@oorabona/release-it-preset 1.2.0 → 1.4.0

package/dist/scripts/doctor.js

@@ -13,8 +13,11 @@
  *   node dist/scripts/doctor.js --json
  */
 import { execSync } from 'node:child_process';
-import { existsSync, readFileSync } from 'node:fs';
-import { isValidSemver } from './lib/semver-utils.js';
+import { existsSync, readdirSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { isValidSemver, rangeIncludesVersion } from './lib/semver-utils.js';
+import { parsePnpmWorkspaceYaml, parseWorkspacesFromPackageJson, resolvePackagePaths, } from './lib/workspace-detect.js';
+import { hasGeneratedWorkflowMarker, normalizeWorkflowContent, readWorkflowTemplate, } from './lib/workflow-template.js';
 // ---------------------------------------------------------------------------
 // Helpers
 // ---------------------------------------------------------------------------
@@ -254,6 +257,911 @@ function detectWorkspaceIntegration(deps) {
         ].join('\n'),
     };
 }
+const WORKFLOW_DIR = join('.github', 'workflows');
+const WORKFLOW_FILE_NAME_REGEX = /^[A-Za-z0-9._-]+\.ya?ml$/;
+function listWorkflowFiles(deps) {
+    if (!deps.existsSync(WORKFLOW_DIR)) {
+        return { files: [], skippedFileNames: [], unreadableFilePaths: [] };
+    }
+    let entries;
+    try {
+        entries = deps.readdirSync(WORKFLOW_DIR);
+    }
+    catch (error) {
+        return {
+            files: [],
+            skippedFileNames: [],
+            unreadableFilePaths: [],
+            error: error instanceof Error ? error.message : 'workflow directory could not be read',
+        };
+    }
+    if (!Array.isArray(entries)) {
+        return {
+            files: [],
+            skippedFileNames: [],
+            unreadableFilePaths: [],
+            error: 'workflow directory listing did not return file names',
+        };
+    }
+    const files = [];
+    const skippedFileNames = [];
+    const unreadableFilePaths = [];
+    for (const entry of entries) {
+        if (typeof entry !== 'string' || !WORKFLOW_FILE_NAME_REGEX.test(entry)) {
+            skippedFileNames.push(String(entry));
+            continue;
+        }
+        const path = join(WORKFLOW_DIR, entry);
+        try {
+            files.push({
+                path,
+                content: deps.readFileSync(path, 'utf8'),
+            });
+        }
+        catch {
+            unreadableFilePaths.push(path);
+        }
+    }
+    return { files, skippedFileNames, unreadableFilePaths };
+}
+function formatSkippedWorkflowFiles(skippedFileNames) {
+    if (skippedFileNames.length === 0) {
+        return [];
+    }
+    return [
+        'Skipped workflow file name(s) outside the generated-template allowlist:',
+        ...skippedFileNames.map((name) => `- ${name}`),
+    ];
+}
+function formatUnreadableWorkflowFiles(unreadableFilePaths) {
+    if (unreadableFilePaths.length === 0) {
+        return [];
+    }
+    return [
+        'Unreadable workflow file(s) were not evaluated:',
+        ...unreadableFilePaths.map((path) => `- ${path}`),
+    ];
+}
+function classifyPublishWorkflowFreshness(context) {
+    if (context.scan.error)
+        return 'WORKFLOW_DIR_UNREADABLE';
+    if (context.scan.files.length === 0) {
+        return context.scan.unreadableFilePaths.length > 0 ? 'WORKFLOW_FILES_UNREADABLE' : 'NO_WORKFLOW_FILES';
+    }
+    if (context.generatedWorkflowPaths.length === 0) {
+        return context.scan.unreadableFilePaths.length > 0 ? 'WORKFLOW_FILES_UNREADABLE' : 'NO_GENERATED_WORKFLOW';
+    }
+    if (context.templateError)
+        return 'TEMPLATE_UNAVAILABLE';
+    if (context.templateMissingMarker)
+        return 'TEMPLATE_MISSING_MARKER';
+    if (context.staleWorkflowPaths.length > 0)
+        return 'GENERATED_WORKFLOWS_STALE';
+    // Skipped files (name outside the supported pattern) could hold a stale
+    // generated workflow — a clean PASS must never hide unscanned files.
+    if (context.scan.unreadableFilePaths.length > 0 || context.scan.skippedFileNames.length > 0) {
+        return 'WORKFLOW_FILES_UNREADABLE';
+    }
+    return 'GENERATED_WORKFLOWS_FRESH';
+}
+const PUBLISH_WORKFLOW_FRESHNESS_DECISIONS = {
+    WORKFLOW_DIR_UNREADABLE: (context) => ({
+        name: 'publish workflow freshness',
+        status: 'WARN',
+        value: 'workflow directory not evaluated',
+        detail: context.scan.error,
+    }),
+    WORKFLOW_FILES_UNREADABLE: (context) => ({
+        name: 'publish workflow freshness',
+        status: 'WARN',
+        value: 'workflow files partially evaluated',
+        detail: [
+            'One or more workflow files could not be read, so generated workflow freshness was not fully evaluated.',
+            ...formatUnreadableWorkflowFiles(context.scan.unreadableFilePaths),
+            ...formatSkippedWorkflowFiles(context.scan.skippedFileNames),
+        ].join('\n'),
+    }),
+    // Omitted, not PASS: no workflow files at all means the domain is absent
+    // (same not-applicable convention as the workspace ranges check).
