Merge pull request #9 from flyingrobots/release/v0.2.0

Release v0.2.0

Author: flyingrobots

AGENTS.md

@@ -112,6 +112,21 @@ Tasks are now tracked under docs/tasks/. See:
 - README refresh:
   - Added “GitHub Hosting” links, Environment Reference, Quick copy/paste commands, JSON-only `show` examples.
 
+### Daily Log – 2025-09-26
+
+- MVP docs + release
+  - Full features docs sweep; added docs/features/command-reference.md.
+  - test/README.md aligned with snapshot runner, timeouts, local sandbox.
+  - Tasks MoC generator (scripts/update-task-moc.sh) and populated docs/tasks/README.md; kept progress bars updated (scripts/update-task-progress.sh UTF‑8 fix).
+  - Opened and merged MVP PR (feat/github → main); tagged and pushed v0.1.0-mvp.
+- CI/CD signing
+  - Fixed shiplog-sign workflow to bind to the selected environment and read CI_SSH_PUBLIC_KEY from environment variables (vars.*) instead of env.*.
+- CLI improvements
+  - git shiplog write: new flags (--service/--reason/--status/--ticket/--region/--cluster/--namespace/--image/--tag/--run-url, --env), non-Bosun prompt fallbacks.
+  - Signing robustness: fixed unbound array expansion in sign_commit under set -u.
+- README
+  - Linked Command Reference; kept Overall bar mirrored from docs/tasks.
+
 ### Daily Log – 2025-09-24
 
 - Fixed Bosun non-TTY input hang: scripts/bosun now properly handles empty stdin in non-interactive environments by implementing timeout-based input detection (resolves issue where CI pipelines would hang indefinitely).
@@ -135,4 +150,4 @@ For the current backlog, active work, and completed items, see:
 - docs/tasks/active/
 - docs/tasks/complete/
 
-Progress bars are now maintained in `docs/tasks/README.md` (and mirrored into the root README) by `scripts/update-task-progress.sh`.
+Progress bars are now maintained in `docs/tasks/README.md` (and mirrored into the root README) by `scripts/update-task-progress.sh`.

CHANGELOG.md

@@ -0,0 +1,13 @@
+# Changelog
+
+## [0.2.0] – 2025-09-30
+**Codename:** The Cut of Your Jib
+
+- Added `git shiplog run` to wrap commands, capture logs, and record structured run metadata.
+- Added `git shiplog append` for non-interactive entries via `--json` / `--json-file` (stdin supported).
+- Added `git shiplog trust show` (table and `--json`) including signer inventory.
+- Documented the structured entry schema (`docs/reference/json-schema.md`).
+- Defaulted the namespace to the journal name when `SHIPLOG_NAMESPACE` is unset.
+
+## [0.1.0] – 2025-09-26
+- Initial tagged release.

README.md

@@ -1,10 +1,29 @@
 # SHIPLOG • 🚢🪵
-> _Git-native deployment ledger. Every release event is a signed commit for a tamper-evident, immutable audit trail, no new infra._
 
 <p align="center">
 <img src="https://repository-images.githubusercontent.com/1060619650/5194fe70-a78c-4c2d-85d9-b43e8beb8717" width="600" />
 </p>
 
+## TL;DR Shiplog: Your Git Repo is an Ops Flight Recorder
+
+### Your Deployment History Should Live in Git
+
+**Shiplog**: your deployment history should live in the same repo as your code. No external services. No API keys. No monthly bills. Just git, doing what it does best: preserving history with cryptographic integrity.
+
+### Git: An Immutable, Distributed Journal
+
+***Git is a data structure.*** It can do way more than just source control. Shiplog's uses git to create chains of  commits that hang off of `refs/_shiplog/*` refs, creating an append-only journal. 
+
+### Don't Trust; Verify
+
+Shiplog uses a trust roster that's stored right in git, that restricts who may write to the journal, and uses a "policy by commits that require a quorum to change. that commit authors sign their commits to establish cryptographic provenance of each record, perfect for scenarios where you need immutable, auditable deployment and live-ops histories.
+
+### It's just Git.
+
+And best of all, it's all just git! You can fetch, push, clone, and verify using tools and knowledge you already have. No new software, no extra services. Just git.
+
+---
+
 ## Friday, 3:17 PM
 
