@rainy-updates/cli 0.4.4 → 0.5.0-rc.2

package/CHANGELOG.md

@@ -2,6 +2,74 @@
 
 All notable changes to this project are documented in this file.
 
+## [0.5.0-rc.2] - 2026-02-27
+
+### Added
+
+- New fix-PR automation flags for CI branch workflows:
+  - `--fix-pr`
+  - `--fix-branch <name>`
+  - `--fix-commit-message <text>`
+  - `--fix-dry-run`
+  - `--no-pr-report`
+- New summary metadata for fix-PR execution:
+  - `fixPrApplied`
+  - `fixBranchName`
+  - `fixCommitSha`
+- New GitHub output values for fix-PR state:
+  - `fix_pr_applied`
+  - `fix_pr_branch`
+  - `fix_pr_commit`
+- Added command-specific help output for `check --help`.
+
+### Changed
+
+- `check --fix-pr` now executes update application flow to support branch+commit automation without requiring `upgrade`.
+- Default PR report path is auto-assigned when `--fix-pr` is enabled: `.artifacts/deps-report.md`.
+- CLI path-like options are resolved against the final effective `--cwd` value (stable behavior when option order varies).
+- Workspace discovery now supports recursive patterns (`**`) and negated patterns (`!pattern`) with safer directory traversal defaults.
+- Registry resolution now loads `.npmrc` scope mappings (`@scope:registry=...`) from user and project config.
+
+### Fixed
+
+- Prevented stale output contracts by writing fix-PR metadata into JSON/GitHub/SARIF artifact flow after git automation is resolved.
+
+### Tests
+
+- Added parser tests for fix-PR flags and final-cwd path resolution.
+- Added workspace discovery coverage for recursive and negated patterns.
+- Added fix-PR dry-run workflow test in temporary git repos.
+- Extended GitHub output tests for new fix-PR keys.
+
+## [0.5.0-rc.1] - 2026-02-27
+
+### Added
+
+- New CI rollout controls:
+  - `--fail-on none|patch|minor|major|any`
+  - `--max-updates <n>`
+- New baseline workflow command:
+  - `baseline --save --file <path>` to snapshot dependency state
+  - `baseline --check --file <path>` to detect dependency drift
+- New `init-ci --mode enterprise` template:
+  - Node runtime matrix (`20`, `22`)
+  - stricter default permissions
+  - artifact retention policy
+  - built-in rollout gate flags (`--fail-on`, `--max-updates`)
+
+### Changed
+
+- Dependency target selection now evaluates available package versions from registry metadata, improving `patch|minor|major` accuracy.
+- CLI parser now rejects unknown options and missing option values with explicit errors (safer CI behavior).
+- SARIF output now reports the actual package version dynamically.
+
+### Tests
+
+- Added baseline snapshot/diff tests.
+- Added enterprise workflow generation tests.
+- Added semver target selection tests using available version sets.
+- Added parser tests for baseline command, rollout flags, and unknown option rejection.
+
 ## [0.4.4] - 2026-02-27
 
 ### Changed

package/README.md

@@ -25,6 +25,7 @@ pnpm add -D @rainy-updates/cli
 - `check`: analyze dependencies and report available updates.
 - `upgrade`: rewrite dependency ranges in manifests, optionally install lockfile updates.
 - `warm-cache`: prefetch package metadata for fast and offline checks.
+- `baseline`: save and compare dependency baseline snapshots.
 
 ## Quick usage
 
@@ -38,9 +39,16 @@ npx @rainy-updates/cli check --workspace --ci --format json --json-file .artifac
 # 3) Apply upgrades with workspace sync
 npx @rainy-updates/cli upgrade --target latest --workspace --sync --install
 
+# 3b) Generate a fix branch + commit for CI automation
+npx @rainy-updates/cli check --workspace --fix-pr --fix-branch chore/rainy-updates
+
 # 4) Warm cache for deterministic offline checks
 npx @rainy-updates/cli warm-cache --workspace --concurrency 32
 npx @rainy-updates/cli check --workspace --offline --ci
+
+# 5) Save and compare baseline drift in CI
+npx @rainy-updates/cli baseline --save --file .artifacts/deps-baseline.json --workspace
+npx @rainy-updates/cli baseline --check --file .artifacts/deps-baseline.json --workspace --ci
 ```
 
 ## What it does in production
@@ -108,7 +116,7 @@ Generate a workflow in the target project automatically:
 
