@metasession.co/devaudit-cli 0.1.29 → 0.1.31

package/dist/index.js

@@ -8,6 +8,7 @@ import envPaths from 'env-paths';
 import { fileURLToPath, pathToFileURL } from 'url';
 import { validateManifest } from '@metasession.co/devaudit-plugin-sdk';
 import * as clack2 from '@clack/prompts';
+import { readdir, readFile, writeFile } from 'fs/promises';
 
 var DEFAULT_OPTIONS = { json: false, verbose: false, noColor: false };
 var currentLogger = build(DEFAULT_OPTIONS);
@@ -54,7 +55,7 @@ function emitJsonResult(payload) {
 
 // package.json
 var package_default = {
-  version: "0.1.29"};
+  version: "0.1.31"};
 
 // src/lib/version.ts
 var CLI_VERSION = package_default.version;
@@ -1046,7 +1047,7 @@ async function runAuthProbe(ctx) {
   const client = new DevAuditClient({ token: ctx.token, baseUrl: ctx.baseUrl });
   try {
     await client.listProjects();
-    return { step: "1/11 Authenticate", status: "ok", message: `PAT accepted at ${ctx.baseUrl}` };
+    return { step: "1/12 Authenticate", status: "ok", message: `PAT accepted at ${ctx.baseUrl}` };
   } catch (err) {
     if (err instanceof DevAuditApiError && (err.status === 401 || err.status === 403)) {
       throw new Error(
@@ -1101,7 +1102,7 @@ async function detectStack(ctx) {
 }
 function ok(stack, wd) {
   return {
-    step: "2/11 Detect stack",
+    step: "2/12 Detect stack",
     status: "ok",
     message: `stack=${stack} working_directory=${wd} host=railway`,
     data: { stack, workingDirectory: wd, host: "railway" }
@@ -1208,7 +1209,7 @@ var PYTHON_PATHS_IGNORE = [
 async function writeSdlcConfig(ctx, plan) {
   if (ctx.installMode === "developer") {
     return {
-      step: "4/11 Write sdlc-config.json",
+      step: "4/12 Write sdlc-config.json",
       status: "skipped",
       message: "developer mode \u2014 leaving sdlc-config.json untouched (the team config is already on disk from the project operator). Use --force-team-config if you need to refresh wizard-owned fields."
     };
@@ -1262,20 +1263,20 @@ async function writeSdlcConfig(ctx, plan) {
   if (ctx.dryRun) {
     const preserved = existing ? `preserves existing customizations (${Object.keys(existing).filter((k) => !(k in wizardOwned)).length} non-wizard fields)` : "fresh config";
     return {
-      step: "4/11 Write sdlc-config.json",
+      step: "4/12 Write sdlc-config.json",
       status: "planned",
       message: `would write ${outPath} (stack=${plan.stack}, slug=${plan.projectSlug}) \u2014 ${preserved}`
     };
   }
   await promises.writeFile(outPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
-  return { step: "4/11 Write sdlc-config.json", status: "ok", message: `wrote ${outPath}` };
+  return { step: "4/12 Write sdlc-config.json", status: "ok", message: `wrote ${outPath}` };
 }
 
