1.0 stabilization directive (archived)

Archived 2026-05-27. This is the post-merge snapshot of .agent-state/directive.md from the codex/1.0-stabilization-phase-2 branch at commit 24b5082, captured immediately before that PR was squash-merged into main as commit 14c5f77. Preserved per F-Audit-6 so the historical record of WHY each 1.0 commit happened survives the directive reset.

Continuous Work Directive — declarative-hex-worlds

Status: ACTIVE Owner: jonbogaty@gmail.com Goal: Ship declarative-hex-worlds@1.0.0 to npm with the full quality posture defined in docs/PRD/1.0.md.

What CONTINUOUS means

Never stop for status reports the user didn’t ask for.
Never stop for scope caution.
Never stop to summarize — git log is the summary.
Never stop for context pressure — task-batch + PreCompact handle it.
Never stop because a task feels big — pick the next atomic commit.
Only stop on: explicit user halt, red CI blocking, genuine STOP_FAIL.

Operating loop

while queue has [ ] items: implement → verify → commit → dispatch reviewers (background, parallel) → mark [x] → next.

Forbidden phrases

Active queue — 1.0 stabilization

Source: docs/PRD/1.0.md. Items decompose to one commit each on this branch. Order is dependency-respecting.

Phase R — restructure (PRECEDES Phases A-G; remaining Phase A items are unblocked once R is done)

Product correction (2026-05-26): assets bootstrap, not bundle.

bootstrap becomes a first-class CLI subcommand + programmatic API. Assets are downloaded from KayKit GitHub or extracted from a user-supplied zip, mirroring the upstream Assets/gltf/ tree under <out>/addons/kaykit_medieval_hexagon_pack/Assets/gltf/.
gltf-only filter; ignore fbx/obj/mtl. Optional --include-source-formats.
Default <out> heuristic: public/assets/models (auto-detected with overrides).
Integrity sidecar .bootstrap.json (per-file SHA256, edition, library version, source url/zip).
Idempotent + verifiable via bootstrap --verify.
The tarball NO LONGER ships assets/free/ GLTFs. The manifest stays — as JSON metadata describing what the bootstrapped tree should look like.
Pre-R cleanup will include reviewing references/KayKit_Medieval_Hexagon_Pack_1.0_FREE/ AND any EXTRA zip variants under references/ to understand the exact upstream layout, then mirror it precisely.

Dependency policy that governs Phase R commits:

Phase RS — SimpleRPG as fully-functional test-driver game (lands during/after Phase R, before Phase RB)

SimpleRPG scope (clarified 2026-05-26): A fully-functional, very-precisely-scoped game whose only purpose is to exercise EVERY library capability end-to-end. No “real” gameplay purpose beyond coverage. Layout under tests/:

RS1 — ✅ commit (2026-05-26): tests/simple-rpg/ directory scaffold landed. Subdirs:
- assets-embedded/ (ignore-everything-except-self pattern, plus README explaining the EXTRA-pack-pieces convention + license note that EXTRA is paid content, never committed).
- assets-bootstrap-target/ (same ignore pattern, plus README documenting the RB-bootstrap layout written here during RS2 tests).
- game/index.ts (barrel re-exporting the existing R4-relocated driver at tests/integration/simple-rpg/simple-rpg.ts; RS3 decomposes the driver into per-domain siblings in this directory).
- Top-level README.md explaining the test-driver purpose, test surface map (integration / e2e GitHub-bootstrap / e2e local EXTRA), and the API coverage matrix that RS3 grows. Non-goals named explicitly (not consumer example, not benchmark, not visual gallery). Verified: tsc clean, lint clean, 331/6 tests unchanged.
RS2 — ✅ commit (2026-05-26): three test surfaces wired.
- tests/integration/simple-rpg/simple-rpg.test.ts — Node-side. 11 new tests assert the SimpleRPG driver’s full sync path: valid scenario / spawn-groups / patrol-routes / interop snapshot / simulation completion / actor-target inspection / runtime facade interaction / final-actor-tiles / quest completion / guide-API exercise coverage (40+ APIs, no missing or stale) / embedded executable smoke shape. Runs in default pnpm test. Surfaced + worked around the koota 16-world-cap by sharing one runSimpleRpgUsageExample() invocation across grouped assertions.
- tests/e2e/simple-rpg-ci.test.ts — Node-side, gated by HEX_WORLDS_E2E_GITHUB=1. Calls bootstrapKayKitAssets({ source: { kind: 'github' } }) against the live KayKit FREE repo, asserts verifyBootstrap() clean + file count ≥ manifest.counts.total.
- tests/e2e/simple-rpg-local-extra.test.ts — Node-side, gated by HEX_WORLDS_LOCAL_REFERENCES=1. Bootstraps from references/KayKit_Medieval_Hexagon_Pack_1.0_FREE.zip when present; asserts initial extraction + forced-rerun idempotence.
- Dedicated vitest.simple-rpg-e2e.config.ts extends the base unit config to include tests/e2e/simple-rpg-*.test.ts with a 180s timeout. EXTRA-edition bootstrap intentionally NOT tested (CC0 covers FREE only; EXTRA is paid).
- New package.json scripts: test:simple-rpg, test:simple-rpg:e2e:github, test:simple-rpg:e2e:local. Default pnpm test count grows to 342/6 (was 331/6, +11 from the new integration tests; e2e tests skip cleanly when env vars unset).
- Surfaced gap for RS3: tests/e2e/local-assets/third-party-assets.test.ts imports createFixedSimpleRpgGame from the driver but that function was never implemented. RS3’s game/ decomposition needs to add it as the fixed-scenario world-creation helper.
RS3 — ✅ commit (2026-05-26): tests/simple-rpg/game/index.ts gains createFixedSimpleRpgGame() returning GameboardScenarioGameRuntime (extends GameboardRuntime; exposes .world for spawn). Unblocks the broken tests/e2e/local-assets/third-party-assets.test.ts import that R4 left stale. The function uses the public createGameboardRuntimeFromScenario API against the packaged SimpleRPG fixture. Per-domain scenario / piece / system / render decomposition under game/scenarios/, game/pieces/, etc. lands incrementally when each F-Gallery feature page needs a dedicated scenario factory; the umbrella createFixedSimpleRpgGame is the stable entry point for the existing e2e + the upcoming gallery work.

Phase RB — asset bootstrap (replaces bundled assets; lands after Phase R)