 *Bzzzt. Bzzzzzt. Bzzzzzzzzt.*
@@ -103,6 +122,21 @@ Pipe to tools:
 git shiplog export-json | jq .
 ```
 
+Wrap a command and capture its output automatically:
+
+```bash
+git shiplog run --service deploy --reason "Canary" -- env kubectl rollout status deploy/web
+```
+
+Append structured data non-interactively (great for automation):
+
+```bash
+printf '{"checks": {"canary": "green"}}' | \
+  git shiplog append --env prod --region us-west-2 --cluster prod-a \
+    --namespace frontend --service deploy --status success \
+    --reason "post-release smoke" --json -
+```
+
 ---
 
 ## 🔐 Policy & Security
@@ -135,8 +169,11 @@ Shiplog enforces policy as code, stored in Git itself.
 |---------|---------|
 | `git shiplog init` |	Setup refs & configs |
 | `git shiplog write` |	Record a deployment |
+| `git shiplog append` |	Record a deployment via JSON payload (stdin or file) |
+| `git shiplog run` |	Wrap a command, capture logs, and record result |
 | `git shiplog ls` |	List recent entries |
 | `git shiplog show` |	Show entry details |
+| `git shiplog trust show` |	Display trust roster and signer inventory |
 | `git shiplog verify` |	Verify signatures/allowlist |
 | `git shiplog export-json` |	Export NDJSON for tools |
 

docs/README.md

@@ -3,5 +3,7 @@
 - [Docker & Dev Container Strategy](docker.md)
 - [Trust Bootstrap and Enforcement](TRUST.md)
 - [Feature Guides](features)
+- [Structured Entry Schema](reference/json-schema.md)
+- [Release Notes](releases/v0.2.0.md)
 - [Bosun Helpers](bosun)
 - [Plugin Hooks](plugins.md)

docs/features/command-reference.md

@@ -30,6 +30,20 @@ A concise, code-sourced reference for Shiplog commands, flags, and examples. Glo
   - Env: `SHIPLOG_SERVICE`, `SHIPLOG_STATUS`, `SHIPLOG_REASON`, `SHIPLOG_TICKET`, `SHIPLOG_REGION`, `SHIPLOG_CLUSTER`, `SHIPLOG_NAMESPACE`, `SHIPLOG_IMAGE`, `SHIPLOG_TAG`, `SHIPLOG_RUN_URL`, `SHIPLOG_LOG`, `SHIPLOG_AUTO_PUSH`.
   - Effects: honors allowlists/signing per policy; pushes journal (+notes) to origin unless disabled.
 
+- `append [OPTIONS]`
+  - Purpose: append a new entry non-interactively by supplying a JSON payload via CLI, stdin, or file.
+  - Usage: `printf '{"deployment":"green"}' | git shiplog append --service deploy --status success --json -`
+  - Flags: mirrors `write` (`--service`, `--status`, `--reason`, `--ticket`, `--region`, `--cluster`, `--namespace`, `--image`, `--tag`, `--run-url`, `--log`, `--env`).
+  - Notes: sets `SHIPLOG_EXTRA_JSON` automatically with the provided object and runs `write` in boring/auto-confirm mode.
+
+- `run [OPTIONS] -- <command ...>`
+  - Purpose: wrap a shell command, tee its output (when interactive), and append a Shiplog entry describing the run.
+  - Usage:
+    - Success case: `git shiplog run --service deploy --reason "Smoke test" -- env printf hi`
+    - Failure case: `git shiplog run --service deploy --status-failure failed -- false`
+  - Flags: `--service`, `--reason`, `--status-success`, `--status-failure`, `--ticket`, `--region`, `--cluster`, `--namespace`, `--env`.
+  - Notes: captures stdout/stderr to a temporary log that is attached as a git note (skipped if empty) and merges `{run:{...}}` into the JSON trailer via `SHIPLOG_EXTRA_JSON`. See `docs/reference/json-schema.md` for the structured payload.
+
 - `ls [ENV] [LIMIT]`
   - Purpose: list recent entries.
   - Usage: `git shiplog ls prod 20`
@@ -71,6 +85,12 @@ A concise, code-sourced reference for Shiplog commands, flags, and examples. Glo
   - Purpose: sync allowed signers from a trust ref to a local file.
   - Usage: `git shiplog trust sync refs/_shiplog/trust/root .shiplog/allowed_signers`
 
