Skip to content

deps: bump google.golang.org/grpc from 1.81.1 to 1.82.0#130

Closed
dependabot[bot] wants to merge 1350 commits into
mainfrom
dependabot/go_modules/google.golang.org/grpc-1.82.0
Closed

deps: bump google.golang.org/grpc from 1.81.1 to 1.82.0#130
dependabot[bot] wants to merge 1350 commits into
mainfrom
dependabot/go_modules/google.golang.org/grpc-1.82.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps google.golang.org/grpc from 1.81.1 to 1.82.0.

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.82.0

Behavior Changes

  • server: Remove support for GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING environment varibale. Strict incoming RPC path validation (which has been the default since v1.79.3) can no longer be disabled. (#9112)
  • transport: Add environment variable to change the default max header list size from 16MB to 8KB. This may be enabled by setting GRPC_GO_EXPERIMENTAL_ENABLE_8KB_DEFAULT_HEADER_LIST_SIZE=true. This will be enabled by default in a subsequent release. (#9019)
  • balancer: Load Balancing policy registry is now case-sensitive. Set GRPC_GO_EXPERIMENTAL_CASE_SENSITIVE_BALANCER_REGISTRIES=false (and file an issue) to revert to case-insensitive behavior. (#9017)

New Features

  • experimental/stats: Expose a new API, NewContextWithLabelCallback, to register a callback that is invoked when telemetry labels are added. (#8877)
  • client: Return a portion of the response body in the error message, when the client receives an unexpected non-gRPC HTTP response, to make debugging easier. (#8929)
  • server: Add environment variable GRPC_GO_SERVER_GOROUTINE_LABELS that controls setting runtime/pprof.Labels on goroutines spawned by the server. Set GRPC_GO_SERVER_GOROUTINE_LABELS=grpc.method=true to add the grpc.method label on goroutines spawned to handle incoming requests. (#9082)

Bug Fixes

  • xds/server: Fix a memory leak of HTTP filter instances occurring when route configurations are updated in-place during a Route Discovery Service (RDS) update. (#9138)
  • grpc: In the deprecated gzip Compressor (used via the deprecated WithCompressor dial option), enforce the MaxRecvMsgSize limit on the decompressed message buffer, preventing excessive memory allocation from highly compressed payloads. (#9114)
  • stats/opentelemetry: Record retry attempts, grpc.previous-rpc-attempts, at the call level and not the attempt level. (#8923)
  • encoding: Ensure Close() is always called on readers returned from Compressor.Decompress if possible. (#9135)
  • channelz: Fix the LastMessageSentTimestamp and LastMessageReceivedTimestamp fields in SocketMetrics to ensure they contain correct timestamp values. (#9109)
Commits
  • bd23985 Change version to 1.82.0 (#9170)
  • 0f3086d Fix minor issues not covered by PR #9137 (#9147)
  • fef07fb internal: Split v3procservicepb import into pb and grpc for extproc (#9163)
  • 91dd64f transport: surface subsequent data when receiving non-gRPC header (#8929)
  • adc97de test/kokoro: add config for regional-td test (#9158)
  • 57c9ff1 xds: ensure full-string matching for RBAC Filter rules (#9148)
  • b58f32d server: Set a pprof label on new stream goroutines (#9082)
  • 6c98be3 refactor(transport): extract shared stream state handling logic in `loopyWrit...
  • bcaa6f4 rls: only reset backoff on recovery from TRANSIENT_FAILURE (#9137)
  • 429e6e0 balancer: expose endpoint weight and hostname as experimental APIs (#9074)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

omergk28 and others added 30 commits May 10, 2026 22:13
OpenCode's McpLocalConfig schema (in @opencode-ai/sdk) requires
`command` to be an Array<string> holding both the binary and its
arguments — there's no separate `args` field — and an `enabled`
boolean on the entry. The generator was emitting the Copilot CLI
shape (`command` as a string, `args` as a separate array), so
opencode startup rejected the file with:

  Configuration is invalid at /…/opencode.json
  ↳ Expected array, got "ctx" mcp.ctx.command
  ↳ Missing key mcp.ctx.enabled

Fold mcpServer.Command + Args() into a single command array, set
enabled: true, and drop the args field for the OpenCode path.
The Copilot CLI generator is unchanged — it still uses the
{command, args} split that mcp-config.json expects.