RB0 — Typed KayKitUpstreamLayout interface in src/manifest/upstream-layout.ts with FREE + EXTRA descriptors (folder name, gltf root, marker files, expected counts, texture set), plus detectKayKitLayout() runtime probe. Authoritative reference doc at docs-site/src/content/docs/reference/asset-bootstrap-layout.md documents both editions. Tsup entry + package.json export added under ./manifest/upstream-layout. Unit tests in src/manifest/__tests__/upstream-layout.test.ts cover synthetic FREE+EXTRA seeded trees plus skipif probes against references/. 10 new tests; 305 total green.
RB1 — bootstrapKayKitAssets({source, out, edition?, force?, includeSourceFormats?, outRoot?, fetchedAt?, libraryVersion?}) shipped at src/bootstrap/ (barrel + bootstrap.ts + bootstrap-target.ts). Two source modes: {kind: 'github', commit?} streams codeload.github.com/.../tar.gz via node:https + tar extractor; {kind: 'zip', path} extracts via yauzl with zip-slip guard. gltf-only filter (.gltf, .bin, .png, .jpg); --include-source-formats opt-in for .fbx/.obj/.mtl. Mirrors Assets/gltf/ into <out>/addons/kaykit_medieval_hexagon_pack/Assets/gltf/, copies edition’s declared Textures/ files, writes .bootstrap.json integrity sidecar (sha256 + bytes per file). verifyBootstrap(outRoot) re-hashes and returns drift list. Out-path jail rejects escape attempts. Surface re-exported from umbrella + ./bootstrap subpath. Smoke tests cover the public shape (6 tests); RB5 covers extraction. tar + yauzl added as runtime deps.
RB2 — bootstrap CLI subcommand wired into src/cli/cli.ts. Flags: --out (default heuristic prefers existing public/assets/models → assets/models → cwd; always routes through safeResolveOutput jail), --source github|zip, --zip <path>, --commit <sha>, --edition free|extra, --force, --verify, --include-source-formats, --json. Human-readable output shows file count + total bytes + paths; --json emits the structured BootstrapResult or BootstrapVerificationReport. Help text documents every flag under a dedicated “Bootstrap subcommand” section. 4 CLI smoke tests cover help text + the three input-validation error paths. 315 tests green.
RB3 — Runtime asset-root resolution layer added at src/runtime/asset-root.ts. resolveGameboardAssetRoot() honors the priority chain: setGameboardAssetRoot() → globalThis.HEX_WORLDS_ASSET_ROOT → process.env.HEX_WORLDS_ASSET_ROOT → public/assets/models default. gameboardAssetUrl(asset) builds <root>/addons/kaykit_medieval_hexagon_pack/Assets/gltf/<asset-relative> URLs. resolveManifestAssetUrl(asset, { bootstrapAssetRoot }) translates the legacy assets/<edition>/... modelPath shape into the bootstrap target shape (explicit baseUrl still wins). rewriteToBootstrapPath(asset) exposes the same translation for consumer-side rewriters. Constructor-level createWorld({assetRoot}) is deferred — it spans too many call sites to fold into RB3 without risking the 100% coverage gate; the runtime helpers cover every existing loader path. 10 new tests; 325 total green.
RB4 — package.json#files already gates to assets/free/manifest.json only (no assets/free/** wildcard); package.json#exports is already locked to ./assets/free/manifest.json (not the wildcard ./assets/free/*). scripts/audit-package.ts strengthened: it now rejects ANY .gltf/.bin/.fbx/.obj/.mtl in the tarball regardless of path, and restricts .png to docs/showcases/. The audit’s assertPackedConsumerSmokeCoversExports was broken by the D10 split refactor (it only read the orchestrator, missing every @jbcom/... import that moved to scripts/smoke/{pack-install,types,_shared}.ts); fixed by recursively walking local ./... imports and concatenating sources for the AST scan. New ./bootstrap and ./manifest/upstream-layout subpaths added to scripts/smoke/types.ts so the audit recognizes them as covered. Package description updated to reflect bootstrap-not-bundle reality. Also fixed the stale test:assets script assertion to match the current pnpm test:assets:free && pnpm test:reference-assets && pnpm test:manifest-drift shape. Audit now passes. 325 tests green.
