@outcomeeng/spx 0.6.3 → 0.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -54,7 +54,7 @@ spx validation literal # Source/test literal reuse detection
54
54
  # Scope and targeting
55
55
  spx validation all --scope production # Exclude tests/scripts
56
56
  spx validation all --fix # Auto-fix across all checks
57
- spx validation all --files src/session/ # Validate specific files or directories
57
+ spx validation all src/session/ # Validate specific files or directories
58
58
  ```
59
59
 
60
60
  All validation commands support `--quiet` for CI and `--json` for machine-readable output.
@@ -170,18 +170,29 @@ A Lefthook **pre-push** hook runs `sonar analyze --base origin/main` so SonarQub
170
170
 
171
171
  The project uses GitHub Actions for continuous integration and publishing:
172
172
 
173
- - `ci.yml` — Runs validate, test, and build on Node 22 and 24 for every push to `main` and every pull request. Includes dependency review to block PRs introducing vulnerable dependencies.
174
- - `publish.yml` — Triggered by `v*` tags. Uses OIDC Trusted Publishing (no stored npm tokens) with Sigstore provenance attestation. Requires manual approval via the `npm-publish` GitHub Environment.
173
+ - `deterministic-verification.yml` — Runs the deterministic verification suite (validation, circular dependencies, tests with the status projection, and packaged-CLI checks) as parallel jobs on Node 24 for every push to `main` and every pull request, skipping root instruction docs. Includes dependency review on pull requests to block PRs introducing vulnerable dependencies.
174
+ - `agentic-verification.yml` — Runs agentic verification (audit and review) over each pull request.
175
+ - `publish.yml` — Triggered by `v*` tags. Gates on `deterministic-verification.yml` and publishes its verified build via OIDC Trusted Publishing (no stored npm tokens) with Sigstore provenance attestation. Requires manual approval via the `npm-publish` GitHub Environment.
175
176
  - `scorecard.yml` — Weekly OpenSSF Scorecard assessment, results published to the GitHub Security tab.
176
177
 
177
178
  ### Publishing a Release
178
179
 
179
- 1. Run `pnpm run publish:check`
180
- 2. Bump the version in `package.json`
181
- 3. Commit and tag: `git tag vX.Y.Z`
182
- 4. Push: `git push origin main && git push origin vX.Y.Z`
183
- 5. Approve the deployment in the GitHub Actions `npm-publish` environment
184
- 6. Verify provenance with `npm audit signatures`
180
+ 1. Sync `main` with `origin/main`: `git pull --ff-only origin main`
181
+ 2. Bump the version with `pnpm version patch --no-git-tag-version`, unless the
182
+ release request specifies `minor`, `major`, or an exact version
183
+ 3. Run `pnpm run publish:check`
184
+ 4. Commit and tag:
185
+ `git add package.json`
186
+ `git commit -m "build(release): bump version to X.Y.Z"`
187
+ `git tag vX.Y.Z`
188
+ 5. Push: `git push origin main && git push origin vX.Y.Z`
189
+ 6. Approve the deployment in the GitHub Actions `npm-publish` environment
190
+ 7. Confirm the published version and provenance:
191
+
192
+ ```bash
193
+ npm view @outcomeeng/spx version
194
+ npm audit signatures
195
+ ```
185
196
 
186
197
  ## Technical Stack
187
198