chore(main): release 1.0.0

[github-actions]

🤖 I have created a release beep boop

1.0.0 (2026-03-25)

Features

• add cross-platform wrappers and Makefile target for gen-dependabot (d00b7d2)
• add missing language runtime checks to check-env.sh (782ca74)
• add modular ABAP toolchain support (8ebf19a)
• add modular AWK toolchain support (00f1544)
• add modular Cap'n Proto toolchain support (6f24d7a)
• add modular Capacitor toolchain support (cbb95fc)
• add modular ClickHouse toolchain support (3c68fd8)
• add modular Dagger toolchain support (00d054f)
• add modular Dapr toolchain support (faac80a)
• add modular dbt toolchain support (aa51be4)
• add modular Django toolchain support (2b62b81)
• add modular FastAPI toolchain support (ee94b6c)
• add modular Gnuplot toolchain support (bea2a90)
• add modular Graphviz toolchain support (381c352)
• add modular LangChain toolchain support (676f9fb)
• add modular Laravel toolchain support (5d7be51)
• add modular Lit toolchain support (8a6487e)
• add modular MongoDB toolchain support (721f0e0)
• add modular NestJS toolchain support (276e1a6)
• add modular Next.js toolchain support (ad8f87f)
• add modular Nuxt toolchain support (5f53253)
• add modular OpenTelemetry toolchain support (010e242)
• add modular PlantUML toolchain support (4af0651)
• add modular PostgreSQL toolchain support (5d4fe9c)
• add modular PRQL toolchain support (b704017)
• add modular PyTorch toolchain support (3183a37)
• add modular Redis toolchain support (cfe0450)
• add modular Remix toolchain support (119bad3)
• add modular Sed toolchain support (ff0b4ea)
• add modular Spring Boot toolchain support (9262822)
• add modular Tailwind CSS toolchain support (5035046)
• add modular Temporal toolchain support (d4b73f9)
• add modular Vite toolchain support (62e282a)
• add modular Wasmer toolchain support (0a25428)
• add yarn support to the template toolchain (04e35e3)
• align language checks with langs directory (a9ff388)
• attempt quiet execution for mise shims when no version is active to prevent immediate fallback (ebe9514)
• audit: enforce mandatory version verification for Trivy (e5bed3c)
• ci: add automated approval and auto-merge for dependabot prs (c28e856)
• ci: add automated label branding and sync-labels script (eb5a1dd)
• ci: add cross-platform label branding and Makefile support (16fd0ef)
• ci: add docker buildx infrastructure with GHA caching boilerplate (7eeb95c)
• ci: add harden-runner in audit mode (7140604)
• ci: add multi-OS matrix and templates (8cda803)
• ci: add nightly security audit with automated issue reporting (a3c7468)
• ci: add smart dependabot config auto-generation (06e3b8e)
• ci: add universal language caching (01cbe91)
• ci: add visual job summary for dependabot sync (49b88fd)
• ci: enable universal SBOM coverage (a585298)
• ci: finalize GHA summaries and enhance dependabot limits (18e33e2)
• ci: implement automated PR labeling and lychee link caching (7195b07)
• ci: implement comprehensive SBOM coverage for all artifact types (57e126a)
• ci: implement supply chain security and unified test summaries (bd289a9)
• ci: implement universal dependency caching (fc3e763)
• ci: implement visual GHA Job Summaries for audit and check-env (4c792af)
• ci: integrate SARIF security reporting and zizmor hook (89fc7f8)
• deps: add full grouping for GitHub Actions updates (e767328)
• deps: add icons to Dependabot group names (3302d8c)
• deps: add private registry support placeholder to dependabot config (9096926)
• deps: add RHEL to Docker base image grouping (06cf541)
• deps: add Rocky Linux to Docker base image grouping (ff64d2b)
• deps: add snowdreamtech suite to Go grouping (8aa268b)
• deps: differentiate commit prefixes by ecosystem (4e8c8ff)
• deps: enable auto-rebase strategy and auto-assign reviewers (119882c)
• deps: extend specialized grouping to Infrastructure and Languages (a77d358)
• deps: implement comprehensive PR grouping in Dependabot (7fddf7d)
• deps: optimize Dependabot with tiered frequency, PR limits, and semantic labels (48ec1ae)
• deps: set security vulnerability threshold to high (353f9d9)
• enable google-java-format installation on ARM64 Linux by removing the skip condition (e85ad8f)
• implement advanced frontend and monorepo sector logic (turborepo, nx, biome, knip, lefthook, trpc, jotai, valtio, recoil, preact) (7ee120a)
• implement AI, data science and modern JVM sector logic (llamaindex, weaviate, polars, pandas, quarkus, micronaut) (db2c3a1)
• implement backend frameworks and ORM sector logic (axum, actix, echo, gorm, adonis, strapi, phoenix, symfony, tortoise) (c140a28)
• implement cloud native and messaging sector logic (traefik, istio, kong, linkerd, nats, pulsar) (7f606e7)
• implement data, backend and CMS sector logic (noco-db, mongoose, sequelize, kysely, payload-cms, directus, ghost, hardhat, foundry, polars-js) (913a4b4)
• implement distributed data and high-perf engine logic (neo4j, scylladb, cockroachdb, tidb, flink, beam, trino, typesense, tarantool, rocksdb) (46155c2)
• implement drizzle toolchain logic (d3a4ad1)
• implement enterprise build, monorepo and AI logic (bazel, buck2, pants, langgraph, crewai, ollama, localstack, lerna, single-spa, module-federation) (9c0bb67)
• implement expo toolchain logic (7ee1f29)
• implement express and fastify toolchain logic (3d4c51c)
• implement fiber toolchain logic (541ab57)
• implement flask toolchain logic (3d9c1af)
