@oddessentials/repo-standards 2.1.0 → 3.1.0

package/dist/config/standards.rust.azure-devops.json

@@ -123,7 +123,7 @@
             "stage": "release"
           }
         },
-        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history.",
+        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history. Maintain a single canonical version source (for example, package.json or VERSION) that all release artifacts use.",
         "id": "semantic-versioning",
         "label": "Semantic Versioning",
         "stack": {
@@ -135,20 +135,65 @@
             "cargo-release",
             "semantic-release"
           ],
-          "notes": "Version is defined in Cargo.toml. Use cargo-release or semantic-release-cargo for automated versioning. Follow Conventional Commits for changelog generation.",
+          "notes": "Version is defined in Cargo.toml as the canonical source. Use cargo-release or semantic-release-cargo for automated versioning and GitHub release publishing, and follow Conventional Commits for changelog generation.",
+          "optionalFiles": [
+            "CHANGELOG.md"
+          ],
+          "requiredFiles": [
+            "Cargo.toml"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
           "verification": "Check that Cargo.toml version follows SemVer and verify changelog generation from commit history."
         }
       },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "release"
+          }
+        },
+        "description": "Use a single CI release pipeline that publishes all artifacts (GitHub releases, packages, containers) from the same canonical version source.",
+        "id": "unified-release-workflow",
+        "label": "Unified Release Workflow",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/release.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "cargo-release",
+            "cargo publish",
+            "docker buildx"
+          ],
+          "notes": "Use a single release pipeline to publish crates.io packages, GitHub releases, and Docker images from the Cargo.toml version.",
+          "optionalFiles": [
+            "CHANGELOG.md"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
+          "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
             "stage": "quality"
           }
         },
-        "description": "Enforce structured commit messages such as Conventional Commits.",
+        "description": "Enforce structured commit messages such as Conventional Commits via commit-msg hooks and CI. This is required for deterministic versioning and changelog generation.",
         "id": "commit-linting",
         "label": "Commit Linting",
         "stack": {
+          "anyOfFiles": [
+            "commitlint.config.js",
+            "commitlint.config.cjs",
+            "commitlint.config.mjs",
+            "commitlint.config.json",
+            ".cz.toml"
+          ],
           "exampleConfigFiles": [
             "commitlint.config.js",
             ".cz.toml"
@@ -157,8 +202,11 @@
             "commitlint",
             "commitizen"
           ],
-          "notes": "Use commitlint with husky or pre-commit for enforcing Conventional Commits. Works consistently with cargo workspaces.",
-          "verification": "Test that non-conforming commit messages are rejected by the configured hooks or CI check."
+          "notes": "Use commitlint with husky or pre-commit for enforcing Conventional Commits and add a CI check to keep version/changelog automation deterministic.",
+          "requiredScripts": [
+            "commitlint"
+          ],
+          "verification": "Test that non-conforming commit messages are rejected by the configured hooks and CI check."
         }
       },
       {
@@ -269,7 +317,7 @@
             "stage": "quality"
           }
         },
-        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code.",
+        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code. For JS/TS stacks, require a TypeScript-first policy with strict mode and a CI typecheck step; allow JSDoc/checkJs migration for legacy JS.",
         "id": "type-checking",
         "label": "Type Checking",
         "stack": {
@@ -321,6 +369,91 @@
           "verification": "Cargo.lock is present; run 'cargo audit' or 'cargo deny check' to verify security scanning."
         }
       },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "build"
+          }
+        },
+        "description": "Ensure builds are reproducible by pinning dependencies, base images, and tool/runtime versions. Avoid network/time variance and fail when lockfiles drift.",
+        "id": "deterministic-builds",
+        "label": "Deterministic & Hermetic Builds",
+        "stack": {
+          "exampleConfigFiles": [
+            "Cargo.lock",
+            "rust-toolchain.toml"
+          ],
+          "exampleTools": [
+            "cargo build --locked"
+          ],
+          "notes": "Commit Cargo.lock for binaries/services and pin Rust versions with rust-toolchain.toml. Use --locked in CI.",
+          "optionalFiles": [
+            "rust-toolchain.toml"
+          ],
+          "requiredFiles": [
+            "Cargo.lock"
+          ],
+          "verification": "Cargo.lock is present and CI uses --locked. Rust toolchain is pinned."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "security"
+          }
+        },
+        "description": "Produce SBOMs or provenance metadata, enable secret/code scanning, and sign tags or commits for critical repos.",
+        "id": "provenance-security",
+        "label": "Provenance & Security Metadata",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/codeql.yml",
+            ".github/workflows/provenance.yml"
+          ],
+          "exampleTools": [
+            "cargo-cyclonedx",
+            "syft",
+            "codeql",
+            "gitleaks",
+            "cosign"
+          ],
+          "notes": "Generate SBOM/provenance for crates and container artifacts, enable secret scanning, and sign tags/commits for critical repos.",
+          "optionalFiles": [
+            "SECURITY.md",
+            ".github/workflows/codeql.yml"
+          ],
+          "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "ci"
+          }
+        },
+        "description": "Adopt standard CI templates and config samples to scale across repositories, minimizing bespoke pipeline logic.",
+        "id": "ci-templates-automation",
+        "label": "CI Templates & Automation",
+        "stack": {
+          "anyOfFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleConfigFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "GitHub Actions reusable workflows",
+            "Azure DevOps templates"
+          ],
+          "notes": "Use shared CI templates for build/test/release stages to standardize across Rust repos.",
+          "requiredScripts": [
+            "ci"
+          ],
+          "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {

package/dist/config/standards.rust.github-actions.json

@@ -123,7 +123,7 @@
             "job": "release"
           }
         },
-        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history.",
+        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history. Maintain a single canonical version source (for example, package.json or VERSION) that all release artifacts use.",
         "id": "semantic-versioning",
         "label": "Semantic Versioning",
         "stack": {
@@ -135,20 +135,65 @@
             "cargo-release",
             "semantic-release"
           ],
-          "notes": "Version is defined in Cargo.toml. Use cargo-release or semantic-release-cargo for automated versioning. Follow Conventional Commits for changelog generation.",
+          "notes": "Version is defined in Cargo.toml as the canonical source. Use cargo-release or semantic-release-cargo for automated versioning and GitHub release publishing, and follow Conventional Commits for changelog generation.",
+          "optionalFiles": [
+            "CHANGELOG.md"
+          ],
+          "requiredFiles": [
+            "Cargo.toml"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
           "verification": "Check that Cargo.toml version follows SemVer and verify changelog generation from commit history."
         }
       },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "release"
+          }
+        },
+        "description": "Use a single CI release pipeline that publishes all artifacts (GitHub releases, packages, containers) from the same canonical version source.",
+        "id": "unified-release-workflow",
+        "label": "Unified Release Workflow",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/release.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "cargo-release",
+            "cargo publish",
+            "docker buildx"
+          ],
+          "notes": "Use a single release pipeline to publish crates.io packages, GitHub releases, and Docker images from the Cargo.toml version.",
+          "optionalFiles": [
+            "CHANGELOG.md"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
+          "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
+        }
+      },
       {
         "ciHints": {
           "github-actions": {
             "job": "ci"
           }
         },
-        "description": "Enforce structured commit messages such as Conventional Commits.",
+        "description": "Enforce structured commit messages such as Conventional Commits via commit-msg hooks and CI. This is required for deterministic versioning and changelog generation.",
         "id": "commit-linting",
         "label": "Commit Linting",
         "stack": {
+          "anyOfFiles": [
+            "commitlint.config.js",
+            "commitlint.config.cjs",
+            "commitlint.config.mjs",
+            "commitlint.config.json",
+            ".cz.toml"
+          ],
           "exampleConfigFiles": [
             "commitlint.config.js",
             ".cz.toml"
@@ -157,8 +202,11 @@
             "commitlint",
             "commitizen"
           ],
-          "notes": "Use commitlint with husky or pre-commit for enforcing Conventional Commits. Works consistently with cargo workspaces.",
-          "verification": "Test that non-conforming commit messages are rejected by the configured hooks or CI check."
+          "notes": "Use commitlint with husky or pre-commit for enforcing Conventional Commits and add a CI check to keep version/changelog automation deterministic.",
+          "requiredScripts": [
+            "commitlint"
+          ],
+          "verification": "Test that non-conforming commit messages are rejected by the configured hooks and CI check."
         }
       },
       {
@@ -269,7 +317,7 @@
             "job": "ci"
           }
         },
-        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code.",
+        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code. For JS/TS stacks, require a TypeScript-first policy with strict mode and a CI typecheck step; allow JSDoc/checkJs migration for legacy JS.",
         "id": "type-checking",
         "label": "Type Checking",
         "stack": {
@@ -321,6 +369,91 @@
           "verification": "Cargo.lock is present; run 'cargo audit' or 'cargo deny check' to verify security scanning."
         }
       },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "ci"
+          }
+        },
+        "description": "Ensure builds are reproducible by pinning dependencies, base images, and tool/runtime versions. Avoid network/time variance and fail when lockfiles drift.",
+        "id": "deterministic-builds",
+        "label": "Deterministic & Hermetic Builds",
+        "stack": {
+          "exampleConfigFiles": [
+            "Cargo.lock",
+            "rust-toolchain.toml"
+          ],
+          "exampleTools": [
+            "cargo build --locked"
+          ],
+          "notes": "Commit Cargo.lock for binaries/services and pin Rust versions with rust-toolchain.toml. Use --locked in CI.",
+          "optionalFiles": [
+            "rust-toolchain.toml"
+          ],
+          "requiredFiles": [
+            "Cargo.lock"
+          ],
+          "verification": "Cargo.lock is present and CI uses --locked. Rust toolchain is pinned."
+        }
+      },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "security"
+          }
+        },
+        "description": "Produce SBOMs or provenance metadata, enable secret/code scanning, and sign tags or commits for critical repos.",
+        "id": "provenance-security",
+        "label": "Provenance & Security Metadata",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/codeql.yml",
+            ".github/workflows/provenance.yml"
+          ],
+          "exampleTools": [
+            "cargo-cyclonedx",
+            "syft",
+            "codeql",
+            "gitleaks",
+            "cosign"
+          ],
+          "notes": "Generate SBOM/provenance for crates and container artifacts, enable secret scanning, and sign tags/commits for critical repos.",
+          "optionalFiles": [
+            "SECURITY.md",
+            ".github/workflows/codeql.yml"
+          ],
+          "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+        }
+      },
+      {
+        "ciHints": {
+          "github-actions": {
+            "job": "ci"
+          }
+        },
+        "description": "Adopt standard CI templates and config samples to scale across repositories, minimizing bespoke pipeline logic.",
+        "id": "ci-templates-automation",
+        "label": "CI Templates & Automation",
+        "stack": {
+          "anyOfFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleConfigFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "GitHub Actions reusable workflows",
+            "Azure DevOps templates"
+          ],
+          "notes": "Use shared CI templates for build/test/release stages to standardize across Rust repos.",
+          "requiredScripts": [
+            "ci"
+          ],
+          "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+        }
+      },
       {
         "ciHints": {
           "github-actions": {

