npm - @metasession.co/devaudit-cli - Versions diffs - 0.1.21 → 0.1.23 - Mend

@metasession.co/devaudit-cli 0.1.21 → 0.1.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js +201 -13
package/dist/index.js.map +1 -1
package/package.json +2 -2
package/sdlc/files/_common/0-project-setup.md +2 -0
package/sdlc/files/_common/implementing-an-sdlc-issue.md +1 -1
package/sdlc/files/_common/joining-an-existing-project.md +191 -0
package/sdlc/files/ci/check-release-approval.yml.template +39 -4

package/dist/index.js CHANGED Viewed

@@ -54,7 +54,7 @@ function emitJsonResult(payload) {
 // package.json
 var package_default = {
-  version: "0.1.21"};
+  version: "0.1.23"};
 // src/lib/version.ts
 var CLI_VERSION = package_default.version;
@@ -792,6 +792,14 @@ async function exists(path) {
     return false;
   }
 }
+async function isFile(path) {
+  try {
+    const stat = await promises.stat(path);
+    return stat.isFile();
+  } catch {
+    return false;
+  }
+}
 async function isDir(path) {
   try {
     const stat = await promises.stat(path);
@@ -888,6 +896,25 @@ var GitHubProvider = class {
       "Setting a GitHub repo secret without `gh` CLI requires sodium encryption (libsodium) \u2014 not implemented. Install `gh` CLI to use this command."
     );
   }
+  async hasSecret(cwd, name) {
+    if (this.preferGhCli && await ghAvailable()) {
+      const res2 = await execa("gh", ["secret", "list", "--json", "name"], { cwd, reject: false });
+      if (res2.exitCode !== 0) return false;
+      try {
+        const rows = JSON.parse(res2.stdout);
+        return rows.some((r) => r.name === name);
+      } catch {
+        return false;
+      }
+    }
+    const meta = await this.getRepoMeta(cwd);
+    if (!this.token) return false;
+    const res = await fetch(
+      `https://api.github.com/repos/${meta.owner}/${meta.name}/actions/secrets/${name}`,
+      { headers: this.authHeaders() }
+    );
+    return res.ok;
+  }
   async setVariable(cwd, name, value) {
     if (this.preferGhCli && await ghAvailable()) {
       await execa("gh", ["variable", "set", name, "--body", value], { cwd });
@@ -1179,6 +1206,13 @@ var PYTHON_PATHS_IGNORE = [
   "sdlc-config.json"
 ];
 async function writeSdlcConfig(ctx, plan) {
+  if (ctx.installMode === "developer") {
+    return {
+      step: "4/11 Write sdlc-config.json",
+      status: "skipped",
+      message: "developer mode \u2014 leaving sdlc-config.json untouched (the team config is already on disk from the project operator). Use --force-team-config if you need to refresh wizard-owned fields."
+    };
+  }
   const runtimeKey = plan.stack === "node" ? "node_version" : "python_version";
   const pathsIgnore = plan.stack === "node" ? NODE_PATHS_IGNORE : PYTHON_PATHS_IGNORE;
   const existing = await readSdlcConfig(ctx.projectPath) ?? null;
@@ -1270,6 +1304,13 @@ async function findOrCreateProject(ctx, plan) {
 // src/install/api-key.ts
 var KEY_NAME = "Onboarding-issued";
 async function issueApiKey(ctx, plan) {
+  if (ctx.installMode === "developer") {
+    return {
+      step: "6/11 Issue project API key",
+      status: "skipped",
+      message: "developer mode \u2014 leaving the project's 'Onboarding-issued' API key untouched (the team key is already configured by the project operator)."
+    };
+  }
   if (ctx.dryRun) {
     return {
       step: "6/11 Issue project API key",
@@ -1317,6 +1358,13 @@ function buildSkipped(plan) {
   return skipped;
 }
 async function setGithubSecrets(ctx, plan, provider) {
+  if (ctx.installMode === "developer") {
+    return {
+      step: "7/11 Set GitHub secrets and variables",
+      status: "skipped",
+      message: "developer mode \u2014 leaving DEVAUDIT_USER_TOKEN, DEVAUDIT_API_KEY, DEVAUDIT_BASE_URL, and the production-URL secret unchanged. Use --force-team-config to rotate them as the project operator."
