  • v0.0.1-rc.15 0113f9a390

    Carol v0.0.1-rc.15
    Some checks failed
    Secrets / gitleaks (push) Successful in 10s
    Release / Build, sign, and publish (push) Successful in 1m45s
    Release (Flatpak) / Build and attach .flatpak (push) Failing after 2m55s
    Release (Android) / Build, sign, attach (push) Successful in 11m38s
    Pre-release

    james released this 2026-06-24 16:26:30 +00:00 | 120 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.15 — 2026-06-24

    Bug fixes

    • require expo/config-plugins re-export instead of undeclared @expo/config-plugins (#284) (c721954)
    • COPY patches/ into deps stage so pnpm install can apply patchedDependencies (#282) (2e8f4ae)

    Other

    • Merge pull request 'fix(android): require expo/config-plugins re-export from with-release-signing plugin' (#285) from 284-android-config-plugins-require into main (0113f9a)
    • Merge pull request 'fix(docker): COPY patches/ into deps stage for pnpm patchedDependencies' (#283) from 282-dockerfile-patches-copy into main (ae5e231)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:480ae2ff9689a170c4c789715a255aa9f2fd4ffed8376be75d856e90ae80da8c
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:480ae2ff9689a170c4c789715a255aa9f2fd4ffed8376be75d856e90ae80da8c
    
  • v0.0.1-rc.13 dcea37d298

    Carol v0.0.1-rc.13
    Some checks failed
    Secrets / gitleaks (push) Successful in 10s
    Release / Build, sign, and publish (push) Successful in 1m45s
    Release (Flatpak) / Build and attach .flatpak (push) Failing after 2m48s
    Release (Android) / Build, sign, attach (push) Failing after 1m17s
    Pre-release

    james released this 2026-06-24 12:54:35 +00:00 | 126 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.13 — 2026-06-24

    Bug fixes

    • use single-brace {count} in organisations count labels (#272) (87f39df)

    Features

    • convert Projects to display-first view with Edit toggle (#273) (58c81b4)
    • rename Account to Settings + pin to sidebar bottom (#271) (a41efde)
    • mount PWA update toast in root layout (#225) (3616ce3)
    • PWA update toast component (#225) (b07d752)
    • service worker update detection hook (#225) (4f8d53d)
    • service worker handles SKIP_WAITING message (#225) (ad36ad2)

    Other

    • Merge pull request 'feat(client): convert Projects to display-first view + Edit toggle (#273)' (#276) from 273-projects-display-first into main (dcea37d)
    • Merge pull request 'fix(i18n): use single-brace {count} in organisations count labels' (#275) from 272-orgs-count-interpolation into main (ea91b4b)
    • Merge pull request 'feat(client): rename Account to Settings + pin to sidebar bottom (#271)' (#274) from 271-settings-sidebar-bottom into main (be9de11)
    • Merge pull request 'feat(client): service-worker update toast (#225)' (#270) from 225-sw-update-toast into main (5a09537)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:3d8a6cd652d0f3c51d28fd1e806eb186e49f365f1cbfadba20fc192bd0d9fce5
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:3d8a6cd652d0f3c51d28fd1e806eb186e49f365f1cbfadba20fc192bd0d9fce5
    
  • v0.0.1-rc.12 5ba43bdc6e

    Carol v0.0.1-rc.12
    Some checks failed
    Secrets / gitleaks (push) Successful in 10s
    Release / Build, sign, and publish (push) Successful in 59s
    Release (Android) / Build, sign, attach (push) Failing after 1m15s
    Release (Flatpak) / Build and attach .flatpak (push) Failing after 2m58s
    Pre-release

    james released this 2026-06-24 12:18:31 +00:00 | 137 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.12 — 2026-06-24

    Features

    • network tabs and organization detail screen (#28) (97f64f1)
    • hooks for organization detail, links, key-people (#28) (93f67ad)
    • organizations routes for detail, links, key-people (#28) (ddebd82)
    • expand organizations schema with description, links, key-people (#28) (8d54269)

    Other

    • Merge pull request 'feat(api+client): organizations feature with links and key people (#28)' (#269) from 28-organizations-feature into main (5ba43bd)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:881779f0d9ae52138b7ce2986a547e9187e96e6eee4020c3bb4832e4982db77a
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:881779f0d9ae52138b7ce2986a547e9187e96e6eee4020c3bb4832e4982db77a
    
