Changelog

What’s new in Valinor

Valinor is self-enforcing engineering discipline for agentic development — rubric-driven PR review, CI gates, and continuous audit. This is the running log of what each release brings to the teams adopting it.

1.2.0

Design craft gets the same teeth as code. Four new standards govern your UI — design tokens, interaction states, visual baselines, and the judgment layer — and each found real defects on our own site the day it shipped. Plus the fixes from the first full consumer adoption run.

Improvements

  • A visual change can no longer slip past review unnoticed. Opt in with design.visualBaseline.enabled: true and every PR diffs your declared pages against committed baseline screenshots — an intended change re-records the baseline, with the why, in the same PR.
  • Every state of your UI is now someone's job. Declare design.interactionStates and valinor interaction-states-check fails CI on a light token with no dark twin, animation that ignores prefers-reduced-motion, or a hover state with no keyboard equivalent.
  • Your agents now design against the masters' bar. The new design-direction standard pins a ten-principle corpus, reviews every UI diff with the design-craft rule, and ships the valinor-design-loop skill — draft, screenshot, critique, revise until it passes.
  • Your design system now has a deterministic gate. Declare your tokens and valinor design-tokens-check asserts token-resolved colors, a sane type scale, WCAG-AA contrast (integrity-floored), the 4px spacing grid, and a 150–400ms motion envelope.

1.1.0

Your governance now shows its work. Every gate run feeds a live score-over-time view with zero setup, performance budgets become a real CI gate, and the workspace /audit page opens with whole-fleet health at a glance. Rounded out by a wave of fixes from real adoption runs.

Improvements

  • Gate-event telemetry is live by default — and introduces itself. Anonymous gate_run events power the score-over-time view with zero setup; your first interactive run prints the telemetry.* dials and the universal DO_NOT_TRACK opt-out.
  • Performance budgets on your live pages are now a real CI gate. Declare performance: { enabled: true, urls: [...] } and a zero-secret workflow measures them with Lighthouse and fails CI on a miss — an honestly-recorded baseline warns as dated debt instead.
  • The reusable gates.yml workflow runs on the public zero-auth launcher. It resolves @theappagency/valinor@^1, so it needs no npm auth on your runner.
  • The scheduled agent-dispatch now actually runs — and needs no Anthropic key. A scaffold bug invalidated the whole workflow file (re-run valinor init to fix it), and runs now acquire their key zero-secret via the Valinor broker — your own ANTHROPIC_API_KEY still wins.
  • The doc-freshness gate stops flagging plain English as dead CLI commands. The dead-reference check now reads only backticked commands and fenced code blocks, leaving your prose alone.
  • Your workspace's /audit page opens with whole-fleet health at a glance. Repos meeting the bar, the median grade, the biggest mover, a plain-prose digest, and one median trend line — repos with no audit yet counted honestly, never shown as errors.
  • Release notes you can scan in seconds. Every CHANGELOG bullet, RELEASES highlight, and changelog-site lead now has a written length budget, enforced by the tools that generate and review them.
  • Your audit trend can tell a richer story — opt in to labeled AI enrichment. Set narrative: { enrichment: enabled } and clearly-labeled advisory prose (never a finding, a path, or a snippet) layers over the deterministic story on your /audit page.
  • The typed Greptile verdict path works headlessly now. Score and review-wait reads reach Greptile's real API from CI, including the typed confidence score — fewer comment-scrape fallbacks, more authoritative merge-gate verdicts.

1.0.0

Valinor is 1.0. Any repo, in any supported stack, can adopt Valinor with one command and zero secrets — npx @theappagency/valinor init — and real production repos run their gates green on that path today. From here, 1.x means your configs and workflows keep working.

