Changelog

All notable changes to roam-code will be documented in this file.

The format is based on Keep a Changelog,

and this project adheres to Semantic Versioning.

[Unreleased]

[12.46] - 2026-05-07

CI fix — ruff lint cleanup on overnight files

Hotfix after 12.45. The ruff format-check passed in 12.45 but the

ruff LINT pass (separate) flagged 7 errors across the new files:

• json imported but unused in cmd_capabilities.py
• default_path assigned but never used in cmd_skill_generate.py

(the dead variable was a refactor leftover; the actual default-path

logic lives in the out = Path(output_path) if output_path else None

branch where the user-supplied path wins)

• reg assigned but never used in test_capability_registry.py (left

over from a refactor of the smoke test)

• 3 unused imports (os, Path, pytest) in test_sarif_enrichment.py

Applied ruff check --fix --unsafe-fixes. Whitespace + dead-code

removal only; all tests still green.

[12.45] - 2026-05-07

CI fix — ruff format on overnight files

Hotfix after 12.44. The 9 net-new files added during the overnight

push (capability.py, cmd_compare.py, cmd_skill_generate.py,

sarif.py edits, plus 4 test files) were not run through ruff format

before commit. CI's lint job ran ruff format --check and rejected.

Per the project's known-learning ("Ruff format check in CI: Always run

ruff format on new files before committing"), this should have been

caught locally. The hotfix runs the formatter and lands the

whitespace-only changes. No behavior change.

[12.44] - 2026-05-07

CI fix — register R5's two new detectors in the catalog

Hotfix after 12.43. The two new async detectors added in R5

(async-fire-and-forget-task, async-nested-run) were registered in

the detector dispatch table but missing from the catalog/tasks.py

CATALOG dict. test_math.py::test_detector_registry_covers_catalog

caught the mismatch on all 5 Python versions.

Adds full catalog entries for both new tasks: name, category, kind,

and the two-way ranked-solutions list that the rest of the algo

infrastructure expects. Bumps test_math.py's expected-task count

32 -> 34. No behavior change to the detectors themselves.

[12.43] - 2026-05-07

Major: Capability Registry + 4 new commands + landing-page launch

This release lands Phase 1 of the v2 monetization plan and bundles a

substantial overnight push (5 web passes + 12 R-phases). Companion to

the launch of the new commercial landing page at https://roam-code.com.

New commands (4)

• roam capabilities — Decorator-driven introspection. Emits the

capability manifest as YAML / JSON / text from any command marked

with @roam_capability. Drives Roam Review GitHub App routing +

MCP filtering. Phase 1 of the v2 monetization plan per

build_priorities.md.

• roam skill-generate — Generate an agent-runtime skill manifest

from the capability registry. 4 emitter targets: claude (SKILL.md),

cursor (.mdc rule), continue (config snippet), aider

(.aiderrc). Closes GitHub issue #14; supersedes the static SKILL.md

approach from PR #15 with dynamic generation. --ai-safe-only

default filters to capabilities marked safe for autonomous agents.

• roam compare — Structural delta between two indices. Symbols

added/removed/moved + per-file complexity deltas + IMPROVED /

SIDEWAYS / REGRESSED verdict. The "did this refactor actually

work?" tool. Useful for sprint-end measurement.

• @roam_capability decorator (not a CLI command but a public API)

— applied to the 3 Phase 0 commands (permit, postmortem,

article-12-check). Mark new commands with this so the registry

stays in sync with the codebase.

New detectors (2)

• async-fire-and-forget-task — asyncio.create_task() whose

return value is discarded. Counts total create_task calls,

subtracts stored ones (assignment, append, add, return, await),

reports the net leak. Python 3.11+ explicitly warns about this

footgun. High severity.

• async-nested-run — asyncio.run() invoked inside an async

function. Raises RuntimeError at runtime (event loop already

running). Fix is to await the coroutine directly. High severity.

SARIF output enrichment

• automationDetails block (id + guid + description) on each run for

GitHub Code Scanning re-ingest correlation.

• versionControlProvenance populated from git rev-parse when

available (revisionId, branch, repositoryUri).

• Driver metadata: informationUri, downloadUri, organization.
• Suppressions support: reads .roam/suppressions.json (list or

envelope shape), stamps matching results with the SARIF

suppressions array — so CI gates can respect documented FPs.

Rule packs

• Rust pack expanded from 12 → 30 rules (memory + concurrency +

error-handling + hygiene categories added).

• Swift pack created from scratch — 25 rules covering force-unwrap,

retain cycles, main-thread blocking, SwiftUI state misuse, etc.

Documentation

• New docs/site/cookbook/README.md — 10 high-value workflow recipes:

orient in a new codebase, audit a PR, set up a CI gate, find dead

code, generate Article 12 readiness, replay detectors against past

commits, wire roam into Claude Code, compare two indices, ship a

pre-commit verdict.

• dev/COMPETITOR-WATCH-2026-05-07.md — captured May 2026 competitor

state (GitNexus 10K stars, Codebase-Memory 66 langs, Qodo 2.0

multi-agent, Greptile v4 82% bug catch, CodeRabbit Autofix). Drives

next-session prioritisation.

Landing page (https://roam-code.com)

Major rework over 5 audit-and-fix passes after the domain went live

on 2026-05-07:

• 7-page site: home, /pricing, /compare, /docs, /privacy, /terms,

/refund. All under 10 KB Brotli per page.

• Plain-language H1: "Your AI writes the code. Roam tells you what

else it broke."

• "What's in the free CLI" section showing the complete product

(190+ commands, 136 MCP tools, 27 languages, real OSS adoption

numbers fetched from GitHub + pypistats).

• "How it works" section with the MCP-server angle (your AI agent

talks to Roam, gets back graph-grounded answers).

• "What Roam looks like in practice" — terminal demo + GitHub PR

comment mockup (HTML/CSS, no images).

• Comparison table vs CodeRabbit / Greptile / Qodo / SonarQube,

with verified-against-vendor-pricing-pages methodology.

• Pain band citing PocketOS / Amazon Treadwell / Faros AI 2026 /

Kudelski's CodeRabbit RCE writeup, with "Roam catches this class

of bug" tie-back lines.

• Pre-MRR legal pages: GDPR-compliant Privacy, Terms with

limitation-of-liability + Greek governing law, Refund policy with

EU consumer-rights notice.

• Self-hosted fonts (42 KB total, 86% reduction from prior cold-load).
• Strict CSP with hash-allowlisted JSON-LD, COOP/CORP, HSTS preload.
• Email contacts (hello@/security@) + .well-known/security.txt.

Surface counts

• CLI commands: 190 → 193 (+ capabilities, skill-generate, compare)
• Modules: 180 → 183
• Detectors: 54 → 56 (+ async-fire-and-forget, async-nested-run)
• Rule packs: 7 → 8 (+ Swift)
• Tests added: 32 (capability 11 + sarif 7 + skill 7 + compare 7)
• Documentation: + cookbook (10 recipes)

What was deferred to next session

R4 (Dart Tier 1 extractor), R11 (migration-plan CLI), R13 (parallel

parse for monorepos), R14 (LLM-augmented MCP tool), R15 (why-slow CLI

via runtime traces), R16 (open-issues sweep), R18 (GraphQL bridge),

R19 (incremental MCP hot-reload). Each documented in the project task

list with notes on scope + risk.

[12.42] - 2026-05-06

CI fix — landscape.json self-row version stamp

Hotfix after 12.41. The 12.41 release bumped pyproject + MCP cards

+ competitor_site_data but missed docs/site/data/landscape.json's

self-row, which tests/test_doc_consistency.py::test_landscape_json_self_row_version_matches

guards (major.minor must match pyproject). Bumped 12.40 → 12.42 in

that file. No behavior change.

[12.41] - 2026-05-06

CI fix — README surface consistency for Phase 0 commands

Hotfix release after 12.40. The README's command listing did not yet

include permit, postmortem, and article-12-check, which broke

tests/test_readme_surface_consistency.py::test_readme_covers_all_canonical_cli_commands

on all 5 Python versions in the matrix. Added one-line entries for

each of the three new commands in the canonical command table. No

behavior change; documentation-only fix to restore CI green.

[12.40] - 2026-05-06

Pivot to monetization — Phase 0 free-OSS funnel artifacts + commercial landing page

After 8 CI iterations restoring the matrix to green (12.31 → 12.39),

this release pivots from polish to monetization-aligned shipping.

Lands the Phase 0 commands from build_priorities.md plus a

starter landing-page implementation for the roam.review umbrella.

New commands (3 — Phase 0 of v2 monetization plan)

• roam permit — structural-permission verdict facade for AI

agents. Returns {verdict, reason, allowed_actions, blocked_actions}

over staged changes (--staged), an arbitrary diff (--input), or

a target symbol (--symbol). Wraps roam critique + roam preflight.

Exit codes: 0=ALLOW, 5=BLOCK, 6=REVIEW. Drops into Cursor rules,

Claude Code permission hooks, pre-commit, GitHub Actions branch

protection. **Engine reused by the Roam Review GitHub App at PR

time.**

• roam postmortem — replays current detectors

against past commits. Walks HEAD~30..HEAD (or any range), runs

roam critique against each commit's diff, reports findings that

would have surfaced pre-merge. The single highest-conversion buyer-

meeting demo per the v2 plan: *"if it retroactively catches my Q1

incidents, signed PO by Friday."*

• roam article-12-check — EU AI Act Article 12 readiness

assessment. 6-item checklist (audit-trail dir, trail records,

retention policy, technical docs, attestation surface, high-risk

classification heuristic) → 1-page Markdown report (or PDF with

--pdf out.pdf if reportlab installed). Captures Article-12-curious

leads before they pick another vendor.

Commercial landing page (starter)

New directory templates/distribution/landing-page/ with:

• index.html — hero + 3 product cards + buyer-pain band citing

PocketOS / Amazon Treadwell / DORA 2025 + audit upsell + trust

strip + FAQ + footer

• landing.css — single 6KB stylesheet, IBM Plex Mono + Space

Grotesk fonts (matches docs/site visual language)

• README.md — domain priority list (roam.review recommended

primary, with roamreview.com / roam.cloud / roamaudit.com

as backups), 3 deploy paths (Cloudflare Pages / Vercel / GitHub

Pages), content TODOs before going live

templates/distribution/landing-page-spec.md updated to reflect

the new domain recommendation.

Surface counts

• 187 → 190 commands (+permit, +postmortem, +article-12-check)
• README + llms-install + landscape.json updated

Tests

• tests/test_pivot_phase0_commands.py — 7 tests covering happy-

path + verdict-decision-tree for permit, no-commits-found path

for postmortem, JSON envelope shape + markdown render + file-

output for article-12-check. All pass on Python 3.9-3.13.

For older releases, see the complete CHANGELOG on GitHub or browse release tags.