 // src/install/project.ts
 async function findOrCreateProject(ctx, plan) {
   if (ctx.dryRun) {
     return {
-      step: "5/11 Find or create DevAudit project",
+      step: "5/12 Find or create DevAudit project",
       status: "planned",
       message: `would create or find project slug='${plan.projectSlug}' on ${ctx.baseUrl}`
     };
@@ -1285,7 +1286,7 @@ async function findOrCreateProject(ctx, plan) {
   if (existing) {
     plan.projectId = existing.id;
     return {
-      step: "5/11 Find or create DevAudit project",
+      step: "5/12 Find or create DevAudit project",
       status: "ok",
       message: `project '${plan.projectSlug}' already exists (id ${existing.id.slice(0, 8)}\u2026) \u2014 skipping creation`,
       data: { projectId: existing.id, created: false }
@@ -1294,7 +1295,7 @@ async function findOrCreateProject(ctx, plan) {
   const created = await client.createProject(plan.projectSlug, plan.projectSlug);
   plan.projectId = created.id;
   return {
-    step: "5/11 Find or create DevAudit project",
+    step: "5/12 Find or create DevAudit project",
     status: "ok",
     message: `project '${plan.projectSlug}' created (id ${created.id.slice(0, 8)}\u2026)`,
     data: { projectId: created.id, created: true }
@@ -1306,14 +1307,14 @@ var KEY_NAME = "Onboarding-issued";
 async function issueApiKey(ctx, plan) {
   if (ctx.installMode === "developer") {
     return {
-      step: "6/11 Issue project API key",
+      step: "6/12 Issue project API key",
       status: "skipped",
       message: "developer mode \u2014 leaving the project's 'Onboarding-issued' API key untouched (the team key is already configured by the project operator)."
     };
   }
   if (ctx.dryRun) {
     return {
-      step: "6/11 Issue project API key",
+      step: "6/12 Issue project API key",
       status: "planned",
       message: `would issue API key named '${KEY_NAME}' on project '${plan.projectSlug}' (if not already present)`
     };
@@ -1326,7 +1327,7 @@ async function issueApiKey(ctx, plan) {
   const live = existing.find((k) => k.name === KEY_NAME && k.revoked_at === null);
   if (live) {
     return {
-      step: "6/11 Issue project API key",
+      step: "6/12 Issue project API key",
       status: "warn",
       message: `'${KEY_NAME}' API key already exists \u2014 revoke it in the portal and re-run, or set DEVAUDIT_API_KEY manually`
     };
@@ -1334,7 +1335,7 @@ async function issueApiKey(ctx, plan) {
   const issued = await client.issueApiKey(plan.projectId, KEY_NAME);
   plan.apiKey = issued.plainTextKey;
   return {
-    step: "6/11 Issue project API key",
+    step: "6/12 Issue project API key",
     status: "ok",
     message: `issued (will be stored as repo secret DEVAUDIT_API_KEY)`
   };
@@ -1360,7 +1361,7 @@ function buildSkipped(plan) {
 async function setGithubSecrets(ctx, plan, provider) {
   if (ctx.installMode === "developer") {
     return {
-      step: "7/11 Set GitHub secrets and variables",
+      step: "7/12 Set GitHub secrets and variables",
       status: "skipped",
       message: "developer mode \u2014 leaving DEVAUDIT_USER_TOKEN, DEVAUDIT_API_KEY, DEVAUDIT_BASE_URL, and the production-URL secret unchanged. Use --force-team-config to rotate them as the project operator."
     };
@@ -1369,7 +1370,7 @@ async function setGithubSecrets(ctx, plan, provider) {
   if (ctx.dryRun) {
     const summary = operations.map((op) => `${op.kind}:${op.name}`).join(", ");
     return {
-      step: "7/11 Set GitHub secrets and variables",
+      step: "7/12 Set GitHub secrets and variables",
       status: "planned",
       message: `would set ${summary} via ${provider.name} provider`
     };
@@ -1383,7 +1384,7 @@ async function setGithubSecrets(ctx, plan, provider) {
   }
   const skipped = buildSkipped(plan);
   const detail = `${operations.length} item(s) set${skipped.length > 0 ? ` (skipped: ${skipped.join("; ")})` : ""}`;
-  return { step: "7/11 Set GitHub secrets and variables", status: "ok", message: detail };
+  return { step: "7/12 Set GitHub secrets and variables", status: "ok", message: detail };
 }
 async function commandExists(cmd) {
   try {
@@ -1405,7 +1406,7 @@ async function bootstrapHooks(ctx, plan) {
   if (ctx.dryRun) {
     const action = plan.stack === "python" ? "pre-commit install" : "npx husky init";
     return {
-      step: "8/11 Bootstrap hook framework",
+      step: "8/12 Bootstrap hook framework",
       status: "planned",
       message: `would run \`${action}\` in ${ctx.projectPath}`
     };
@@ -1416,29 +1417,29 @@ async function bootstrapHooks(ctx, plan) {
 async function bootstrapPython(ctx) {
   if (!await commandExists("pre-commit")) {
     return {
-      step: "8/11 Bootstrap hook framework",
+      step: "8/12 Bootstrap hook framework",
       status: "warn",
       message: "pre-commit not on PATH \u2014 run `pip install pre-commit && pre-commit install` manually"
     };
   }
   await execa("pre-commit", ["install"], { cwd: ctx.projectPath, stdio: "inherit" });
   await execa("pre-commit", ["install", "--hook-type", "commit-msg"], { cwd: ctx.projectPath, stdio: "inherit" });
-  return { step: "8/11 Bootstrap hook framework", status: "ok", message: "pre-commit hooks installed" };
+  return { step: "8/12 Bootstrap hook framework", status: "ok", message: "pre-commit hooks installed" };
 }
 async function bootstrapNode(ctx) {
   const huskyDir = join(ctx.projectPath, ".husky");
   if (await dirExists(huskyDir)) {
-    return { step: "8/11 Bootstrap hook framework", status: "ok", message: ".husky/ already exists" };
+    return { step: "8/12 Bootstrap hook framework", status: "ok", message: ".husky/ already exists" };
   }
   if (!await commandExists("npx")) {
     return {
-      step: "8/11 Bootstrap hook framework",
+      step: "8/12 Bootstrap hook framework",
       status: "warn",
       message: "npx not on PATH \u2014 run `npx husky init` manually"
     };
   }
   await execa("npx", ["husky", "init"], { cwd: ctx.projectPath, stdio: "inherit" });
-  return { step: "8/11 Bootstrap hook framework", status: "ok", message: ".husky/ bootstrapped" };
+  return { step: "8/12 Bootstrap hook framework", status: "ok", message: ".husky/ bootstrapped" };
 }
 
