Skip to content

SkillMeat v0.31.0 Release Notes

Release Date: 2026-04-15

Epic DVCS v2 release: enterprise backend parity, branch-aware patching, federation, RBAC/RLS enforcement, and created_by enforcement framework. Consolidates PRs #179, #180, #181, #182, #186, #187, #188.

Security

  • Enterprise RBAC/RLS Foundation — Wave 3A (Enterprise edition only)
  • Row-Level Security (RLS) policies enforced on 100% of tenant-scoped enterprise tables (57/57 total, 54 previously unprotected)
    • Batches A–B: 17 core identity tables (enterprise_artifacts, enterprise_users, enterprise_teams, enterprise_collections, enterprise_git_credentials, enterprise_memory_items, and 11 others) now have database-enforced 4-operation RLS policies (SELECT, INSERT, UPDATE, DELETE)
    • Batches C–G: 37 deployment, workflow, bundle, marketplace, context, and federation-event tables with policies enforcing tenant_id = current_setting('app.current_tenant_id')
    • Federation tables (federation_webhooks, federation_deletion_events) protected; cluster-scoped federation tables (federation_org_registry, federation_trust_policies) intentionally excluded
  • Alembic migrations ent_031 through ent_038 (PostgreSQL-only, dialect-guarded; SQLite is no-op)
  • PostgreSQL GUC (app.current_tenant_id) wired application-wide via TenantContextDep on all enterprise routers — enables GUC propagation for correct RLS evaluation
  • Cross-tenant isolation verification: CI integration test tests/enterprise/test_rls_isolation.py gates future enterprise changes with real PostgreSQL test harness (pytest -m "integration and postgres")

  • All policies use reusable _create_table_policies() pattern from ent_030, documented in context layer

  • Audit Trail (created_by) Backfill & Enforcement — Wave 4 Phase 2 (CC-4-AUTH, Superseded by PRD-2) (Enterprise edition only, Deferred)

  • ⚠️ Note: Wave 4 Phase 2 scope (AuthContext integration, GUC wiring, created_by backfill) superseded by PRD-2 created-by-backfill implementation plan (merged in PR #186)
  • Backfill heuristics, historical migration, NOT NULL promotion, and type normalization delivered via PRD-2 rather than reopened as Wave 4 work
  • See docs/project_plans/PRDs/infrastructure/created-by-backfill-prd2.md for delivery details; PRD-2 test phases TV-6.1 through TV-6.3 validate all success criteria

Changed

  • Authentication: TokenDep → AuthContextDep Migration (Enterprise edition)
  • All 22 enterprise router files migrated from legacy TokenDep bearer token extractor to AuthContextDep dependency injection
  • TokenDep usage across ~193 callsites replaced; routers now receive auth: AuthContextDep containing tenant_id, user_id, email, and edition (replaces bare token string)
  • Legacy AuthMiddleware removed; all routes now protected exclusively via AuthContextDep DI (eliminated dual-path auth inconsistency)

  • Service layer refactored to accept tenant_id / user_id from AuthContextDep instead of extracting from bearer token

  • Database Schema: created_by Column Addition (Enterprise edition)

  • ~50 tenant-scoped enterprise tables now have nullable created_by: UUID column for audit trails and RLS-aware record ownership
  • Schema-only change; population of created_by at write time deferred to PRD-2 (blocked on AuthContext wiring across all service layers)
  • Alembic migration ent_039 adds columns with nullable=True; SQLAlchemy models updated to include Optional[uuid.UUID] fields with explanatory comments

  • Existing write operations unaffected (no NOT NULL constraint; backward compatible)

  • Database Schema: created_by Enforcement & Audit (Enterprise edition)

