npm - @ktpartners/dgs-platform - Versions diffs - 2.9.0 → 3.3.0 - Mend

@ktpartners/dgs-platform 2.9.0 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (166) hide show

package/CHANGELOG.md +197 -0
package/README.md +34 -2
package/agents/dgs-executor.md +124 -3
package/agents/dgs-idea-researcher.md +447 -0
package/agents/dgs-plan-checker.md +61 -3
package/agents/dgs-planner.md +51 -8
package/bin/install.js +44 -0
package/commands/dgs/abandon-quick.md +28 -0
package/commands/dgs/add-tests.md +2 -2
package/commands/dgs/audit-milestone.md +4 -3
package/commands/dgs/capture-principle.md +11 -11
package/commands/dgs/cleanup.md +2 -2
package/commands/dgs/complete-milestone.md +11 -11
package/commands/dgs/complete-quick.md +28 -0
package/commands/dgs/create-milestone-job.md +2 -2
package/commands/dgs/debug.md +3 -3
package/commands/dgs/develop-idea.md +1 -1
package/commands/dgs/diff-report.md +124 -0
package/commands/dgs/fast.md +3 -1
package/commands/dgs/health.md +1 -1
package/commands/dgs/map-codebase.md +6 -6
package/commands/dgs/new-milestone.md +5 -5
package/commands/dgs/new-project.md +8 -21
package/commands/dgs/package-scan.md +43 -0
package/commands/dgs/plan-milestone-gaps.md +1 -1
package/commands/dgs/progress.md +3 -3
package/commands/dgs/quick-abandon.md +8 -0
package/commands/dgs/quick-complete.md +8 -0
package/commands/dgs/quick.md +10 -3
package/commands/dgs/research-idea.md +3 -2
package/commands/dgs/research-phase.md +3 -3
package/commands/dgs/switch-project.md +14 -1
package/commands/dgs/write-spec.md +3 -3
package/deliver-great-systems/bin/dgs-tools.cjs +401 -32
package/deliver-great-systems/bin/lib/audit-tolerance.cjs +77 -0
package/deliver-great-systems/bin/lib/audit-tolerance.test.cjs +101 -0
package/deliver-great-systems/bin/lib/commands.cjs +626 -46
package/deliver-great-systems/bin/lib/commands.test.cjs +451 -0
package/deliver-great-systems/bin/lib/commit-verify.test.cjs +236 -0
package/deliver-great-systems/bin/lib/config.cjs +80 -6
package/deliver-great-systems/bin/lib/config.test.cjs +309 -0
package/deliver-great-systems/bin/lib/context.cjs +120 -0
package/deliver-great-systems/bin/lib/core.cjs +35 -14
package/deliver-great-systems/bin/lib/core.test.cjs +79 -1
package/deliver-great-systems/bin/lib/execution.cjs +49 -17
package/deliver-great-systems/bin/lib/fast-routing.cjs +199 -0
package/deliver-great-systems/bin/lib/fast-routing.test.cjs +108 -0
package/deliver-great-systems/bin/lib/final-commit-precondition.test.cjs +87 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/bundler-audit-gemfile.json +21 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/gate-parity-expected.md +186 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/gate-parity-runresult.json +235 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/govulncheck-import.json +3 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/npm-audit-v10.json +37 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/osv-clean.json +3 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/osv-vulns.json +77 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/pip-audit-requirements.json +28 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/snyk-lodash.json +30 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/snyk-workspaces.json +55 -0
package/deliver-great-systems/bin/lib/flat-migration.test.cjs +396 -0
package/deliver-great-systems/bin/lib/frontmatter.cjs +1 -1
package/deliver-great-systems/bin/lib/governance.cjs +211 -0
package/deliver-great-systems/bin/lib/governance.test.cjs +339 -0
package/deliver-great-systems/bin/lib/health-untracked-phase.test.cjs +269 -0
package/deliver-great-systems/bin/lib/ideas.cjs +206 -91
package/deliver-great-systems/bin/lib/ideas.test.cjs +244 -1
package/deliver-great-systems/bin/lib/init.cjs +357 -61
package/deliver-great-systems/bin/lib/init.test.cjs +625 -8
package/deliver-great-systems/bin/lib/jobs.cjs +131 -25
package/deliver-great-systems/bin/lib/jobs.test.cjs +193 -74
package/deliver-great-systems/bin/lib/migration.cjs +409 -1
package/deliver-great-systems/bin/lib/migration.test.cjs +158 -1