  • v0.0.1-rc.11 837c9e90e6

    Carol v0.0.1-rc.11
    Some checks failed
    Secrets / gitleaks (push) Successful in 15s
    Release / Build, sign, and publish (push) Successful in 57s
    Release (Flatpak) / Build and attach .flatpak (push) Failing after 19m40s
    Release (Android) / Build, sign, attach (push) Failing after 20m15s
    Pre-release

    james released this 2026-06-24 02:20:45 +00:00 | 142 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.11 — 2026-06-24

    Bug fixes

    • sidebar follows app theme; collapsed brand row is a single tap target (11aca71)
    • convert plural templates from ICU to i18next native format (9417737)

    Features

    • network screen + person detail (#27) (ed33886)
    • people + organizations hooks + regenerated typed client (#27) (db63dc9)
    • /api/people and /api/organizations CRUD with nested sub-resources (#27) (a5e5500)
    • people + organizations tables, repos, and dual-engine tests (#27) (b47dda0)
    • sidebar redesign per design package (79758dc)
    • page-level edit toggle on Profile (754046d)
    • add profile.edit.* keys for page-level edit toggle (895c6fc)
    • projects screen — list, create, edit, delete (#26) (f701111)
    • projects screen catalog (#26) (0c610d6)
    • projects hooks + regenerated typed client (#26) (940eba2)
    • /api/projects CRUD + zod DTOs + openapi (#26) (73ef109)
    • projects table + repository (#26) (9217c16)

    Other

    • Merge pull request 'feat(api+client): people feature with relatives, met-through, organizations, and notes (#27)' (#268) from 27-people-feature into main (837c9e9)
    • Merge pull request 'feat(client): sidebar redesign per design package' (#267) from sidebar-design-refresh into main (20452bc)
    • Merge pull request 'feat(client): page-level edit toggle on Profile (per design package)' (#266) from profile-page-level-edit into main (4f197af)
    • Merge pull request 'feat(api+client): projects feature (#26)' (#265) from 26-projects-feature into main (e8ebebf)
    • Merge pull request 'fix(i18n): convert plural templates from ICU to i18next native format' (#264) from fix-plural-templates into main (574b4d2)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:7f3cf72c8d0b54481961844805fa23f360121b93a0fd32b45d0f1acf96dac5b5
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:7f3cf72c8d0b54481961844805fa23f360121b93a0fd32b45d0f1acf96dac5b5
    
  • v0.0.1-rc.10 951bc511e8

    Carol v0.0.1-rc.10
    Some checks failed
    Secrets / gitleaks (push) Successful in 12s
    Release / Build, sign, and publish (push) Successful in 2m16s
    Release (Android) / Build, sign, attach (push) Failing after 4m27s
    Release (Flatpak) / Build and attach .flatpak (push) Failing after 5m6s
    Pre-release

    james released this 2026-06-23 20:40:35 +00:00 | 161 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.10 — 2026-06-23

    Bug fixes

    • switch Avatar to expo-image so source.headers reach the network (#256) (9869485)
    • use expo-file-system File for native picture upload (#253, fifth attempt) (d1705d7)
    • bypass URL rewriter for picture upload (#253, fourth attempt) (b9e3989)
    • strip wrong Content-Type on multipart so RN regenerates it (b71fbe8)
    • detect FormData via RN polyfill private field, not just Content-Type (d17bd65)
    • include oauth_inits in postgres teardown table list (4151e9c)
    • profile picture upload + display on android (#253, #256) — second pass (7c4fde0)
    • wire Enter-to-submit across form-bearing screens (#255) (2500c7a)
    • keyboard-aware scroll across form-bearing screens (#254) (3a3d3cc)
    • profile picture renders on android (#256) (9832f11)
    • profile picture upload works on android (#253) (60413aa)
    • drop literal tags from empty-state strings (fb82042)
    • configure i18next for single-brace {var} interpolation (4ca1356)
    • domain routes accept bearer tokens, not just session (4246d17)
    • give the sidebar shell flex: 1 so the nav list renders (ceb6780)
    • respect the status-bar inset in the mobile header (7c4c969)
    • /api/auth/me accepts bearer tokens, not session-only (a813f2a)
    • invalidate useMe cache after login (f7b33be)
    • iterate Headers explicitly when rewriting Request (69bb01e)
    • middlewares return undefined when not modifying (827ef5b)
    • explicitly copy request body in the off-origin rewriter (74c70c9)
    • rewrite relative URLs in the off-origin rewriter (745e3b1)
    • pin react-native to 0.85.3 via pnpm.overrides (f85521e)
    • pin react + react-dom to 19.2.3 via pnpm.overrides (ab2ed62)
    • loosen react pin so the bundle ships one copy (7546fd7)
    • make SPA catch-all optional so / serves index.html (#185) (bc045c0)
    • unwrap cursor pagination envelope on flat-list hooks (#184) (b9e72f6)
    • drop access_tokens + refresh_tokens before users in CI teardown (#180) (5d2e64a)
    • space note creates so cursor pagination is deterministic (#178) (c3b413c)
    • lazy-load openapi registry inside GET handler (#178) (db0ab48)
    • add tsx>esbuild to lavamoat.allowScripts as disabled (#178) (500c50a)
    • restore nested next-intl/@swc/helpers@0.5.23 in package-lock.json (#178) (31ec66b)
    • form inputs overflow their container on every screen (#24 follow-up) (2be45c9)

