@devtrack-solution/codesdd 1.2.3 → 1.2.4

package/dist/core/sdd/release-readiness.js

@@ -0,0 +1,767 @@
+import { existsSync } from 'node:fs';
+import { promises as fs } from 'node:fs';
+import { execFile } from 'node:child_process';
+import path from 'node:path';
+import { promisify } from 'node:util';
+import { parse as parseYaml } from 'yaml';
+import { SddCheckCommand } from './check.js';
+import { loadProjectSddConfig, loadStateSnapshot, resolveSddPaths, } from './state.js';
+import { evaluatePackageSecurityGates } from './package-security-gates.js';
+const execFileAsync = promisify(execFile);
+const CI_PARITY_COMMANDS = [
+    'pnpm run build',
+    'pnpm run sdd:schema:check',
+    'pnpm exec tsc --noEmit',
+    'pnpm run lint',
+    'pnpm run sdd:validate:no-build',
+    'pnpm exec vitest run --testTimeout 30000',
+    'pnpm run check:pack-version',
+];
+const REQUIRED_SCRIPTS = [
+    'build',
+    'sdd:schema:check',
+    'sdd:validate:no-build',
+    'lint',
+    'test',
+    'check:pack-version',
+    'quality:review',
+];
+const REQUIRED_SCHEMA_FILES = [
+    'workspace-catalog.schema.json',
+    '5-quality.schema.json',
+    'agent-runtime-command-plan.schema.json',
+    'agent-runtime-opencode-run-evidence.schema.json',
+];
+const COVERAGE_TARGET_PERCENT = 95;
+const CHECK_OWNERS = {
+    'sdd-health': 'codesdd/governance',
+    'active-features': 'codesdd/workspace',
+    'package-metadata': 'release/maintainers',
+    'release-scripts': 'ci/release',
+    'git-working-tree': 'operator/worktree',
+    'coverage-evidence': 'quality/owner',
+    'npmrc-secret-boundary': 'security/owner',
+    'package-security-gates': 'security/owner',
+    'provenance-sbom': 'release/security',
+    'tarball-smoke-rollback': 'release/operations',
+    'schema-artifacts': 'codesdd/schemas',
+    'release-docs': 'docs/release',
+};
+const CHECK_NEXT_ACTIONS = {
+    'sdd-health': 'Run `codesdd sdd check --render --strict` and fix listed blockers.',
+    'active-features': 'Finalize active FEAT workspaces with `codesdd sdd finalize --ref <FEAT-ID>`.',
+    'package-metadata': 'Align `package.json` name/license/bin to canonical release values.',
+    'release-scripts': 'Add missing scripts to `package.json` and rerun CI parity commands.',
+    'git-working-tree': 'Commit or clean non-release changes before running strict readiness.',
+    'coverage-evidence': 'Generate touched-scope coverage (`coverage/coverage-final.json`) at or above 95%.',
+    'npmrc-secret-boundary': 'Remove project-local `.npmrc` and keep it ignored by `.gitignore`.',
+    'package-security-gates': 'Fix package allowlist or secret-scan findings and rerun readiness.',
+    'provenance-sbom': 'Restore provenance/SBOM workflow, script and documentation evidence.',
+    'tarball-smoke-rollback': 'Restore CI tarball smoke and rollback documentation evidence.',
+    'schema-artifacts': 'Regenerate/export required files under `schemas/sdd`.',
+    'release-docs': 'Add missing `docs/release.md`, `docs/security.md` or `README.md`.',
+};
+const CHECK_DELTAS = {
+    'sdd-health': 'Canonical SDD check integrity for strict release gate.',
+    'active-features': 'No unfinished feature workspace can leak into release.',
+    'package-metadata': 'Canonical package identity and executable entrypoint.',
+    'release-scripts': 'Release scripts required for CI parity order are present.',
+    'git-working-tree': 'Release runs from a reproducible, inspectable repository state.',
+    'coverage-evidence': 'Touched source scope has measurable coverage at release threshold.',
+    'npmrc-secret-boundary': 'Project tree cannot carry local npm credentials.',
+    'package-security-gates': 'Package and secret scans must remain blocking.',
+    'provenance-sbom': 'Trusted publishing provenance and SBOM are verifiable.',
+    'tarball-smoke-rollback': 'Tarball smoke and rollback steps are executable and documented.',
+    'schema-artifacts': 'Required schema artifacts are present for consumers.',
+    'release-docs': 'Operator release and security docs are available.',
+};
+const SECTION_LABELS = {
+    governance: 'Governance',
+    tests: 'Tests',
+    release_readiness: 'Release Readiness',
+    git_cleanliness: 'Git Cleanliness',
+    runtime_env: 'Runtime Env',
+};
