SharetoBoard
v0.3.0 release candidate

What is tested—and what still remains.

This page separates completed automated checks from the live Poppy, MCP-client, and publication work still required before release.

Still in progress: live Poppy testing for all six tools, end-to-end testing in each supported MCP client, final package review, approval, and public release.

Current release-candidate evidence

Completed

  • Six MCP tool contracts and a local stdio server
  • Four first-party skills and setup guides for four MCP clients
  • HTTPS host allowlist, key-file checks, safe doctor summary, and recursive redaction
  • Request and response limits, timeouts, bounded retries, redirect denial, and destination allowlists
  • 24 tests passing on Python 3.10-3.12
  • Clean production dependency audit and clean-install test
  • Reproducible runtime and skill packages, CycloneDX software bill of materials, and verified SHA-256 checksums

Still in progress

  • Live compatibility with all six Poppy operations
  • Codex, OpenClaw, Claude, and Hermes end-to-end testing
  • Final approval against the release packages
  • Public source, tag, and release publication

Gate 1: source and repository hygiene

Generated caches and build output have been removed, release exclusions are defined, the four-skill catalogue is consistent, and public migration material is vendor-neutral. Final source review remains required before publication.

Gate 2: automated checks

CheckRequired resultCurrent result
Code qualityClean release candidatePassed
Automated testsAll tests pass on supported Python versions24 passed on Python 3.10, 3.11, and 3.12
Build/installClean runtime/source build and isolated installationPassed; dependency consistency check clean
Dependency auditNo unresolved known production vulnerability at release thresholdPassed; none reported
Package contentsOnly approved source and release filesPassed; reproducible bundles produced
Skill validationAll four skills packaged and negative tests passPassed
SBOM/checksumsGenerated and verified for release packagesCycloneDX 1.6 and SHA-256 verification passed

Gate 3: live Poppy acceptance

  1. Use a dedicated disposable board/chat and test-only key file.
  2. Run --doctor and confirm no board content or credential is printed.
  3. Call version, boards, chats, one-time ask, create conversation, and continue conversation in order.
  4. Record redacted schemas, status, latency, credits fields when returned, and any endpoint/field corrections.
  5. Run adversarial cases: missing/unreadable key, denied board/chat, redirect, timeout, malformed response, oversized payload, retryable status, unsafe ID.
  6. Confirm prompt/response bodies and key are absent from Tentaclaw logs.

Gate 4: client testing

Each client must pass the same end-to-end workflow before we describe it as tested with Tentaclaw.

ClientSetup guideEnd-to-end result
CodexTOML / client UI guide availableIn progress
Claude Code/DesktopCLI / JSON guide availableIn progress
OpenClawMCP registry guide availableIn progress
Hermes AgentYAML guide availableIn progress

Gate 5: artifact and publication set

GO criteria

A named approver records GO against the exact commit and artifact checksums. Release copy is limited to tested clients and observed behavior. Rollback artifacts are retained. Any credential leak, unresolved high-risk finding, live API incompatibility, failed client startup, missing checksum/SBOM, or public exposure path keeps the release at NO-GO.