Add KeyEnabled constant; update the MCP regression test to assert
the new shape (command as []string of length 3, no args field,
enabled=true).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
…subdirectory)

OpenCode auto-loads only top-level .ts/.js files under
.opencode/plugins/; subdirectories are silently ignored. The
v0.7.x setup deployed the plugin to .opencode/plugins/ctx/index.ts,
so the entire OpenCode integration shipped in PR #72 — the
session/idle hooks, the post-commit nudge, the check-task
-completion nudge — was never actually loaded by OpenCode. The
file was correct; OpenCode's discovery rule made it dead code.

Verified by smoke-testing both layouts side-by-side:
.opencode/plugins/ctx/index.ts produced no trace events even
with --print-logs --log-level DEBUG. .opencode/plugins/ctx.ts
loaded immediately, factory-call invoked, tool.execute.after
fired with the expected args shape.

Changes:

- internal/cli/setup/core/opencode/plugin.go now writes the
  embedded index.ts content to .opencode/plugins/ctx.ts (flat).
- New cfgHook.FileOpenCodePluginDeploy = "ctx.ts" constant.
  cfgHook.FileIndexTs is kept as the embedded-asset key (the
  source-of-truth filename in the binary) and its docstring now
  spells out the flat-vs-subdir discovery rule for future
  maintainers.
- Drop internal/assets/integrations/opencode/plugin/package.json
  and its //go:embed directive: the plugin uses a type-only
  import of @opencode-ai/plugin (erased at compile time) and the
  host runtime injects PluginInput, so there is no runtime
  dependency tree to install.
- New errSetup.MissingEmbeddedAsset() helper with a matching text
  key, so the new asset lookup uses the err package rather than a
  naked fmt.Errorf (audit fix).
- specs/opencode-integration.md updated to describe the flat
  layout and a smoke-step that verifies a hook actually fires.
- LEARNINGS.md captures the discovery so future plugins for any
  editor verify load before debugging hook contracts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
…context

The MCP server registered by 'ctx setup opencode --write' failed
to hand-shake from OpenCode. Three failure modes, one root cause:
ctx requires CTX_DIR to be absolute (internal/rc.ContextDir's
"absolute-only hardline"), and OpenCode has no path templating
in opencode.json — neither environment.CTX_DIR=".context" nor a
literal absolute path that follows the user's checkout works.

Without an explicit pin, OpenCode forwards the parent shell's
CTX_DIR. A stale value (anchor drift) gives 'context directory
not found'; an unset value with overlapping .context candidates
gives 'multiple candidates visible'. Both kill the JSON-RPC
handshake before any tool can register, leaving 'ctx ✗ failed
MCP error -32000: Connection closed' in 'opencode mcp list'.

Verified: OpenCode launches MCP children with project root as
CWD and forwards parent env (incl. user CTX_DIR). Both confirmed
empirically with a debug shim that logged argv/cwd/env from
inside an opencode mcp list invocation.

Fix: emit ['sh', '-c', 'exec env CTX_DIR="$PWD/.context" ctx mcp
serve']. $PWD is set by sh to the project root OpenCode chose,
giving us an absolute path anchored to whichever checkout owns
this opencode.json. exec replaces the shell so OpenCode's
process tree has ctx directly, no lingering sh layer.

Verified end-to-end: 'opencode mcp list' shows '✓ ctx connected'
and a manual initialize+tools/list handshake against the same
launcher returns the 15 ctx tools.