+const SECTION_ORDER = [
+    'governance',
+    'tests',
+    'release_readiness',
+    'git_cleanliness',
+    'runtime_env',
+];
+const CHECK_SECTION_MAP = {
+    'sdd-health': 'governance',
+    'active-features': 'governance',
+    'schema-artifacts': 'governance',
+    'release-docs': 'governance',
+    'coverage-evidence': 'tests',
+    'release-scripts': 'release_readiness',
+    'package-security-gates': 'release_readiness',
+    'provenance-sbom': 'release_readiness',
+    'tarball-smoke-rollback': 'release_readiness',
+    'git-working-tree': 'git_cleanliness',
+    'npmrc-secret-boundary': 'git_cleanliness',
+    'package-metadata': 'runtime_env',
+};
+export async function evaluateReleaseReadiness(projectRoot) {
+    const checks = [];
+    const packageJson = await readPackageJson(projectRoot);
+    const config = await loadProjectSddConfig(projectRoot);
+    const paths = resolveSddPaths(projectRoot, config);
+    const snapshot = await loadStateSnapshot(paths, config);
+    const sddCheck = await new SddCheckCommand().execute(projectRoot, { render: false, strict: true });
+    checks.push({
+        id: 'sdd-health',
+        status: sddCheck.valid ? 'pass' : 'fail',
+        summary: sddCheck.valid ? 'CodeSDD check is valid.' : 'CodeSDD check has blocking errors.',
+        evidence: sddCheck.valid ? undefined : sddCheck.errors.join(' | '),
+    });
+    const activeFeatures = snapshot.backlog.items.filter((item) => item.status === 'IN_PROGRESS').map((item) => item.id);
+    checks.push({
+        id: 'active-features',
+        status: activeFeatures.length === 0 ? 'pass' : 'fail',
+        summary: activeFeatures.length === 0 ? 'No active FEAT workspaces remain.' : 'Active FEAT workspaces remain.',
+        evidence: activeFeatures.join(', ') || undefined,
+    });
+    checks.push({
+        id: 'package-metadata',
+        status: packageJson.name === '@devtrack-solution/codesdd' &&
+            packageJson.license === 'MIT' &&
+            packageJson.bin?.codesdd === 'bin/codesdd.js'
+            ? 'pass'
+            : 'fail',
+        summary: 'Package name, license, and bin entry match release expectations.',
+        evidence: `${packageJson.name} ${packageJson.version}`,
+    });
+    const missingScripts = REQUIRED_SCRIPTS.filter((script) => !packageJson.scripts?.[script]);
+    checks.push({
+        id: 'release-scripts',
+        status: missingScripts.length === 0 ? 'pass' : 'fail',
+        summary: missingScripts.length === 0 ? 'Required release validation scripts are present.' : 'Required release validation scripts are missing.',
+        evidence: missingScripts.join(', ') || REQUIRED_SCRIPTS.join(', '),
+    });
+    checks.push(await evaluateGitWorkingTree(projectRoot));
+    checks.push(await evaluateCoverageEvidence(projectRoot));
+    checks.push(await evaluateNpmConfig(projectRoot));
+    checks.push(await evaluatePackageSecurity(projectRoot));
+    checks.push(await evaluateProvenanceAndSbom(projectRoot, packageJson));
+    checks.push(await evaluateTarballSmokeAndRollback(projectRoot, packageJson));
+    checks.push(await evaluateSchemaArtifacts(projectRoot));
+    checks.push(await evaluateReleaseDocs(projectRoot));
+    const exceptionLedger = await loadReleaseExceptionLedger(projectRoot, checks.map((check) => check.id));
+    for (const check of checks) {
+        const exceptionState = exceptionLedger.get(check.id) ?? { status: 'none' };
+        const classification = classifyCheck(check.status, exceptionState);
+        check.classification = classification;
+        check.owner = CHECK_OWNERS[check.id] ?? 'codesdd/owner';
+        check.delta = CHECK_DELTAS[check.id] ?? 'Release gate contract delta not documented.';
+        check.next_action = CHECK_NEXT_ACTIONS[check.id] ?? 'Review gate output and remediate before release.';
+        check.exception = exceptionState;
+        check.history = buildCheckHistory(check, exceptionState);
+    }
+    const blockers = checks
+        .filter((check) => check.classification === 'failed')
+        .map((check) => `${check.id}: ${check.summary}${check.evidence ? ` (${check.evidence})` : ''} [owner=${check.owner}; next=${check.next_action}]`);
+    const warnings = checks
+        .filter((check) => check.classification === 'follow_up' || check.classification === 'excepted')