+    NO_WORKFLOW_FILES: () => null,
+    NO_GENERATED_WORKFLOW: (context) => ({
+        name: 'publish workflow freshness',
+        status: 'PASS',
+        value: 'custom workflow(s) not evaluated',
+        detail: [
+            'No workflow generated by release-it-preset init --with-workflows was detected.',
+            'Only files carrying the generated workflow marker are compared to the shipped template.',
+            ...formatSkippedWorkflowFiles(context.scan.skippedFileNames),
+            ...formatUnreadableWorkflowFiles(context.scan.unreadableFilePaths),
+        ].join('\n'),
+    }),
+    TEMPLATE_UNAVAILABLE: (context) => ({
+        name: 'publish workflow freshness',
+        status: 'WARN',
+        value: 'canonical template unavailable',
+        detail: context.templateError,
+    }),
+    TEMPLATE_MISSING_MARKER: () => ({
+        name: 'publish workflow freshness',
+        status: 'WARN',
+        value: 'canonical template not evaluated',
+        detail: 'The shipped workflow template does not carry the generated workflow marker.',
+    }),
+    GENERATED_WORKFLOWS_FRESH: (context) => ({
+        name: 'publish workflow freshness',
+        status: 'PASS',
+        value: `${context.generatedWorkflowPaths.length} generated workflow(s) fresh`,
+        detail: [
+            ...formatSkippedWorkflowFiles(context.scan.skippedFileNames),
+            ...formatUnreadableWorkflowFiles(context.scan.unreadableFilePaths),
+        ].join('\n') || undefined,
+    }),
+    GENERATED_WORKFLOWS_STALE: (context) => ({
+        name: 'publish workflow freshness',
+        status: 'WARN',
+        value: `${context.staleWorkflowPaths.length} generated workflow(s) stale`,
+        detail: [
+            'Generated workflow file(s) differ from the shipped release workflow template:',
+            ...context.staleWorkflowPaths.map((path) => `- ${path}`),
+            'Run release-it-preset init --with-workflows in a scratch directory and merge the generated workflow updates.',
+            ...formatSkippedWorkflowFiles(context.scan.skippedFileNames),
+            ...formatUnreadableWorkflowFiles(context.scan.unreadableFilePaths),
+        ].join('\n'),
+    }),
+};
+export function validatePublishWorkflowFreshness(deps) {
+    const scan = listWorkflowFiles(deps);
+    const generatedWorkflowPaths = scan.files
+        .filter((file) => hasGeneratedWorkflowMarker(file.content))
+        .map((file) => file.path);
+    const staleWorkflowPaths = [];
+    let templateError;
+    let templateMissingMarker = false;
+    if (generatedWorkflowPaths.length > 0) {
+        try {
+            const template = readWorkflowTemplate(deps).content;
+            if (!hasGeneratedWorkflowMarker(template)) {
+                templateMissingMarker = true;
+            }
+            else {
+                const normalizedTemplate = normalizeWorkflowContent(template);
+                for (const file of scan.files) {
+                    if (hasGeneratedWorkflowMarker(file.content) &&
+                        normalizeWorkflowContent(file.content) !== normalizedTemplate) {
+                        staleWorkflowPaths.push(file.path);
+                    }
+                }
+            }
+        }
+        catch (error) {
+            templateError = error instanceof Error ? error.message : 'canonical workflow template unavailable';
+        }
+    }
+    const context = {
+        scan,
+        generatedWorkflowPaths,
+        staleWorkflowPaths,
+        templateError,
+        templateMissingMarker,
+    };
+    const state = classifyPublishWorkflowFreshness(context);
+    return PUBLISH_WORKFLOW_FRESHNESS_DECISIONS[state](context);
+}
+function stripYamlComment(line) {
+    const commentIndex = line.indexOf('#');
+    return (commentIndex >= 0 ? line.slice(0, commentIndex) : line).trimEnd();
+}
+function countIndent(line) {
+    return line.match(/^\s*/)?.[0].length ?? 0;
+}
+function toYamlLines(content) {
+    const rawLines = content.split(/\r?\n/);
+    return {
+        rawLines,
+        lines: rawLines
+            .map((rawLine, index) => {
+            const text = stripYamlComment(rawLine);
+            return {
+                index,
+                text,
+                trimmed: text.trim(),
+                indent: countIndent(text),
+            };
+        })
+            .filter((line) => line.trimmed !== ''),
+    };
+}
+function parseYamlMapping(trimmed) {
+    if (trimmed.startsWith('- ')) {
+        return null;
+    }
+    const match = trimmed.match(/^("[^"]+"|'[^']+'|[A-Za-z0-9_-]+)\s*:\s*(.*)$/);
+    if (!match) {
+        return null;
+    }
+    const rawKey = match[1];
+    const key = (rawKey.startsWith('"') && rawKey.endsWith('"')) ||
+        (rawKey.startsWith("'") && rawKey.endsWith("'"))
+        ? rawKey.slice(1, -1)
+        : rawKey;
+    return {
+        key,
+        value: match[2].trim(),
+    };
+}
+function parseWorkflowJobs(content) {
+    const { rawLines, lines } = toYamlLines(content);
+    const jobsLines = lines.filter((line) => {
+        const mapping = parseYamlMapping(line.trimmed);
+        return line.indent === 0 && mapping?.key === 'jobs';
+    });
+    if (jobsLines.length === 0) {
+        return { ok: false, reason: 'top-level jobs block not detected' };
+    }
+    if (jobsLines.length > 1) {
+        return { ok: false, reason: 'multiple top-level jobs blocks detected' };
+    }
+    const jobsLine = jobsLines[0];
+    const jobsMapping = parseYamlMapping(jobsLine.trimmed);
+    if (!jobsMapping || jobsMapping.value !== '') {
+        return { ok: false, reason: 'top-level jobs block uses an inline or dynamic value' };
+    }
+    const firstAfterJobs = lines.findIndex((line) => line.index > jobsLine.index);
+    const jobsBlockEnd = firstAfterJobs === -1
+        ? rawLines.length
+        : (lines.slice(firstAfterJobs).find((line) => line.indent <= jobsLine.indent)?.index ??
