@bradygaster/squad-sdk 0.8.17 → 0.8.18

package/templates/workflows/squad-label-enforce.yml

@@ -0,0 +1,181 @@
+name: Squad Label Enforce
+
+on:
+  issues:
+    types: [labeled]
+
+permissions:
+  issues: write
+  contents: read
+
+jobs:
+  enforce:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Enforce mutual exclusivity
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const issue = context.payload.issue;
+            const appliedLabel = context.payload.label.name;
+
+            // Namespaces with mutual exclusivity rules
+            const EXCLUSIVE_PREFIXES = ['go:', 'release:', 'type:', 'priority:'];
+
+            // Skip if not a managed namespace label
+            if (!EXCLUSIVE_PREFIXES.some(p => appliedLabel.startsWith(p))) {
+              core.info(`Label ${appliedLabel} is not in a managed namespace — skipping`);
+              return;
+            }
+
+            const allLabels = issue.labels.map(l => l.name);
+
+            // Handle go: namespace (mutual exclusivity)
+            if (appliedLabel.startsWith('go:')) {
+              const otherGoLabels = allLabels.filter(l => 
+                l.startsWith('go:') && l !== appliedLabel
+              );
+
+              if (otherGoLabels.length > 0) {
+                // Remove conflicting go: labels
+                for (const label of otherGoLabels) {
+                  await github.rest.issues.removeLabel({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    issue_number: issue.number,
+                    name: label
+                  });
+                  core.info(`Removed conflicting label: ${label}`);
+                }
+
+                // Post update comment
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: issue.number,
+                  body: `🏷️ Triage verdict updated → \`${appliedLabel}\``
+                });
+              }
+
+              // Auto-apply release:backlog if go:yes and no release target
+              if (appliedLabel === 'go:yes') {
+                const hasReleaseLabel = allLabels.some(l => l.startsWith('release:'));
+                if (!hasReleaseLabel) {
+                  await github.rest.issues.addLabels({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    issue_number: issue.number,
+                    labels: ['release:backlog']
+                  });
+
+                  await github.rest.issues.createComment({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    issue_number: issue.number,
+                    body: `📋 Marked as \`release:backlog\` — assign a release target when ready.`
+                  });
+
+                  core.info('Applied release:backlog for go:yes issue');
+                }
+              }
+
+              // Remove release: labels if go:no
+              if (appliedLabel === 'go:no') {
+                const releaseLabels = allLabels.filter(l => l.startsWith('release:'));
+                if (releaseLabels.length > 0) {
+                  for (const label of releaseLabels) {
+                    await github.rest.issues.removeLabel({
+                      owner: context.repo.owner,
+                      repo: context.repo.repo,
+                      issue_number: issue.number,
+                      name: label
+                    });
+                    core.info(`Removed release label from go:no issue: ${label}`);
+                  }
+                }
+              }
+            }
+
+            // Handle release: namespace (mutual exclusivity)
+            if (appliedLabel.startsWith('release:')) {
+              const otherReleaseLabels = allLabels.filter(l => 
+                l.startsWith('release:') && l !== appliedLabel
+              );
+
+              if (otherReleaseLabels.length > 0) {
+                // Remove conflicting release: labels
+                for (const label of otherReleaseLabels) {
+                  await github.rest.issues.removeLabel({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    issue_number: issue.number,
+                    name: label
+                  });
+                  core.info(`Removed conflicting label: ${label}`);
+                }
+
+                // Post update comment
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: issue.number,
+                  body: `🏷️ Release target updated → \`${appliedLabel}\``
+                });
+              }
+            }
+
+            // Handle type: namespace (mutual exclusivity)
+            if (appliedLabel.startsWith('type:')) {
+              const otherTypeLabels = allLabels.filter(l => 
+                l.startsWith('type:') && l !== appliedLabel
+              );
+
+              if (otherTypeLabels.length > 0) {
+                for (const label of otherTypeLabels) {
+                  await github.rest.issues.removeLabel({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    issue_number: issue.number,
+                    name: label
+                  });
+                  core.info(`Removed conflicting label: ${label}`);
+                }
+
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: issue.number,
+                  body: `🏷️ Issue type updated → \`${appliedLabel}\``
+                });
+              }
+            }
+
+            // Handle priority: namespace (mutual exclusivity)
+            if (appliedLabel.startsWith('priority:')) {
+              const otherPriorityLabels = allLabels.filter(l => 
+                l.startsWith('priority:') && l !== appliedLabel
+              );
+
+              if (otherPriorityLabels.length > 0) {
+                for (const label of otherPriorityLabels) {
+                  await github.rest.issues.removeLabel({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    issue_number: issue.number,
+                    name: label
+                  });
+                  core.info(`Removed conflicting label: ${label}`);
+                }
+
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: issue.number,
+                  body: `🏷️ Priority updated → \`${appliedLabel}\``
+                });
+              }
+            }
+
+            core.info(`Label enforcement complete for ${appliedLabel}`);

