docs(changelog): add git-cliff and make changelog to documentation

matthew-on-git · claude · matthew-on-git · commit 5d3308813f12 · 2026-03-02T15:42:05.000-06:00
Update all make target references, OpenClaw/agent prompts, standards
pages, container docs, and retrofit guide with new changelog target.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/content/_index.md b/content/_index.md
@@ -28,7 +28,7 @@ Key rules:
    ghcr.io/devrail-dev/dev-toolchain:v1 container via `make` targets.
 4. Respect `.editorconfig` formatting rules.
 
-Available make targets: lint, format, test, security, scan, check (all).
+Available make targets: lint, format, test, security, scan, changelog, check (all).
 Languages are declared in `.devrail.yml`. See https://devrail.dev/docs/standards/
 for per-language tool details.
 ```
@@ -77,6 +77,7 @@ the retrofit guide at: https://devrail.dev/docs/getting-started/retrofit/
 - `make test`     — run tests
 - `make security` — run security scanners
 - `make scan`     — run trivy + gitleaks
+- `make changelog` — generate CHANGELOG.md from conventional commits
 - `make check`    — run all of the above
 - `make help`     — show available targets
 
diff --git a/content/docs/container/_index.md b/content/docs/container/_index.md
@@ -181,6 +181,7 @@ The dev-toolchain container includes all tools needed for every supported langua
 |---|---|
 | trivy | Vulnerability scanning (filesystem and images) |
 | gitleaks | Secret detection |
+| git-cliff | Changelog generation from conventional commits |
 | pre-commit | Git hook management |
 
 ## Running Tools Directly
diff --git a/content/docs/contributing/ecosystem.md b/content/docs/contributing/ecosystem.md
@@ -47,7 +47,7 @@ Repos never import code from each other. Integration happens through three mecha
 | Interface | Producer | Consumer | Contract |
 |---|---|---|---|
 | Container image | dev-toolchain | Templates (via Makefile) | `ghcr.io/devrail-dev/dev-toolchain:v1` with all tools installed |
-| Makefile targets | Templates | CI pipelines, agents, developers | `make lint/format/test/security/docs/check` |
+| Makefile targets | Templates | CI pipelines, agents, developers | `make lint/format/test/security/docs/changelog/check` |
 | `.devrail.yml` | Developer/agent | Makefile, CI | Language declarations, project settings |
 | Pre-commit hook | pre-commit-conventional-commits | Templates (via `.pre-commit-config.yaml`) | Conventional commit validation |
 | Agent instructions | DEVELOPMENT.md + shims | AI agents | Critical rules + pointer to full standards |
diff --git a/content/docs/getting-started/agents.md b/content/docs/getting-started/agents.md
@@ -68,6 +68,7 @@ If you do not want to commit DevRail files yet, you can paste instructions direc
 > - `make format` -- check formatting
 > - `make test` -- run tests
 > - `make security` -- run security scanners
+> - `make changelog` -- generate CHANGELOG.md from conventional commits
 > - `make check` -- run everything
 >
 > Languages are declared in `.devrail.yml`. The Makefile reads this file to determine which tools to run. See https://devrail.dev/docs/standards/ for per-language tool details.
@@ -162,6 +163,7 @@ the retrofit guide at: https://devrail.dev/docs/getting-started/retrofit/
 - `make test`     — run tests
 - `make security` — run security scanners
 - `make scan`     — run trivy + gitleaks
+- `make changelog` — generate CHANGELOG.md from conventional commits
 - `make check`    — run all of the above
 - `make help`     — show available targets
 
diff --git a/content/docs/getting-started/retrofit.md b/content/docs/getting-started/retrofit.md
@@ -134,7 +134,7 @@ git commit -m "chore: add DevRail development standards"
 
 If your project already has a Makefile, you have two options:
 
-1. **Merge targets.** Add DevRail's public targets (`lint`, `format`, `test`, `security`, `scan`, `docs`, `check`, `install-hooks`) to your existing Makefile. Keep your existing targets alongside them.
+1. **Merge targets.** Add DevRail's public targets (`lint`, `format`, `test`, `security`, `scan`, `docs`, `changelog`, `check`, `install-hooks`) to your existing Makefile. Keep your existing targets alongside them.
 
 2. **Replace.** If your existing Makefile only has basic targets, replace it entirely with the DevRail Makefile.
