GOWDK v0.2.8

Experimental 0.x release: GOWDK v0.2

GOWDK v0.2 is an experimental 0.x compiler/runtime release.

Not production-ready. Public syntax, generated output, runtime packages, and
tooling contracts may change before a stable release.

Implemented

• BuildConfig.Scripts for global script tags in generated build-time and
  request-time HTML documents. Use Type: "module" for ES module bundles.
• Page and component js "./file.js", js "./file.ts", and inline js {}
  declarations for scoped browser module inclusion without loading those
  modules on unrelated pages.
• Open-ended 0.x hardening checklist with per-version planning buckets.
• v0.2 release checklist for Public Truth and Release Trust work.
• Release note template requiring experimental, not-production-ready, known
  gaps, checksum, and attestation sections.
• README experimental status, project shape, and current support matrix.
• Getting started release-install path with Linux, macOS, Windows, checksum,
  attestation, and VS Code .vsix verification notes.
• Root SECURITY.md aligned with the deeper repository security baseline.
• Public issue templates for compiler, generated output, runtime, docs,
  examples, language, addon, and non-sensitive security hardening reports.
• Release workflow support for version-specific release notes files.
• Automated release-note validation for the release template, v0.2 draft notes,
  and the selected release body in the release workflow.
• Published artifact smoke workflow for Linux, macOS Intel, macOS ARM, and
  Windows CLI artifacts.
• Release policy guard script for no production-ready claim, no hidden mandatory
  npm install in CI/release packaging, and visible pre-release metadata.
• gowdk version --json for release workflow verification.
• v0.1.5 GitHub release metadata corrected to pre-release with an
  experimental/not-production-ready warning at the top of the release body.
• Public hardening labels from docs/engineering/release-plan.md.
• Public backlog issues for current Partial PRDs:
  #1 through
  #13.
• Public backlog issues for selected Planned roadmap items:
  #15 through
  #35.
• Public release-plan bucket and detailed backlog issues:
  #36 through
  https://github.com/cssbruno/GoWDK/issues/70.
• Focused follow-up issues for optional dependencies, release trust, compiler
  spine, diagnostics, Go interop, endpoint/security hardening, components,
  VS Code, contracts, dev overlay, and the flagship example:
  #71 through
  #114.
• Public 0.x Hardening project board:
  https://github.com/users/cssbruno/projects/2.
• v0.2.3 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, release-doc current-version examples, and
  GitHub milestone policy.
• Parser-style regular-expression cleanup across compiler, LSP, CSS/glob
  rewriting, runtime form scanning, and generated action validation paths.
• Optional framework/context bridge and nested optional adapter modules for
  Echo, Fiber, Gin, Redis Streams, NATS, and WebSocket fanout.
• v0.2.5 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, and release-doc current-version examples.
• Explicit page access metadata: real page sources must declare
  @guard public for intentionally public pages or protected guard IDs for
  guarded pages.
• Thin native RBAC guard IDs through role:<name> and permission:<name>,
  backed by application-owned runtime/auth.Provider implementations.
• Generated guarded apps fail Go compilation when required backing hooks are
  missing: GOWDKGuardRegistry for custom guards and GOWDKAuthProvider for
  native RBAC guards.
• v0.2.6 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, and release-doc current-version examples.
• Optional @page annotations with filename-derived page IDs, while keeping
  explicit @route and @guard metadata required.
• gowdk init now scaffolds the thinner route-first page shape and keeps
  public pages explicit through @guard public.
• Release packaging uploads dist/* as a GitHub Actions workflow artifact and
  verifies the selected tag release contains the expected download assets.
• v0.2.7 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, and release-doc current-version examples.
• gowdk.Config.Env declares normal env vars and secrets separately, validates
  empty names, duplicate names, secret-looking normal vars, and required names
  that are unset or blank.
• Generated embedded apps and backend-only apps repeat required env checks
  before serving requests.
• gowdk inspect ir prints the validated compiler IR for M2 debugging.
• gowdk add wires built-in addons into gowdk.config.go.
• Batteries-included auth and database addons provide common auth/session,
  password hashing, and SQLC-style database wiring helpers.
• Runtime request boundaries now include a default per-request deadline, API
  request-body caps, recovered panic logging, and secret redaction.
• gowdk doctor checks the local Go/GOWDK toolchain, project config, source
  discovery, language validation, route metadata, and relevant optional tools
  without writing generated output.
• v0.2.8 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, and release-doc current-version examples.
• Layout identity now comes from the .layout.gwdk file name. @layout inside
  a layout is optional and declares the parent layout(s) the layout inherits
  from instead of its own identity.
• Self-referential and cyclic layout inheritance are compile errors
  (layout_self_reference, cyclic_layout_reference), and an @layout parent
  that does not resolve reports unknown_layout_id.
• A layout must contain exactly one <slot /> placeholder; zero or multiple
  slots hard-error at validation time (layout_slot_count).