    Build / tooling

    • bundle the Expo Web client into the API image (#186) (54094bb)

    Chores

    • strip diagnostics from picture upload + display path (6521f57)
    • log Avatar source + load events to diagnose blank picture (dbd0fa1)
    • introspect FormData ctor + parts to diagnose native send (acb9e87)
    • log picker asset shape to diagnose FormDataPart error (16f9e35)
    • bump rewriter diagnostic from console.log to console.warn (8639d29)
    • instrument rewriter + upload catch to diagnose Android FormData path (9a54364)
    • teach package-age check to walk pnpm-lock.yaml (#213) (27a8bea)
    • ignore CVE-2026-12151 in Next.js bundled undici (0c8fedb)
    • add lucide-react-native + nav icons (#210) (3121888)
    • drop UI deps, prune public-route allowlist, refresh docs (#185) (f01f0fd)
    • drop next-intl request config and tanstack query client (#185) (93ea8a0)
    • delete root layout, providers, and PWA service worker (#185) (d9961e8)
    • delete pwa screens, components, and themes (#185) (b92ee95)
    • catalog keys for slice 2 screens (#184) (2382bfe)
    • add en keys for profile/skills/experience client screens (#184) (c629bfa)
    • bump vitest 2 → 4 + force vite 8 to clear OSV findings (#199) (0ebe643)
    • scaffold @carol/client — Expo SDK 56 + Router + RN Web (#183) (f752a5e)
    • scaffold @carol/api-client — package.json, tsconfig, vitest, eslint (#182) (d147811)
    • restructure into pnpm workspaces — apps/api + placeholders (#181) (6f626f5)
    • commit initial openapi.json (#178) (0182366)

    Documentation

    • note /api/contracts in the paginated-endpoints list (f0c3174)
    • fix the Expo Go recipe — don't pass --android (85ed67d)
    • add CONTRIBUTING.md with local dev + build recipes (f73958c)
    • refresh pagination section for #191 newly-paginated endpoints (d868427)
    • wire @carol/api-client into CI + conventions doc + CLAUDE.md (#182) (723c47b)
    • note bearer auth in CLAUDE.md, add ACCESS/REFRESH_TOKEN_TTL_SECONDS to README (#180) (665a2e9)
    • name the PWA bundle as a release artifact in idea.md (#177) (a4a4bb0)
    • adopt ADR-0027 for frontend/backend split (#177) (0de0ec9)

