@hiveai/cli 0.12.1 → 0.12.4

package/README.md

@@ -187,6 +187,35 @@ Autogenerated sensors are conservative: they start as `warn` and `autogen: true`
 high-confidence sensors to `severity: block`, which makes a deterministic pre-commit blocker when the
 sensor matches added diff lines.
 
+### `haive eval`
+
+Run the repeatable quality gate for hAIve itself or for a project using hAIve:
+
+```bash
+haive eval
+haive eval --semantic-only
+haive eval --spec .ai/eval/spec.json --fail-under 80
+```
+
+Without `--spec`, hAIve synthesizes retrieval cases from anchored memories. If `.ai/eval/spec.json`
+exists, it is loaded automatically and merged with those synthesized retrieval cases. Use that file
+for labeled sensor cases and hard retrieval probes so CI measures both “did the right memory surface?”
+and “did the executable guardrail fire?”.
+
+### `haive doctor`
+
+`doctor` is the first stop when hAIve feels inconsistent locally:
+
+```bash
+haive doctor
+haive doctor --json
+haive doctor --fix
+```
+
+It reports missing `pnpm`, stale workspace `dist` artifacts after a pull, global CLI/MCP version skew,
+outdated code-search indexes, memory-lint findings, and harness coverage. The output is intentionally
+actionable: every setup finding should carry the exact command to run next.
+
 ### `haive benchmark`
 
 Turn hAIve-vs-plain agent trials into a repeatable demo/report.

package/dist/index.js

@@ -2743,7 +2743,7 @@ ${SEED_FOOTER(stack)}` });
 }
 
 // src/commands/init.ts
-var HAIVE_GITHUB_ACTION_REF = `v${"0.12.1"}`;
+var HAIVE_GITHUB_ACTION_REF = `v${"0.12.4"}`;
 var PROJECT_CONTEXT_TEMPLATE = `# Project context
 
 > Generated by \`haive init\`. Run \`haive init --bootstrap\` to auto-fill from your codebase,
@@ -2778,7 +2778,7 @@ This repo uses **hAIve** for shared context. The map:
 1. **Before editing** for a goal, call \`get_briefing\` (task + files/symbols) to load ranked context \u2014 or \`mem_relevant_to\` if project context is already loaded this session.
 2. **When an approach fails**, call \`mem_tried\` right away so the next agent skips the dead end.
 3. **Before closing** a substantive session, run the \`post_task\` prompt to capture what was learned.
-4. **Before final response**, run \`haive enforce finish\`. If it blocks, commit/push, bump/tag shippable releases, then rerun it.
+4. **Before final response**, run \`haive enforce finish\`. If it blocks, commit/push, bump/tag shippable releases, wait for GitHub Actions to pass when applicable, then rerun it.
 
 If the haive MCP server is not available, tell the developer rather than silently skipping it.
 
@@ -2805,7 +2805,7 @@ This repository uses **hAIve**. Running \`haive init\` means the team expects ag
 
 - On failure: **\`mem_tried\`** immediately.
 - Before closing a substantive session: MCP prompt **\`post_task\`** when there is something worth capturing.
-- Before final response: **\`haive enforce finish\`** must pass; it checks commit/push and release version/tag protocol.
+- Before final response: **\`haive enforce finish\`** must pass; it checks commit/push, release version/tag protocol, and GitHub Actions success for pushed HEAD when the repo has a GitHub remote.
 
 ## If haive MCP is missing
 
@@ -7440,7 +7440,7 @@ This creates/updates a single rolling recap that **get_briefing automatically su
 
 Calling \`mem_session_end\` also **clears the pending-distill marker** (if any), confirming that this session's learnings have been properly captured rather than left as an auto-recap skeleton.
 
-### 7. Verify the git/release exit protocol \u2014 always
+### 7. Verify the git/release/pipeline exit protocol \u2014 always
 Run **\`haive enforce finish\`** before your final response.
 
 This executable gate checks the multi-agent git-sync decision:
@@ -7448,11 +7448,12 @@ This executable gate checks the multi-agent git-sync decision:
 - shippable package changes have a lockstep version bump
 - the release tag \`vX.Y.Z\` exists when a version was bumped
 - commits and tags have been pushed
+- the pushed HEAD's GitHub Actions workflow runs have completed successfully when the repo has a GitHub remote
 - agents never run \`npm publish\` (publication remains human-owned)
 
-If it blocks, fix the reported Git/version/tag/push issue before telling the developer the task is done.
+If it blocks, fix the reported Git/version/tag/push/pipeline issue before telling the developer the task is done.
 