package/templates/workflows/squad-main-guard.yml

@@ -0,0 +1,129 @@
+name: Squad Protected Branch Guard
+
+on:
+  pull_request:
+    branches: [main, preview, insider]
+    types: [opened, synchronize, reopened]
+  push:
+    branches: [main, preview, insider]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  guard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check for forbidden paths
+        uses: actions/github-script@v7
+        with:
+          script: |
+            // Fetch all files changed - handles both PR and push events
+            let files = [];
+            
+            if (context.eventName === 'pull_request') {
+              // PR event: use pulls.listFiles API
+              let page = 1;
+              while (true) {
+                const resp = await github.rest.pulls.listFiles({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  pull_number: context.payload.pull_request.number,
+                  per_page: 100,
+                  page
+                });
+                files.push(...resp.data);
+                if (resp.data.length < 100) break;
+                page++;
+              }
+            } else if (context.eventName === 'push') {
+              // Push event: compare against base branch
+              const base = context.payload.before;
+              const head = context.payload.after;
+              
+              // If this is not a force push and base exists, compare commits
+              if (base && base !== '0000000000000000000000000000000000000000') {
+                const comparison = await github.rest.repos.compareCommits({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  base,
+                  head
+                });
+                files = comparison.data.files || [];
+              } else {
+                // Force push or initial commit: list all files in the current tree
+                core.info('Force push detected or initial commit, checking tree state');
+                const { data: tree } = await github.rest.git.getTree({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  tree_sha: head,
+                  recursive: 'true'
+                });
+                files = tree.tree
+                  .filter(item => item.type === 'blob')
+                  .map(item => ({ filename: item.path, status: 'added' }));
+              }
+            }
+
+            // Check each file against forbidden path rules
+            // Allow removals — deleting forbidden files from protected branches is fine
+            const forbidden = files
+              .filter(f => f.status !== 'removed')
+              .map(f => f.filename)
+              .filter(f => {
+                // .ai-team/** and .squad/** — ALL team state files, zero exceptions
+                if (f === '.ai-team' || f.startsWith('.ai-team/') || f === '.squad' || f.startsWith('.squad/')) return true;
+                // .ai-team-templates/** — Squad's own templates, stay on dev
+                if (f === '.ai-team-templates' || f.startsWith('.ai-team-templates/')) return true;
+                // team-docs/** — ALL internal team docs, zero exceptions
+                if (f.startsWith('team-docs/')) return true;
+                // docs/proposals/** — internal design proposals, stay on dev
+                if (f.startsWith('docs/proposals/')) return true;
+                return false;
+              });
+
+            if (forbidden.length === 0) {
+              core.info('✅ No forbidden paths found in PR — all clear.');
+              return;
+            }
+
+            // Build a clear, actionable error message
+            const lines = [
+              '## 🚫 Forbidden files detected in PR to main',
+              '',
+              'The following files must NOT be merged into `main`.',
+              '`.ai-team/` and `.squad/` are runtime team state — they belong on dev branches only.',
+              '`.ai-team-templates/` is Squad\'s internal planning — it belongs on dev branches only.',
+              '`team-docs/` is internal team content — it belongs on dev branches only.',
+              '`docs/proposals/` is internal design proposals — it belongs on dev branches only.',
+              '',
+              '### Forbidden files found:',
+              '',
+              ...forbidden.map(f => `- \`${f}\``),
+              '',
+              '### How to fix:',
+              '',
+              '```bash',
+              '# Remove tracked .ai-team/ files (keeps local copies):',
+              'git rm --cached -r .ai-team/',
+              '',
+              '# Remove tracked .squad/ files (keeps local copies):',
+              'git rm --cached -r .squad/',
+              '',
+              '# Remove tracked team-docs/ files:',
+              'git rm --cached -r team-docs/',
+              '',
+              '# Commit the removal and push:',
+              'git commit -m "chore: remove forbidden paths from PR"',
+              'git push',
+              '```',
+              '',
+              '> ⚠️ `.ai-team/` and `.squad/` are committed on `dev` and feature branches by design.',
+              '> The guard workflow is the enforcement mechanism that keeps these files off `main` and `preview`.',
+              '> `git rm --cached` untracks them from this PR without deleting your local copies.',
+            ];
+
+            core.setFailed(lines.join('\n'));