    Features

    • link-session token for native OAuth linking (#245) (be40c6f)
    • native clipboard via expo-clipboard (#218) (55fc1fc)
    • contracts tab in the experience screen (e14fdcd)
    • contracts catalog strings + contract_has_position key (6170cbb)
    • contracts hooks + shared cache invalidation (6b87f06)
    • contracts routes + DTOs + one-position invariant (3a0f86f)
    • jobs.is_contract column + contract-aware repository (563609a)
    • OAuth callback → bearer token handoff for native (#215) (08f177d)
    • profile picture upload via expo-image-picker (#217) (78f654e)
    • zod schema error messages → i18n catalog keys (#212) (5fc6bcb)
    • linked-identities panel on the account screen (#216) (32d0057)
    • show + change the configured server URL from the login screen (#235) (1da0a58)
    • forgejo workflow for flatpak release (#188) (4b19659)
    • flatpak manifest + desktop entry + icons (#188) (5ec858a)
    • tauri shell wraps the expo web bundle (#188) (5f67abf)
    • runtime URL plumbing distinguishes web vs tauri webview (#188) (85e37ec)
    • public-route allowlist for new SW + manifest paths (#208) (efdbfef)
    • service worker with precache + offline shell (#208) (f4d02cc)
    • expo web manifest + icons (#208) (4eb09d6)
    • tighter active-route + brand styling (#210) (8666916)
    • native drawer + mobile hamburger (#210) (22181ad)
    • theme + locale switchers in the sidebar footer (#210) (9c3ac74)
    • collapse + expand sidebar with persistence (#210) (ccab92d)
    • forgejo workflow for signed android release (#187) (0d407f3)
    • android build wiring (prebuild + signing config) (#187) (9a7bbd2)
    • runtime API URL settings + secure storage (#187) (cbf6819)
    • sidebar nav shell on the (app) layout (a6f543c)
    • port projects, applications, chat as placeholders (#184) (73da311)
    • add education section to experience screen (#184) (06b416b)
    • port network placeholder to expo router (#184) (15afc2a)
    • port account screen to expo router (#184) (9b426bd)
    • catch-all to serve the Expo Web bundle (#186) (fdb2982)
    • cursor pagination on /api/account/tokens (#191) (eac0a8e)
    • cursor pagination on /api/profile/contacts (#191) (24fa7f7)
    • cursor pagination on /api/educations (#191) (27e9a88)
    • adopt sort/filter on /api/notes (#192) (ea37116)
    • parseFilter helper (#192) (5616c38)
    • parseSort helper (#192) (d57ff40)
    • port experience (jobs) screen to expo router (#184) (ae699bf)
    • port skills screen to expo router (#184) (231f5c5)
    • port profile screen to expo router (#184) (ce9853f)
    • theme + i18n + auth glue + Notes reference + CI gates (#183) (1c32b55)
    • POST /api/auth/token + /api/auth/refresh, OpenAPI registration, tests (#180) (9a27217)
    • mint + verify access tokens, refresh-rotation w/ reuse detection (#180) (c96b512)
    • access + refresh token tables w/ family_id for reuse detection (#180) (b5273bc)
    • generate OpenAPI 3.1 spec from zod + CI drift gate (#178) (b62db24)
    • cursor pagination on /api/notes + conventions doc (#179) (b596155)
    • migrate user + settings DTOs to zod (#179) (f1c84b2)
    • adopt RFC 7807 Problem Details across all routes (#179) (168a2b0)
    • jobs, positions, contributions — three-tier career history (#24) (570f73f)

