strefethen
diff --git a/‎CHANGELOG.md‎
Lines changed: 77 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 77 additions & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 2 additions & 0 deletions b/‎Cargo.toml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎OSS-LAUNCH-PLAN.md‎
Lines changed: 274 additions & 0 deletions b/‎OSS-LAUNCH-PLAN.md‎
Lines changed: 274 additions & 0 deletions
@@ -0,0 +1,77 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-02-23
+
+### Added
+
+#### CLI
+- `run` command — execute workflows with inputs, headers, timeout, dry-run, parallel, and trace options
+- `validate` command — parse and structurally validate Arazzo YAML specs
+- `list` command — list workflows in a spec
+- `catalog` command — discover specs across a directory tree
+- `show` command — display workflow details
+- `schema` command — print JSON Schema for any command's `--json` output
+- `--json` flag on all commands for structured output
+- `--trace <path>` execution trace output with automatic sensitive value redaction
+
+#### Expression Language
+- `$inputs.name` — workflow input parameters
+- `$steps.<id>.outputs.<name>` — previous step outputs
+- `$env.VAR_NAME` — environment variables (`.env` auto-loaded)
+- `$statusCode` — HTTP response status code
+- `$method` — HTTP method (GET, POST, etc.)
+- `$url` — fully constructed request URL
+- `$response.header.Name` — response header (case-insensitive)
+- `$response.body.path` — JSON dot-path body access
+- `$response.body#/json/pointer` — RFC 6901 JSON Pointer body access
+- `$request.header.Name` — request header introspection
+- `$request.query.Name` — request query parameter introspection
+- `$request.path.Name` — request path parameter introspection
+- `$request.body` / `$request.body.path` / `$request.body#/pointer` — request body introspection
+- `$outputs.name` — workflow outputs map (within `workflow.outputs`)
+- `$sourceDescriptions.{name}.url` — source description URL lookup
+- `{$expr}` interpolation in string values
+- `//xpath/expression` — XML/HTML body extraction
+- Condition operators: `==`, `!=`, `>`, `<`, `>=`, `<=`, `&&`, `||`, `contains`, `matches`, `in`
+
+#### Workflow Engine
+- HTTP execution with parameter types: header, query, path, cookie, body
+- Control flow via `onSuccess` / `onFailure` actions (goto, retry, end)
+- Workflow-level default `successActions` and `failureActions`
+- Workflow-level `parameters` with step-level override
+- Sub-workflow calls via `workflowId` with input/output passing
+- Multiple source descriptions with `{sourceName}./path` operationPath routing
+- Retry actions with configurable delay and limit
+- Parallel step execution via `--parallel`
+- Dry-run mode (`--dry-run`) — resolves requests without sending
+
+#### VS Code Debugger
+- Full Debug Adapter Protocol (DAP) implementation
+- Breakpoints on steps, success criteria, actions, and outputs
+- Conditional breakpoints using runtime expressions
+- Step Over, Step In, Step Out, Continue, Pause controls
+- Variable inspection: Locals, Request, Response, Inputs, Steps scopes
+- Watch expressions and hover evaluation
+- Call stack with sub-workflow depth tracking
+- Three-thread coordinator architecture (no deadlocks during slow HTTP)
+
+#### Crate Workspace
+- `arazzo-spec` — typed Arazzo 1.0.1 domain model
+- `arazzo-validate` — YAML parser with structural validation
+- `arazzo-expr` — expression parser/evaluator with proptest fuzzing
+- `arazzo-runtime` — execution engine with debug controller
+- `arazzo-cli` — CLI binary
+- `arazzo-debug-adapter` — DAP server
+
+#### Quality
+- `unsafe_code = "forbid"` across all crates
+- `unwrap_used = "deny"`, `expect_used = "deny"` via workspace clippy lints
+- Execution trace redaction for Authorization, Cookie, API keys, passwords
+- 199 tests, all hermetic (tiny_http test servers, no external API calls)
+- Proptest fuzzing on expression evaluator
+- CI: format, clippy, test, VS Code extension typecheck + build
@@ -13,6 +13,8 @@ resolver = "2"
 version = "0.1.0"
 edition = "2021"
 license = "MIT"
+repository = "https://github.com/strefethen/arazzo-cli"
+homepage = "https://github.com/strefethen/arazzo-cli"
 publish = false
 
 [workspace.lints.rust]
 
@@ -0,0 +1,274 @@
+# Open-Source Launch Plan — arazzo-cli
+
+## Current State
+
+- Readiness: ~72%
+- Spec coverage: ~91% (Phases 1-3 complete)
+- Codebase: 17,767 lines Rust, 199 tests passing, strict lints
+- CI: fmt + clippy + test + VS Code extension build
+- Gaps: packaging metadata, documentation, examples, distribution, testing breadth
+
+---
+
+## Phase A: Foundations (Tier 1 blockers)
+
+Low effort, high impact. All required before tagging v0.1.0.