package/templates/workflows/squad-preview.yml

@@ -0,0 +1,55 @@
+name: Squad Preview Validation
+
+on:
+  push:
+    branches: [preview]
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Validate version consistency
+        run: |
+          VERSION=$(node -e "console.log(require('./package.json').version)")
+          if ! grep -q "## \[$VERSION\]" CHANGELOG.md 2>/dev/null; then
+            echo "::error::Version $VERSION not found in CHANGELOG.md — update CHANGELOG.md before release"
+            exit 1
+          fi
+          echo "✅ Version $VERSION validated in CHANGELOG.md"
+
+      - name: Run tests
+        run: node --test test/*.test.js
+
+      - name: Check no .ai-team/ or .squad/ files are tracked
+        run: |
+          FOUND_FORBIDDEN=0
+          if git ls-files --error-unmatch .ai-team/ 2>/dev/null; then
+            echo "::error::❌ .ai-team/ files are tracked on preview — this must not ship."
+            FOUND_FORBIDDEN=1
+          fi
+          if git ls-files --error-unmatch .squad/ 2>/dev/null; then
+            echo "::error::❌ .squad/ files are tracked on preview — this must not ship."
+            FOUND_FORBIDDEN=1
+          fi
+          if [ $FOUND_FORBIDDEN -eq 1 ]; then
+            exit 1
+          fi
+          echo "✅ No .ai-team/ or .squad/ files tracked — clean for release."
+
+      - name: Validate package.json version
+        run: |
+          VERSION=$(node -e "console.log(require('./package.json').version)")
+          if [ -z "$VERSION" ]; then
+            echo "::error::❌ No version field found in package.json."
+            exit 1
+          fi
+          echo "✅ package.json version: $VERSION"