+        .map((check) => `${check.id}: ${check.summary}${check.evidence ? ` (${check.evidence})` : ''} [classification=${check.classification}; next=${check.next_action}]`);
+    const handoffSections = buildHandoffSections(checks);
+    return {
+        schema_version: 1,
+        status: blockers.length > 0 ? 'blocked' : warnings.length > 0 ? 'warning' : 'ready',
+        generated_at: new Date().toISOString(),
+        blocker_classification: checks
+            .filter((check) => check.classification === 'failed' || check.classification === 'excepted')
+            .map((check) => ({
+            check_id: check.id,
+            classification: check.classification ?? 'failed',
+            owner: check.owner ?? 'codesdd/owner',
+            next_action: check.next_action ?? 'Review gate output and remediate before release.',
+            stale_exception: check.exception?.status === 'stale',
+        })),
+        blockers,
+        warnings,
+        checks,
+        handoff_sections: handoffSections,
+        ci_parity_commands: CI_PARITY_COMMANDS,
+    };
+}
+async function evaluateGitWorkingTree(projectRoot) {
+    if (!existsSync(path.join(projectRoot, '.git'))) {
+        return {
+            id: 'git-working-tree',
+            status: 'warn',
+            summary: 'Git working tree could not be verified because .git is absent.',
+            evidence: '.git',
+        };
+    }
+    try {
+        const { stdout } = await execFileAsync('git', ['status', '--porcelain=v1', '--untracked-files=all'], {
+            cwd: projectRoot,
+            maxBuffer: 1024 * 1024,
+        });
+        const entries = stdout.split(/\r?\n/u).filter(Boolean);
+        return {
+            id: 'git-working-tree',
+            status: entries.length === 0 ? 'pass' : 'fail',
+            summary: entries.length === 0 ? 'Working tree is clean.' : 'Working tree has uncommitted or untracked files.',
+            evidence: entries.slice(0, 12).join(' | ') || undefined,
+        };
+    }
+    catch (error) {
+        return {
+            id: 'git-working-tree',
+            status: 'warn',
+            summary: 'Git working tree could not be verified.',
+            evidence: error instanceof Error ? error.message : String(error),
+        };
+    }
+}
+async function evaluateCoverageEvidence(projectRoot) {
+    const coveragePath = path.join(projectRoot, 'coverage', 'coverage-final.json');
+    if (!existsSync(coveragePath)) {
+        return {
+            id: 'coverage-evidence',
+            status: 'fail',
+            summary: 'Coverage evidence is missing.',
+            evidence: 'coverage/coverage-final.json',
+        };
+    }
+    try {
+        const coverage = JSON.parse(await fs.readFile(coveragePath, 'utf-8'));
+        const changedSourceScope = await listChangedSourceScope(projectRoot);
+        const globalCoverage = summarizeCoverage(coverage, projectRoot);
+        const branchDisposition = globalCoverage.branches.percent < COVERAGE_TARGET_PERCENT
+            ? `; global branches ${globalCoverage.branches.percent}% tracked as ratchet`
+            : '';
+        if (changedSourceScope.size === 0) {
+            return {
+                id: 'coverage-evidence',
+                status: 'pass',
+                summary: 'Coverage evidence is present; no touched source scope detected for threshold gating.',
+                evidence: `no-touched-source; global statements ${globalCoverage.statements.percent}%, lines ${globalCoverage.lines.percent}%, functions ${globalCoverage.functions.percent}%${branchDisposition}`,
+            };
+        }
+        const touchedCoverage = summarizeCoverage(coverage, projectRoot, changedSourceScope);
+        const failingMetrics = ['statements', 'lines', 'functions'].filter((metric) => touchedCoverage[metric].percent < COVERAGE_TARGET_PERCENT);
+        const scopeFiles = [...changedSourceScope.keys()].sort();
+        const scope = `touched:${scopeFiles.join(',')}`;
+        return {
+            id: 'coverage-evidence',
+            status: failingMetrics.length === 0 ? 'pass' : 'fail',
+            summary: failingMetrics.length === 0
+                ? 'Coverage evidence meets release target for touched source scope.'
