1.0.0 Release Readiness Audit¶
Date: 2026-07-03
This audit checks whether Nuzo is ready to enter the 1.0.0 release process.
It does not prepare the source version, create a tag or GitHub release, publish
an npm package, or publish a host plugin.
Decision¶
Nuzo is ready for a focused 1.0.0 release pull request. No known open issue
currently blocks data integrity, scope isolation, confirmed capture,
migrations, supported hosts, or the documented package boundary.
The source checkout and current public release remain at 0.9.1. The
1.0.0 Stable Release milestone remains open until the exact stable artifacts
are published and post-release validation is complete.
Passed Pre-Release Evidence¶
Scope And Tracking¶
- No open
priority:p0,priority:p1, or other executable issue remained before this audit issue was opened. - All four implementation issues previously assigned to the
1.0.0 Stable Releasemilestone were closed with evidence; issue #255 tracks this final audit and closes with its documentation pull request. - The completed
0.9.0 Contract Stabilizationmilestone was closed with all 22 issues complete. - The public release remains
0.9.1; no1.0.0tag, package, or GitHub release was created during this audit.
Release Tooling And Artifacts¶
npm run release:rehearse -- 1.0.0passed in its isolated temporary checkout.- The official CI workflow-dispatch rehearsal
completed successfully, including the dedicated
Release rehearsaljob for1.0.0and the full validation matrix. - The rehearsal prepared and checked the synthetic
1.0.0version, generated both host plugins, and validated staged@nuzo/memory-core@1.0.0and@nuzo/memory@1.0.0tarballs. - Package policy selected only
@nuzo/memory-coreand@nuzo/memoryfor1.0.0; the legacy CLI and MCP npm packages remained retired. - The source worktree stayed at
0.9.1after the rehearsal.
Current Published Baseline¶
- Published CLI and MCP continuity smokes passed against
@nuzo/memory@0.9.1. - The published optional-semantics smoke passed its default no-model fallback.
- Both current public packages expose npm provenance attestations.
- The final
@nuzo/memory-cli@0.9.0and@nuzo/mcp-server@0.9.0packages carry migration deprecation messages.
Dependencies And Supply Chain¶
npm audit --audit-level=moderatereported zero vulnerabilities.npm audit signaturesverified registry signatures for 177 packages and attestations for 31 packages.npm outdatedfound no newer required dependency; the missing@huggingface/transformers@4.2.0entries are the intentional optional peer.- Workflow action inputs and reviewed npm tool inputs passed the repository supply-chain gate.
Repository Governance¶
mainrequires pull requests, strict current-branch checks, linear history, and enforcement for administrators.- Required checks are Node.js 22, Node.js 24, documentation validation, and CodeQL analysis.
- Dependabot security updates, secret scanning, and push protection are enabled.
- Dependabot and secret-scanning APIs reported zero open alerts.
- Merged same-repository branches are deleted automatically.
Supported Matrix¶
The required staged-artifact lanes pass for:
- Ubuntu x64 with Node.js 22 and 24;
- macOS x64 with Node.js 22 and 24;
- Windows x64 with Node.js 22 and 24.
The standard CI gates also cover package checks, tests, release consistency, recall and capture benchmarks, optional-semantics benchmarks, npm and plugin packaging, the developer-experience gate, native Codex marketplace installation, CLI recovery, lifecycle hooks, and Codex and Claude Code plugin smokes.
Required At Release Time¶
These steps cannot be completed by a no-release audit:
- Open a focused release pull request that creates the dated
1.0.0changelog section and runsnpm run release:prepare -- 1.0.0. - Re-run the complete release checklist against that exact release commit.
- Confirm
1.0.0is still absent from both npm packages and verify the two trusted-publisher settings immediately before publishing. - Publish
@nuzo/memory-core@1.0.0and then@nuzo/memory@1.0.0through the protectedrelease-npm.ymlOIDC workflow. - Run the published CLI, MCP, optional-semantics, Codex, Claude Code, and host
canaries against the exact
1.0.0artifacts. - Create the
v1.0.0tag and GitHub release from the matching changelog section, then complete the post-release validation record.
Until those steps pass, this audit means ready to release, not released.