Changes:

- internal/cli/setup/core/opencode/mcp.go: emit the sh wrapper
  via a new launchCommand() helper; drop the broken
  environment.CTX_DIR field; comment captures the rejection
  reasoning so a future maintainer doesn't reintroduce the
  relative-path attempt.
- internal/cli/setup/core/opencode/mcp_test.go: assert the new
  shape — sh/-c prefix, script substrings (exec env, the quoted
  $PWD/.context expansion, the wrapped invocation), and an
  explicit assertion that 'environment' must NOT be present (the
  failure mode this commit fixes).
- internal/config/shell/shell.go: new CmdFlag ('-c') and
  FormatPOSIXSpawnRelativeCtxDir constants, keeping the
  inline-script template out of call sites per the magic-string
  audit.

Spec: specs/opencode-integration.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
Capture decision 2026-04-26-231517: the OpenCode plugin's
missing tool.execute.before hook is permanent, not deferred.
Promoting block-dangerous-commands to a ctx Go subcommand was
on the books as follow-up but has been ruled out — Cobra's
exit-1 / { blocked: true } interaction would brick OpenCode for
users without the Claude wrapper.

Marks the Phase-1 task '[-]' skipped with a reason pointer to
the new decision so future sessions don't believe a re-add is
pending.

Spec: specs/opencode-integration.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
Three of four lifecycle hooks were silently no-ops because they
used the wrong signatures for @opencode-ai/plugin v1.4.x:

- shell.env: declared as `() => env` (returns); actual contract
  is `(input, output) => void` (mutates output.env). CTX_DIR was
  never injected into the agent's bash tool, so every embedded
  `ctx system X` invocation fell back to ~/.context.
- event: declared as `event: { "session.created": fn, ... }`
  (object of named handlers); actual contract is a single
  dispatch function `event: ({event}) => void`. session.created
  and session.idle never fired.
- tool.execute.after: declared as `({tool, args}) => void`; the
  actual contract is `(input, output) => void`. The destructure
  worked by accident because tool/args live on input.

The plugin's own `ctx.$` subprocess calls also ran without
CTX_DIR, since shell.env only injects into the agent's shell
tool. Build a CTX_DIR-aware BunShell from `ctx.directory` once
and reuse it for every `ctx system` call.

Verified end-to-end: instrumented plugin in a sandbox project
captures factory invocation, all hook firings, and exit codes
+ stdout from each subprocess. session.created runs bootstrap
and `ctx agent --budget 4000` to exit 0; session.idle runs
check-persistence and check-task-completion to exit 0;
shell.env injects the absolute CTX_DIR for every shell call.

Stale messaging cleaned up alongside:
- ctx setup opencode (dry-run + post-write summary): drop
  references to .opencode/plugins/ctx/index.ts and the never-
  written package.json. The flat-layout fix landed in 8a15bd2
  but the user-facing strings were never updated.
- skip-reason for existing files: was "(ctx plugin exists,
  skipped)" even for opencode.json/AGENTS.md/skills. Now reads
  "(already present, skipped)".
- Go doc comments in opencode.go / doc.go: described the old
  ctx/index.ts + package.json subdirectory layout.
- specs/opencode-integration.md: dropped the stale
  "Add this back when block-dangerous-commands is promoted to
  the ctx Go binary" clause, which was contradicted by
  decision 2026-04-26-231517 making the omission permanent.

