
Release 2.0.14 (2026-05-18)

Bug fixes

  • make desired_security_settings visibility-aware
    Returns None for GHAS-gated features (secret_scanning, secret_scanning_push_protection) on private repos.

  • record skipped fields in ConfigDiff during diff
    _diff_dataclass now appends to a skipped list when the desired value is None, instead of silently returning.

  • omit None security fields from apply PATCH body
    Prevents HTTP 422 when applying to private repos without GHAS.

  • render skipped fields in CLI audit/diff output
    Shows informational "skipped (requires GitHub Advanced Security)" messages for GHAS-gated features on private repos.

  • make skipped param required in diff helpers for full coverage
    All callers pass skipped, so the None default was dead code.

  • only print GHAS skip message for security fields
    Non-security skipped fields (e.g., allow_forking) are silently omitted, matching pre-change behavior.
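
The flow these fixes describe, from visibility-aware desired settings through the skipped list to the PATCH body, sketched as an added example; it is not the project's code. SecuritySettings, diff_settings, build_patch_body and render_skipped are hypothetical names, the "enabled"/"disabled" values and the sample repo state are constructed, and the body shape assumes GitHub's security_and_analysis field on the repository update endpoint.

```python
from dataclasses import dataclass, fields
from typing import Optional

# Features the release notes name as GHAS-gated on private repos.
GHAS_GATED = ("secret_scanning", "secret_scanning_push_protection")

@dataclass
class SecuritySettings:  # hypothetical shape, not the project's class
    secret_scanning: Optional[str] = None
    secret_scanning_push_protection: Optional[str] = None

def desired_security_settings(visibility: str) -> SecuritySettings:
    """None means 'no opinion': the feature cannot be set on this repo."""
    value = None if visibility == "private" else "enabled"
    return SecuritySettings(**{name: value for name in GHAS_GATED})

def diff_settings(desired, actual, skipped: list) -> dict:
    """Return {field: (actual, desired)} for drift; None-desired fields go to skipped."""
    changes = {}
    for f in fields(desired):
        want = getattr(desired, f.name)
        if want is None:
            skipped.append(f.name)  # recorded, not silently dropped
            continue
        have = getattr(actual, f.name)
        if have != want:
            changes[f.name] = (have, want)
    return changes

def build_patch_body(desired) -> dict:
    """Body for the repository PATCH; None fields are left out entirely."""
    wanted = {f.name: {"status": getattr(desired, f.name)}
              for f in fields(desired) if getattr(desired, f.name) is not None}
    return {"security_and_analysis": wanted} if wanted else {}

def render_skipped(skipped) -> list:
    """Only security fields get the GHAS message; other skipped fields print nothing."""
    return [f"{name}: skipped (requires GitHub Advanced Security)"
            for name in skipped if name in GHAS_GATED]

if __name__ == "__main__":
    actual = SecuritySettings("disabled", "disabled")  # constructed sample state
    for visibility in ("public", "private"):
        skipped = []
        desired = desired_security_settings(visibility)
        print(visibility, diff_settings(desired, actual, skipped), build_patch_body(desired))
        print(render_skipped(skipped))
```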

Chores

  • bump version to 2.0.14

Documentation

  • add Vergil identity account setup guide
  • publish identity, credential, and permission architecture to site docs
  • clarify credential store setup as sequential browser-authenticated steps
  • rewrite defense-in-depth to distinguish client-side constraints from server-side security
  • apply pushback review to repo config audit design
    Resolved five issues from spec pushback:

      • Rename to vrg-github-repo-config (not vrg-repo-config) to reflect GitHub-specific API checks; drop --owner/--project flags to separate vrg-github-project-config tool
      • Require all four deny rule patterns including path-qualified variants
      • Remove zero-width space Unicode artifacts from template code blocks
      • Drop --local-only flag; both local and GitHub checks always run
      • Local filesystem checks are always read-only in apply mode; bootstrap logic scoped out to a separate init tool

    Added Future Work section for vrg-github-project-config and repo init tool.

  • add implementation plan for repo config audit
  • rewrite repo config audit plan in TDD red/green/refactor format
    Alignment check found one stale --local-only reference (fixed) and a missing output format cross-reference (added). Then restructured all implementation tasks into TDD cycles:

      • Merged old Tasks 2+3 (library impl + tests) into Task 2 with five RED/GREEN/REFACTOR cycles, one per check group plus integration
      • Merged old Tasks 4+6 (CLI impl + tests) into Task 3 with three RED/GREEN/REFACTOR cycles for arg parsing, combined audit, and apply mode
      • Tasks that don't benefit from TDD (template creation, deletion, CLAUDE.md update, validation) kept as-is
      • Total tasks reduced from 8 to 6 with more structured internals

  • replace stale st- references with vrg- across docs and source
    Missed during the VERGIL rename: README, CLAUDE.md, AGENTS.md, site docs, mkdocs nav, worktree convention spec, and two source-code docstrings still referenced the old st-* command prefix. Ref #816

  • add implementation plan for private repo visibility gating (#826)

Features

  • add local config audit library, shared CLAUDE.md template, and vrg-github-repo-config CLI