-When done, respond with a brief summary: "Saved N memories: [list of IDs]. Session recap saved. hAIve finish gate passed."
+When done, respond with a brief summary: "Saved N memories: [list of IDs]. Session recap saved. hAIve finish gate passed; GitHub Actions passed when applicable."
 `;
   return {
     description: "Post-task reflection: capture what you learned before closing the session",
@@ -7531,7 +7532,7 @@ When done, respond with: "Imported N memories: [list of IDs]" or "Nothing action
   };
 }
 var SERVER_NAME = "haive";
-var SERVER_VERSION = "0.12.1";
+var SERVER_VERSION = "0.12.4";
 function jsonResult(data) {
   return {
     content: [
@@ -12259,7 +12260,8 @@ function registerEval(program2) {
     }
     const k = Math.max(1, parseInt(opts.top ?? "8", 10) || 8);
     const ctx = { paths };
-    const spec = await resolveSpec(opts, paths.memoriesDir);
+    const resolvedSpec = await resolveSpec(opts, root, paths.memoriesDir);
+    const spec = resolvedSpec.spec;
     if ((spec.retrieval?.length ?? 0) === 0 && (spec.sensors?.length ?? 0) === 0) {
       ui.warn("No eval cases (no anchored memories and no --spec). Nothing to score.");
       return;
@@ -12284,9 +12286,9 @@ function registerEval(program2) {
     }
     const report = buildReport(retrievalAgg, sensorAgg);
     if (opts.json) {
-      console.log(JSON.stringify({ root, k, report }, null, 2));
+      console.log(JSON.stringify({ root, k, spec_source: resolvedSpec.source, report }, null, 2));
     } else {
-      const md = renderMarkdown2(root, k, report);
+      const md = renderMarkdown2(root, k, resolvedSpec.source, report);
       if (opts.out) {
         const outFile = path43.isAbsolute(opts.out) ? opts.out : path43.join(root, opts.out);
         await writeFile29(outFile, md, "utf8");
@@ -12307,14 +12309,31 @@ function registerEval(program2) {
     }
   });
 }
-async function resolveSpec(opts, memoriesDir) {
+async function resolveSpec(opts, root, memoriesDir) {
   if (opts.spec) {
     const file = path43.resolve(opts.spec);
     const raw = await readFile20(file, "utf8");
-    return JSON.parse(raw);
+    return { spec: JSON.parse(raw), source: file };
+  }
+  const defaultSpec = path43.join(root, ".ai", "eval", "spec.json");
+  if (existsSync64(defaultSpec)) {
+    const raw = await readFile20(defaultSpec, "utf8");
+    const explicit = JSON.parse(raw);
+    const memories2 = await loadMemoriesFromDir26(memoriesDir);
+    const synthesized = synthesizeSelfEvalCases(memories2, { includeFiles: !opts.semanticOnly });
+    return {
+      spec: {
+        retrieval: [...synthesized, ...explicit.retrieval ?? []],
+        sensors: explicit.sensors ?? []
+      },
+      source: ".ai/eval/spec.json + synthesized anchored retrieval"
+    };
   }
   const memories = await loadMemoriesFromDir26(memoriesDir);
-  return { retrieval: synthesizeSelfEvalCases(memories, { includeFiles: !opts.semanticOnly }) };
+  return {
+    spec: { retrieval: synthesizeSelfEvalCases(memories, { includeFiles: !opts.semanticOnly }) },
+    source: "synthesized anchored retrieval"
+  };
 }
 async function runRetrieval(c, k, ctx) {
   const out = await getBriefing(
@@ -12346,11 +12365,12 @@ async function runSensorCase(c, ctx) {
 function pct(n) {
   return `${Math.round(n * 100)}%`;
 }
-function renderMarkdown2(root, k, report) {
+function renderMarkdown2(root, k, source, report) {
   const lines = [
     "# hAIve eval report",
     "",
     `Project: \`${root}\` \xB7 top-k: ${k}`,
+    `Spec: ${source}`,
     "",
     `## Overall score: ${report.score}/100`,
     ""
@@ -12982,14 +13002,15 @@ function registerDoctor(program2) {
         fix: "Edit .ai/haive.config.json: set autoSessionEnd: true (or re-run `haive init` without --manual)."
       });
     }
-    findings.push(...await collectInstallFindings(root, "0.12.1"));
+    findings.push(...await collectInstallFindings(root, "0.12.4"));