Partial

• Generated app HTTP smoke coverage remains narrower than the full runtime
  surface.

Planned

• Broader release smoke tests for generated app HTTP behavior.
• Automated docs link checking and Markdown lint.

Intentionally Out Of Scope

• Production-readiness claims.
• Migration guides.
• Framework comparison docs as core positioning.
• Mandatory npm, Tailwind, Gin, Echo, Fiber, Redis, NATS, or WebSocket
  dependencies.
• Replacing backend authorization with generated page guards.

Known Gaps

• v0.2 remains experimental and includes both release-trust work and early
  compiler/runtime feature slices.
• Generated output remains pre-1.0 and unstable unless a reference doc marks a
  surface stable.
• Guard metadata is a generated access redundancy layer and does not replace
  authorization in normal Go backend handlers and services.
• Env/secret metadata is a startup and config-load redundancy layer. Cloud
  platforms, containers, process managers, and secret managers still inject
  values, and backend authorization remains application-owned.

Breaking Or Unstable Generated Output

Generated output is pre-1.0. Treat generated Go, generated JavaScript,
manifests, build reports, route reports, and runtime package contracts as
unstable unless a reference doc explicitly marks a surface stable.

Required Release Verification

Run the full checklist before publishing:

• docs/engineering/v0.2-release-checklist.md

Required local gates:

git diff --check
scripts/test-go-modules.sh
scripts/vulncheck-go-modules.sh
go build ./cmd/gowdk
node --check editors/vscode/extension.js
node --check editors/vscode/extension-core.js
node --test editors/vscode/*.test.js

Artifact Verification

Download the CLI artifact for your platform and checksums.txt from the GitHub
release.

grep ' <artifact>$' checksums.txt | sha256sum -c -

On macOS, use:

shasum -a 256 <artifact>

Verify GitHub artifact attestations:

gh attestation verify <artifact> -R cssbruno/GOWDK

VS Code Extension

Install the packaged .vsix manually when the release includes one:

code --install-extension gowdk-vscode-<version>.vsix

Tool Versions

• Go: 1.26.4
• Node.js for extension checks: 24

GOWDK v0.2.7

Experimental 0.x release: GOWDK v0.2

GOWDK v0.2 is an experimental 0.x compiler/runtime release.

Not production-ready. Public syntax, generated output, runtime packages, and
tooling contracts may change before a stable release.