package/deliver-great-systems/bin/lib/milestone.cjs +154 -31
package/deliver-great-systems/bin/lib/milestone.test.cjs +203 -0
package/deliver-great-systems/bin/lib/package-adapters.cjs +530 -0
package/deliver-great-systems/bin/lib/package-adapters.test.cjs +618 -0
package/deliver-great-systems/bin/lib/package-ecosystems.cjs +350 -0
package/deliver-great-systems/bin/lib/package-ecosystems.test.cjs +348 -0
package/deliver-great-systems/bin/lib/package-runner.cjs +199 -0
package/deliver-great-systems/bin/lib/package-runner.test.cjs +198 -0
package/deliver-great-systems/bin/lib/package-scan-provenance.cjs +56 -0
package/deliver-great-systems/bin/lib/package-scan-provenance.test.cjs +103 -0
package/deliver-great-systems/bin/lib/package-scan-report.cjs +1140 -0
package/deliver-great-systems/bin/lib/package-scan-report.test.cjs +1963 -0
package/deliver-great-systems/bin/lib/package-scan-skill.cjs +96 -0
package/deliver-great-systems/bin/lib/package-scan-skill.test.cjs +136 -0
package/deliver-great-systems/bin/lib/package-scan.cjs +919 -0
package/deliver-great-systems/bin/lib/package-scan.test.cjs +2147 -0
package/deliver-great-systems/bin/lib/phase.cjs +146 -3
package/deliver-great-systems/bin/lib/phase.test.cjs +420 -0
package/deliver-great-systems/bin/lib/plan-number-validity.test.cjs +48 -0
package/deliver-great-systems/bin/lib/projects.cjs +65 -10
package/deliver-great-systems/bin/lib/projects.test.cjs +198 -2
package/deliver-great-systems/bin/lib/quick.cjs +739 -0
package/deliver-great-systems/bin/lib/quick.test.cjs +730 -0
package/deliver-great-systems/bin/lib/repos.cjs +37 -13
package/deliver-great-systems/bin/lib/review.cjs +1821 -0
package/deliver-great-systems/bin/lib/roadmap.cjs +34 -13
package/deliver-great-systems/bin/lib/specs.cjs +3 -81
package/deliver-great-systems/bin/lib/state-transition-gate.test.cjs +160 -0
package/deliver-great-systems/bin/lib/state.cjs +147 -55
package/deliver-great-systems/bin/lib/summary-frontmatter.cjs +54 -0
package/deliver-great-systems/bin/lib/summary-frontmatter.test.cjs +78 -0
package/deliver-great-systems/bin/lib/sweep-scope.test.cjs +263 -0
package/deliver-great-systems/bin/lib/sync.cjs +75 -0
package/deliver-great-systems/bin/lib/verify.cjs +198 -7
package/deliver-great-systems/bin/lib/verify.test.cjs +82 -0
package/deliver-great-systems/bin/lib/wave-0-template-rename.test.cjs +40 -0
package/deliver-great-systems/bin/lib/worktrees.cjs +790 -0
package/deliver-great-systems/bin/lib/worktrees.test.cjs +963 -0
package/deliver-great-systems/references/agent-step-reliability.md +60 -0
package/deliver-great-systems/references/conflict-resolution.md +4 -0
package/deliver-great-systems/references/context-tiers.md +4 -0
package/deliver-great-systems/references/package-scan-config.md +151 -0
package/deliver-great-systems/references/questioning.md +0 -30
package/deliver-great-systems/references/spec-review-loop.md +1 -2
package/deliver-great-systems/references/workflow-conventions.md +29 -0
package/deliver-great-systems/skills/dgs-tests/package-scan.md +44 -0
package/deliver-great-systems/templates/REVIEW.md +35 -0
package/deliver-great-systems/templates/VALIDATION.md +1 -1
package/deliver-great-systems/templates/claude-md.md +27 -0
package/deliver-great-systems/templates/package-scan-report.md +108 -0
package/deliver-great-systems/templates/project.md +6 -170
package/deliver-great-systems/templates/summary.md +3 -1
package/deliver-great-systems/workflows/abandon-quick.md +89 -0
package/deliver-great-systems/workflows/add-idea.md +3 -3
package/deliver-great-systems/workflows/add-phase.md +5 -0
package/deliver-great-systems/workflows/add-tests.md +14 -0
package/deliver-great-systems/workflows/add-todo.md +1 -0
package/deliver-great-systems/workflows/approve-spec.md +25 -4
package/deliver-great-systems/workflows/audit-milestone.md +66 -10
package/deliver-great-systems/workflows/audit-phase.md +15 -5
package/deliver-great-systems/workflows/cancel-job.md +2 -2
package/deliver-great-systems/workflows/check-todos.md +2 -3
