Releases: srbsa/diffgate
Release list
v0.7.7
Full Changelog: v0.7.6...v0.7.7
v0.7.6
v0.7.5
release: 0.7.5, republish with updated README after 0.7.4 publish
v0.7.4
feat: git history audit, gate hardening, and 0.7.4 rule coverage

Squash of feat/check-history-scan (7 commits):
- diffgate check can audit git history per-commit: --since/--range/--author/--ai-authored/<sha>, --limit. Report-only, sourced from git objects (no checkout/mutation), honors --json/--fail-on.
- diffgate check accepts space-separated flag values (--range A..B), not just --flag=value.
- Silent-failure sweep: the gate path can no longer exit 0 on a failure to run (non-git dir, unresolvable --base/--range, invalid --fail-on all now exit 2); --json/--sarif/--github now carry the real gate exit code.
- dangerous-exec (JS/TS) no longer flags RegExp.prototype.exec(); path-traversal (JS/TS) is guard-aware (path.basename wrapper, startsWith containment check).
- permissive-cors extended to all 8 AST-precision languages (was JS/Python/PHP): Go, Ruby, Java, C#, Kotlin, covering both wildcard/allow-all configs and reflected-Origin writes; explicit allowlists are not flagged.
- hardcoded-secret recognizes AI-era provider key formats (Anthropic, OpenAI, Hugging Face, GitLab, npm), kept in sync between the rule and classifySecret.
- research/ (internal experiment scripts) untracked and gitignored, not part of the shipped tool.

769 tests green, typecheck clean, extension smoke passing.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
v0.7.3
chore: add .env.example for marginal/AI provider runs Documents the provider API-key env vars (read via the LLM registry, not inline process.env) and the custom-endpoint overrides for `diffgate marginal`. .gitignore gains `!.env.example` so the template is trackable while `.env`/`.env.*` stay ignored. The deterministic engine needs none of these. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
v0.7.2
v0.6.1
fix(vscode): dismiss/confirm false positives from the editor (0.6.1)
Patch on the released 0.6.0. The editor half of `diffgate feedback`: a
false positive can now be suppressed without leaving VS Code — via ⌘. /
Ctrl+. ("Dismiss as noise"), a hover-card link, or a one-click button in
the Deep Review inspector after a "likely safe" verdict — and "Confirm as
a real risk" records the opposite verdict for the `diffgate stats` signal
ratio. Both write the same committed `.diffgate/learnings.json` (hash of
the flagged snippet), so dismissals are team-shared via git and applied
in CI, with no inline `// disable` comments.
Closes a real bug surfaced while building it: the live-editor analysis
path (`analyzeText`) silently ignored learnings.json — only the git-diff
sidebar path applied it — so a CLI dismissal vanished from the sidebar
but reappeared in the gutter on open/edit. analyzeText now applies the
verdicts the same way reviewChanges does.
Bug-bash hardening:
- Cache merged learnings per folder (analysis runs per keystroke); the
prior change re-read disk on every edit. Invalidated on a recorded
verdict, an external learnings.json change, and config changes that
could alter learnings.shared.
- Refuse an empty flagged snippet (would hash to a constant and suppress
every empty-line finding of the rule), mirroring the CLI guard.
- Invalidate the cache before re-analysis so a dismissal takes effect
immediately.
Tests: new smoke scenario drives dismiss/confirm/cancel/no-op against a
real learnings.json. 481 core + extension smoke + root/ext typecheck green.
Docs: new CHANGELOG [0.6.1] section (0.6.0 left intact as released),
extension README, docs/TEAM.md. Version bumped to 0.6.1 in root + extension
manifests and both package-lock self-version fields (pre-existingly out of
sync: root lock 0.7.0, ext lock 0.1.2 — now 0.6.1).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
v0.6.0
docs(parity): refresh stale parity tables — Python at 4 AST classes, …
v0.5.2
Merge branch 'fix/openai-gpt5-params' (v0.5.2)

OpenAI GPT-5/o-series model fix + four VS Code plugin fixes:
- Lingering package.json/manifest findings (FILE rules bypassed diff gate)
- Multi-repo workspaces only showing 1 repo (bounded discovery + grouped tree)
- Redundant cache-folder reads (centralized ignore policy with framework caches)
- Misc: .diffgate.json watcher in node_modules, MAX_BYTES UTF-16 vs bytes