npm - @jnyross/code-factory - Versions diffs - 1.1.0 → 1.1.3 - Mend

@jnyross/code-factory 1.1.0 → 1.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -7,6 +7,7 @@ This template implements the full pattern:
 - risk-policy gate before expensive CI fanout
 - current-head SHA review discipline
 - canonical rerun comment dedupe
+- optional deterministic remediation agent loop
 - bot-only thread auto-resolve after clean rerun
 - browser evidence verification for UI/user-flow changes
 - incident -> harness-gap loop with weekly metrics
@@ -17,8 +18,10 @@ All control-plane policy lives in `ARCHITECTURE.yaml` under `control_plane`:
 - `mergePolicy`
 - `docsDriftRules`
 - `reviewAgent`
+- `remediationAgent`
 - `browserEvidence`
 - `harnessGapLoop`
+- `branchProtection`
 ## Workflow Order
 `Control Plane` workflow (`.github/workflows/preflight.yml`) runs jobs in this order:
@@ -26,8 +29,12 @@ All control-plane policy lives in `ARCHITECTURE.yaml` under `control_plane`:
 2. fanout: `CI Pipeline`, `harness-smoke`, `Browser Evidence`
 3. `risk-policy-finalize`
+For `high` tier changes, the gate auto-applies the PR label `high-risk`.
 `Code Review Agent` workflow (`.github/workflows/auto-review.yml`) runs in parallel and is enforced by SHA-aware policy checks.
+`remediation-agent` workflow (`.github/workflows/remediation-agent.yml`) can be enabled for in-branch automated fixes after actionable review findings.
 ## SHA Discipline and Reruns
 `scripts/control-plane/risk-policy-gate.mjs` enforces:
 - review check must be for current PR head SHA
@@ -46,6 +53,8 @@ npm run harness:ui:capture-browser-evidence
 npm run harness:ui:verify-browser-evidence
 ```
+In CI, capture + verify are both run in `Browser Evidence` job.
 ## Harness Gap Loop
 `harness-gap-loop` workflow:
 - creates a `harness-gap` issue when a `production-regression` issue appears
@@ -57,12 +66,37 @@ npm run typecheck
 npm test
 npm run build:ci --if-present
 npm run harness:legal-chat:smoke
+npm run harness:ui:pre-pr
 npm run harness:ui:capture-browser-evidence
 npm run harness:ui:verify-browser-evidence
 npm run harness:risk-tier
 npm run harness:weekly-metrics
 ```
+## Branch Protection
+Merge blocking is enforced via GitHub branch protection requiring `risk-policy-finalize`.
+- `code-factory --github` now applies this automatically.
+- For repos created from GitHub template UI, run:
+```bash
+node scripts/control-plane/apply-branch-protection.mjs owner/repo
+```
+Note: GitHub may require a paid plan (or public repo) for private-repo branch protection.
+## Remediation Agent
+Optional, disabled by default:
+- add a self-hosted runner for the repo
+- set repository variable `ENABLE_REMEDIATION=true`
+- optional variables: `REMEDIATION_ENGINE`, `REMEDIATION_CODEX_MODEL`, `REMEDIATION_VALIDATE_CMD`
+When enabled, failed review-agent runs can trigger deterministic in-branch remediation:
+1. read current-head actionable findings
+2. run local CLI agent (`codex`/`claude`/`opencode`/custom)
+3. run validation command
+4. commit + push fix to same PR branch
 ## Agent Loop Files
 - `ARCHITECTURE.yaml`
 - `AGENTS.md`