Spec: specs/opencode-integration.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
Three "I wish I knew this earlier" gotchas surfaced while
fixing PR #72. Persisting before they fade so the next
@opencode-ai/plugin bump (or anyone wiring a new editor
plugin) doesn't repeat them:

- event hook is a single dispatcher, not an object of named
  per-event handlers — asymmetric with neighboring named hooks
  in the same SDK
- multiple plugin hooks (shell.env, tool.execute.after,
  chat.params, chat.headers, ...) take (input, output) and
  mutate output; returned values are silently discarded
- shell.env env injection only reaches the agent's shell tool,
  not the plugin's own ctx.$ subprocess calls — those need a
  pre-configured BunShell built from ctx.directory

Spec: specs/opencode-integration.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
…ctx context across compaction

Smoke-testing PR #72 with oh-my-openagent@3.17.6 installed
revealed that ctx context survives /compact only by accident:
oh-my-openagent's pre-compaction handler builds a structured
summary template that happens to preserve .context/-prefixed
file paths in its "Active Working Context → Files" section.
Combined with our shell.env CTX_DIR injection, the agent had
enough breadcrumbs to re-read DECISIONS.md from disk after a
test compaction — quoted line 65 verbatim.

That's a fragile property: depends on undocumented
serialization choices in another plugin. If oh-my-openagent
ever drops file-path preservation, swaps section names, or
condenses paths, the breadcrumbs disappear and ctx context
is lost without any signal.

Fix: register experimental.session.compacting in our plugin
and push `ctx system bootstrap` output to output.context. Per
the SDK contract, output.context is *additive* (appends to
the default compaction prompt), while output.prompt is
*destructive* (one plugin replaces another). Pushing to
context composes additively with primary compaction harnesses
like oh-my-openagent — neither plugin needs to know about the
other for the integration to work.

Verified: rebuilt binary embeds the new hook, lint clean
(0 issues), all tests pass. The deployed plugin in the
project's .opencode/ has been updated; relaunching OpenCode
will pick up the new hook on the next session start.

Also persisted as .context/LEARNINGS.md entry 2026-04-29-040000
so a future SDK or oh-my-openagent bump that breaks this
interop is easier to diagnose.

Spec: specs/opencode-integration.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
… into TUI

End users running OpenCode in a real ctx-managed project saw
chunks of `ctx agent --budget 4000` Markdown bleeding into the
TUI: section headers like `## Steering` and `# Product Context`,
followed by steering-template placeholder text like
`Describe the product...`. These are real strings from the
context packet that the session.created hook fires.

Root cause: BunShell's documented default behavior is to write
to the parent process's stdout/stderr in addition to buffering.
The plugin used the shell-level `2>/dev/null || true` to swallow
stderr and force exit 0, but stdout was untouched — so every
byte that `ctx agent` emitted got echoed to OpenCode's process
and surfaced through the TUI.

Fix: chain `.nothrow().quiet()` on every BunShell template
literal in the plugin. `.nothrow()` swallows non-zero exits at
the BunShell layer; `.quiet()` keeps stdout/stderr in the
buffer instead of writing to the parent process. Both modifiers
together let us drop the redundant shell-level `2>/dev/null || true`.

Five fire-and-forget callsites updated:
- session.created → bootstrap, agent --budget 4000
- session.idle → check-persistence, check-task-completion
- tool.execute.after (shell+git commit match) → post-commit
- tool.execute.after (edit/write) → check-task-completion

(experimental.session.compacting was already using .nothrow().quiet()
since commit 942304d — needed it for reading exitCode.)

Persisted as .context/LEARNINGS.md entry 2026-04-29-050000 so
this BunShell stdout-leak gotcha is documented for future plugin
work.

Spec: specs/opencode-integration.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
- Write MCP config to ~/.config/opencode/opencode.json (global) instead
  of project-local opencode.json so non-interactive shells find it.
- Resolve ctx binary to absolute path via exec.LookPath at setup time.
- Remove omitempty from ToolContent.Text to satisfy OpenCode's Zod schema.
- Extract .config to DirXDGConfig constant to pass audit checks.

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
Standalone getting-started page targeting OpenCode users with
before/after pitch, one-command setup, lifecycle hook reference,
slash commands, and MCP tools table. Added to Get Started nav.

