From 6a1f1980e48688ab83a8758544b263900938d716 Mon Sep 17 00:00:00 2001
From: Ralf Anton Beier
Date: Sat, 16 May 2026 16:59:38 +0200
Subject: [PATCH 1/2] release(v0.10.0): variant + supplier + AI session + TCL workstream A
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Workspace version bump 0.9.0 → 0.10.0.

Theme: audit-grade story — three orthogonal features that together move rivet from "trace your project" to "describe the boundary and defend the tool's role across it."

Highlights (full notes in CHANGELOG.md):
- Variant-aware properties — per-variant field values (#285, #255).
- Cross-org / supplier-boundary coverage MVP (#286, #253).
- AI session provenance — schema half (#289, partially #127).
- Tool-qualification workstream A — typed claim + dossier (#289).
- rivet stats --qualification + --qualification-mode flag (#289).
- TCL/TQL numbering convention fix in dogfood STPA (#289).

Co-Authored-By: Claude Opus 4.7
---
 CHANGELOG.md | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 Cargo.lock | 6 ++---
 Cargo.toml | 2 +-
 3 files changed, 77 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index df91d24d..55811cda 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,8 +5,73 @@ ## [Unreleased] +## [0.10.0] — 2026-05-16 + +Theme: **audit-grade story**. Three orthogonal features that together +move rivet from "trace your project" to "describe the boundary and +defend the tool's role across it." Variant-aware properties (#255), +supplier-boundary coverage (#253), AI session provenance (#127), and +the tool-qualification dossier (TCL workstream A) ship as the four +mechanical primitives behind that story. + ### Added +- **Variant-aware properties — per-variant field values** (#285, + closes #255). New `fields-per-variant` map on every artifact + + `Artifact::fields_for_variant(Option<&str>) -> Cow<...>` resolver + with a zero-allocation `Borrowed` fallback. Schema-driven YAML + parser recognises the typed key (no fall-through to the generic + `fields` map). `#[derive(Default)]` on `Artifact` so future struct + additions stay additive. Phase 2 (variant config loading + + validate/coverage wiring) tracked in #287. + +- **Cross-org / supplier-boundary coverage MVP** (#286, closes #253). + New `external-anchor` artifact type in `schemas/common.yaml` marks + the typed leaf at a supplier hand-off. `CoverageEntry` gains + `external_boundary` + `external_boundary_ids` so the auditor sees + three categories instead of two — satisfied / delegated to supplier + / genuinely uncovered. The classification rule only honours + on-contract anchors (anchor's `expected-derived-types` overlaps the + rule's target types) — off-contract anchors do NOT silently absorb + gaps. New `rivet supplier list` + `rivet supplier check` commands. + `rivet coverage` JSON output extended additively. Phase 2 + (federation handshake, `rivet supplier pull` for ReqIF/file) tracked + in #288. + +- **AI session provenance — schema half** (#289, partially closes + #127). 
New `ai-session` artifact type in `schemas/common.yaml` + pins a Claude Code (or other AI) session to a commit so the auditor + can reconstruct who/what authored a change: session-id, session-hash + (SHA-256 of transcript), model-id, tool-version, commit-sha, + started/ended timestamps, invoker. New link type `produced-by` + carries the artifact → session relationship. Phase 2 (commit hook + + `rivet audit` enforcement) tracked alongside. + +- **Tool-qualification workstream A — typed claim + dossier** (#289). + New `tool-confidence` artifact type in `schemas/iso-26262.yaml` + carries the typed TI/TD/TCL claim with `regime:` field so the + DO-330/26262 numbering cross-walk is machine-readable. New + `ai-found-defect` artifact type in `schemas/common.yaml` captures + errors introduced by AI authoring that rivet's detection layer + caught (severity, triage-status, detected-by). Companion link types + `defect-against` and `corrects`. Dogfood claim `TQ-CONF-RIVET` + (`safety/tool-qualification/rivet-tool-confidence.yaml`) at + TI2/TD1/TCL1. Companion dossier at + `docs/design/tool-qualification-dossier.md` rendered via + `rivet docs tool-qualification`. + +- **`rivet stats --qualification`** (#289). JSON-only configuration + baseline manifest for the dossier — lists rivet version, schemas + in use, every `tool-confidence` artifact, and `ai-found-defect` + aggregates (by severity, by triage-status, open-IDs). The snapshot + a safety manager pastes into the dossier evidence section. + +- **`--qualification-mode` flag** (#289). Top-level flag that + refuses out-of-scope subcommands per the dossier scope list. + Initial gate refuses `rivet sync` (Phase 2 federation not yet + qualified); read-only commands stay allowed. The flag is sticky + for one invocation only. + - **`rivet coverage --aggregate ...`** (#188 sub-issue 3). File-based cross-repo V&V matrix aggregator: each repo's CI emits its `rivet coverage --matrix --format json`, a top-level job merges them 
@@ -15,6 +80,14 @@ coalesced so re-runs are idempotent, and the merged JSON re-feeds the aggregator unchanged. +### Fixed + +- **TCL/TQL numbering convention in dogfood STPA** (#289, TCL design + A1). `safety/stpa/tool-qualification.yaml` header now follows ISO + 26262-8 Table 3 unambiguously (TCL1 = lowest demand) instead of + mixing 26262 and DO-330 conventions. The typed `tool-confidence` + artifact's `regime` field disambiguates downstream. + ## [0.9.0] — 2026-05-11 Theme: backlog drain. Ships the rivet-bundle command, the s-expr diff --git a/Cargo.lock b/Cargo.lock index 3514e9e1..ca54ee85 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -973,7 +973,7 @@ dependencies = [ [[package]] name = "etch" -version = "0.9.0" +version = "0.10.0" dependencies = [ "petgraph 0.7.1", ] @@ -2709,7 +2709,7 @@ dependencies = [ [[package]] name = "rivet-cli" -version = "0.9.0" +version = "0.10.0" dependencies = [ "anyhow", "axum", @@ -2737,7 +2737,7 @@ dependencies = [ [[package]] name = "rivet-core" -version = "0.9.0" +version = "0.10.0" dependencies = [ "anyhow", "criterion", diff --git a/Cargo.toml b/Cargo.toml index 4d29479c..7ba57ebb 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -7,7 +7,7 @@ members = [ ] [workspace.package] -version = "0.9.0" +version = "0.10.0" authors = ["PulseEngine "] edition = "2024" license = "Apache-2.0" From 636edd1546b9aab3793256369c12bc233f10e9c6 Mon Sep 17 00:00:00 2001 
From: Ralf Anton Beier Date: Sat, 16 May 2026 17:38:04 +0200 Subject: [PATCH 2/2] fix(release): docs-check violations on v0.10.0 release commit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two docs-check violations on PR #290: - VersionConsistency: vscode-rivet/package.json bumped 0.9.0 → 0.10.0 (it has its own version field, not workspace-inherited). - SubcommandReferences: CHANGELOG mentioned `rivet audit` which is a Phase 2 future subcommand. Rephrased to "audit-side enforcement subcommand" so the literal `rivet audit` no longer parses as a current-cli reference. Local `rivet docs check` now passes (54 files, 0 violations). Co-Authored-By: Claude Opus 4.7 --- CHANGELOG.md | 2 +- vscode-rivet/package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 55811cda..4c9ccdb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -45,7 +45,7 @@ mechanical primitives behind that story. (SHA-256 of transcript), model-id, tool-version, commit-sha, started/ended timestamps, invoker. New link type `produced-by` carries the artifact → session relationship. Phase 2 (commit hook - + `rivet audit` enforcement) tracked alongside. + + audit-side enforcement subcommand) tracked alongside. - **Tool-qualification workstream A — typed claim + dossier** (#289). New `tool-confidence` artifact type in `schemas/iso-26262.yaml` diff --git a/vscode-rivet/package.json b/vscode-rivet/package.json index a603f1ef..c1f811f0 100644 --- a/vscode-rivet/package.json +++ b/vscode-rivet/package.json @@ -3,7 +3,7 @@ "displayName": "Rivet SDLC", "description": "SDLC artifact traceability with live validation, hover info, and embedded dashboard", "publisher": "pulseengine", - "version": "0.9.0", + "version": "0.10.0", "license": "MIT", "repository": { "type": "git",
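Review bot: in PATCH 1/2, CHANGELOG.md hunk `@@ -5,8 +5,73 @@`, the `--qualification-mode` entry does not say what happens to a subcommand that is neither read-only nor `rivet sync`. It names one refused command and says "read-only commands stay allowed", which leaves the commands introduced in the same release notes (`rivet supplier check`, `rivet docs tool-qualification`, `rivet stats --qualification`) unclassified for a reader of the dossier. State the default explicitly, and prefer refusing anything not on the dossier scope list so that a newly added subcommand is out of scope until it has been qualified. The closing sentence "The flag is sticky for one invocation only" also reads as a contradiction; if the intent is that the flag is never persisted to config or environment, say that directly.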
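Review bot: in PATCH 2/2, CHANGELOG.md hunk `@@ -45,7 +45,7 @@`, the reworded Phase 2 line still ends with "tracked alongside" and no issue number, while the variant and supplier entries point at #287 and #288. Add the tracking issue so the deferred work can be found from the release notes. Because this entry ships only the schema half, with the commit hook and enforcement deferred, it would also help to state that in 0.10.0 the `session-hash` and `commit-sha` values are recorded as declared and nothing in this release is described as verifying them; otherwise "pins a Claude Code (or other AI) session to a commit" can be read by an auditor as an enforced binding.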
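Review bot: in PATCH 2/2, vscode-rivet/package.json hunk `@@ -3,7 +3,7 @@`, the context line `"license": "MIT"` differs from `license = "Apache-2.0"` in the workspace Cargo.toml touched by PATCH 1/2. If the extension is intentionally licensed separately, record that in the commit message or the extension README; if not, align it while this file is already being edited for the release. Since this hunk repairs a version field that PATCH 1/2 missed, consider squashing the two patches so the commit that carries the `release(v0.10.0)` subject has a consistent version across all manifests.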