    Other

    • Merge pull request 'fix(client): profile picture upload + display on android (#253, #256)' (#263) from fix-formdata-detection into main (951bc51)
    • Merge pull request 'feat(api+client): link-session token for native OAuth linking (#245)' (#262) from 245-native-oauth-link-session into main (0b350ac)
    • Merge pull request 'fix(test): include oauth_inits in postgres teardown table list' (#261) from fix-postgres-tests-oauth-inits into main (1d3207a)
    • Merge pull request 'fix(client): profile picture upload + display on android (#253, #256) — second pass' (#260) from 253-256-android-profile-picture-2 into main (25df282)
    • Merge pull request 'fix(client): keyboard-aware scroll + Enter-to-submit on forms (#254, #255)' (#258) from 254-255-keyboard-form-ux into main (dd5adea)
    • Merge pull request 'fix(client): profile picture upload + display on android (#253, #256)' (#257) from 253-android-profile-picture into main (052daf3)
    • Merge pull request 'feat(client): native clipboard via expo-clipboard (#218)' (#247) from 218-native-clipboard into main (b479d9c)
    • Merge pull request 'fix(i18n): drop literal tags from empty-state strings' (#252) from 251-em-tags into main (a458673)
    • Merge pull request 'feat(api+client): contracts feature (#25)' (#250) from 25-contracts into main (e20a9e8)
    • Merge pull request 'feat(api+client): OAuth callback → bearer token handoff for native (#215)' (#249) from 215-oauth-native-bearer into main (55f24fb)
    • Merge pull request 'feat(client): profile picture upload via expo-image-picker (#217)' (#248) from 217-profile-picture-upload into main (2f06806)
    • Merge pull request 'feat(api): zod schema error messages → i18n catalog keys (#212)' (#246) from 212-zod-i18n into main (38e5459)
    • Merge pull request 'feat(api+client): linked-identities panel on the account screen (#216)' (#244) from 216-linked-identities-panel into main (d525373)
    • Merge pull request 'chore(ci): teach package-age check to walk pnpm-lock.yaml (#213)' (#242) from 213-pnpm-lock-package-ages into main (425d9cb)
    • Merge pull request 'chore(security): ignore CVE-2026-12151 in Next.js bundled undici' (#240) from trivyignore-next-undici into main (542dfd6)
    • Merge pull request 'feat(client): show + change the configured server URL from the login screen (#235)' (#238) from 235-login-server-url into main (55277f7)
    • Merge pull request 'fix(deps): pin react-native to 0.85.3 via pnpm.overrides' (#232) from fix-rn-dedupe into main (729f10c)
    • Merge pull request 'docs: add CONTRIBUTING.md with local dev + build recipes' (#231) from contributing-md into main (0ee4841)
    • Merge pull request 'feat(client): linux flatpak via tauri shell (#188)' (#222) from 188-linux-flatpak into main (e75e5aa)
    • Merge pull request 'feat(client): restore PWA install + offline shell via Expo (#208)' (#223) from 208-pwa-install-offline into main (270d9ff)
    • Merge pull request 'feat(client): nav shell — icons, collapse, switchers, native drawer (#210)' (#211) from 210-nav-shell-features into main (af8da7a)
    • Merge pull request 'feat(client): signed Android APK build with runtime API URL (#187)' (#207) from 187-android-build into main (5a47d9f)
    • Merge pull request 'chore(api): decommission Next.js UI (#185)' (#209) from 185-decommission-nextjs-ui into main (983dd57)
    • Merge pull request 'feat(client): port projects, applications, chat as placeholders (#184)' (#206) from 184-projects-applications-chat into main (efb63f7)
    • Merge pull request 'feat(client): port account, network, education screens (#184)' (#205) from 184-people-account-slice into main (bb3851d)
    • Merge pull request 'feat: single-container deployment — API serves the Expo Web bundle (#186)' (#204) from 186-single-container-deployment into main (c6de397)
    • Merge pull request 'feat(api): cursor pagination on remaining flat lists (#191)' (#203) from 191-pagination-remaining-lists into main (ae02f45)
    • Merge pull request 'feat(api): parseSort + parseFilter query helpers (#192)' (#202) from 192-sort-filter-helpers into main (f3ecfd2)
    • Merge pull request 'feat(client): port profile/skills/experience screens (#184)' (#201) from 184-career-core-screens into main (9cd4f7d)
    • Merge pull request 'chore(deps): bump vitest 2 → 4 + force vite 8 to clear OSV findings (#199)' (#200) from 199-bump-vitest-vite into main (f2320c6)
    • Merge pull request 'feat(client): scaffold @carol/client — Expo Router + RN Web (#183)' (#198) from 183-expo-client-scaffolding into main (8527d2a)
    • Merge pull request 'feat(api-client): generated typed client + TanStack Query hooks (#182)' (#197) from 182-generated-api-client into main (ecf7f8c)
    • Merge pull request 'chore: restructure into pnpm workspaces — apps/api + placeholders (#181)' (#195) from 181-workspace-restructure into main (511fc71)
    • Merge pull request 'feat(api): token-based auth — bearer + refresh (#180)' (#194) from 180-token-auth into main (2851492)
    • Merge pull request 'feat(api): OpenAPI 3.1 spec generation + /api/openapi.json + CI drift gate (#178)' (#193) from 178-openapi-spec-generation into main (54b936f)
    • Merge pull request 'feat(api): contract hardening — Problem Details, zod, pagination (#179)' (#190) from 179-api-contract-hardening into main (826e340)
    • Merge pull request 'docs(adr): adopt ADR-0027 for frontend/backend split (#177)' (#189) from 177-adr-frontend-backend-split into main (062daea)
    • Merge pull request 'feat(service+pwa): jobs, positions, contributions — three-tier career history (#24)' (#175) from 24-jobs-positions-contributions into main (c2f3834)
    • Merge pull request 'refactor(pwa): add semantic colour tokens + migrate primitives off inlined hex (#149)' (#174) from 149-semantic-color-tokens into main (20e7302)

