npm - @ktpartners/dgs-platform - Versions diffs - 2.9.0 → 3.3.0 - Mend

@ktpartners/dgs-platform 2.9.0 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (166) hide show

package/CHANGELOG.md +197 -0
package/README.md +34 -2
package/agents/dgs-executor.md +124 -3
package/agents/dgs-idea-researcher.md +447 -0
package/agents/dgs-plan-checker.md +61 -3
package/agents/dgs-planner.md +51 -8
package/bin/install.js +44 -0
package/commands/dgs/abandon-quick.md +28 -0
package/commands/dgs/add-tests.md +2 -2
package/commands/dgs/audit-milestone.md +4 -3
package/commands/dgs/capture-principle.md +11 -11
package/commands/dgs/cleanup.md +2 -2
package/commands/dgs/complete-milestone.md +11 -11
package/commands/dgs/complete-quick.md +28 -0
package/commands/dgs/create-milestone-job.md +2 -2
package/commands/dgs/debug.md +3 -3
package/commands/dgs/develop-idea.md +1 -1
package/commands/dgs/diff-report.md +124 -0
package/commands/dgs/fast.md +3 -1
package/commands/dgs/health.md +1 -1
package/commands/dgs/map-codebase.md +6 -6
package/commands/dgs/new-milestone.md +5 -5
package/commands/dgs/new-project.md +8 -21
package/commands/dgs/package-scan.md +43 -0
package/commands/dgs/plan-milestone-gaps.md +1 -1
package/commands/dgs/progress.md +3 -3
package/commands/dgs/quick-abandon.md +8 -0
package/commands/dgs/quick-complete.md +8 -0
package/commands/dgs/quick.md +10 -3
package/commands/dgs/research-idea.md +3 -2
package/commands/dgs/research-phase.md +3 -3
package/commands/dgs/switch-project.md +14 -1
package/commands/dgs/write-spec.md +3 -3
package/deliver-great-systems/bin/dgs-tools.cjs +401 -32
package/deliver-great-systems/bin/lib/audit-tolerance.cjs +77 -0
package/deliver-great-systems/bin/lib/audit-tolerance.test.cjs +101 -0
package/deliver-great-systems/bin/lib/commands.cjs +626 -46
package/deliver-great-systems/bin/lib/commands.test.cjs +451 -0
package/deliver-great-systems/bin/lib/commit-verify.test.cjs +236 -0
package/deliver-great-systems/bin/lib/config.cjs +80 -6
package/deliver-great-systems/bin/lib/config.test.cjs +309 -0
package/deliver-great-systems/bin/lib/context.cjs +120 -0
package/deliver-great-systems/bin/lib/core.cjs +35 -14
package/deliver-great-systems/bin/lib/core.test.cjs +79 -1
package/deliver-great-systems/bin/lib/execution.cjs +49 -17
package/deliver-great-systems/bin/lib/fast-routing.cjs +199 -0
package/deliver-great-systems/bin/lib/fast-routing.test.cjs +108 -0
package/deliver-great-systems/bin/lib/final-commit-precondition.test.cjs +87 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/bundler-audit-gemfile.json +21 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/gate-parity-expected.md +186 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/gate-parity-runresult.json +235 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/govulncheck-import.json +3 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/npm-audit-v10.json +37 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/osv-clean.json +3 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/osv-vulns.json +77 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/pip-audit-requirements.json +28 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/snyk-lodash.json +30 -0
package/deliver-great-systems/bin/lib/fixtures/package-scan/snyk-workspaces.json +55 -0
package/deliver-great-systems/bin/lib/flat-migration.test.cjs +396 -0
package/deliver-great-systems/bin/lib/frontmatter.cjs +1 -1
package/deliver-great-systems/bin/lib/governance.cjs +211 -0
package/deliver-great-systems/bin/lib/governance.test.cjs +339 -0