+                : 'Coverage evidence is below release target for touched source scope.',
+            evidence: `${scope}; statements ${touchedCoverage.statements.percent}%, lines ${touchedCoverage.lines.percent}%, functions ${touchedCoverage.functions.percent}%${branchDisposition}`,
+        };
+    }
+    catch (error) {
+        return {
+            id: 'coverage-evidence',
+            status: 'fail',
+            summary: 'Coverage evidence could not be parsed.',
+            evidence: error instanceof Error ? error.message : String(error),
+        };
+    }
+}
+export function formatReleaseReadinessReport(report) {
+    const lines = [`Release readiness: ${report.status}`, `Generated at: ${report.generated_at}`];
+    if (report.handoff_sections.length > 0) {
+        lines.push('Executable handoff sections:');
+        for (const section of report.handoff_sections) {
+            lines.push(`- [${section.id}] ${section.title}: ${section.status} (owner=${section.owner}; next=${section.next_action})`);
+            for (const snapshotLine of section.evidence.human_snapshot) {
+                lines.push(`  ${snapshotLine}`);
+            }
+        }
+    }
+    if (report.blocker_classification.length > 0) {
+        lines.push('Blocker classification:');
+        for (const blocker of report.blocker_classification) {
+            lines.push(`- ${blocker.check_id}: ${blocker.classification} (owner=${blocker.owner}; stale_exception=${blocker.stale_exception ? 'yes' : 'no'}; next=${blocker.next_action})`);
+        }
+    }
+    if (report.blockers.length > 0) {
+        lines.push('Blockers:');
+        for (const blocker of report.blockers)
+            lines.push(`- ${blocker}`);
+    }
+    if (report.warnings.length > 0) {
+        lines.push('Warnings:');
+        for (const warning of report.warnings)
+            lines.push(`- ${warning}`);
+    }
+    lines.push('Checks:');
+    for (const check of report.checks) {
+        lines.push(`- ${check.id}: ${check.status}/${check.classification ?? 'passed'} - ${check.summary}${check.evidence ? ` (${check.evidence})` : ''}${check.next_action ? ` [next=${check.next_action}]` : ''}`);
+    }
+    lines.push('CI parity commands:');
+    for (const command of report.ci_parity_commands)
+        lines.push(`- ${command}`);
+    return lines.join('\n');
+}
+function classifyCheck(status, exceptionState) {
+    if (status === 'pass')
+        return 'passed';
+    if (exceptionState.status === 'active')
+        return 'excepted';
+    if (status === 'warn')
+        return 'follow_up';
+    return 'failed';
+}
+function buildHandoffSections(checks) {
+    return SECTION_ORDER.map((sectionId) => {
+        const sectionChecks = checks.filter((check) => {
+            const mapped = CHECK_SECTION_MAP[check.id];
+            return mapped ? mapped === sectionId : sectionId === 'release_readiness';
+        });
+        const status = summarizeSectionStatus(sectionChecks);
+        const actionableCheck = sectionChecks.find((check) => check.classification === 'failed')
+            ?? sectionChecks.find((check) => check.classification === 'excepted' || check.classification === 'follow_up')
+            ?? sectionChecks[0];
+        const owner = actionableCheck?.owner ?? 'codesdd/owner';
+        const nextAction = actionableCheck?.next_action ?? 'No pending action.';
+        const jsonSnapshotChecks = sectionChecks.map((check) => ({
+            id: check.id,
+            status: check.status,
+            classification: check.classification ?? 'passed',
+            owner: check.owner ?? 'codesdd/owner',
+            next_action: check.next_action ?? 'Review gate output and remediate before release.',
+            evidence: check.evidence,
+        }));
+        const humanSnapshot = sectionChecks.map((check) => `- ${check.id}: ${check.status}/${check.classification ?? 'passed'} (owner=${check.owner ?? 'codesdd/owner'}; next=${check.next_action ?? 'Review gate output and remediate before release.'})`);
+        return {
+            id: sectionId,
+            title: SECTION_LABELS[sectionId],
+            status,
+            owner,
+            next_action: nextAction,
+            checks: sectionChecks,
+            evidence: {
+                json_snapshot: {
+                    section_id: sectionId,
+                    status,
