Skip to content

Tags: AltimateAI/altimate-code

Tags

v0.7.3

Toggle v0.7.3's commit message 
release: v0.7.3

Telemetry-driven hardening release. Five P0 fixes from the
telemetry-analysis-2026-05-21 pass (#828 finops auto-pick,
#831 project_scan defensive spawn, #833 build-agent name normalization,
#837 tokens_input_total semantics, #839 webfetch 404 cache) plus a
multi-persona pre-release review that surfaced privacy/security
hardening: credential strip on git.remoteUrl, masked git stderr,
agent-name input hardening (control-char strip + NFKC + length cap),
auth-bearing query-param strip from the webfetch cache key, cache-hit
error prefix, warehouse_filter param description disambiguation,
DEFAULT_FINOPS_TYPES single source of truth, and docs alignment for
the auto-pick behavior.

34 adversarial tests pin every invariant.
4 deferred items filed as #840 #841 #842 #843.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

v0.7.2

Toggle v0.7.2's commit message 
release: v0.7.2 — install URL hotfix + upgrader hardening

Hotfix for v0.7.1's broken install endpoint plus a defensive pass on
the upgrade fetch surface (5-persona pre-release review caught two
P0s that PR #825 did not).

Fixed
- `Installation.upgradeCurl()` fetches from www.altimate.sh/install
  instead of the unreachable altimate.ai/install. (#825, closes #309)
- Published GitHub Action (`github/action.yml`) realigned with the
  v0.7.1 binary rename: cache + PATH use ~/.altimate/bin (was
  ~/.altimate-code/bin), binary invoked as `altimate` (was
  `altimate-code`). Action was broken on every cache miss for v0.7.1+
  even before this URL fix.
- 15s bounded timeout on the upgrader fetch via AbortSignal.timeout
  (CodeRabbit feedback on #825).

Changed
- Curl-upgrade fetch failures now surface an actionable error naming
  the URL + the manual re-install one-liner + the GitHub releases
  fallback, instead of a raw `AbortError: The operation was aborted`
  or `Error: Not Found`. HTTP non-2xx also includes the status code.
- `UPGRADE_INSTALL_URL` and `UPGRADE_FETCH_TIMEOUT_MS` extracted as
  named constants inside the `altimate_change` block, so a future
  timeout tune is a single edit.

Testing
- 30 adversarial tests in `release-v0.7.2-adversarial.test.ts`
  covering URL eradication, cross-file host consistency, named-
  constant invariants, error-surface invariants, action.yml
  alignment, marker integrity, migration recovery surface, and
  CHANGELOG presence.
- 529/529 tests pass across install/branding/v0.7.1/v0.7.2 suites.
- Full opencode test suite: 8100 pass / 503 skip / 0 fail.
- Pre-release sanity (`bun run pre-release`): all 4 checks pass.
- Marker guard (`script/upstream/analyze.ts --markers --base main
  --strict`): ok.

If you installed v0.7.1 via curl, your `altimate upgrade` will still
fail until you re-install manually once:

    curl -fsSL https://www.altimate.sh/install | bash

v0.7.2 and forward self-heal.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

v0.7.1

Toggle v0.7.1's commit message 
release: v0.7.1 — provider error pass + standalone binary fix

Combines two pre-release-reviewed passes since v0.7.0:

1. Provider error handling (PRs #789, #794 — already on main) — surfaces
   inner provider message instead of `Bad Request: {?:?}`, extracts Bedrock
   `errorMessage` shape, plain-text 429 retry detection, `model_not_found`
   retry-storm carve-out, telemetry maskString redacts emails + internal
   hostnames, metadata.url internal-host + basic-auth masking, 4KB
   responseBody cap. Documented in `docs/docs/reference/troubleshooting.md`.

2. Standalone binary fix + rename (PR #820 + 16 review-driven fixes added
   on top in this commit):
   - Curl-installed binary no longer crashes with
     `Cannot find module '@altimateai/altimate-core'` on first run. NAPI
     prebuild is embedded into bunfs via a per-target staged shim + Bun
     `onResolve` plugin. Result: 176 MB self-contained binary, no NODE_PATH
     dance.
   - Curl-install binary renamed `altimate-code` → `altimate` to match the
     npm primary `bin`. npm + Homebrew keep both names.
   - Alpine/musl + Windows-on-ARM hit clear early-exit across all four
     install surfaces (curl install, npm wrapper, npm postinstall, build).
   - Build matrix drops linux-*-musl + win32-arm64 (no NAPI prebuilds).
   - Curl install uses `curl --fail` so 404s exit non-zero (no more
     HTML-written-to-disk → tar dies "not in gzip format").

Post-review fixes layered on top of PR #820 (the user-approved 16):
   - `Installation.method()` recognises `~/.altimate/bin` as a curl install
     (was missing — would have broken curl-upgrade in the same release).
   - Install script: stale `altimate-code` cleanup, dual `check_version`
     probe, cp-on-self guard, explicit tar/zip member extraction, Rosetta
     notice, npm-on-musl gcompat clarification, get-started banner mirrors
     npm postinstall, docs URL alignment.
   - `build.ts`: `_requiredExports` JSON.parse + shape-check (prevents JS
     injection from a malicious altimate-core into shipped binary),
     resolved version assertion against package.json, pre-loop staging
     cleanup.
   - Smoke test filters `findLocalBinary` by host OS+arch (no more confused
     status:null from a stale Linux ELF on a Darwin host).
   - README documents the curl install option.
   - Troubleshooting doc covers all four install error classes.

Two 5-persona pre-release reviews drove the surface — provider-error pass
first, then binary-fix + rename pass. 48 new adversarial tests in
`release-v0.7.1-binary-adversarial.test.ts` pin the regression classes
(install-method detection, curl-install hardening, JSON.parse rejection,
version pinning, staging cleanup, build guards, smoke-test hermeticity,
npm-wrapper + postinstall parity, doc surface, cross-file invariants,
release.yml hermetic CI).

Deferred to follow-up issues: #821 (supply-chain hardening — sha256 verify
in install, npm audit signatures, SBOM, cosign), #822 (isMusl refactor),
#823 (build-guard test gaps), #824 (multi-binary PATH warning).

CHANGELOG entry: 10 Fixed / 3 Added / 9 Changed / 1 Removed / 3 Privacy /
3 Testing.

Closes #788 (provider error message surfacing).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

v0.7.0

Toggle v0.7.0's commit message 
release: v0.7.0

v0.6.1

Toggle v0.6.1's commit message 
chore: bump @altimateai/altimate-core to 0.3.1 for v0.6.1

Upstream patch release of the native SQL type-checker used by
`altimate_core_validate` and the cross-dialect data-parity engine.
Rolling into the v0.6.1 release so users pick it up with the BQ finops fix.

Verified:
- `bun run pre-release`: 4/4 green (externals resolved, build OK, binary boots)
- `bun turbo typecheck`: clean
- `bun test test/altimate/ test/skill/`: 3206 pass, 491 skipped (env-gated), 0 fail

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

v0.6.0

Toggle v0.6.0's commit message 
release: v0.6.0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

v0.5.21

Toggle v0.5.21's commit message 
release: v0.5.21

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

v0.5.20

Toggle v0.5.20's commit message 
fix: add marker guards for provider log line to pass Marker Guard CI

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

v0.5.19

Toggle v0.5.19's commit message 
release: v0.5.19

v0.5.18

Toggle v0.5.18's commit message 
release: v0.5.18