RB5 — src/bootstrap/__tests__/bootstrap.test.ts: 17 tests covering the full zip-source pipeline against a synthetic FREE pack zip authored on the fly via yazl. Coverage: layout mirroring (every category dir lands), gltf-only default filter (.fbx/.obj/.mtl excluded), includeSourceFormats flag, integrity sidecar shape (schemaVersion + per-file sha256 + bytes, sorted), verifyBootstrap OK + tampering + missing-sidecar paths, idempotent re-run with force=true produces byte-identical sidecar, refuses non-empty target without force, edition-mismatch rejection (EXTRA zip with FREE flag), unknown-pack rejection, missing-zip rejection, EXTRA-from-GitHub rejection (CC0 licensing), out-path escape rejection, reproducible builds with libraryVersion + fetchedAt overrides, directory-shape preservation. yazl + @types/yazl added as devDeps. 342 tests green.
RB6 — tests/integration/bootstrap/bootstrap-end-to-end.test.ts. Builds a synthetic FREE zip from the locally extracted references/KayKit_Medieval_Hexagon_Pack_1.0_FREE/ reference using yazl, runs bootstrapKayKitAssets({kind:'zip'}) against it, asserts: (a) verifyBootstrap clean, (b) every asset in the bundled FREE manifest (221 items) resolves to a real file under the bootstrap target via gameboardAssetUrl after setGameboardAssetRoot(outRoot), (c) total file count ≥ manifest counts.total. Skipif the local reference is absent so CI without the reference passes silently. vitest.config.ts extended to include tests/integration/**. Vitest-browser screenshot assertion deferred to a follow-up — the manifest-asset-resolution check covers the contract end-to-end without requiring a render harness wired up in this commit. 343 tests green.
RB7 — .github/workflows/bootstrap-nightly.yml. Scheduled daily (04:00 UTC) + manual workflow_dispatch. Runs pnpm install + pnpm build + node dist/cli.js bootstrap --source github --json against the live KayKit FREE upstream tarball, then bootstrap --verify and asserts fileCount >= 221. Uploads the JSON BootstrapResult as a 14-day-retention artifact. Per-PR pipeline keeps using the synthetic-zip integration test from RB6 (no network dep). audit-workflows passes (new file is additive — existing assertions unaffected).
RB8 — README “Install” section rewritten to pnpm add declarative-hex-worlds && pnpm exec declarative-hex-worlds bootstrap, with a clear “asset-bootstrapping not asset-bundled” framing and pointers to the docs-site. Two new Starlight guides: docs-site/src/content/docs/guides/getting-started.md (install + bootstrap + first scenario + render) and docs-site/src/content/docs/guides/asset-bootstrap.md (full workflow: FREE-from-GitHub, EXTRA-from-zip, reproducible builds via libraryVersion+fetchedAt, --verify drift detection, runtime asset-root wiring, troubleshooting). RB0 layout reference at docs-site/src/content/docs/guides/kaykit-upstream-layout.md (moved out of reference/ because that subdir is typedoc-owned). Fixed a typedoc gotcha — relative .md links in JSDoc + README get copied into docs/api/media/, which broke pnpm docs:build because the copied file referenced Starlight-only routes; switched the README link to the live jbcom.github.io/.../guides/asset-bootstrap/ URL. pnpm docs:build + pnpm test:package both pass. 343 tests green.

