@outcomeeng/spx 0.6.4 → 0.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -54,7 +54,7 @@ spx validation literal # Source/test literal reuse detection
54
54
  # Scope and targeting
55
55
  spx validation all --scope production # Exclude tests/scripts
56
56
  spx validation all --fix # Auto-fix across all checks
57
- spx validation all --files src/session/ # Validate specific files or directories
57
+ spx validation all src/session/ # Validate specific files or directories
58
58
  ```
59
59
 
60
60
  All validation commands support `--quiet` for CI and `--json` for machine-readable output.
@@ -170,8 +170,9 @@ A Lefthook **pre-push** hook runs `sonar analyze --base origin/main` so SonarQub
170
170
 
171
171
  The project uses GitHub Actions for continuous integration and publishing:
172
172
 
173
- - `ci.yml` — Runs validate, test, and build on Node 22 and 24 for every push to `main` and every pull request. Includes dependency review to block PRs introducing vulnerable dependencies.
174
- - `publish.yml` — Triggered by `v*` tags. Uses OIDC Trusted Publishing (no stored npm tokens) with Sigstore provenance attestation. Requires manual approval via the `npm-publish` GitHub Environment.
173
+ - `deterministic-verification.yml` — Runs the deterministic verification suite (validation, circular dependencies, tests with the status projection, and packaged-CLI checks) as parallel jobs on Node 24 for every push to `main` and every pull request, skipping root instruction docs. Includes dependency review on pull requests to block PRs introducing vulnerable dependencies.
174
+ - `agentic-verification.yml` — Runs agentic verification (audit and review) over each pull request.
175
+ - `publish.yml` — Triggered by `v*` tags. Gates on `deterministic-verification.yml` and publishes its verified build via OIDC Trusted Publishing (no stored npm tokens) with Sigstore provenance attestation. Requires manual approval via the `npm-publish` GitHub Environment.
175
176
  - `scorecard.yml` — Weekly OpenSSF Scorecard assessment, results published to the GitHub Security tab.
176
177
 
177
178
  ### Publishing a Release