v0.3.0#7

Merged
mattyhansen merged 25 commits into main from dev
Jun 1, 2026
@mattyhansen mattyhansen commented May 30, 2026

This pull request updates the project documentation and architecture to reflect a major recalibration of the code analysis rules, with a focus on governing AI-generated code for human verifiability. It introduces two new ADRs: one that formally states the project's mission, and another that removes the complexity.npath rule and tightens complexity thresholds to better align with that mission. The documentation and rule catalog are updated accordingly, including rule counts and severity adjustments.

Key changes:

Mission and Project Direction

  • Added ADR-017, which formally defines the project's mission as governing AI-generated code so a human can read, verify, and trust it, with all rules and defaults justified by verifiability goals (legibility, security, and genuine testing). The mission is now referenced in .goat-flow/architecture.md and documented in docs/mission.md.

Complexity Rule Recalibration

  • Added ADR-018, which retires the complexity.npath rule (breaking change), demotes halstead-volume and maintainability-index to advisory severity, tightens cognitive complexity (error at 20) and nesting depth (error at 4), and makes cyclomatic complexity a warning (at 20). This aligns the complexity pillar with the project's verifiability mission.

  • Updated the rule catalog in .goat-flow/architecture.md to reflect the removal of complexity.npath (complexity pillar now has 4 rules, not 5), and updated the total rule count from 119 to 118. The description of complexity rules now matches the new severities and thresholds.

  • Updated .goat-flow/code-map.md to remove the mapping for NpathComplexityRule.php, confirming the rule's retirement.

Documentation and Metadata Updates

  • Updated the version constant in the architecture documentation to 0.2.0 and clarified the summary digest version for the summary command.

  • Corrected the documentation of the Finding object's stableIdentity calculation to match implementation changes.

  • Added documentation for the minimumSeverity config option, clarifying its usage and validation.

Summary by CodeRabbit

  • New Features

    • Changed-region analysis (diff/since/changed-ranges) with symbol/hunk scopes; outputs suppressedCount, ignoredPathDetails, newFindingsCount, and failureReason.
    • New check-ignore command with authoritative ignore reporting and CI-friendly exit codes.
    • Baseline movement buckets and --baseline-include-absent; --fail-on-new gate for new-findings-only.
  • Breaking Changes

    • Removed complexity.npath (configs referencing it will fail; baselines may need regeneration).
  • Updates

    • Complexity recalibrated: cognitive 30→20, nesting-depth 6→4, cyclomatic → warning; Halstead & maintainability → advisory.
    • Added count-based failureConditions gates; CLI/tool version bumped to 1.0.0; mission/docs expanded.


Note

Medium Risk
Hook and settings changes affect agent command blocking and post-edit behavior repo-wide; misconfiguration or missing hook-lib could fail closed or skip guards until setup is rerun.

Overview
goat-flow 1.9.0 bumps every goat-* skill (and mirrored .claude/skills) and tightens how agents report evidence: critique, QA, and security outputs now require proof class tags (RUNTIME | CONTRACT-GREP | STATIC | NOT-REPRODUCED), risk-agent context uses grep-first footgun/lesson hits instead of whole-bucket reads, and goat-review PR mode adds an automated-reviewer overlap protocol (references/automated-review.md) with [overlap:bot] / [new] tagging plus richer gh pr view JSON.

Planning and QA get lighter wording in goat-plan (milestone filename/presentation examples) and goat-qa (condensed intake tables and proof-class columns in output templates). goat-security drops GEMINI.md from the agent-surface scan list and adds proof-class fields to findings and integrity sections.

Hooks: deny-dangerous.sh is rebuilt as a dispatcher that loads .goat-flow/hook-lib/ (patterns-shell, patterns-paths, patterns-writes), resolves repo root via git, supports Copilot and Antigravity JSON deny shapes, and delegates self-tests to .goat-flow/hook-lib/deny-dangerous-self-test.sh (replacing the inlined .claude/hooks/deny-dangerous.self-test.sh). New gruff-code-quality.sh runs gruff on changed lines only after Edit/Write/MultiEdit; .claude/settings.json wires it on PostToolUse and hardens PreToolUse hook paths with git-common-dir root resolution.

Reviewed by Cursor Bugbot for commit 23df30b.
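
The risk note above says a missing hook-lib could either fail closed or skip guards. The sketch below shows the fail-closed choice for a pattern-loading guard; it is an added example, not goat-flow's deny-dangerous.sh. The `.txt` suffix, the one-regex-per-line file format, the function names and the use of exit status 2 as the blocking status are assumptions.

```shell
#!/bin/sh
# Added illustration, not goat-flow's deny-dangerous.sh. Assumed for the sketch:
# pattern files end in .txt and hold one extended regex per line ('#' comments),
# and the calling agent treats exit status 2 as "block this command".
DENY=2
ALLOW=0
REQUIRED="patterns-shell patterns-paths patterns-writes"

# load_patterns DIR: print all patterns; fail if any required file is
# missing, empty, or contains no usable pattern.
load_patterns() {
  for lp_name in $REQUIRED; do
    lp_file="$1/$lp_name.txt"
    [ -s "$lp_file" ] || { echo "guard: missing or empty $lp_file" >&2; return 1; }
    grep -Ev '^[[:space:]]*(#|$)' "$lp_file" ||
      { echo "guard: no patterns in $lp_file" >&2; return 1; }
  done
}

# check_command DIR COMMAND: ALLOW only if the whole library loaded and no
# pattern matched; every error path returns DENY (fail closed).
check_command() {
  cc_patterns=$(load_patterns "$1") || return "$DENY"
  while IFS= read -r cc_pat; do
    cc_rc=0
    printf '%s\n' "$2" | grep -Eq -e "$cc_pat" || cc_rc=$?
    case $cc_rc in
      0) echo "guard: blocked by pattern: $cc_pat" >&2; return "$DENY" ;;
      1) ;;  # no match, try the next pattern
      *) echo "guard: unusable pattern: $cc_pat" >&2; return "$DENY" ;;
    esac
  done <<EOF
$cc_patterns
EOF
  return "$ALLOW"
}
```

A hook built this way would call `check_command` with the resolved hook-lib directory and the proposed command, then exit with the returned status. An invalid regex is treated as a deny rather than skipped, because a silently skipped pattern is the fail-open case.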

2 participants