 ```bash
 # strict mode (recommended)
-npx @rainy-updates/cli init-ci --mode strict --schedule weekly
+npx @rainy-updates/cli init-ci --mode enterprise --schedule weekly
 
 # lightweight mode
 npx @rainy-updates/cli init-ci --mode minimal --schedule daily
@@ -121,6 +129,7 @@ Generated file:
 Modes:
 
 - `strict`: warm-cache + offline check + artifacts + SARIF upload.
+- `enterprise`: strict checks + runtime matrix + retention policy + rollout gates.
 - `minimal`: fast check-only workflow for quick adoption.
 
 Schedule:
@@ -140,12 +149,19 @@ Schedule:
 - `--concurrency <n>`
 - `--cache-ttl <seconds>`
 - `--offline`
+- `--fail-on none|patch|minor|major|any`
+- `--max-updates <n>`
 - `--policy-file <path>`
 - `--format table|json|minimal|github`
 - `--json-file <path>`
 - `--github-output <path>`
 - `--sarif-file <path>`
 - `--pr-report-file <path>`
+- `--fix-pr`
+- `--fix-branch <name>`
+- `--fix-commit-message <text>`
+- `--fix-dry-run`
+- `--no-pr-report`
 - `--ci`
 
 ### Upgrade-only
@@ -154,6 +170,12 @@ Schedule:
 - `--pm auto|npm|pnpm`
 - `--sync`
 
+### Baseline-only
+
+- `--save`
+- `--check`
+- `--file <path>`
+
 ## Config support
 
 Configuration can be loaded from:
@@ -175,6 +197,7 @@ rainy-updates --version
 - Node.js 20+ runtime.
 - Works with npm and pnpm workflows.
 - Uses optional `undici` pool path for high-throughput HTTP.
+- Reads `.npmrc` default and scoped registries for private package environments.
 - Cache-first architecture for speed and resilience.
 