Signed-off-by: omergk28 <omergk28@gmail.com>
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>

Signed-off-by: Omer Kocaoglu <omergk28@gmail.com>
Spec: specs/opencode-integration.md
Signed-off-by: omergk28 <omergk28@gmail.com>
Spec: specs/opencode-integration.md
Signed-off-by: omergk28 <omergk28@gmail.com>
Spec: specs/opencode-integration.md
Signed-off-by: omergk28 <omergk28@gmail.com>
Spec: specs/opencode-integration.md
Signed-off-by: omergk28 <omergk28@gmail.com>
Spec: specs/opencode-integration.md
Signed-off-by: omergk28 <omergk28@gmail.com>
- Fix govet shadow: rename inner err to deployErr in agents_test.go
- Use computed globalConfigPath() in MCP warning instead of static constant
- Add troubleshooting section, compaction explanation, restart note,
  dangerous-command omission note, and global-config caveat to opencode.md
- Add OpenCode to multi-tool-setup.md, guide-your-agent.md, recipes/index.md

Signed-off-by: omergk28 <omergk28@gmail.com>
Add TestToolContentTextFieldAlwaysPresent so a future revert of the
omitempty drop on ToolContent.Text fails CI. The MCP spec requires
text present on type:"text" content; OpenCode's Zod validator enforces
it strictly. Verified live (PR #72) against Claude Code and Copilot
CLI v1.0.40 — both accept the always-present empty-string form.

Signed-off-by: omergk28 <omergk28@gmail.com>
Two factual fixes in docs/home/opencode.md:

- "How Compaction Works" referenced `ctx agent --budget 4000`; the
  plugin actually runs `ctx system bootstrap` (index.ts:69). Updated
  the description to match the breadcrumb-mediated reality the spec
  already documents.
- "This is the only ctx integration that writes a file outside the
  project root" was wrong — the Copilot CLI integration writes to
  ~/.copilot/mcp-config.json for the same non-interactive-shell reason.
  Reworded to drop the uniqueness claim and reference the parallel.

Signed-off-by: omergk28 <omergk28@gmail.com>
Third-pass review fixes — docs and assets only, no behavior change.

- docs/home/opencode.md & docs/operations/integrations.md: rewrite the
  hook table/list so it matches what the plugin actually does. Previous
  text implied session.created/session.idle output was visible to the
  user; in fact those calls run with .nothrow().quiet() and produce no
  observable side effect. Compaction text now correctly describes the
  breadcrumb mechanism (push bootstrap output into output.context).
- skills/ctx-status/SKILL.md: drop "/ctx-status --verbose" and
  "/ctx-status --json" examples — OpenCode slash commands don't pass
  args to the underlying CLI, so these taught a non-existent
  invocation form. Replaced with a note pointing the agent at
  "ctx status --verbose" / "--json" directly.
- plugin/index.ts: add a comment on extractCommand documenting the
  silent-no-op behavior if a future SDK bump sends `command` as an
  array instead of string.
- specs/opencode-integration.md: drop the bogus PluginPathOpenCode
  constant reference (constant doesn't exist; deploy path is composed
  from cfgHook constants at the call site) and update the package
  file inventory to include validate.go + test files.

Signed-off-by: omergk28 <omergk28@gmail.com>
- opencode.go: compose the skill warning path inline from
  cfgHook.DirOpenCode + cfgHook.DirOpenCodeSkills, matching how
  skill.go composes the actual deploy path. Eliminates the duplicate
  cfgSetup.SkillsPathOpenCode definition that could drift from the
  real path.
- config/setup/setup.go: drop SkillsPathOpenCode (now unused);
  document MCPConfigPathOpenCode as a fallback-only display string
  for warnings when globalConfigPath() can't resolve.
- skill.go: iterate skills in sorted order so partial-failure
  filesystem state is deterministic and tests that plant blocking
  files at a specific skill path observe stable behavior.

