prereleases. Applies wherever the package appears (subflux/vibekit/vibecli); no-op elsewhere. Remove when TS7 ships a stable major.", - "matchPackageNames": [ - "@typescript/native-preview" - ], - "followTag": "latest", - "ignoreUnstable": false - }, { "description": "Adopt our own first-party libraries immediately (skip the config:best-practices minimum-release-age / stability-days wait). We author and release these ourselves (@cplieger/* on npm/JSR, github.com/cplieger/* Go modules); the release-to-Renovate-to-redeploy chain is intentional, so the bake window only adds friction and blocks propagation of our own versions. Third-party deps keep the inherited stability window.", "matchPackageNames": [ @@ -174,22 +166,25 @@ "minimumReleaseAge": "1 day" }, { - "description": "vibecli's Dockerfile (and the sister vibekit image, same approach) pins tsgo via @typescript/native-preview plus a per-arch sha256 (TSGO_SHA256_X64 / TSGO_SHA256_ARM64) of the platform-specific tarballs, which publish in lockstep at the same version. The generic Dockerfile customManager rewrites TSGO_VERSION but leaves the shas stale, fail-closing the build. Label the PR and embed the per-arch recompute commands. matchDepNames keeps it a no-op for repos without this pin.", + "description": "web-terminal-kiro's Dockerfile SHA-pins the TypeScript 7 native-compiler tarball per arch (TS_SHA256_X64 / TS_SHA256_ARM64) on top of the version pin; the two platform packages (@typescript/typescript-linux-{x64,arm64}) publish in lockstep at the same version. The generic Dockerfile customManager rewrites TS_VERSION but leaves the shas stale (npm exposes SHA-512 dist.integrity, not the SHA-256 the Dockerfile verifies), fail-closing the build. Label the PR and embed the per-arch recompute commands. Scoped by matchRepositories to the repos that carry this pin, so it never labels the ones that fetch tsc without a sha gate (subflux/vibekit/web-terminal-server).", "matchManagers": [ "custom.regex" ], "matchDepNames": [ - "@typescript/native-preview" + "typescript" + ], + "matchRepositories": [ + "cplieger/web-terminal-kiro" ], "addLabels": [ "manual-sha-bump" ], "prBodyNotes": [ - ":warning: **Manual SHA bump required.** Recompute both per-arch tsgo pins and paste them into the Dockerfile in this PR:\n\n```sh\n# TSGO_SHA256_X64\ncurl -fsSL \"https://registry.npmjs.org/@typescript/native-preview-linux-x64/-/native-preview-linux-x64-{{{newVersion}}}.tgz\" | sha256sum\n# TSGO_SHA256_ARM64\ncurl -fsSL \"https://registry.npmjs.org/@typescript/native-preview-linux-arm64/-/native-preview-linux-arm64-{{{newVersion}}}.tgz\" | sha256sum\n```" + ":warning: **Manual SHA bump required.** Recompute both per-arch tsc pins and paste them into the Dockerfile in this PR:\n\n```sh\n# TS_SHA256_X64\ncurl -fsSL \"https://registry.npmjs.org/@typescript/typescript-linux-x64/-/typescript-linux-x64-{{{newVersion}}}.tgz\" | sha256sum\n# TS_SHA256_ARM64\ncurl -fsSL \"https://registry.npmjs.org/@typescript/typescript-linux-arm64/-/typescript-linux-arm64-{{{newVersion}}}.tgz\" | sha256sum\n```" ] }, { - "description": "vibecli's Dockerfile pins the Nerd Font release tag plus the sha256 of Monaspace.tar.xz (NERDFONT_SHA256). GitHub release assets are mutable, so this gate is the real integrity anchor. The generic Dockerfile customManager rewrites NERDFONT_VERSION but leaves the sha stale, fail-closing the build. Label the PR and embed the recompute command. matchDepNames keeps it a no-op for repos without this pin.", + "description": "web-terminal-kiro's Dockerfile pins the Nerd Font release tag plus the sha256 of Monaspace.tar.xz (NERDFONT_SHA256). GitHub release assets are mutable, so this gate is the real integrity anchor. The generic Dockerfile customManager rewrites NERDFONT_VERSION but leaves the sha stale, fail-closing the build. Label the PR and embed the recompute command. matchDepNames keeps it a no-op for repos without this pin.", "matchManagers": [ "custom.regex" ], @@ -270,7 +265,7 @@ }, { "customType": "regex", - "description": "Go toolchain per-arch tarball sha256 