package/bin/code-factory.mjs CHANGED Viewed

@@ -21,6 +21,8 @@ Options:
   --owner <owner>       GitHub owner/org for --github (defaults to gh auth user)
   --repo <name|owner/name>
                         GitHub repo name override (default: slugified project name)
+  --no-branch-protection
+                        Skip automatic main branch protection setup for --github
   --template-url <url>  Override template repository URL for this run
   -h, --help            Show help
@@ -61,6 +63,7 @@ function parseArgs(rawArgs) {
     visibility: "private",
     owner: null,
     repo: null,
+    branchProtection: true,
     templateUrl: DEFAULT_TEMPLATE_URL
   };
@@ -107,6 +110,11 @@ function parseArgs(rawArgs) {
       continue;
     }
+    if (arg === "--no-branch-protection") {
+      options.branchProtection = false;
+      continue;
+    }
     if (arg === "-h" || arg === "--help") {
       usage(0);
     }
@@ -149,6 +157,43 @@ function deriveGitHubRepo(projectName, options) {
   return { owner, repo };
 }
+function configureBranchProtection({ owner, repo }) {
+  const requiredChecks = ["risk-policy-finalize"];
+  const payload = {
+    required_status_checks: {
+      strict: true,
+      contexts: requiredChecks
+    },
+    enforce_admins: false,
+    required_pull_request_reviews: {
+      dismiss_stale_reviews: true,
+      require_code_owner_reviews: false,
+      required_approving_review_count: 1
+    },
+    restrictions: null,
+    required_conversation_resolution: true,
+    allow_force_pushes: false,
+    allow_deletions: false
+  };
+  execFileSync(
+    "gh",
+    [
+      "api",
+      "--method",
+      "PUT",
+      `repos/${owner}/${repo}/branches/main/protection`,
+      "--input",
+      "-"
+    ],
+    {
+      stdio: ["pipe", "inherit", "inherit"],
+      input: JSON.stringify(payload),
+      encoding: "utf8"
+    }
+  );
+}
 function createProject(projectName, destinationDir, options) {
   const targetPath = resolve(destinationDir, projectName);
@@ -161,6 +206,7 @@ function createProject(projectName, destinationDir, options) {
   run("git", ["-C", targetPath, "init", "-q"]);
   run("git", ["-C", targetPath, "add", "."]);
   run("git", ["-C", targetPath, "commit", "-q", "-m", "Initial commit from Code Factory template"]);
+  run("git", ["-C", targetPath, "branch", "-M", "main"]);
   if (options.github) {
     const { owner, repo } = deriveGitHubRepo(projectName, options);
@@ -169,6 +215,18 @@ function createProject(projectName, destinationDir, options) {
     run("gh", ["repo", "create", fullRepo, visibilityFlag, "--source", targetPath, "--remote", "origin", "--push"]);
     console.log(`GitHub repo created: https://github.com/${fullRepo}`);
+    if (options.branchProtection) {
+      try {
+        configureBranchProtection({ owner, repo });
+        console.log("Main branch protection applied (required check: risk-policy-finalize).");
+      } catch (error) {
+        console.warn(
+          "Warning: failed to apply branch protection automatically. " +
+            "Run scripts/control-plane/apply-branch-protection.mjs in the new repo."
+        );
+      }
+    }
   }
   console.log("Your new Code Factory project is ready!");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@jnyross/code-factory",
-  "version": "1.1.0",
+  "version": "1.1.3",
   "description": "Bootstrap new repos from the Code Factory template.",
   "type": "module",
   "license": "MIT",
@@ -25,10 +25,12 @@
     "new-project": "bin/code-factory.mjs"
   },
   "scripts": {
+    "control-plane:apply-branch-protection": "node scripts/control-plane/apply-branch-protection.mjs",
     "harness:risk-tier": "node scripts/control-plane/risk-tier.mjs",
     "harness:legal-chat:smoke": "node scripts/control-plane/harness-smoke.mjs",
     "harness:ui:capture-browser-evidence": "node scripts/control-plane/capture-browser-evidence.mjs",
     "harness:ui:verify-browser-evidence": "node scripts/control-plane/verify-browser-evidence.mjs",
+    "harness:ui:pre-pr": "npm run harness:ui:capture-browser-evidence && npm run harness:ui:verify-browser-evidence",
     "harness:weekly-metrics": "node scripts/control-plane/weekly-metrics.mjs"
   },
   "files": [