Signed-off-by: omergk28 <omergk28@gmail.com>
Adds an atomic same-directory temp + fsync + rename helper and
applies it to the two integrations that write MCP config files
outside the project root (opencode, copilot_cli). Without this, a
crash mid-write or two concurrent setup invocations could truncate
the host tool's config and silently wipe every other registered
MCP server on the next run.

Also wraps raw stdlib errors in opencode/mcp.go through the
existing errFs/errSetup constructors per CONVENTIONS.md, and adds
a test for the LookPath-success branch in launchCommand that the
existing QuotesBinaryPath test deliberately skips.

- internal/io/security.go: SafeWriteFileAtomic (write-temp + sync
  + close + chmod + rename, with cleanup on every failure path).
- internal/io/security_test.go: cover create / overwrite / temp
  cleanup / perm application.
- internal/config/file/name.go: TempSuffixPattern constant for
  the os.CreateTemp pattern suffix.
- internal/cli/setup/core/opencode/mcp.go: route raw errors
  through errFs.FileRead/FileWrite/Mkdir + errSetup.MarshalConfig;
  use SafeWriteFileAtomic for the merged config write.
- internal/cli/setup/core/copilot_cli/mcp.go: use
  SafeWriteFileAtomic for the same exposure.
- internal/cli/setup/core/opencode/mcp_test.go: add
  TestEnsureMCPConfig_ResolvesBinaryToAbsolutePath, which seeds
  a fake `ctx` binary on PATH so the LookPath success path is
  actually exercised.

Signed-off-by: omergk28 <omergk28@gmail.com>
Adds OpenCode to docs/cli/setup.md — the canonical user-facing
reference page that lists every tool ctx setup supports — and
includes a corresponding example in the examples block.

Closes the last documentation gap from PR #72 review: hooks.yaml
gained the hook.opencode entry but the generated reference page
that surfaces tool support to users wasn't updated alongside it.

Signed-off-by: omergk28 <omergk28@gmail.com>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.80.0 to 1.81.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.80.0...v1.81.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.81.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
….golang.org/grpc-1.81.0

deps: Bump google.golang.org/grpc from 1.80.0 to 1.81.0
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.44.0 to 0.45.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.44.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
….org/x/tools-0.45.0

deps: bump golang.org/x/tools from 0.44.0 to 0.45.0
josealekhine and others added 22 commits July 3, 2026 18:19
…hain

The design-to-implementation chain had an unowned artifact:
/ctx-plan disclaims implementation planning, /ctx-spec commits the
what/why at spec altitude, and /ctx-implement opens with "use when
you have a plan document" that nothing in the chain produced.
/ctx-task-out decomposes a committed spec into a per-milestone plan
at specs/plans/<milestone>.md - data model, contracts, invariant
test matrix, and commit-sized tasks with falsifiable acceptance
criteria - and enforces refusal gates instead of degrading:
blocking-TBD, rolling-wave, and milestone boundaries owned by the
spec. The plan is the execution ledger; TASKS.md carries epic
anchors only.

Changes:
- new skill (claude + copilot-cli parity), registered in the
  permissions allowlist and init workflow tips
- chain diagrams updated to 5 steps across skills, playbook
  templates, and docs
- /ctx-spec gains the tasking handoff in interactive and --brief
  flows; /ctx-implement names the plan artifact, redirects bare
  multi-milestone specs, refuses Status: Blocked plans, and owns
  plan checkbox updates
- project template specs-README lifecycle gains the task-out step
- docs: skills reference (including the missing /ctx-plan section
  and its dead anchor), common-workflows, integrations, recipes

Spec: specs/ctx-task-out.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
ModelContextWindow recognized 1M windows only via the [1m] suffix
or the opus substring, so claude-fable-5 sessions fell through to
the 200k default and every consumer of EffectiveContextWindow -
the check-context-size hook, heartbeat, nudges, provenance -
computed against the wrong window (a 21%-used 1M session warned
"104% full"). Map the always-1M families: fable, mythos, and
sonnet-5 (1M as standard per the current model catalog; earlier
Sonnets keep the [1m] opt-in path, deliberately unchanged).

