ota-run/ota

v1.4.19 Breaking

This release includes 3 breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

cli configuration contracts developer-tools infrastructure ota
productivity repo-readiness rust validation workspace

Affected surfaces

auth rbac breaking_upgrade

Summary

AI summary

Redesigned env resolution around env.vars, env.sources, and typed policy values; removed redundant Suggestions title from zsh completion menus.

Full changelog
  • removed the redundant Suggestions title from zsh completion menus while keeping commands and tasks ahead of global --flags
  • redesigned env resolution end to end around env.vars, env.sources, and typed policy values at policies.env.values, making dotenv loading explicit, org policy values explicit, and the precedence surface honest across repo, workspace, and execution output.
  • added declared dotenv source resolution to ota doctor, ota env, ota run, and execution summaries, including ordered source precedence, must_exist readiness checks, and winning-source provenance such as dotenv:.env.
  • updated the contract/env docs, JSON env schema reference, and shipped examples so the public contract, command output, and repo fixtures all use the new env-source model consistently.
  • added php-composer as a workflow-shaped starter pack for explicit Composer-managed PHP repos, including pack-catalog discovery, Composer-backed advisory matching, and a review-first does_not_infer boundary instead of a vague language-level PHP pack.
  • expanded the explicit starter-pack catalog with dotnet, seeding a conventional dotnet restore / dotnet build / dotnet test first draft plus dotnet-aware advisory matching from global.json, solution, and project signals.
  • extended ota init --packs so each catalog entry now exposes explicit does_not_infer boundaries in both text and JSON, making the starter-pack scope visible without inventing fake pack knobs.
  • enriched ota init --pack ... --json advisories with explicit selected-versus-suggested signal scores plus structured weighted signal details, and mirrored the same strength summary in text output.
  • clarified human ota init --pack ... advisories so text output now explains why the mismatch exists, shows weighted signal markers directly, and keeps the explicit review step obvious without weakening pack authority.
  • removed the remaining native fallback branches from explicit ota up --mode container provisioning resolution, so container mode now fails in preconditions instead of ever escaping into host provisioning or host setup.
  • added explicit ota init --pack knobs for the first conventional starter variants: --package-manager npm|pnpm|yarn|bun on the Node pack and --test-runner pytest|unittest on the Python pack, including catalog metadata, JSON pack_options for explicit overrides only, and variant-specific provenance.
  • tightened background update-notice delivery so successful interactive commands keep the short non-blocking wait budget instead of riding the full release-check timeout on slow or offline networks.
  • made explicit ota init --pack ... advisories compare distinct repo-signal strength instead of suppressing warnings as soon as the selected pack has any incidental match.
  • replaced runtime/tool OS scoping via platforms.<os>.required with a cleaner only_on contract surface, while keeping root required as the blocking-vs-warning control and platforms for per-OS value overrides only.
  • upgraded the advanced full-contract example and its .ota/org-policy.yaml to dogfood only_on, Java runtime distributions, explicit version_policy, policy-backed provisioning, and adapter bootstrap, and added example validation coverage for shipped org policy examples and policy-doc YAML.

Breaking Changes

  • Removed the redundant `Suggestions` title from zsh completion menus while keeping commands and tasks ahead of global `--flags`.
  • Redesigned env resolution end‑to‑end around `env.vars`, `env.sources`, and typed policy values at `policies.env.values`, changing the precedence surface and making dotenv loading explicit.
  • Replaced runtime/tool OS scoping via `platforms.<os>.required` with a cleaner `only_on` contract surface, while keeping root `required` as the blocking‑vs‑warning control.


Related context

Earlier breaking changes

  • v1.6.16 Enforce `metadata.ota.minimum_version` at contract load time across all commands.
