chore(voyage): release v4.3.0 — finalize version-sync + docs (3 re-review findings deferred to v4.3.1)
Bumps .claude-plugin/plugin.json 4.2.0 -> 4.3.0 (package.json, package-lock.json, and the README badge were already at 4.3.0). Updates the v4.3.0 CHANGELOG entry with the verified test count (711 pass / 0 fail / 2 skipped, 713 total), a "Re-review remediation (Sesjon 13-18)" note covering the 11-finding cycle Waves 1-3 closed, and a "Known issues — deferred to v4.3.1" subsection listing the 3 new findings the Sesjon 18 re-review surfaced in the remediation code (87069b35 SECURITY_INJECTION defense-in- depth, 4cc3bfc9 PLAN_EXECUTE_DRIFT, c6c64a58 MISSING_TEST). Updates root CLAUDE.md (voyage v4.0.0 -> v4.3.0, seven-command + playground), root README + plugin README (test count, Known-limitations note, fixes the stale "trekplan@" install snippet -> "voyage@"), root marketplace.json (voyage description), and plugin CLAUDE.md (Playground paragraph). A plan-critic-reviewed Wave-4 remediation plan for the 3 deferred findings is ready (.claude/plans/, gitignored). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent
0810f0c4fa
commit
0f197f6ff6
7 changed files with 23 additions and 10 deletions
|
|
@ -28,7 +28,7 @@ The v4.2 playground proved the annotation loop. v4.3 rebuilds it from the ground
|
|||
|
||||
### Changed
|
||||
|
||||
- **Test count: 672 → 705 pass / 0 fail / 2 skipped** (+33 new node-test tests across Groups A/B/C; +4 Playwright tests run via `npm run test:e2e`).
|
||||
- **Test count: 672 → 711 pass / 0 fail / 2 skipped** (713 total — Groups A/B/C node-test additions from the rebuild and the Sesjon 13–18 re-review remediation; +5 Playwright e2e specs run via `npm run test:e2e`).
|
||||
- **Theme bootstrap IIFE** (Wave 2 Step 6) sets `data-theme="dark"` as default; respects `localStorage('voyage-theme')` → `prefers-color-scheme: dark` matchMedia → fallback `dark`. Theme-toggle button in topbar (Wave 2 Step 7) persists user choice.
|
||||
- **Page-shell pattern** (Wave 2 Step 9) — `page__eyebrow` + `page__title` + `page__lede` + `page__meta` matches DS reference.
|
||||
- **Annotation export filename** — `annotated-{target}.md` where target = brief|plan|review|artifact (derived from frontmatter).
|
||||
|
|
@ -39,20 +39,31 @@ The v4.2 playground proved the annotation loop. v4.3 rebuilds it from the ground
|
|||
- **Hard-coded WIP token strings** (Wave 1 Step 4) — voyage tokens normalized to canonical `--color-scope-voyage` + `--ds-color-*` tokens; literal pixel font-sizes replaced with DS scale.
|
||||
- **Plan-determinism test reference path** (Wave 0 Step 3) — `tests/synthetic/plan-determinism.test.mjs:115` updated to `plan-run-C.md` (alphabetic convention matching A/B).
|
||||
|
||||
### Re-review remediation (Sesjon 13–18)
|
||||
|
||||
After the rebuild, an independent `/trekreview` (Sesjon 13) flagged 11 findings (5 BLOCKER + 5 MAJOR + 1 MINOR). Waves 1–3 of remediation closed **all 11** with delivered code + tests — notably reinstating an **inline screenshots gallery** (`renderScreenshotGallery`, finding `31d28f65`; supersedes the original "deferred to v4.4" item below), wrapping `renderArtifact`'s `bodyHtml` in `DOMPurify.sanitize` (`1d3591d4`), converting the SC2 a11y spec to absolute zero-violation mode and removing `a11y-baseline.json` (`09132940`), documenting the Phase 9 `plan_critic` frontmatter injection (`906f155d`), and asserting the `.fleet-grid` 4-column CSS parity (`99707f51`). A Sesjon 18 re-review then found 3 **new** findings introduced by the remediation code itself — deferred to v4.3.1 (see *Known issues* below).