package/deliver-great-systems/bin/lib/health-untracked-phase.test.cjs +269 -0
package/deliver-great-systems/bin/lib/ideas.cjs +206 -91
package/deliver-great-systems/bin/lib/ideas.test.cjs +244 -1
package/deliver-great-systems/bin/lib/init.cjs +357 -61
package/deliver-great-systems/bin/lib/init.test.cjs +625 -8
package/deliver-great-systems/bin/lib/jobs.cjs +131 -25
package/deliver-great-systems/bin/lib/jobs.test.cjs +193 -74
package/deliver-great-systems/bin/lib/migration.cjs +409 -1
package/deliver-great-systems/bin/lib/migration.test.cjs +158 -1
package/deliver-great-systems/bin/lib/milestone.cjs +154 -31
package/deliver-great-systems/bin/lib/milestone.test.cjs +203 -0
package/deliver-great-systems/bin/lib/package-adapters.cjs +530 -0
package/deliver-great-systems/bin/lib/package-adapters.test.cjs +618 -0
package/deliver-great-systems/bin/lib/package-ecosystems.cjs +350 -0
package/deliver-great-systems/bin/lib/package-ecosystems.test.cjs +348 -0
package/deliver-great-systems/bin/lib/package-runner.cjs +199 -0
package/deliver-great-systems/bin/lib/package-runner.test.cjs +198 -0
package/deliver-great-systems/bin/lib/package-scan-provenance.cjs +56 -0
package/deliver-great-systems/bin/lib/package-scan-provenance.test.cjs +103 -0
package/deliver-great-systems/bin/lib/package-scan-report.cjs +1140 -0
package/deliver-great-systems/bin/lib/package-scan-report.test.cjs +1963 -0
package/deliver-great-systems/bin/lib/package-scan-skill.cjs +96 -0
package/deliver-great-systems/bin/lib/package-scan-skill.test.cjs +136 -0
package/deliver-great-systems/bin/lib/package-scan.cjs +919 -0
package/deliver-great-systems/bin/lib/package-scan.test.cjs +2147 -0
package/deliver-great-systems/bin/lib/phase.cjs +146 -3
package/deliver-great-systems/bin/lib/phase.test.cjs +420 -0
package/deliver-great-systems/bin/lib/plan-number-validity.test.cjs +48 -0
package/deliver-great-systems/bin/lib/projects.cjs +65 -10
package/deliver-great-systems/bin/lib/projects.test.cjs +198 -2
package/deliver-great-systems/bin/lib/quick.cjs +739 -0
package/deliver-great-systems/bin/lib/quick.test.cjs +730 -0
package/deliver-great-systems/bin/lib/repos.cjs +37 -13
package/deliver-great-systems/bin/lib/review.cjs +1821 -0
package/deliver-great-systems/bin/lib/roadmap.cjs +34 -13
package/deliver-great-systems/bin/lib/specs.cjs +3 -81
package/deliver-great-systems/bin/lib/state-transition-gate.test.cjs +160 -0
package/deliver-great-systems/bin/lib/state.cjs +147 -55
package/deliver-great-systems/bin/lib/summary-frontmatter.cjs +54 -0
package/deliver-great-systems/bin/lib/summary-frontmatter.test.cjs +78 -0
package/deliver-great-systems/bin/lib/sweep-scope.test.cjs +263 -0
package/deliver-great-systems/bin/lib/sync.cjs +75 -0
package/deliver-great-systems/bin/lib/verify.cjs +198 -7
package/deliver-great-systems/bin/lib/verify.test.cjs +82 -0
package/deliver-great-systems/bin/lib/wave-0-template-rename.test.cjs +40 -0
package/deliver-great-systems/bin/lib/worktrees.cjs +790 -0
package/deliver-great-systems/bin/lib/worktrees.test.cjs +963 -0
package/deliver-great-systems/references/agent-step-reliability.md +60 -0
package/deliver-great-systems/references/conflict-resolution.md +4 -0
package/deliver-great-systems/references/context-tiers.md +4 -0
package/deliver-great-systems/references/package-scan-config.md +151 -0
package/deliver-great-systems/references/questioning.md +0 -30
package/deliver-great-systems/references/spec-review-loop.md +1 -2
package/deliver-great-systems/references/workflow-conventions.md +29 -0