 // src/install/branch-protection.ts
@@ -1450,7 +1451,7 @@ var REQUIRED_CHECKS = [
 async function configureBranchProtection(ctx, provider) {
   if (ctx.installMode === "developer") {
     return {
-      step: "9/11 Configure branch protection",
+      step: "9/12 Configure branch protection",
       status: "skipped",
       message: "developer mode \u2014 leaving branch protection unchanged. Use --force-team-config to re-apply as the project operator."
     };
@@ -1460,7 +1461,7 @@ async function configureBranchProtection(ctx, provider) {
     meta = await provider.getRepoMeta(ctx.projectPath);
   } catch (err) {
     return {
-      step: "9/11 Configure branch protection",
+      step: "9/12 Configure branch protection",
       status: "warn",
       message: `could not resolve git repo (${err.message}) \u2014 configure manually`
     };
@@ -1468,7 +1469,7 @@ async function configureBranchProtection(ctx, provider) {
   const repo = `${meta.owner}/${meta.name}`;
   if (ctx.dryRun) {
     return {
-      step: "9/11 Configure branch protection",
+      step: "9/12 Configure branch protection",
       status: "planned",
       message: `would apply branch protection on ${repo}:${meta.defaultBranch} with checks=${JSON.stringify(REQUIRED_CHECKS)}`
     };
@@ -1476,13 +1477,13 @@ async function configureBranchProtection(ctx, provider) {
   const result = await provider.applyBranchProtection(ctx.projectPath, meta.defaultBranch, REQUIRED_CHECKS);
   if (result.applied) {
     return {
-      step: "9/11 Configure branch protection",
+      step: "9/12 Configure branch protection",
       status: "ok",
       message: `required checks on ${meta.defaultBranch}: ${REQUIRED_CHECKS.join(", ")}`
     };
   }
   return {
-    step: "9/11 Configure branch protection",
+    step: "9/12 Configure branch protection",
     status: "warn",
     message: `${result.message ?? "branch-protection apply failed"} \u2014 configure manually`
   };
@@ -1857,7 +1858,13 @@ var CI_TEMPLATES = [
   "check-release-approval.yml.template",
   "post-deploy-prod.yml.template",
   "compliance-evidence.yml.template",
-  "close-out-release.yml.template"
+  "close-out-release.yml.template",
+  // DevAudit-Installer#98 WS3: quarterly cron → auto-PR with the
+  // periodic-review.md regenerated from local stats.
+  "periodic-review.yml.template",
+  // DevAudit-Installer#98 WS4: fires on `label:incident` issue close →
+  // auto-PR with the issue exported to compliance/governance/.
+  "incident-export.yml.template"
 ];
 var OLD_WORKFLOWS_TO_REMOVE = ["test-on-pr.yml", "check-uat-approval.yml"];
 function indentEnvBlock(env, indent) {
@@ -2121,19 +2128,68 @@ async function syncAll(projectPaths) {
 async function syncTemplates(ctx) {
   if (ctx.dryRun) {
     return {
-      step: "10/11 Sync SDLC templates",
+      step: "10/12 Sync SDLC templates",
       status: "planned",
       message: `would run native syncProject() against ${ctx.projectPath}`
     };
   }
   const report = await syncProject(ctx.projectPath);
   return {
-    step: "10/11 Sync SDLC templates",
+    step: "10/12 Sync SDLC templates",
     status: "ok",
     message: `synced ${report.totalFilesSynced} files across ${report.sections.length} sections`,
     data: { totalFilesSynced: report.totalFilesSynced }
   };
 }
+var STEP = "11/12 Bootstrap governance docs";
+var SOURCE_REL = "sdlc/files/_common/governance";
+var TARGET_REL = "compliance/governance";
+async function bootstrapGovernanceDocs(ctx) {
+  const sourceDir = resolve(ctx.installerRoot, SOURCE_REL);
+  const targetDir = resolve(ctx.projectPath, TARGET_REL);
+  let templates = [];
+  try {
+    templates = (await readdir(sourceDir)).filter((name) => name.endsWith(".md.template")).sort();
+  } catch (err) {
+    return {
+      step: STEP,
+      status: "warn",
+      message: `source directory not found: ${sourceDir} (${err.message})`
+    };
+  }
+  if (templates.length === 0) {
+    return { step: STEP, status: "warn", message: `no .md.template files in ${sourceDir}` };
+  }
+  if (ctx.dryRun) {
+    return {
+      step: STEP,
+      status: "planned",
+      message: `would copy ${templates.length} starter(s) to ${TARGET_REL}/ (skip-if-exists)`,
+      data: { templates: [...templates] }
+    };
+  }
+  await ensureDir(targetDir);
+  const copied = [];
+  const skipped = [];
+  for (const template of templates) {
+    const targetName = template.replace(/\.template$/, "");
+    const targetPath = join(targetDir, targetName);
+    if (await isFile(targetPath)) {
+      skipped.push(targetName);
+      continue;
+    }
+    const body = await readFile(join(sourceDir, template), "utf8");
+    await writeFile(targetPath, body, "utf8");
+    copied.push(targetName);
+  }
+  const detail = skipped.length === 0 ? `${copied.length} starter(s) copied to ${TARGET_REL}/` : `${copied.length} copied, ${skipped.length} kept (already on disk)`;
+  return {
+    step: STEP,
+    status: "ok",
+    message: `${detail} \u2014 STARTERS, edit before production (see docs/governance-templates.md)`,
+    data: { copied, skipped, targetDir: TARGET_REL }
+  };
+}
 