Spec: specs/model-context-window-fable.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
Lockfile hash additions picked up by the Go toolchain; no
dependency changes in go.mod/go.work.

Spec: specs/meta/chores.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
add /ctx-task-out — close the spec→implement gap in the canonical chain
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
First real consumer (zhc/os m0a) surfaced two gaps the skill's own
checklist could not catch: the plan-structure template listed task-table
columns without the state cell its ledger paragraph required — template
beats prose, so the generated table was unauditable — and step 7's
epic anchors carried no partition or completion semantics, letting id
ranges double-count across the plan and TASKS.md with no reconciliation
rule. Fix: st column ([ ]/[x]/[o]) added to the template, step 4, the
ledger rule, and the amendments wording; step 7 now requires a disjoint
id partition with a sum check and a stated completion rule; the quality
checklist gains both as boxes. Copilot mirror synced; work order's
dry-run acceptance box closed with the evidence.

Spec: specs/ctx-task-out.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
Close the execution end of the ledger loop ctx-task-out defines. The
skill never mentioned the st column, TASKS.md epic projection, or DoD
independence — and its checkpoint step actively said "check off
completed tasks and DoD items", instructing the implementer to derive
DoD from task completion, which is exactly what the rolling-wave gate
forbids. New Ledger Duties section: st flips to [x] only on
demonstrated acceptance ([o] via amendment, never silently backwards);
DoD is measurement- or user-confirmed only; epics in TASKS.md are
projected one-way when their disjoint id range completes; criterion
changes route through task-out amendment mode, with measurement gates
stopping execution of dependent tasks. Acceptance criteria join the
step-verification map; checklist gains the duties; step-numbering typo
(two 3s) fixed. Copilot mirror and plugin cache synced; work order
Status extended.

Spec: specs/ctx-task-out.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
First real consumption of the 5-step chain (zhc/os m0a) showed the
operator reverse-engineering the pipeline's mental model from skill
texts: /ctx-plan is absent from design-before-coding.md's TL;DR, and
nothing documents brief-per-bet vs plan-per-milestone altitude, the
rolling-wave and blocking-TBD gates from the operator's seat, the
ledger/projection two-surface rule, or when a new brief is warranted.
Seven-point recipe task added to Misc (priority high). Follow-up
surfaced by the ctx-task-out work order's first consumer; documenting
the chain it completed inherits its spec.

Spec: specs/ctx-task-out.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
The machine-readiness question ("can this box build, lint, site-render,
and reach the MCP servers?") had no single answer; gaps surfaced
mid-task instead of up front — a doc-link session discovered zensical
and pipx missing only after the source edits were done, and this very
machine could not run make lint until today. One manifest
(hack/tool-versions.txt) pins minimums; one script probes PATH
binaries, npm drift, and claude-registered MCP servers and prints one
verdict table. Required failures (go, git, golangci-lint) exit
non-zero; optional ones warn; probes degrade to SKIP without network
or the claude CLI, never hang.

Spec: specs/check-tools.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
A reported 404 on recipes/activating-context/ turned out to be one of
four breakage classes: two nav entries pointing at recipes deleted by
the cwd-anchored change, six absolute ctx.ist URLs stranded by old
restructures (README's manifesto/cli-reference/context-files/
integrations links, a blog autonomous-loop link, configuration.md's
self-reference), ten intra-doc anchors orphaned when commands were
re-homed to their own CLI pages, and a /ctx-prompt row surviving the
prompt-template removal. Every replacement URL was verified live
before the edit; zensical's build-time anchor checker now reports
zero issues.