    Performance

    • cache the access token in memory (a5930f8)

    Refactor

    • add semantic colour tokens + migrate primitives off inlined hex (#149) (62e8b2b)

    Tests

    • wipe jobs/positions/contributions between Postgres runs (#24 follow-up) (ed5b9e7)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:f5cc22626146df70ae94061ff19e36a55060d75d7164bd43d38c9ade925e461b
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:f5cc22626146df70ae94061ff19e36a55060d75d7164bd43d38c9ade925e461b
    
  • v0.0.1-rc.9 3eaa296527

    Carol v0.0.1-rc.9
    All checks were successful
    Secrets / gitleaks (push) Successful in 15s
    Release / Build, sign, and publish (push) Successful in 1m37s
    Pre-release

    james released this 2026-06-20 04:09:19 +00:00 | 315 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.9 — 2026-06-20

    Bug fixes

    • wire favicon + apple-touch-icon to existing /icon assets (521b34c)
    • give the page lede breathing room from the h1 (#141) (edd63a4)
    • disable Renovate grouping; one PR per dep (#127) (93d98b2)
    • update npm production deps to ^0.17.0 (73204f5)

    Build / tooling

    • pin local + CI tool versions in .tool-versions (#157) (ccfdde2)
    • regenerate lockfile under npm 10 to add @swc/helpers peer dep (1aec334)

    CI

    • flag <30d-old packages introduced by a PR (#136) (ce97680)

    Chores

    • update sigstore/cosign-installer action to v3.10.1 (0af2c12)
    • update actions/checkout digest to df4cb1c (aa40645)
    • update docker/login-action digest to c94ce9f (ff0f9fd)
    • update docker/dockerfile docker tag to v1.24 (b2ce901)
    • update dockerfile base images to v24 (ac69d61)

    Documentation

    • adopt Carol's voice in user-facing copy (#145) (8ab67c5)
    • compact CLAUDE.md by offloading restated detail (#151) (e741d1e)
    • document APP_URL requirement for reverse-proxied deployments (#99) (8c336e7)
    • self-hoster setup + env-var reference; CLAUDE.md convention to keep it current (#114) (e074562)

    Features

    • rebuild /experience with subnav + view/edit toggle (#144) (e4b1068)
    • rebuild /skills against DS primitives + view/edit toggle (#143) (82be92b)
    • rebuild /profile against DS primitives + view/edit toggle (#142) (724f3a7)
    • rebuild /account/tokens against DS primitives + tokens (#141) (f40f12b)
    • rebuild /account against DS primitives + tokens (#141) (ae69bb0)
    • collapsable sidebar with narrow-viewport drawer (#162) (7c56d3b)
    • replace top-nav with left sidebar app shell (#140) (66a6159)
    • adopt next-intl + migrate every visible string (#146) (c40623a)
    • in-tree component primitives + /dev/components showcase (#139) (e729a7d)
    • adopt Carol DS token surface with --color-* bridge (#138) (da2c7b8)
    • Personal Access Tokens — agent-runtime authentication (#49) (be3710c)
    • Education feature — per-user education history (#23) (fda4a04)
    • Skills feature — user-orderable sections + nested skills (f71a259)