package/deliver-great-systems/workflows/codereview.md +103 -9
package/deliver-great-systems/workflows/complete-milestone.md +218 -24
package/deliver-great-systems/workflows/complete-quick.md +106 -0
package/deliver-great-systems/workflows/consolidate-ideas.md +1 -1
package/deliver-great-systems/workflows/create-milestone-job.md +4 -4
package/deliver-great-systems/workflows/develop-idea.md +11 -11
package/deliver-great-systems/workflows/diagnose-issues.md +14 -0
package/deliver-great-systems/workflows/discuss-idea.md +1 -1
package/deliver-great-systems/workflows/discuss-phase.md +3 -2
package/deliver-great-systems/workflows/execute-phase.md +209 -33
package/deliver-great-systems/workflows/execute-plan.md +22 -22
package/deliver-great-systems/workflows/help.md +53 -20
package/deliver-great-systems/workflows/import-spec.md +65 -7
package/deliver-great-systems/workflows/init-product.md +45 -167
package/deliver-great-systems/workflows/new-milestone.md +140 -33
package/deliver-great-systems/workflows/new-project.md +60 -331
package/deliver-great-systems/workflows/package-scan.md +59 -0
package/deliver-great-systems/workflows/plan-phase.md +79 -1
package/deliver-great-systems/workflows/progress-all.md +133 -0
package/deliver-great-systems/workflows/quick-abandon.md +89 -0
package/deliver-great-systems/workflows/quick-complete.md +106 -0
package/deliver-great-systems/workflows/quick.md +328 -26
package/deliver-great-systems/workflows/refine-spec.md +1 -1
package/deliver-great-systems/workflows/research-idea.md +77 -139
package/deliver-great-systems/workflows/resume-project.md +2 -2
package/deliver-great-systems/workflows/run-job.md +29 -43
package/deliver-great-systems/workflows/settings.md +13 -77
package/deliver-great-systems/workflows/validate-phase.md +39 -1
package/deliver-great-systems/workflows/verify-work.md +14 -0
package/deliver-great-systems/workflows/write-spec.md +11 -13
package/hooks/dist/dgs-enforce-discipline.js +196 -0
package/package.json +1 -1
package/scripts/build-hooks.js +1 -0

package/deliver-great-systems/bin/lib/package-ecosystems.test.cjs ADDED Viewed

@@ -0,0 +1,348 @@
+/**
+ * package-ecosystems.test.cjs -- Unit tests for ecosystem detection
+ *
+ * Covers PKG-08 (manifest detection), PKG-09 (empty-result), PKG-10 (provenance),
+ * PKG-31 (monorepo workspace expansion with manifest_path).
+ */
+'use strict';
+const { test, describe, beforeEach, afterEach } = require('node:test');
+const assert = require('node:assert');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const { detectEcosystems, ECOSYSTEM_MANIFESTS } = require('./package-ecosystems.cjs');
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+function writeFile(dir, rel, content) {
+  const abs = path.join(dir, rel);
+  fs.mkdirSync(path.dirname(abs), { recursive: true });
+  fs.writeFileSync(abs, content);
+}
+function makeNodeRepo(tmp, opts = {}) {
+  const pkg = Object.assign({ name: 'simple', version: '1.0.0' }, opts.pkgExtra || {});
+  writeFile(tmp, 'package.json', JSON.stringify(pkg, null, 2));
+  if (opts.packageLock !== false) {
+    writeFile(tmp, 'package-lock.json', '{}');
+  }
+}
+function makeWorkspaceRepo(tmp, { workspaces, rootDeps, useYarnField, extraWsFiles }) {
+  const rootPkg = {
+    name: 'monorepo',
+    version: '1.0.0',
+    private: true,
+  };
+  if (useYarnField) {
+    // Yarn-style plain array (same as npm)
+    rootPkg.workspaces = workspaces;
+  } else {
+    rootPkg.workspaces = workspaces;
+  }
+  if (rootDeps) {
+    rootPkg.dependencies = { ...rootDeps };
+  }
+  writeFile(tmp, 'package.json', JSON.stringify(rootPkg, null, 2));
+  const wsDirs = Array.isArray(workspaces) ? workspaces : (workspaces && workspaces.packages) || [];
+  for (const wsPath of wsDirs) {
+    const wsName = wsPath.replace(/\*/g, 'mock');
+    // For glob patterns like `packages/*`, create `packages/api/...` and `packages/web/...`
+    if (wsPath.endsWith('/*')) {
+      const baseDir = wsPath.replace(/\/\*$/, '');
+      writeFile(tmp, `${baseDir}/api/package.json`, JSON.stringify({ name: 'api', version: '1.0.0' }));