+                    checks: jsonSnapshotChecks,
+                },
+                human_snapshot: humanSnapshot,
+            },
+        };
+    });
+}
+function summarizeSectionStatus(checks) {
+    if (checks.some((check) => check.classification === 'failed'))
+        return 'blocked';
+    if (checks.some((check) => check.classification === 'excepted' || check.classification === 'follow_up')) {
+        return 'warning';
+    }
+    return 'ready';
+}
+function buildCheckHistory(check, exceptionState) {
+    const history = [`check:${check.status}`];
+    if (check.classification) {
+        history.push(`classification:${check.classification}`);
+    }
+    if (exceptionState.status === 'active') {
+        history.push('exception:active');
+        if (exceptionState.review_deadline) {
+            history.push(`exception-review-deadline:${exceptionState.review_deadline}`);
+        }
+    }
+    else if (exceptionState.status === 'stale') {
+        history.push('exception:stale-reblocked');
+        if (exceptionState.review_deadline) {
+            history.push(`exception-expired:${exceptionState.review_deadline}`);
+        }
+    }
+    return history;
+}
+async function loadReleaseExceptionLedger(projectRoot, knownCheckIds) {
+    const ledger = new Map();
+    for (const area of ['active', 'planned']) {
+        const areaRoot = path.join(projectRoot, '.sdd', area);
+        if (!existsSync(areaRoot))
+            continue;
+        const features = await fs.readdir(areaRoot, { withFileTypes: true }).catch(() => []);
+        for (const feature of features) {
+            if (!feature.isDirectory())
+                continue;
+            const qualityPath = path.join(areaRoot, feature.name, '5-quality.yaml');
+            if (!existsSync(qualityPath))
+                continue;
+            const entries = await readQualityExceptionEntries(qualityPath, knownCheckIds);
+            for (const [checkId, entry] of entries) {
+                const previous = ledger.get(checkId);
+                if (!previous || (previous.status !== 'stale' && entry.status === 'stale')) {
+                    ledger.set(checkId, {
+                        status: entry.status,
+                        source: entry.source,
+                        scope: entry.scope,
+                        reason: entry.reason,
+                        accepted_risk: entry.accepted_risk,
+                        compensating_control: entry.compensating_control,
+                        review_deadline: entry.review_deadline,
+                        approver: entry.approver,
+                    });
+                }
+            }
+        }
+    }
+    return ledger;
+}
+async function readQualityExceptionEntries(qualityPath, knownCheckIds) {
+    const byCheck = new Map();
+    const raw = await fs.readFile(qualityPath, 'utf-8').catch(() => '');
+    if (!raw.trim())
+        return byCheck;
+    const parsed = parseYaml(raw);
+    const exceptions = Array.isArray(parsed?.exceptions) ? parsed.exceptions : [];
+    for (const exception of exceptions) {
+        if (!exception || typeof exception !== 'object')
+            continue;
+        const entry = exception;
+        const checkIds = resolveExceptionCheckIds(entry, knownCheckIds);
+        if (checkIds.length === 0)
+            continue;
+        const reviewDeadline = readString(entry.review_deadline)
+            ?? readString(entry.deadline)
+            ?? readString(entry.expires_at)
+            ?? readString(entry.expires_on);
+        const stale = isDeadlineStale(reviewDeadline);
+        const normalized = {
+            status: stale ? 'stale' : 'active',
+            source: qualityPath,
+            scope: readString(entry.scope),
+            reason: readString(entry.reason),
+            accepted_risk: readString(entry.accepted_risk),
+            compensating_control: readString(entry.compensating_control),
+            review_deadline: reviewDeadline,
+            approver: readString(entry.approver),
+        };
+        for (const checkId of checkIds) {
+            byCheck.set(checkId, normalized);
+        }
+    }
+    return byCheck;
+}
+function resolveExceptionCheckIds(entry, knownCheckIds) {
+    const explicit = [
+        ...readStringArray(entry.check_ids),
+        ...readStringArray(entry.check_id),
