What’s new in Valinor

Valinor is self-enforcing engineering discipline for agentic development — rubric-driven PR review, CI gates, and continuous audit. This is the running log of what each release brings to the teams adopting it.

DocumentationGitHubRSS

Built by Camber — Valinor is consumer #0 of its own gates.

Unreleased — landing since 0.2.2

The capabilities landed on main since the last cut. These are the headline things you can now do as a team adopting Valinor — the exhaustive per-change log lives in CHANGELOG.md.

Improvements

  • Valinor has a help-center docs site — a curated, searchable, user-facing place to learn the tool, separate from the contributor-facing developer guide. It opens with a getting-started walkthrough and covers Installation, a CLI reference, a Governance overview, and FAQ & troubleshooting.
  • A whole-repo audit is now a documented, end-to-end flow. Your agent runs the valinor-audit skill, which grades the entire rubric suite over your codebase, then three deterministic commands turn that into a verified, trended score — audit-verify (no unverified deliverable ever renders), audit-record (a grade-only, privacy-safe history), and audit-trend (the score-over-time table).
  • valinor init now ships the docs-coverage gate — it catches the empty doc placeholder before it rots, using a generic, repo-shape-agnostic default that never false-flags your docs (tighten it with a manifest when you're ready).
  • The governance triad now reaches the repos you govern in full. valinor init delivers the 17-rule PR-review rubric, three universal deterministic gates plus three opt-in ones (default-off), the agent-file guard, and the ~two-dozen valinor-audit-* skills bundled inside the package — rule, gate, and audit skill, all delivered and version-locked.
  • Per-gate severity dials and a legacy-onboarding path. Set each gate to error, warn, or off independently, and grandfather an existing repo's debt with a baseline so gates block only on new code — a documented, tested route onto a legacy app without a wall of red CI.
  • Security and accessibility now have real review teeth. New owasp-top-10 and a11y (WCAG 2.1 AA) review rules close the two quality dimensions that used to be manual-only, and the doctrine's Definition of DONE now points at them honestly.
  • A stakeholder-ready story over your rising score. The Orbit digest turns the deterministic score-trend table into a Linear-changelog-style narrative you can hand to a client or leadership — verifiable spine, clearly-labeled AI prose on top, never gating CI.

0.2.2

The scaffolded gates workflow now works out-of-the-box for consumer repos in any GitHub org — the Distribution-v2 cross-org auth lands cleanly.

Improvements

  • Fixed cross-org GitHub Packages auth: valinor init's workflow now mints its App token explicitly against the cmbrcreative org, so a consumer repo outside that org can resolve and pull @cmbrcreative/valinor instead of silently 401-ing into a non-blocking annotation.
  • Repositioned Valinor as "self-enforcing engineering discipline for agentic development" — rubric-driven PR review, CI gates, and continuous audit, the same ones Valinor enforces on itself.

0.2.1

Valinor is now installable as @cmbrcreative/valinor — the npm scope matches the GitHub org, and the GitHub Packages publish actually lands.

Improvements

  • Renamed the package so adoption is npm i -D @cmbrcreative/valinor from 0.2.1 forward (GitHub Packages requires the npm scope to map to a real GitHub org).

0.2.0

Valinor moves its publish target to GitHub Packages, and valinor init scaffolds a workflow that works for Camber consumers with no manual fixes.

Improvements

  • Publishes to GitHub Packages (npm.pkg.github.com) using the auto-injected token — no per-repo NPM_TOKEN to provision.
  • valinor init scaffolds a consumer-correct workflow out of the box: it pulls the published, versioned CLI from GitHub Packages (roughly 5× faster CI than clone-and-build), derives blocking behaviour from your adoption.mode, pins Node, and degrades gracefully to a ::warning:: when a credential is missing rather than turning CI red.

0.1.0 — Foundation

The first cut of Valinor as a layered, CI-native quality-governance product you can put on a Camber repo. Valinor is consumer #0 of its own gates — this repository is governed by the very claims, rubrics, and workflows it ships.

What you can do at 0.1.0

  • Declare your quality bar as code, and enforce it in CI. Write verifiable claims about your repo in claims.yml and let valinor claims-verify fail CI closed on any drift — sub-second, offline-safe file/grep/token checks.
  • Govern branch protection and repo settings as code — keep branch-protection.json and governance.config.yml in the repo and diff them against live GitHub, so the standard travels with the code.
  • Add an LLM-review rubric suite — a repo-versioned .greptile/ library of custom review rules (silent-failure, PII-in-logs, type-design, test-quality, comment-accuracy, doc-completeness, change-narrative), each with a documented dossier.
  • Run a whole-repo Codebase Audit — a composable skill system applies the rubric suite across an existing codebase and produces a graded (A–E), severity-weighted, honesty-disclosed report.
  • Adopt across greenfield → deep-legacy without red CI on day one — a maturity-aware onboarding dial plus a baseline engine grandfather a repo's pre-existing debt and enforce on new code only.