+      writeFile(tmp, `${baseDir}/web/package.json`, JSON.stringify({ name: 'web', version: '1.0.0' }));
+    } else {
+      writeFile(tmp, `${wsPath}/package.json`, JSON.stringify({ name: wsName, version: '1.0.0' }));
+    }
+  }
+  if (extraWsFiles) {
+    for (const [rel, body] of Object.entries(extraWsFiles)) {
+      writeFile(tmp, rel, body);
+    }
+  }
+}
+function makeMavenRepo(tmp, { modules, rootDeps, missing }) {
+  const moduleXml = (modules || []).map(m => `    <module>${m}</module>`).join('\n');
+  const depsXml = rootDeps
+    ? `
+  <dependencies>
+    <dependency>
+      <groupId>org.example</groupId>
+      <artifactId>lib</artifactId>
+      <version>1.0.0</version>
+    </dependency>
+  </dependencies>`
+    : '';
+  const modulesBlock = modules && modules.length ? `
+  <modules>
+${moduleXml}
+  </modules>` : '';
+  const rootPom = `<?xml version="1.0" encoding="UTF-8"?>
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.example</groupId>
+  <artifactId>parent</artifactId>
+  <version>1.0.0</version>
+  <packaging>pom</packaging>${modulesBlock}${depsXml}
+</project>`;
+  writeFile(tmp, 'pom.xml', rootPom);
+  for (const m of (modules || [])) {
+    if (missing && missing.includes(m)) continue;
+    const childPom = `<?xml version="1.0" encoding="UTF-8"?>
+<project>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>${m}</artifactId>
+</project>`;
+    writeFile(tmp, `${m}/pom.xml`, childPom);
+  }
+}
+function makeGoWorkspaceRepo(tmp, { modules, includeRootGoMod }) {
+  const useBlock = modules.length > 0
+    ? `use (\n${modules.map(m => `    ${m}`).join('\n')}\n)\n`
+    : '';
+  writeFile(tmp, 'go.work', `go 1.21\n\n${useBlock}`);
+  if (includeRootGoMod) {
+    writeFile(tmp, 'go.mod', 'module example.com/root\n');
+  }
+  for (const m of modules) {
+    const dir = m.replace(/^\.\//, '');
+    writeFile(tmp, `${dir}/go.mod`, `module example.com/${dir.replace(/\//g, '-')}\n`);
+  }
+}
+const ALLOWED_ECOSYSTEMS = new Set(['node', 'python', 'go', 'ruby', 'java']);
+// ─── Tests ───────────────────────────────────────────────────────────────────
+describe('detectEcosystems - simple repos (PKG-08)', () => {
+  let tmpDir;
+  beforeEach(() => { tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'dgs-ecos-')); });
+  afterEach(() => { fs.rmSync(tmpDir, { recursive: true, force: true }); });
+  test('detects node repo with package.json + package-lock.json', () => {
+    makeNodeRepo(tmpDir);
+    assert.deepStrictEqual(detectEcosystems(tmpDir), [
+      { ecosystem: 'node', manifest_path: null },
+    ]);
+  });
+  test('detects node repo with yarn.lock', () => {
+    writeFile(tmpDir, 'package.json', JSON.stringify({ name: 'x', version: '1.0.0' }));
+    writeFile(tmpDir, 'yarn.lock', '# yarn\n');
+    assert.deepStrictEqual(detectEcosystems(tmpDir), [
+      { ecosystem: 'node', manifest_path: null },
+    ]);
+  });
+  test('detects python repo with requirements.txt', () => {
+    writeFile(tmpDir, 'requirements.txt', 'requests==2.20.0\n');
+    assert.deepStrictEqual(detectEcosystems(tmpDir), [
+      { ecosystem: 'python', manifest_path: null },
+    ]);
+  });
+  test('detects python repo with poetry.lock', () => {
+    writeFile(tmpDir, 'pyproject.toml', '[tool.poetry]\nname="x"\n');
+    writeFile(tmpDir, 'poetry.lock', '# generated\n');
+    assert.deepStrictEqual(detectEcosystems(tmpDir), [
+      { ecosystem: 'python', manifest_path: null },
+    ]);
+  });
+  test('detects go repo with go.mod', () => {
+    writeFile(tmpDir, 'go.mod', 'module example.com/x\n');
+    assert.deepStrictEqual(detectEcosystems(tmpDir), [
+      { ecosystem: 'go', manifest_path: null },
+    ]);
+  });
+  test('detects ruby repo with Gemfile.lock', () => {
+    writeFile(tmpDir, 'Gemfile', "source 'https://rubygems.org'\n");
+    writeFile(tmpDir, 'Gemfile.lock', 'GEM\n');
+    assert.deepStrictEqual(detectEcosystems(tmpDir), [
+      { ecosystem: 'ruby', manifest_path: null },
+    ]);
+  });
+  test('detects java repo with pom.xml', () => {