+        ...readStringArray(entry.release_check_ids),
+        ...readStringArray(entry.release_check_id),
+    ];
+    if (explicit.length > 0) {
+        return explicit.filter((value) => knownCheckIds.includes(value));
+    }
+    const scope = readString(entry.scope);
+    if (!scope)
+        return [];
+    const normalizedScope = scope.toLowerCase();
+    return knownCheckIds.filter((checkId) => normalizedScope.includes(checkId.toLowerCase()));
+}
+function readString(value) {
+    return typeof value === 'string' && value.trim().length > 0 ? value.trim() : undefined;
+}
+function readStringArray(value) {
+    if (Array.isArray(value)) {
+        return value.flatMap((entry) => (typeof entry === 'string' && entry.trim().length > 0 ? [entry.trim()] : []));
+    }
+    if (typeof value === 'string' && value.trim().length > 0) {
+        return [value.trim()];
+    }
+    return [];
+}
+function isDeadlineStale(reviewDeadline) {
+    if (!reviewDeadline)
+        return false;
+    const parsed = Date.parse(reviewDeadline);
+    if (Number.isNaN(parsed))
+        return false;
+    return parsed < Date.now();
+}
+async function readPackageJson(projectRoot) {
+    const content = await fs.readFile(path.join(projectRoot, 'package.json'), 'utf-8');
+    return JSON.parse(content);
+}
+async function listChangedSourceScope(projectRoot) {
+    const changed = new Map();
+    if (!existsSync(path.join(projectRoot, '.git')))
+        return changed;
+    try {
+        const { stdout: status } = await execFileAsync('git', ['status', '--porcelain=v1', '--untracked-files=all'], {
+            cwd: projectRoot,
+            maxBuffer: 1024 * 1024,
+        });
+        for (const line of status.split(/\r?\n/u).filter(Boolean)) {
+            const statusCode = line.slice(0, 2);
+            const relativePath = line
+                .slice(3)
+                .trim()
+                .split(' -> ')
+                .at(-1) || '';
+            if (!/^src\/.*\.tsx?$/u.test(relativePath))
+                continue;
+            changed.set(path.normalize(relativePath), statusCode === '??' ? null : new Set());
+        }
+        await addDiffSourceLines(projectRoot, changed, ['diff', '--unified=0', '--', 'src']);
+        if (changed.size === 0) {
+            const upstreamBase = await resolveUpstreamDiffBase(projectRoot);
+            if (upstreamBase) {
+                await addDiffSourceLines(projectRoot, changed, ['diff', '--unified=0', `${upstreamBase}...HEAD`, '--', 'src']);
+            }
+        }
+    }
+    catch {
+        return changed;
+    }
+    return changed;
+}
+async function resolveUpstreamDiffBase(projectRoot) {
+    try {
+        const { stdout: upstreamStdout } = await execFileAsync('git', ['rev-parse', '--abbrev-ref', '--symbolic-full-name', '@{upstream}'], {
+            cwd: projectRoot,
+            maxBuffer: 1024 * 1024,
+        });
+        const upstream = upstreamStdout.trim();
+        if (!upstream)
+            return undefined;
+        const [{ stdout: baseStdout }, { stdout: headStdout }] = await Promise.all([
+            execFileAsync('git', ['merge-base', 'HEAD', upstream], {
+                cwd: projectRoot,
+                maxBuffer: 1024 * 1024,
+            }),
+            execFileAsync('git', ['rev-parse', 'HEAD'], {
+                cwd: projectRoot,
+                maxBuffer: 1024 * 1024,
+            }),
+        ]);
+        const base = baseStdout.trim();
+        const head = headStdout.trim();
+        return base && base !== head ? base : undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+async function addDiffSourceLines(projectRoot, changed, diffArgs) {
+    const { stdout: diff } = await execFileAsync('git', diffArgs, {
+        cwd: projectRoot,
+        maxBuffer: 1024 * 1024,
+    });
+    let currentFile = '';
+    let newLine = 0;
+    for (const line of diff.split(/\r?\n/u)) {
+        if (line.startsWith('+++ b/')) {
+            currentFile = path.normalize(line.slice('+++ b/'.length));
+            if (/^src[/\\].*\.tsx?$/u.test(currentFile) && !changed.has(currentFile)) {
+                changed.set(currentFile, new Set());
+            }
+            continue;
+        }
+        const hunk = line.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/u);
+        if (hunk) {
+            newLine = Number(hunk[1]);