Phase A — foundation gates

Determinism additions to CI (user direction 2026-05-26):

Phase B — performance criticals (publish-blocking)

B1 (re-scoped 2026-05-26) — ✅ delivered via three landed commits (no new commit needed):
1. Drift gate — scripts/audit-manifest-drift.ts (A3b) regenerates the manifest + asserts byte-identity vs the committed bytes. Runs in pnpm test:assets → CI.
2. modelPath rooting — RB3 added rewriteToBootstrapPath at URL-resolution time rather than rewriting modelPath in the manifest. Same downstream semantics; avoids churning every test that asserts the current modelPath shape. The manifest’s modelPath stays at assets/free/...; consumer-facing URLs resolve through the bootstrap-aware rewriter.
3. Per-asset SHA256 — lives in .bootstrap.json (RB1’s integrity sidecar) rather than the manifest. The manifest describes what should be produced; the sidecar describes what was actually produced. Two homes would duplicate + drift.
B2 — REJECTED. freeManifest stays on the umbrella; bundled-out-of-box is the product. Replacement: keep the umbrella export, but expose lazy variants alongside (e.g. loadFreeManifest()) for consumers that explicitly want async/lazy. Both shapes ship.
B2b — ✅ commit (2026-05-26): loadFreeManifest() ships alongside freeManifest from src/manifest/free.ts (autogenerated by writeManifestModule; drift gate updated). Identity-stable — every call returns the same in-memory reference as the eager export. Surface added to src/index.ts umbrella too. Lets async-first consumers keep their loader contract stable once a future RB-era refactor moves the manifest to an on-disk JSON load.
B3 — ✅ commit (2026-05-26): src/cli/cli.ts (4,550 LOC) decomposed into a 134-LOC dispatcher + src/cli/_shared.ts (helpers, types, printers, run* engines) + src/cli/usage.ts (help text) + src/cli/commands/*.ts (34 per-subcommand handlers, ~20 LOC mean). Dispatcher uses dynamic import('./commands/<name>') per command and import('./usage') for --help/unknown — headless paths never pull _shared.ts (which transitively imports the freeManifest + blueprint + simulation surface). doctor and validate are fully self-contained (only import validateSourceRoot + expectedModelCount from ../ingest). bench:cli-cold-start ratchets from 117 ms → 64 ms mean (under the PRD E5 80 ms budget). Tests at 353/6 unchanged; test:cli + test:consumer clean. CLI behavior byte-identical (no observable stdout/stderr/exit-code drift).
B4 — ✅ commit (2026-05-26): gameboardPlanIndex(plan) helper materializes tilesByKey + placementsByTile once per plan via a module-local WeakMap. The 6 in-call new Map(plan.tiles.map(...)) rebuilds in coordinates/layout.ts (4) + interop/interop.ts (2) replaced with destructuring calls to the helper. Memoization test asserts the second call returns the same Index reference (so subsequent callers pay O(1) lookup instead of O(N) rebuild). Public surface unchanged — GameboardPlan shape is identical; the index is derived.
B5 (part 1) ✅ commit (2026-05-26) — P-H1: Single-pass readGameboardActorTargets reducer (actors.ts:940-953 + :1085-1093).
B6 ✅ commit (2026-05-26) — P-H2: Add tryParseHexKey(key): HexCoordinates | undefined in coordinates.ts; migrate interop.ts/scenario.ts try { parseHexKey } catch { undefined } sites.
B7 — ✅ commit (2026-05-26): useStableOptions<T>(options) hook added to src/react/react.ts; uses JSON.stringify to compute a structural-equality key over the options object and returns a reference that stays stable until that key changes. Applied to all 8 selector hooks (useGameboardRuntimeSnapshot, useGameboardInteractionTarget, useGameboardInteractionCommand, useGameboardInteractionCommandPreview, useGameboardTileInspection, useGameboardNeighborhoodInspection, useGameboardActorSelection, useGameboardActorTargets, useGameboardActorTargetCommand). Callers can now pass fresh literal options every render without triggering the useMemo cache miss.
B8 ✅ commit (2026-05-26) — P-H5: Replace JSON.parse(JSON.stringify(...)) in simulation.ts:5212 with structuredClone.

Phase C — security criticals (publish-blocking)

C1 ✅ commit (2026-05-26) — S-H1: safeResolveOutput(value, outRoot=defaultOutRoot()) added to src/cli/cli.ts. Jail root defaults to process.cwd(); tests/smoke harnesses opt into a wider jail via HEX_WORLDS_OUT_ROOT. 79 --out* write sites refactored to flow through the helper — ../../../etc/passwd and absolute escapes throw before any writeFileSync. extract gained a --force flag: non-empty destinations refuse to be rmSync-wiped without it. Behavior tests pin both the jail escape and --force semantics.
C2 ✅ commit (2026-05-26) — S-H2: Harden listFiles in ingest.ts:310 — skip entry.isSymbolicLink(), verify realpathSync(child).startsWith(realRoot) before descending. Cycle-safe.
C3 ✅ commit (2026-05-26) — S-M1: Prototype-pollution guard in readPieceSourceRoots; return Object.create(null)-backed map; use JSON.parse reviver to strip __proto__.
C4 ✅ commit b3837f0 (2026-05-26) — S-M2: Fix extract-kaykit-guide.ts:129 sh -c quoting via positional args.
C5 — ✅ commit (2026-05-26): relativizePath() helper added to src/cli/cli.ts. Applied to 19 path-bearing error messages (Recipe ${path}..., Scenario ${scenarioPath}..., Simulation script ${path}..., etc.). Falls back to original string if the path leaves cwd or doesn’t resolve — never throws. Absolute paths no longer leak the developer’s directory layout into CI/CD logs.
C6 ✅ commit 07d4b72 (2026-05-26) — S-M5: Gate full stack traces behind HEX_WORLDS_DEBUG=1; keep terse default.
C7 ✅ commit (2026-05-26) — S-M6: Block source-map publish via "!dist/**/*.map" in files or sourcemap: false for publish build.