  • SQLAlchemy before_insert listener (skillmeat/cache/event_listeners.py) automatically populates created_by from FastAPI PostgreSQL GUC (app.current_user_id) with current_user_id_var ContextVar fallback on all enterprise inserts; bypass_created_by() context manager for seeding operations
  • FastAPI middleware wires current_user from JWT/PAT tokens to PostgreSQL GUC per-request with configurable fallback
  • Enterprise seed/import commands (skillmeat enterprise seed, skillmeat enterprise import) wrap all inserts in bypass_created_by(SEEDER_SERVICE_ACCOUNT_UUID) for deterministic seeded-record attribution
  • Alembic migration ent_047 promotes created_by to NOT NULL across ~50 tables with type normalization (PostgreSQL-only; SQLite is no-op)
  • Belt-and-suspenders defense: ensure_created_by() helper explicitly assigns created_by in enterprise repository create() / update_or_create() paths independent of the event listener
  • Multi-tenant isolation verification: CI integration test tests/enterprise/test_multi_tenant_isolation.py with seed E2E coverage validates record ownership across concurrent user operations
  • Audit trail enablement: Record created_by now available for governance policies, retention rules, and RBAC ownership checks

Added

  • Enterprise Auth UI: Enhanced user authentication interface with header profile menu and tenant management features
  • User avatar and dropdown menu in application header showing identity info, workspace details, and sign-out option
  • Enterprise edition settings: Team memberships tab displaying user roles within teams
  • Enterprise settings: Tenant ID and edition badge on Account settings tab
  • Extended /auth/me API endpoint: Returns display_name, email, teams[], and edition fields for improved session management
  • useAuthSession hook: TanStack Query-backed React hook for auth session data with 30-second stale time

  • Full edition support: Graceful fallbacks for local edition with feature detection based on user session

  • DAG-Based Artifact Branching & Merge-Back: Distributed Version Control System (DVCS) foundation for collaborative artifact development with per-version branch tracking, content-aware merging, and enterprise branch protection

  • Branch model: branch_id and parent_branch_id on ArtifactVersion with main branch as default; BranchService provides CRUD and branch-aware version history queries; LocalBranchRepository enables production deployments
  • Content-aware 3-way merge engine with format-specific drivers: TextMergeDriver for plain text, YAMLMergeDriver with comment preservation (ruamel.yaml), and TOMLMergeDriver with structured format handling
  • MergeService with cherry-pick support for selective version backports and cross-branch integration
  • REST API suite: /branches CRUD endpoints, merge and cherry-pick operations, branch-scoped version history, and dvcs_branching_enabled feature flag for phased rollout
  • Frontend Time Machine DAG view visualizing branch topology and history; BranchConflictResolutionCard for merge conflict management; BranchMergeDialog for multi-step merge workflows; deploy-by-branch selector; branch status badges
  • Enterprise protected-branch enforcement with require_branch_permission RBAC integration for governance-aware deployments
  • Comprehensive observability: structured logs and OTel spans for branch operations (create, delete, merge, cherry-pick) enabling audit trails and performance monitoring
  • Branch-aware patching: POST /versions/patch accepts optional branch_name to target specific branches; POST /versions/batch-patch applies patches across multiple branches in a single call with per-branch status reporting (success/skipped/not_found)
  • Branch archival: POST /branches/{branch_name}/archive marks branches as read-only; archived branches reject further patches (HTTP 409); idempotent operation
  • Branch creation from tags: POST /branches/from-tag creates new branches pointing to tagged versions for maintenance/hotfix workflows
  • Branch-targeted deployment: Deploy endpoint accepts optional branch_name to deploy HEAD of a specific branch; deployment records track source branch for audit trail

  • dvcs_branch_aware_patching_enabled feature flag for phased rollout (default: enabled)

  • S3 Blob Tiering for Enterprise Edition (Enterprise-only, gated by dvcs_s3_tiering_enabled feature flag)

  • TieredBlobBackend composing PostgreSQL hot storage and S3-compatible object storage with local disk LRU cache
  • Automatic tiering job promoting cold blobs to S3 after configurable threshold (default 90 days), reducing database load and storage costs for large-scale artifact repositories
  • S3BlobBackend and BlobDiskCache implementations with concurrent read/write and atomic blob operations
  • REST API observability endpoints (GET /dvcs/tiering/status, POST /dvcs/tiering/run-now) for monitoring hot/cold distribution and triggering manual cycles
  • CLI command skillmeat dvcs tiering status for monitoring tier statistics