package/dist/config/standards.rust.json

@@ -138,7 +138,7 @@
             "job": "release"
           }
         },
-        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history.",
+        "description": "Use MAJOR.MINOR.PATCH versioning with clear rules and automated changelog generation based on commit history. Maintain a single canonical version source (for example, package.json or VERSION) that all release artifacts use.",
         "id": "semantic-versioning",
         "label": "Semantic Versioning",
         "stack": {
@@ -150,10 +150,51 @@
             "cargo-release",
             "semantic-release"
           ],
-          "notes": "Version is defined in Cargo.toml. Use cargo-release or semantic-release-cargo for automated versioning. Follow Conventional Commits for changelog generation.",
+          "notes": "Version is defined in Cargo.toml as the canonical source. Use cargo-release or semantic-release-cargo for automated versioning and GitHub release publishing, and follow Conventional Commits for changelog generation.",
+          "optionalFiles": [
+            "CHANGELOG.md"
+          ],
+          "requiredFiles": [
+            "Cargo.toml"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
           "verification": "Check that Cargo.toml version follows SemVer and verify changelog generation from commit history."
         }
       },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "release"
+          },
+          "github-actions": {
+            "job": "release"
+          }
+        },
+        "description": "Use a single CI release pipeline that publishes all artifacts (GitHub releases, packages, containers) from the same canonical version source.",
+        "id": "unified-release-workflow",
+        "label": "Unified Release Workflow",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/release.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "cargo-release",
+            "cargo publish",
+            "docker buildx"
+          ],
+          "notes": "Use a single release pipeline to publish crates.io packages, GitHub releases, and Docker images from the Cargo.toml version.",
+          "optionalFiles": [
+            "CHANGELOG.md"
+          ],
+          "requiredScripts": [
+            "release"
+          ],
+          "verification": "Trigger the release pipeline and confirm all artifacts share the same version number and tag."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {
@@ -163,10 +204,17 @@
             "job": "ci"
           }
         },
-        "description": "Enforce structured commit messages such as Conventional Commits.",
+        "description": "Enforce structured commit messages such as Conventional Commits via commit-msg hooks and CI. This is required for deterministic versioning and changelog generation.",
         "id": "commit-linting",
         "label": "Commit Linting",
         "stack": {
+          "anyOfFiles": [
+            "commitlint.config.js",
+            "commitlint.config.cjs",
+            "commitlint.config.mjs",
+            "commitlint.config.json",
+            ".cz.toml"
+          ],
           "exampleConfigFiles": [
             "commitlint.config.js",
             ".cz.toml"
@@ -175,8 +223,11 @@
             "commitlint",
             "commitizen"
           ],
-          "notes": "Use commitlint with husky or pre-commit for enforcing Conventional Commits. Works consistently with cargo workspaces.",
-          "verification": "Test that non-conforming commit messages are rejected by the configured hooks or CI check."
+          "notes": "Use commitlint with husky or pre-commit for enforcing Conventional Commits and add a CI check to keep version/changelog automation deterministic.",
+          "requiredScripts": [
+            "commitlint"
+          ],
+          "verification": "Test that non-conforming commit messages are rejected by the configured hooks and CI check."
         }
       },
       {
@@ -302,7 +353,7 @@
             "job": "ci"
           }
         },
-        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code.",
+        "description": "Use static type checking to catch errors before runtime and enforce strictness on new code. For JS/TS stacks, require a TypeScript-first policy with strict mode and a CI typecheck step; allow JSDoc/checkJs migration for legacy JS.",
         "id": "type-checking",
         "label": "Type Checking",
         "stack": {
@@ -357,6 +408,100 @@