+            continue;
+        }
+        if (!currentFile || !changed.has(currentFile) || changed.get(currentFile) === null)
+            continue;
+        if (line.startsWith('+') && !line.startsWith('+++')) {
+            changed.get(currentFile)?.add(newLine);
+            newLine += 1;
+        }
+        else if (!line.startsWith('-')) {
+            newLine += 1;
+        }
+    }
+}
+function summarizeCoverage(coverage, projectRoot, changedSourceScope = new Map()) {
+    const totals = {
+        statements: { covered: 0, total: 0, percent: 100 },
+        branches: { covered: 0, total: 0, percent: 100 },
+        functions: { covered: 0, total: 0, percent: 100 },
+        lines: { covered: 0, total: 0, percent: 100 },
+    };
+    for (const [absolutePath, fileCoverage] of Object.entries(coverage)) {
+        const relativePath = path.normalize(path.relative(projectRoot, fileCoverage.path || absolutePath));
+        const isSource = relativePath.startsWith(`src${path.sep}`) && /\.tsx?$/u.test(relativePath);
+        if (!isSource)
+            continue;
+        const changedLines = changedSourceScope.get(relativePath);
+        if (changedSourceScope.size > 0 && changedLines === undefined)
+            continue;
+        const lineHits = new Map();
+        for (const [statementId, count] of Object.entries(fileCoverage.s || {})) {
+            const line = fileCoverage.statementMap?.[statementId]?.start?.line;
+            if (changedLines && (line === undefined || !changedLines.has(line)))
+                continue;
+            totals.statements.total += 1;
+            if (count > 0)
+                totals.statements.covered += 1;
+            if (line !== undefined) {
+                lineHits.set(line, (lineHits.get(line) || 0) + (count > 0 ? 1 : 0));
+            }
+        }
+        for (const [functionId, count] of Object.entries(fileCoverage.f || {})) {
+            const line = fileCoverage.fnMap?.[functionId]?.decl?.start?.line || fileCoverage.fnMap?.[functionId]?.loc?.start?.line;
+            if (changedLines && (line === undefined || !changedLines.has(line)))
+                continue;
+            totals.functions.total += 1;
+            if (count > 0)
+                totals.functions.covered += 1;
+        }
+        for (const counts of Object.values(fileCoverage.b || {})) {
+            for (const count of counts) {
+                totals.branches.total += 1;
+                if (count > 0)
+                    totals.branches.covered += 1;
+            }
+        }
+        for (const count of lineHits.values()) {
+            totals.lines.total += 1;
+            if (count > 0)
+                totals.lines.covered += 1;
+        }
+    }
+    for (const metric of Object.values(totals)) {
+        metric.percent = roundPercent(metric.covered, metric.total);
+    }
+    return totals;
+}
+function roundPercent(covered, total) {
+    return total === 0 ? 100 : Number(((covered / total) * 100).toFixed(2));
+}
+async function evaluateNpmConfig(projectRoot) {
+    const npmrcPath = path.join(projectRoot, '.npmrc');
+    const gitignorePath = path.join(projectRoot, '.gitignore');
+    const gitignore = await fs.readFile(gitignorePath, 'utf-8').catch(() => '');
+    const npmrcIgnored = gitignore.split(/\r?\n/u).some((line) => line.trim() === '.npmrc');
+    if (existsSync(npmrcPath)) {
+        return {
+            id: 'npmrc-secret-boundary',
+            status: 'fail',
+            summary: 'Project-local .npmrc exists and must not be present for release readiness.',
+            evidence: '.npmrc',
+        };
+    }
+    return {
+        id: 'npmrc-secret-boundary',
+        status: npmrcIgnored ? 'pass' : 'warn',
+        summary: npmrcIgnored ? '.npmrc is absent and ignored.' : '.npmrc is absent but not explicitly ignored.',
+        evidence: npmrcIgnored ? undefined : '.gitignore',
+    };
+}
+async function evaluatePackageSecurity(projectRoot) {
+    const report = await evaluatePackageSecurityGates(projectRoot);
+    const issues = [
+        ...report.package_allowlist.issues,
+        ...report.secret_scan.issues,
+    ];
+    return {
+        id: 'package-security-gates',
+        status: report.status === 'pass' ? 'pass' : 'fail',
+        summary: report.status === 'pass'
+            ? 'Package allowlist and high-confidence secret scan passed.'