+- `trust show [REF] [--json]`
+  - Purpose: display trust metadata (ID, threshold, maintainer roster, signer list and count).
+  - Usage:
+    - Human readable: `git shiplog trust show`
+    - JSON: `git shiplog trust show --json`
+
 - `refs root show|set`
   - Purpose: view or set the Shiplog ref root.
   - Usage:
@@ -91,4 +111,3 @@ A concise, code-sourced reference for Shiplog commands, flags, and examples. Glo
 - Features docs: init, write, ls, show, export-json, validate-trailer, verify, policy, setup, notes.
 - Modes and signing policy: `docs/features/modes.md`
 - GitHub hosting and protections: `docs/hosting/github.md`, `docs/runbooks/github-protection.md`
-

docs/features/run.md

@@ -0,0 +1,49 @@
+# Run Command
+
+## Summary
+`git shiplog run` wraps a shell command, captures its stdout/stderr, and records the execution as a Shiplog journal entry. The command output is saved as a git note, and the structured trailer gains a `run` payload describing the invocation.
+
+## Usage
+```bash
+git shiplog run --service deploy --reason "Smoke test" -- env printf hi
+```
+
+- `--service` is required in non-interactive mode (and highly recommended in general).
+- Place the command to execute after `--`. All arguments are preserved and logged.
+- Successful runs inherit `--status-success` (default `success`); failures use `--status-failure` (default `failed`).
+
+## Behavior
+- Captures stdout/stderr to a temporary file. When not in boring mode, output is also streamed to your terminal via `tee`.
+- Sets `SHIPLOG_BORING=1` and `SHIPLOG_ASSUME_YES=1` while calling `git shiplog write` so no prompts fire.
+- Populates `SHIPLOG_EXTRA_JSON` with:
+  ```json
+  {
+    "run": {
+      "argv": ["env", "printf", "hi"],
+      "cmd": "env printf hi",
+      "exit_code": 0,
+      "status": "success",
+      "duration_s": 1,
+      "started_at": "2025-09-30T00:00:00Z",
+      "finished_at": "2025-09-30T00:00:01Z",
+      "log_attached": true
+    }
+  }
+  ```
+- Attaches the captured log as a git note under `refs/_shiplog/notes/logs` when the entry is written successfully.
+- Returns the wrapped command’s exit code so it can be chained in scripts or CI pipelines.
+
+## Options
+- `--env <name>` — Target journal environment (defaults to `SHIPLOG_ENV` or `prod`).
+- `--service <name>` — Service/component; required when prompts are disabled.
+- `--reason <text>` — Optional free-form description.
+- `--status-success <status>` — Status recorded when the command exits 0. Default `success`.
+- `--status-failure <status>` — Status recorded when the command fails. Default `failed`.
+- `--ticket <id>`, `--region <r>`, `--cluster <c>`, `--namespace <ns>` — Override standard write metadata.
+- When there is no output, log attachment is skipped and `log_attached=false` is recorded in the trailer.
+
+## See Also
+- `docs/features/write.md`
+- `docs/reference/env.md`
+- `docs/notes/codex-feedback-on-shiplog.md`
+- `docs/reference/json-schema.md`

docs/features/write.md

@@ -18,6 +18,7 @@ SHIPLOG_BORING=1 git shiplog --yes write prod --service release --reason "MVP re
 ## Behavior
 - Validates the author against the resolved allowlist and performs a signing precheck when signatures are required.
 - Prompts for service, status, change details, and artifact information. You can prefill or bypass prompts with flags (`--service`, `--reason`, etc.) or environment variables listed below.
+- Defaults the namespace to the journal environment when left blank (e.g., `prod`).
 - Generates both a human-readable header and a JSON trailer; optionally attaches NDJSON logs via `SHIPLOG_LOG`.