    Other

    • Merge pull request 'docs(pwa): adopt Carol's voice in user-facing copy (#145)' (#173) from 145-voice-rewrite into main (3eaa296)
    • Merge pull request 'feat(pwa): rebuild /experience with subnav + view/edit toggle (#144)' (#172) from 144-experience-ds-rebuild into main (1ebc4aa)
    • Merge pull request 'feat(pwa): rebuild /skills against DS primitives + view/edit toggle (#143)' (#170) from 143-skills-ds-rebuild into main (d24a0f9)
    • Merge pull request 'fix(pwa): wire favicon + apple-touch-icon to existing /icon assets' (#171) from chore-favicon-metadata into main (0f6e3ce)
    • Merge pull request 'feat(pwa): rebuild /profile against DS primitives + view/edit toggle (#142)' (#169) from 142-profile-ds-rebuild into main (ea6f724)
    • Merge pull request 'feat(pwa): rebuild /account against DS primitives + tokens (#141)' (#167) from 141-account-ds-rebuild into main (b7dfc87)
    • Merge pull request 'feat(pwa): collapsable sidebar + narrow-viewport drawer (#162)' (#166) from 162-sidebar-collapse into main (fca6d75)
    • Merge pull request 'feat(pwa): replace top-nav with left sidebar app shell (#140)' (#161) from 140-app-shell-sidebar into main (f7aed4d)
    • Merge pull request 'chore(deps): update sigstore/cosign-installer action to v3.10.1' (#159) from renovate-sigstore-cosign-installer-3.x into main (eae5b94)
    • Merge pull request 'chore(deps): update actions/checkout digest to df4cb1c' (#154) from renovate-actions-checkout-digest into main (238742e)
    • Merge pull request 'chore(deps): update docker/login-action digest to c94ce9f' (#155) from renovate-docker-login-action-digest into main (4ca8e8c)
    • Merge pull request 'chore(deps): update docker/dockerfile docker tag to v1.24' (#156) from renovate-docker-dockerfile-1.x into main (6c0996d)
    • Merge pull request 'build: pin local + CI tool versions in .tool-versions (#157)' (#158) from 157-pin-tool-versions into main (05f24c2)
    • Merge pull request 'feat(i18n): adopt next-intl + migrate every visible string (#146)' (#153) from 146-i18n into main (8c96b92)
    • Merge pull request 'docs: compact CLAUDE.md by offloading restated detail (#151)' (#152) from 151-compact-claudemd into main (f1d1919)
    • Merge pull request 'feat(ui): in-tree component primitives + /dev/components showcase (#139)' (#148) from 139-ui-primitives into main (17437cd)
    • Merge pull request 'feat(themes): adopt Carol DS token surface with --color-* bridge (#138)' (#147) from 138-ds-tokens into main (d109c8b)
    • Merge pull request 'ci(security): flag <30d-old packages introduced by a PR (#136)' (#137) from 136-package-age-check into main (7cb066f)
    • Merge pull request 'feat(auth): Personal Access Tokens — agent-runtime authentication (#49)' (#135) from 49-personal-access-tokens into main (f323e17)
    • Merge pull request 'fix(ci): disable Renovate grouping; one PR per dep (#127)' (#130) from 126-renovate-no-grouping into main (1817228)
    • Merge pull request 'feat: Education feature — per-user education history (#23)' (#128) from 23-education into main (c88bf0c)
    • Merge pull request 'feat: Skills feature — user-orderable sections + nested skills (#22)' (#126) from 22-skills into main (06be170)
    • Merge pull request 'chore(deps): update dockerfile base images (major)' (#122) from renovate-major-dockerfile-base-images into main (a9eaa8f)
    • Merge pull request 'docs(auth): document APP_URL requirement for reverse-proxied deployments (#99)' (#125) from 99-app-url-docs into main (fc501f0)
    • Merge pull request 'fix(deps): update npm production deps to ^0.17.0' (#121) from renovate-npm-production-deps into main (751310d)
    • Merge pull request 'docs(readme): self-hoster setup + env-var reference; CLAUDE.md convention to keep it current (#114)' (#118) from 114-readme-config into main (276ee6a)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:37c359579ef30693a2fa23d30ece5116b7b26c22d98401b902927593a745e564
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:37c359579ef30693a2fa23d30ece5116b7b26c22d98401b902927593a745e564
    
  • v0.0.1-rc.8 bcf1f92808

    Carol v0.0.1-rc.8
    All checks were successful
    Secrets / gitleaks (push) Successful in 11s
    Release / Build, sign, and publish (push) Successful in 25s
    Pre-release

    james released this 2026-06-18 14:20:46 +00:00 | 370 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.8 — 2026-06-18

    Features

    • per-instance opt-out for the email_verified strict check (a8167cc)

    Other

    • Merge pull request 'feat(auth): per-instance opt-out for the email_verified strict check (#115)' (#117) from 115-oidc-email-verified-optional into main (bcf1f92)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:6d2b01d694c0be175d62a7bfbc668b5419c06fabf5c3a7353f2b5ac0e0e3db57
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:6d2b01d694c0be175d62a7bfbc668b5419c06fabf5c3a7353f2b5ac0e0e3db57
    
  • v0.0.1-rc.7 dd99a7faa3

    Carol v0.0.1-rc.7
    All checks were successful
    Secrets / gitleaks (push) Successful in 10s
    Release / Build, sign, and publish (push) Successful in 21s
    Pre-release

    james released this 2026-06-18 13:49:03 +00:00 | 372 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.7 — 2026-06-18