+
+### A1. Commit `Cargo.lock`
+
+Rust best practice for binary crates — ensures reproducible builds.
+
+- [ ] Remove `/Cargo.lock` from `.gitignore` if present
+- [ ] `cargo generate-lockfile` if missing
+- [ ] Commit
+
+### A2. Crate publishing metadata
+
+Add to `[workspace.package]` in root `Cargo.toml`:
+
+- [ ] `description = "Standalone Arazzo 1.0 workflow executor and debugger"`
+- [ ] `repository = "https://github.com/strefethen/arazzo-cli"`
+- [ ] `homepage = "https://github.com/strefethen/arazzo-cli"`
+- [ ] `keywords = ["arazzo", "openapi", "workflow", "api", "cli"]`
+- [ ] `categories = ["command-line-utilities", "web-programming"]`
+- [ ] `readme = "README.md"`
+
+Per-crate overrides where needed:
+
+- [ ] `arazzo-spec`: description = "Typed Arazzo 1.0 domain model"
+- [ ] `arazzo-validate`: description = "Arazzo YAML parser and structural validator"
+- [ ] `arazzo-expr`: description = "Arazzo expression language parser and evaluator"
+- [ ] `arazzo-runtime`: description = "Arazzo workflow execution engine"
+- [ ] `arazzo-cli`: description = "CLI for executing Arazzo 1.0 API workflow specifications"
+- [ ] `arazzo-debug-adapter`: description = "Debug Adapter Protocol server for Arazzo workflows"
+
+### A3. Flip `publish` flag
+
+Decide which crates to publish:
+
+- [ ] `arazzo-spec` → `publish = true` (useful standalone)
+- [ ] `arazzo-validate` → `publish = true`
+- [ ] `arazzo-expr` → `publish = true`
+- [ ] `arazzo-runtime` → `publish = true`
+- [ ] `arazzo-cli` → `publish = true` (enables `cargo install arazzo-cli`)
+- [ ] `arazzo-debug-adapter` → keep `publish = false` (tightly coupled to CLI)
+
+### A4. Crate-level rustdoc
+
+Add `#![doc = "..."]` or `//!` module doc comments to each `lib.rs`:
+
+- [ ] `arazzo-spec/src/lib.rs` — overview of domain types, link to Arazzo spec
+- [ ] `arazzo-validate/src/lib.rs` — parsing entry point, error types
+- [ ] `arazzo-expr/src/lib.rs` — expression syntax reference, `EvalContext` usage
+- [ ] `arazzo-runtime/src/lib.rs` — engine lifecycle, `Engine::new` → `execute`
+- [ ] `arazzo-debug-adapter/src/lib.rs` — DAP architecture summary
+- [ ] Verify with `cargo doc --workspace --no-deps --open`
+
+### A5. CHANGELOG.md
+
+- [ ] Create `CHANGELOG.md` following [Keep a Changelog](https://keepachangelog.com/) format
+- [ ] Document v0.1.0 feature set:
+  - Arazzo 1.0.1 spec coverage (~91%)
+  - Expression language (all `$` expressions, `{$expr}` interpolation, operators)
+  - HTTP execution with parameter types (header, query, path, cookie, body)
+  - Control flow (onSuccess/onFailure, goto, retry, end)
+  - Workflow-level defaults (parameters, actions)
+  - Multiple source descriptions with `{name}./path` routing
+  - Sub-workflow calls via `workflowId`
+  - Dry-run mode, execution traces with redaction
+  - VS Code debugger (breakpoints, stepping, variables, watch, call stack)
+  - CLI commands: run, validate, list, catalog, show, schema
+
+### A6. Update README expression surface
+
+The Expression Language section is missing Phase 3 additions:
+
+- [ ] Add `$url`
+- [ ] Add `$request.header.Name`, `$request.query.Name`, `$request.path.Name`
+- [ ] Add `$request.body`, `$request.body.path`, `$request.body#/pointer`
+- [ ] Add `$sourceDescriptions.{name}.url`
+- [ ] Add `$outputs.name` (workflow outputs)
+- [ ] Add `$response.body#/json/pointer` (JSON Pointer syntax)
+- [ ] Add `{$expr}` interpolation notation
+- [ ] Add `{sourceName}./path` operationPath routing
+
+### A7. Verify `cargo publish --dry-run`
+
+- [ ] Run `cargo publish -p arazzo-spec --dry-run` for each publishable crate
+- [ ] Fix any packaging errors (missing fields, excluded files, etc.)