• implement frontend and documentation sector logic (astro, sveltekit, solidstart, storybook, docusaurus) (887c9f5)
• implement gin toolchain logic (22623f5)
• implement hono toolchain logic (c341126)
• implement infra and search sector logic (ansible, nginx, caddy, elasticsearch, meilisearch) (660c082)
• implement ionic toolchain logic (374e436)
• implement languages, testing and devops sector logic (ef-core, grafana, loki, vector, fluentd, pytest, junit, mockito, uvicorn, gunicorn) (8091960)
• implement mobile and observability sector logic (kmp, nativescript, kafka, rabbitmq, prometheus) (44becb3)
• implement premium frontend and cloud native logic (cilium, falco, kyverno, opa, react-hook-form, tanstack-table, styled-components, emotion, vanilla-extract, husky) (d74ebcb)
• implement rails toolchain logic (76fa9f7)
• implement react-native toolchain logic (9ce6233)
• implement security, CI/CD and frontend sector logic (vault, semgrep, checkov, mage, tanstack-query, zustand, appium, testcafe) (8556173)
• implement self-update logic for yarn and bun, and skip global npm self-update (6cfa4ac)
• implement sqlalchemy toolchain logic (1db42d8)
• implement testing sector logic (playwright, vitest, cypress) (e08c31d)
• implement typeorm toolchain logic (5828646)
• license: add license management targets to Makefile (cd1b2f2)
• license: apply SnowdreamTech license headers to all source files (3f0247a)
• license: expand extension coverage for full-stack & mobile (40a6e7c)
• license: integrate license check into pre-commit quality gate (098d317)
• make: add fix target for automated infrastructure maintenance (3d18acc)
• make: add project version and git branch to help output (ae163ca)
• make: display architecture and shell in help message (2704a33)
• migrate pnpm and yarn to corepack and enhance mise version detection (2ea9a62)
• optimize CI-only tools by moving to env-based management in .mise.toml and setup.sh (26fc295)
• release: enhance release.sh to support docs/package.json and lockfile sync (a43c8c2)
• scaffold: enhance init-project.sh into a full onboarding engine (454952b)
• scripts: prioritize native package managers for tool installation (b5134b4)
• security: disable buildx binary caching in goreleaser.yml (8ee9b8e)
• security: globally lock GitHub Actions to latest verified SHAs (193eb0c)
• security: implement artifact signing with cosign and SBOM auditing (df86f8f)
• security: implement binary artifact audit to prevent poisoning (73cd7b3)
• security: implement OpenSSF Scorecard for continuous security health monitoring (8c5015a)
• security: implement platinum-standard CI/CD supply chain hardening (d101fe4)
• security: implement PR dependency review shield (16fd84e)
• security: integrate CycloneDX SBOM generation into audit script (5e9598a)
• security: re-enable buildx with --oci-worker-no-cache (1ed6882)
• setup: add AI setup module (ee4af4e)
• setup: add base setup module (ecca380)
• setup: add CUE setup module (e7bdafb)
• setup: add Docker setup module (47af5fd)
• setup: add Docs setup module (249af53)
• setup: add dynamic Go registration for on-demand installation (391f79b)
• setup: add dynamic registration for rust, java, dotnet, zig, bun, deno (29b98be)
• setup: add dynamic registry hooks for infra/runner linters (tflint, tofu, just, task) (e0d29c8)
• setup: add dynamic registry hooks for ktlint, swiftformat, and swiftlint (08f67ab)
• setup: add dynamic registry hooks for kube-linter, spectral, and buf (ad9ec55)
• setup: add dynamic registry hooks for security scanners (trivy, osv, cargo-audit) (45b5cdb)
• setup: add global forced setup mode for explicitly requested modules (338b954)
• setup: add Markdown setup module (29fa348)
• setup: add missing dynamic registry maps for language-specific linters (a47f26e)
• setup: add missing modules and implement concurrency guard (0ecda76)
• setup: add OpenAPI setup module (ca75ffc)
• setup: add ormolu to haskell toolchain bridging pre-commit dependency gap (75f6d83)
• setup: add Protobuf setup module (363d820)
• setup: add retry mechanism for remote downloads referencing rule 01 (5b22b6d)
• setup: add Runner setup module (a083e61)
• setup: add scalafmt to scala toolchain bridging pre-commit dependency gap (276773d)
• setup: add Security setup module (e5981e5)
• setup: add Shell setup module (b734fc2)
• setup: add SQL setup module (0484b8c)
• setup: add Testing setup module (462da3a)
• setup: add TOML setup module (a3a475e)
• setup: add YAML setup module (d7d3a5b)
• setup: align tool installation with CI/CD specifications (dc743eb)
• setup: align tool installation with CI/CD specifications (b0c1681)
• setup: configure native mise jar fallback for google-java-format on unsupported architectures (b8ef4b9)
• setup: consolidate Node.js based tools in node.sh (9f1b460)
• setup: define missing setup_registry mappers for secondary pre-commit tools (7572144)
• setup: hook rubocop, google-java-format, stylua into global registry (a88f360)
• setup: implement dynamic tool registration and performance-first engine (a49e23d)
• setup: implement LEAN mode to skip heavyweight tools by default (4b71ace)
• setup: implement project-local lockfile concurrency guard (62546d5)
• setup: restore dynamic architecture fallback wrapper for google-java-format exclusively in java.sh (db010f2)
• toolchain: elevate Go to first-class citizen in mise.toml (d39a9da)
• versions: introduce versions.sh as Tier 2 SSoT; migrate grain.sh (b615a30)