Improvements

  • Running Valinor needs zero setup — no tokens, no .npmrc, no secrets. The public launcher fetches a SHA-256-verified bundle from Valinor's own endpoint, every scaffolded workflow now runs on it, and a valinor init re-run migrates old workflows automatically.
  • Every workspace gets its own private site at <workspace>.valinorci.com. Behind a workspace password: a merged multi-repo changelog, a repo orientation page, and the /audit score-trend page — one shell with dark mode, data refreshed hourly.
  • Putting a workspace live is one command — valinor register-workspace (Camber-admin). It mints the password, registers the tenant and repos, adds the subdomain, prints the one DNS record to add, and verifies every write by reading it back.
  • Audit grades publish themselves — and tell their story. The scheduled dispatch keeps the grade-only ledger on a valinor/score-ledger data branch your /audit page reads, and every recorded grade carries a deterministic plain-language narrative of what moved and why.
  • valinorci.com is one redesigned site on one domain. The landing page, /docs, and /changelog now share one design system and navigation, every old subdomain URL redirects 1:1, and the RSS feed and dark mode carry over.
  • The standing Release PR works on every stack. It rolls your repo's real version source — composer.json, pyproject.toml, a Gradle versionName, a *.podspec, or tag-is-the-version for Swift — and stays a quiet draft until you mark it ready to cut.
  • Greptile reviews wait for green. Opt in with review-trigger: { enabled: true } and the canonical workflow posts the review trigger only once your PR's entire combined check state is green — exactly once per commit, zero secrets, never a deadlock.
  • The weekly config-drift sweep stops crying wolf about your review count. Drift checks honor the count your branch-protection.json declares, init scaffolds the pair consistent, and any disagreement prints a loud note — never a silent override.
  • Governance "concerns" are now called "standards." Your dials, CLI invocations, and gate names never carried the old word, and every stored artifact written under it keeps loading — a backlog finding keeps its identity across the rename.
  • The doctrine moves to v1.21.0. Agents now fix review findings the moment a review lands (only merges serialize) and maintain maximum collision-free parallelization (v1.20.0) — an idle lane is a defect; repos pick both up on the next valinor init re-run.
  • The token broker is live. Your CI presents GitHub's short-lived identity token and gets back a repo-scoped, permission-scoped, self-expiring Valinor token — nothing to create, nothing to leak, nothing to rotate.
  • Re-running valinor init reconciles early-adopter residue — loudly, never touching what's yours. It keeps your required-check job name, names any gate dial below today's warn defaults with the one-line fix, and audits now report by default.
  • valinor init hands your agents their toolbelt. It prints stack-specific npx skills find recommendations and bridges your repo's own skills/valinor-* into .claude/skills/ — one /skills away in every session.
  • Audit grades divide by production code only (formula v4). Test code is measured separately (testKlocs), so a big test suite no longer waters down the score — expect honest drops; audit-record --regrade migrates a stored audit.
  • A wave of fixes from real adoption runs. Stack detection has one brain (init and the audit can't disagree), valinor audit-record lands the score in the target repo from anywhere, and six init sharp edges around default branches, check names, and credentials are gone.

0.9.0

Valinor's stack matrix fills out. PHP/Laravel, Python, Kotlin/Android, Swift/iOS, React Native, and Rails are now fully supported, six deploy targets are verified to have actually landed, and audit grades get two honesty corrections.

Improvements

  • Six stacks are now fully supported. Run valinor init on a PHP/Laravel, Python, Rails, Kotlin/Android, Swift/iOS, or React Native repo and it just works — auto-detection, the right CI runtime, live dependency audits, and real per-language KLOC in the repo audit.
  • Deploys are verified to have actually landed — on six more targets. Railway, Heroku, AWS, Google Play, App Store Connect, and EAS jobs re-read the live platform and assert your exact commit is serving; what a platform can't attest is declared loudly, never assumed green.
  • Audit grades get two honesty corrections (formulas v2 + v3). Every finding now maps to a sub-score and weighs by its real occurrence count — 53 vulnerabilities can no longer hide inside 2 findings; inflated grades drop, and audit-record --regrade migrates stored audits.
  • Releases understand a Swift package's version IS its git tag. valinor release rolls your CHANGELOG and notes, skips the manifest edit with a printed note, and lets the tag carry the version.
  • Valinor tells you when it breaks — and lets you measure your gates. Two strictly-advisory telemetry channels: privacy-whitelisted crash reports and gate_run events to your own PostHog key — DO_NOT_TRACK silences both, a failing send never breaks a build.
  • Govern a whole folder of repos at once. valinor init-workspace adopts Valinor across every git checkout under a directory, and doctrine-check-all / audit-all sweep them with honest rollups — an ungoverned repo can't hide inside a green workspace.
  • check-dependency-health works in a local working tree. When CI's report files are absent and you're not in CI, the gate runs npm audit --json itself, per manifest — the same verdict CI would give.
  • Gates no longer crash on broken symlinks. audit-data, doc-freshness, docs-coverage, and site-freshness now skip dangling symlinks (fresh CocoaPods clones) instead of crashing on ENOENT.
  • valinor init sets up ~/.npmrc for you. It probes your gh token for read:packages and writes the registry + auth lines itself — the most common first-install failure, gone; re-runs are a no-op.
  • The doctrine block always lands at the top of your AGENTS.md / CLAUDE.md. init moves a drifted block to the top on every run, and a doctrine-check position guard enforces it.
  • The Capabilities page is cleaner — and eight governance IDs are renamed for clarity. Meta checks collapse into their own section, each row shows one posture pill, and renamed doc-freshness/docs-coverage dials auto-migrate on a valinor init re-run.
  • The valinor audit launcher's printed instructions work end-to-end. audit-show valinor-audit now resolves to the bundled orchestrator skill.

0.8.1

Valinor now installs and runs cleanly on every repo. v0.8.0 shipped broken for installers — any command crashed on a missing build-only typescript. This release fixes it and hardens the release pipeline so the class can never publish again.

Improvements

  • The v0.8.0 installer crash is fixed — and the class can't publish again. typescript now loads only for the one feature needing it, and the release pipeline packs and runs the package in a clean dependency-free install before publishing — a broken build fails the release.

0.8.0

Your governance grows a memory and a canary. The audit now tracks each finding across runs, a scheduled conformance canary catches your deployed API the moment it stops matching its spec, and a new Capabilities page doubles as an interactive governance.config.yml builder.

Improvements

  • A new Capabilities page shows everything Valinor does to your repo. Every gate is a collapsible row generated from Valinor's own registry; dial each Off · Advisory · Enforced and copy the resulting governance.config.yml — at /docs/capabilities.
  • A scheduled canary catches your deployed API the moment it breaks its spec. Opt in with api.liveConformance: { enabled: true } and a read-only check verifies live responses against your committed spec — conform, breach, or a loud couldn't-check, never a silent green.
  • Your audit now has a memory. valinor audit-reconcile tracks each finding as new → still-open → resolved → reopened, ranks the backlog by severity × ease × age, and remembers your accepted/false-positive triage — privacy-safe by construction.
  • The doc-freshness gate stops false-flagging forward-looking plans. A file a docs/plans/ or docs/research/ entry names before it exists is no longer reported as a dead reference.
  • Your scheduled agent loop has a budget — and a brake. Every run records its spend to a committed ledger, a per-run cap stops a runaway, and a monthly agent-dispatch.budget circuit-breaker skips runs once spend hits the cap — failing safe, never spending blind.
  • Valinor runs its own scheduled agent-dispatch — consumer #0 of the cron'd agent it ships. A weekly headless run turns a due release into an opened PR and anything riskier into a filed issue — never a merge, never a push to main.
  • The release loop can't open a spurious empty Release PR — and verifies it actually published. A cut with nothing in [Unreleased] refuses to roll, and the publish installs the just-published package back and runs it — a broken publish fails loudly.

0.7.0

The 5/5 merge bar reaches your repo. The strict "5/5 or it doesn't merge" score gate now propagates to every governed repo, valinor init scaffolds a release pipeline and a config-drift sweep, and the new valinor cadence command tells you when a release is due.

Improvements

  • The strict 5/5-or-no-merge rule is enforced on YOUR repo. valinor init scaffolds a zero-secret workflow that posts a greptile-score-verify status — green at 5/5, red below, failing closed — reading the score only from the reviewer's own attributed comments.
  • Non-JavaScript repos are checked where they were silently waved through. Repo hygiene knows each stack's build artifacts, three AI-review rules now read non-JS tests, UI, and types, and init installs the vulnerability scanner for Python and Kotlin.
  • One command tells you when a release is due. valinor cadence rolls every overdue standing obligation — release cadence, dated tool re-checks, the standing sweeps — into one advisory summary with a loud OVERDUE headline.
  • Valinor can act on what's overdue. An opt-in scheduled agent turns a due release into an opened PR and anything riskier into a filed issue — inside a hard safety boundary that never merges, never pushes to main, and is cost-capped.
  • Changelog and marketing copy now ship draft-then-review. The writing-quality standard records a two-step pipeline — draft with a copywriting skill, QA with a copy-editing pass — keeping the command names and config keys that make dev-tool notes credible.
  • A release can no longer publish a "fill me in" placeholder on your changelog site. The cut derives a real, publishable headline from the release's own highlights — sharpen it later if you like, but deploy is never blocked on it.
  • Cutting releases is turnkey on YOUR repo. valinor init scaffolds a standing Release PR pipeline that tags, verifies, and optionally publishes with a post-publish install-back proof — zero secrets, on a protected main, per-stack publish steps included.
  • Valinor watches your repo's GitHub settings for drift on a schedule. A scaffolded weekly sweep diffs live branch protection and repo settings against your declared baseline on the built-in token — admin-locked fields read ⚠ UNVERIFIABLE, never pretended green.

0.6.0

Rails joins the governed stacks — and your reviewer reads finished work. The merge gate now holds every PR in draft until its quality gates pass, and Valinor continuously re-proves its own review rules still fire — the governance you adopt can't silently rot.

Improvements

  • Your PRs stay in draft until they're ready for review. A scaffolded workflow marks a PR ready the moment its pre-review checks go green (merge-gate.pre-review-checks) — fail-open, and it never yanks a PR back to draft.
  • Valinor continuously proves its AI-review rules still fire. On a schedule each rule is re-run against a known-bad and a clean example; a stale verification turns the gate red, so the rules you inherit are proven to fire.
  • Agents orient before they work (doctrine v1.18.0). Before exploring or planning, an agent must fetch, confirm its branch, and check its standing against origin/main — never researching against a stale checkout.
  • Ruby on Rails is a documented, selectable stack — audited for real. valinor init --stack rails provisions the Ruby runtime and the gem vulnerability scanner, a missing scanner fails loudly, and Heroku/Railway deploy verification is documented.
  • Cutting a release is push-button again. The roll projects the new release onto your changelog site automatically, and the Release PR's CI checks now fire (its push uses Valinor's GitHub App) — merging the Release PR is the whole release.
  • The setup docs name the one manual Greptile step. Install the App and activate your repo for review — the rest is Greptile's own defaults plus the single re-review opt-in valinor init already configures.

0.5.0

A stack-reach release. Valinor's enforcement now works across your real stack — PHP/Laravel, Swift, Kotlin, React Native, and Python, not just npm and Node — and a new standard keeps your API spec honest against your code.

Improvements

  • Enforcement works across your real stack. Dependency health audits Composer, pip/Poetry/uv, SwiftPM, Gradle, and Maven; valinor init scaffolds per-stack CI; and where a stack has no tool, Valinor reports UNVERIFIABLE loudly instead of a false all-clear.
  • A new standard keeps your API spec tracked against your implementation. The opt-in spec-contract gate verifies your OpenAPI/GraphQL/protobuf spec still matches what your code produces — a clean no-op for a repo with no API.
  • Security review is current — OWASP Top 10:2025. Dependency risk reframes as Software Supply Chain Failures, Security Misconfiguration gains coverage, and every versioned external standard now carries a verify-by date so it can't silently age.
  • Releases and deploys are verified to have actually landed. A published package is installed back to confirm it resolves and runs; each deployed site is confirmed live, by commit, after it ships.
  • Copy-ready starters for all three client surfaces. License-clean Next.js scaffolds for a help center and a changelog join the API-docs template — stand up a surface from a working base, not a blank page.
  • The help center leads with how Valinor levels up your agent. A new agent-governance page tells the under-told story: adopting Valinor hands every agent a disciplined methodology, not just code gates.
  • The doctrine moves to v1.17.0, threading stack-agnosticism, spec-contract, deploy verification, and OWASP-2025 into the always-on methodology your agents read.

0.4.0

A governance-hardening release. The release flow becomes a true one-click Release PR on a locked-down main, your compliance posture gains an auditor-readable evidence trail, and the doctrine moves to v1.14.0 — every "manual" promise now backed by a gate.

Improvements

  • Cutting a release is a true one-click PR — on a locked-down main. A standing Release PR carries the whole roll (version, changelog, notes, lockfile); merging it is the release, with only the version tag pushed after.
  • Valinor generates the compliance evidence an auditor asks for. valinor sbom produces a CycloneDX SBOM and valinor compliance-evidence maps your live controls onto SOC 2, ISO 27001, NIST-SSDF, and the EU CRA — evidence, never attestation.
  • Valinor checks your product ships the legal documents its nature needs. The compliance-check gate flags a missing or incomplete privacy policy or ToS however you ship it, and valinor compliance-seed drops a starter — never legal advice.
  • Dependency health and repo hygiene cover your whole repo. Every tracked manifest is audited uniformly, a secret scanner (gitleaks) sweeps the repo and its git history, and valinor remote-hygiene flags stale branches and abandoned PRs.
  • Adopting Valinor on an existing repo catches contradicting settings. The opt-in reconcile-check gate surfaces brownfield priors that fight the methodology — each one a decision you make, with the non-negotiable invariants unwaivable.
  • Two more Definition-of-DONE promises get real gates. backwards-compat fails any change that would break an adopted repo's public surface, and logging-presence reviews whether your significant operations are actually observable.
  • Valinor reviews whether your client-facing prose is well-written. The editorial-quality standard holds your help center to Diátaxis, your CLI docs to the Google developer style, and your changelog to benefit-framed copy.
  • The doctrine moves to v1.14.0. Every shipped promise now points at its real gate, dependencies must be resolved to their live latest before adoption, and releasing is reframed two-tier around the standing Release PR.
  • Plus several smaller improvements — the audit sweeps deployed sub-projects, a new valinor-roadmapping skill generates next-best work from repo signals, integrity-class gates are code-floored to blocking, and Valinor audited itself and fixed what it found.

0.3.0

Releasing is now one command and your release event is verified end-to-end, two new governance standards keep your committed tree tidy and your shipped workflow templates from rotting, and an agent adopting Valinor on your repo is walked through every opt-in decision deliberately.

Improvements

  • Cutting a release is one command — and verified consistent. valinor release --minor rolls version, changelog, and notes in one transaction, and the new release-integrity standard's valinor release-check gate proves version, changelog, notes, and tag agree.
  • A new gate keeps your committed repo tidy. The on-by-default repo-hygiene standard flags tracked build output, dependency folders, OS clutter, real .env secrets, and oversized files — and confirms your .gitignore covers your stack.
  • Shipped workflow templates can't silently rot. The opt-in check-workflow-templates gate verifies every bundled template parses, carries a well-formed header, and references only real commands.
  • valinor audit-report turns a finished audit into a shareable report. One command renders the graded run as clean Markdown or a self-contained HTML page — deterministic, so it can never disagree with the evidence behind it.
  • An adopting agent is walked through every opt-in decision. valinor init ends with a capabilities summary, the valinor onboard wizard flips them on, and the bundled valinor-onboard skill is the agent counterpart — all reading one authoritative list.
  • Re-running valinor init keeps your config current. It additively weaves missing gates at their intended defaults while leaving every dial, value, and comment you wrote untouched.

0.2.3

Valinor now governs whether your repo stands up the right client-facing surfaces — not just whether the ones you have stay fresh. It also ships two new agent procedures and a one-command audit launcher, and weaves its governance into the files you already have.