+    };
+  }
   const operations = buildOperations(ctx, plan);
   if (ctx.dryRun) {
     const summary = operations.map((op) => `${op.kind}:${op.name}`).join(", ");
@@ -1400,6 +1448,13 @@ var REQUIRED_CHECKS = [
   "Quality Gates"
 ];
 async function configureBranchProtection(ctx, provider) {
+  if (ctx.installMode === "developer") {
+    return {
+      step: "9/11 Configure branch protection",
+      status: "skipped",
+      message: "developer mode \u2014 leaving branch protection unchanged. Use --force-team-config to re-apply as the project operator."
+    };
+  }
   let meta;
   try {
     meta = await provider.getRepoMeta(ctx.projectPath);
@@ -2082,6 +2137,37 @@ async function syncTemplates(ctx) {
 // src/install/done-report.ts
 function doneReport(ctx, plan) {
+  if (ctx.installMode === "developer") {
+    const lines2 = [
+      "",
+      `  ${ctx.projectName} \u2014 local developer setup complete.`,
+      "",
+      "  What ran:",
+      "    - Templates re-synced from DevAudit-Installer (SDLC/, scripts/, .husky/, \u2026).",
+      "    - Git hooks bootstrapped.",
+      "",
+      "  What was deliberately skipped (developer mode):",
+      "    - sdlc-config.json (team config \u2014 already on disk).",
+      "    - 'Onboarding-issued' API key (team-owned by the project operator).",
+      "    - GitHub repo secrets (DEVAUDIT_USER_TOKEN, DEVAUDIT_API_KEY, DEVAUDIT_BASE_URL).",
+      "    - Branch protection rules.",
+      "",
+      "  Verify your local install:",
+      "    devaudit auth status      # confirm your personal mctok_\u2026 is valid",
+      "    devaudit status .         # check framework files are present",
+      "    devaudit doctor           # node \u226522, git, gh, jq, curl",
+      "",
+      "  See SDLC/joining-an-existing-project.md for the full second-developer guide.",
+      "  Rotate team secrets only as the project operator: `devaudit install --force-team-config`.",
+      ""
+    ];
+    return {
+      step: "11/11 Done (developer mode)",
+      status: "ok",
+      message: lines2.join("\n"),
+      data: { mode: "developer" }
+    };
+  }
   const branch = "feat/sdlc-onboarding";
   const lines = [
     "",
@@ -2106,7 +2192,7 @@ function doneReport(ctx, plan) {
     step: "11/11 Done",
     status: "ok",
     message: lines.join("\n"),
-    data: { nextBranch: branch }
+    data: { nextBranch: branch, mode: "operator" }
   };
 }
@@ -2120,33 +2206,37 @@ async function runInstall(options) {
   const projectName = basename(projectPath);
   const auth = await resolveTokenForInstall(options);
   const installerRoot = await resolveInstallerRoot();
-  const ctx = {
+  const tentativeCtx = {
     projectPath,
     projectName,
     installerRoot,
     token: auth.token,
     baseUrl: auth.baseUrl,
     dryRun: Boolean(options.dryRun),
-    nonInteractive: Boolean(options.nonInteractive)
+    nonInteractive: Boolean(options.nonInteractive),
+    installMode: "operator"
   };
-  banner(ctx);
+  banner(tentativeCtx);
   const steps = [];
-  steps.push(await record(log, runAuthProbe(ctx)));
+  steps.push(await record(log, runAuthProbe(tentativeCtx)));
   const plugins = options.plugins ?? (await discoverPlugins()).loaded;
-  if (plugins.length > 0 && !ctx.dryRun) {
-    const pluginCtx = await buildPluginContext({ projectPath: ctx.projectPath });
+  if (plugins.length > 0 && !tentativeCtx.dryRun) {
+    const pluginCtx = await buildPluginContext({ projectPath: tentativeCtx.projectPath });
