@outcomeeng/spx 0.6.3 → 0.6.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +20 -9
- package/dist/cli.js +2487 -1137
- package/dist/cli.js.map +1 -1
- package/package.json +4 -4
package/README.md
CHANGED
|
@@ -54,7 +54,7 @@ spx validation literal # Source/test literal reuse detection
|
|
|
54
54
|
# Scope and targeting
|
|
55
55
|
spx validation all --scope production # Exclude tests/scripts
|
|
56
56
|
spx validation all --fix # Auto-fix across all checks
|
|
57
|
-
spx validation all
|
|
57
|
+
spx validation all src/session/ # Validate specific files or directories
|
|
58
58
|
```
|
|
59
59
|
|
|
60
60
|
All validation commands support `--quiet` for CI and `--json` for machine-readable output.
|
|
@@ -170,18 +170,29 @@ A Lefthook **pre-push** hook runs `sonar analyze --base origin/main` so SonarQub
|
|
|
170
170
|
|
|
171
171
|
The project uses GitHub Actions for continuous integration and publishing:
|
|
172
172
|
|
|
173
|
-
- `
|
|
174
|
-
- `
|
|
173
|
+
- `deterministic-verification.yml` — Runs the deterministic verification suite (validation, circular dependencies, tests with the status projection, and packaged-CLI checks) as parallel jobs on Node 24 for every push to `main` and every pull request, skipping root instruction docs. Includes dependency review on pull requests to block PRs introducing vulnerable dependencies.
|
|
174
|
+
- `agentic-verification.yml` — Runs agentic verification (audit and review) over each pull request.
|
|
175
|
+
- `publish.yml` — Triggered by `v*` tags. Gates on `deterministic-verification.yml` and publishes its verified build via OIDC Trusted Publishing (no stored npm tokens) with Sigstore provenance attestation. Requires manual approval via the `npm-publish` GitHub Environment.
|
|
175
176
|
- `scorecard.yml` — Weekly OpenSSF Scorecard assessment, results published to the GitHub Security tab.
|
|
176
177
|
|
|
177
178
|
### Publishing a Release
|
|
178
179
|
|
|
179
|
-
1.
|
|
180
|
-
2. Bump the version
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
180
|
+
1. Sync `main` with `origin/main`: `git pull --ff-only origin main`
|
|
181
|
+
2. Bump the version with `pnpm version patch --no-git-tag-version`, unless the
|
|
182
|
+
release request specifies `minor`, `major`, or an exact version
|
|
183
|
+
3. Run `pnpm run publish:check`
|
|
184
|
+
4. Commit and tag:
|
|
185
|
+
`git add package.json`
|
|
186
|
+
`git commit -m "build(release): bump version to X.Y.Z"`
|
|
187
|
+
`git tag vX.Y.Z`
|
|
188
|
+
5. Push: `git push origin main && git push origin vX.Y.Z`
|
|
189
|
+
6. Approve the deployment in the GitHub Actions `npm-publish` environment
|
|
190
|
+
7. Confirm the published version and provenance:
|
|
191
|
+
|
|
192
|
+
```bash
|
|
193
|
+
npm view @outcomeeng/spx version
|
|
194
|
+
npm audit signatures
|
|
195
|
+
```
|
|
185
196
|
|
|
186
197
|
## Technical Stack
|
|
187
198
|
|