Bug Fixes

• align editorconfig with gitattributes and unify line endings to LF (410d546)
• audit: add lockfile existence check before osv-scanner (f795bce)
• audit: correct GIT_CONFIG_PARAMETERS format for diff.renameLimit (f58eeea)
• audit: force zizmor offline mode in CI to prevent 403 abuse rate limits (50f7664)
• audit: remove gitleaks --verbose and suppress git rename warnings (9c0ed75)
• audit: restrict heavy scans to CI environment (b9e359c)
• audit: use absolute paths for tools and pass GITHUB_TOKEN to zizmor (fa43ae8)
• audit: use NPM_CONFIG_REGISTRY env var instead of hardcoded npmjs.org (981542c)
• audit: use official registry for pnpm audit; downgrade osv-scanner to warning (a039e9e)
• avoid GitHub API rate limits during mise tool registration (4c62a14)
• bootstrap: append PID to fallback temp directory for concurrent safety (b7a3642)
• bootstrap: skip installing 'usage' CLI on CI environments to prevent Windows hang (b47ee7e)
• build: resolve linter and verification test failures (8d96594)
• cd: remove redundant pnpm version in action-setup (829eb00)
• check-env: move CI-only guard before command -v in check_tool_version (4ae3803)
• check-env: resolve shellcheck version detection and pnpm alignment (6291eaf)
• check-env: use fully qualified mise tool keys for version lookups (8216590)
• chore: dynamically disable domestic mirrors in CI to prevent timeouts (ce1e7e2)
• ci: call zizmor via mise exec to resolve PATH issue (56ce57a)
• ci: correct trivy-action version tag to fix zizmor 403 limit and restore commit.sh error handling (667741f)
• ci: force zizmor offline mode for SARIF export (f661c65)
• ci: forward GITHUB_TOKEN at bootstrap and fix Bats on Windows (7b4c937)
• ci: improve markdown table formatting for dependabot summary (b3b9495)
• ci: increase MISE_FETCH_REMOTE_VERSIONS_TIMEOUT to 30s (c207e80)
• ci: make GITHUB_TOKEN rate limit check robust against DNS failures (4cf7d90)
• ci: optimize security tooling to avoid 403 API rate limits (5a5e0b3)
• ci: pin CodeQL action to verified underlying commit SHA (11cb79b)
• ci: rename commitlint.config.js to .cjs for ES module compatibility (ec7a59e)
• ci: update gh cli version to 2.66.1 and use mise x in Makefile (9f9977c)
• codeql: pin action to verified underlying commit SHA (422a8c6)
• common: get_mise_tool_version now falls back to VER_* env vars before 'latest' (99c25a0)
• common: increase run_mise timeout from 60s to 120s and handle exit code 124 (e299a6f)
• common: optimize GITHUB_TOKEN handling in run_mise for CI (4db707a)
• common: prioritize active mise versions in get_version to avoid dormant mismatches (d1af77d)
• common: resolve_bin returns robust executable paths and prevents 127 errors (e598805)
• docker: ensure entrypoint.d exclusion takes precedence in .dockerignore (a5144a2)
• docs: add package.json with vitepress dependency (67c80cb)
• docs: install dependencies before building VitePress (4541cf5)
• docs: skip dependency checks in dry-run mode (e8bf2cf)
• docs: use mise exec for vitepress build in pages workflow (9bac105)
• ensure FastAPI logic module is executable (7bb0c74)
• ensure pnpm availability in CI by managing it via mise and robustifying PATH augmentation (f93ca6b)
• git: prevent .gitignore from ignoring entrypoint.d directories (df6b4e6)
• ignore revision suffixes during tool version comparison to avoid false positives (be159eb)
• lint: allow CRLF line endings for Windows batch files (29a2194)
• lint: final project-wide quality alignment and version fixes (a51531b)
• lint: prevent silent failure in lint-wrapper and relax markdown formatting in editorconfig (b846ae8)
• lint: run zizmor pre-commit hook in offline mode (d1b07e2)