package/templates/workflows/squad-promote.yml

@@ -0,0 +1,121 @@
+name: Squad Promote
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Dry run — show what would happen without pushing'
+        required: false
+        default: 'false'
+        type: choice
+        options: ['false', 'true']
+
+permissions:
+  contents: write
+
+jobs:
+  dev-to-preview:
+    name: Promote dev → preview
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch all branches
+        run: git fetch --all
+
+      - name: Show current state (dry run info)
+        run: |
+          echo "=== dev HEAD ===" && git log origin/dev -1 --oneline
+          echo "=== preview HEAD ===" && git log origin/preview -1 --oneline
+          echo "=== Files that would be stripped ==="
+          git diff origin/preview..origin/dev --name-only | grep -E "^(\.(ai-team|squad|ai-team-templates|squad-templates)|team-docs/|docs/proposals/)" || echo "(none)"
+
+      - name: Merge dev → preview (strip forbidden paths)
+        if: ${{ inputs.dry_run == 'false' }}
+        run: |
+          git checkout preview
+          git merge origin/dev --no-commit --no-ff -X theirs || true
+
+          # Strip forbidden paths from merge commit
+          git rm -rf --cached --ignore-unmatch \
+            .ai-team/ \
+            .squad/ \
+            .ai-team-templates/ \
+            .squad-templates/ \
+            team-docs/ \
+            "docs/proposals/" || true
+
+          # Commit if there are staged changes
+          if ! git diff --cached --quiet; then
+            git commit -m "chore: promote dev → preview (v$(node -e "console.log(require('./package.json').version)"))"
+            git push origin preview
+            echo "✅ Pushed preview branch"
+          else
+            echo "ℹ️ Nothing to commit — preview is already up to date"
+          fi
+
+      - name: Dry run complete
+        if: ${{ inputs.dry_run == 'true' }}
+        run: echo "🔍 Dry run complete — no changes pushed."
+
+  preview-to-main:
+    name: Promote preview → main (release)
+    needs: dev-to-preview
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch all branches
+        run: git fetch --all
+
+      - name: Show current state
+        run: |
+          echo "=== preview HEAD ===" && git log origin/preview -1 --oneline
+          echo "=== main HEAD ===" && git log origin/main -1 --oneline
+          echo "=== Version ===" && node -e "console.log('v' + require('./package.json').version)"
+
+      - name: Validate preview is release-ready
+        run: |
+          git checkout preview
+          VERSION=$(node -e "console.log(require('./package.json').version)")
+          if ! grep -q "## \[$VERSION\]" CHANGELOG.md 2>/dev/null; then
+            echo "::error::Version $VERSION not found in CHANGELOG.md — update before releasing"
+            exit 1
+          fi
+          echo "✅ Version $VERSION has CHANGELOG entry"
+
+          # Verify no forbidden files on preview
+          FORBIDDEN=$(git ls-files | grep -E "^(\.(ai-team|squad|ai-team-templates|squad-templates)/|team-docs/|docs/proposals/)" || true)
+          if [ -n "$FORBIDDEN" ]; then
+            echo "::error::Forbidden files found on preview: $FORBIDDEN"
+            exit 1
+          fi
+          echo "✅ No forbidden files on preview"
+
+      - name: Merge preview → main
+        if: ${{ inputs.dry_run == 'false' }}
+        run: |
+          git checkout main
+          git merge origin/preview --no-ff -m "chore: promote preview → main (v$(node -e "console.log(require('./package.json').version)"))"
+          git push origin main
+          echo "✅ Pushed main — squad-release.yml will tag and publish the release"
+
+      - name: Dry run complete
+        if: ${{ inputs.dry_run == 'true' }}
+        run: echo "🔍 Dry run complete — no changes pushed."

package/templates/workflows/squad-release.yml

@@ -0,0 +1,77 @@
+name: Squad Release
+
+on:
+  push:
+    branches: [main]
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Run tests
+        run: node --test test/*.test.js
+
+      - name: Validate version consistency
+        run: |
+          VERSION=$(node -e "console.log(require('./package.json').version)")
+          if ! grep -q "## \[$VERSION\]" CHANGELOG.md 2>/dev/null; then
+            echo "::error::Version $VERSION not found in CHANGELOG.md — update CHANGELOG.md before release"
+            exit 1
+          fi
+          echo "✅ Version $VERSION validated in CHANGELOG.md"
+
+      - name: Read version from package.json
+        id: version
+        run: |
+          VERSION=$(node -e "console.log(require('./package.json').version)")
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "tag=v$VERSION" >> "$GITHUB_OUTPUT"
+          echo "📦 Version: $VERSION (tag: v$VERSION)"
+
+      - name: Check if tag already exists
+        id: check_tag
+        run: |
+          if git rev-parse "refs/tags/${{ steps.version.outputs.tag }}" >/dev/null 2>&1; then
+            echo "exists=true" >> "$GITHUB_OUTPUT"
+            echo "⏭️ Tag ${{ steps.version.outputs.tag }} already exists — skipping release."
+          else
+            echo "exists=false" >> "$GITHUB_OUTPUT"
+            echo "🆕 Tag ${{ steps.version.outputs.tag }} does not exist — creating release."
+          fi
+
+      - name: Create git tag
+        if: steps.check_tag.outputs.exists == 'false'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git tag -a "${{ steps.version.outputs.tag }}" -m "Release ${{ steps.version.outputs.tag }}"
+          git push origin "${{ steps.version.outputs.tag }}"
+
+      - name: Create GitHub Release
+        if: steps.check_tag.outputs.exists == 'false'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release create "${{ steps.version.outputs.tag }}" \
+            --title "${{ steps.version.outputs.tag }}" \
+            --generate-notes \
+            --latest
+
+      - name: Verify release
+        if: steps.check_tag.outputs.exists == 'false'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release view "${{ steps.version.outputs.tag }}"
+          echo "✅ Release ${{ steps.version.outputs.tag }} created and verified."