package/deliver-great-systems/skills/dgs-tests/package-scan.md +44 -0
package/deliver-great-systems/templates/REVIEW.md +35 -0
package/deliver-great-systems/templates/VALIDATION.md +1 -1
package/deliver-great-systems/templates/claude-md.md +27 -0
package/deliver-great-systems/templates/package-scan-report.md +108 -0
package/deliver-great-systems/templates/project.md +6 -170
package/deliver-great-systems/templates/summary.md +3 -1
package/deliver-great-systems/workflows/abandon-quick.md +89 -0
package/deliver-great-systems/workflows/add-idea.md +3 -3
package/deliver-great-systems/workflows/add-phase.md +5 -0
package/deliver-great-systems/workflows/add-tests.md +14 -0
package/deliver-great-systems/workflows/add-todo.md +1 -0
package/deliver-great-systems/workflows/approve-spec.md +25 -4
package/deliver-great-systems/workflows/audit-milestone.md +66 -10
package/deliver-great-systems/workflows/audit-phase.md +15 -5
package/deliver-great-systems/workflows/cancel-job.md +2 -2
package/deliver-great-systems/workflows/check-todos.md +2 -3
package/deliver-great-systems/workflows/codereview.md +103 -9
package/deliver-great-systems/workflows/complete-milestone.md +218 -24
package/deliver-great-systems/workflows/complete-quick.md +106 -0
package/deliver-great-systems/workflows/consolidate-ideas.md +1 -1
package/deliver-great-systems/workflows/create-milestone-job.md +4 -4
package/deliver-great-systems/workflows/develop-idea.md +11 -11
package/deliver-great-systems/workflows/diagnose-issues.md +14 -0
package/deliver-great-systems/workflows/discuss-idea.md +1 -1
package/deliver-great-systems/workflows/discuss-phase.md +3 -2
package/deliver-great-systems/workflows/execute-phase.md +209 -33
package/deliver-great-systems/workflows/execute-plan.md +22 -22
package/deliver-great-systems/workflows/help.md +53 -20
package/deliver-great-systems/workflows/import-spec.md +65 -7
package/deliver-great-systems/workflows/init-product.md +45 -167
package/deliver-great-systems/workflows/new-milestone.md +140 -33
package/deliver-great-systems/workflows/new-project.md +60 -331
package/deliver-great-systems/workflows/package-scan.md +59 -0
package/deliver-great-systems/workflows/plan-phase.md +79 -1
package/deliver-great-systems/workflows/progress-all.md +133 -0
package/deliver-great-systems/workflows/quick-abandon.md +89 -0
package/deliver-great-systems/workflows/quick-complete.md +106 -0
package/deliver-great-systems/workflows/quick.md +328 -26
package/deliver-great-systems/workflows/refine-spec.md +1 -1
package/deliver-great-systems/workflows/research-idea.md +77 -139
package/deliver-great-systems/workflows/resume-project.md +2 -2
package/deliver-great-systems/workflows/run-job.md +29 -43
package/deliver-great-systems/workflows/settings.md +13 -77
package/deliver-great-systems/workflows/validate-phase.md +39 -1
package/deliver-great-systems/workflows/verify-work.md +14 -0
package/deliver-great-systems/workflows/write-spec.md +11 -13
package/hooks/dist/dgs-enforce-discipline.js +196 -0
package/package.json +1 -1
package/scripts/build-hooks.js +1 -0

package/deliver-great-systems/bin/lib/package-runner.test.cjs ADDED Viewed

@@ -0,0 +1,198 @@
+/**
+ * package-runner.test.cjs -- Unit tests for exit-code-aware tool invocation
+ *
+ * Covers PKG-11 exit-code layer (findings vs tool_failure vs missing vs timeout),
+ * 50 MB buffer handling (PITFALLS.md execSync 1 MiB truncation), Snyk/OSV/govulncheck
+ * exit-code edge cases, env passthrough, and ECOSYSTEM_OVERRIDES export.
+ *
+ * All fabrications use `node -e` so tests run without any security tool installed.