• mise: add zizmor to Tier1 (pre-commit hook invokes it directly) (0cf96c8)
• mise: correct broken tool versions and remove invalid asdf:move plugin (f288622)
• mise: prefix legacy tools with asdf: to resolve registry warnings (37f5b77)
• mise: remove url_replacements to restore GitHub download functionality (fcf0996)
• mise: replace asdf: plugins with cross-platform github: equivalents (9c76f98)
• mise: resolve TOML duplication and improve version lookup (2627226)
• mise: restore bats to Tier1; set COREPACK_INTEGRITY_KEYS=0 for Windows (472fb70)
• mise: unify non-core tools under asdf: provider prefix (ded0f88)
• mise: update google-java-format to v1.35.0 and refine asset matching (23ebf92)
• node: add DRY-RUN guard to install_vitepress, install_commitizen, install_stylelint (eb9b3b8)
• node: export COREPACK_INTEGRITY_KEYS=0 before corepack calls (a3d2caf)
• node: improve corepack resilience in CI with fallback to npm (5c9e544)
• orchestration: ensure CI-only tools have active mise shims (f7e5c63)
• orchestration: fallback to 'latest' for missing tool versions (f600aab)
• orchestration: restore environment compatibility for language scripts (c6a2d23)
• orchestration: robust namespaced tool resolution for CI (b2434ad)
• prevent mise shim errors during setup summary by using safer version checks (c6e1d98)
• release: bump pnpm to 10.30.3 in release-please workflow (c3dcf5e)
• release: fallback to secrets.PAT for release-please-action token (96d80af)
• release: use x-access-token for git push to satisfy zizmor (41fba83)
• remediate security audit failure by updating commitlint dependencies (a3c8d9e)
• resolve editorconfig-checker binary name mismatch via symlink (49778be)
• resolve lockfile coexistence and CI audit path issue (re-implementation on dev) (c53eecb)
• resolve lockfile coexistence by prioritizing lockfiles in detection (cb671ad)
• rules: replace file:// relative links with standard markdown links in shell.md (3c88e8f)
• scorecard: pin action to verified underlying commit SHA (5f6a357)
• script: ensure idempotency for pipx installation in setup.sh (ab06718)
• script: ensure proxy fallback and safe version matching in common.sh (c43f2ef)
• script: ensure shfmt covers all nested shell scripts in format.sh (1fa5e0a)
• script: null-parameter hardening in check-env.sh (35fb367)
• script: prevent perl regex crash when replacing paths with slashes (3761c35)
• scripts: add fault-tolerance to resolve_bin assignments to prevent set -e crashes (49be60a)
• scripts: add missing set -e to lint-wrapper.sh (7cd20c8)
• scripts: only match files in has_lang_files to avoid false positives on directories (934f9de)
• scripts: prevent install_pre_commit from executing and logging twice (cfc090b)
• scripts: refactor mktemp lifecycles with global traps to prevent tmpdir leaks (76f5060)
• scripts: remove redundant run_with_timeout for run_mise calls (d096afe)
• scripts: resolve false-positive setup warnings for Go, Pipx, and Shellcheck (68d7af0)
• scripts: resolve missing llvm version stopping c/c++ toolchain setup (9df2462)
• scripts: resolve unknown module errors by synchronizing setup mappings (96f094f)
• scripts: robust version detection for mocks and system tools (3c6055e)
• script: suppress SC2086 shellcheck warning for unquoted NPM audit registry arg (81bbd94)
• security: achieve 100% harden-runner coverage across all workflows (9fdd8f3)
• security: complete universal egress sync and bootstrap hardening (1f7aea5)
• security: disable GHA credential persistence to resolve zizmor findings (2f255b5)
• security: expand container registry whitelist for harden-runner (a389e2d)
• security: extend mise.lock with Windows-x64 checksums for full cross-platform security (8da506e)