+            rawLines.length);
+    const jobLines = lines.filter((line) => line.index > jobsLine.index && line.index < jobsBlockEnd);
+    if (jobLines.length === 0) {
+        return { ok: false, reason: 'jobs block is empty' };
+    }
+    const jobIndent = jobLines[0].indent;
+    if (jobIndent <= jobsLine.indent) {
+        return { ok: false, reason: 'jobs block has no nested job definitions' };
+    }
+    const jobStarts = [];
+    for (const line of jobLines) {
+        if (line.indent !== jobIndent) {
+            continue;
+        }
+        const mapping = parseYamlMapping(line.trimmed);
+        if (!mapping) {
+            return { ok: false, reason: 'jobs block contains an unsupported child entry' };
+        }
+        if (mapping.value !== '') {
+            return { ok: false, reason: `job "${mapping.key}" uses an inline or dynamic value` };
+        }
+        jobStarts.push({ id: mapping.key, index: line.index });
+    }
+    if (jobStarts.length === 0) {
+        return { ok: false, reason: 'jobs block has no supported job definitions' };
+    }
+    const jobs = jobStarts.map((job, index) => {
+        const nextJob = jobStarts[index + 1];
+        const endIndex = nextJob?.index ?? jobsBlockEnd;
+        return {
+            id: job.id,
+            content: rawLines.slice(job.index, endIndex).join('\n'),
+            indent: jobIndent,
+        };
+    });
+    return { ok: true, jobs };
+}
+function stripYamlQuotes(value) {
+    const trimmed = value.trim();
+    if ((trimmed.startsWith('"') && trimmed.endsWith('"')) ||
+        (trimmed.startsWith("'") && trimmed.endsWith("'"))) {
+        return trimmed.slice(1, -1);
+    }
+    return trimmed;
+}
+function inlinePermissionsMapHasIdTokenWrite(value) {
+    const trimmed = value.trim();
+    if (!trimmed.startsWith('{') || !trimmed.endsWith('}')) {
+        return null;
+    }
+    return /(?:^|,)\s*['"]?id-token['"]?\s*:\s*['"]?write['"]?\s*(?:,|$)/.test(trimmed.slice(1, -1));
+}
+function scalarPermissionsValueHasIdTokenWrite(value) {
+    const scalar = stripYamlQuotes(value);
+    if (scalar === 'write-all') {
+        return 'GRANTED';
+    }
+    if (scalar === 'read-all') {
+        return 'MISSING';
+    }
+    return null;
+}
+function isDynamicYamlValue(value) {
+    return (value.startsWith('*') ||
+        value.startsWith('&') ||
+        value.startsWith('[') ||
+        value.includes('${{'));
+}
+function evaluatePermissionsValue(value) {
+    const scalarResult = scalarPermissionsValueHasIdTokenWrite(value);
+    if (scalarResult !== null) {
+        return scalarResult;
+    }
+    const inlineResult = inlinePermissionsMapHasIdTokenWrite(value);
+    if (inlineResult !== null) {
+        return inlineResult ? 'GRANTED' : 'MISSING';
+    }
+    return isDynamicYamlValue(value) ? 'NOT_EVALUATED' : 'MISSING';
+}
+function evaluatePermissionsLine(lines, permissionsLine) {
+    const permissions = parseYamlMapping(permissionsLine.trimmed);
+    if (!permissions) {
+        return 'NOT_EVALUATED';
+    }
+    if (permissions.value !== '') {
+        return evaluatePermissionsValue(permissions.value);
+    }
+    const permissionChildLines = lines.filter((line) => line.index > permissionsLine.index);
+    const permissionBlockLines = [];
+    for (const line of permissionChildLines) {
+        if (line.indent <= permissionsLine.indent) {
+            break;
+        }
+        permissionBlockLines.push(line);
+    }
+    if (permissionBlockLines.length === 0) {
+        return 'MISSING';
+    }
+    const permissionChildIndent = permissionBlockLines[0].indent;
+    for (const line of permissionBlockLines) {
+        if (line.indent !== permissionChildIndent) {
+            continue;
+        }
+        const mapping = parseYamlMapping(line.trimmed);
+        if (!mapping || mapping.key === '<<' || isDynamicYamlValue(mapping.value)) {
+            return 'NOT_EVALUATED';
+        }
+        if (mapping.key === 'id-token' && stripYamlQuotes(mapping.value) === 'write') {
+            return 'GRANTED';
+        }
+    }
+    return 'MISSING';
+}
+function evaluateWorkflowIdTokenWritePermission(content) {
+    const { lines } = toYamlLines(content);
+    const permissionsLines = lines.filter((line) => {
+        const mapping = parseYamlMapping(line.trimmed);
+        return line.indent === 0 && mapping?.key === 'permissions';
+    });
+    if (permissionsLines.length === 0) {
+        return 'MISSING';
+    }
+    if (permissionsLines.length > 1) {
