Skip to content

Release candidate preflight

Source 0.1.33 retains the release evidence ledger introduced in 0.1.21 before promotion to 1.0.0-rc.1. Its purpose is to prevent a version from being labelled as a candidate on the basis of a partial local build only.

Controlled boundaries

The preflight covers four independent categories:

  1. the Bun lockfile exactly matches the direct dependencies in package.json;
  2. the twelve Playwright baselines referenced by the tests are present and hashed;
  3. the npm tarball, its manifest and SHA-256 match the source version;
  4. the manual accessibility and artifact review is complete.

The canonical plan is stored in:

txt
release/rc-plan.json

The manual review is recorded in:

txt
release/manual-accessibility-review.json

Both files belong to the complete development archive and are excluded from the npm package.

Verify the lockfile

bash
bun run lockfile:check

This check compares the dependencies and devDependencies groups from package.json with the root workspace in bun.lock, then verifies that every direct dependency has a resolved package entry.

After any dependency change:

bash
bun install
bun run lockfile:check
bun install --frozen-lockfile

Do not hand-edit package resolutions. The lockfile diff must be produced by Bun and reviewed before commit.

Prepare the manual review

In release/manual-accessibility-review.json, use a generic role rather than a personal name, for example qa-accessibility-reviewer. The review covers at least:

  • keyboard-only navigation;
  • browser zoom at 200%;
  • reflow at 320 CSS pixels;
  • NVDA with Chromium;
  • custom-theme contrast;
  • inspection of the tarball, manifest and bundle reports.

Each check must be passed, or exceptionally not-applicable with a justification in notes. The overall outcome must be passed, and reviewedSourceVersion must match package.json.

Generate the evidence ledger

After the quality gate, browser tests and package creation:

bash
bun run pack:artifact
bun run release:evidence:create

The following file is generated:

txt
.artifacts/release-candidate-evidence.json

It contains SHA-256 hashes for package.json, bun.lock, the public API manifest, the RC plan and the manual review, plus hashes for screenshots and the npm tarball. GitHub Actions metadata is included when available.

Generation does not claim that the release is ready. It emits status: "blocked" while prerequisites are missing and lists every blocker.

Strict verification

bash
bun run release:evidence:verify

The command fails if sources, screenshots or the package changed after evidence generation, if the lockfile is incomplete, if manual review is pending, or if the npm artifact no longer matches its manifest.

The complete gate is:

bash
bun run release:candidate:check

Run it only after visual baseline inspection and completion of the manual review. A successful result means that source 0.1.33 is ready for promotion to 1.0.0-rc.1; the version change and publication remain separate explicit actions.

Final locks before 1.0.0-rc.1

Preparing 1.0.0-rc.1 now requires four complementary pieces of evidence: a stable GitHub Actions matrix over three passes, manual accessibility review, Theme Builder/IconPicker bundle review, and integration in a distinct business application. The Final 1.0 locks page details the files to fill and the commands to run.

The persisted schema and theme migration contract is not a functional blocker anymore. Any future evolution must go through the public migration registry.

QForm Builder — Nuxt 4, Quasar and FormKit layer for dynamic forms.