From e7bfbf6ca15552f2167962895b83019b8449bbc3 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Sat, 2 May 2026 08:56:01 +0100 Subject: [PATCH] docs: prepare 0.3.0 release --- CHANGELOG.md | 37 ++++++++++++++++++++----------------- docs/operations.md | 22 ++++++++++++++++++---- package.json | 2 +- worker/package-lock.json | 4 ++-- worker/package.json | 2 +- 5 files changed, 42 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a3b998..0aa7033 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,56 +1,56 @@ # Changelog -## 0.3.0 - Unreleased +## 0.3.0 - 2026-05-02 -Crabbox 0.3.0 adds trusted AWS image lifecycle, stable timing JSON, durable run events, stronger coordinator auth, and hardened AWS and Blacksmith remote-validation paths. +Crabbox 0.3.0 makes brokered runs much easier to observe and debug, adds +trusted AWS image lifecycle commands, improves AWS and Blacksmith reliability, +and tightens coordinator auth boundaries. ### Added +- Added early durable run session handles and append-only run events, plus `crabbox events ` for inspecting the coordinator event log. +- Added `crabbox attach ` for following recorded events from active runs, plus `--after` and `--limit` pagination for `crabbox events`. Thanks @stainlu. - Added `--timing-json` for `warmup`, `actions hydrate`, and `run` so provider comparisons can read stable sync, command, total, exit-code, and Actions run timing from one JSON record. - Added `--market spot|on-demand` to `warmup` and `run` so AWS capacity market choice no longer requires environment-only overrides. -- Added best-effort AWS vCPU quota preflight for brokered launch fallback, with concise quota-code attempt metadata when a requested instance type cannot fit the applied quota. -- Added coordinator-orphan hints to human `crabbox list` output when provider machines carry no active coordinator lease. -- Added Blacksmith Testbox timing JSON output that reports delegated sync in the same schema as AWS and Hetzner runs. -- Added the Access-protected coordinator route `https://crabbox-access.openclaw.ai` for service-token proof and hardened automation. -- Added separate coordinator admin-token auth so shared operator tokens no longer grant admin routes. -- Added Cloudflare Access JWT verification before Access identity can affect bearer-token ownership. -- Added optional GitHub team allowlisting for browser-login tokens with `CRABBOX_GITHUB_ALLOWED_TEAMS`. Thanks @stainlu. 
-- Added Cloudflare Access service-token headers for coordinator CLI requests. Thanks @stainlu. - Added `crabbox image create --id --name [--wait]` for trusted operators to create AWS AMIs from active brokered AWS leases. - Added `crabbox image promote ` for trusted operators to promote an available AMI as the coordinator default for future brokered AWS leases. - Added JSON output and wait polling for image creation, including `--wait-timeout` and `--no-reboot` controls. +- Added best-effort AWS vCPU quota preflight for brokered launch fallback, with concise quota-code attempt metadata when a requested instance type cannot fit the applied quota. +- Added Blacksmith Testbox timing JSON output that reports delegated sync in the same schema as AWS and Hetzner runs. +- Added coordinator-orphan hints to human `crabbox list` output when provider machines carry no active coordinator lease. +- Added the Access-protected coordinator route `https://crabbox-access.openclaw.ai` for service-token proof and hardened automation. +- Added Cloudflare Access service-token headers for coordinator CLI requests. Thanks @stainlu. +- Added optional GitHub team allowlisting for browser-login tokens with `CRABBOX_GITHUB_ALLOWED_TEAMS`. Thanks @stainlu. +- Added separate coordinator admin-token auth so shared operator tokens no longer grant admin routes. +- Added Cloudflare Access JWT verification before Access identity can affect bearer-token ownership. - Added coordinator image routes for admin-token callers: `POST /v1/images`, `GET /v1/images/{ami-id}`, and `POST /v1/images/{ami-id}/promote`. - Added AWS provider support for `CreateImage` and `DescribeImages`, with Crabbox-owned AMI tags. - Added `docs/commands/image.md` and linked the image command from the CLI docs, command index, docs site, and source map. - Added `npm run docs:check` with internal Markdown link validation plus docs-site generation, and wired it into CI. 
- Added `scripts/live-smoke.sh` for opt-in AWS, Hetzner, and Blacksmith Testbox live smoke coverage from a real repository checkout. - Added `scripts/live-auth-smoke.sh` for opt-in live proof that shared tokens cannot call admin routes, admin tokens can, Access edge auth works, and raw Access identity headers are ignored. -- Added early durable run session handles and append-only run events, plus `crabbox events ` for inspecting the coordinator event log. -- Added `crabbox attach ` for following recorded events from active runs, plus `--after` and `--limit` pagination for `crabbox events`. Thanks @stainlu. - Added `scripts/deploy-worker-smoke.sh` to run the Worker gate, deploy the coordinator, verify public health routes, and optionally include a short AWS lease smoke. ### Changed +- Hydrated runs now skip the expensive Git base-ref hydration fetch when the remote base is already current enough for the local base SHA. - Brokered AWS class requests now fall back through provider candidates, account-policy launch rejections, and a small burstable fallback instead of failing on the first Free Tier-ineligible high-core type. - Brokered AWS fallback now skips known quota-impossible candidates before calling `RunInstances`, while preserving explicit `--type` failure semantics. - Brokered lease records now keep the requested AWS instance type plus concise provisioning-attempt metadata when fallback chooses a different type. -- Hydrated runs now skip the expensive Git base-ref hydration fetch when the remote base is already current enough for the local base SHA. - Coordinator run history now records the resolved lease provider/class/type when a lease exists, avoiding stale requested-type entries after fallback. - Brokered AWS lease creation now uses the promoted AWS image when no explicit `awsAMI` or `CRABBOX_AWS_AMI` override is supplied. 
-- Image route validation now rejects noncanonical lease IDs, invalid AMI IDs, invalid AMI names, non-AWS leases, and promotion attempts before an image reaches `available`. - Moved the deployed coordinator route to the OpenClaw Cloudflare account at `https://crabbox.openclaw.ai` and scoped default broker org/auth settings to `openclaw`. - User config writes now force `0600` permissions, and `crabbox doctor` reports overly broad config permissions. +- Image route validation now rejects noncanonical lease IDs, invalid AMI IDs, invalid AMI names, non-AWS leases, and promotion attempts before an image reaches `available`. ### Fixed - Recorded durable `run.failed` events reliably for coordinator-backed pre-command failures such as lease claim, bootstrap, sync, and remote workdir errors. +- Fixed retained run-log tails under concurrent stdout/stderr writes so `crabbox logs` does not drop lines while run events are being recorded. - Included the GitHub Actions hydration run URL in `crabbox run --timing-json` output when an Actions-hydrated workspace marker carries a run ID. -- Fixed the generated docs-site mobile menu icon so the hamburger bars remain visible on narrow iOS/Safari viewports. - Preserved explicit AWS `--type` requests as exact instance-type requests; Crabbox now fails clearly instead of silently falling back when the user asked for a specific type. - Fixed AWS On-Demand launches by omitting Spot request tag specifications when no Spot request is created. - Fixed Blacksmith Testbox JSON list output so the CLI returns an empty array when Blacksmith reports no active testboxes. -- Warned before running JavaScript package-manager commands on an unhydrated raw box when the repo declares an Actions hydration workflow. -- Fixed responsive padding on the generated docs-site frontpage body content. - Fixed brokered AWS security-group creation by sending EC2's required `GroupDescription` parameter, restoring first-run AWS provisioning in fresh accounts. 
- Fixed coordinator warmup waits to keep touching the lease during slow bootstrap so short idle timeouts do not release a box while the foreground CLI is still waiting. - Fixed SSH known-host handling for macOS config paths containing spaces, restoring per-lease known-host isolation under `Library/Application Support`. @@ -58,6 +58,9 @@ Crabbox 0.3.0 adds trusted AWS image lifecycle, stable timing JSON, durable run - Fixed `crabbox list --provider blacksmith-testbox --json` to return parsed JSON instead of rejecting the shared `--json` flag. - Prevented caller-supplied Access identity headers from overriding signed GitHub user token identity. Thanks @stainlu. - Canceled SSH bootstrap waits when the coordinator lease disappears or becomes inactive, and made wait progress include elapsed and remaining time. +- Warned before running JavaScript package-manager commands on an unhydrated raw box when the repo declares an Actions hydration workflow. +- Fixed the generated docs-site mobile menu icon so the hamburger bars remain visible on narrow iOS/Safari viewports. +- Fixed responsive padding on the generated docs-site frontpage body content. - Documented self-hosted GitHub OAuth setup so external coordinator deployments can avoid `Invalid redirect_uri` login failures. ## 0.2.0 - 2026-05-01 diff --git a/docs/operations.md b/docs/operations.md index fce4876..c0b08fb 100644 --- a/docs/operations.md +++ b/docs/operations.md 
@@ -188,10 +188,24 @@ Cost is an estimate for compute leases, not an invoice. See [Cost And Usage](fea ## Release Checklist -Before handing off: +Before tagging a release: -- `go test ./...` -- Worker format, lint, typecheck, tests, and build. +- Reorder `CHANGELOG.md` with the user-facing changes first, date the release + section, and keep contributor thanks/co-author notes intact. +- Update package metadata that carries the project version, including + `package.json`, `worker/package.json`, and `worker/package-lock.json`. +- `go vet ./...` +- `go test -race ./...` +- `go build -trimpath -o bin/crabbox ./cmd/crabbox` +- `scripts/check-go-coverage.sh 85.0` +- Worker format, lint, typecheck, tests, and build: + `npm run format:check --prefix worker && npm run lint --prefix worker && npm run check --prefix worker && npm test --prefix worker && npm run build --prefix worker` - `npm run docs:check` - `git diff --check` -- live `crabbox doctor` if broker credentials are available. +- Live smoke at least one coordinator-backed `crabbox run`, then verify + `crabbox attach`, `crabbox events`, `crabbox logs`, and lease cleanup. +- Push, pull, and wait for CI green on the release commit. +- Tag and push `vX.Y.Z`, then wait for the release workflow. +- Verify the GitHub release assets and Homebrew formula update. +- `brew update`, install or upgrade `openclaw/tap/crabbox`, run + `crabbox --version`, and run a short live smoke from the installed binary. diff --git a/package.json b/package.json index cf2b698..86ae895 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@openclaw/crabbox-plugin", - "version": "0.2.0", + "version": "0.3.0", "description": "OpenClaw plugin for running Crabbox remote testbox workflows", "license": "MIT", "type": "module", diff --git a/worker/package-lock.json b/worker/package-lock.json index 52e82a0..0513b2e 100644 --- a/worker/package-lock.json +++ b/worker/package-lock.json 
@@ -1,12 +1,12 @@ { "name": "@openclaw/crabbox-worker", - "version": "0.2.0", + "version": "0.3.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@openclaw/crabbox-worker", - "version": "0.2.0", + "version": "0.3.0", "dependencies": { "aws4fetch": "^1.0.20", "fast-xml-parser": "^5.7.2" diff --git a/worker/package.json b/worker/package.json index 06a5373..1e4d543 100644 --- a/worker/package.json +++ b/worker/package.json @@ -1,6 +1,6 @@ { "name": "@openclaw/crabbox-worker", - "version": "0.2.0", + "version": "0.3.0", "private": true, "type": "module", "scripts": {
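Review bot: in the first CHANGELOG.md hunk, the `### Added` entry "Added separate coordinator admin-token auth so shared operator tokens no longer grant admin routes" describes a behaviour change for existing deployments, not only a new feature. Per that wording, a shared operator token that reached admin routes before this release stops doing so after upgrade, so the entry belongs under `### Changed` or needs a short upgrade note saying which routes now require the admin token. The rewritten summary line "tightens coordinator auth boundaries" is too soft to signal that to an operator skimming the release.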
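Review bot: in the second CHANGELOG.md hunk (`@@ -58,6 +58,9 @@`, the tail of `### Fixed`), the reorder moves the docs-site and package-manager entries down but leaves "Prevented caller-supplied Access identity headers from overriding signed GitHub user token identity" in the middle of the list, between a `--json` flag fix and an SSH bootstrap wait fix. That is the entry in this section most likely to drive an upgrade decision for anyone running a coordinator behind Access; move it to the top of `### Fixed`, or group it with the Access JWT verification and admin-token entries under a `### Security` heading.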
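Review bot: in the docs/operations.md hunk, the new live-smoke step covers `crabbox run`, `crabbox attach`, `crabbox events`, `crabbox logs` and lease cleanup, but nothing exercises the auth boundary this release changes. The changelog in this same patch adds `scripts/live-auth-smoke.sh` to prove that shared tokens cannot call admin routes and that raw Access identity headers are ignored; list it as a checklist step, opt-in when credentials are available in the same way the removed `crabbox doctor` line was. Separately, "Verify the GitHub release assets and Homebrew formula update" does not say what to compare; state the expected check, for example that the formula's version and checksum match the assets published for the tag just pushed.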
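Review bot: across the package.json, worker/package.json and worker/package-lock.json hunks the version string changes in four places (the lockfile carries it twice), and the checklist step added in docs/operations.md relies on the releaser remembering each file. Nothing in the checklist or the visible CI steps detects a missed one, so consider a small check, run alongside `npm run docs:check`, that these fields agree with each other and with the dated top heading in CHANGELOG.md.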