pins (vibecli). Pairs with the golang-amd64 / golang-arm64 customDatasources to auto-update GO_SHA256_AMD64 / GO_SHA256_ARM64 alongside GO_VERSION, grouped into one 'golang toolchain' PR by the packageRule below — this replaced the former golang manual-sha-bump rule. The `# go` trailer on each ARG line is the load-bearing anchor that carries the version Renovate needs to look up that arch's digest; the arch is captured and routed to the matching custom datasource via datasourceTemplate. re2-safe (no lookbehind); GO_VERSION and the two sha lines are distinct non-overlapping lines, so grouped edits apply cleanly. A no-op in every repo without these `datasource=custom.golang-*` comments (vibekit / web-terminal-server pin only the version, so only the generic manager above fires there).", + "description": "Go toolchain per-arch tarball sha256 pins (web-terminal-kiro). Pairs with the golang-amd64 / golang-arm64 customDatasources to auto-update GO_SHA256_AMD64 / GO_SHA256_ARM64 alongside GO_VERSION, grouped into one 'golang toolchain' PR by the packageRule below — this replaced the former golang manual-sha-bump rule. The `# go` trailer on each ARG line is the load-bearing anchor that carries the version Renovate needs to look up that arch's digest; the arch is captured and routed to the matching custom datasource via datasourceTemplate. re2-safe (no lookbehind); GO_VERSION and the two sha lines are distinct non-overlapping lines, so grouped edits apply cleanly. A no-op in every repo without these `datasource=custom.golang-*` comments (vibekit / web-terminal-server pin only the version, so only the generic manager above fires there).", "managerFilePatterns": [ "/Dockerfile$/" ], @@ -282,7 +277,7 @@ }, { "customType": "regex", - "description": "Workflow + composite-action tool version pins (golangci-lint, shellcheck, trivy, markdownlint-cli2, ruff, git-cliff, tsgo, etc.) via a renovate comment + an optionally-prefixed VERSION= assignment. The optional uppercase prefix lets prefixed vars (CLIFF_VERSION, TSGO_VERSION) be tracked alongside a bare VERSION=, and the action.yml pattern covers composite actions under actions/**.", + "description": "Workflow + composite-action tool version pins (golangci-lint, shellcheck, trivy, markdownlint-cli2, ruff, git-cliff, etc.) via a renovate comment + an optionally-prefixed VERSION= assignment. The optional uppercase prefix lets prefixed vars (e.g. CLIFF_VERSION) be tracked alongside a bare VERSION=, and the action.yml pattern covers composite actions under actions/**.", "managerFilePatterns": [ "/^\\.github/workflows/.+\\.ya?ml$/", "/(^|/)action\\.ya?ml$/" @@ -293,7 +288,7 @@ }, { "customType": "regex", - "description": "kiro-cli version + sha256 pinned in entrypoint.sh (vibecli/vibekit)", + "description": "kiro-cli version + sha256 pinned in entrypoint.sh (web-terminal-kiro/vibekit)", "managerFilePatterns": [ "/entrypoint\\.sh$/" ], @@ -304,7 +299,7 @@ }, { "customType": "regex", - "description": "tools.json github entries (vibekit/vibecli)", + "description": "tools.json github entries (vibekit/web-terminal-kiro)", "managerFilePatterns": [ "/tools\\.json$/" ], @@ -315,7 +310,7 @@ }, { "customType": "regex", - "description": "tools.json gitlab entries (vibekit/vibecli)", + "description": "tools.json gitlab entries (vibekit/web-terminal-kiro)", "managerFilePatterns": [ "/tools\\.json$/" ], @@ -326,7 +321,7 @@ }, { "customType": "regex", - "description": "tools.json npm entries (vibekit/vibecli)", + "description": "tools.json npm entries (vibekit/web-terminal-kiro)", "managerFilePatterns": [ "/tools\\.json$/" ], @@ -337,7 +332,7 @@ }, { "customType": "regex", - "description": "tools.json gomod entries (vibekit/vibecli)", + "description": "tools.json gomod entries (vibekit/web-terminal-kiro)", "managerFilePatterns": [ "/tools\\.json$/" ], @@ -348,7 +343,7 @@ }, { "customType": "regex", - "description": "tools.json rubygems entries (vibekit/vibecli)", + "description": "tools.json rubygems entries (vibekit/web-terminal-kiro)", "managerFilePatterns": [ "/tools\\.json$/" ],