GOWDKdocs

Engineering

v0.2 Release Checklist

This checklist tracks the completed v0.2 Public Truth and Release Trust work. v0.2 is an experimental 0.x release target, not a production-readiness claim. Future hardening work is tracked through the public GitHub project and GitHub milestones listed below, not through version-number planning buckets.

This checklist tracks the completed v0.2 Public Truth and Release Trust work. v0.2 is an experimental 0.x release target, not a production-readiness claim. Future hardening work is tracked through the public GitHub project and GitHub milestones listed below, not through version-number planning buckets.

Status Rules

  • [x]: current repository docs or observed release metadata support the item.
  • [ ]: not done, not verified, or requires a GitHub-side/manual action.
  • Release metadata and project board work may require GitHub UI or API actions outside the repository.

Release Metadata Audit

  • v0.1.5 release metadata was checked with:

    gh release view v0.1.5 --repo cssbruno/GOWDK \
  --json tagName,name,isDraft,isPrerelease,createdAt,publishedAt,url

  • Observed result on 2026-06-08:

    {
  "tagName": "v0.1.5",
  "name": "GOWDK v0.1.5",
  "isDraft": false,
  "isPrerelease": false,
  "createdAt": "2026-06-08T01:43:55Z",
  "publishedAt": "2026-06-08T01:54:18Z",
  "url": "https://github.com/cssbruno/GoWDK/releases/tag/v0.1.5"
}

  • Update v0.1.5 on GitHub so it is marked as a pre-release, or edit the release body to put the experimental/not-production-ready warning first.

  • Verified on 2026-06-08 after updating GitHub release metadata:

    {
  "tagName": "v0.1.5",
  "name": "GOWDK v0.1.5",
  "isDraft": false,
  "isPrerelease": true,
  "publishedAt": "2026-06-08T01:54:18Z",
  "url": "https://github.com/cssbruno/GoWDK/releases/tag/v0.1.5"
}

  • Verify future 0.x releases are created as visible pre-releases with downloadable assets.

    softprops/action-gh-release is configured with draft: false and prerelease: true in .github/workflows/release.yml.

Repo Truth Gates

  • docs/engineering/release-plan.md uses GitHub milestone buckets as the planning source of truth.
  • docs/engineering/release.md links to the open-ended 0.x hardening checklist.
  • .github/release-note-template.md exists and requires experimental, not-production-ready, known gaps, checksum, and attestation sections.
  • README.md includes an experimental 0.x warning and support matrix.
  • docs/getting-started.md starts with release install and explains source builds as the contributor/development path.
  • Root SECURITY.md matches the deeper security baseline and no longer says first-slice generated actions, CSRF, and guards are only planned.

Public Backlog Gates

  • Issue templates exist for compiler bugs, generated output bugs, runtime bugs, docs gaps, example requests, language proposals, and addon proposals.
  • Public security issue reporting is redirected to SECURITY.md.
  • Create the public GitHub project board 0.x Hardening.
  • Add board waves: Public truth, Release trust, Compiler spine, Go interop, Endpoint adapters, Secure runtime, SSR/hybrid, Components/islands, CSS/assets, DX/examples, and Ops/docs.
  • Convert current Partial requirements into public issues.
  • Convert current Planned roadmap items into public issues unless they are intentionally tracked only in docs.
  • Add labels listed in docs/engineering/release-plan.md.

Project board:

GitHub milestones verified on 2026-06-09:

MilestoneFocus
M2 - Compiler + Language ContractCompiler spine, diagnostics, source spans, parser/formatter hardening, and the current .gwdk language contract.
M3 - Route / Endpoint / Contract ReportsRoutes, endpoints, contracts, diagnostics, source maps, and editor-navigable reports.
M4 - Go InteropGo binding inspection, stubs, typed params, build/load contracts, and package resolution.
M5 - Secure Endpoint RuntimeStrict endpoint adapters, body/header/time limits, CSRF response contract, panic boundaries, and safe redirects.
M6 - Contracts Web AdapterStable g:command/g:query web adapters, contract role diagnostics, local outbox docs, and worker replay docs.
M7 - SSR / HybridRequest-time page lifecycle, load contracts, hybrid behavior, cache, guards, and route-local errors.
M8 - Components / Client LanguageComponent props, slots, events, client reactivity, SPA navigation, lifecycle, and WASM islands.
M9 - Assets / WASM / PackagingOptional adapters, CSS/assets, WASM ABI, cache manifests, generated app packaging, and dependency surface policy.
M10 - DX / Product ExperienceVS Code cockpit, examples, cookbook, flagship app, docs, operations, website, playground, CI, and learning path.
M11 - Auth Addon HardeningAuth crypto stance, password hashing, fail-closed session secrets, CSRF/session interplay, guard examples, and addon docs.
M12 - DB Addon Hardeningdatabase/sql plumbing maturity, migrations apply, transaction/health helpers, sqlc walkthrough docs, and real-driver tests.
M13 - WebSocket / Realtime AddonOpt-in WebSocket presentation-event fanout addon, config round-trip, and gowdk add wiring.
M14 - Realtime Reactivity WiringADR-gated server presentation events drive bounded live DOM updates without user JavaScript.

Project-board creation was tracked in https://github.com/cssbruno/GoWDK/issues/14 and closed after the board was created, made public, configured with the release-wave Wave field, and loaded with issues 1 through 114.

Partial PRD issues:

Planned roadmap issues:

Release-plan bucket and detailed backlog issues:

Focused follow-up issues created from the public backlog review:

Install And Verification Gates

  • scripts/install.sh exists and verifies Linux/macOS release artifacts against checksums.txt.
  • Getting started docs include pinned release install.
  • Getting started docs include direct Linux, macOS, and Windows artifact paths.
  • Getting started docs include checksum and attestation verification. Future gate, not part of v0.2: add gowdk doctor verification after the command exists.

Release Notes Gates

  • Draft docs/engineering/release-notes-v0.2.md from .github/release-note-template.md before tagging v0.2.
  • Release body begins with "Experimental 0.x release" and "Not production-ready."
  • Release body includes implemented, partial, planned, intentionally out of scope, required verification, and known gaps sections.
  • Release body includes generated-output instability notes.
  • Release body includes exact Go and Node versions.
  • Release body links to this checklist.

Verification Commands

Run from the repository root before a v0.2 release:

git diff --check
scripts/test-go-modules.sh
scripts/vulncheck-go-modules.sh
go build ./cmd/gowdk
./gowdk version --json
node --check editors/vscode/extension.js
node --check editors/vscode/extension-core.js
node --test editors/vscode/*.test.js

After publishing, run:

gh workflow run release-smoke.yml -f version=v0.2.0

The smoke workflow downloads each supported published CLI artifact, verifies it against checksums.txt, and runs gowdk version.

M1 Release Trust Gates

  • .github/workflows/release-smoke.yml verifies published Linux, macOS Intel, macOS ARM, and Windows CLI artifacts by checksum and gowdk version.
  • The release workflow checks Go and Node gates, builds CLI artifacts, checks gowdk version --json, packages the VS Code .vsix, verifies checksums.txt, and creates visible pre-releases.
  • The VS Code publish workflow supports manual Marketplace pre-release publishing and uploads the packaged .vsix as a workflow artifact.