Spec: specs/docs-link-integrity.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Prose shipped from AI-assisted sessions carries recognizable tells
(significance inflation, brochure language, forced triplets, em-dash
density, chatbot residue) and readers increasingly discount text that
pattern-matches to machine output; hack/detect-ai-typography.sh flags
the typography but nothing fixed the writing. The skill splits a
1,024-line first draft into a ~200-line rule sheet (invariants, modes,
protected content, cluster-based detection) and an on-demand
28-pattern before/after catalog under references/. Guardrails a live
test shaped: voice additions must trace to the author's material,
filler deletion is not coverage loss, removing fake attribution must
not silently strengthen a claim, and the em-dash ban is verified by
grep rather than eyeball.

Spec: specs/ctx-humanize.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
A session's cost and context pressure were invisible while it runs;
ctx usage reports tokens only after the fact. ctx system statusline
renders the statusLine stdin payload as one sanitized line
(user@host dir | model | ctx: N% | $C.CC) and ctx init wires it into
settings.local.json, backing up any pre-existing statusLine to
.context/state/ and restoring it on statusline.enabled: false. The
line is deliberately informational: no spend alarms and no
model-switch nudges, because a family-substring rule has no task
context and cost-per-turn is the wrong unit (the spec's Decisions
section records the full rationale).

Also fixes a latent data-loss bug this feature would have tripped:
the permissions merge round-tripped settings.local.json through a
typed struct, silently dropping every key ctx does not model (env,
statusLine, ...) on re-init. Both merges now do raw-map surgery so
unmodeled keys survive byte-for-byte.

Includes the rebuilt site/ for this session's docs changes.

Spec: specs/statusline.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This repository is public but is developed alongside internal
tooling, and tracked files had accumulated identifiers that do not
belong in a public tree: internal hostnames and a mirror-repo name in
two archived specs and DECISIONS.md, and internal-lineage notes in a
task entry, a spec cross-reference, and the experimental-skill
headers. Redactions preserve each sentence's meaning and every
structure invariant (tasks edited in place, decisions keep their
rationale); designs stay described on their own merits, without
attribution. TASKS.md also carries this session's ledger entries
(check-tools, ctx-humanize, delta analysis, statusline: all closed).

Spec: specs/public-repo-hygiene.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The deployed CLAUDE.md and Copilot INSTRUCTIONS treated a missing ctx
binary as fatal ("CRITICAL, not optional": relay, STOP), which
punishes exactly the contributor the templates first meet: someone
who cloned a ctx-using project without installing ctx got an agent
that refused ordinary work. Both templates now distinguish not-found
(mention the setup once, then proceed with the task; the Claude
variant recommends installing the plugin from a local clone since
marketplace releases lag the repository) from installed-but-erroring
(unchanged: relay verbatim, STOP, recovery is the user's decision).

Spec: specs/optional-ctx-onboarding.md
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Jose Alekhinne <jose@ctx.ist>
add /ctx-task-out — close the spec→implement gap in the canonical chain
…g.org/x/tools-0.47.0

deps: bump golang.org/x/tools from 0.46.0 to 0.47.0
…ctions/checkout-7

deps: bump actions/checkout from 6 to 7
fix(connect): close TOCTOU race in connect sync lock acquisition
fix(hack): guard empty-array expansion in lint-drift for bash 3.2
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.81.1 to 1.82.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.81.1...v1.82.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.82.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 6, 2026
@dependabot dependabot Bot requested a review from bilersan as a code owner July 6, 2026 02:24
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jul 6, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 6, 2026

Copy link
Copy Markdown

Deploying ctx with  Cloudflare Pages  Cloudflare Pages

Latest commit: c4549c3
Status: ✅  Deploy successful!
Preview URL: https://0502a226.ctx-bhl.pages.dev
Branch Preview URL: https://dependabot-go-modules-google-ebod.ctx-bhl.pages.dev

View logs

@dependabot @github

dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/go_modules/google.golang.org/grpc-1.82.0 branch July 7, 2026 04:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants