xcodethink · xcodethink · Jun 2, 2026 · Jun 2, 2026
diff --git a/docs/releases/2026-06-02-v1.3.0.md b/docs/releases/2026-06-02-v1.3.0.md
@@ -0,0 +1,80 @@
+# Release v1.3.0 — Security hardening, MCP test coverage, Node 20
+
+- **Version**: 1.3.0
+- **Date**: 2026-06-02
+- **Previous**: v1.2.1 (2026-05-12)
+- **Tag**: `v1.3.0` → commit `86405bef2d5ea73c8cb2551b9442a0cc6c901236` (merge of #46)
+- **npm**: [`pixelcheck@1.3.0`](https://www.npmjs.com/package/pixelcheck/v/1.3.0) — `latest`, published 2026-06-02T15:11:02Z **with provenance**
+- **Tarball**: 3.74 MB unpacked / 420 files — https://registry.npmjs.org/pixelcheck/-/pixelcheck-1.3.0.tgz
+- **GitHub Release**: https://github.com/xcodethink/pixelcheck/releases/tag/v1.3.0
+- **Publish workflow**: `release.yml` run [26828955136](https://github.com/xcodethink/pixelcheck/actions/runs/26828955136) — success (`npm publish --provenance`)
+
+## Summary
+
+Production-grade audit (2026-06-02) remediation, shipped. **No public-API
+breaking changes**; the one compatibility change is the runtime floor (Node
+20+, see below). Full notes in CHANGELOG.md `[1.3.0]`.
+
+Headlines:
+- **Requires Node 20+** (`engines.node` `>=18` → `>=20`). Node 18 is EOL
+  (2025-04-30) and was never actually exercised (CI is 20/22). `npm` treats
+  `engines` as a warning, so it is discouraged-not-blocked for Node-18 holdouts.
+- **Supply chain**: vendored `stealth-core` now has a committed SHA-256
+  integrity manifest enforced on every CI runner (`check:vendor-integrity`).
+- **SSRF**: guard coverage locked across all 8 MCP URL tools (regression).
+- **Tests**: flagship MCP surface + observer 5–10% → 20–94%; coverage floor
+  ratcheted 74/62/75/75 → 76/64/77/77 (ADR-017).
+- **Honesty**: 17 low advisories disclosed in SECURITY.md (one root cause:
+  `@ai-sdk/provider-utils`); the false "0 vulnerabilities" CI comment fixed.
+
+## Code changes (merged to `main`)
+
+| PR | Title |
+|---|---|
+| #43 | security+reliability hardening (audit 2026-06-02): supply-chain, MCP, liveness, cost, persona, lint |
+| #44 | audit follow-ups: H1 broken init, H2 GHA newline, C2 redaction, E3/E4/E5 cost + D4-D8/E6-E9/H3-H9 + F4-F7 + G3 + G4 |
+| #46 | chore(release): v1.3.0 (version bump + CHANGELOG + SARIF golden fixture) |
+
+Governance applied this cycle: `main` branch protection enabled
+(`enforce_admins`, no force-push, no deletions, required checks =
+`Test (ubuntu-latest · Node 20/22)` + `Playwright integration (real chromium)`
++ `Coverage gate (ADR-017 ratchet)`, PRs required).
+
+## Database migrations
+
+None. Existing `~/.pixelcheck/history.db` is forward-compatible.
+
+## Production verification
+
+| Check | Result |
+|---|---|
+| `npm view pixelcheck version` | ✅ `1.3.0` (`latest`) |
+| `npm view pixelcheck dist-tags` | ✅ `latest: 1.3.0` |
+| `release.yml` run 26828955136 | ✅ success — `Publish (with provenance)` ✅ |
+| Pre-publish audit (skill 16) | ✅ clean — tracked grep / tarball list / bundled assets / `.env.example` |
+| Full unit suite (local, pre-tag) | ✅ 2320 passed / 1 skipped |
+| Required CI checks on #46 | ✅ all 4 green |
+
+## Rollback plan
+
+npm tarballs **cannot be unpublished after 72h**; rollback = publish a fix-forward
+patch, not an unpublish.
+
+- **Code**: `git revert -m 1 86405bef` (the #46 merge) on a branch → PR → merge.
+  For the deeper audit changes, revert #44 then #43 merges similarly. Do **not**
+  `reset --hard` (protected branch + shared history).
+- **npm (within 72h, emergencies only)**: `npm unpublish pixelcheck@1.3.0` then
+  re-point `latest`: `npm dist-tag add pixelcheck@1.2.1 latest`.
+- **npm (after 72h)**: `npm deprecate pixelcheck@1.3.0 "use 1.3.1"` and ship a
+  patched 1.3.1; consumers pinned to `latest` move forward.
+- **Re-point latest without unpublish**: `npm dist-tag add pixelcheck@1.2.1 latest`.
+
+## Follow-ups
+
+- **NPM_TOKEN** is a 90-day granular token (expires ~2026-08-31). Rotate before
+  expiry, or migrate to npm **Trusted Publishing** (OIDC, no stored secret) —
+  npm's recommended path; would drop the `NODE_AUTH_TOKEN` dependency in
+  `release.yml`.
+- The SARIF golden fixture (`docs/integration/fixture-sarif.json`) pins the
+  package version, so it needs a one-line bump each release; consider
+  normalizing the version field in `wcag-axe.test.ts` to remove that papercut.