v0.27.1 — derived-project health cleanup

v0.27.1 is a patch release that clears derived-project health
warnings discovered during pk-resume, resolves outstanding
doctor/release hygiene issues, and keeps gateway-mode MCP configuration
quiet.

Fixed

• Fixed pk-doctor sensitive_data briefing examples so the checker no
  longer reports sensitive-data.url-credential against its own
  non-secret guidance text. Closes #64.
• Fixed pk-doctor sensitive_data false positives for documented
  placeholders, processkit timestamp/link examples, lexical-token helper
  code, and TeamMember PII that explicitly opts into committed identity
  fields. Closes #65.
• Added sqlite-vec to the pk-doctor MCP wrapper dependencies so the
  wrapper runtime matches the doctor subprocess and no longer reports
  missing semantic-index support. Closes #66.
• Fixed preauth_applied so managed gateway-mode projects treat
  mcp__processkit-gateway__* as covering proxied per-skill
  processkit tools for both Claude and Codex. Closes #67.
• Confirmed AGENTS.md hygiene preserves project-local pk-commands
  values while validating the command schema. Closes #68.
• Resolved pending/applied migration hygiene by applying the active
  migration, archiving old CLI migration briefings, and archiving applied
  Migration entities through processkit-owned archive paths. Closes #69.
• Reclassified absent supply-chain policy as informational advisory
  until a project opts into enforcement. Closes #70.

Verification

• uv run context/skills/processkit/pk-doctor/scripts/doctor.py --no-log
• uv run context/skills/processkit/pk-doctor/scripts/test_doctor.py
• uv run context/skills/processkit/release-audit/scripts/release_audit.py --json
• uv run scripts/smoke-test-servers.py

---

v0.27.0 - provider-neutral cleanup runbooks

v0.27.0 is a minor release that expands repository and runtime
cleanup planning for derived projects and fixes the supply-chain command
projection drift reported after v0.26.18.

Added

• Extended runtime-prune with provider-neutral cleanup scopes for
  repo-artifacts, tool-caches, action-artifacts,
  release-assets, and package-registry.
• Added provider-adapted external cleanup runbooks for GitHub, GitLab,
  Codeberg, Forgejo, Gitea, and generic/unknown forges. Each runbook
  now reports required_env, inventory_command, dry_run_command,
  apply_command, and space_estimate so a derived-project agent can
  advise before deletion and run the approved command when it has
  sufficient credentials.
• Added regression coverage for local artifact/cache allowlists,
  provider-neutral remote scopes, and GitHub/GitLab runbook adaptation.

Changed

• Documented runtime-prune as the canonical cleanup/space-recovery
  skill for local generated artifacts, tool caches, container cleanup
  planning, CI/action artifacts, release assets, and package/container
  registry versions.
• Remote cleanup remains outside MCP direct execution: plan_prune
  produces concrete dry-run/apply commands, while apply_prune returns
  host-action evidence for provider-owned scopes.

Fixed

• Fixed /pk-supply-chain command metadata so its command
  argument-hint matches metadata.processkit.commands[].args in both
  context/ and src/context/.
• Removed a stale tracked Codex command projection that caused
  commands_consistency.agent-only-command drift.

Verification

• python3 -m py_compile src/context/skills/processkit/runtime-prune/mcp/server.py src/context/skills/processkit/runtime-prune/scripts/test_runtime_prune.py
• uv run --with pytest --with mcp pytest -q src/context/skills/processkit/runtime-prune/scripts/test_runtime_prune.py
• uv run scripts/smoke-test-servers.py
• bash scripts/check-src-context-drift.sh --release-deliverable
• uv run context/skills/processkit/release-audit/scripts/release_audit.py --tree=src-context --repo-root .

---

v0.26.18 - typed MCP repair tools

v0.26.18 is a patch release that closes MCP repair-surface gaps for
derived projects and hardens process-instance creation.

Added

• Added workitem-management.update_workitem for scoped WorkItem
  repairs, including process_definition_artifact.
• Added binding-management.update_binding for scoped Binding repairs,
  including contract-bearing conditions updates.
• Added gate-management.update_gate for guarded Gate definition
  repairs, with force=True reserved for explicit emergency updates
  after evaluation history exists.
• Added focused regression tests for WorkItem process instances,
  Binding repairs, Gate repairs, and eval-gate partial-write behavior.

Fixed

• Fixed create_process_instance so it persists
  process_definition_artifact immediately and no longer treats short
  titles or step titles as invalid slug summaries.
• Fixed get_workitem to include full spec plus process-instance and
  process-step fields in its response.
• Fixed codify_eval so Gate validation happens before writing the
  eval-spec Artifact, avoiding stranded partial creations.
• Added pk-doctor repair guidance for v2 contract findings that can now
  be fixed through MCP tools instead of hand-editing entity files.