|
||||
|
||||
### Deferred to v4.4
|
||||
|
||||
- WCAG-violations fix (HTML FROZEN in Sesjon 6 per Wave 7 verification-only scope).
|
||||
- Inline screenshots-gallery component (Element 6 redefinition risk).
|
||||
- WCAG-violations fix (HTML FROZEN in Sesjon 6 per Wave 7 verification-only scope; superseded for the a11y-spec by the absolute zero-violation conversion in the Sesjon 13–18 remediation).
|
||||
- File System Access API (FSA) write-back (currently `Blob`-download only).
|
||||
- `<project>/design/`-folder traversal.
|
||||
- `IndexedDB` primary persistence (localStorage stays primary for v4.3).
|
||||
- Hybrid claude-design-skill → canvas → frontend-design workflow (research/02 deferred to v4.4+).
|
||||
|
||||
### Known issues — deferred to v4.3.1
|
||||
|
||||
The Sesjon 18 re-review surfaced 3 findings in code the Sesjon 13–18 remediation introduced. None is a live operator-facing exploit; they are deferred to a v4.3.1 patch (a ready Wave-4 remediation plan exists, plan-critic-reviewed, ALIGNED):
|
||||
|
||||
- **`87069b35` (SECURITY_INJECTION, defense-in-depth)** — `renderScreenshotGallery()` interpolates `screenshots[].dataUrl` raw into an `<img src>` attribute, and `renderDashboard`'s `innerHTML` (unlike `renderArtifact`'s) is not DOMPurify-wrapped. **Not exploitable from the operator file-load path** — `FileReader.readAsDataURL` of a `.png` File always yields a safe base64 `data:` URL; the only injection path is `window.__voyage.scheduleRender({ artifacts: { screenshots: [{ dataUrl: '" onerror="…' }] } })`, which requires JS already executing in the page. Fix: a `data:image/…;base64,…` allowlist in `renderScreenshotGallery`.
|
||||
- **`4cc3bfc9` (PLAN_EXECUTE_DRIFT)** — `commands/trekplan.md:745` uses a backtick template literal as an ES `import` specifier (a `SyntaxError`). An LLM running the Phase 9 snippet verbatim fails before `plan_critic` is written; the documented fallback is non-fatal, so `plan.md` is still produced — without the field. Fix: backtick → single quote.
|
||||
- **`c6c64a58` (MISSING_TEST)** — no test asserts that a non-`data:` `dataUrl` is neutralised before DOM injection, so `87069b35` is invisible to `npm test`. Fix: Group D Playwright runtime guard + Group A static-grep guard.
|
||||
|
||||
### Notes
|
||||
|
||||
- Brief, research (4 briefs), plan, and execute (6 sessions) all produced from the v4.3 pipeline itself. SC11 pipeline-self-eat gate continues to hold.
|
||||
- Path A/B/C decision (cache-first / sequential `--no-ff` waves / hybrid identical-tool) unchanged from v3.4.0 — Path B remains in production.
|
||||
- Plan quality score 86/100 Grade A APPROVE_WITH_NOTES (adversarial review Phase 9, 22 revisions documented in plan.md Revisions table).
|
||||
- Plan quality score 86/100 Grade A APPROVE_WITH_NOTES (adversarial review Phase 9, 22 revisions documented in plan.md Revisions table). Sesjon 13–18 remediation plans reviewed independently; Sesjon 18 re-review verdict BLOCK with 3 findings (now v4.3.1).
|
||||
|
||||
## v4.2.0 — 2026-05-09 — Annotation pipeline + first voyage playground
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue