v1.0.12

Keep Paperclip's Skills catalog available in the stable image.

Stable Paperclip 2026.618.0 resolves the Skills catalog through a monorepo path that the npm install layout does not provide. This release bundles @paperclipai/skills-catalog@0.3.1 into Paperclip's local node_modules and links the expected packages/skills-catalog path until upstream PR #8327 reaches a stable Paperclip release.

Constraint: paperclipai@2026.618.0 is current stable and does not declare @paperclipai/skills-catalog as a server dependency.

Constraint: Issue #6 reports GET /api/skills/catalog 500 from missing @paperclipai/packages/skills-catalog/generated/catalog.json.

Rejected: Pin Paperclip canary | the canary line has the upstream fix but is not stable enough for the default image.

Rejected: Symlink only | the stable image must also include the target catalog package.

Confidence: high

Scope-risk: narrow

Directive: Remove the Dockerfile shim after a stable Paperclip release includes paperclipai/paperclip#8327 and the image test still loads a non-empty catalog.

Tested: npm dist-tags for paperclipai and @paperclipai/skills-catalog@0.3.1; npx js-yaml .github/workflows/pr-validation.yml; git diff --check; docker build -t holycode:issue6-skills-catalog .; image catalog manifest check; listCatalogSkills returned 8 skills; Paperclip smoke container started with ENABLE_PAPERCLIP=true and logs did not contain the missing-manifest, EACCES, or /root config errors.

Not-tested: Authenticated browser setup flow for the Paperclip Skills page; unauthenticated GET /api/skills/catalog returns 401 in authenticated mode.

Related: #6

Related: paperclipai/paperclip#8327

v1.0.10

Refresh HolyCode's pinned runtime and tooling baseline while keeping the bundled services bootable after upstream changes.

The image stays on Node 22 LTS, refreshes the current stable npm, PyPI, GitHub-release, and git-tag pins, updates workflow/Renovate maintenance, and documents the remaining audit caveats. Hermes and Paperclip needed runtime fixes because their latest releases changed first-boot/API behavior.

Constraint: User requested v1.0.10 even though the github-ops rollover policy normally prefers single-digit version segments

Constraint: Node's June 18, 2026 security notice mentions v22.23.1 in one section, but node:22.23.1-bookworm-slim was not published; node:22.23.0-bookworm-slim is published and reports npm 10.9.8

Rejected: Move to Node 24 | broader runtime migration than this maintenance release

Rejected: json-server 1.0.0-beta.15 | npm latest is a beta, so the stable 0.17.4 pin stays

Rejected: Remove advisory-heavy CLIs | would change the bundled product surface instead of refreshing it

Confidence: high

Scope-risk: moderate

Directive: Keep Hermes supervised with --no-supervise under HolyCode s6 and require API_SERVER_KEY for the API server

Directive: Keep Paperclip first boot on the lan bind preset unless upstream changes Docker reachability

Tested: docker build -t holycode:v1.0.10-local .

Tested: Default container health became healthy; web returned 200 on port 4096; /workspace was writable

Tested: Hermes listened on port 8642 with API_SERVER_KEY set; / returned 404 as expected

Tested: Paperclip returned 200 on port 3100; config existed; embedded Postgres compatibility symlink existed

Tested: Plugin toggles wrote opencode.json entries and OpenCode reported opencode-claude-auth and oh-my-openagent installed

Tested: Renovate config validator passed; local dry-run extracted 65 dependencies

Tested: npm audit temp lock reported 84 total advisories and 0 critical; OSV direct PyPI check reported 0 vulnerabilities

Tested: Workflow YAML parsed; git diff --check passed

Not-tested: trivy, osv-scanner, and pip-audit were not installed locally

Not-tested: Published Docker tags and release workflow before tag push