@planu/cli 4.1.0 → 4.1.2

package/dist/tools/git/hook-ops.js

@@ -165,6 +165,36 @@ function buildPrePushScript(protectedBranches, stalenessThreshold, baseBranch) {
         '  fi',
         'fi',
         '',
+        '# Dependency freshness gate for pnpm projects',
+        'if command -v pnpm >/dev/null 2>&1 && [ -f "package.json" ] && [ -f "pnpm-lock.yaml" ]; then',
+        '  echo "[Planu] Checking dependency freshness..."',
+        '  pnpm install --frozen-lockfile --ignore-scripts >/dev/null || {',
+        '    echo "ERROR: package.json and pnpm-lock.yaml are not synchronized."',
+        '    echo "Run: pnpm install --lockfile-only --ignore-scripts"',
+        '    exit 1',
+        '  }',
+        '  pnpm audit --audit-level=high || {',
+        '    echo "ERROR: High or critical dependency vulnerabilities found."',
+        '    echo "Run: pnpm audit and update the affected packages before pushing."',
+        '    exit 1',
+        '  }',
+        '  OUTDATED_JSON=$(mktemp)',
+        '  OUTDATED_ERR=$(mktemp)',
+        '  pnpm outdated --format=json >"$OUTDATED_JSON" 2>"$OUTDATED_ERR"',
+        '  OUTDATED_STATUS=$?',
+        '  if [ "$OUTDATED_STATUS" -gt 1 ]; then',
+        '    echo "ERROR: Failed to query dependency freshness from the registry."',
+        '    cat "$OUTDATED_ERR"',
+        '    rm -f "$OUTDATED_JSON" "$OUTDATED_ERR"',
+        '    exit 1',
+        '  fi',
+        "  node -e \"const fs=require('fs');const raw=fs.readFileSync(process.argv[1],'utf8').trim();const data=raw?JSON.parse(raw):{};const count=Array.isArray(data)?data.length:Object.keys(data).length;if(count>0){console.error('ERROR: Outdated dependencies found. Run: bash scripts/check-updates.sh --apply, pnpm update, or update intentionally before pushing.');process.exit(1)}\" \"$OUTDATED_JSON\" || {",
+        '    rm -f "$OUTDATED_JSON" "$OUTDATED_ERR"',
+        '    exit 1',
+        '  }',
+        '  rm -f "$OUTDATED_JSON" "$OUTDATED_ERR"',
+        'fi',
+        '',
         'exit 0',
     ].join('\n');
 }
@@ -189,19 +219,33 @@ function buildPostCommitDriftScript() {
         '[ -z "$CHANGED" ] && exit 0',
         '',
         '# Build JSON array of file paths',
-        'FILES_JSON=$(echo "$CHANGED" | awk \'',
-        '  BEGIN { printf "[" }',
-        '  NR > 1 { printf "," }',
-        // eslint-disable-next-line no-useless-escape
-        '  { gsub(/"/, "\\\\\""); printf "\\"%s\\"", $0 }',
-        '  END { printf "]" }',
-        "')",
+        'FILES_JSON="["',
+        'FIRST=1',
+        'while IFS= read -r FILE_PATH; do',
+        '  ESCAPED=$(printf \'%s\' "$FILE_PATH" | sed \'s/\\\\/\\\\\\\\/g; s/"/\\\\"/g\')',
+        '  if [ "$FIRST" -eq 0 ]; then',
+        '    FILES_JSON="$FILES_JSON,"',
+        '  fi',
+        '  FILES_JSON="$FILES_JSON\\"$ESCAPED\\""',
+        '  FIRST=0',
+        'done <<PLANU_CHANGED_FILES',
+        '$CHANGED',
+        'PLANU_CHANGED_FILES',
+        'FILES_JSON="$FILES_JSON]"',
         '',
         "TS=$(date -u '+%Y-%m-%dT%H:%M:%SZ' 2>/dev/null || date -u)",
         '',
         '# Check for drift-worthy files (dep manifests or uncommon extensions)',
-        'HAS_DEP=$(echo "$CHANGED" | grep -cE \'(^|/)(package\\.json|go\\.mod|requirements\\.txt|Cargo\\.toml|pom\\.xml|build\\.gradle|pyproject\\.toml|Gemfile|composer\\.json)$\' 2>/dev/null || echo 0)',
-        "HAS_EXT=$(echo \"$CHANGED\" | grep -oE '\\.[a-zA-Z]+$' | grep -cvE '\\.(ts|tsx|js|jsx|mjs|cjs|json|md|mdx|sh|bash|txt|yaml|yml|toml|lock|sum|mod|py|go|rs|java|kt|rb|php|cs|dart|swift|html|css|scss|vue|svelte|env|sql|xml|csv)$' 2>/dev/null || echo 0)",
+        'if echo "$CHANGED" | grep -qE \'(^|/)(package\\.json|go\\.mod|requirements\\.txt|Cargo\\.toml|pom\\.xml|build\\.gradle|pyproject\\.toml|Gemfile|composer\\.json)$\' 2>/dev/null; then',
+        '  HAS_DEP=1',
+        'else',
+        '  HAS_DEP=0',
+        'fi',
+        "if echo \"$CHANGED\" | grep -oE '\\.[a-zA-Z]+$' | grep -qvE '\\.(ts|tsx|js|jsx|mjs|cjs|json|md|mdx|sh|bash|txt|yaml|yml|toml|lock|sum|mod|py|go|rs|java|kt|rb|php|cs|dart|swift|html|css|scss|vue|svelte|env|sql|xml|csv)$' 2>/dev/null; then",
+        '  HAS_EXT=1',
+        'else',
+        '  HAS_EXT=0',
+        'fi',
         '',
         '# Only write if there is something worth processing',
         'if [ "$HAS_DEP" -gt 0 ] || [ "$HAS_EXT" -gt 0 ]; then',