           "verification": "Cargo.lock is present; run 'cargo audit' or 'cargo deny check' to verify security scanning."
         }
       },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "build"
+          },
+          "github-actions": {
+            "job": "ci"
+          }
+        },
+        "description": "Ensure builds are reproducible by pinning dependencies, base images, and tool/runtime versions. Avoid network/time variance and fail when lockfiles drift.",
+        "id": "deterministic-builds",
+        "label": "Deterministic & Hermetic Builds",
+        "stack": {
+          "exampleConfigFiles": [
+            "Cargo.lock",
+            "rust-toolchain.toml"
+          ],
+          "exampleTools": [
+            "cargo build --locked"
+          ],
+          "notes": "Commit Cargo.lock for binaries/services and pin Rust versions with rust-toolchain.toml. Use --locked in CI.",
+          "optionalFiles": [
+            "rust-toolchain.toml"
+          ],
+          "requiredFiles": [
+            "Cargo.lock"
+          ],
+          "verification": "Cargo.lock is present and CI uses --locked. Rust toolchain is pinned."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "security"
+          },
+          "github-actions": {
+            "job": "security"
+          }
+        },
+        "description": "Produce SBOMs or provenance metadata, enable secret/code scanning, and sign tags or commits for critical repos.",
+        "id": "provenance-security",
+        "label": "Provenance & Security Metadata",
+        "stack": {
+          "exampleConfigFiles": [
+            ".github/workflows/codeql.yml",
+            ".github/workflows/provenance.yml"
+          ],
+          "exampleTools": [
+            "cargo-cyclonedx",
+            "syft",
+            "codeql",
+            "gitleaks",
+            "cosign"
+          ],
+          "notes": "Generate SBOM/provenance for crates and container artifacts, enable secret scanning, and sign tags/commits for critical repos.",
+          "optionalFiles": [
+            "SECURITY.md",
+            ".github/workflows/codeql.yml"
+          ],
+          "verification": "SBOM/provenance artifacts are published alongside releases, and CI runs secret/code scanning."
+        }
+      },
+      {
+        "ciHints": {
+          "azure-devops": {
+            "stage": "ci"
+          },
+          "github-actions": {
+            "job": "ci"
+          }
+        },
+        "description": "Adopt standard CI templates and config samples to scale across repositories, minimizing bespoke pipeline logic.",
+        "id": "ci-templates-automation",
+        "label": "CI Templates & Automation",
+        "stack": {
+          "anyOfFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleConfigFiles": [
+            ".github/workflows/ci.yml",
+            "azure-pipelines.yml"
+          ],
+          "exampleTools": [
+            "GitHub Actions reusable workflows",
+            "Azure DevOps templates"
+          ],
+          "notes": "Use shared CI templates for build/test/release stages to standardize across Rust repos.",
+          "requiredScripts": [
+            "ci"
+          ],
+          "verification": "CI pipeline references a shared template or reusable workflow and follows the standard job naming."
+        }
+      },
       {
         "ciHints": {
           "azure-devops": {

package/dist/config/standards.schema.json

@@ -447,10 +447,10 @@
       "type": "object"
     }
   },
-  "$id": "https://oddessentials.com/schemas/repo-standards/v3/standards.schema.json",
+  "$id": "https://oddessentials.com/schemas/repo-standards/v2/standards.schema.json",
   "$schema": "http://json-schema.org/draft-07/schema#",
   "additionalProperties": false,
-  "description": "Schema for repo-standards master configuration (v3+). Enforces strict validation with additionalProperties: false.",
+  "description": "Schema for repo-standards master configuration (v2+). Enforces strict validation with additionalProperties: false.",
   "properties": {
     "checklist": {
       "$ref": "#/$defs/Checklist"
@@ -481,8 +481,8 @@
       "type": "object"
     },
     "version": {
-      "description": "Schema version. Must be 3+ for strict validation with additionalProperties: false.",
-      "minimum": 3,
+      "description": "Schema version. Must be 2+ for strict validation with additionalProperties: false.",
+      "minimum": 2,
       "type": "integer"
     }
   },