Implemented

• BuildConfig.Scripts for global script tags in generated build-time and
  request-time HTML documents. Use Type: "module" for ES module bundles.
• Page and component js "./file.js", js "./file.ts", and inline js {}
  declarations for scoped browser module inclusion without loading those
  modules on unrelated pages.
• Open-ended 0.x hardening checklist with per-version planning buckets.
• v0.2 release checklist for Public Truth and Release Trust work.
• Release note template requiring experimental, not-production-ready, known
  gaps, checksum, and attestation sections.
• README experimental status, project shape, and current support matrix.
• Getting started release-install path with Linux, macOS, Windows, checksum,
  attestation, and VS Code .vsix verification notes.
• Root SECURITY.md aligned with the deeper repository security baseline.
• Public issue templates for compiler, generated output, runtime, docs,
  examples, language, addon, and non-sensitive security hardening reports.
• Release workflow support for version-specific release notes files.
• Automated release-note validation for the release template, v0.2 draft notes,
  and the selected release body in the release workflow.
• Published artifact smoke workflow for Linux, macOS Intel, macOS ARM, and
  Windows CLI artifacts.
• Release policy guard script for no production-ready claim, no hidden mandatory
  npm install in CI/release packaging, and visible pre-release metadata.
• gowdk version --json for release workflow verification.
• v0.1.5 GitHub release metadata corrected to pre-release with an
  experimental/not-production-ready warning at the top of the release body.
• Public hardening labels from docs/engineering/release-plan.md.
• Public backlog issues for current Partial PRDs:
  #1 through
  #13.
• Public backlog issues for selected Planned roadmap items:
  #15 through
  #35.
• Public release-plan bucket and detailed backlog issues:
  #36 through
  https://github.com/cssbruno/GoWDK/issues/70.
• Focused follow-up issues for optional dependencies, release trust, compiler
  spine, diagnostics, Go interop, endpoint/security hardening, components,
  VS Code, contracts, dev overlay, and the flagship example:
  #71 through
  #114.
• Public 0.x Hardening project board:
  https://github.com/users/cssbruno/projects/2.
• v0.2.3 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, release-doc current-version examples, and
  GitHub milestone policy.
• Parser-style regular-expression cleanup across compiler, LSP, CSS/glob
  rewriting, runtime form scanning, and generated action validation paths.
• Optional framework/context bridge and nested optional adapter modules for
  Echo, Fiber, Gin, Redis Streams, NATS, and WebSocket fanout.
• v0.2.5 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, and release-doc current-version examples.
• Explicit page access metadata: real page sources must declare
  @guard public for intentionally public pages or protected guard IDs for
  guarded pages.
• Thin native RBAC guard IDs through role:<name> and permission:<name>,
  backed by application-owned runtime/auth.Provider implementations.
• Generated guarded apps fail Go compilation when required backing hooks are
  missing: GOWDKGuardRegistry for custom guards and GOWDKAuthProvider for
  native RBAC guards.
• v0.2.6 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, and release-doc current-version examples.
• Optional @page annotations with filename-derived page IDs, while keeping
  explicit @route and @guard metadata required.
• gowdk init now scaffolds the thinner route-first page shape and keeps
  public pages explicit through @guard public.
• Release packaging uploads dist/* as a GitHub Actions workflow artifact and
  verifies the selected tag release contains the expected download assets.
• v0.2.7 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, and release-doc current-version examples.
• gowdk.Config.Env declares normal env vars and secrets separately, validates
  empty names, duplicate names, secret-looking normal vars, and required names
  that are unset or blank.
• Generated embedded apps and backend-only apps repeat required env checks
  before serving requests.
• gowdk inspect ir prints the validated compiler IR for M2 debugging.
• gowdk add wires built-in addons into gowdk.config.go.
• Batteries-included auth and database addons provide common auth/session,
  password hashing, and SQLC-style database wiring helpers.
• Runtime request boundaries now include a default per-request deadline, API
  request-body caps, recovered panic logging, and secret redaction.

Partial

• gowdk doctor is referenced as planned install verification but is not
  implemented yet.

Planned

• Broader release smoke tests for generated app HTTP behavior.
• Automated docs link checking and Markdown lint.

Intentionally Out Of Scope

• Production-readiness claims.
• Migration guides.
• Framework comparison docs as core positioning.
• Mandatory npm, Tailwind, Gin, Echo, Fiber, Redis, NATS, or WebSocket
  dependencies.
• Replacing backend authorization with generated page guards.