 ## CI/CD included

package/dist/bin/cli.js

@@ -8,6 +8,8 @@ import { check } from "../core/check.js";
 import { upgrade } from "../core/upgrade.js";
 import { warmCache } from "../core/warm-cache.js";
 import { initCiWorkflow } from "../core/init-ci.js";
+import { diffBaseline, saveBaseline } from "../core/baseline.js";
+import { applyFixPr } from "../core/fix-pr.js";
 import { renderResult } from "../output/format.js";
 import { writeGitHubOutput } from "../output/github.js";
 import { createSarifReport } from "../output/sarif.js";
@@ -34,22 +36,47 @@ async function main() {
                 : `CI workflow already exists at ${workflow.path}. Use --force to overwrite.\n`);
             return;
         }
-        const result = parsed.command === "upgrade"
-            ? await upgrade(parsed.options)
-            : parsed.command === "warm-cache"
-                ? await warmCache(parsed.options)
-                : await check(parsed.options);
-        const rendered = renderResult(result, parsed.options.format);
-        process.stdout.write(rendered + "\n");
-        if (parsed.options.jsonFile) {
-            await fs.mkdir(path.dirname(parsed.options.jsonFile), { recursive: true });
-            await fs.writeFile(parsed.options.jsonFile, JSON.stringify(result, null, 2) + "\n", "utf8");
+        if (parsed.command === "baseline") {
+            if (parsed.options.action === "save") {
+                const saved = await saveBaseline(parsed.options);
+                process.stdout.write(`Saved baseline at ${saved.filePath} (${saved.entries} entries)\n`);
+                return;
+            }
+            const diff = await diffBaseline(parsed.options);
+            const changes = diff.added.length + diff.removed.length + diff.changed.length;
+            if (changes === 0) {
+                process.stdout.write(`No baseline drift detected (${diff.filePath}).\n`);
+                return;
+            }
+            process.stdout.write(`Baseline drift detected (${diff.filePath}).\n`);
+            if (diff.added.length > 0) {
+                process.stdout.write(`Added: ${diff.added.length}\n`);
+            }
+            if (diff.removed.length > 0) {
+                process.stdout.write(`Removed: ${diff.removed.length}\n`);
+            }
+            if (diff.changed.length > 0) {
+                process.stdout.write(`Changed: ${diff.changed.length}\n`);
+            }
+            process.exitCode = 1;
+            return;
         }
+        const result = await runCommand(parsed);
         if (parsed.options.prReportFile) {
             const markdown = renderPrReport(result);
             await fs.mkdir(path.dirname(parsed.options.prReportFile), { recursive: true });
             await fs.writeFile(parsed.options.prReportFile, markdown + "\n", "utf8");
         }
+        if (parsed.options.fixPr && (parsed.command === "check" || parsed.command === "upgrade")) {
+            const fixResult = await applyFixPr(parsed.options, result, parsed.options.prReportFile ? [parsed.options.prReportFile] : []);
+            result.summary.fixPrApplied = fixResult.applied;
+            result.summary.fixBranchName = fixResult.branchName;
+            result.summary.fixCommitSha = fixResult.commitSha;
+        }
+        if (parsed.options.jsonFile) {
+            await fs.mkdir(path.dirname(parsed.options.jsonFile), { recursive: true });
+            await fs.writeFile(parsed.options.jsonFile, JSON.stringify(result, null, 2) + "\n", "utf8");
+        }
         if (parsed.options.githubOutputFile) {
             await writeGitHubOutput(parsed.options.githubOutputFile, result);
         }
@@ -58,13 +85,9 @@ async function main() {
             await fs.mkdir(path.dirname(parsed.options.sarifFile), { recursive: true });
             await fs.writeFile(parsed.options.sarifFile, JSON.stringify(sarif, null, 2) + "\n", "utf8");
         }
-        if (parsed.options.ci && result.updates.length > 0) {
-            process.exitCode = 1;
-            return;
-        }
-        if (result.errors.length > 0) {
-            process.exitCode = 2;
-        }
+        const rendered = renderResult(result, parsed.options.format);
+        process.stdout.write(rendered + "\n");
+        process.exitCode = resolveExitCode(result, parsed.options.failOn, parsed.options.maxUpdates, parsed.options.ci);
     }
     catch (error) {
         process.stderr.write(`rainy-updates: ${String(error)}\n`);
@@ -74,6 +97,34 @@ async function main() {
 void main();
 function renderHelp(command) {
     const isCommand = command && !command.startsWith("-");
+    if (isCommand && command === "check") {
+        return `rainy-updates check [options]
+
+Detect available dependency updates.
+
+Options:
+  --workspace
+  --target patch|minor|major|latest
+  --filter <pattern>
+  --reject <pattern>
+  --dep-kinds deps,dev,optional,peer
+  --concurrency <n>
+  --cache-ttl <seconds>
+  --policy-file <path>
+  --offline
+  --fix-pr
+  --fix-branch <name>
+  --fix-commit-message <text>
+  --fix-dry-run
+  --no-pr-report
+  --json-file <path>
+  --github-output <path>
+  --sarif-file <path>
+  --pr-report-file <path>
+  --fail-on none|patch|minor|major|any
+  --max-updates <n>
+  --ci`;
+    }
     if (isCommand && command === "warm-cache") {
         return `rainy-updates warm-cache [options]
 
@@ -106,6 +157,11 @@ Options:
   --target patch|minor|major|latest
   --policy-file <path>
   --concurrency <n>
+  --fix-pr
+  --fix-branch <name>
+  --fix-commit-message <text>
+  --fix-dry-run
+  --no-pr-report
   --json-file <path>
   --pr-report-file <path>`;
     }
@@ -117,8 +173,21 @@ Create a GitHub Actions workflow template at:
 
 Options:
   --force
-  --mode minimal|strict
+  --mode minimal|strict|enterprise
   --schedule weekly|daily|off`;
+    }
+    if (isCommand && command === "baseline") {
+        return `rainy-updates baseline [options]
+
+Save or compare dependency baseline snapshots.
+
+Options:
+  --save
+  --check
+  --file <path>
+  --workspace
+  --dep-kinds deps,dev,optional,peer
+  --ci`;
     }
     return `rainy-updates <command> [options]
 