package/dist/tools/tool-registry/group-infra.js

@@ -14,6 +14,9 @@ import { safe, safeLicensed, safeTracked } from '../safe-handler.js';
 import { handleActivateLicense, handleDeactivateLicense } from '../activate-license.js';
 import { handleLicenseStatus } from '../license-status.js';
 import { LicenseStatusOutputSchema } from '../schemas/index.js';
+// ── OAuth tools (register-oauth-tools.ts / register-configure-oauth-tool.ts) ─
+import { handleStartOAuthFlow, handleOAuthStatus, StartOAuthFlowInputSchema, OAuthStatusInputSchema, } from '../oauth-handler.js';
+import { handleConfigureOAuth } from '../configure-oauth-handler.js';
 // ── Usage tools (register-usage-tools.ts) ────────────────────────────────────
 import { handleUsageStats } from '../usage-stats.js';
 import { handleUsageReport } from '../usage-report.js';
@@ -126,6 +129,25 @@ export function registerInfraGroupTools(server) {
         outputSchema: LicenseStatusOutputSchema,
         annotations: { title: 'License Status', readOnlyHint: true },
     }, safe(async (args) => handleLicenseStatus(args)));
+    // ── OAuth tools ────────────────────────────────────────────────────────────
+    server.registerTool('start_oauth_flow', {
+        description: 'Start guided OAuth setup for supported integrations such as Figma, GitHub, Sentry, or Supabase.',
+        inputSchema: StartOAuthFlowInputSchema,
+        annotations: { title: 'Start OAuth Flow', readOnlyHint: false },
+    }, safeLicensed('start_oauth_flow', async (args) => handleStartOAuthFlow(args)));
+    server.registerTool('oauth_status', {
+        description: 'Show which OAuth-backed integrations are connected for this project.',
+        inputSchema: OAuthStatusInputSchema,
+        annotations: { title: 'OAuth Status', readOnlyHint: true },
+    }, safeLicensed('oauth_status', async (args) => handleOAuthStatus(args)));
+    server.registerTool('configure_oauth', {
+        description: 'Inspect Planu MCP OAuth/API-key auth status or test a bearer token without exposing secrets.',
+        inputSchema: {
+            action: z.enum(['status', 'test']).describe('Action: status | test'),
+            token: z.string().max(4096).optional().describe('Bearer token to test when action=test'),
+        },
+        annotations: { title: 'Configure OAuth', readOnlyHint: true },
+    }, safe(async (args) => handleConfigureOAuth(args)));
     // ── Usage tools ────────────────────────────────────────────────────────────
     server.registerTool('usage_stats', {
         description: 'View your Planu usage statistics — tool calls, top tools, remaining daily calls. ' +

