noormdev · damusix · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/.changeset/fix-binary-bun-pin.md b/.changeset/fix-binary-bun-pin.md
@@ -0,0 +1,6 @@
+---
+"@noormdev/cli": patch
+---
+
+## Fixed
+* `fix(ci):` Pin bun to 1.3.11 in release binary workflow — bun 1.3.12 produces binaries that crash on startup (OOM kill, exit 137)
diff --git a/.changeset/sdk-protected-config-hardblock.md b/.changeset/sdk-protected-config-hardblock.md
@@ -0,0 +1,37 @@
+---
+"@noormdev/sdk": major
+---
+
+## Breaking Changes
+
+### `allowProtected` option removed
+
+The `allowProtected` option has been removed from `CreateContextOptions`. Passing it no longer has any effect — protected configs unconditionally block all destructive operations with no override.
+
+**Before:**
+```typescript
+// This no longer works — allowProtected is not a valid option
+const ctx = await createContext({ config: 'staging', allowProtected: true })
+await ctx.noorm.db.truncate() // would proceed
+```
+
+**After:**
+```typescript
+// Protected configs always block destructive ops — no override possible
+const ctx = await createContext({ config: 'staging' })
+await ctx.noorm.db.truncate() // throws ProtectedConfigError
+```
+
+To run a destructive operation against a protected config, set `config.protected = false` manually before running the operation, then restore it.
+
+### `checkProtectedConfig` signature changed
+
+The exported `checkProtectedConfig` guard function signature changed from `(config, operation, options)` to `(config, operation)`. If you call this function directly, remove the third argument.
+
+## New Behavior
+
+The following operations are now blocked on protected configs (in addition to `truncate`, `teardown`, and `reset`):
+
+- `ctx.noorm.dt.importFile()` — bulk data import is destructive
+- `ctx.noorm.changes.revert()` — schema rollbacks are destructive in production
+- `ctx.noorm.changes.rewind()` — batch schema rollbacks are destructive in production
diff --git a/.github/workflows/release-binary.yml b/.github/workflows/release-binary.yml
@@ -16,6 +16,8 @@ jobs:
 
             - name: Setup Bun
               uses: oven-sh/setup-bun@v2
+              with:
+                  bun-version: 1.3.11
 
             - name: Install dependencies
               run: bun install --frozen-lockfile

diff --git a/TODO.md b/TODO.md
@@ -10,9 +10,9 @@ Critical work before public release.
 
 Core SDK is implemented and packaged (`@noormdev/sdk`). Remaining:
 
-- [ ] **SDK test coverage** - Dedicated tests for SDK surface (`createContext`, lifecycle, operations)
-- [ ] **Test mode enforcement** - When `requireTest: true`, SDK must refuse to connect if `config.isTest !== true`
-- [ ] **Protected config hard block** - Destructive operations (destroy, truncate, teardown) on protected configs are denied with no override. User must perform manually. Remove `allowProtected` option entirely.
+- [x] **SDK test coverage** - Dedicated tests for SDK surface (`createContext`, lifecycle, operations)
+- [x] **Test mode enforcement** - When `requireTest: true`, SDK must refuse to connect if `config.isTest !== true`
+- [x] **Protected config hard block** - Destructive operations (destroy, truncate, teardown) on protected configs are denied with no override. User must perform manually. Remove `allowProtected` option entirely.
 
 
 ### Headless CLI Gaps