     await runHook(plugins, "beforeInstall", pluginCtx);
   }
-  const { result: detectResult, detected } = await detectStack(ctx);
+  const { result: detectResult, detected } = await detectStack(tentativeCtx);
   steps.push(await record(log, Promise.resolve(detectResult)));
-  const plan = await collectPlan(ctx, detected);
+  const plan = await collectPlan(tentativeCtx, detected);
   const planStep = planSummary(plan);
   steps.push(planStep);
   log.success(`[${planStep.step}] ${planStep.message ?? ""}`);
+  const providerResolution = await resolveProvider(options, tentativeCtx);
+  const detection = await detectInstallMode(tentativeCtx, plan, providerResolution.provider, options);
+  if (detection.notice) log.info(detection.notice);
+  const ctx = { ...tentativeCtx, installMode: detection.mode };
   steps.push(await record(log, writeSdlcConfig(ctx, plan)));
   steps.push(await record(log, findOrCreateProject(ctx, plan)));
   steps.push(await record(log, issueApiKey(ctx, plan)));
-  const providerResolution = await resolveProvider(options, ctx);
   if (providerResolution.provider) {
     steps.push(await record(log, setGithubSecrets(ctx, plan, providerResolution.provider)));
   } else {
@@ -2181,6 +2271,58 @@ async function runInstall(options) {
   }
   return { project: projectName, projectPath, dryRun: ctx.dryRun, steps };
 }
+async function detectInstallMode(ctx, plan, provider, options) {
+  if (options.forceTeamConfig) {
+    return {
+      mode: "operator",
+      allBitsMatched: false,
+      notice: "--force-team-config: running operator-mode (will rewrite repo secrets + branch protection)."
+    };
+  }
+  if (options.mode === "developer") {
+    return {
+      mode: "developer",
+      allBitsMatched: true,
+      notice: "mode=developer (pinned): destructive steps will skip \u2014 use `devaudit install --force-team-config` from the project's onboarding operator if you need to rotate team secrets."
+    };
+  }
+  if (options.mode === "operator") {
+    return { mode: "operator", allBitsMatched: false };
+  }
+  if (ctx.dryRun) {
+    return { mode: "operator", allBitsMatched: false };
+  }
+  const sdlcConfigExisted = await isFile(`${ctx.projectPath}/sdlc-config.json`);
+  if (!sdlcConfigExisted) return { mode: "operator", allBitsMatched: false };
+  let projectExists = false;
+  let keyExists = false;
+  try {
+    const client = new DevAuditClient({ token: ctx.token, baseUrl: ctx.baseUrl });
+    const existing = await client.getProjectBySlug(plan.projectSlug);
+    if (existing) {
+      projectExists = true;
+      const keys = await client.listApiKeys(existing.id);
+      keyExists = keys.some((k) => k.name === "Onboarding-issued" && k.revoked_at === null);
+    }
+  } catch {
+    return { mode: "operator", allBitsMatched: false };
+  }
+  if (!projectExists || !keyExists) return { mode: "operator", allBitsMatched: false };
+  let hasUserTokenSecret = false;
+  if (provider) {
+    try {
+      hasUserTokenSecret = await provider.hasSecret(ctx.projectPath, "DEVAUDIT_USER_TOKEN");
+    } catch {
+      hasUserTokenSecret = false;
+    }
+  }
+  if (!hasUserTokenSecret) return { mode: "operator", allBitsMatched: false };
+  return {
+    mode: "developer",
+    allBitsMatched: true,
+    notice: "developer mode auto-detected (project + Onboarding-issued key + DEVAUDIT_USER_TOKEN secret all present): destructive steps (4, 6, 7, 9) will skip. Use --force-team-config to rotate team secrets."