+        return 'NOT_EVALUATED';
+    }
+    return evaluatePermissionsLine(lines, permissionsLines[0]);
+}
+function evaluateJobIdTokenWritePermission(job) {
+    const { lines } = toYamlLines(job.content);
+    const childLines = lines.filter((line) => line.index > 0 && line.indent > job.indent);
+    if (childLines.length === 0) {
+        return 'INHERIT';
+    }
+    const childIndent = childLines[0].indent;
+    const permissionsLines = childLines.filter((line) => {
+        const mapping = parseYamlMapping(line.trimmed);
+        return line.indent === childIndent && mapping?.key === 'permissions';
+    });
+    if (permissionsLines.length === 0) {
+        return 'INHERIT';
+    }
+    if (permissionsLines.length > 1) {
+        return 'NOT_EVALUATED';
+    }
+    return evaluatePermissionsLine(childLines, permissionsLines[0]);
+}
+function resolveJobIdTokenWritePermission(job, workflowPermission) {
+    const jobPermission = evaluateJobIdTokenWritePermission(job);
+    return jobPermission === 'INHERIT' ? workflowPermission : jobPermission;
+}
+export function workflowHasIdTokenWritePermission(content) {
+    const parsed = parseWorkflowJobs(content);
+    if (!parsed.ok) {
+        return false;
+    }
+    const workflowPermission = evaluateWorkflowIdTokenWritePermission(content);
+    return parsed.jobs.some((job) => resolveJobIdTokenWritePermission(job, workflowPermission) === 'GRANTED');
+}
+function contentWithoutYamlComments(content) {
+    return content
+        .split(/\r?\n/)
+        .map((line) => stripYamlComment(line))
+        .join('\n');
+}
+function workflowHasNpmPublishIntent(content) {
+    const body = contentWithoutYamlComments(content);
+    return (/\bNPM_PUBLISH\s*:\s*(?:['"]?true['"]?|\$\{\{)/.test(body) ||
+        /\bretry-publish(?![-\w])/.test(body) ||
+        /\bnpm\s+publish\b/.test(body));
+}
+function evaluateWorkflowNpmProvenance(content) {
+    if (!workflowHasNpmPublishIntent(content)) {
+        return {
+            publishJobIds: [],
+            idTokenJobIds: [],
+            missingJobIds: [],
+        };
+    }
+    const parsed = parseWorkflowJobs(content);
+    if (!parsed.ok) {
+        return {
+            publishJobIds: [],
+            idTokenJobIds: [],
+            missingJobIds: [],
+            notEvaluatedReason: parsed.reason,
+        };
+    }
+    const publishJobs = parsed.jobs.filter((job) => workflowHasNpmPublishIntent(job.content));
+    if (publishJobs.length === 0) {
+        return {
+            publishJobIds: [],
+            idTokenJobIds: [],
+            missingJobIds: [],
+            notEvaluatedReason: 'npm-publish signal is present, but no concrete publishing job could be identified',
+        };
+    }
+    const idTokenJobIds = [];
+    const missingJobIds = [];
+    const notEvaluatedJobIds = [];
+    const workflowPermission = evaluateWorkflowIdTokenWritePermission(content);
+    for (const job of publishJobs) {
+        const permission = resolveJobIdTokenWritePermission(job, workflowPermission);
+        if (permission === 'GRANTED') {
+            idTokenJobIds.push(job.id);
+        }
+        else if (permission === 'MISSING') {
+            missingJobIds.push(job.id);
+        }
+        else {
+            notEvaluatedJobIds.push(job.id);
+        }
+    }
+    return {
+        publishJobIds: publishJobs.map((job) => job.id),
+        idTokenJobIds,
+        missingJobIds,
+        notEvaluatedReason: notEvaluatedJobIds.length > 0
+            ? `resolved permissions not evaluated for: ${notEvaluatedJobIds.join(', ')}`
+            : undefined,
+    };
+}
+function classifyNpmProvenanceReadiness(context) {
+    if (context.npmPublish !== 'true')
+        return 'NPM_PUBLISH_DISABLED';
+    if (context.scan.error)
+        return 'WORKFLOW_DIR_UNREADABLE';
+    if (context.scan.files.length === 0 && context.scan.unreadableFilePaths.length === 0) {
+        return 'NO_WORKFLOW_FILES';
+    }
+    if (context.scan.unreadableFilePaths.length > 0)
+        return 'WORKFLOW_FILES_UNREADABLE';
+    if (context.notEvaluatedWorkflowDetails.length > 0)
+        return 'PUBLISHING_JOB_NOT_EVALUATED';
+    if (context.publishJobRefs.length === 0)
+        return 'NO_NPM_PUBLISH_WORKFLOW';
+    if (context.missingJobRefs.length > 0)
+        return 'ID_TOKEN_WRITE_MISSING';
+    // A skipped file (name outside the supported pattern) could contain an
+    // ungated publishing job — a clean PASS must never hide unscanned files.