  • Comprehensive ops runbook at docs/dev/runbooks/dvcs-s3-tiering-rollout.md covering deployment, monitoring, and troubleshooting

  • Enterprise Federation Trust Model & Sync (Enterprise-only, gated by dvcs_federation_enabled feature flag)

  • PKI-based 2-tier certificate authority (root CA and issuing CA) for authenticating federated organizations
  • Trust policy CRUD API for managing federation policies: create, list, get, update, and delete federation trust policies per organization
  • Pull-based artifact sync protocol enabling subscriber organizations to pull artifacts from publisher organizations with policy-driven access control
  • 3-segment FQAN (Fully Qualified Artifact Name) extension supporting cross-organizational artifact resolution in format org-slug/namespace/artifact
  • Blob region tagging with data_region metadata on ingested artifacts for data sovereignty and compliance

  • GDPR deletion cascade with publisher-initiated deletion propagating to all subscribed organizations for privacy compliance

  • Enterprise Branch Repository & RLS (Wave 3B) (Enterprise edition only, DOC-001)

  • EnterpriseBranchRepository: Full implementation of IBranchRepository for enterprise with tenant-scoped queries and multi-tenant isolation
  • All 9 branch endpoints functional in enterprise edition (previously returned 501); supports branch CRUD, merge, cherry-pick, archive, and tag-based creation
  • Row-Level Security (RLS) policy applied to artifact_branches table (SELECT, INSERT, UPDATE, DELETE) enforcing tenant_id = current_setting('app.current_tenant_id')
  • Enterprise branch protection with require_branch_permission RBAC integration for governance-aware deployments
  • EnterpriseArtifactVersionRepository: Version-history queries now tenant-scope ArtifactVersion.branch_id joins for accurate branch-aware history
  • Comprehensive test coverage: 31 enterprise-specific test cases covering CRUD, multi-tenant isolation, protected-branch RBAC, and DI factory routing

  • dvcs_branching_enabled feature flag now safe for enterprise operator enablement

  • Enterprise Parity — Wave 3C (Sync + File Content + Metadata) (Enterprise edition only)

  • Sync — Conflict Resolution (SR-G4): POST /api/v1/enterprise/sync/conflicts/{conflict_id}/resolve endpoint enables conflict remediation via accept/reject with winning-side hash validation
  • Sync — Directional Divergence Classification (SR-G2): Enhanced sync-status dashboard distinguishes ahead / behind / diverged states with sentinel head_hash "0"*64 conservatively classified as diverged
  • File Content — Scope-Pair Fetch (FC-G3): Enterprise scope-pair fetch enables targeted content retrieval across hierarchical scopes with stub version marker handling
  • File Content — Tier-Sync Write Endpoint (FC-G4): POST /api/v1/enterprise/tier-sync/push applies cross-scope changes using existing push_changes semantics with owner derivation from scope parameter
  • File Content — Blob GC Endpoint (FC-G2): POST /api/v1/enterprise/blob-gc/run triggers enterprise blob garbage collection
  • Metadata — File List Tree Shape (META-G2): GET /api/v1/enterprise/files/list returns hierarchical tree by default; flat=true query param enables backward-compatible flat listing
  • Metadata — Audit Events (META-G10): Structured audit events emitted on admin tag/category/description/archive/restore mutations for governance audit trails
  • Metadata — Version Graph Tests (META-G5): Comprehensive integration test coverage for version graph and scope ancestry queries validating enterprise inheritance semantics

Added

  • Enterprise Testing Infrastructure & CI Integration — Wave 4 Cross-Cutting (CC-4-CI) (Enterprise edition only, gated by default CI behavior)
  • .github/workflows/enterprise-smoke.yml gates all PRs to main and pushes to main with full enterprise test suite against live PostgreSQL 15 (pytest -m "enterprise and integration")
  • Flaky-test quarantine infrastructure: @pytest.mark.flaky decorator in test files, corresponding enterprise-flaky.yml allow-failure workflow, triage policy documented in docs/dev/enterprise-testing.md (24h file SLA, 5d fix/escalate SLA)
  • Contributor guide: docs/dev/enterprise-testing.md covers local enterprise test setup (PostgreSQL 15 + Alembic), run commands, CI failure interpretation, flaky-test triage procedure, and escalation path
  • Branch protection rule registered on main with enterprise-smoke as required status check (enforced after 5+ consecutive green runs baseline confirmation)