Phase D — architectural debt (publish-blocking)

Phase E — test debt (publish-blocking, raises floor to 100%)

Floor is 100 / 100 / 100 / 100 across statements / branches / functions / lines for src/, examples/, and scripts/. Anything less is unacceptable. Baseline at the start of 1.0 work: 86.2 % stmts / 76.5 % branches / 93.2 % funcs / 85.9 % lines.

Phase F — documentation (publish-blocking)

Restructured 2026-05-26 from a flat F1d–F13d list into four sub-epics (see PRD §Epic F). The sub-epics land in order: F-Site scaffolds the Astro Starlight site first (so every later doc has a home), then F-Gallery wires SimpleRPG-produced screenshots, then F-README rebuilds the front door, then F-Audit sweeps every legacy doc in the repo. Items are one-commit atomic.

Sub-epic F-Site — Astro Starlight docs site at `docs-site/`

Sub-epic F-Gallery — SimpleRPG-driven feature pages with embedded screenshots

Each item builds the SimpleRPG scenario, the vitest-browser screenshot test that captures it, and the Astro feature page that consumes the screenshot. One commit per feature page; depends on Phase RS being done so SimpleRPG can host the scenarios.

Sub-epic F-README — README as marketing front door

F-README-1 — ✅ commit (2026-05-26): README demolished and rebuilt. Was 2,582 lines of feature enumeration; now 133 lines structured as tagline → quickstart → why → module map → docs grid → CLI → tarball boundary → contributing → license. Stripped every metric-heavy enumeration that belongs on a docs-site feature page; audit-docs-contract.ts updated to no longer require those phrases on README.md (still required on pillar 05 + recipes guide where they belong).
F-README-2 (partial) — F-Gallery-1 harness exists but only screenshots fixed-harbor today; hero set (harbors / multi-depth / cross-kit) needs the harness to add multi-depth-cliff + cross-kit-village scenarios first. Tracked as a continuation step that lands when those scenarios + their generated PNGs commit.
F-README-3 — ✅ commit (2026-05-26): 30-line quickstart block lives in the new README. Shape: pnpm add → pnpm exec declarative-hex-worlds bootstrap → minimal Provider + Canvas + tick component. The snippet IS the React component a consumer would copy-paste. pnpm test:readme-snippet compile-gate to land alongside F-README-2.
F-README-4 — ✅ commit (2026-05-26): “Why this exists” 3 bullets: declarative API, deterministic seeds, first-class React + Three (not peers).
F-README-5 — ✅ commit (2026-05-26): Module map table covers umbrella + 11 most-used subpaths with one-line purposes. Links into the full API reference for the rest.
F-README-6 — ✅ commit (2026-05-26): docs link grid as a 3-column markdown table (Get started / Features / Reference). All 12 cells link to docs-site pages.
F-README-7 — ✅ commit (2026-05-26): badge row across CI status, npm version, license, types-included. Coverage / FREE-asset-count / EXTRA-asset-count badges to add once the cd.yml release deploys to GitHub Pages and a shields.io endpoint can read from the published coverage ledger.

Sub-epic F-Audit — thorough audit of every doc in the repo

Each item is one commit. The audit happens last because it can’t be done well until the new docs-site shape exists to absorb content.