• security: finalize comprehensive container registry whitelist (3ffd2d6)
• security: finalize global SHA-1 pinning for all 16 workflows (2a14204)
• security: finalize SHA-1 pinning sweep for ci.yml (0154a7e)
• security: formalize mise toolchain integrity standards (fcc6026)
• security: globally harmonize platinum-standard egress whitelists (38f583c)
• security: implement fail-safe offline fallback for zizmor and fix binary scan logic (35a0cd7)
• security: implement MISE_LOCKED to prevent toolchain poisoning (3aca5fa)
• security: implement mise.lock for cryptographic toolchain integrity (14515fe)
• security: implement robust stealth binary detection in audit engine (1c0f20d)
• security: pin all CI actions to immutable SHA-1 hashes (bf7b42d)
• security: pin CD and Release actions to immutable SHA-1 hashes (86881c2)
• security: pin mise-action to immutable SHA-1 hash (239ad6c)
• security: prune broad cloud wildcards from egress whitelist (4ff0cb9)
• security: reach 100% universal platinum-standard egress sync (1917d82)
• security: remediate zizmor finding and fix audit script (b847843)
• security: resolve esbuild vulnerability (GHSA-67mh-4wv8-2f99) (e971dca)
• security: resolve literal newline artifact in scorecard.yml (4b6a3af)
• security: resolve Scorecard imposter commit error (88e8bed)
• security: resolve Scorecard Pinned-Dependencies and Token-Permissions warnings (d5238a6)
• security: resolve syntax error in audit engine (c222674)
• security: robustify zizmor token handling and binary audit logic (2a327aa)
• security: universally synchronize egress whitelists with perfect formatting (6ce96d8)
• security: universally synchronize language repo whitelists (e4b39ed)
• security: widen egress whitelists for multi-distro linux support (99dba63)
• setup/java,kotlin: add fast-path version checks to install_java_lint and install_ktlint (656478c)
• setup/security: add CI-only guards to osv-scanner, trivy, cargo-audit (680e36f)
• setup: avoid hang on interruption and show progress for large installs (1b09c61)
• setup: avoid unsetting valid github tokens on network timeouts (9e5dde4)
• setup: correctly source modules in install.sh and fix k8s mapping (62546d5)
• setup: eliminate redundant installs with prefix matching and caching (4e20246)
• setup: ensure dry-run reports planned actions even if silent fast-path is active (0cf8f66)
• setup: expand HEAVY_MODULES skip list for local dev mode (0bc150b)
• setup: guard command -v in get_version to handle missing tools (15beebb)
• setup: implement command timeouts and session-level caching to prevent infinite hangs (e822901)
• setup: resolve mise warnings, missing dependencies, and performance bottlenecks (1e80d7b)
• setup: resolve two root causes of make setup stalling (a37b8ca)
• setup: skip go/rust runtime detection unless project files exist (0ac8315)
• setup: skip google-java-format on linux/arm64 due to missing prebuilt binary (8b5c055)
• setup: use exact key matching in get_version to prevent false matches (e0993fc)
• shell: add DRY-RUN guard to install_shfmt and install_shellcheck (ab97ddd)
• skip heavy linting tools locally and refine resolve_bin for hollow shims (bd07483)
• test: auto-install bats vendor libraries when missing (30d7097)
• test: optimize setup dry-run and correct pre-commit tags (c4578fa)
• test: relocate bats vendor to tests/vendor and fix load paths (20e9f69)
• test: respect ENABLE_GITHUB_PROXY to prevent proxy timeouts in CI (a912165)
• test: update lifecycle.bats grep patterns to match table output (608ee76)
• test: use GITHUB_PROXY and retry for bats vendor library clones (208a104)
• unify prettier configuration and stabilize formatters (81ca044)
• use cross-platform temp path and OS detection for token cache (a787d48)