@@ -127,6 +196,7 @@ Commands:
   upgrade     Apply updates to manifests
   warm-cache  Warm local cache for fast/offline checks
   init-ci     Scaffold GitHub Actions workflow
+  baseline    Save/check dependency baseline snapshots
 
 Global options:
   --cwd <path>
@@ -138,6 +208,13 @@ Global options:
   --sarif-file <path>
   --pr-report-file <path>
   --policy-file <path>
+  --fail-on none|patch|minor|major|any
+  --max-updates <n>
+  --fix-pr
+  --fix-branch <name>
+  --fix-commit-message <text>
+  --fix-dry-run
+  --no-pr-report
   --concurrency <n>
   --cache-ttl <seconds>
   --offline
@@ -145,6 +222,24 @@ Global options:
   --help, -h
   --version, -v`;
 }
+async function runCommand(parsed) {
+    if (parsed.command === "upgrade") {
+        return await upgrade(parsed.options);
+    }
+    if (parsed.command === "warm-cache") {
+        return await warmCache(parsed.options);
+    }
+    if (parsed.options.fixPr) {
+        const upgradeOptions = {
+            ...parsed.options,
+            install: false,
+            packageManager: "auto",
+            sync: false,
+        };
+        return await upgrade(upgradeOptions);
+    }
+    return await check(parsed.options);
+}
 async function readPackageVersion() {
     const currentFile = fileURLToPath(import.meta.url);
     const packageJsonPath = path.resolve(path.dirname(currentFile), "../../package.json");
@@ -152,3 +247,22 @@ async function readPackageVersion() {
     const parsed = JSON.parse(content);
     return parsed.version ?? "0.0.0";
 }
+function resolveExitCode(result, failOn, maxUpdates, ciMode) {
+    if (result.errors.length > 0)
+        return 2;
+    if (typeof maxUpdates === "number" && result.updates.length > maxUpdates)
+        return 1;
+    const effectiveFailOn = failOn && failOn !== "none" ? failOn : ciMode ? "any" : "none";
+    if (!shouldFailForUpdates(result.updates, effectiveFailOn))
+        return 0;
+    return 1;
+}
+function shouldFailForUpdates(updates, failOn) {
+    if (failOn === "none")
+        return false;
+    if (failOn === "any" || failOn === "patch")
+        return updates.length > 0;
+    if (failOn === "minor")
+        return updates.some((update) => update.diffType === "minor" || update.diffType === "major");
+    return updates.some((update) => update.diffType === "major");
+}

package/dist/cache/cache.d.ts

@@ -5,5 +5,5 @@ export declare class VersionCache {
     static create(customPath?: string): Promise<VersionCache>;
     getValid(packageName: string, target: TargetLevel): Promise<CachedVersion | null>;
     getAny(packageName: string, target: TargetLevel): Promise<CachedVersion | null>;
-    set(packageName: string, target: TargetLevel, latestVersion: string, ttlSeconds: number): Promise<void>;
+    set(packageName: string, target: TargetLevel, latestVersion: string, availableVersions: string[], ttlSeconds: number): Promise<void>;
 }