+
+**Readiness after Phase A: ~85%**
+
+---
+
+## Phase B: Examples & Testing (Tier 2)
+
+Medium effort. Establishes credibility and demonstrates capability breadth.
+
+### B1. Example specs
+
+Each should be self-contained with a comment header explaining what it demonstrates.
+
+- [ ] `examples/multi-api-orchestration.arazzo.yaml` — two source descriptions, `{sourceName}./path` routing, `$sourceDescriptions.{name}.url` in outputs
+- [ ] `examples/auth-flow.arazzo.yaml` — cookie parameters, `{$expr}` interpolation in Authorization header, chained auth → data flow
+- [ ] `examples/error-handling-retry.arazzo.yaml` — onFailure with retry action, workflow-level failureActions as fallback, success criteria
+- [ ] `examples/sub-workflow.arazzo.yaml` — parent workflow calling child via `workflowId`, passing inputs, reading child outputs
+- [ ] Move or copy relevant parts of `testdata/error-handling.arazzo.yaml` into examples if appropriate
+
+### B2. CLI integration tests
+
+Using `assert_cmd` or `trycmd`:
+
+- [ ] Add `assert_cmd` and `predicates` to `arazzo-cli` dev-dependencies
+- [ ] Test `validate` command with valid spec → exit 0, JSON output
+- [ ] Test `validate` command with invalid spec → exit non-zero, error message
+- [ ] Test `list` command → outputs workflow IDs
+- [ ] Test `catalog` command on `examples/` directory
+- [ ] Test `run --dry-run` → outputs planned requests without network
+- [ ] Test `schema` command → valid JSON Schema output
+- [ ] Test `--json` flag produces valid JSON on all commands
+
+### B3. arazzo-spec serde round-trip tests
+
+- [ ] Parse each example spec → serialize back → parse again → assert equality
+- [ ] Test that unknown fields are rejected or preserved as expected
+- [ ] Test default values for optional fields
+
+### B4. `cargo audit` in CI
+
+- [ ] Add step to `ci.yml` after test:
+  ```yaml
+  - name: Security audit
+    run: cargo install cargo-audit && cargo audit
+  ```
+- [ ] Or use `actions-rs/audit-check@v1`
+
+### B5. Cross-platform CI
+
+- [ ] Add matrix to `ci.yml`:
+  ```yaml
+  strategy:
+    matrix:
+      os: [ubuntu-latest, macos-latest, windows-latest]
+  ```
+- [ ] Windows may need special handling for `tiny_http` tests (firewall prompts)
+
+### B6. MSRV policy
+
+- [ ] Decide on MSRV (recommend: current stable minus 2, e.g., 1.78)
+- [ ] Add `rust-version = "1.78"` to `[workspace.package]`
+- [ ] Add MSRV CI job using `dtolnay/rust-toolchain` with the MSRV version
+- [ ] Document in README
+
+**Readiness after Phase B: ~93%**
+
+---
+
+## Phase C: Distribution (Tier 2)
+
+Medium effort. Makes the project installable without cloning.