Improvements

  • Valinor governs whether your repo carries the right client-facing surfaces (doctrine v1.12.0). Declare a surfaces: block and the opt-in surface-provisioning gate flags a warranted surface you haven't built — never blocking a CLI app over a missing API site.
  • Your agent can ask Valinor how to plan and how to build. Two bundled action skills — valinor-planning and valinor-execution — are runnable, version-locked procedures; discover them with npx valinor action-list.
  • Kicking off a whole-repo audit is one command. valinor audit prints the applicable checks, the measured inventory, and the orchestration instructions — read-only, never printing a line of your source.
  • The audit measures your codebase instead of taking it on trust. valinor audit-data prints a deterministic inventory — stack, packages, in-scope files, real line counts — so the grade computes from reproducible facts.
  • valinor init merges into the .greptile/config.json or claims.yml you already have. It weaves by id, preserving everything you added and refreshing Valinor's entries — adopting on an existing repo no longer leaves you half-governed.
  • Adoption prerequisites are spelled out honestly, everywhere you'd look. The README, the help center's Prerequisites page, and the FAQ now state plainly what Greptile review requires; the authoritative contract is the Prerequisites guide.
  • The site-freshness discipline is a complete, opt-in standard. The rubric, the deterministic gate, and a whole-repo audit skill ship together — run the same valinor site-freshness gate against your own sites.
  • Valinor's own sites are healthier — and right-sized. The help center and changelog moved under one sites/ folder on current Next.js with green deploys; the standalone API-reference site retired (Valinor has no programmatic API).

0.2.2

The scaffolded gates workflow now works out-of-the-box for consumer repos in any GitHub org — the Distribution-v2 cross-org auth lands cleanly.

Improvements

  • Cross-org GitHub Packages auth is fixed. The scaffolded workflow mints its App token against the cmbrcreative org, so a consumer repo in any org can pull @cmbrcreative/valinor.
  • Repositioned as "self-enforcing engineering discipline for agentic development." Rubric-driven PR review, CI gates, and continuous audit — the same ones Valinor enforces on itself.

0.2.1

Valinor is now installable as @cmbrcreative/valinor — the npm scope matches the GitHub org, and the GitHub Packages publish actually lands.

Improvements

  • Installable as @cmbrcreative/valinor from 0.2.1 forward. GitHub Packages requires the npm scope to map to a real GitHub org, so the package is renamed to match.

0.2.0

Valinor moves its publish target to GitHub Packages, and valinor init scaffolds a workflow that works for Camber consumers with no manual fixes.

Improvements

  • Publishes to GitHub Packages. The auto-injected token does the publish — no per-repo NPM_TOKEN to provision.
  • valinor init scaffolds a consumer-correct workflow out of the box. It pulls the published CLI from GitHub Packages (~5× faster CI), derives blocking behaviour from your adoption.mode, and degrades to a warning on a missing credential.

0.1.0 — Foundation

The first cut of Valinor as a layered, CI-native quality-governance product you can put on a Camber repo. Valinor is consumer #0 of its own gates — this repository is governed by the very claims, rubrics, and workflows it ships.

What you can do at 0.1.0

  • Declare your quality bar as code, and enforce it in CI. Write verifiable claims about your repo in claims.yml and let valinor claims-verify fail CI closed on any drift — sub-second, offline-safe file/grep/token checks.
  • Govern branch protection and repo settings as code — keep branch-protection.json and governance.config.yml in the repo and diff them against live GitHub, so the standard travels with the code.
  • Add an LLM-review rubric suite — a repo-versioned .greptile/ library of custom review rules (silent-failure, PII-in-logs, type-design, test-quality, comment-accuracy, doc-completeness, change-narrative), each with a documented dossier.
  • Run a whole-repo Codebase Audit — a composable skill system applies the rubric suite across an existing codebase and produces a graded (A–E), severity-weighted, honesty-disclosed report.
  • Adopt across greenfield → deep-legacy without red CI on day one — a maturity-aware onboarding dial plus a baseline engine grandfather a repo's pre-existing debt and enforce on new code only.