+    writeFile(tmpDir, 'pom.xml', '<?xml version="1.0"?>\n<project><modelVersion>4.0.0</modelVersion></project>\n');
+    assert.deepStrictEqual(detectEcosystems(tmpDir), [
+      { ecosystem: 'java', manifest_path: null },
+    ]);
+  });
+  test('mixed node + python at root emits two entries, both manifest_path:null', () => {
+    makeNodeRepo(tmpDir);
+    writeFile(tmpDir, 'requirements.txt', 'requests==2.20.0\n');
+    const result = detectEcosystems(tmpDir);
+    assert.strictEqual(result.length, 2);
+    assert.deepStrictEqual(result, [
+      { ecosystem: 'node', manifest_path: null },
+      { ecosystem: 'python', manifest_path: null },
+    ]);
+  });
+});
+describe('detectEcosystems - empty case (PKG-09)', () => {
+  let tmpDir;
+  beforeEach(() => { tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'dgs-ecos-')); });
+  afterEach(() => { fs.rmSync(tmpDir, { recursive: true, force: true }); });
+  test('repo with no recognised manifest returns []', () => {
+    writeFile(tmpDir, 'README.md', '# readme');
+    writeFile(tmpDir, 'Makefile', 'all:\n\ttrue\n');
+    assert.deepStrictEqual(detectEcosystems(tmpDir), []);
+  });
+  test('empty directory returns []', () => {
+    assert.deepStrictEqual(detectEcosystems(tmpDir), []);
+  });
+  test('repo with only src/pyproject.toml (PKG-42 deferred) returns []', () => {
+    writeFile(tmpDir, 'src/pyproject.toml', '[project]\nname="x"\n');
+    assert.deepStrictEqual(detectEcosystems(tmpDir), []);
+  });
+});
+describe('detectEcosystems - ecosystem provenance (PKG-10)', () => {
+  let tmpDir;
+  beforeEach(() => { tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'dgs-ecos-')); });
+  afterEach(() => { fs.rmSync(tmpDir, { recursive: true, force: true }); });
+  test('every entry has exactly one ecosystem field drawn from the allow-list', () => {
+    makeNodeRepo(tmpDir);
+    writeFile(tmpDir, 'go.mod', 'module example.com/x\n');
+    writeFile(tmpDir, 'Gemfile', "source 'https://rubygems.org'\n");
+    writeFile(tmpDir, 'pom.xml', '<?xml version="1.0"?>\n<project><modelVersion>4.0.0</modelVersion></project>\n');
+    writeFile(tmpDir, 'requirements.txt', 'x\n');
+    const result = detectEcosystems(tmpDir);
+    assert.ok(result.length >= 5);
+    for (const entry of result) {
+      assert.ok(ALLOWED_ECOSYSTEMS.has(entry.ecosystem), `bad ecosystem: ${entry.ecosystem}`);
+      assert.ok('manifest_path' in entry);
+    }
+  });
+});
+describe('detectEcosystems - monorepo workspaces (PKG-31)', () => {
+  let tmpDir;
+  beforeEach(() => { tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'dgs-ecos-')); });
+  afterEach(() => { fs.rmSync(tmpDir, { recursive: true, force: true }); });
+  test('npm workspaces via packages/*/package.json glob emits one entry per workspace', () => {
+    makeWorkspaceRepo(tmpDir, { workspaces: ['packages/*'] });
+    const result = detectEcosystems(tmpDir);
+    const wsEntries = result.filter(e => e.manifest_path);
+    const paths = wsEntries.map(e => e.manifest_path).sort();
+    assert.deepStrictEqual(paths, ['packages/api/package.json', 'packages/web/package.json']);
+    for (const e of wsEntries) assert.strictEqual(e.ecosystem, 'node');
+    // No root entry because no root deps
+    assert.strictEqual(result.length, 2);
+  });
+  test('pnpm workspaces declared in pnpm-workspace.yaml emits one entry per declared workspace', () => {
+    writeFile(tmpDir, 'package.json', JSON.stringify({ name: 'root', private: true }));
+    writeFile(tmpDir, 'pnpm-workspace.yaml', "packages:\n  - 'apps/*'\n");
+    writeFile(tmpDir, 'apps/api/package.json', JSON.stringify({ name: 'api' }));
+    writeFile(tmpDir, 'apps/web/package.json', JSON.stringify({ name: 'web' }));
+    const result = detectEcosystems(tmpDir);
+    const paths = result.map(e => e.manifest_path).filter(Boolean).sort();
+    assert.deepStrictEqual(paths, ['apps/api/package.json', 'apps/web/package.json']);
+  });
+  test('Yarn workspaces declared in root package.json workspaces field emits one entry per workspace', () => {
+    // Yarn array form is identical to npm — a plain array under `workspaces`.
