Releases: xiaolai/mecha.im

v0.5.19

12 Apr 14:03

v0.5.18

11 Apr 23:53

Full Changelog: v0.5.17...v0.5.18

v0.5.17

10 Apr 21:37

Changes

  • fix: increase health check timeout to 90s for first container boot
  • fix: resolve 8 critical/high grill findings
  • fix: high-priority grill findings — persist, migrations, sentinels, metrics
  • fix: medium-priority grill findings — security, resilience, testing
  • fix: low-priority cleanup — redaction, sentinel errors, 5xx retry
  • merge: fix all grill findings — 4 phases of improvements

Full Changelog: v0.5.16...v0.5.17

v0.5.16

02 Apr 16:12

Log — Fifth Domain Noun

Mecha now has five nouns: Events, Workers, Tasks, Policies, Logs.

Structured Audit Trail (internal/logs/)

  • Schema V6: logs table with INTEGER PRIMARY KEY AUTOINCREMENT, trace_id for causal grouping, typed outcome/attempt/error columns, sparse JSON detail
  • 14 action constants across 6 pipeline phases (webhook, match, dispatch, policy, writeback, worker)
  • 5 outcome values: ok, fail, skip, retry, deny
  • GET /logs API with filters: event, task, worker, action prefix, since, limit
  • All detail fields redacted via RedactSecrets before write
  • Fire-and-forget Record() — never blocks the pipeline

Package Rename — All Plural

  • internal/event/ → internal/events/
  • internal/worker/ → internal/workers/
  • internal/task/ → internal/tasks/
  • internal/policy/ → internal/policies/
  • internal/logs/ — new (already plural)
  • 160 files changed, pure rename + shadowing conflict resolution

Documentation — 100% Coverage

  • 183/183 exported symbols documented in go-api.md
  • Logs package: types, methods, 14 action constants, 5 outcome constants
  • All audit findings fixed: version refs, secrets permissions, state diagrams, Gemini annotation

Domain Model

Five nouns: Events, Workers, Tasks, Policies, Logs
Pipeline: Event.arrive → Event.match → Task.create → Task.dispatch → Policy.filter → Respond
Audit: Log.record at every pipeline stage

Full Changelog: v0.5.15...v0.5.16

v0.5.15

02 Apr 10:14

Policy System Overhaul

  • Bug fix: comment truncation now respects max_length (suffix included in limit)
  • Bug fix: label blocklist is case-insensitive (matches GitHub/GitLab)
  • Bug fix: deep-copy Result fields in policy filter (prevents aliasing)
  • Bug fix: DenyAll now strips metadata, empty filtered labels return nil
  • Bug fix: mecha-fire-event tool schema now includes event_type parameter
  • Label allowlist: allowed: [bug, enhancement] for restrictive posture
  • Status state validation: invalid states rejected by policy
  • Commit diff size limit: max_size: 50000 blocks oversized diffs
  • Metadata redaction: metadata: {allow: false} strips model/token info
  • Managed worker policy warning logged when Docker workers lack policy

42 Integration Tests

Full pipeline coverage across 5 tiers:

  • Pipeline (6): webhook→dispatch→write-back, policy filters, dedup, signatures
  • Sources (4): Slack, Telegram, GitLab e2e, Slack URL verification
  • MCP (4): task submit+status, worker list, task list, metrics
  • Resilience (4): crash recovery, concurrent webhooks, worker offline
  • Policy (6): allowlist, case-insensitive blocking, metadata, diff limit, status, all-denied
  • Edge cases (7): timeout, empty/non-JSON result, auto:false, filter matching, write-back failure, body limit
  • Must-haves (7): retry, rate limiter, adapter Ollama, cron, generic source, auth, round-robin

Documentation

  • Fixed CRITICAL: cli.md config precedence contradiction
  • Architecture diagram rewritten with full pipeline
  • CronTrigger + GitLab write-back sections added to events.md
  • 27 new symbols documented in go-api.md
  • Version references updated, stale labels removed
  • worker-yaml-spec.md now documents events + policy fields