Verification

• python3 -m py_compile context/skills/processkit/binding-management/mcp/server.py context/skills/processkit/gate-management/mcp/server.py context/skills/processkit/eval-gate-authoring/mcp/server.py context/skills/processkit/workitem-management/mcp/server.py context/skills/processkit/pk-doctor/scripts/checks/v2_contracts.py
• uv run --with mcp --with pyyaml --with jsonschema context/skills/processkit/binding-management/scripts/test_binding_management.py
• uv run --with mcp --with pyyaml --with jsonschema context/skills/processkit/gate-management/scripts/test_gate_management.py
• uv run --with mcp --with pyyaml --with jsonschema context/skills/processkit/eval-gate-authoring/scripts/test_eval_gate_authoring.py
• uv run --with mcp --with pyyaml --with jsonschema context/skills/processkit/workitem-management/scripts/test_workitem_management.py
• uv run context/skills/processkit/pk-doctor/scripts/test_doctor.py
• uv run context/skills/processkit/pk-doctor/scripts/doctor.py --category=v2_contracts --json
• uv run scripts/smoke-test-servers.py
• uv run context/skills/processkit/release-audit/scripts/release_audit.py --tree=both --repo-root .
• bash scripts/check-src-context-drift.sh --release-deliverable

---

v0.26.17 - supply-chain audit surface

v0.26.17 is a patch release that adds the supply-chain audit
surface and tightens privacy/security advisory checks for derived
projects.

Added

• Added supply-chain-audit with /pk-supply-chain, a
  processkit-supply-chain-audit MCP server, offline npm lockfile
  inventory, license policy classification, JSON reporting, and
  CycloneDX-like SBOM export.
• Added opt-in supply-chain Phase 2 probes for local npm audit and
  npm outdated orchestration, plus Phase 3 supplier-quality advisory
  signals derived from local dependency metadata.
• Added pk-doctor supply_chain coverage for manifest/lockfile
  inventory, missing project supply-chain policy, license risk,
  vulnerability signals, outdated signals, and supplier-quality
  advisories.
• Added pk-doctor sensitive_data coverage with deterministic
  secret/PII patterns plus agent-facing deterministic and probabilistic
  briefing examples.

Changed

• Added release-process guidance requiring root LICENSE coverage in
  release tarballs, GitHub release assets, and the shipped release
  process template.
• Added a README license notice stating the maintainers' intent that
  the MIT License applies retroactively to historical repository commits,
  tags, and release artifacts unless a file states otherwise.

Verification

• python3 -m py_compile context/skills/processkit/supply-chain-audit/scripts/supply_chain_audit.py context/skills/processkit/supply-chain-audit/mcp/server.py src/context/skills/processkit/supply-chain-audit/scripts/supply_chain_audit.py src/context/skills/processkit/supply-chain-audit/mcp/server.py
• uv run context/skills/processkit/supply-chain-audit/scripts/test_supply_chain_audit.py
• uv run context/skills/processkit/pk-doctor/scripts/test_doctor.py
• uv run context/skills/processkit/pk-doctor/scripts/doctor.py --category=supply_chain --json
• uv run context/skills/processkit/release-audit/scripts/release_audit.py --tree=both --repo-root .
• bash scripts/check-src-context-drift.sh --release-deliverable

---

v0.26.16 — TeamMember privacy defaults

v0.26.16 is a patch release that hardens TeamMember privacy defaults
so derived projects do not commit ambient human identity data by default.

Changed

• Human TeamMember creation and update now store repo-visible identity as
  alias-only metadata by default: the committed display name is the slug,
  and email/handle are dropped unless the caller explicitly passes
  allow_committed_pii=true.
• The human TeamMember template now uses a generic human-user alias,
  disables memory and export by default, and omits personal contact
  placeholders.
• Team-manager guidance now states that humans must not be auto-created
  from ambient host, git, or harness identity.

Fixed

• Added a team.privacy.committed_pii consistency warning, surfaced
  through pk-doctor's team_consistency category, for legacy human
  TeamMembers that still contain repo-visible personal identity fields
  without explicit opt-in.

Verification

• python3 -m py_compile context/skills/processkit/team-manager/mcp/server.py context/skills/processkit/team-manager/scripts/consistency.py context/skills/processkit/pk-doctor/scripts/checks/team_consistency.py
• uv run --with pyyaml --with jsonschema --with pytest --with mcp pytest context/skills/processkit/team-manager/scripts/test_team_manager.py -q
• uv run --with pyyaml --with jsonschema --with pytest --with mcp pytest src/context/skills/processkit/team-manager/scripts/test_team_manager.py -q
• uv run context/skills/processkit/pk-doctor/scripts/doctor.py --category=team_consistency
• bash scripts/check-src-context-drift.sh --release-deliverable

---

v0.26.15

Patch release for pk-doctor downstream policy diagnostics.\n\nFixed:\n- Classify legacy runtime Migration IDs as historical runtime-producer filenames and report them as INFO/non-actionable. Closes #62.\n- Keep Binding filename policy strict while improving mixed Binding filename repair advice for timestamped role-slot-fill bindings. Closes #60.\n- Keep MCP manifest responsibility in processkit release packaging and track installer preservation separately. Closes #61.\n\nVerification:\n- pk-doctor focused tests passed.\n- release deliverable guard passed.\n- release tarball and checksum built successfully.

v0.26.14 — TeamMember runtime launch and reconciliation fixes

v0.26.14 is a patch release that closes the TeamMember runtime
dispatch gap and hardens derived-project reconciliation paths reported
by pk-doctor.

Added

• Added first-class TeamMember runtime launch/status tools:
  launch_team_member, launch_workitem_assignee,
  get_team_member_runtime, list_team_member_runtimes, and
  stop_team_member_runtime. Runtime records persist separately from
  TeamMember and WorkItem state at context/team/runtime-sessions.json
  and include harness, provider/model/effort, write scope, MCP/context
  write policy, runtime state, and an opaque runtime handle. Closes
  #59.
• Added harness dispatch payloads for TeamMember launches. Claude
  payloads refresh/use .claude/agents/<slug>.md and return
  subagent_type; Codex, Aider, and OpenCode receive explicit
  outer-harness dispatch requests with resolved TeamMember identity and
  scoped write policy.

Fixed

• Added canonical pk-doctor reconciliation for schema-invalid or
  filename-drifted append-only LogEntries by emitting append-only
  logentry.corrected records instead of requiring direct mutation.
• Added canonical pk-doctor reconciliation for root-level CLI migration
  briefing files that are not Migration entities, moving uncompleted
  briefings out of the Migration entity lifecycle tree while keeping
  completed briefings as historical notes.

Verification

• uv run --with pyyaml --with jsonschema --with pytest --with mcp pytest context/skills/processkit/team-manager/scripts/test_team_manager.py -q
• uv run --with mcp --with pyyaml --with jsonschema --with httpx --with sqlite-vec --with pytest pytest context/skills/processkit/processkit-gateway/scripts -q
• python3 -m py_compile context/skills/processkit/team-manager/mcp/server.py src/context/skills/processkit/team-manager/mcp/server.py
• PYTHONDONTWRITEBYTECODE=1 uv run context/skills/processkit/pk-doctor/scripts/doctor.py --json
• uv run context/skills/processkit/release-audit/scripts/release_audit.py --tree=both
• bash scripts/check-src-context-drift.sh --release-deliverable
• UV_CACHE_DIR=/tmp/uv-cache PYTHONDONTWRITEBYTECODE=1 uv run scripts/smoke-test-servers.py

---

v0.26.13 - Regression coverage and boundary guidance

v0.26.13 is a patch release that hardens recent fixes with
regression coverage and keeps processkit guidance separated from
aibox host orchestration.

Fixed

• Kept aibox host orchestration out of processkit skills, commands, and
  MCP output so derived projects receive pk-doctor guidance inside the
  container without being told to run aibox doctor.

Tests

• Added pk-doctor regression coverage for v1_entity_drift,
  runtime_health, and historical id_vocabulary actionability.
• Added a processkit-diff.sh regression test for migration
  affected_files entries with new, changed, and removed upstream
  files. Covers
  #48.

Verification

• uv run context/skills/processkit/pk-doctor/scripts/test_doctor.py
• uv run src/context/skills/processkit/pk-doctor/scripts/test_doctor.py
• uv run --with pytest pytest scripts/test_processkit_diff.py -q
• bash -n scripts/processkit-diff.sh
• git diff --check

---

v0.26.12 - Repo reconciliation skill

Patch release adding the repo-management skill, /pk-repo-reconcile command, and processkit-repo-management MCP server. Also includes remediation-first /pk-doctor and /pk-resume guidance plus runtime_health pk-doctor probes.

v0.26.11 - derived-project doctor and runtime-prune fixes

v0.26.11 is a patch release that clears the remaining derived-project
pk-doctor false positives and makes runtime-prune usable for low-risk
in-container cleanup without requiring the aibox CLI.

Fixed

• Accepted gateway MCP mode in pk-doctor preauth checks. Codex and
  Claude configurations that intentionally expose only the
  processkit-gateway proxy now satisfy the per-skill processkit MCP
  preauth surface. Closes
  #52.
• Derived MCP drift checks from the shippable skill tree. pk-doctor
  MCP-config and server-header drift checks now scan both dogfood
  context/ and shipped src/context/ skill trees, using consumer-facing
  paths for comparison so source-only shipped skills do not report false
  drift.
• Allowed runtime-prune to clean low-risk allowlist targets directly.
  runtime-home and build-cache apply paths now remove only explicit
  processkit-owned cache/build targets after confirmation, while
  containers, companion state, and agent worktrees still delegate to
  aibox prune. Closes
  #53.
• Matched the current aibox prune CLI shape. Delegated runtime-prune
  commands now use aibox prune <scope> --dry-run|--yes instead of stale
  repeatable --scope and --json arguments.

Verification

• pk-doctor: 0 errors, 0 warnings, 0 actionable infos
• pk-release-audit --tree=both
• uv run scripts/smoke-test-servers.py
• uv run context/skills/processkit/pk-doctor/scripts/test_doctor.py
• uv run src/context/skills/processkit/pk-doctor/scripts/test_doctor.py
• uv run --with pytest --with 'mcp[cli]>=1.0' pytest -q src/context/skills/processkit/runtime-prune/scripts/test_runtime_prune.py

---