package/dist/cache/cache.js

@@ -9,7 +9,13 @@ class FileCacheStore {
     async get(packageName, target) {
         const entries = await this.readEntries();
         const key = this.getKey(packageName, target);
-        return entries[key] ?? null;
+        const entry = entries[key];
+        if (!entry)
+            return null;
+        return {
+            ...entry,
+            availableVersions: Array.isArray(entry.availableVersions) ? entry.availableVersions : [entry.latestVersion],
+        };
     }
     async set(entry) {
         const entries = await this.readEntries();
@@ -39,31 +45,63 @@ class SqliteCacheStore {
         package_name TEXT NOT NULL,
         target TEXT NOT NULL,
         latest_version TEXT NOT NULL,
+        available_versions TEXT NOT NULL,
         fetched_at INTEGER NOT NULL,
         ttl_seconds INTEGER NOT NULL,
         PRIMARY KEY (package_name, target)
       );
     `);
+        this.ensureSchema();
     }
     async get(packageName, target) {
-        const row = this.db
-            .prepare(`SELECT package_name, target, latest_version, fetched_at, ttl_seconds FROM versions WHERE package_name = ? AND target = ?`)
-            .get(packageName, target);
+        let row;
+        try {
+            row = this.db
+                .prepare(`SELECT package_name, target, latest_version, available_versions, fetched_at, ttl_seconds FROM versions WHERE package_name = ? AND target = ?`)
+                .get(packageName, target);
+        }
+        catch {
+            row = this.db
+                .prepare(`SELECT package_name, target, latest_version, fetched_at, ttl_seconds FROM versions WHERE package_name = ? AND target = ?`)
+                .get(packageName, target);
+        }
         if (!row)
             return null;
         return {
             packageName: row.package_name,
             target: row.target,
             latestVersion: row.latest_version,
+            availableVersions: parseJsonArray(row.available_versions ?? row.latest_version, row.latest_version),
             fetchedAt: row.fetched_at,
             ttlSeconds: row.ttl_seconds,
         };
     }
     async set(entry) {
-        this.db
-            .prepare(`INSERT OR REPLACE INTO versions (package_name, target, latest_version, fetched_at, ttl_seconds)
-         VALUES (?, ?, ?, ?, ?)`)
-            .run(entry.packageName, entry.target, entry.latestVersion, entry.fetchedAt, entry.ttlSeconds);
+        try {
+            this.db
+                .prepare(`INSERT OR REPLACE INTO versions (package_name, target, latest_version, available_versions, fetched_at, ttl_seconds)
+           VALUES (?, ?, ?, ?, ?, ?)`)
+                .run(entry.packageName, entry.target, entry.latestVersion, JSON.stringify(entry.availableVersions), entry.fetchedAt, entry.ttlSeconds);
+        }
+        catch {
+            this.db
+                .prepare(`INSERT OR REPLACE INTO versions (package_name, target, latest_version, fetched_at, ttl_seconds)
+           VALUES (?, ?, ?, ?, ?)`)
+                .run(entry.packageName, entry.target, entry.latestVersion, entry.fetchedAt, entry.ttlSeconds);
+        }
+    }
+    ensureSchema() {
+        try {
+            const columns = this.db.prepare("PRAGMA table_info(versions);").all();
+            const hasAvailableVersions = columns.some((column) => column.name === "available_versions");
+            if (!hasAvailableVersions) {
+                this.db.exec("ALTER TABLE versions ADD COLUMN available_versions TEXT;");
+            }
+            this.db.exec("UPDATE versions SET available_versions = latest_version WHERE available_versions IS NULL;");
+        }
+        catch {
+            // Best-effort migration.
+        }
     }
 }
 export class VersionCache {
@@ -92,11 +130,12 @@ export class VersionCache {
     async getAny(packageName, target) {
         return this.store.get(packageName, target);
     }
-    async set(packageName, target, latestVersion, ttlSeconds) {
+    async set(packageName, target, latestVersion, availableVersions, ttlSeconds) {
         await this.store.set({
             packageName,
             target,
             latestVersion,
+            availableVersions,
             fetchedAt: Date.now(),
             ttlSeconds,
         });
@@ -115,3 +154,17 @@ async function tryCreateSqliteStore(dbPath) {
     }
     return null;
 }
+function parseJsonArray(raw, fallback) {
+    if (typeof raw !== "string")
+        return [fallback];
+    try {
+        const parsed = JSON.parse(raw);
+        if (!Array.isArray(parsed))
+            return [fallback];
+        const values = parsed.filter((value) => typeof value === "string");
+        return values.length > 0 ? values : [fallback];
+    }
+    catch {
+        return [fallback];
+    }
+}