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@planu/cli",
-  "version": "4.1.0",
+  "version": "4.1.2",
   "description": "Planu — MCP Server for Spec Driven Development with native Rust acceleration for hot paths. Cross-platform (Linux/macOS/Windows, x64/arm64, glibc/musl).",
   "type": "module",
   "main": "dist/index.js",
@@ -32,12 +32,12 @@
     "packageName": "@planu/core"
   },
   "optionalDependencies": {
-    "@planu/core-darwin-arm64": "4.1.0",
-    "@planu/core-darwin-x64": "4.1.0",
-    "@planu/core-linux-arm64-gnu": "4.1.0",
-    "@planu/core-linux-arm64-musl": "4.1.0",
-    "@planu/core-linux-x64-gnu": "4.1.0",
-    "@planu/core-linux-x64-musl": "4.1.0"
+    "@planu/core-darwin-arm64": "4.1.2",
+    "@planu/core-darwin-x64": "4.1.2",
+    "@planu/core-linux-arm64-gnu": "4.1.2",
+    "@planu/core-linux-arm64-musl": "4.1.2",
+    "@planu/core-linux-x64-gnu": "4.1.2",
+    "@planu/core-linux-x64-musl": "4.1.2"
   },
   "engines": {
     "node": ">=24.0.0"
@@ -68,6 +68,7 @@
     "test:integration": "vitest run tests/integration",
     "check": "pnpm typecheck && pnpm lint && pnpm format:check",
     "check:strict": "pnpm typecheck && pnpm lint && pnpm format:check && pnpm audit:deadcode && pnpm audit:circular && pnpm audit:types && pnpm audit:security && pnpm audit:licenses && pnpm audit:i18n",
+    "check:deps:fresh": "bash scripts/check-dependency-freshness.sh",
     "audit:deadcode": "knip",
     "audit:circular": "madge --circular --extensions ts src/",
     "audit:types": "type-coverage --at-least 98 --ignore-catch --strict --ignore-files 'tests/**'",

package/dist/engine/escalator/index.d.ts

@@ -1,5 +0,0 @@
-export { RETRY_BUDGETS, nextDecision } from './policy.js';
-export { incrementCounter, readCounter, resetCounter } from './retry-counter.js';
-export type { RetryKey } from './retry-counter.js';
-export { withEscalation } from './with-escalation.js';
-//# sourceMappingURL=index.d.ts.map

package/dist/engine/escalator/index.js

@@ -1,5 +0,0 @@
-// engine/escalator/index.ts — SPEC-729: Public API re-exports
-export { RETRY_BUDGETS, nextDecision } from './policy.js';
-export { incrementCounter, readCounter, resetCounter } from './retry-counter.js';
-export { withEscalation } from './with-escalation.js';
-//# sourceMappingURL=index.js.map

package/dist/engine/freeze/retro-audit.d.ts

@@ -1,6 +0,0 @@
-import type { RetroAuditInput } from '../../types/index.js';
-/**
- * Record a retro-audit event for a frozen spec edit.
- */
-export declare function recordRetroAudit(input: RetroAuditInput): Promise<void>;
-//# sourceMappingURL=retro-audit.d.ts.map