+    makeWorkspaceRepo(tmpDir, { workspaces: ['services/*'], useYarnField: true });
+    const result = detectEcosystems(tmpDir);
+    const paths = result.map(e => e.manifest_path).filter(Boolean).sort();
+    assert.deepStrictEqual(paths, ['services/api/package.json', 'services/web/package.json']);
+  });
+  test('npm workspace root with root-level dependencies emits root entry + workspace entries', () => {
+    makeWorkspaceRepo(tmpDir, { workspaces: ['packages/*'], rootDeps: { lodash: '^4' } });
+    const result = detectEcosystems(tmpDir);
+    const paths = result.map(e => e.manifest_path);
+    assert.ok(paths.includes('package.json'), 'root package.json entry expected');
+    assert.ok(paths.includes('packages/api/package.json'));
+    assert.ok(paths.includes('packages/web/package.json'));
+    assert.strictEqual(result.length, 3);
+    // Root entry LAST in its ecosystem group
+    assert.strictEqual(result[result.length - 1].manifest_path, 'package.json');
+  });
+  test('npm workspace root without root-level dependencies emits workspace entries only', () => {
+    makeWorkspaceRepo(tmpDir, { workspaces: ['packages/*'] });
+    const result = detectEcosystems(tmpDir);
+    const paths = result.map(e => e.manifest_path);
+    assert.ok(!paths.includes('package.json'));
+    assert.strictEqual(result.length, 2);
+  });
+  test('Maven <modules> declares api, web -> emits api/pom.xml + web/pom.xml entries', () => {
+    makeMavenRepo(tmpDir, { modules: ['api', 'web'] });
+    const result = detectEcosystems(tmpDir);
+    const paths = result.map(e => e.manifest_path).sort((a, b) => (a === null) - (b === null) || a.localeCompare(b));
+    assert.deepStrictEqual(
+      result.map(e => e.manifest_path),
+      ['api/pom.xml', 'web/pom.xml']
+    );
+    assert.strictEqual(result.length, 2);
+  });
+  test('Maven <modules> plus root <dependencies> -> emits root pom.xml entry alongside workspace entries', () => {
+    makeMavenRepo(tmpDir, { modules: ['api', 'web'], rootDeps: true });
+    const result = detectEcosystems(tmpDir);
+    const paths = result.map(e => e.manifest_path);
+    assert.ok(paths.includes('api/pom.xml'));
+    assert.ok(paths.includes('web/pom.xml'));
+    assert.ok(paths.includes('pom.xml'));
+    assert.strictEqual(paths[paths.length - 1], 'pom.xml'); // root entry LAST
+  });
+  test('Maven <modules> declaring a module not present on disk is skipped without throwing', () => {
+    makeMavenRepo(tmpDir, { modules: ['api', 'ghost'], missing: ['ghost'] });
+    const result = detectEcosystems(tmpDir);
+    const paths = result.map(e => e.manifest_path);
+    assert.deepStrictEqual(paths, ['api/pom.xml']);
+  });
+  test('Go workspace with use (./api ./worker) emits api/go.mod + worker/go.mod, no root entry', () => {
+    makeGoWorkspaceRepo(tmpDir, { modules: ['./api', './worker'], includeRootGoMod: true });
+    const result = detectEcosystems(tmpDir);
+    assert.strictEqual(result.length, 2);
+    const paths = result.map(e => e.manifest_path).sort();
+    assert.deepStrictEqual(paths, ['api/go.mod', 'worker/go.mod']);
+    // No root entry even when root has go.mod
+    assert.ok(!paths.some(p => p === null || p === 'go.mod'));
+  });
+  test('Gradle-only repo with build.gradle.kts emits single { java, manifest_path: null }', () => {
+    writeFile(tmpDir, 'build.gradle.kts', '// gradle\n');
+    writeFile(tmpDir, 'settings.gradle.kts', 'include("api", "web")\n'); // should be IGNORED (PKG-41 deferred)
+    writeFile(tmpDir, 'api/build.gradle.kts', '// subproject\n');
+    const result = detectEcosystems(tmpDir);
+    assert.deepStrictEqual(result, [{ ecosystem: 'java', manifest_path: null }]);
+  });