+            : 'Package allowlist or high-confidence secret scan failed.',
+        evidence: issues.length > 0
+            ? issues.map((issue) => `${issue.code}:${issue.path}`).join(', ')
+            : `${report.package_allowlist.allowed_files.length} package entries; ${report.secret_scan.scanned_files} files scanned`,
+    };
+}
+async function evaluateSchemaArtifacts(projectRoot) {
+    const missing = REQUIRED_SCHEMA_FILES.filter((fileName) => !existsSync(path.join(projectRoot, 'schemas', 'sdd', fileName)));
+    return {
+        id: 'schema-artifacts',
+        status: missing.length === 0 ? 'pass' : 'fail',
+        summary: missing.length === 0 ? 'Required SDD schema artifacts are present.' : 'Required SDD schema artifacts are missing.',
+        evidence: missing.join(', ') || REQUIRED_SCHEMA_FILES.join(', '),
+    };
+}
+async function evaluateProvenanceAndSbom(projectRoot, packageJson) {
+    const workflowPath = path.join(projectRoot, '.github', 'workflows', 'release-prepare.yml');
+    const releaseDocPath = path.join(projectRoot, 'docs', 'release.md');
+    const securityDocPath = path.join(projectRoot, 'docs', 'security.md');
+    const workflow = await fs.readFile(workflowPath, 'utf-8').catch(() => '');
+    const releaseDoc = await fs.readFile(releaseDocPath, 'utf-8').catch(() => '');
+    const securityDoc = await fs.readFile(securityDocPath, 'utf-8').catch(() => '');
+    const docText = `${releaseDoc}\n${securityDoc}`;
+    const missing = [];
+    if (packageJson.publishConfig?.provenance !== true) {
+        missing.push('publishConfig.provenance=true');
+    }
+    if (!packageJson.scripts?.['release:sbom']) {
+        missing.push('scripts.release:sbom');
+    }
+    if (!/id-token:\s*write/u.test(workflow)) {
+        missing.push('release workflow id-token: write');
+    }
+    if (!/changesets\/action|npm\s+publish/u.test(workflow)) {
+        missing.push('release workflow publish step');
+    }
+    if (!/SBOM|Software Bill of Materials|npm sbom|CycloneDX|SPDX/iu.test(docText)) {
+        missing.push('SBOM documentation');
+    }
+    if (!/trusted publishing|OIDC|provenance/iu.test(docText)) {
+        missing.push('trusted publishing/provenance documentation');
+    }
+    return {
+        id: 'provenance-sbom',
+        status: missing.length === 0 ? 'pass' : 'fail',
+        summary: missing.length === 0
+            ? 'Trusted publishing provenance and SBOM evidence are configured.'
+            : 'Trusted publishing provenance or SBOM evidence is incomplete.',
+        evidence: missing.join(', ') || 'publishConfig.provenance, release:sbom, OIDC workflow, docs/release.md, docs/security.md',
+    };
+}
+async function evaluateTarballSmokeAndRollback(projectRoot, packageJson) {
+    const workflowPath = path.join(projectRoot, '.github', 'workflows', 'ci.yml');
+    const releaseDocPath = path.join(projectRoot, 'docs', 'release.md');
+    const workflow = await fs.readFile(workflowPath, 'utf-8').catch(() => '');
+    const releaseDoc = await fs.readFile(releaseDocPath, 'utf-8').catch(() => '');
+    const missing = [];
+    if (!packageJson.scripts?.['check:pack-version']) {
+        missing.push('scripts.check:pack-version');
+    }
+    if (!/pnpm\s+run\s+check:pack-version/u.test(workflow)) {
+        missing.push('CI check:pack-version step');
+    }
+    if (!/(npm|pnpm)\s+pack/u.test(workflow)) {
+        missing.push('CI tarball pack step');
+    }
+    if (!/npm\s+install\s+-g\s+\.\/.*--force/u.test(workflow.replace(/\s+/gu, ' '))) {
+        missing.push('CI global tarball install step');
+    }
+    if (!/codesdd\s+--version/u.test(workflow)) {
+        missing.push('CI CLI version smoke');
+    }
+    if (!/codesdd\s+install\s+--tools\s+none/u.test(workflow)) {
+        missing.push('CI bootstrap install smoke');
+    }
+    if (!/(manual fallback release|tarball)/iu.test(releaseDoc)) {
+        missing.push('tarball fallback release docs');
+    }
+    if (!/npm\s+deprecate\s+@devtrack-solution\/codesdd@<broken-version>/u.test(releaseDoc)) {
+        missing.push('npm deprecate rollback command');
+    }
+    if (!/(rollback strategy|cut a patch release|publish and update release notes)/iu.test(releaseDoc)) {
+        missing.push('rollback operator steps');
+    }
+    return {
+        id: 'tarball-smoke-rollback',
+        status: missing.length === 0 ? 'pass' : 'fail',
+        summary: missing.length === 0
+            ? 'Tarball install smoke and rollback evidence are configured.'
+            : 'Tarball install smoke or rollback evidence is incomplete.',
+        evidence: missing.join(', ') || '.github/workflows/ci.yml, docs/release.md, scripts.check:pack-version',
+    };
+}
+async function evaluateReleaseDocs(projectRoot) {
+    const required = ['docs/release.md', 'docs/security.md', 'README.md'];
+    const missing = required.filter((relativePath) => !existsSync(path.join(projectRoot, relativePath)));
+    return {
+        id: 'release-docs',
+        status: missing.length === 0 ? 'pass' : 'fail',
+        summary: missing.length === 0 ? 'Release and security documentation are present.' : 'Release or security documentation is missing.',
+        evidence: missing.join(', ') || required.join(', '),
+    };
+}
+//# sourceMappingURL=release-readiness.js.map