release: v5.10.0 — attune-author extraction + CVE sweep#139
Open
silversurfer562 wants to merge 8 commits into main from
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extract documentation authoring (generator, manifest, staleness, polish, doc-gen pipeline, maintenance, preamble, bootstrap, CLI) into a new sibling package `packages/attune-author/`. The `attune.help` module re-exports these types for backward compatibility, keeping existing imports stable.

Adds:
- `packages/attune-author/` — standalone authoring library with its own pyproject, tests, and Jinja2 meta templates
- 254 lines of test coverage for MCP help handlers
- New MCP smoke tests (`test_server.py`, `test_tool_schemas.py`)
- `coach` plugin skill (replaces `learn` after the rename)
- `scripts/qa_post_release.py` for post-publish validation
- Refreshed help template content with better trigger keywords

Updates:
- `attune.help.preamble` — contextual rendering improvements
- `attune.help.manifest` — `**` glob handling and trailing-slash resolution
- `plugin/hooks/help_on_error.py` — minor UX polish

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps dependency floors and refreshes the lockfile to clear every vulnerability surfaced by `pip-audit` (11 → 0).

Direct dep changes (pyproject.toml):
- PyJWT: >=2.8.0 → >=2.12.0 in `backend`, `enterprise`, `all` extras (GHSA-752w-5fwx-jx9f)

Lockfile-only upgrades (transitive or already-allowed by spec):
- cryptography 46.0.4 → 46.0.6 (CVE-2026-26007, CVE-2026-34073)
- langchain-core 1.2.7 → 1.2.26 (CVE-2026-26013)
- langgraph 1.0.7 → 1.0.10 (CVE-2026-28277)
- langgraph-checkpoint 3.0.1 → 4.0.1 (CVE-2026-27794)
- mcp 1.12.4 → 1.27.0 (CVE-2025-66416)
- pygments 2.19.2 → 2.20.0 (CVE-2026-4539)
- pyjwt 2.10.1 → 2.12.1 (matches the new floor)
- requests 2.32.5 → 2.33.1 (CVE-2026-25645)
- pydantic 2.10.6 → 2.12.5 (transitive via mcp)
- pydantic-core 2.27.2 → 2.41.5 (transitive via pydantic)

Also refreshes `.secrets.baseline` to drop stale paths from the pre-`empathy → attune` rename and rescans the current tree (274 findings across 107 files, all confirmed false positives).

Smoke-tested core imports and ran the full unit suite (11013 passed, 0 failed) with the new versions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps attune-ai to 5.10.0 across all 7 canonical version files (pyproject, plugin manifests, marketplace JSONs, plugin core, CLAUDE.md). Adds CHANGELOG entries for both 5.9.0 (which shipped without one) and 5.10.0.

Highlights of this release:
- New `attune-author` sibling package extracts doc authoring (generator, manifest, staleness, polish, doc-gen pipeline) into a standalone library
- All 11 known CVEs cleared (pip-audit clean)
- 254 lines of new MCP help handler test coverage
- Full unit suite green: 11013 passed, 0 failed

Website is bumped from 5.9.0 to 5.10.0 to match.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Removes the hidden cross-package dependency that would break `pip install attune-ai` from PyPI:

1. Deletes the unused `attune_author` re-exports from `src/attune/help/__init__.py`. Nothing in `src/`, `plugin/`, or `tests/` imports the re-exported names (`GeneratedTemplate`, `FeatureManifest`, `check_staleness`, etc.) — every consumer imports the local submodules (`attune.help.bootstrap`, `attune.help.generator`, `attune.help.manifest`, `attune.help.staleness`, …) directly. Those submodules are self-contained and do not depend on `attune_author`.
2. Removes `attune-author>=0.1.0` from core dependencies in `pyproject.toml`. `attune-author` remains a workspace source under `[tool.uv.sources]` for in-repo development but is no longer a runtime requirement.

Verified by importing `attune`, `attune.help`, every help submodule, the CLI, and the MCP server with a `MetaPathFinder` that blocks `attune_author` imports — all succeed. Full unit suite still green: 11013 passed, 0 failed.

Also captures lessons learned from the v5.10.0 prep session in `.claude/CLAUDE.md` (pip-audit pyenv shim trap, broken SDK security-audit subagent aggregation, dev vs developer extra split, stash-pop schema-version revert, detect-secrets "fake" placeholder pragma).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dev-only dependency. Surfaced by pip-audit after the previous CVE sweep — black is in the `dev` extra and not part of any end-user install path, but bumping it keeps the audit clean for future automation runs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds three new lessons from the release prep session:

- Unused `__init__.py` re-exports become invisible runtime deps. This was the latent release blocker (lesson #3 from the previous session) — `attune.help.__init__.py` did `from attune_author.foo import Bar` purely as "backward-compat" re-exports that no caller in src/, plugin/, or tests/ ever consumed, but the import-time cost still required `attune_author` to exist for `import attune` to work.
- Verify optional dep boundaries with a MetaPathFinder rather than uninstalling. Includes a copy-pasteable snippet for blocking a target package on `sys.meta_path` so `import my_pkg` is exercised against a missing dep without mutating the venv.
- Removing one workspace dep can cascade to remove others. Dropping `attune-author` from core deps also evicted `attune-help` from the lockfile because the latter was only pulled in transitively. Always check what `uv lock` removes and verify the corresponding code paths have try/except fallbacks (in our case, `attune.help.preamble` already did).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
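The verification technique described in the two commits above (blocking a package on `sys.meta_path` so an import is exercised against a missing optional dependency, then checking that guarded code paths fall back while unguarded re-exports fail) as an added, stand-alone example. This is not the repository's own snippet from `.claude/CLAUDE.md`; the package names `optional_dep`, `my_pkg` and `strict_pkg` are constructed fixtures written to a temp directory so the check runs offline.

```python
"""Verify an optional-dependency boundary by blocking a package on sys.meta_path.

Added example (not from the attune repo). Builds three throwaway packages in a
temp dir: ``optional_dep``, ``my_pkg`` (guards the import with try/except) and
``strict_pkg`` (re-exports from the dep unconditionally). All names are made up.
"""
import importlib
import sys
import tempfile
import textwrap
from importlib.abc import MetaPathFinder
from pathlib import Path


class BlockImport(MetaPathFinder):
    """Make `import <name>` (and any of its submodules) raise ImportError, without touching the venv."""

    def __init__(self, *names):
        self.names = set(names)

    def find_spec(self, fullname, path, target=None):
        if fullname.split(".")[0] in self.names:
            raise ImportError(f"{fullname!r} is blocked for this check")
        return None  # not ours; let the regular finders handle it


def _evict(roots):
    """Drop cached modules rooted at `roots` so the import really runs again; return what was removed."""
    return {k: sys.modules.pop(k) for k in list(sys.modules) if k.split(".")[0] in roots}


def import_with_blocked(module_name, *blocked):
    """Import `module_name` while the `blocked` packages are unavailable.

    Returns (module_or_None, error_text) and restores sys.modules / sys.meta_path afterwards,
    so the probe leaves the interpreter as it found it.
    """
    finder = BlockImport(*blocked)
    roots = finder.names | {module_name.split(".")[0]}
    saved = _evict(roots)
    sys.meta_path.insert(0, finder)
    try:
        return importlib.import_module(module_name), ""
    except ImportError as exc:
        return None, str(exc)
    finally:
        sys.meta_path.remove(finder)
        _evict(roots)              # discard whatever the probe loaded
        sys.modules.update(saved)  # put the original modules back


def make_fixture():
    """Write the constructed packages to a temp dir and put it on sys.path."""
    root = Path(tempfile.mkdtemp(prefix="depcheck_"))
    (root / "optional_dep").mkdir()
    (root / "optional_dep" / "__init__.py").write_text("VERSION = '0.1.0'\n")
    (root / "my_pkg").mkdir()
    (root / "my_pkg" / "__init__.py").write_text(textwrap.dedent("""
        # Correct pattern: the optional dep is guarded, so the core import survives without it.
        try:
            import optional_dep
            HAS_OPTIONAL = True
        except ImportError:
            HAS_OPTIONAL = False
    """))
    (root / "strict_pkg").mkdir()
    (root / "strict_pkg" / "__init__.py").write_text(
        "# Defect pattern: an unguarded re-export turns an optional dep into a hard one.\n"
        "from optional_dep import VERSION\n"
    )
    sys.path.insert(0, str(root))
    return root


def run_checks():
    """Return the outcomes a release-prep script could assert on."""
    make_fixture()
    guarded, _ = import_with_blocked("my_pkg", "optional_dep")
    strict, err = import_with_blocked("strict_pkg", "optional_dep")
    control, _ = import_with_blocked("my_pkg")  # nothing blocked: control run
    return {
        "guarded_imports": guarded is not None,
        "guarded_has_optional": getattr(guarded, "HAS_OPTIONAL", None),
        "strict_imports": strict is not None,
        "strict_error": err,
        "control_has_optional": getattr(control, "HAS_OPTIONAL", None),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Raising from `find_spec` is what makes this work: the finder is consulted first, so even a package that is installed in the venv becomes unimportable for the duration of the probe, and the cached-module eviction guarantees the module under test is re-executed rather than served from `sys.modules`. Point `import_with_blocked` at a real package (`import_with_blocked("attune", "attune_author")`) to reproduce the check the commit describes.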
Updates stale counts to match the actual state of the v5.10.0 codebase, verified against the source:

- Tests: 15,446 → 14,929 passing (`pytest tests/ -q -n auto`, 189 skipped, 5 xfailed; one production-smoke test against the live website is unrelated and excluded)
- Skills: 13 → 14 (verified via `ls plugin/skills/`)
- MCP tools: 38 → 36 (verified via `tool_schemas.py`: workflow=20, utility=7, help=5, memory=4)
- Templates: 540 → 633 (verified in `packages/attune-help/src/attune_help/templates/`)
- `learn` skill → `coach` (the skill was renamed to avoid collision with Claude Code's built-in `/help`; the README still pointed at the old name)

Also rewrites the "MCP Tools" section. The old listing totalled 33 tools across 7 categories — both the count and the categorisation were stale. The new section reflects the actual 4-category split exposed by `tool_schemas.py` and includes the 3 new help endpoints (`help_init`, `help_status`, `help_update`) added during v5.10.0 prep.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- `attune-author` library extracted into a sibling package (`packages/attune-author/`) housing the documentation authoring code (generator, manifest, staleness, polish, doc-gen pipeline). The package is workspace-only for v5.10.0; PyPI publication will happen as a separate release.
- `pip-audit` 11 → 0. Direct: PyJWT >=2.12.0 in `backend`/`enterprise`/`all`. Lockfile: cryptography, langchain-core, langgraph, langgraph-checkpoint, mcp 1.12.4 → 1.27.0, pygments, requests, pydantic 2.10.6 → 2.12.5, plus dev-only black 26.1.0 → 26.3.1.
- `attune.help.__init__.py`'s unused `attune_author` re-exports were removed (no caller in `src/`, `plugin/`, or `tests/` consumed them) and `attune-author>=0.1.0` was removed from core deps. Verified `import attune` works with `attune_author` blocked on `sys.meta_path`.
- `learn` skill reference updated to `coach`.
- Version bumped to 5.10.0 across all 7 canonical files (pyproject.toml, plugin manifests, marketplace JSONs, plugin core, CLAUDE.md).
Test plan
- `pip-audit` clean: 0 known vulnerabilities
- `src/` + `packages/`: 0 issues
- `pytest tests/unit/` — 11,013 passed, 0 failed, 129 skipped, 5 xfailed (66s)
- `pytest tests/` — 14,929 passed, 1 unrelated failure in `tests/test_production_smoke.py::test_debug_wizard_page_loads` (live website content check, post-redesign drift)
- `tests/unit/plugins/test_plugin_config_validation.py::test_all_versions_match` — passing
- `import attune` + every `attune.help.*` submodule succeeds when `attune_author` is blocked via `sys.meta_path`
- `python scripts/qa_post_release.py`

Files NOT in this PR

The `packages/attune-author/plugin/` work (Claude Code plugin scaffold + MCP server + 6 skills + agent + hook + 733 lines of new tests) is intentionally deferred to a follow-up PR. It's complete on local disk but the plugin tests can't run without the new `[plugin]` extra (in stash), the smoke test against `claude --plugin-dir` hasn't been executed, and `attune-author 0.1.0` isn't on PyPI yet. Shipping it under a CVE-sweep release would muddle the narrative.

🤖 Generated with Claude Code