+ */
+'use strict';
+const { test, describe } = require('node:test');
+const assert = require('node:assert');
+const {
+  runTool,
+  FINDINGS_EXIT_CODES,
+  ECOSYSTEM_OVERRIDES,
+  DEFAULT_TIMEOUT_MS,
+  DEFAULT_MAX_BUFFER,
+} = require('./package-runner.cjs');
+const NODE = process.execPath;
+const fakeExitCode = (code, stdout = '', stderr = '') =>
+  [NODE, '-e', `process.stdout.write(${JSON.stringify(stdout)}); process.stderr.write(${JSON.stringify(stderr)}); process.exit(${code})`];
+const fakeTimeout = (ms) =>
+  [NODE, '-e', `setTimeout(() => {}, ${ms});`];
+const fakeLargeStdout = (bytes) =>
+  [NODE, '-e', `const s = 'x'.repeat(${bytes}); process.stdout.write(JSON.stringify({ buf: s }));`];
+const fakeEnvEcho = (varName) =>
+  [NODE, '-e', `process.stdout.write(process.env[${JSON.stringify(varName)}] || '');`];
+const fakeMissingBinary = () => ['definitely-not-a-binary-xxx-' + Date.now()];
+describe('runTool - outcome mapping', () => {
+  test('exitCode 0 with stdout -> outcome: "ok"', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeExitCode(0, '{}'));
+    assert.strictEqual(r.outcome, 'ok');
+    assert.strictEqual(r.exitCode, 0);
+    assert.strictEqual(r.stdout, '{}');
+  });
+  test('Snyk exit 1 (findings) -> outcome: "ok" because 1 in FINDINGS_EXIT_CODES.snyk', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeExitCode(1, '{"vulns":[]}'));
+    assert.strictEqual(r.outcome, 'ok');
+    assert.strictEqual(r.exitCode, 1);
+  });
+  test('Snyk exit 2 -> outcome: "tool_failure", stderr preserved', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeExitCode(2, '', 'boom'));
+    assert.strictEqual(r.outcome, 'tool_failure');
+    assert.strictEqual(r.exitCode, 2);
+    assert.strictEqual(r.stderr, 'boom');
+  });
+  test('npm-audit exit 1 -> outcome: "ok"', () => {
+    const r = runTool(process.cwd(), 'npm-audit', fakeExitCode(1, '{}'));
+    assert.strictEqual(r.outcome, 'ok');
+  });
+  test('pip-audit exit 1 -> outcome: "ok"', () => {
+    const r = runTool(process.cwd(), 'pip-audit', fakeExitCode(1, '{}'));
+    assert.strictEqual(r.outcome, 'ok');
+  });
+  test('bundler-audit exit 1 -> outcome: "ok"', () => {
+    const r = runTool(process.cwd(), 'bundler-audit', fakeExitCode(1, '{}'));
+    assert.strictEqual(r.outcome, 'ok');
+  });
+  test('osv-scanner exit 1 -> outcome: "ok"', () => {
+    const r = runTool(process.cwd(), 'osv-scanner', fakeExitCode(1, '{}'));
+    assert.strictEqual(r.outcome, 'ok');
+  });
+  test('osv-scanner exit 128 -> outcome: "ok" (no-packages-found legitimate)', () => {
+    const r = runTool(process.cwd(), 'osv-scanner', fakeExitCode(128, '{}'));
+    assert.strictEqual(r.outcome, 'ok');
+  });
+  test('govulncheck exit 0 -> outcome: "ok" (always)', () => {
+    const r = runTool(process.cwd(), 'govulncheck', fakeExitCode(0, '{}'));
+    assert.strictEqual(r.outcome, 'ok');
+  });
+  test('govulncheck exit 1 (hypothetical failure) -> outcome: "tool_failure"', () => {
+    const r = runTool(process.cwd(), 'govulncheck', fakeExitCode(1, '', 'fail'));
+    assert.strictEqual(r.outcome, 'tool_failure');
+  });
+  test('exitCode 127 -> outcome: "missing"', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeExitCode(127, '', 'not found'));
+    assert.strictEqual(r.outcome, 'missing');
+  });
+  test('ENOENT spawn error -> outcome: "missing"', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeMissingBinary());
+    assert.strictEqual(r.outcome, 'missing');
+    assert.strictEqual(r.exitCode, 127);
+  });
+  test('timeout (SIGTERM after timeoutMs) -> outcome: "timeout", timedOut: true, duration >= timeoutMs', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeTimeout(60000), { timeoutMs: 300 });
+    assert.strictEqual(r.outcome, 'timeout');
+    assert.strictEqual(r.timedOut, true);
+    assert.ok(r.duration >= 200, `expected duration >= 200, got ${r.duration}`);
+  });
+  test('toolKey null -> outcome: "no_native_tool_for_ecosystem", spawnSync NOT invoked', () => {
+    const start = Date.now();
+    const r = runTool(process.cwd(), null, [NODE, '-e', 'process.exit(0)']);
+    const dt = Date.now() - start;
+    assert.strictEqual(r.outcome, 'no_native_tool_for_ecosystem');
+    // spawnSync not called: must return essentially instantly (<50ms) and duration: 0
+    assert.strictEqual(r.duration, 0);
