Primary project checks:
./app.sh --smoke
./app.sh --verify
./app.sh --verify-sandboxExplicit matrix:
go test ./... -count=1
go test -race ./... -count=1
go test ./... -covermode=atomic -coverprofile=coverage.out
go tool cover -func=coverage.out
go test ./internal/... -covermode=atomic -coverprofile=coverage_internal.out
go tool cover -func=coverage_internal.out
GOOS=darwin GOARCH=arm64 go build ./...
GOOS=darwin GOARCH=amd64 go build ./...
GOOS=linux GOARCH=amd64 go build ./...
GOOS=linux GOARCH=arm64 go build ./..../app.sh --verify-sandbox is the release gate.
It runs verification in a temp sandbox with:
HOME=<temp>/homeXDG_CONFIG_HOME=<temp>/xdgCODEX_HOME=<temp>/codexCMA_DISABLE_KEYRING=1
It also compares host metadata before and after the run for:
~/.codex/auth.jsonif present~/.config/cmaif present
Pass criteria:
- full verify matrix passes
- coverage gates remain green
- host metadata is unchanged
Build artifacts with:
./app.sh --releaseExpected outputs:
dist/cma_<version>_darwin_amd64dist/cma_<version>_darwin_arm64dist/cma_<version>_linux_amd64dist/cma_<version>_linux_arm64dist/sha256sums.txt
Pass criteria:
- all four binaries exist
sha256sums.txtexists
Recommended draft-first path:
./app.sh --publish-release --draft --notes-file docs/release-notes.mdIf --notes-file is omitted, app.sh generates a short draft notes file automatically.
Publish checks:
ghis installedgh auth statussucceeds- sandbox verification passes
- release artifacts and checksums exist
- remote tag does not already exist
To publish a reviewed draft release:
gh release edit v$(cat cmd/VERSION) --draft=false- overall coverage:
>= 80% - internal coverage:
>= 80% internal/app >= 85%internal/infra/crypto >= 90%internal/infra/fs >= 85%internal/infra/store >= 80%internal/infra/usage >= 80%internal/tui >= 60%