All notable changes to qctx are documented here. Format follows Keep a Changelog; the project follows Semantic Versioning.
0.1.0 — 2026-05-19
Initial release. Single static Go binary that gathers SonarQube + Nexus IQ + GitLab MR/pipeline context for AI-driven fix workflows.
qctx fetch— live JSON bundle to stdout for interactive AI agents.qctx snapshot --out PATH.jsonl— JSONL artifact for GitLab pipeline jobs (type-discriminated records:meta,sonar.issue,sonar.hotspot,sonar.measure,sonar.quality_gate,nexus.violation,gitlab.mr,gitlab.mr.diff_summary,gitlab.mr.discussion,gitlab.pipeline,gitlab.job,error).qctx version— print version banner with build-timeVersion/Commit/Datefrom ldflags.- SonarQube client: paginated
/api/issues/searchand/api/hotspots/search,/api/measures/component,/api/qualitygates/project_status, in-memory rule-description cache. - GitLab client: MR meta + diff summary + discussions, MR pipelines, jobs, job-trace tail (Range bytes=-N).
- Auto-discovery: scrapes pipeline job traces for
-Dsonar.projectKey=…orsonar.projectKey=…so users do not have to re-configure the project key the pipeline already declares. - Nexus IQ JSON reader: parses policy-evaluation results into normalized
model.Violation(component coords, CVEs, threat level, remediationtoVersion, waiver status). - Enterprise-first networking: per-source
--{sonar,gitlab}-url(and env vars) with no public-cloud defaults;--ca-certadds to the system trust pool;--insecurefor dev (stderr warning every run);HTTP_PROXY/HTTPS_PROXY/NO_PROXYhonored; repeatable--header 'Name: value'for SSO proxies;--{sonar,gitlab}-token-filefor CI secret-file mounts. - Filters:
--severity(repeatable),--type(repeatable),--branch,--all,--include-resolved,--no-sonar/--no-gitlab/--no-nexus/--no-mr/--no-pipeline. - Partial-success policy: one source's failure does not abort the whole run; per-source
source_statusand error records are emitted.--strictopts into all-or-nothing. Secrettype redacts tokens in logs and%vformatting.--log-level LEVELCLI flag (debug/info/warn/error); also honorsQCTX_LOG_LEVELenv var.--config PATHCLI flag to point at a specific config YAML; overrides$QCTX_CONFIGand~/.qctx.yaml.- Make targets:
doctor(verify required + optional tools),help(auto-extracted target index),cover-check(per-package ≥80% coverage gate, wired intomake ci). - GoReleaser config: linux/darwin/windows × amd64/arm64 tarballs/zip + checksums + distroless Docker image.
- GitHub Actions workflows:
ci.yml(lint → test + cover-check → build → e2e → release on tag),security.yml(gosec, govulncheck, Trivy),sonar.yml(SonarCloud scan with Go coverage). - GitLab CI pipeline (
.gitlab-ci.yml): lint → test+cover → build → e2e → release-on-tag.
gosecclean;--insecurewarns every run; tokens are wrapped in a redactingSecrettype.- GitHub Code Scanning enabled (default setup runs CodeQL); SARIF uploads from gosec and Trivy land on the Security tab.
README.md— install, both modes, filters table, JSONL schema overview, auto-discovery, links to enterprise docs, for-the-badge build/Sonar/coverage/license/release badges.CONTRIBUTING.md— build, test, commit conventions, enterprise-host policy, ADR pointers.SECURITY.md— supported versions, reporting, threat model.docs/enterprise.md— custom URLs, CA bundles, proxy, SSO header injection,--insecure,--config,--log-level.docs/examples/gitlab-ci.yml— drop-in pipeline job for downstream projects.docs/examples/docker-run.sh— Docker invocation against self-hosted Sonar/GitLab with corporate CA.docs/adr/— ADRs 0001–0007: JSONL schema, enterprise networking, partial-success policy,Secrettype, cobra CLI framework, JSONL byte-stitching, retryablehttp choice.docs/superpowers/specs/2026-05-19-qctx-design.md— full design spec.docs/superpowers/plans/2026-05-19-qctx.md— 36-task implementation plan.