Comparing changes

## Summary - Add machine-readable error metadata to all API error responses following RFC 9457 (Phase 1) - `ErrorCategory` (8-value StrEnum) and `ErrorCode` (15-value IntEnum) with 4-digit category-grouped codes - `ErrorDetail` frozen Pydantic model (`message`, `error_code`, `error_category`, `retryable`, `retry_after`, `instance`) - `error_detail` field on `ApiResponse` and `PaginatedResponse` envelopes (additive, backward-compatible) - Class-level `error_category`/`error_code`/`retryable` on `ApiError` hierarchy with `__init_subclass__` validation - Request correlation ID binding in `RequestLoggingMiddleware` via structlog contextvars - All 10 exception handlers populate `error_detail` via centralized `_build_error_response()` - Fix flaky rate limiter pause tests with mocked `time.monotonic()` (deterministic) ## Review coverage Pre-reviewed by **11 agents** (code-reviewer, python-reviewer, test-analyzer, silent-failure-hunter, type-design-analyzer, logging-audit, resilience-audit, conventions-enforcer, security-reviewer, docs-consistency, issue-resolution-verifier). **20 findings addressed** across source, tests, and documentation. Key fixes from review: - Security: `PERSISTENCE_ERROR` code no longer exposed to clients (uses generic `INTERNAL_ERROR`) - Security: Middleware uses `clear_correlation_ids()` for defensive cleanup - Robustness: `_get_instance_id()` wrapped in try/except (exception handlers must never crash) - Type safety: `ClassVar` annotations + `__init_subclass__` enforces code/category consistency - Conventions: `NotBlankStr` on `instance`, `Field(ge=0)` on `retry_after`, redundant overrides removed - Tests: Direct unit tests for `_get_instance_id`, `_category_for_status`, 5xx scrubbing, `ApiError` instantiation - Docs: CLAUDE.md, `docs/design/operations.md`, `docs/architecture/index.md` updated ## Test plan - [x] `uv run ruff check src/ tests/` — lint passes - [x] `uv run mypy src/ tests/` — type-check passes (975 files) - [x] `uv run python -m pytest tests/ -n auto --cov=synthorg --cov-fail-under=80` — 8068 passed, 94.50% coverage - [x] `uv run pre-commit run --all-files` — all hooks pass - [ ] CI pipeline passes (lint + mypy + pytest + coverage) - [ ] Verify `error_detail` appears in error responses via health check or manual test Closes #419

## Summary - Add `"force-tag-creation": true` to Release Please config — RP creates the git tag atomically with the draft release - Remove the 45-line manual "Create git tag for draft release" bash step from `release.yml` - Update CLAUDE.md to reflect the simplified pipeline ## Problem Every release triggered a bogus "release 0.2.0" PR from Release Please. Root cause: we created tags manually via the GitHub API (bypassing RP), so RP couldn't track its own releases and fell back to computing versions from scratch. ## Solution Release Please has a built-in `force-tag-creation` option specifically for `draft: true` setups. It creates the tag using the same PAT token, which also triggers downstream workflows. This is the official solution documented in the Release Please repo. ## Test plan - [ ] After merge, next release PR merges cleanly without bogus 0.2.0 PR appearing - [ ] Tag is created by Release Please (check tag creator in GitHub) - [ ] Docker + CLI workflows trigger from the tag push - [ ] finalize-release publishes the draft after both succeed

## Summary - Add stagnation detection that analyzes `TurnRecord` tool-call fingerprints across a sliding window, intervenes with corrective prompt injection, and terminates early with `STAGNATION` if correction fails - New `StagnationDetector` async protocol with `ToolRepetitionDetector` default implementation using dual-signal detection (repetition ratio + cycle detection) - `StagnationConfig` frozen model with configurable window_size, repetition_threshold, cycle_detection, max_corrections, min_tool_turns - `STAGNATION` termination reason + `tool_call_fingerprints` field on `TurnRecord` - Fingerprint computation: `name:sha256(canonical_json)[:16]`, sorted per-turn - ReactLoop integration (loop-scoped corrections counter) + PlanExecuteLoop integration (per-step scoped) - Shared `check_stagnation()` helper in `loop_helpers.py` with proper error handling (non-critical — logged and skipped on failure) - `AgentEngine` wiring via `stagnation_detector` parameter - Checkpoint resume path preserves stagnation_detector (and approval_gate) via new read-only properties - Observability events: `check_performed`, `detected`, `correction_injected`, `terminated` - Design spec: `docs/design/engine.md` stagnation detection section - CLAUDE.md: package structure + event constants updated ## Test plan - [x] 66 stagnation-specific tests (models, detector, fingerprints, cycle detection, Hypothesis properties) - [x] Extended loop_protocol, loop_helpers, react_loop, plan_execute_loop tests - [x] Protocol conformance test (`isinstance` check) - [x] Repetition ratio exact-value tests - [x] Direct `_detect_cycle` coverage (6 cases) - [x] PlanExecuteLoop step corrections counter increment test - [x] Full suite: 8072 passed, 94.49% coverage - [x] mypy strict: 0 errors - [x] ruff lint + format: clean ## Review coverage Pre-reviewed by **9 agents**, **14 findings** addressed: - 2 CRITICAL (checkpoint resume dropping detector, unguarded check() call) - 4 MAJOR (code duplication, function length, docs, warning message) - 6 MEDIUM (deep-copy details, cycle_length constraint, cross-field validator, test gaps, corrective message edge case) - 2 MINOR (protocol conformance test, step corrections counter test) Closes #415