 - Accepts `--yes` to skip confirmation prompts (sets `SHIPLOG_ASSUME_YES=1`).
 - Fast-forwards the journal ref; aborts if the ref is missing or would require a force update.
@@ -51,3 +52,18 @@ SHIPLOG_BORING=1 git shiplog --yes write prod --service release --reason "MVP re
 - `test/02_write_and_ls_show.bats:22`
 - `test/05_verify_authors.bats:9`
 - `test/10_boring_mode.bats:31`
+- `test/17_append_and_trust.bats`
+
+## Programmatic Append
+
+Need to script entries without prompts? Use `git shiplog append`:
+
+```bash
+printf '{"checks": {"canary": "green"}}' | \
+  git shiplog append --service deploy --status success \
+    --reason "Post-release smoke" --json -
+```
+
+- Accepts the same metadata flags as `write` but runs in boring/auto-confirm mode.
+- `--json` (or `--json-file path`) must contain a JSON object; Shiplog merges it into the structured trailer via `SHIPLOG_EXTRA_JSON`.
+- Attach logs with `--log <path>` if desired.

docs/notes/codex-feedback-on-shiplog.md

@@ -0,0 +1,90 @@
+# Shiplog DX Notes — September 2025
+
+I took Shiplog for a (manual) spin today in order to integrate it with the PF3 deploy orchestrator. These are the rough notes I’d want any future maintainer to have — both what felt rock-solid and what I’d polish next.
+
+---
+
+## Overall Impression
+
+Shiplog already feels *production ready* for the git-native audit log niche it targets. The primitives — signed commits under `refs/_shiplog/journal/<env>` with structured trailers — map perfectly onto the “what happened in prod?” question we ask ourselves during incidents. Once trust/bootstrap is in place, `git shiplog write` feels just as natural as `git commit`.
+
+I’d happily depend on it for:
+
+- Deploy receipts (start → step → finish)
+- Maintenance mode toggles (with reasons / reminders)
+- RBAC changes (added admin, revoked key)
+- Trust rotations & secret rotations
+- Ad-hoc scripts with log capture (once `shiplog run` lands)
+
+In other words: if an operator does something that changes prod, Shiplog is the canonical place to record it. That’s exactly what I want from an operational journal.
+
+---
+
+## Things That Felt Great
+
+- **Git-first workflow**: No extra service. Journals are just refs. Easy to mirror, easy to inspect.
+- **Signing/Policy hooks**: Guard rails are strong. Missing trust ref immediately fails with a helpful message. SSH signing plays nicely with modern git.
+- **Structured trailers**: The JSON we get back from `git shiplog show --json` is deliciously parseable. Perfect for piping into dashboards or incident bots.
+- **Trust tooling**: `shiplog-bootstrap-trust.sh` + `shiplog-trust-sync.sh` made the initial setup straightforward. Non-interactive flags mean we can script it.
+- **Docs/AGENTS discipline**: The repo has clearly codified expectations (test in Docker, etc.). Easy to onboard to.
+
+---
+
+## Opportunities / DX Wishlist
+
+### 1. `git shiplog run` (on deck)
+Exactly what we’re about to build: wrap a command, tee stdout/stderr, and attach the log as a note. I’d ship it with:
+- `--service`, `--reason`, `--status-success/failed` overrides.
+- Structured `run` payload: `argv`, `cmd`, `exit_code`, `status`, `duration_s`, `started_at`, `finished_at`.
+- Boring mode by default; interactive tee for humans.
+- Respects `SHIPLOG_NAMESPACE`, `SHIPLOG_TICKET`, etc., so we can categorize maintenance vs deploy vs misc.
+
+### 2. Programmatic API helper
+Either a `git shiplog append --json payload` or a tiny shell helper that sets `SHIPLOG_EXTRA_JSON` and calls `write`. That would keep deploy-orchestrator code simpler.
+
+### 3. Namespace defaults