 
diff --git a/content/docs/standards/_index.md b/content/docs/standards/_index.md
@@ -19,7 +19,7 @@ The following table shows the default tool for each concern per language. These
 | Tests | pytest | bats | terratest | molecule | rspec | go test | vitest |
 | Type Check | mypy | -- | -- | -- | sorbet | -- | tsc |
 | Docs | -- | -- | terraform-docs | -- | -- | -- | -- |
-| Universal | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks | trivy, gitleaks |
+| Universal | trivy, gitleaks, git-cliff | trivy, gitleaks, git-cliff | trivy, gitleaks, git-cliff | trivy, gitleaks, git-cliff | trivy, gitleaks, git-cliff | trivy, gitleaks, git-cliff | trivy, gitleaks, git-cliff |
 
 A `--` entry means the concern does not apply to that language. Universal tools run for all projects regardless of declared languages.
 
@@ -35,6 +35,7 @@ Each Makefile target runs the relevant tools for all languages declared in `.dev
 | `make security` | bandit, semgrep, tfsec, checkov, brakeman, bundler-audit, govulncheck, npm audit |
 | `make scan` | trivy, gitleaks (universal -- all projects) |
 | `make docs` | terraform-docs |
+| `make changelog` | git-cliff (generate CHANGELOG.md from conventional commits) |
 | `make check` | All of the above in sequence |
 
 ## Per-Language Pages
@@ -46,7 +47,7 @@ Each Makefile target runs the relevant tools for all languages declared in `.dev
 - [Ruby Standards](/docs/standards/ruby/) -- rubocop, brakeman, bundler-audit, rspec, reek, sorbet
 - [Go Standards](/docs/standards/go/) -- golangci-lint, gofumpt, govulncheck, go test
 - [JavaScript Standards](/docs/standards/javascript/) -- eslint, prettier, npm audit, vitest, tsc
-- [Universal Security](/docs/standards/universal/) -- trivy, gitleaks
+- [Universal Security](/docs/standards/universal/) -- trivy, gitleaks, git-cliff
 
 ## Consistent Page Structure
 
diff --git a/content/docs/standards/universal.md b/content/docs/standards/universal.md
@@ -2,17 +2,18 @@
 title: "Universal Security"
 linkTitle: "Universal Security"
 weight: 50
-description: "Universal security tools that run for every project: trivy and gitleaks."
+description: "Universal tools that run for every project: trivy, gitleaks, and git-cliff."
 ---
 
-These tools run for every DevRail-managed project regardless of declared languages. They provide baseline vulnerability scanning and secret detection.
+These tools run for every DevRail-managed project regardless of declared languages. They provide baseline vulnerability scanning, secret detection, and changelog generation.
 
 ## Tools
 
 | Category | Tool | Purpose |
 |---|---|---|
 | Vulnerability Scanning | trivy | Container image and filesystem vulnerability scanning |
 | Secret Detection | gitleaks | Detect secrets in git history and staged changes |
+| Changelog | git-cliff | Generate CHANGELOG.md from conventional commits |
 
 All tools are pre-installed in the dev-toolchain container. Do not install them on the host.
 
@@ -55,13 +56,22 @@ Recommended `.gitleaks.toml`:
 
 gitleaks detects secrets (API keys, tokens, passwords) in git history and staged changes. Use the allowlist only for verified false positives.
 
+### git-cliff
+
+Config file: `cliff.toml` at repository root. The DevRail templates include a default configuration that groups commits by conventional commit type.
+
+git-cliff reads your git log and generates a `CHANGELOG.md` following the [Keep a Changelog](https://keepachangelog.com/) format. It requires conventional commit messages to produce meaningful output.
+
+Run `make changelog` to regenerate the changelog from the full commit history.
+
 ## Makefile Targets
 
 | Target | Command | Description |
 |---|---|---|
 | `make scan` | `trivy fs .` | Filesystem vulnerability scan |
 | `make scan` | `trivy image <image>` | Container image vulnerability scan |
 | `make scan` | `gitleaks detect --source .` | Secret detection in repository |
+| `make changelog` | `git-cliff -o CHANGELOG.md` | Generate changelog from conventional commits |
 
 The `make scan` target is separate from `make security`. The `security` target runs language-specific scanners (bandit, tfsec, etc.), while `scan` runs universal scanners that apply to all projects.
 
@@ -91,4 +101,5 @@ repos:
 - **gitleaks runs both locally and in CI.** The local pre-commit hook catches secrets immediately; CI provides a final safety net.
 - **Findings at any severity level cause a non-zero exit code.** Do not suppress findings without explicit justification in `.trivyignore` or `.gitleaks.toml` allowlist.
 - **Both tools produce JSON output in CI** for artifact collection and reporting.
+- **`git-cliff` runs as part of `make changelog`**, which is separate from both `make scan` and `make check`. It generates a `CHANGELOG.md` from conventional commits and requires a `cliff.toml` configuration file.
 - **All tools are pre-installed in the dev-toolchain container.** Do not install them on the host.