Performance Improvements

• ci: cache mise binary in lint workflow (b8e9917)
• ci: cache mise binary in pages workflow (b52535f)
• ci: cache mise binary in test workflow (6333d0b)
• ci: cache mise binary in verify workflow (baacd48)
• ci: enforce offline mode for environment health checks (2b95934)
• ci: implement advanced caching and offline modes (bce1aa0)
• ci: implement advanced caching and offline modes (3faa417)
• ci: implement incremental gitleaks scanning for PRs (b3852c2)
• disable mise plugin auto-updates and remote version fetching (e50ec33)
• ensure 100% silent setup by making commitlint guard robust (80e72a9)
• extend silent fast-path guards to all remaining binary tools (14e398b)
• fix version mismatches for pipx and npm tools in setup guards (3c71f1e)
• implement audit mode for comprehensive environment health checks (43ab8a8)
• implement mise state caching and fast-path guards for core tools and runtimes (71183f6)
• implement mise state caching and fast-path guards for core tools and runtimes (a20c84e)
• license: switch to incremental check in pre-commit (fc4a166)
• mise: remove unused asdf runtimes for a leaner setup (62546d5)
• reduce GitHub API requests with mise update check and token cache (f7cbe25)
• resolve duplicate commitlint function and finalize silent setup (92e2759)
• script: optimize find -exec rm efficiently with + (5d60a0b)
• setup: add run_with_timeout helper and apply to security/helm modules (4b71ace)
• setup: optimize finds and get_version for faster initialization (62546d5)
• setup: optimize get_version using mise cache for installed tools (56eaadd)
• setup: optimize has_lang_files find by pruning AI/IDE hidden dirs (3b86a01)
• silence final binary tools and align version drift (95b8d1c)
• toolchain: optimize pnpm installation via npm registry (6179f8d)

---

This PR was generated with Release Please. See documentation.