Phase G — release readiness (final gate)

G1 — ✅ commit (2026-05-26): release.yml packs the tarball via npm pack --json, then actions/attest-build-provenance@v3 cryptographically attests it under SLSA L3. The published tarball is the exact same bytes that were attested (the publish step hands the same filename to npm publish). Consumers verify via npm audit signatures or gh attestation verify. permissions: attestations: write added.
G2 — ✅ commit (2026-05-26): same release.yml runs npx @cyclonedx/cyclonedx-npm to produce a CycloneDX 1.6 JSON SBOM of the prod-dep tree. The SBOM + the tarball both attach to the GitHub release via softprops/action-gh-release@v2. Release consumers get a complete dependency manifest for SCA tooling.
G3 — ✅ commit (2026-05-26): .github/dependabot.yml extended with 4 new entries — / daily security-updates group + /docs-site weekly + /docs-site daily security-updates group. Each daily-security entry uses applies-to: security-updates so it picks up GitHub’s advisory database; open-pull-requests-limit: 10 so a heavy CVE week doesn’t get throttled. PRs from these channels carry the security label for filtering.
G4 — ✅ commit (2026-05-26): pnpm verify brought to CI parity. Added pnpm audit --prod --audit-level=high (was CI-only in the package job) and pnpm test:coverage:enforce (was CI-only in the check matrix). Browser/e2e gates stay out of the default verify chain because they need Chromium + are slow; their dedicated scripts (test:browser:free, test:e2e:local-assets, docs-site:build) are runnable on demand. The default pnpm verify chain now: lint → typecheck → audit → docs-contract → api-docs → docs:build → assets (incl manifest drift) → workspace → workflows → build → cli smoke → expectations → tests → coverage threshold → package audit → packed-consumer smoke → pack:dry-run. Mirrors what CI catches except for the browser-Chromium steps.
G5 — ✅ commit (2026-05-26): pnpm verify runs clean end-to-end on codex/1.0-stabilization-phase-2. Full 17-step chain completes: lint → typecheck → audit (no high+ vulns) → docs-contract → api-docs (0 TypeDoc warnings) → docs:build → assets (incl manifest drift) → workspace → workflows → build → cli smoke → expectations → 342 tests pass → coverage threshold met → package audit → packed-consumer smoke → pack:dry-run (134 files, 2.3 MB tarball). audit-package.ts updated to assert the new chain shape so the audit can’t drift from the script.
G6 — ✅ commit (2026-05-26): rather than hand-editing package.json#version (release-please owns the version field), set release-as: "1.0.0" in release-please-config.json’s package config. When the first feat:/fix: commit lands on main after this PR merges, release-please will propose a 1.0.0 release PR. The manifest version (.release-please-manifest.json) stays at 0.1.0 — release-please bumps it on its own when the release PR merges. This is the canonical release-please flow for promoting pre-1.0 → 1.0.
[WAIT] G7 — PR #4 (codex/1.0-stabilization-phase-2 → main) is fully CI green as of 6abc1b1 (lint/typecheck/build/test/test:coverage:enforce/docs/docs-site/npm Pack/Semgrep/Dependency Review/CodeQL all pass). Merge to main is BLOCKED on maintainer review + branch-protection authorization — destructive merge needs explicit user go-ahead per autonomy contract.
[WAIT] G8 — Post-merge: release-please runs on main, sees release-as: "1.0.0" (PRD G6), opens a release PR with the 1.0.0 changelog. Maintainer merges the release PR → release-please tags v1.0.0 (no v prefix per config) → release.yml fires on the release event → builds, attests SLSA L3 (G1), generates CycloneDX SBOM (G2), publishes to npm with OIDC provenance. Verify post-publish: npm audit signatures declarative-hex-worlds reports the provenance attestation, the release page shows the SBOM + tarball assets.

Self-assessment after each commit

Before flipping [ ] → [x]:

What did I just ship? Did the visual / behavior match the spec doc?
What did the just-finished work surface about the next item? Encode in directive notes if non-trivial.
Did this commit introduce any banned pattern? (run gates locally — pnpm lint && pnpm typecheck)
Did I update relevant docs in the same commit? Drift is a bug.

Notes

This directive is the authoritative work queue. PRD in docs/PRD/1.0.md explains the why.
Reviewer trio dispatched per commit: comprehensive-review:full-review (background), security-scanning:security-sast (background), code-simplifier (background).
Visuals: any commit touching react.ts / three.ts / examples/ requires a screenshot via vitest-browser before commit.