+  test('manifest_path is always repo-relative POSIX (forward slashes)', () => {
+    makeWorkspaceRepo(tmpDir, { workspaces: ['packages/*'] });
+    const result = detectEcosystems(tmpDir);
+    for (const e of result) {
+      if (e.manifest_path) {
+        assert.ok(!e.manifest_path.includes('\\'), `backslash in manifest_path: ${e.manifest_path}`);
+        assert.ok(!path.isAbsolute(e.manifest_path), `absolute path: ${e.manifest_path}`);
+      }
+    }
+  });
+});
+describe('detectEcosystems - module exports', () => {
+  test('ECOSYSTEM_MANIFESTS is exported and has all 5 ecosystems', () => {
+    assert.ok(Array.isArray(ECOSYSTEM_MANIFESTS));
+    const ecos = ECOSYSTEM_MANIFESTS.map(e => e.eco).sort();
+    assert.deepStrictEqual(ecos, ['go', 'java', 'node', 'python', 'ruby']);
+  });
+});

package/deliver-great-systems/bin/lib/package-runner.cjs ADDED Viewed

@@ -0,0 +1,199 @@
+/**
+ * package-runner.cjs -- Exit-code-aware external security tool runner
+ *
+ * Wraps spawnSync with a 50 MB maxBuffer and a per-tool FINDINGS_EXIT_CODES
+ * allow-list, distinguishing ok / tool_failure / missing / timeout /
+ * no_native_tool_for_ecosystem outcomes. Modelled on core.execGit but
+ * extended for the additional outcomes security tools require.
+ *
+ * Exports:
+ *   runTool(cwd, toolKey, argv, opts) -- returns structured outcome
+ *   FINDINGS_EXIT_CODES               -- per-tool findings-exit allow-list
+ *   ECOSYSTEM_OVERRIDES               -- tool-for-ecosystem forcing (yarn -> osv)
+ *   DEFAULT_TIMEOUT_MS, DEFAULT_MAX_BUFFER
+ *
+ * Covers roadmap requirement PKG-11 exit-code layer. Does NOT own JSON
+ * structural validation (adapters do that). Does NOT read config
+ * (orchestrator passes timeoutMs via opts).
+ *
+ * SPAWNSYNC ONLY: the shell-based sync helpers in child_process have a 1 MiB
+ * maxBuffer default that silently truncates multi-MB JSON at brace boundaries.
+ * This module uses spawnSync with an explicit 50 MB maxBuffer. Enforced by
+ * test: the corresponding invariant is gated in package-runner.test.cjs.
+ */
+'use strict';
+const { spawnSync } = require('child_process');
+const DEFAULT_TIMEOUT_MS = 300_000;
+const DEFAULT_MAX_BUFFER = 50 * 1024 * 1024;
+const FINDINGS_EXIT_CODES = Object.freeze({
+  snyk: Object.freeze([1]),
+  'npm-audit': Object.freeze([1]),
+  'osv-scanner': Object.freeze([1, 128]),
+  'pip-audit': Object.freeze([1]),
+  govulncheck: Object.freeze([]),
+  'bundler-audit': Object.freeze([1]),
+});
+const ECOSYSTEM_OVERRIDES = Object.freeze({
+  yarn: Object.freeze({ force_tool: 'osv', reason: 'Yarn Berry NDJSON schema instability' }),
+});
+// ─── Internal helpers ─────────────────────────────────────────────────────────
+/**
+ * Classify a process exit code against a tool's FINDINGS_EXIT_CODES allow-list.
+ *
+ * The three branches, in priority order:
+ *   - 127            -> missing  (shell convention for "command not found")
+ *   - 0              -> ok       (success, nothing to report)
+ *   - allow-list hit -> ok       (tool-specific findings-present exit code)
+ *   - otherwise      -> tool_failure
+ *
+ * Extracted as a pure helper so tests can exercise the classifier directly
+ * once the runner lands (not part of the public API — kept private).
+ *
+ * @param {number} exitCode
+ * @param {string} toolKey
+ * @returns {'ok'|'missing'|'tool_failure'}
+ */
+function _classifyExitCode(exitCode, toolKey) {
+  if (exitCode === 127) return 'missing';
+  if (exitCode === 0) return 'ok';
+  const allowed = FINDINGS_EXIT_CODES[toolKey] || [];
+  if (allowed.includes(exitCode)) return 'ok';
+  return 'tool_failure';
+}
+/**
+ * Detect whether a spawnSync result represents a missing-binary failure.
