AppSurface Search
Section Releases
Release

Release 0.1.0-rc.4

Coordinated AppSurface release 0.1.0-rc.4, tagged on 2026-06-16.

Source of truth

View source Edit this page

Last updated

Status

Tagged

This page is the final narrative release note for AppSurface 0.1.0-rc.4.

Safe To Consume

Scope: Repository-wide. Packages, CLI tooling, examples, and docs-facing behavior ship in one coordinated version.

Freshness: Tagged on 2026-06-16.

Record

The matching compact ledger entry lives in CHANGELOG.md.

  • Release artifacts were generated by ./eng/release prepare.
  • Package release note paths are recorded in packages/package-index.yml.
  • The GitHub Release is created from the annotated tag commit.

This is the release note for AppSurface 0.1.0-rc.4 after 0.1.0-rc.3. This page is finalized on 2026-06-16.

What changed since RC 3

  • AppSurface CI can now prove the default full-solution coverage lane through the appsurface coverage run command, running from source via dotnet run --project, without waiting on matrix fan-in workflows.
  • Patch coverage gates can now use Git refs, unified diff files, or piped unified diff text without forcing full-history checkout.
  • Reader-intent relevance for AppSurface Docs search.
  • OS-backed local secrets for solo development before remote vault adoption.
  • Product-readiness evaluation now has a report-first lab and an Aspire AppHost verifier that proves local Postgres product-state persistence without claiming Durable Task backend ownership.
  • More trustworthy AppSurface Docs search typing for multi-word queries.
  • CodeQL JavaScript/TypeScript analysis now ignores the intentionally malformed parser-decision fixture while the docs tests still exercise the same parse-failure bytes.

Included in RC 4

Release and docs surface

  • AppSurface CI coverage now dogfoods the appsurface coverage run command, running from source via dotnet run --project, for the default full-solution lane. The lane preserves the existing merged Cobertura, managed JUnit, slow-test diagnostics, Codecov, and coverage gate evidence paths while scripts/coverage-solution.sh keeps legacy compatibility for grouped runs, group listing, merge-only runs, TEST_GROUP, and BUILD_SOLUTION=false.
  • Patch coverage gates now accept exactly one diff source: --diff-base for local Git history, --diff-file for CI-produced unified diff artifacts, or --diff-stdin for piped unified diff text. External diff artifacts are bounded, empty external diffs are treated as valid empty patches, malformed non-empty external diffs fail closed before coverage evaluation, and JSON plus Markdown reports record patch diff provenance.
  • appsurface coverage run now supports --test-results junit for AppSurface-managed top-level JUnit artifacts. --slow-test-diagnostics implies managed JUnit results and writes diagnostics from those files; junit is the only managed result format in this release, with TRX/TUnit compatibility reserved for #491.
  • Package artifact validation now runs a pre-publish consumer proof for the packed ForgeTrust.AppSurface.Cli tool. The proof installs the local artifact into an isolated clean fixture, runs coverage run, coverage merge, a passing coverage gate, and an intentionally failing coverage gate, then writes coverage-cli-consumer-proof.md so publish manifests are blocked when packaged consumer behavior breaks.
  • Coverage runs now emit slow-test-diagnostics.md and slow-test-diagnostics.json next to the merged coverage artifacts. The diagnostics rank project and JUnit test-case timings, preserve best-effort parser warnings without changing coverage exit codes, record metadata completeness, and report diagnostic aggregation overhead in seconds and as a percent of elapsed runner time at diagnostics generation.
  • AppSurface Docs search now hydrates MiniSearch candidates from the normalized docs payload and applies deterministic reader-intent ranking before both sidebar and full-page rendering. Exact title, path, source, alias, keyword, and entry-point matches stay protected; broad task queries prefer reader-facing guides; explicit API/internal filters override broad-task boosts; and contributor/internal docs are demoted unless the query asks for them directly.
  • Added ForgeTrust.AppSurface.Config.LocalSecrets for local secret source posture, not production vaulting. The package registers AppSurfaceLocalSecretsModule, named posture modes, structured local secret result states, OS-backed/local fake store seams, fail-closed provider-chain behavior where only Missing falls through, and paste-safe diagnostics. The CLI now includes appsurface secrets init|set|get|list|delete|doctor, and the docs cover local setup, migration from dotnet user-secrets and .env, CI/container alternatives, and the future remote-vault ladder.
  • The package chooser now resolves the public Intelligence package start-here link inside hosted AppSurface Docs by keeping top-level Intelligence READMEs inside the standalone harvest boundary.
  • examples/product-readiness-lab now gives adopters a SaaS-shaped local evaluator whose readiness report is the primary artifact. The paired examples/product-readiness-lab-apphost verifier starts local Postgres, probes the public readiness endpoint, and fails unless product/domain state becomes proven-locally; Durable Task worker/client startup, hosting, timers, late-event handling, and storage-provider boundaries stay documented as host-owned.
  • AppSurface Docs search now preserves multi-word spacing while readers type, so pausing after a separator in either the full-page search workspace or sidebar search no longer joins words together.
  • RazorWire now includes a hybrid-hosting guide for split-origin deployments that serve exported static pages from one origin while Cloud Run or another container host serves RazorWire streams, islands, and lazy anti-forgery forms from a live origin.
  • Package validation now treats redistributed package payload provenance as an enforced release gate. verify-packages reads packages/third-party-payloads.yml, proves notice, generated-first-party, or audited coverage for suspicious payloads, and renders package report rows with notice paths, evidence kind, version source, and suspicious payload counts.
  • AppSurface.Intelligence now acts as a reusable product-intelligence contract layer for host and package events. Hosts can register contract packs with RegisterEventContracts(...), compose them with the built-in AppSurface catalog through IAppSurfaceProductEventRegistry, validate token, bounded-text, boolean, integer, and allowed-value property shapes, require per-event allowlisting for experimental custom events, and opt into safe development exceptions without bypassing forbidden property names or unsafe value-shape filtering.
  • AppSurface Docs parser-decision fixtures now keep the deliberate malformed JavaScript sample under a non-JavaScript suffix so repository-level JavaScript/TypeScript scanners do not treat the negative parser test as product source.
  • RC 4 now includes the final pre-tag dependency refresh set: Aspire's transitive MessagePack graph is pinned to 2.5.301 with affected lock files refreshed, Web's esbuild development dependency is updated to 0.28.1, and the GitHub Actions workflow dependency group is refreshed before release evidence capture.

Migration watch

  • Record breaking or behavior-changing guidance here before it moves into the tagged release note.