  • Stable baseline with <5min timeout, 2x infrastructure retry, and clear pass/fail job summaries

  • Enterprise RLS Full Coverage — Wave 4 Cross-Cutting (CC-4-RLS) (Enterprise edition only)

  • tests/enterprise/test_rls_cross_workstream.py (195 tests, 82% tenant-table coverage) validates RLS isolation across all workstreams: set tenant_id to Tenant A, modify rows, switch to Tenant B, assert zero cross-tenant leakage on SELECT/INSERT/UPDATE/DELETE
  • Comprehensive multi-tenant isolation test suite covering identity tables, artifact/version tables, deployment/workflow/bundle tables, marketplace tables, context/federation tables

  • Manual QA checklist: docs/dev/qa/enterprise-tenant-isolation-qa.md with tenant A/B isolation scenarios, operation matrices (read/write/delete per scope), and created_by field verification

  • Skill Specification Convention — Formal SPEC.md convention for all custom skills

  • New meta-spec: .claude/specs/skill-spec-convention.md defines frontmatter schema, required sections (Purpose & Scope, Capability Coverage, Invariants, Enhancement Backlog, Changelog, Integration Points, Success Signals), and maturity states (draft → stable → deprecated)
  • Fillable template: .claude/specs/skill-spec-template.md
  • Centralized discovery: .claude/specs/skills-index.md catalogs all 40+ skills with version, status, and owner
  • skill_spec added to artifact-tracking doc_type enum
  • skill-creator and skill-builder now require SPEC.md authoring as part of their creation workflow

Changed

  • skillmeat-cli Skill Refresh — Aligned with current CLI surface (~49 commands, 15 groups)
  • New .claude/skills/skillmeat-cli/SPEC.md (stable v1.0) with capability coverage matrix mapping user intents to workflows and canonical CLI docs
  • SKILL.md rewritten as concise route-table (<150 lines); points to canonical docs/user/guides/cli/commands.md and docs/user/guides/cli/reference.md
  • Workflow files consolidated 13 → 11 (each ≤400 lines): discovery, deployment, management, bundle-and-scaffold, memory-context, error-handling, supply-chain (bom + attest), versioning (snapshot + history + rollback), auth (login + token + logout), enterprise (migrate + verify)
  • 7 speculative workflows archived under archive/ with rationale README: rating-system, caching, confidence-integration, context-boosting, gap-detection, advanced-integration, agent-self-enhancement
  • command-quick-reference.md simplified to a pointer doc; capability-router.md updated to route to 8 core workflows
  • CLAUDE.md — Added pointer to skill-spec convention under Command-Skill Bindings section

Fixed

  • Artifact modal: Collections tab — Display explicit empty state when artifact has no collections; cache invalidation on add/remove refreshes tab immediately.
  • Artifact modal: Links tab — Added React Query key factory (['artifact', id, 'linked-artifacts']) with symmetric invalidation on create/delete; new links appear without manual refresh.
  • Artifact modal: Similar tab — Composite IDs (e.g., agent:ai-artifacts-engineer) now work end-to-end; backend returns 200 with empty list on missing embeddings instead of 500.
  • Backend: composite artifact IDs/artifacts/{id}/linked-artifacts and /artifacts/{id}/similar handle URL-encoded composite IDs (deployment_set%3APlanning, agent%3Aai-artifacts-engineer) reliably with 200 / 404 responses.
  • Sync Status tab — Consolidated duplicate button groups; Pull / Push / Deploy / Merge / Apply actions now in single canonical footer with ArtifactFlowBanner showing status chips only.
  • Sync Status diff viewer — Bounded height with scroll so large diffs no longer push modal footer offscreen at 1280×800; scroll containers keyboard-focusable.