Known Gaps

• v0.2 remains experimental and includes both release-trust work and early
  compiler/runtime feature slices.
• Generated output remains pre-1.0 and unstable unless a reference doc marks a
  surface stable.
• Guard metadata is a generated access redundancy layer and does not replace
  authorization in normal Go backend handlers and services.
• Env/secret metadata is a startup and config-load redundancy layer. Cloud
  platforms, containers, process managers, and secret managers still inject
  values, and backend authorization remains application-owned.

Breaking Or Unstable Generated Output

Generated output is pre-1.0. Treat generated Go, generated JavaScript,
manifests, build reports, route reports, and runtime package contracts as
unstable unless a reference doc explicitly marks a surface stable.

Required Release Verification

Run the full checklist before publishing:

• docs/engineering/v0.2-release-checklist.md

Required local gates:

git diff --check
scripts/test-go-modules.sh
scripts/vulncheck-go-modules.sh
go build ./cmd/gowdk
node --check editors/vscode/extension.js
node --check editors/vscode/extension-core.js
node --test editors/vscode/*.test.js

Artifact Verification

Download the CLI artifact for your platform and checksums.txt from the GitHub
release.

grep ' <artifact>$' checksums.txt | sha256sum -c -

On macOS, use:

shasum -a 256 <artifact>

Verify GitHub artifact attestations:

gh attestation verify <artifact> -R cssbruno/GOWDK

VS Code Extension

Install the packaged .vsix manually when the release includes one:

code --install-extension gowdk-vscode-<version>.vsix

Tool Versions

• Go: 1.26.4
• Node.js for extension checks: 24

GOWDK v0.2.6

Experimental 0.x release: GOWDK v0.2

GOWDK v0.2 is an experimental 0.x compiler/runtime release.

Not production-ready. Public syntax, generated output, runtime packages, and
tooling contracts may change before a stable release.

Implemented

• BuildConfig.Scripts for global script tags in generated build-time and
  request-time HTML documents. Use Type: "module" for ES module bundles.
• Page and component js "./file.js", js "./file.ts", and inline js {}
  declarations for scoped browser module inclusion without loading those
  modules on unrelated pages.
• Open-ended 0.x hardening checklist with per-version planning buckets.
• v0.2 release checklist for Public Truth and Release Trust work.
• Release note template requiring experimental, not-production-ready, known
  gaps, checksum, and attestation sections.
• README experimental status, project shape, and current support matrix.
• Getting started release-install path with Linux, macOS, Windows, checksum,
  attestation, and VS Code .vsix verification notes.
• Root SECURITY.md aligned with the deeper repository security baseline.
• Public issue templates for compiler, generated output, runtime, docs,
  examples, language, addon, and non-sensitive security hardening reports.
• Release workflow support for version-specific release notes files.
• Automated release-note validation for the release template, v0.2 draft notes,
  and the selected release body in the release workflow.
• Published artifact smoke workflow for Linux, macOS Intel, macOS ARM, and
  Windows CLI artifacts.
• Release policy guard script for no production-ready claim, no hidden mandatory
  npm install in CI/release packaging, and draft/pre-release release metadata.
• gowdk version --json for release workflow verification.
• v0.1.5 GitHub release metadata corrected to pre-release with an
  experimental/not-production-ready warning at the top of the release body.
• Public hardening labels from docs/engineering/release-plan.md.
• Public backlog issues for current Partial PRDs:
  #1 through
  #13.
• Public backlog issues for selected Planned roadmap items:
  #15 through
  #35.
• Public release-plan bucket and detailed backlog issues:
  #36 through
  https://github.com/cssbruno/GoWDK/issues/70.
• Focused follow-up issues for optional dependencies, release trust, compiler
  spine, diagnostics, Go interop, endpoint/security hardening, components,
  VS Code, contracts, dev overlay, and the flagship example:
  #71 through
  #114.
• Public 0.x Hardening project board:
  https://github.com/users/cssbruno/projects/2.
• v0.2.3 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, release-doc current-version examples, and
  GitHub milestone policy.
• Parser-style regular-expression cleanup across compiler, LSP, CSS/glob
  rewriting, runtime form scanning, and generated action validation paths.
• Optional framework/context bridge and nested optional adapter modules for
  Echo, Fiber, Gin, Redis Streams, NATS, and WebSocket fanout.
• v0.2.5 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, and release-doc current-version examples.
• Explicit page access metadata: real page sources must declare
  @guard public for intentionally public pages or protected guard IDs for
  guarded pages.
• Thin native RBAC guard IDs through role:<name> and permission:<name>,
  backed by application-owned runtime/auth.Provider implementations.
• Generated guarded apps fail Go compilation when required backing hooks are
  missing: GOWDKGuardRegistry for custom guards and GOWDKAuthProvider for
  native RBAC guards.
• v0.2.6 release metadata: CLI/editor versions, optional module root-version
  requirements, root changelog, and release-doc current-version examples.
• Optional @page annotations with filename-derived page IDs, while keeping
  explicit @route and @guard metadata required.
• gowdk init now scaffolds the thinner route-first page shape and keeps
  public pages explicit through @guard public.
• Release packaging uploads dist/* as a GitHub Actions workflow artifact and
  verifies the selected tag release contains the expected download assets.