Full Changelog: v0.5.14...v0.5.15

v0.5.14

02 Apr 03:10

What's New

MCP Orchestration Tools

  • 8 new MCP tools: mecha-task, mecha-task-wait, mecha-task-status, mecha-workers, mecha-tasks, mecha-events, mecha-fire-event, mecha-metrics
  • MCP server now serves 14 tools total (8 orchestration + 6 documentation)
  • Proxies to mecha serve via HTTP — any MCP client can control the full pipeline

Server Config File

  • New ~/.mecha/config.yml for persistent server configuration (addr, api_key)
  • Read by both mecha serve and mecha-mcp — single source of truth
  • Priority: CLI flag > config file > compiled default

10 Codebase Gaps Fixed

  • Event dedup enforcement — active events with same dedup_key block duplicates
  • Task retry with exponential backoff — 30s/60s/120s, dead-letter after 3 attempts
  • Per-worker rate limiting — token bucket (2 req/s, burst 5)
  • Persistent queue scanner — catches orphaned pending tasks every 60s
  • Prometheus /metrics endpoint — zero-dependency text exposition
  • Slack webhook source — HMAC-SHA256 verification, replay protection, URL verification
  • Telegram bot source — secret token verification, 4 update types
  • GitLab responder parity — labels, commit status, commit suggestions
  • Background retry loop — re-enqueues tasks after backoff delay
  • CI coverage targets: make cover, make cover-check (60% gate)

Testing

  • 89.5% total coverage (up from ~64%)
  • Policy 99.1%, Source 97.6%, Task 94.7%, Event 94.4%, Worker 93.1%
  • Docker integration tests (full container lifecycle)
  • TDD Guardian audit: all HIGH + MEDIUM findings fixed

Port Change

  • Default listen address changed from :8080 to :21212

Docs

  • Updated: server, CLI, events, secrets, MCP server pages
  • New: Slack/Telegram source docs, config file docs, orchestration tool docs

Full Changelog: v0.5.13...v0.5.14

v0.5.13

01 Apr 06:47

Docker Integration Tests + Runtime Install Fixes

Tests

  • 8 Docker integration tests covering runtime CLI install, Codex MCP detection, credential mounts, plugin env vars, health transitions
  • 7 unit test files covering IsSensitivePath, deep copy, credentials+token exclusion, extractHost, ResolveCwd, plugin YAML parsing

Fixes

  • Dockerfile: add HOME=/home/worker (Claude installer needs it)
  • Dockerfile: add BUN_INSTALL for writable bun global dir
  • Codex CLI installed via local bun add + symlink (bun install -g fails with EACCES as non-root)
  • extractHost returns "" for unix:// sockets

Full changelog

bc63300 fix: Dockerfile HOME/BUN_INSTALL, Codex local install, test fixes
fcf4804 test: add Docker integration tests for runtime behavior
70e2726 test: add integration tests for v0.5.12 changes

Full Changelog: v0.5.12...v0.5.13

v0.5.12

01 Apr 06:49

Full Changelog: v0.5.11...v0.5.12

v0.5.11

31 Mar 23:37

Choose a tag to compare

Full Changelog: v0.5.9...v0.5.11

v0.5.10

31 Mar 14:00

What's New

  • SSH Workers: Remote worker execution via SSH — run workers on any machine without Docker
  • mecha doctor: System health diagnostics (database, secrets, Docker, worker health, cwd validation)
  • Policy metadata: Metadata field on policy.Result for model/token/duration tracking
  • MCP server: Documentation MCP server with GitHub webhook auto-reload
  • Security hardening: Redaction fixes, context propagation, registry error handling, symlink validation

Fixes

  • 4 Codex audit findings (timeout, docker host, stat error, sensitive paths)
  • Grill findings (redaction, context, registry error, symlinks)
  • 7 documentation coverage gaps
  • Webhook secret handling (fail closed, guard nil sources)

Full Changelog

43 commits since v0.5.9 — see compare

Full Changelog: v0.5.9...v0.5.10