+    findings.push(...await collectToolchainFindings(root));
     try {
       const legacyRaw = execSync3("haive-mcp --version", {
         encoding: "utf8",
         timeout: 3e3,
         stdio: ["ignore", "pipe", "ignore"]
       }).trim();
-      const cliVersion = "0.12.1";
+      const cliVersion = "0.12.4";
       if (legacyRaw && legacyRaw !== cliVersion) {
         findings.push({
           severity: "warn",
@@ -13266,6 +13287,7 @@ function isSearchTool(name) {
 async function collectInstallFindings(root, expectedVersion) {
   const findings = [];
   findings.push(...await collectWorkspaceVersionFindings(root, expectedVersion));
+  findings.push(...await collectDistFreshnessFindings(root, expectedVersion));
   const haiveBins = listHaiveBins();
   if (haiveBins.length === 0) {
     findings.push({
@@ -13329,6 +13351,71 @@ which -a haive`
   }
   return findings;
 }
+async function collectToolchainFindings(root) {
+  const findings = [];
+  const pkg = await readJson(
+    path46.join(root, "package.json")
+  );
+  const wantsPnpm = pkg?.packageManager?.startsWith("pnpm@") || Object.values(pkg?.scripts ?? {}).some((script) => /\bpnpm\b/.test(script));
+  if (!wantsPnpm) return findings;
+  const expected = pkg?.packageManager?.replace(/^pnpm@/, "") ?? "9.14.2";
+  if (!commandExists2("pnpm", ["--version"])) {
+    const corepackAvailable = commandExists2("corepack", ["--version"]);
+    findings.push({
+      severity: "warn",
+      code: "pnpm-not-on-path",
+      message: `This workspace uses pnpm${expected ? ` ${expected}` : ""}, but no pnpm binary is available on PATH. Local build/test commands may fail even though CI works.`,
+      fix: corepackAvailable ? `corepack prepare pnpm@${expected} --activate` : `npx pnpm@${expected} install --frozen-lockfile`,
+      section: "Agent coverage"
+    });
+  }
+  return findings;
+}
+async function collectDistFreshnessFindings(root, expectedVersion) {
+  const findings = [];
+  const isHaiveWorkspace = (await readJson(path46.join(root, "package.json")))?.name === "haive-monorepo";
+  if (!isHaiveWorkspace) return findings;
+  const cliDist = path46.join(root, "packages/cli/dist/index.js");
+  if (!existsSync67(cliDist)) {
+    findings.push({
+      severity: "warn",
+      code: "workspace-dist-missing",
+      message: "packages/cli/dist/index.js is missing; local hAIve smoke commands cannot reflect source changes.",
+      fix: "pnpm -r build",
+      section: "Agent coverage"
+    });
+    return findings;
+  }
+  const distVersion = versionForNodeEntrypoint(cliDist);
+  if (distVersion && distVersion !== expectedVersion) {
+    findings.push({
+      severity: "warn",
+      code: "workspace-dist-version-mismatch",
+      message: `packages/cli/dist/index.js reports ${distVersion}, but this source build expects ${expectedVersion}. Run a fresh workspace build after pull before trusting local doctor/enforce output.`,
+      fix: "pnpm -r build\npnpm check:artifacts",
+      section: "Agent coverage"
+    });
+  }
+  const sourceFiles = [
+    "packages/core/src/index.ts",
+    "packages/mcp/src/server.ts",
+    "packages/cli/src/index.ts"
+  ].map((rel) => path46.join(root, rel)).filter(existsSync67);
+  if (sourceFiles.length > 0) {
+    const distMtime = statSync2(cliDist).mtimeMs;
+    const newestSource = Math.max(...sourceFiles.map((file) => statSync2(file).mtimeMs));
+    if (newestSource > distMtime + 1e3) {
+      findings.push({
+        severity: "info",
+        code: "workspace-dist-older-than-source",
+        message: "Built CLI artifacts are older than key source files; rebuild before running release smoke checks.",
+        fix: "pnpm -r build\npnpm check:artifacts",
+        section: "Agent coverage"
+      });
+    }
+  }
+  return findings;
+}
 async function collectWorkspaceVersionFindings(root, expectedVersion) {
   const findings = [];
   const rootPkg = await readJson(path46.join(root, "package.json"));