Partial

• gowdk doctor is referenced as planned install verification but is not
  implemented yet.

Planned

• Broader release smoke tests for generated app HTTP behavior.
• Automated docs link checking and Markdown lint.

Intentionally Out Of Scope

• Production-readiness claims.
• Migration guides.
• Framework comparison docs as core positioning.
• Mandatory npm, Tailwind, Gin, Echo, Fiber, Redis, NATS, or WebSocket
  dependencies.
• Replacing backend authorization with generated page guards.

Known Gaps

• v0.2 remains experimental and includes both release-trust work and early
  compiler/runtime feature slices.
• Generated output remains pre-1.0 and unstable unless a reference doc marks a
  surface stable.
• Guard metadata is a generated access redundancy layer and does not replace
  authorization in normal Go backend handlers and services.

Breaking Or Unstable Generated Output

Generated output is pre-1.0. Treat generated Go, generated JavaScript,
manifests, build reports, route reports, and runtime package contracts as
unstable unless a reference doc explicitly marks a surface stable.

Required Release Verification

Run the full checklist before publishing:

• docs/engineering/v0.2-release-checklist.md

Required local gates:

git diff --check
scripts/test-go-modules.sh
scripts/vulncheck-go-modules.sh
go build ./cmd/gowdk
node --check editors/vscode/extension.js
node --check editors/vscode/extension-core.js
node --test editors/vscode/*.test.js

Artifact Verification

Download the CLI artifact for your platform and checksums.txt from the GitHub
release.

grep ' <artifact>$' checksums.txt | sha256sum -c -

On macOS, use:

shasum -a 256 <artifact>

Verify GitHub artifact attestations:

gh attestation verify <artifact> -R cssbruno/GOWDK

VS Code Extension

Install the packaged .vsix manually when the release includes one:

code --install-extension gowdk-vscode-<version>.vsix

Tool Versions

• Go: 1.26.4
• Node.js for extension checks: 24

v0.2.5

chore: prepare v0.2.5 release

GOWDK v0.2.0

Experimental 0.x release: GOWDK v0.2

GOWDK v0.2 is an experimental 0.x compiler/runtime release.

Not production-ready. Public syntax, generated output, runtime packages, and
tooling contracts may change before a stable release.