+  };
+}
 async function resolveProvider(options, ctx) {
   if (options.provider) return { provider: options.provider };
   try {
@@ -2236,6 +2378,31 @@ async function runInstallCommand(options) {
   const log = logger();
   try {
     await runInstall({
+      ...options.path !== void 0 ? { path: options.path } : {},
+      ...options.token !== void 0 ? { token: options.token } : {},
+      ...options.baseUrl !== void 0 ? { baseUrl: options.baseUrl } : {},
+      ...options.dryRun !== void 0 ? { dryRun: options.dryRun } : {},
+      ...options.yes !== void 0 ? { nonInteractive: options.yes } : {},
+      ...options.forceTeamConfig !== void 0 ? { forceTeamConfig: options.forceTeamConfig } : {}
+    });
+  } catch (err) {
+    log.error(err.message);
+    process.exit(1);
+  }
+}
+async function runJoinCommand(options) {
+  const log = logger();
+  const projectPath = resolve(options.path ?? process.cwd());
+  const sdlcConfigExists = await isFile(`${projectPath}/sdlc-config.json`);
+  if (!sdlcConfigExists) {
+    log.error(
+      `No sdlc-config.json at ${projectPath}. This project hasn't been onboarded yet \u2014 the project operator should run \`devaudit install\`. See SDLC/joining-an-existing-project.md (synced into onboarded repos) for the second-developer guide.`
+    );
+    process.exit(7);
+  }
+  try {
+    await runInstall({
+      mode: "developer",
       ...options.path !== void 0 ? { path: options.path } : {},
       ...options.token !== void 0 ? { token: options.token } : {},
       ...options.baseUrl !== void 0 ? { baseUrl: options.baseUrl } : {},
@@ -2476,9 +2643,30 @@ async function main(argv) {
     "DevAudit CLI \u2014 installs, syncs, and operates the Metasession SDLC across consumer projects."
   ).version(CLI_VERSION, "-V, --version");
   applyCommonFlags(program);
-  program.command("install [path]").description("Interactive onboarding for a consumer project (native TS implementation)").option("--token <token>", "PAT to use (otherwise reads DEVAUDIT_USER_TOKEN env or ~/.config/devaudit/auth.json)").option("--base-url <url>", "override portal URL (defaults to DEVAUDIT_BASE_URL env or production)").action(async (path, cmdOpts, cmd) => {
+  program.command("install [path]").description("Interactive onboarding for a consumer project (operator flow). On an already-onboarded project a second dev auto-routes to developer mode; use `devaudit join` for the explicit second-dev entry point.").option("--token <token>", "PAT to use (otherwise reads DEVAUDIT_USER_TOKEN env or ~/.config/devaudit/auth.json)").option("--base-url <url>", "override portal URL (defaults to DEVAUDIT_BASE_URL env or production)").option("--force-team-config", "Re-run the destructive steps (write sdlc-config, issue API key, set GH secrets, apply branch protection) even when dev-mode detection would have skipped them. The operator-only rotation lane.").action(
+    async (path, cmdOpts, cmd) => {
+      const globals = cmd.optsWithGlobals();
+      await runInstallCommand({
+        ...path !== void 0 ? { path } : {},
+        ...cmdOpts.token !== void 0 ? { token: cmdOpts.token } : {},
+        ...cmdOpts.baseUrl !== void 0 ? { baseUrl: cmdOpts.baseUrl } : {},
+        ...cmdOpts.forceTeamConfig !== void 0 ? { forceTeamConfig: Boolean(cmdOpts.forceTeamConfig) } : {},
+        ...globals.dryRun !== void 0 ? { dryRun: Boolean(globals.dryRun) } : {},
+        ...globals.yes !== void 0 ? { yes: Boolean(globals.yes) } : {}
+      });
+    }
+  );
+  program.command("join [path]").description(
+    "Second-developer entry point: re-sync framework templates + run hook bootstrap locally on an already-onboarded project. Skips the operator-only steps (sdlc-config write, API key issuance, GitHub secret writes, branch protection) so the team CI token is never rotated. See SDLC/joining-an-existing-project.md."
+  ).option(
+    "--token <token>",
+    "PAT to use (otherwise reads DEVAUDIT_USER_TOKEN env or ~/.config/devaudit/auth.json)"
+  ).option(
+    "--base-url <url>",
+    "override portal URL (defaults to DEVAUDIT_BASE_URL env or production)"
+  ).action(async (path, cmdOpts, cmd) => {
     const globals = cmd.optsWithGlobals();
-    await runInstallCommand({
+    await runJoinCommand({
       ...path !== void 0 ? { path } : {},
       ...cmdOpts.token !== void 0 ? { token: cmdOpts.token } : {},
       ...cmdOpts.baseUrl !== void 0 ? { baseUrl: cmdOpts.baseUrl } : {},