) ## Summary - Add `ExecutionStatus` enum (idle/executing/paused) to `core/enums.py` - Add `AgentRuntimeState` frozen Pydantic model with status invariant validation, `idle()` and `from_context()` factories - Add `AgentStateRepository` protocol (save/get/get_active/delete) to persistence layer - Add `SQLiteAgentStateRepository` with v8 migration (`agent_states` table + status index) - Add 10 persistence event constants for structured logging - Wire through `PersistenceBackend` protocol, `SQLitePersistenceBackend`, and all re-exports - Update `FakePersistenceBackend` in API test fixtures with properly-filtered `get_active()` - Update CLAUDE.md package structure and logging event documentation ## Test plan - [x] 41 new tests (23 model + 15 repo + 3 review-driven additions) - [x] Protocol compliance test (`isinstance` check) - [x] Backend before-connect guard test - [x] V8 migration table + index creation tests - [x] Schema version constant updated in all test files - [x] `uv run python -m pytest tests/ -n auto --cov=synthorg --cov-fail-under=80` — 8042 passed, 94.52% coverage - [x] `uv run ruff check src/ tests/` — clean - [x] `uv run mypy src/ tests/` — clean ## Review coverage Pre-reviewed by 12 agents, 10 findings addressed: - Parameterized `ExecutionStatus.IDLE.value` in SQL instead of hardcoded string - `ValidationError` in `test_frozen` instead of bare `Exception` - `FakeAgentStateRepository.get_active()` properly filters by status - Parametrized idle-violation tests - Added `idle(" ")`, `from_context(cost_usd=0.0)`, and `get_active` corrupt-row tests - CLAUDE.md package structure + logging events updated Closes #261 🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary - Add complete SEO infrastructure to the Astro landing page: OG/Twitter Card meta tags, canonical URLs, favicon reference, `@astrojs/sitemap` integration, `robots.txt`, and JSON-LD `SoftwareApplication` structured data - Add Formcarry-powered contact form (`ContactForm.astro`) with honeypot anti-spam, response body validation, error logging, and graceful fallbacks - Add early-access disclaimer banner between Hero and Proof Strip sections - Add Contact link to Footer community column - Optimize PageSpeed performance: non-render-blocking Google Fonts via `media="print" onload` pattern, preconnect to `api.github.com` - Fix accessibility: upgrade all `text-gray-500` to `text-gray-400` for WCAG AA contrast compliance (~7:1 vs ~3.6:1 on dark bg), add persistent underlines to all inline text links (color alone not sufficient) - Update CLAUDE.md to reflect new site components and SEO infrastructure ## Review coverage Pre-reviewed by 3 agents (docs-consistency, issue-resolution-verifier, silent-failure-hunter). 6 findings addressed: - CLAUDE.md package structure and documentation entries updated (2 findings) - ContactForm response body validation added — prevents data loss on false-positive HTTP 200 (1 finding) - Honeypot false-positive shows fake success instead of dead UI (1 finding) - Error catch block now logs to console for diagnostics (1 finding) - DOM element lookups use defensive guards with native form fallback (1 finding) ## Test plan - [ ] `npm --prefix site run build` passes (verified) - [ ] Build output includes `sitemap-index.xml`, `robots.txt`, `og-image.png` - [ ] View page source: confirm OG/Twitter/canonical/favicon/JSON-LD tags - [ ] Early-access banner visible below hero on index page - [ ] Contact form renders with all fields, submission works via Formcarry - [ ] Footer shows Contact link in Community column - [ ] PageSpeed: verify non-render-blocking fonts, preconnect hints - [ ] Accessibility: no `text-gray-500` remaining, all inline links underlined Closes #466