package/dist/engine/freeze/retro-audit.js

@@ -1,24 +0,0 @@
-// engine/freeze/retro-audit.ts — SPEC-747: Append retro_audit entries to transition log
-import { appendTransitionEvent } from '../../storage/transition-log.js';
-/**
- * Record a retro-audit event for a frozen spec edit.
- */
-export async function recordRetroAudit(input) {
-    await appendTransitionEvent({
-        projectId: input.projectId,
-        specId: input.specId,
-        eventType: 'retro_audit',
-        from: 'done',
-        to: 'done',
-        actor: input.actor ?? 'system',
-        reason: input.reason,
-        sessionId: input.sessionId,
-        modelId: input.modelId,
-        meta: {
-            specVersionBefore: input.versionBefore,
-            specVersionAfter: input.versionAfter,
-            forceEdit: input.forceEdit ?? false,
-        },
-    });
-}
-//# sourceMappingURL=retro-audit.js.map

package/dist/engine/heal/backup.d.ts

@@ -1,9 +0,0 @@
-/**
- * Create a backup of `filePath` at `<filePath>.bak.<unix-ms>`.
- * Must be called BEFORE the atomic rename of the new content.
- *
- * @returns The backup file path.
- * @throws If the source file doesn't exist or the copy fails.
- */
-export declare function backupFile(filePath: string, timestampMs?: number): Promise<string>;
-//# sourceMappingURL=backup.d.ts.map

package/dist/engine/heal/backup.js

@@ -1,21 +0,0 @@
-// engine/heal/backup.ts — SPEC-745
-// Creates timestamped backup files before any tier-1 heal.
-import { copyFile } from 'node:fs/promises';
-import { existsSync } from 'node:fs';
-/**
- * Create a backup of `filePath` at `<filePath>.bak.<unix-ms>`.
- * Must be called BEFORE the atomic rename of the new content.
- *
- * @returns The backup file path.
- * @throws If the source file doesn't exist or the copy fails.
- */
-export async function backupFile(filePath, timestampMs) {
-    const ts = timestampMs ?? Date.now();
-    const backupPath = `${filePath}.bak.${ts}`;
-    if (!existsSync(filePath)) {
-        throw new Error(`Cannot backup non-existent file: ${filePath}`);
-    }
-    await copyFile(filePath, backupPath);
-    return backupPath;
-}
-//# sourceMappingURL=backup.js.map

package/dist/engine/idioma-validator/index.d.ts

@@ -1,17 +0,0 @@
-export type IdiomaVerdict = 'es' | 'en' | 'mixed' | 'unknown' | 'abstain';
-export interface IdiomaResult {
-    verdict: IdiomaVerdict;
-    reason?: string;
-    wordCount?: number;
-    esScore?: number;
-    enScore?: number;
-}
-/**
- * Detect the language of a spec's prose content.
- *
- * - Strips fenced code blocks before analysis.
- * - Abstains when prose word count is below 50 (SPEC-724: avoids noise on early drafts).
- * - Returns 'mixed' when both ES and EN markers exceed threshold.
- */
-export declare function detectIdioma(text: string): IdiomaResult;
-//# sourceMappingURL=index.d.ts.map