+    assert.ok(dt < 100, `no-spawn branch should be immediate, got ${dt}ms`);
+  });
+  test('toolKey undefined -> outcome: "no_native_tool_for_ecosystem"', () => {
+    const r = runTool(process.cwd(), undefined, [NODE, '-e', 'process.exit(0)']);
+    assert.strictEqual(r.outcome, 'no_native_tool_for_ecosystem');
+  });
+});
+describe('runTool - buffer and env', () => {
+  test('10 MB stdout is captured intact (no truncation)', () => {
+    const bytes = 10 * 1024 * 1024;
+    const r = runTool(process.cwd(), 'snyk', fakeLargeStdout(bytes));
+    assert.strictEqual(r.outcome, 'ok');
+    assert.ok(r.stdout.length >= bytes, `expected stdout.length >= ${bytes}, got ${r.stdout.length}`);
+  });
+  test('opts.env is merged into child process env (child can read injected var)', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeEnvEcho('DGS_TEST_INJECT'), {
+      env: { DGS_TEST_INJECT: 'hello-world' },
+    });
+    assert.strictEqual(r.outcome, 'ok');
+    assert.strictEqual(r.stdout, 'hello-world');
+  });
+  test('process.env is inherited (e.g., child sees PATH)', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeEnvEcho('PATH'));
+    assert.strictEqual(r.outcome, 'ok');
+    assert.ok(r.stdout.length > 0, 'PATH should be inherited and non-empty');
+  });
+});
+describe('runTool - JSON parsing', () => {
+  test('on ok with expectJson and well-formed JSON, parsed field is populated', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeExitCode(0, '{"ok":true,"count":3}'), { expectJson: true });
+    assert.strictEqual(r.outcome, 'ok');
+    assert.deepStrictEqual(r.parsed, { ok: true, count: 3 });
+  });
+  test('on ok with expectJson and malformed JSON, outcome downgrades to tool_failure', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeExitCode(0, 'not json {'), { expectJson: true });
+    assert.strictEqual(r.outcome, 'tool_failure');
+    assert.ok(/JSON parse error/.test(r.stderr));
+  });
+  test('on ok without expectJson, parsed is not set', () => {
+    const r = runTool(process.cwd(), 'snyk', fakeExitCode(0, '{"a":1}'));
+    assert.strictEqual(r.outcome, 'ok');
+    assert.strictEqual(r.parsed, undefined);
+  });
+  test('govulncheck NDJSON-style multi-object stream is NOT parsed by runner (runner treats it as raw)', () => {
+    // govulncheck emits NDJSON — runner should deliver stdout untouched when expectJson is false.
+    const ndjson = '{"message":{"type":"osv"}}\n{"message":{"type":"finding"}}';
+    const r = runTool(process.cwd(), 'govulncheck', fakeExitCode(0, ndjson), { expectJson: false });
+    assert.strictEqual(r.outcome, 'ok');
+    assert.strictEqual(r.stdout, ndjson);
+    assert.strictEqual(r.parsed, undefined);
+  });
+});
+describe('runTool - exports', () => {
+  test('ECOSYSTEM_OVERRIDES exports yarn: { force_tool: "osv", reason: string }', () => {
+    assert.ok(ECOSYSTEM_OVERRIDES.yarn);
+    assert.strictEqual(ECOSYSTEM_OVERRIDES.yarn.force_tool, 'osv');
+    assert.strictEqual(typeof ECOSYSTEM_OVERRIDES.yarn.reason, 'string');
+    assert.ok(ECOSYSTEM_OVERRIDES.yarn.reason.length > 0);
+  });
+  test('FINDINGS_EXIT_CODES exports all 6 tool keys with correct code arrays', () => {
+    assert.deepStrictEqual(Array.from(FINDINGS_EXIT_CODES.snyk), [1]);
+    assert.deepStrictEqual(Array.from(FINDINGS_EXIT_CODES['npm-audit']), [1]);
+    assert.deepStrictEqual(Array.from(FINDINGS_EXIT_CODES['osv-scanner']), [1, 128]);
+    assert.deepStrictEqual(Array.from(FINDINGS_EXIT_CODES['pip-audit']), [1]);
+    assert.deepStrictEqual(Array.from(FINDINGS_EXIT_CODES.govulncheck), []);
+    assert.deepStrictEqual(Array.from(FINDINGS_EXIT_CODES['bundler-audit']), [1]);
+  });
+  test('DEFAULT_TIMEOUT_MS is 300000', () => {
+    assert.strictEqual(DEFAULT_TIMEOUT_MS, 300_000);
+  });
+  test('DEFAULT_MAX_BUFFER is 50 * 1024 * 1024', () => {
+    assert.strictEqual(DEFAULT_MAX_BUFFER, 50 * 1024 * 1024);
+  });
+});

package/deliver-great-systems/bin/lib/package-scan-provenance.cjs ADDED Viewed

@@ -0,0 +1,56 @@
+'use strict';
+/**
+ * package-scan-provenance.cjs — PKG-33
+ *
+ * Resolves the commit that introduced a dependency manifest entry by running
+ * `git log --format=%H%x00%s -S <packageName> -- <manifestPath>` in the repo
+ * directory, then extracts a DGS plan-id (NNN-NN) from the commit subject.