@@ -13432,6 +13519,30 @@ function versionForBinary(bin) {
     return null;
   }
 }
+function versionForNodeEntrypoint(file) {
+  try {
+    const out = execFileSync(process.execPath, [file, "--version"], {
+      encoding: "utf8",
+      timeout: 3e3,
+      stdio: ["ignore", "pipe", "ignore"]
+    }).trim();
+    return out.match(/\d+\.\d+\.\d+/)?.[0] ?? null;
+  } catch {
+    return null;
+  }
+}
+function commandExists2(command, args) {
+  try {
+    execFileSync(command, args, {
+      encoding: "utf8",
+      timeout: 3e3,
+      stdio: ["ignore", "pipe", "ignore"]
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
 function extractAbsoluteHaiveBins(text) {
   const out = /* @__PURE__ */ new Set();
   const re = /(["'\s])((?:\/[^"'\s]+)*\/haive)\b/g;
@@ -14261,6 +14372,7 @@ async function buildFinishReport(dir) {
       code: "release-version-not-required",
       message: "No shippable package code changed since upstream; no version/tag required."
     });
+    findings.push(...await verifyGithubActionsForHead(root, status));
     return finishReport(root, initialized, mode, findings, config);
   }
   findings.push({
@@ -14347,6 +14459,7 @@ async function buildFinishReport(dir) {
       impact: 10
     });
   }
+  findings.push(...await verifyGithubActionsForHead(root, status));
   return finishReport(root, initialized, mode, findings, config);
 }
 function finishReport(root, initialized, mode, findings, config) {
@@ -14490,7 +14603,7 @@ async function buildEnforcementReport(dir, stage, sessionId) {
       findings: [{ severity: "info", code: "enforcement-off", message: "hAIve enforcement is disabled." }]
     });
   }
-  findings.push(...await inspectIntegrationVersions(root, "0.12.1"));
+  findings.push(...await inspectIntegrationVersions(root, "0.12.4"));
   if (config.enforcement?.requireBriefingFirst !== false && stage !== "ci") {
     const hasBriefing = await hasRecentBriefingMarker2(paths, sessionId);
     findings.push(hasBriefing ? { severity: "ok", code: "briefing-loaded", message: "A recent hAIve briefing marker exists." } : {
@@ -14628,6 +14741,15 @@ async function verifyDecisionCoverage(paths, stage, sessionId) {
     }];
   }
   const marker = await readRecentBriefingMarker(paths, sessionId);
+  if (stage === "ci" && !marker) {
+    return [{
+      severity: "ok",
+      code: "decision-coverage-ci-pass",
+      message: `CI surfaced ${relevant.length} relevant anchored decision/polic${relevant.length === 1 ? "y" : "ies"} for ${changedFiles.length} changed file(s). Runtime briefing markers are local-only and are not expected on GitHub Actions.`,
+      memory_ids: relevant.slice(0, 20).map((memory2) => memory2.frontmatter.id),
+      affected_files: changedFiles.slice(0, 10)
+    }];
+  }
   const consulted = new Set(marker?.memory_ids ?? []);
   const missing = relevant.filter((memory2) => !consulted.has(memory2.frontmatter.id));
   if (missing.length === 0) {
@@ -15033,6 +15155,108 @@ async function remoteTagExists(root, tag) {
     return null;
   }
 }
+async function verifyGithubActionsForHead(root, status) {
+  if (!status.upstream) return [];
+  if (status.ahead > 0) {
+    return [{
+      severity: "info",
+      code: "github-actions-waiting-for-push",
+      message: "GitHub Actions verification waits until HEAD is pushed."
+    }];
+  }
+  const remote = await githubRemoteForCurrentBranch(root);
+  if (!remote) {
+    return [{
+      severity: "info",
+      code: "github-actions-not-applicable",
+      message: "No GitHub remote was detected; GitHub Actions pipeline verification was skipped."
+    }];
+  }
+  const sha = (await runCommand4("git", ["rev-parse", "HEAD"], root).catch(() => "")).trim();
+  if (!sha) {
+    return [{
+      severity: "error",
+      code: "github-actions-head-unreadable",
+      message: "Could not read HEAD SHA for GitHub Actions verification.",