    Bug fixes

    • use execFileSync for git diff in coverage script (92e4c55)
    • drop per-rule rangeStrategy from npm-majors packageRule (#94) (7c601e6)
    • route scanner-comment API calls via internal Forgejo URL (#104) (ac39bcb)
    • post-callback redirect honors APP_URL (reverse-proxy) (c3777b9)

    CI

    • coverage report with soft targets as sticky PR comment (f02519a)
    • add workflow_dispatch workflow for ad-hoc feature-branch images (#108) (6352947)

    Features

    • name, contact details, picture, title statement, brief (#21) (052393a)
    • OIDC userinfo fallback for email / email_verified (a694e94)

    Other

    • Merge pull request 'ci(test): coverage report with soft targets as sticky PR comment (#110)' (#111) from 110-ci-coverage into main (dd99a7f)
    • Merge pull request 'fix(ci): drop per-rule rangeStrategy from npm-majors packageRule (#94)' (#112) from 94-renovate-config-fix into main (ceb8282)
    • Merge pull request 'feat(profile): name, contact details, picture, title statement, brief (#21)' (#113) from 21-profile into main (de86751)
    • Merge pull request 'ci(build): add workflow_dispatch workflow for ad-hoc feature-branch images (#108)' (#109) from 108-feature-branch-image-workflow into main (ae98e91)
    • Merge pull request 'fix(ci): route scanner-comment API calls via internal Forgejo URL (#104)' (#107) from 99-forgejo-api-url-override into main (b19de99)
    • Merge pull request 'feat(auth): OIDC userinfo fallback for email / email_verified (#105)' (#106) from 105-oidc-userinfo-fallback into main (4de8b7c)
    • Merge pull request 'fix(auth): post-callback redirect honors APP_URL (reverse-proxy) (#102)' (#103) from 102-redirect-honor-app-url into main (5afe834)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:716a7334db60b1292a475238db30b45aee926cab9ee8fc3a3306fa6e354be00e
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:716a7334db60b1292a475238db30b45aee926cab9ee8fc3a3306fa6e354be00e
    
  • v0.0.1-rc.6 73ddb10ed5

    Carol v0.0.1-rc.6
    All checks were successful
    Secrets / gitleaks (push) Successful in 15s
    Release / Build, sign, and publish (push) Successful in 1m36s
    Pre-release

    james released this 2026-06-18 03:51:27 +00:00 | 387 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.6 — 2026-06-18

    Features

    • surface OIDC callback errors with distinct codes + log cause (6fd6509)

    Other

    • Merge pull request 'feat(auth): surface OIDC callback errors with distinct codes + log cause (#100)' (#101) from 100-oauth-callback-diagnostics into main (73ddb10)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:61a8f71badb030717e690d038c0291feb9af0bdc7bdde1c33198f2426c58ceed
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:61a8f71badb030717e690d038c0291feb9af0bdc7bdde1c33198f2426c58ceed
    
  • v0.0.1-rc.5 fbcd7051c0

    Carol v0.0.1-rc.5
    All checks were successful
    Secrets / gitleaks (push) Successful in 13s
    Release / Build, sign, and publish (push) Successful in 38s
    Pre-release

    james released this 2026-06-18 03:20:52 +00:00 | 389 commits to main since this release

    Signed by james
    SSH key fingerprint: SHA256:vAv/s1UqS+brNCXATCv/JPKIc/j94WCgmQAszXM+m8s

    0.0.1-rc.5 — 2026-06-18

    Features

    • generic OIDC provider with discovery + per-endpoint overrides (72a5af9)

    Other

    • Merge pull request 'feat(auth): generic OIDC provider with discovery + per-endpoint overrides (#85)' (#96) from 85-oidc into main (fbcd705)
    • Merge pull request 'ci(security): post scanner findings as sticky PR comments (#68)' (#95) from 68-sticky-scanner-comments into main (dd2f321)

    Verifying the image

    cosign verify \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:2cde81b89e65aa2f5f6c1f0dd3a173ee1ef8fef0a5bfe132b66b546e8f575730
    
    cosign verify-attestation \
      --type slsaprovenance1 \
      --key https://forge.wynning.tech/james/carol/raw/branch/main/cosign.pub \
      forge.wynning.tech/james/carol@sha256:2cde81b89e65aa2f5f6c1f0dd3a173ee1ef8fef0a5bfe132b66b546e8f575730
    