+    if (context.scan.skippedFileNames.length > 0)
+        return 'WORKFLOW_FILES_SKIPPED';
+    return 'ID_TOKEN_WRITE_FOUND';
+}
+function npmProvenanceMissingDetail(context) {
+    return [
+        'NPM_PUBLISH=true is set, but no evaluated publishing job declares permissions: id-token: write.',
+        'Add id-token: write under top-level permissions or jobs.<publishing-job>.permissions; job-level permissions override workflow-level permissions.',
+        ...context.missingJobRefs.map((ref) => `- missing on ${ref}`),
+        ...formatSkippedWorkflowFiles(context.scan.skippedFileNames),
+        ...formatUnreadableWorkflowFiles(context.scan.unreadableFilePaths),
+    ].join('\n');
+}
+const NPM_PROVENANCE_READINESS_DECISIONS = {
+    // Omitted, not PASS: matches the not-applicable convention of the
+    // workspace ranges check and the documented "when NPM_PUBLISH=true" gate.
+    NPM_PUBLISH_DISABLED: () => null,
+    WORKFLOW_DIR_UNREADABLE: (context) => ({
+        name: 'npm provenance readiness',
+        status: 'WARN',
+        value: 'workflow directory not evaluated',
+        detail: context.scan.error,
+    }),
+    WORKFLOW_FILES_UNREADABLE: (context) => ({
+        name: 'npm provenance readiness',
+        status: 'WARN',
+        value: 'workflow files not evaluated',
+        detail: [
+            'One or more workflow files could not be read, so npm provenance readiness was not fully evaluated.',
+            ...formatUnreadableWorkflowFiles(context.scan.unreadableFilePaths),
+            ...formatSkippedWorkflowFiles(context.scan.skippedFileNames),
+        ].join('\n'),
+    }),
+    NO_WORKFLOW_FILES: (context) => ({
+        name: 'npm provenance readiness',
+        status: 'WARN',
+        value: 'id-token: write not detected',
+        detail: npmProvenanceMissingDetail(context),
+    }),
+    NO_NPM_PUBLISH_WORKFLOW: (context) => ({
+        name: 'npm provenance readiness',
+        status: 'WARN',
+        value: 'npm publish workflow not detected',
+        detail: [
+            'NPM_PUBLISH=true is set, but no allowlisted workflow file contains a supported npm-publish signal.',
+            'Supported signals: NPM_PUBLISH, retry-publish, or npm publish.',
+            ...formatSkippedWorkflowFiles(context.scan.skippedFileNames),
+            ...formatUnreadableWorkflowFiles(context.scan.unreadableFilePaths),
+        ].join('\n'),
+    }),
+    WORKFLOW_FILES_SKIPPED: (context) => ({
+        name: 'npm provenance readiness',
+        status: 'WARN',
+        value: 'workflow files partially evaluated',
+        detail: [
+            'Evaluated publishing jobs all resolve to id-token: write, but some workflow files were skipped because their name is outside the supported pattern, so they may contain an unverified publishing job.',
+            ...formatSkippedWorkflowFiles(context.scan.skippedFileNames),
+            'Rename the skipped file(s) to a simple name (letters, digits, dot, underscore, dash) or review their permissions manually.',
+        ].join('\n'),
+    }),
+    PUBLISHING_JOB_NOT_EVALUATED: (context) => ({
+        name: 'npm provenance readiness',
+        status: 'WARN',
+        value: 'publishing job permissions not evaluated',
+        detail: [
+            'NPM_PUBLISH=true is set, but one or more npm-publish workflow structures or permissions could not be evaluated.',
+            'Doctor passes this check when the publishing job resolves to permissions: id-token: write, either directly or by inheriting workflow-level permissions.',
+            'Not evaluated:',
+            ...context.notEvaluatedWorkflowDetails.map((detail) => `- ${detail}`),
+            ...context.missingJobRefs.map((ref) => `- missing on ${ref}`),
+            ...formatSkippedWorkflowFiles(context.scan.skippedFileNames),
+        ].join('\n'),
+    }),
+    ID_TOKEN_WRITE_FOUND: (context) => ({
+        name: 'npm provenance readiness',
+        status: 'PASS',
+        value: `id-token: write detected on ${context.idTokenJobRefs.length} publishing job(s)`,
+        detail: context.idTokenJobRefs.map((ref) => `- ${ref}`).join('\n'),
+    }),
+    ID_TOKEN_WRITE_MISSING: (context) => ({
+        name: 'npm provenance readiness',
+        status: 'WARN',
+        value: 'id-token: write not detected',
+        detail: npmProvenanceMissingDetail(context),
+    }),
+};
+export function validateNpmProvenanceReadiness(deps) {
+    const scan = listWorkflowFiles(deps);
+    const publishJobRefs = [];
+    const idTokenJobRefs = [];
+    const missingJobRefs = [];
+    const notEvaluatedWorkflowDetails = [];
+    for (const file of scan.files) {
+        const evaluation = evaluateWorkflowNpmProvenance(file.content);
+        publishJobRefs.push(...evaluation.publishJobIds.map((jobId) => `${file.path}#${jobId}`));
+        idTokenJobRefs.push(...evaluation.idTokenJobIds.map((jobId) => `${file.path}#${jobId}`));
+        missingJobRefs.push(...evaluation.missingJobIds.map((jobId) => `${file.path}#${jobId}`));
+        if (evaluation.notEvaluatedReason) {
+            notEvaluatedWorkflowDetails.push(`${file.path}: ${evaluation.notEvaluatedReason}`);
+        }
+    }
+    const context = {
+        scan,
+        publishJobRefs,
+        idTokenJobRefs,
+        missingJobRefs,
+        notEvaluatedWorkflowDetails,
+        npmPublish: deps.getEnv('NPM_PUBLISH'),
+    };
+    const state = classifyNpmProvenanceReadiness(context);