package/dist/engine/idioma-validator/index.js

@@ -1,89 +0,0 @@
-// engine/idioma-validator/index.ts — SPEC-724: Spanish/English mixing detector for spec prose.
-// Skips fenced code blocks and abstains when prose word count is below 50 words.
-import { stripFencedBlocks } from '../spec-format/text-fences.js';
-const SPANISH_MARKERS = [
-    'de',
-    'del',
-    'la',
-    'el',
-    'en',
-    'con',
-    'para',
-    'por',
-    'una',
-    'los',
-    'las',
-    'al',
-    'se',
-    'que',
-    'es',
-    'son',
-    'fue',
-    'está',
-    'este',
-    'esta',
-    'estos',
-    'estas',
-    'un',
-    'unos',
-    'unas',
-];
-const ENGLISH_MARKERS = [
-    'the',
-    'and',
-    'for',
-    'with',
-    'that',
-    'this',
-    'are',
-    'from',
-    'have',
-    'has',
-    'will',
-    'should',
-    'must',
-    'when',
-    'where',
-    'which',
-];
-/**
- * Detect the language of a spec's prose content.
- *
- * - Strips fenced code blocks before analysis.
- * - Abstains when prose word count is below 50 (SPEC-724: avoids noise on early drafts).
- * - Returns 'mixed' when both ES and EN markers exceed threshold.
- */
-export function detectIdioma(text) {
-    const prose = stripFencedBlocks(text);
-    const words = prose.split(/\s+/).filter(Boolean);
-    const wordCount = words.length;
-    // SPEC-724: abstain on short prose stubs — not enough signal for reliable detection
-    if (wordCount < 50) {
-        return { verdict: 'abstain', reason: 'INSUFFICIENT_PROSE', wordCount };
-    }
-    const lower = prose.toLowerCase();
-    const tokens = lower.split(/[\s\W]+/).filter((t) => t.length > 0);
-    const totalTokens = tokens.length || 1;
-    const esHits = tokens.filter((t) => SPANISH_MARKERS.includes(t)).length;
-    const enHits = tokens.filter((t) => ENGLISH_MARKERS.includes(t)).length;
-    const esScore = esHits / totalTokens;
-    const enScore = enHits / totalTokens;
-    const THRESHOLD = 0.03; // >3% hit rate = language present
-    const hasEs = esScore > THRESHOLD;
-    const hasEn = enScore > THRESHOLD;
-    let verdict;
-    if (hasEs && hasEn) {
-        verdict = 'mixed';
-    }
-    else if (hasEs) {
-        verdict = 'es';
-    }
-    else if (hasEn) {
-        verdict = 'en';
-    }
-    else {
-        verdict = 'unknown';
-    }
-    return { verdict, wordCount, esScore, enScore };
-}
-//# sourceMappingURL=index.js.map

package/dist/engine/saga/index.d.ts

@@ -1,4 +0,0 @@
-export { runSaga } from './cascade-saga.js';
-export { runTransitionCascadeSaga } from './transition-cascade.js';
-export type { TransitionCascadeCtx, TransitionCascadeResult } from '../../types/saga.js';
-//# sourceMappingURL=index.d.ts.map

package/dist/engine/saga/index.js

@@ -1,4 +0,0 @@
-// engine/saga/index.ts — SPEC-735: Saga barrel exports
-export { runSaga } from './cascade-saga.js';
-export { runTransitionCascadeSaga } from './transition-cascade.js';
-//# sourceMappingURL=index.js.map

package/dist/engine/spec-state-machine/index.d.ts

@@ -1,3 +0,0 @@
-export type { TransitionTrigger, TransitionContext, TransitionRecord } from './transition-spec.js';
-export { transitionSpec } from './transition-spec.js';
-//# sourceMappingURL=index.d.ts.map

package/dist/engine/spec-state-machine/index.js

@@ -1,2 +0,0 @@
-export { transitionSpec } from './transition-spec.js';
-//# sourceMappingURL=index.js.map

package/dist/engine/spec-summary-html/dashboard-renderer.d.ts

@@ -1,6 +0,0 @@
-import type { Spec } from '../../types/index.js';
-export declare function getInlineCss(): string;
-export declare function getInlineScript(): string;
-/** Generate the full dashboard HTML document. */
-export declare function generateDashboardHtml(specs: Spec[], availablePages?: string[]): string;
-//# sourceMappingURL=dashboard-renderer.d.ts.map