 // src/install/done-report.ts
 function doneReport(ctx, plan) {
@@ -2162,7 +2218,7 @@ function doneReport(ctx, plan) {
       ""
     ];
     return {
-      step: "11/11 Done (developer mode)",
+      step: "12/12 Done (developer mode)",
       status: "ok",
       message: lines2.join("\n"),
       data: { mode: "developer" }
@@ -2189,7 +2245,7 @@ function doneReport(ctx, plan) {
     ""
   ];
   return {
-    step: "11/11 Done",
+    step: "12/12 Done",
     status: "ok",
     message: lines.join("\n"),
     data: { nextBranch: branch, mode: "operator" }
@@ -2241,7 +2297,7 @@ async function runInstall(options) {
     steps.push(await record(log, setGithubSecrets(ctx, plan, providerResolution.provider)));
   } else {
     const skipped = {
-      step: "7/11 Set GitHub secrets and variables",
+      step: "7/12 Set GitHub secrets and variables",
       status: "skipped",
       message: providerResolution.reason ?? "no git provider available"
     };
@@ -2253,7 +2309,7 @@ async function runInstall(options) {
     steps.push(await record(log, configureBranchProtection(ctx, providerResolution.provider)));
   } else {
     const skipped = {
-      step: "9/11 Configure branch protection",
+      step: "9/12 Configure branch protection",
       status: "skipped",
       message: providerResolution.reason ?? "no git provider available"
     };
@@ -2261,6 +2317,7 @@ async function runInstall(options) {
     log.warn(`[${skipped.step}] SKIPPED ${skipped.message}`);
   }
   steps.push(await record(log, syncTemplates(ctx)));
+  steps.push(await record(log, bootstrapGovernanceDocs(ctx)));
   const done = doneReport(ctx, plan);
   steps.push(done);
   log.success(`[${done.step}]`);
@@ -2356,7 +2413,7 @@ async function record(log, p) {
 }
 function planSummary(plan) {
   return {
-    step: "3/11 Configure",
+    step: "3/12 Configure",
     status: "ok",
     message: `slug=${plan.projectSlug} runtime=${plan.runtimeVersion}`,
     data: { ...plan }