+    return NPM_PROVENANCE_READINESS_DECISIONS[state](context);
+}
+const DEPENDENCY_FIELDS = [
+    'dependencies',
+    'devDependencies',
+    'peerDependencies',
+    'optionalDependencies',
+];
+function isStringRecord(value) {
+    if (typeof value !== 'object' || value === null || Array.isArray(value)) {
+        return false;
+    }
+    return Object.values(value).every((v) => typeof v === 'string');
+}
+function collectDependencyRanges(pkg) {
+    const dependencies = [];
+    for (const field of DEPENDENCY_FIELDS) {
+        const entries = pkg[field];
+        if (!isStringRecord(entries)) {
+            continue;
+        }
+        for (const [name, range] of Object.entries(entries)) {
+            dependencies.push({ field, name, range });
+        }
+    }
+    return dependencies;
+}
+function isSupportedWorkspacePattern(pattern) {
+    if (/[?{}[\]]/.test(pattern)) {
+        return false;
+    }
+    const starCount = (pattern.match(/\*/g) ?? []).length;
+    if (starCount === 0) {
+        return true;
+    }
+    return starCount === 1 && pattern.endsWith('/*');
+}
+function classifyWorkspacePatterns(patterns) {
+    const supportedPatterns = [];
+    const unsupportedPatterns = [];
+    const negatedPatterns = [];
+    for (const pattern of patterns) {
+        if (pattern.startsWith('!')) {
+            negatedPatterns.push(pattern);
+        }
+        else if (isSupportedWorkspacePattern(pattern)) {
+            supportedPatterns.push(pattern);
+        }
+        else {
+            unsupportedPatterns.push(pattern);
+        }
+    }
+    return { supportedPatterns, unsupportedPatterns, negatedPatterns };
+}
+function formatUnsupportedPatternDetails(patterns) {
+    if (patterns.length === 0) {
+        return [];
+    }
+    return [
+        'Unsupported workspace pattern(s) were not evaluated:',
+        ...patterns.map((pattern) => `- ${pattern}: pattern not supported by this check`),
+    ];
+}
+function formatNegatedPatternDetails(patterns) {
+    return [
+        'Negated workspace pattern(s) are not supported by this check; internal dependency ranges were not evaluated.',
+        ...patterns.map((pattern) => `- ${pattern}: exclusion pattern not supported`),
+        'Remove negated workspace patterns or verify internal dependency ranges manually.',
+    ].join('\n');
+}
+function formatUnreadableManifestDetail(unreadableManifestCount) {
+    return unreadableManifestCount > 0
+        ? `${unreadableManifestCount} manifest(s) unreadable; those packages were not evaluated.`
+        : undefined;
+}
+function readWorkspacePatterns(deps) {
+    if (deps.existsSync('pnpm-workspace.yaml')) {
+        try {
+            const content = deps.readFileSync('pnpm-workspace.yaml', 'utf8');
+            return { patterns: parsePnpmWorkspaceYaml(content) };
+        }
+        catch (error) {
+            const reason = error instanceof Error ? error.message : 'unknown parser error';
+            return {
+                patterns: [],
+                error: [
+                    'pnpm-workspace.yaml could not be parsed; internal dependency ranges were not verified.',
+                    reason,
+                ].join('\n'),
+            };
+        }
+    }
+    if (!deps.existsSync('package.json')) {
+        return null;
+    }
+    try {
+        const content = deps.readFileSync('package.json', 'utf8');
+        const patterns = parseWorkspacesFromPackageJson(content);
+        return patterns.length > 0 ? { patterns } : null;
+    }
+    catch (error) {
+        return {
+            patterns: [],
+            error: [
+                'package.json workspaces field could not be read; internal dependency ranges were not verified.',
+                error instanceof Error ? error.message : 'unknown parser error',
+            ].join('\n'),
+        };
+    }
+}
+function readWorkspacePackages(packageDirs, deps) {
+    const packages = [];
+    let unreadableManifestCount = 0;
+    for (const packageDir of packageDirs) {
+        try {
+            const raw = deps.readFileSync(join(packageDir, 'package.json'), 'utf8');
+            const parsed = JSON.parse(raw);
+            if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+                unreadableManifestCount += 1;
+                continue;
+            }
+            const pkg = parsed;
+            if (typeof pkg.name !== 'string' || typeof pkg.version !== 'string') {
+                unreadableManifestCount += 1;
+                continue;
+            }
+            if (!isValidSemver(pkg.version)) {
+                unreadableManifestCount += 1;
+                continue;
+            }
+            packages.push({
+                name: pkg.name,
+                version: pkg.version,
+                dependencies: collectDependencyRanges(pkg),
+            });
+        }
+        catch {
+            unreadableManifestCount += 1;
+        }
+    }
+    return { packages, unreadableManifestCount };
+}
+export function validateWorkspaceDependencyRanges(deps) {
+    const workspacePatterns = readWorkspacePatterns(deps);
+    if (workspacePatterns === null) {
+        return null;
+    }
+    if (workspacePatterns.error) {
+        return {
+            name: 'Workspace dependency ranges',
+            status: 'WARN',
+            value: 'workspace configuration not evaluated',
+            detail: workspacePatterns.error,
+        };