+`git shiplog ls` shows `Env` as `?` unless `SHIPLOG_NAMESPACE` is set. Defaulting the namespace to the journal name (or providing a `--namespace` flag) would make the table friendlier.
+
+### 4. Trust roster visibility
+A `git shiplog trust show` command that prints threshold and maintainer list would be handy during audits.
+
+### 5. Docs: runbook for operators
+Once `shiplog run` is available, a short runbook (“How to log maintenance mode”, “How to record an incident”, “How to rotate trust”) would accelerate adoption.
+
+---
+
+## Integration Notes (PF3)
+
+For PF3 we intend to:
+- Emit a Shiplog entry when a deploy plan is approved (status=started + plan JSON).
+- Append entries after each step (`status` `in_progress`, `reason` summarizing action, structured run payload).
+- Finish with a `status=success|failed` entry containing maintenance flag, failure reason, etc.
+- Use `shiplog run` for ad-hoc maintenance toggles or recovery scripts so we capture raw command output automatically.
+
+That will replace our ad-hoc JSON journal with a tamper-evident history.
+
+---
+
+## Misc Observations
+
+- **Trust bootstrap** refused to run outside a repo. Nice guard! Perhaps the script could detect this earlier and print “run inside target repo” with the resolved path.
+- **Preview output** always prints (even in `--yes`). I like that, but a `SHIPLOG_NO_PREVIEW=1` toggle might be nice for CI logs.
+- **`SHIPLOG_EXTRA_JSON`** hook was easy to splice in once I noticed trailers are composed in `compose_message`. Reusing `shiplog_json_escape` will keep it tidy when I refactor the helper.
+- **Testing** via `make test` (Docker) was smooth. Love that the AGENTS doc shouts *not* to run tests directly.
+
+---
+
+## Other Potential Use Cases
+
+- **Incident timeline**: `git shiplog run --service incident --reason "Declared SEV-1" -- env true` to mark major steps.
+- **Access review**: Append entries whenever someone is added/removed from Supabase roles or GitHub teams.
+- **Secrets rotation**: Wrap rotation scripts with `shiplog run` so we have an audit trail of the exact CLI output.
+- **Schema migrations**: Each `supabase db push` could be wrapped to capture the migration log.
+- **Build provenance**: If we wanted to record Docker image builds (“built ghcr.io/app@sha…”) we could make `shiplog run` a standard part of the release pipeline.
+
+---
+
+## Closing Thoughts
+
+Shiplog is already delivering on the “black box recorder for ops” promise. The biggest DX win on the horizon is the command wrapper — once we have that, we can eliminate a ton of bespoke logging code across projects. Happy to help keep pushing it forward!
+

docs/reference/env.md

@@ -43,6 +43,7 @@ This is a compact reference for key `SHIPLOG_*` environment variables. Most can
 - `SHIPLOG_REGION`, `SHIPLOG_CLUSTER`, `SHIPLOG_NAMESPACE`
 - `SHIPLOG_IMAGE`, `SHIPLOG_TAG`, `SHIPLOG_RUN_URL`
 - `SHIPLOG_LOG` — Path to NDJSON log to attach as a git note
+- `SHIPLOG_EXTRA_JSON` — *(internal)* Raw JSON object merged into the structured trailer; set automatically by `git shiplog run`/`git shiplog append`. Do not export this manually—provide custom data with `git shiplog append --json '{...}'` or `git shiplog append --json-file payload.json` (these flags populate the internal value for you).
 
 See: docs/features/write.md for full semantics and examples.
 
@@ -69,4 +70,3 @@ See: docs/features/write.md for full semantics and examples.
 - `TEST_TIMEOUT_SECS` — In-container Bats timeout (seconds). Default: `180`.
 - `BATS_FLAGS` — Extra flags for Bats (e.g., `--print-output-on-failure -T`).
 - `SHIPLOG_USE_LOCAL_SANDBOX` — `1` to avoid network clones in tests (default `1`).
-