+      fix: "Run `git rev-parse HEAD`, then verify GitHub Actions manually before finishing.",
+      impact: 30
+    }];
+  }
+  let runs;
+  try {
+    const raw = await runCommand4("gh", [
+      "run",
+      "list",
+      "--commit",
+      sha,
+      "--limit",
+      "50",
+      "--json",
+      "conclusion,databaseId,name,status,workflowName"
+    ], root);
+    runs = JSON.parse(raw);
+  } catch {
+    return [{
+      severity: "error",
+      code: "github-actions-unverified",
+      message: "Could not verify GitHub Actions runs for HEAD.",
+      fix: "Install/authenticate GitHub CLI, then run `gh run list --commit $(git rev-parse HEAD)` and ensure every workflow is successful before finishing.",
+      reason: `Detected GitHub remote ${remote}, but hAIve could not query workflow runs.`,
+      impact: 50
+    }];
+  }
+  if (runs.length === 0) {
+    return [{
+      severity: "error",
+      code: "github-actions-runs-missing",
+      message: "No GitHub Actions runs were found for HEAD.",
+      fix: "Wait for GitHub to create the workflow runs, or verify that the push was not skipped by a `[skip ci]` head commit; rerun `haive enforce finish` after the runs appear.",
+      impact: 50
+    }];
+  }
+  const pending = runs.filter((run) => run.status !== "completed");
+  if (pending.length > 0) {
+    return [{
+      severity: "error",
+      code: "github-actions-pending",
+      message: `${pending.length}/${runs.length} GitHub Actions workflow run(s) for HEAD are still pending: ${formatGithubRunNames(pending)}.`,
+      fix: "Wait for the runs to finish (`gh run watch <run-id> --exit-status`), then rerun `haive enforce finish`.",
+      impact: 50
+    }];
+  }
+  const failed = runs.filter((run) => run.conclusion !== "success");
+  if (failed.length > 0) {
+    return [{
+      severity: "error",
+      code: "github-actions-failed",
+      message: `${failed.length}/${runs.length} GitHub Actions workflow run(s) for HEAD did not pass: ${formatGithubRunNames(failed)}.`,
+      fix: "Inspect the failed run logs with `gh run view <run-id> --log`, fix the issue, push the fix, then rerun `haive enforce finish`.",
+      impact: 80
+    }];
+  }
+  return [{
+    severity: "ok",
+    code: "github-actions-pass",
+    message: `All ${runs.length} GitHub Actions workflow run(s) for HEAD completed successfully.`
+  }];
+}
+async function githubRemoteForCurrentBranch(root) {
+  const branch = (await runCommand4("git", ["branch", "--show-current"], root).catch(() => "")).trim();
+  const branchRemote = branch ? (await runCommand4("git", ["config", "--get", `branch.${branch}.remote`], root).catch(() => "")).trim() : "";
+  const remoteName = branchRemote || "origin";
+  const remoteUrl = (await runCommand4("git", ["config", "--get", `remote.${remoteName}.url`], root).catch(() => "")).trim();
+  if (!isGithubRemoteUrl(remoteUrl)) return null;
+  return remoteUrl;
+}
+function isGithubRemoteUrl(url) {
+  return /(^git@github\.com:|github\.com[/:])/.test(url);
+}
+function formatGithubRunNames(runs) {
+  return runs.slice(0, 6).map((run) => {
+    const label = run.workflowName ?? run.name ?? "workflow";
+    return run.databaseId ? `${label}#${run.databaseId}` : label;
+  }).join(", ");
+}
 function buildScore(findings, threshold = 80) {
   const checks = {
     total: findings.length,
@@ -15489,7 +15713,7 @@ function shellQuote(value) {
 
 // src/index.ts
 var program = new Command56();
-program.name("haive").description("hAIve - repo-native memory and context policy for coding-agent harnesses").version("0.12.1").option("--advanced", "show maintenance and experimental commands in help");
+program.name("haive").description("hAIve - repo-native memory and context policy for coding-agent harnesses").version("0.12.4").option("--advanced", "show maintenance and experimental commands in help");
 registerInit(program);
 registerWelcome(program);
 registerResolveProject(program);