package/dist/config/loader.d.ts

@@ -1,4 +1,4 @@
-import type { DependencyKind, OutputFormat, TargetLevel } from "../types/index.js";
+import type { DependencyKind, FailOnLevel, OutputFormat, TargetLevel } from "../types/index.js";
 export interface FileConfig {
     target?: TargetLevel;
     filter?: string;
@@ -15,6 +15,13 @@ export interface FileConfig {
     offline?: boolean;
     policyFile?: string;
     prReportFile?: string;
+    failOn?: FailOnLevel;
+    maxUpdates?: number;
+    fixPr?: boolean;
+    fixBranch?: string;
+    fixCommitMessage?: string;
+    fixDryRun?: boolean;
+    noPrReport?: boolean;
     install?: boolean;
     packageManager?: "auto" | "npm" | "pnpm";
     sync?: boolean;

package/dist/core/baseline.d.ts

@@ -0,0 +1,23 @@
+import type { BaselineOptions, DependencyKind } from "../types/index.js";
+interface BaselineEntry {
+    packagePath: string;
+    kind: DependencyKind;
+    name: string;
+    range: string;
+}
+export interface BaselineSaveResult {
+    filePath: string;
+    entries: number;
+}
+export interface BaselineDiffResult {
+    filePath: string;
+    added: BaselineEntry[];
+    removed: BaselineEntry[];
+    changed: Array<{
+        before: BaselineEntry;
+        after: BaselineEntry;
+    }>;
+}
+export declare function saveBaseline(options: BaselineOptions): Promise<BaselineSaveResult>;
+export declare function diffBaseline(options: BaselineOptions): Promise<BaselineDiffResult>;
+export {};

package/dist/core/baseline.js

@@ -0,0 +1,72 @@
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { collectDependencies, readManifest } from "../parsers/package-json.js";
+import { discoverPackageDirs } from "../workspace/discover.js";
+export async function saveBaseline(options) {
+    const entries = await collectBaselineEntries(options.cwd, options.workspace, options.includeKinds);
+    const payload = {
+        version: 1,
+        createdAt: new Date().toISOString(),
+        entries,
+    };
+    await fs.mkdir(path.dirname(options.filePath), { recursive: true });
+    await fs.writeFile(options.filePath, JSON.stringify(payload, null, 2) + "\n", "utf8");
+    return {
+        filePath: options.filePath,
+        entries: entries.length,
+    };
+}
+export async function diffBaseline(options) {
+    const content = await fs.readFile(options.filePath, "utf8");
+    const baseline = JSON.parse(content);
+    const currentEntries = await collectBaselineEntries(options.cwd, options.workspace, options.includeKinds);
+    const baselineMap = new Map(baseline.entries.map((entry) => [toKey(entry), entry]));
+    const currentMap = new Map(currentEntries.map((entry) => [toKey(entry), entry]));
+    const added = [];
+    const removed = [];
+    const changed = [];
+    for (const [key, current] of currentMap) {
+        const base = baselineMap.get(key);
+        if (!base) {
+            added.push(current);
+            continue;
+        }
+        if (base.range !== current.range) {
+            changed.push({ before: base, after: current });
+        }
+    }
+    for (const [key, base] of baselineMap) {
+        if (!currentMap.has(key)) {
+            removed.push(base);
+        }
+    }
+    return {
+        filePath: options.filePath,
+        added: sortEntries(added),
+        removed: sortEntries(removed),
+        changed: changed.sort((a, b) => toKey(a.after).localeCompare(toKey(b.after))),
+    };
+}
+async function collectBaselineEntries(cwd, workspace, includeKinds) {
+    const packageDirs = await discoverPackageDirs(cwd, workspace);
+    const entries = [];
+    for (const packageDir of packageDirs) {
+        const manifest = await readManifest(packageDir);
+        const deps = collectDependencies(manifest, includeKinds);
+        for (const dep of deps) {
+            entries.push({
+                packagePath: path.relative(cwd, packageDir) || ".",
+                kind: dep.kind,
+                name: dep.name,
+                range: dep.range,
+            });
+        }
+    }
+    return sortEntries(entries);
+}
+function toKey(entry) {
+    return `${entry.packagePath}::${entry.kind}::${entry.name}`;
+}
+function sortEntries(entries) {
+    return [...entries].sort((a, b) => toKey(a).localeCompare(toKey(b)));
+}