…tor, Sigstore verification (#465) ## Summary - **Self-update fix**: Add `release-assets.githubusercontent.com` to allowed download hosts — GitHub started routing release assets through this domain, breaking `synthorg update` - **`synthorg config show`**: Displays current CLI configuration with masked JWT secret. Warns if not initialized - **`synthorg completion-install`**: Auto-detects shell (bash/zsh/fish/powershell) and installs tab-completion. Idempotent. Leaves Cobra's built-in `completion` command untouched - **Enhanced `synthorg doctor`**: Adds compose file validation, port conflict detection, Docker image availability checks, container detail parsing from compose ps JSON, Docker/Compose minimum version warnings - **Native disk info**: Replaces `fsutil`/`df` subprocess with Go syscalls (`GetDiskFreeSpaceExW` on Windows, `Statfs` on Unix) — fixes "unavailable" on non-admin Windows - **Sigstore bundle verification**: Self-update now downloads and verifies `checksums.txt.sigstore.json` against Sigstore's public good transparency log, checking that the signing identity matches the GitHub Actions OIDC issuer for this repo. Uses `sigstore/sigstore-go` (new dependency) - **Review fixes**: 15 findings from 5 review agents addressed — idiomatic iota, f.Close() error handling, function size splits, CLAUDE.md docs updates, PowerShell path validation, test cleanup Closes #234 ## Test plan - [ ] `cd cli && go vet ./...` — clean - [ ] `cd cli && golangci-lint run` — 0 issues - [ ] `cd cli && go test ./...` — all pass - [ ] `cd cli && go build -o synthorg ./main.go` — builds - [ ] `./synthorg config show` — displays config or "not initialized" - [ ] `./synthorg completion-install` — detects shell, installs completions - [ ] `./synthorg completion-install` (again) — reports "already installed" - [ ] `./synthorg doctor` — shows compose file, images, disk info sections - [ ] `./synthorg completion bash` — Cobra built-in still works ## Review coverage Pre-reviewed by 5 agents (go-reviewer, go-security-reviewer, go-conventions-enforcer, docs-consistency, issue-resolution-verifier). 15 findings addressed, 1 deferred (log secret redaction — user decision). 🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary - **reCAPTCHA v3**: Add invisible reCAPTCHA integration to contact form — hidden `g-recaptcha-response` field + fresh token generated before each submission. Fixes Formcarry "Google reCAPTCHA Validation Failed" error. - **`<main>` landmark**: Wrap page content in `<main>` tag — fixes PageSpeed "Document does not have a main landmark" accessibility warning. - **Docs sitemap**: Add `https://synthorg.io/docs/sitemap.xml` to `robots.txt` so Google discovers the 35 documentation pages built by Zensical. - **Block `/_assets/`**: Prevent indexing of Astro's hashed CSS/JS build artifacts. ## Test plan - [ ] Submit contact form — no reCAPTCHA validation error - [ ] Form submission reaches email - [ ] No visible CAPTCHA widget (v3 is invisible) - [ ] PageSpeed: "Document does not have a main landmark" warning gone - [ ] Google Search Console: docs sitemap discovered via robots.txt

🤖 I have created a release *beep* *boop* --- ## [0.2.6](v0.2.5...v0.2.6) (2026-03-15) ### Features * add intra-loop stagnation detector ([#415](#415)) ([#458](#458)) ([8e9f34f](8e9f34f)) * add RFC 9457 structured error responses (Phase 1) ([#457](#457)) ([6612a99](6612a99)), closes [#419](#419) * implement AgentStateRepository for runtime state persistence ([#459](#459)) ([5009da7](5009da7)) * **site:** add SEO essentials, contact form, early-access banner ([#467](#467)) ([11b645e](11b645e)), closes [#466](#466) ### Bug Fixes * CLI improvements — config show, completion install, enhanced doctor, Sigstore verification ([#465](#465)) ([9e08cec](9e08cec)) * **site:** add reCAPTCHA v3, main landmark, and docs sitemap ([#469](#469)) ([fa6d35c](fa6d35c)) * use force-tag-creation instead of manual tag creation hack ([#462](#462)) ([2338004](2338004)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comparing changes

Open a pull request

Commits on Mar 15, 2026

This comparison is taking too long to generate.

Uh oh!