+ * node surfaces ENOENT via `result.error.code === 'ENOENT'` on POSIX and
+ * via `result.error.message` containing `ENOENT` on Windows; both are
+ * accepted here.
+ */
+function _isMissingBinary(result) {
+  if (!result || !result.error) return false;
+  if (result.error.code === 'ENOENT') return true;
+  const msg = result.error.message || '';
+  return /ENOENT/.test(msg);
+}
+/**
+ * Detect whether a spawnSync result represents a timeout. spawnSync signals
+ * this by setting `signal === 'SIGTERM'` once the timeout expires. The
+ * 100 ms slack absorbs clock-skew on slower CI runners.
+ */
+function _isTimeout(result, duration, timeoutMs) {
+  return result.signal === 'SIGTERM' && duration >= timeoutMs - 100;
+}
+/**
+ * Run an external security tool with structured outcome classification.
+ *
+ * @param {string} cwd - Working directory for the child process
+ * @param {string|null} toolKey - One of: 'snyk' | 'npm-audit' | 'osv-scanner' |
+ *   'pip-audit' | 'govulncheck' | 'bundler-audit' | null.
+ *   Passing null triggers the `no_native_tool_for_ecosystem` outcome
+ *   without invoking spawnSync.
+ * @param {string[]} argv - Full argv array: argv[0] is the binary, argv[1..] are args.
+ * @param {{ timeoutMs?: number, maxBuffer?: number, env?: object, expectJson?: boolean }} [opts]
+ * @returns {{
+ *   exitCode: number,
+ *   stdout: string,
+ *   stderr: string,
+ *   timedOut: boolean,
+ *   duration: number,
+ *   outcome: 'ok'|'tool_failure'|'missing'|'timeout'|'no_native_tool_for_ecosystem',
+ *   parsed?: any
+ * }}
+ */
+function runTool(cwd, toolKey, argv, opts = {}) {
+  if (toolKey == null) {
+    return {
+      exitCode: -1,
+      stdout: '',
+      stderr: '',
+      timedOut: false,
+      duration: 0,
+      outcome: 'no_native_tool_for_ecosystem',
+    };
+  }
+  const {
+    timeoutMs = DEFAULT_TIMEOUT_MS,
+    maxBuffer = DEFAULT_MAX_BUFFER,
+    env = {},
+    expectJson = false,
+  } = opts;
+  const started = Date.now();
+  const result = spawnSync(argv[0], argv.slice(1), {
+    cwd,
+    encoding: 'utf-8',
+    timeout: timeoutMs,
+    maxBuffer,
+    env: { ...process.env, ...env },
+  });
+  const duration = Date.now() - started;
+  // Missing-binary detection (ENOENT or spawn ENOENT)
+  if (_isMissingBinary(result)) {
+    return {
+      exitCode: 127,
+      stdout: '',
+      stderr: result.error.message || '',
+      timedOut: false,
+      duration,
+      outcome: 'missing',
+    };
+  }
+  // Timeout detection (SIGTERM issued by spawnSync when timeout expires)
+  if (_isTimeout(result, duration, timeoutMs)) {
+    return {
+      exitCode: 124,
+      stdout: result.stdout || '',
+      stderr: result.stderr || '',
+      timedOut: true,
+      duration,
+      outcome: 'timeout',
+    };
+  }
+  const exitCode = result.status != null ? result.status : 1;
+  const stdout = result.stdout != null ? result.stdout : '';
+  const stderr = result.stderr != null ? result.stderr : '';
+  // Classify outcome via the pure helper.
+  const outcome = _classifyExitCode(exitCode, toolKey);
+  const out = {
+    exitCode,
+    stdout,
+    stderr,
+    timedOut: false,
+    duration,
+    outcome,
+  };
+  // Optional JSON parse on ok outcomes
+  if (expectJson && outcome === 'ok' && stdout) {
+    try {
+      out.parsed = JSON.parse(stdout);
+    } catch (e) {
+      out.outcome = 'tool_failure';
+      out.stderr = (stderr ? stderr + '\n' : '') + `[JSON parse error]: ${e.message}`;
+    }
+  }
+  return out;
+}
+module.exports = {
+  runTool,
+  FINDINGS_EXIT_CODES,
+  ECOSYSTEM_OVERRIDES,
+  DEFAULT_TIMEOUT_MS,
+  DEFAULT_MAX_BUFFER,
+};