v0.3.0 release candidateWhat is tested—and what still remains.
This page separates completed automated checks from the live Poppy, MCP-client, and publication work still required before release.
Still in progress: live Poppy testing for all six tools, end-to-end testing in each supported MCP client, final package review, approval, and public release.
Current release-candidate evidence
Completed
- Six MCP tool contracts and a local stdio server
- Four first-party skills and setup guides for four MCP clients
- HTTPS host allowlist, key-file checks, safe doctor summary, and recursive redaction
- Request and response limits, timeouts, bounded retries, redirect denial, and destination allowlists
- 24 tests passing on Python 3.10-3.12
- Clean production dependency audit and clean-install test
- Reproducible runtime and skill packages, CycloneDX software bill of materials, and verified SHA-256 checksums
Still in progress
- Live compatibility with all six Poppy operations
- Codex, OpenClaw, Claude, and Hermes end-to-end testing
- Final approval against the release packages
- Public source, tag, and release publication
Gate 1: source and repository hygiene
Generated caches and build output have been removed, release exclusions are defined, the four-skill catalogue is consistent, and public migration material is vendor-neutral. Final source review remains required before publication.
Gate 2: automated checks
| Check | Required result | Current result |
|---|
| Code quality | Clean release candidate | Passed |
| Automated tests | All tests pass on supported Python versions | 24 passed on Python 3.10, 3.11, and 3.12 |
| Build/install | Clean runtime/source build and isolated installation | Passed; dependency consistency check clean |
| Dependency audit | No unresolved known production vulnerability at release threshold | Passed; none reported |
| Package contents | Only approved source and release files | Passed; reproducible bundles produced |
| Skill validation | All four skills packaged and negative tests pass | Passed |
| SBOM/checksums | Generated and verified for release packages | CycloneDX 1.6 and SHA-256 verification passed |
Gate 3: live Poppy acceptance
- Use a dedicated disposable board/chat and test-only key file.
- Run
--doctor and confirm no board content or credential is printed. - Call version, boards, chats, one-time ask, create conversation, and continue conversation in order.
- Record redacted schemas, status, latency, credits fields when returned, and any endpoint/field corrections.
- Run adversarial cases: missing/unreadable key, denied board/chat, redirect, timeout, malformed response, oversized payload, retryable status, unsafe ID.
- Confirm prompt/response bodies and key are absent from Tentaclaw logs.
Gate 4: client testing
Each client must pass the same end-to-end workflow before we describe it as tested with Tentaclaw.
| Client | Setup guide | End-to-end result |
|---|
| Codex | TOML / client UI guide available | In progress |
| Claude Code/Desktop | CLI / JSON guide available | In progress |
| OpenClaw | MCP registry guide available | In progress |
| Hermes Agent | YAML guide available | In progress |
Gate 5: artifact and publication set
tentaclaw_mcp-0.3.0-py3-none-any.whl- Source distribution
- Individual ZIPs for all four skills plus complete skill bundle
- Client examples with placeholders only
- SPDX or CycloneDX SBOM
SHA256SUMS- Release notes, changelog, license, security policy, support policy
- Install, migration, rotation, rollback, incident, troubleshooting, and live-verification records
- Public repository tag and release page
GO criteria
A named approver records GO against the exact commit and artifact checksums. Release copy is limited to tested clients and observed behavior. Rollback artifacts are retained. Any credential leak, unresolved high-risk finding, live API incompatibility, failed client startup, missing checksum/SBOM, or public exposure path keeps the release at NO-GO.