Implemented

• Open-ended 0.x hardening checklist with per-version planning buckets.
• v0.2 release checklist for Public Truth and Release Trust work.
• Release note template requiring experimental, not-production-ready, known
  gaps, checksum, and attestation sections.
• README experimental status, project laws, and current support matrix.
• Getting started release-install path with Linux, macOS, Windows, checksum,
  attestation, and VS Code .vsix verification notes.
• Root SECURITY.md aligned with the deeper repository security baseline.
• Public issue templates for compiler, generated output, runtime, docs,
  examples, language, addon, and non-sensitive security hardening reports.
• Release workflow support for version-specific release notes files.
• v0.1.5 GitHub release metadata corrected to pre-release with an
  experimental/not-production-ready warning at the top of the release body.
• Public hardening labels from docs/engineering/release-plan.md.
• Public backlog issues for current Partial PRDs:
  #1 through
  #13.
• Public backlog issues for selected Planned roadmap items:
  #15 through
  #35.
• Public release-plan bucket and detailed backlog issues:
  #36 through
  https://github.com/cssbruno/GoWDK/issues/70.
• Focused follow-up issues for optional dependencies, release trust, compiler
  spine, diagnostics, Go interop, endpoint/security hardening, components,
  VS Code, contracts, dev overlay, and the flagship example:
  #71 through
  #114.
• Public 0.x Hardening project board:
  https://github.com/users/cssbruno/projects/2.

Partial

• gowdk doctor is referenced as planned install verification but is not
  implemented yet.

Planned

• Automated release body validation for experimental warning,
  not-production-ready warning, known gaps, checksum instructions, and
  attestation instructions.
• Broader release smoke tests for generated app HTTP behavior.
• Automated docs link checking and Markdown lint.

Intentionally Out Of Scope

• Production-readiness claims.
• Migration guides.
• Framework comparison docs as core positioning.
• Mandatory npm, Tailwind, Gin, Echo, Fiber, Redis, NATS, or WebSocket
  dependencies.
• New compiler syntax or runtime feature expansion.

Known Gaps

• v0.2 is primarily a trust/docs/release hygiene slice, not a compiler feature
  release.
• Generated output remains pre-1.0 and unstable unless a reference doc marks a
  surface stable.

Breaking Or Unstable Generated Output

Generated output is pre-1.0. Treat generated Go, generated JavaScript,
manifests, build reports, route reports, and runtime package contracts as
unstable unless a reference doc explicitly marks a surface stable.

Required Release Verification

Run the full checklist before publishing:

• docs/engineering/v0.2-release-checklist.md

Required local gates:

git diff --check
go test ./...
go run golang.org/x/vuln/cmd/govulncheck@latest ./...
go build ./cmd/gowdk
node --check editors/vscode/extension.js
node --check editors/vscode/extension-core.js
node --test editors/vscode/*.test.js

Artifact Verification

Download the CLI artifact for your platform and checksums.txt from the GitHub
release.

grep ' <artifact>$' checksums.txt | sha256sum -c -

On macOS, use:

shasum -a 256 <artifact>

Verify GitHub artifact attestations:

gh attestation verify <artifact> -R cssbruno/GOWDK

VS Code Extension

Install the packaged .vsix manually when the release includes one:

code --install-extension gowdk-vscode-<version>.vsix

Tool Versions

• Go: 1.26.4
• Node.js for extension checks: 24

GOWDK v0.1.5

Experimental 0.x release

Not production-ready. Public syntax, generated output, runtime packages, and tooling contracts may change before a stable release.

GOWDK v0.1.5 is part of the experimental 0.x pre-release line. Treat generated Go, generated JavaScript, manifests, and runtime package contracts as unstable unless the documentation explicitly marks a surface stable.

Known gaps and hardening work are tracked in the repository docs, including docs/engineering/release-plan.md and docs/engineering/v0.2-release-checklist.md.

GOWDK v0.1.0

GOWDK v0.1.0 is the first public 0.x release line.

This is pre-release compiler/runtime scaffolding, not a production-readiness claim. Until the full feature set is complete, public releases advance by minor version only: v0.1.0, v0.2.0, v0.3.0, and so on.

Included artifacts:

• gowdk-linux-amd64
• gowdk-linux-arm64
• gowdk-darwin-amd64
• gowdk-darwin-arm64
• gowdk-windows-amd64.exe
• checksums.txt
• gowdk-vscode-0.1.3.vsix

Highlights:

• Source-build CLI version set to 0.1.0.
• Static output, generated app, binary, and WASM deploy documentation updated.
• Missing-work checklist restored.
• Obsolete .llm plan documents removed.
• CI and release gates passed for this tag.