+ *
+ * Pure module modulo the spawnFn seam: caller injects spawnSync for tests.
+ *
+ * Exports:
+ *   provenanceLookup({ repoDir, manifestPath, packageName, spawnFn })
+ *     -> { commit: string|null, plan: string|null }
+ *   _extractPlanIdFromSubject(subject) -> string|null
+ */
+const { spawnSync } = require('child_process');
+const PLAN_ID_REGEX = /\b(\d{3}-\d{2})\b/;
+function _extractPlanIdFromSubject(subject) {
+  if (subject === null || subject === undefined) return null;
+  const m = String(subject).match(PLAN_ID_REGEX);
+  return m ? m[1] : null;
+}
+function provenanceLookup(args) {
+  const { repoDir, manifestPath, packageName } = args || {};
+  const spawnFn = (args && args.spawnFn) || spawnSync;
+  if (!repoDir || !manifestPath || !packageName) {
+    return { commit: null, plan: null };
+  }
+  let result;
+  try {
+    result = spawnFn('git', ['log', '--format=%H%x00%s', '-S', packageName, '--', manifestPath], {
+      cwd: repoDir,
+      encoding: 'utf-8',
+      timeout: 5000,
+    });
+  } catch {
+    return { commit: null, plan: null };
+  }
+  if (!result || result.error || typeof result.stdout !== 'string' || result.stdout.length === 0) {
+    return { commit: null, plan: null };
+  }
+  const lines = result.stdout.split('\n').filter(l => l.length > 0);
+  if (lines.length === 0) return { commit: null, plan: null };
+  // git log emits newest-first; the oldest commit is the LAST non-empty line.
+  const oldestLine = lines[lines.length - 1];
+  const [fullSha, subject] = oldestLine.split('\u0000');
+  if (!fullSha) return { commit: null, plan: null };
+  const shortSha = String(fullSha).slice(0, 7);
+  const planId = _extractPlanIdFromSubject(subject || '');
+  return { commit: shortSha, plan: planId };
+}
+module.exports = { provenanceLookup, _extractPlanIdFromSubject };

package/deliver-great-systems/bin/lib/package-scan-provenance.test.cjs ADDED Viewed

@@ -0,0 +1,103 @@
+'use strict';
+const test = require('node:test');
+const assert = require('node:assert');
+const { provenanceLookup, _extractPlanIdFromSubject } = require('./package-scan-provenance.cjs');
+test.describe('_extractPlanIdFromSubject (PKG-33)', () => {
+  test.test('feat(149-01): ... → 149-01', () => {
+    assert.strictEqual(_extractPlanIdFromSubject('feat(149-01): implement scanner'), '149-01');
+  });
+  test.test('test(152-03): ... → 152-03', () => {
+    assert.strictEqual(_extractPlanIdFromSubject('test(152-03): add gate-parity describe block'), '152-03');
+  });
+  test.test('commit with inline 149-01 → 149-01', () => {
+    assert.strictEqual(_extractPlanIdFromSubject('Merge branch feature/149-01-foundation'), '149-01');
+  });
+  test.test('three-digit phase: feat(999-42) → 999-42', () => {
+    assert.strictEqual(_extractPlanIdFromSubject('feat(999-42): something'), '999-42');
+  });
+  test.test('missing zero pad: 149-1 → null', () => {
+    assert.strictEqual(_extractPlanIdFromSubject('feat(149-1): ...'), null);
+  });
+  test.test('wrong digit count: 12-345 → null', () => {
+    assert.strictEqual(_extractPlanIdFromSubject('feat(12-345): ...'), null);
+  });
+  test.test('random text → null', () => {
+    assert.strictEqual(_extractPlanIdFromSubject('random commit message'), null);
+  });
+  test.test('empty subject → null', () => {
+    assert.strictEqual(_extractPlanIdFromSubject(''), null);
+  });
+  test.test('null subject → null', () => {
+    assert.strictEqual(_extractPlanIdFromSubject(null), null);
+  });
+  test.test('undefined subject → null', () => {