+    }
+    const { patterns } = workspacePatterns;
+    if (patterns.length === 0) {
+        return {
+            name: 'Workspace dependency ranges',
+            status: 'PASS',
+            value: 'no workspace packages declared',
+        };
+    }
+    const { supportedPatterns, unsupportedPatterns, negatedPatterns } = classifyWorkspacePatterns(patterns);
+    if (negatedPatterns.length > 0) {
+        return {
+            name: 'Workspace dependency ranges',
+            status: 'WARN',
+            value: 'not evaluated',
+            detail: formatNegatedPatternDetails(negatedPatterns),
+        };
+    }
+    let packageDirs;
+    try {
+        packageDirs =
+            supportedPatterns.length > 0
+                ? resolvePackagePaths(supportedPatterns, deps.cwd(), {
+                    existsSync: deps.existsSync,
+                    readdirSync: deps.readdirSync,
+                })
+                : [];
+    }
+    catch (error) {
+        return {
+            name: 'Workspace dependency ranges',
+            status: 'WARN',
+            value: 'not evaluated',
+            detail: [
+                error instanceof Error ? error.message : 'Could not resolve workspace package paths',
+                ...formatUnsupportedPatternDetails(unsupportedPatterns),
+            ].join('\n'),
+        };
+    }
+    if (packageDirs.length === 0) {
+        if (unsupportedPatterns.length > 0) {
+            return {
+                name: 'Workspace dependency ranges',
+                status: 'WARN',
+                value: 'workspace ranges partially evaluated',
+                detail: [
+                    supportedPatterns.length > 0
+                        ? 'Supported workspace pattern(s) did not resolve any package directories; ranges were not evaluated.'
+                        : 'No supported workspace patterns were available; ranges were not evaluated.',
+                    ...formatUnsupportedPatternDetails(unsupportedPatterns),
+                ].join('\n'),
+            };
+        }
+        return {
+            name: 'Workspace dependency ranges',
+            status: 'WARN',
+            value: 'workspace packages not resolved — ranges not evaluated',
+            detail: [
+                'Declared workspace pattern(s) did not resolve any package directories.',
+                ...supportedPatterns.map((pattern) => `- ${pattern}`),
+            ].join('\n'),
+        };
+    }
+    const { packages, unreadableManifestCount } = readWorkspacePackages(packageDirs, deps);
+    if (packages.length === 0) {
+        return {
+            name: 'Workspace dependency ranges',
+            status: 'WARN',
+            value: 'workspace manifests unreadable — ranges not evaluated',
+            detail: [
+                'Resolved workspace package path(s) did not contain readable, valid package.json manifests.',
+                formatUnreadableManifestDetail(unreadableManifestCount),
+                ...formatUnsupportedPatternDetails(unsupportedPatterns),
+            ].filter(Boolean).join('\n'),
+        };
+    }
+    const versionByName = new Map(packages.map((pkg) => [pkg.name, pkg.version]));
+    const staleRanges = [];
+    const skippedRanges = [];
+    let coherentRangeCount = 0;
+    let internalRangeCount = 0;
+    for (const pkg of packages) {
+        for (const dependency of pkg.dependencies) {
+            const internalVersion = versionByName.get(dependency.name);
+            if (!internalVersion) {
+                continue;
+            }
+            internalRangeCount += 1;
+            const includesVersion = rangeIncludesVersion(dependency.range, internalVersion);
+            if (includesVersion === true) {
+                coherentRangeCount += 1;
+            }
+            else if (includesVersion === false) {
+                staleRanges.push(`${pkg.name} ${dependency.field}.${dependency.name}="${dependency.range}" does not include ${internalVersion}`);
+            }
+            else {
+                skippedRanges.push(`${pkg.name} ${dependency.field}.${dependency.name}="${dependency.range}"`);
+            }
+        }
+    }
+    if (staleRanges.length > 0) {
+        return {
+            name: 'Workspace dependency ranges',
+            status: 'WARN',
+            value: `${staleRanges.length} stale internal range(s)`,
+            detail: [
+                ...staleRanges.slice(0, 10).map((item) => `- ${item}`),
+                staleRanges.length > 10 ? `- ...and ${staleRanges.length - 10} more` : '',
+                'Update the range to include the current internal package version, or use the workspace: protocol.',
+                formatUnreadableManifestDetail(unreadableManifestCount),
+                ...formatUnsupportedPatternDetails(unsupportedPatterns),
+            ].filter(Boolean).join('\n'),
+        };
+    }
+    const partialEvaluationDetails = [
+        formatUnreadableManifestDetail(unreadableManifestCount),
+        ...formatUnsupportedPatternDetails(unsupportedPatterns),
+    ].filter(Boolean);
+    if (partialEvaluationDetails.length > 0) {
+        return {
+            name: 'Workspace dependency ranges',
+            status: 'WARN',
+            value: 'workspace ranges partially evaluated',
+            detail: [
+                internalRangeCount === 0
+                    ? 'No internal package dependencies were found in readable workspace manifests.'
+                    : `${coherentRangeCount}/${internalRangeCount} internal range(s) coherent in readable workspace manifests.`,
+                ...partialEvaluationDetails,
+            ].join('\n'),
+        };
+    }
+    if (internalRangeCount === 0) {
+        return {
+            name: 'Workspace dependency ranges',
+            status: 'PASS',
+            value: 'no internal package dependencies',
+        };
+    }
+    return {
+        name: 'Workspace dependency ranges',
+        status: 'PASS',
+        value: skippedRanges.length > 0
+            ? `${coherentRangeCount}/${internalRangeCount} internal range(s) coherent; ${skippedRanges.length} skipped`
+            : `${coherentRangeCount}/${internalRangeCount} internal range(s) coherent`,
+        detail: skippedRanges.length > 0
+            ? `Skipped unsupported range syntax: ${skippedRanges.slice(0, 5).join(', ')}`
+            : undefined,
+    };
+}
 export function validateConfiguration(deps) {
     const checks = [];
     const changelogPath = deps.getEnv('CHANGELOG_FILE') ?? 'CHANGELOG.md';
@@ -267,41 +1175,54 @@ export function validateConfiguration(deps) {
     }
     else {
         checks.push({ name: `${changelogPath} exists`, status: 'PASS', value: 'yes' });
-        const content = deps.readFileSync(changelogPath, 'utf8');
-        const hasKacHeader = /^# Changelog/m.test(content);
-        if (!hasKacHeader) {
-            checks.push({
-                name: 'Keep a Changelog format',
-                status: 'FAIL',
-                value: 'invalid',
-                detail: 'CHANGELOG.md must start with "# Changelog" (Keep a Changelog format)',
-            });
-        }
-        else {
-            checks.push({ name: 'Keep a Changelog format', status: 'PASS', value: 'valid' });
+        let content = null;
+        try {
+            content = deps.readFileSync(changelogPath, 'utf8');
         }
-        const unreleasedMatch = content.match(/## \[Unreleased\]([\s\S]*?)(?=## \[|$)/);
-        if (!unreleasedMatch) {
+        catch (error) {
             checks.push({
-                name: '[Unreleased] section',
-                status: 'FAIL',
-                value: 'missing',
-                detail: 'Add "## [Unreleased]" section — run: release-it-preset update',
+                name: 'Keep a Changelog format',
+                status: 'WARN',
+                value: 'not evaluated',
+                detail: `${changelogPath} could not be read: ${error instanceof Error ? error.message : String(error)}`,
             });
         }
-        else {
-            const unreleasedContent = unreleasedMatch[1].trim();
-            const hasChanges = /^-/m.test(unreleasedContent);
-            if (!unreleasedContent || !hasChanges) {
+        if (content !== null) {
+            const hasKacHeader = /^# Changelog/m.test(content);
+            if (!hasKacHeader) {
+                checks.push({
+                    name: 'Keep a Changelog format',
+                    status: 'FAIL',
+                    value: 'invalid',
+                    detail: 'CHANGELOG.md must start with "# Changelog" (Keep a Changelog format)',
+                });
+            }
+            else {
+                checks.push({ name: 'Keep a Changelog format', status: 'PASS', value: 'valid' });
+            }
+            const unreleasedMatch = content.match(/## \[Unreleased\]([\s\S]*?)(?=## \[|$)/);
+            if (!unreleasedMatch) {
                 checks.push({
                     name: '[Unreleased] section',
-                    status: 'WARN',
-                    value: 'empty',
-                    detail: 'No entries yet — run: release-it-preset update',
+                    status: 'FAIL',
+                    value: 'missing',
+                    detail: 'Add "## [Unreleased]" section — run: release-it-preset update',
                 });
             }
             else {
-                checks.push({ name: '[Unreleased] section', status: 'PASS', value: 'has content' });
+                const unreleasedContent = unreleasedMatch[1].trim();
+                const hasChanges = /^-/m.test(unreleasedContent);
+                if (!unreleasedContent || !hasChanges) {
+                    checks.push({
+                        name: '[Unreleased] section',
+                        status: 'WARN',
+                        value: 'empty',
+                        detail: 'No entries yet — run: release-it-preset update',
+                    });
+                }
+                else {
+                    checks.push({ name: '[Unreleased] section', status: 'PASS', value: 'has content' });
+                }
             }
         }
     }
@@ -396,6 +1317,18 @@ export function validateConfiguration(deps) {
         }
     }
     checks.push(detectWorkspaceIntegration(deps));
+    const workspaceDependencyRanges = validateWorkspaceDependencyRanges(deps);
+    if (workspaceDependencyRanges) {
+        checks.push(workspaceDependencyRanges);
+    }
+    const publishWorkflowFreshness = validatePublishWorkflowFreshness(deps);
+    if (publishWorkflowFreshness) {
+        checks.push(publishWorkflowFreshness);
+    }
+    const npmProvenanceReadiness = validateNpmProvenanceReadiness(deps);
+    if (npmProvenanceReadiness) {
+        checks.push(npmProvenanceReadiness);
+    }
     for (const result of validateReleaseItPeer(deps)) {
         checks.push(result);
     }
@@ -654,8 +1587,10 @@ if (import.meta.url === `file://${process.argv[1]}`) {
     const deps = {
         execSync,
         existsSync,
+        readdirSync,
         readFileSync,
         getEnv: (key) => process.env[key],
+        cwd: () => process.cwd(),
     };
     const report = runDoctor(deps);
     if (isJson) {