+
+### C1. Release automation with `cargo-dist`
+
+- [ ] `cargo install cargo-dist`
+- [ ] `cargo dist init` — generates `.github/workflows/release.yml`
+- [ ] Configure targets: `x86_64-unknown-linux-gnu`, `aarch64-apple-darwin`, `x86_64-apple-darwin`, `x86_64-pc-windows-msvc`
+- [ ] Test with `cargo dist build`
+- [ ] Commit the generated workflow
+
+### C2. Tag and publish v0.1.0
+
+Order matters — publish library crates before the binary crate:
+
+- [ ] `cargo publish -p arazzo-spec`
+- [ ] `cargo publish -p arazzo-validate`
+- [ ] `cargo publish -p arazzo-expr`
+- [ ] `cargo publish -p arazzo-runtime`
+- [ ] `cargo publish -p arazzo-cli`
+- [ ] `git tag v0.1.0 && git push --tags` → triggers release workflow
+
+### C3. Homebrew tap (optional)
+
+- [ ] Create `homebrew-tap` repo
+- [ ] Add formula pointing to GitHub Release tarball
+- [ ] Document `brew install strefethen/tap/arazzo-cli` in README
+
+**Readiness after Phase C: ~97%**
+
+---
+
+## Phase D: Polish (Tier 3)
+
+Lower priority. Long-term maturity items.
+
+### D1. Doc-tests on public APIs
+
+- [ ] Add `/// # Examples` blocks to key public functions in arazzo-expr, arazzo-validate, arazzo-runtime
+- [ ] Ensure `cargo test --doc --workspace` passes
+- [ ] Hosted docs auto-publish on docs.rs after crates.io publish
+
+### D2. Clean up stale internal docs
+
+- [ ] Review `docs/rust-migration-plan.md` — likely stale, remove or archive
+- [ ] Review `docs/weekwise-plans.md` — planning artifact, not user-facing
+- [ ] Review `docs/30-ideas.md`, `docs/5-best-ideas.md` — brainstorm artifacts
+- [ ] Keep: architecture, debugger, trace schema, extension guide, internal API
+
+### D3. Phase 4 spec features (v0.2.0 milestone)
+
+Coverage: 91% → 96%
+
+- [ ] `$workflows.{id}.inputs.{name}` / `$workflows.{id}.outputs.{name}`
+- [ ] `!` (NOT) operator in conditions
+- [ ] `()` grouping in conditions
+- [ ] `Retry-After` response header override
+
+### D4. Phase 5 spec features (v0.3.0 milestone)
+
+Coverage: 96% → 100%
+
+- [ ] `dependsOn` — inter-workflow dependency ordering with cycle detection
+- [ ] Payload Replacement Object — RFC 6901 JSON Pointer mutation in request bodies
+
+**Readiness after Phase D: ~100%**
+
+---
+
+## Execution Order
+
+| Step | Phase | Effort | Depends On |
+|------|-------|--------|------------|
+| A1. Commit Cargo.lock | A | Trivial | — |
+| A2. Crate metadata | A | Low | — |
+| A3. Flip publish flag | A | Trivial | A2 |
+| A4. Crate-level rustdoc | A | Low | — |
+| A5. CHANGELOG.md | A | Low | — |
+| A6. Update README | A | Low | — |
+| A7. Verify publish dry-run | A | Low | A2, A3, A4 |
+| B1. Example specs | B | Medium | — |
+| B2. CLI integration tests | B | Medium | — |
+| B3. Spec round-trip tests | B | Low | — |
+| B4. cargo audit in CI | B | Low | — |
+| B5. Cross-platform CI | B | Medium | — |
+| B6. MSRV policy | B | Low | — |
+| C1. Release automation | C | Medium | A7 |
+| C2. Tag v0.1.0 | C | Low | A (all), C1 |
+| C3. Homebrew tap | C | Low | C2 |
+| D1. Doc-tests | D | Medium | A4 |
+| D2. Clean stale docs | D | Low | — |
+| D3. Phase 4 spec | D | High | — |
+| D4. Phase 5 spec | D | Very High | D3 |
+
+---
+
+## Success Criteria
+
+- `cargo publish --dry-run` succeeds for all publishable crates
+- `cargo doc --workspace --no-deps` produces clean docs with crate-level summaries
+- `cargo test --workspace` passes (including new CLI integration tests)
+- `cargo audit` reports no known vulnerabilities
+- CI passes on Linux, macOS, and Windows
+- 5+ example specs covering distinct feature categories
+- CHANGELOG documents all v0.1.0 features
+- GitHub Release exists with pre-built binaries for 3 platforms
+- `cargo install arazzo-cli` works from crates.io