+    assert.strictEqual(_extractPlanIdFromSubject(undefined), null);
+  });
+});
+test.describe('provenanceLookup (PKG-33)', () => {
+  test.test('empty git log output => {commit:null, plan:null}', () => {
+    const spawnFn = () => ({ status: 0, stdout: '', stderr: '' });
+    const r = provenanceLookup({ repoDir: '/tmp/x', manifestPath: 'package.json', packageName: 'lodash', spawnFn });
+    assert.deepStrictEqual(r, { commit: null, plan: null });
+  });
+  test.test('git log returns one commit with plan-id => {commit:<7sha>, plan:<plan-id>}', () => {
+    const spawnFn = () => ({
+      status: 0,
+      stdout: 'abc1234567890def1234567890\u0000feat(152-03): add gate-parity describe block\n',
+      stderr: '',
+    });
+    const r = provenanceLookup({ repoDir: '/tmp/x', manifestPath: 'package.json', packageName: 'lodash', spawnFn });
+    assert.strictEqual(r.commit, 'abc1234');
+    assert.strictEqual(r.plan, '152-03');
+  });
+  test.test('git log returns multiple commits => picks OLDEST (last line)', () => {
+    const spawnFn = () => ({
+      status: 0,
+      stdout: 'newSHA99999999999999999999\u0000feat(153-01): update\n' +
+              'oldSHA1111111111111111111\u0000feat(149-01): add lodash dep\n',
+      stderr: '',
+    });
+    const r = provenanceLookup({ repoDir: '/tmp/x', manifestPath: 'package.json', packageName: 'lodash', spawnFn });
+    assert.strictEqual(r.commit, 'oldSHA1');
+    assert.strictEqual(r.plan, '149-01');
+  });
+  test.test('git log commit without plan-id => {commit:<sha>, plan:null}', () => {
+    const spawnFn = () => ({
+      status: 0,
+      stdout: 'def5678901234567890123456\u0000chore: bump deps\n',
+      stderr: '',
+    });
+    const r = provenanceLookup({ repoDir: '/tmp/x', manifestPath: 'package.json', packageName: 'lodash', spawnFn });
+    assert.strictEqual(r.commit, 'def5678');
+    assert.strictEqual(r.plan, null);
+  });
+  test.test('git not found / spawn error => {commit:null, plan:null}', () => {
+    const spawnFn = () => ({ error: new Error('ENOENT'), status: null, stdout: '', stderr: '' });
+    const r = provenanceLookup({ repoDir: '/tmp/x', manifestPath: 'package.json', packageName: 'lodash', spawnFn });
+    assert.deepStrictEqual(r, { commit: null, plan: null });
+  });
+  test.test('missing manifestPath => {commit:null, plan:null} (no-op)', () => {
+    const spawnFn = () => { throw new Error('should not be called'); };
+    const r = provenanceLookup({ repoDir: '/tmp/x', manifestPath: null, packageName: 'lodash', spawnFn });
+    assert.deepStrictEqual(r, { commit: null, plan: null });
+  });
+  test.test('missing packageName => {commit:null, plan:null} (no-op)', () => {
+    const spawnFn = () => { throw new Error('should not be called'); };
+    const r = provenanceLookup({ repoDir: '/tmp/x', manifestPath: 'package.json', packageName: null, spawnFn });
+    assert.deepStrictEqual(r, { commit: null, plan: null });
+  });
+  test.test('spawnFn receives argv: ["git", "log", "--format=%H%x00%s", "-S", packageName, "--", manifestPath]', () => {
+    let capturedArgv = null;
+    let capturedOpts = null;
+    const spawnFn = (cmd, argv, opts) => {
+      capturedArgv = [cmd, ...argv];
+      capturedOpts = opts;
+      return { status: 0, stdout: '', stderr: '' };
+    };
+    provenanceLookup({ repoDir: '/tmp/r', manifestPath: 'package.json', packageName: 'lodash', spawnFn });
+    assert.deepStrictEqual(capturedArgv, ['git', 'log', '--format=%H%x00%s', '-S', 'lodash', '--', 'package.json']);
+    assert.strictEqual(capturedOpts.cwd, '/tmp/r');
+  });
+});