@rainy-updates/cli 0.5.6 → 0.6.0

package/CHANGELOG.md

@@ -2,6 +2,139 @@
 
 All notable changes to this project are documented in this file.
 
+## [0.6.0] - 2026-03-01
+
+Dashboard-first release candidate for the `v0.6` series, focused on unifying the interactive surface, introducing replayable decision plans, tightening CI/apply verification flows, and undergoing a complete native Bun performance optimization.
+
+### Added
+
+- **Decision plan artifact flow**:
+  - new deterministic decision plan model for reviewed update sets,
+  - reusable `.artifacts/decision-plan.json` workflow,
+  - `upgrade --from-plan <path>` replay support,
+  - additive summary/output metadata for:
+    - `suggestedCommand`,
+    - `decisionPlan`,
+    - `interactiveSurface`,
+    - `queueFocus`.
+- **Verification flow for applied plans and upgrades**:
+  - `--verify none|install|test|install,test`,
+  - `--test-command "<cmd>"`,
+  - `--verification-report-file <path>`,
+  - additive verification metadata in summary and GitHub/metrics outputs:
+    - `verificationState`,
+    - `verificationFailures`.
+- **New CI gate model**:
+  - `ci --gate check|doctor|review|upgrade`,
+  - review gate emits a decision plan artifact without mutating manifests,
+  - upgrade gate replays a prior decision plan and can run verification.
+- **New verification core** under `src/core/verification.ts`.
+- **New decision plan core** under `src/core/decision-plan.ts`.
+- **New test coverage** for:
+  - decision plan serialization and replay,
+  - CI upgrade gate plan replay,
+  - verification report generation.
+
+- **Native Bun Optimizations**:
+  - Bun is now the primary Rainy runtime path for local execution, CI templates, and release verification flows.
+  - Added a shared Bun-first runtime layer for cwd/env/stdout/stderr/exit handling across the CLI command surface.
+  - Migrated verification and package-manager-aware test execution onto `Bun.spawn`, while keeping npm, pnpm, Bun, and yarn target-repo support intact.
+  - Migrated internal hot-path file operations onto `Bun.file()`, `Bun.write()`, `Bun.Glob`, and `Bun.CryptoHasher` across workspace discovery, lockfile hashing, snapshot persistence, audit target resolution, changelog cache reads, and CLI/package metadata loading.
+  - Added real atomic file writes for Rainy-managed artifacts, reports, caches, baselines, and snapshot restore paths.
+  - Added native `build:exe` target compilation for standalone Bun-first distributions using `bun build --compile`.
+
+### Changed
+
+- `dashboard` is now the primary interactive dependency decision surface.
+- `review --interactive` now routes into the shared dashboard flow instead of maintaining a separate interactive implementation path.
+- `doctor` now recommends dashboard-first next steps:
+  - `rup dashboard --mode review`
+  - `rup dashboard --mode review --focus security`
+  - `rup dashboard --mode review --focus blocked`
+- CLI help and README now document:
+  - `dashboard` as the primary interactive workflow,
+  - `upgrade --from-plan`,
+  - `ci --gate ...`,
+  - verification and verification-report flows,
+  - Bun as the preferred Rainy runtime via `bunx --bun` and compiled Bun artifacts.
+- `init-ci` generated workflows now:
+  - use Bun as the Rainy runtime by default,
+  - use explicit CI gates,
+  - emit a decision plan artifact in strict and enterprise modes,
+  - replay approved plans with verification in enterprise mode,
+  - align install and test commands with detected npm, pnpm, or Bun target repos.
+- Artifact manifests now include verification report output paths when configured.
+- Package-manager detection and verification defaults now treat Bun as a first-class package ecosystem instead of falling back to npm/pnpm-only assumptions.
+- GA readiness checks now validate both the JS dist CLI and the compiled Bun runtime artifact.
+
+### Removed
+
+- Removed the legacy standalone dashboard Ink/store implementation under `src/ui/dashboard/` in favor of a single shared interactive path.
+- Removed the remaining explicit `node:process` imports from the main CLI command surface in favor of the shared runtime layer.
+- Removed manual recursive workspace directory walking in favor of Bun-native glob expansion.
+
+### Tests
+
+- Added coverage for:
+  - `dashboard` parser support for mode/focus/plan/verification flags,
+  - additive GitHub output fields for decision-plan and verification metadata,
+  - updated CI bootstrap templates for review/upgrade gates,
+  - Bun-aware package-manager detection and verification defaults,
+  - GA runtime-artifact readiness checks,
+  - Bun-glob workspace discovery with hidden-directory and `node_modules` exclusions.
+
+## [0.5.7] - 2026-03-01
+
+Final stabilization release for the `v0.5` series, focused on modularization, doctor scan quality, and maintainability.
+
+### Added
+
+- **Doctor scan upgrades inspired by high-level audit CLIs**:
+  - normalized doctor findings with categories and severities,
+  - deterministic dependency health score (`0-100`),
+  - score labels and next-action reasoning,
+  - agent-oriented doctor output via `doctor --agent-report`.
+- **New modular doctor core** under `src/core/doctor/`:
+  - findings derivation,
+  - score calculation,
+  - result assembly,
+  - rendering.
+- **New modular analysis helpers** under `src/core/analysis/`:
+  - analysis option adapters,
+  - review item enrichment,
+  - silenced runner wrapper.
+- **New CLI seam modules**:
+  - `src/bin/dispatch.ts`
+  - `src/bin/help.ts`
+  - `src/core/review-verdict.ts`
+- **New help coverage** in `tests/help.test.ts`.
+
+### Changed
+
+- `doctor` now behaves as a stronger high-level scan surface:
+  - `State`
+  - `Score`
+  - `PrimaryRisk`
+  - `NextAction`
+  - `NextActionReason`
+- Summary and machine outputs now carry additive doctor metadata:
+  - `dependencyHealthScore`,
+  - `findingCountsByCategory`,
+  - `findingCountsBySeverity`,
+  - `primaryFindingCode`,
+  - `primaryFindingCategory`,
+  - `nextActionReason`.
+- GitHub output, SARIF, and human-readable metrics/table output now expose the new doctor summary fields additively.
+- `src/core/review-model.ts` was reduced to review aggregation responsibilities, with doctor logic extracted into focused modules.
+- `src/core/analysis-bundle.ts` was reduced to a thin coordinator, with item enrichment and option adaptation moved into dedicated modules.
+- `src/bin/cli.ts` was simplified by extracting command dispatch and help rendering into standalone modules.
+
+### Tests
+
+- Added coverage for doctor score/findings behavior and agent report rendering.
+- Added coverage for new GitHub output and SARIF fields.
+- Added help rendering coverage after extracting CLI help into its own module.
+
 ## [0.5.6] - 2026-03-01
 
 GA readiness, shared analysis plumbing, and richer review operations.

package/README.md

@@ -29,6 +29,7 @@ Rainy Updates gives teams one dependency lifecycle:
 - `check` detects candidate updates.
 - `doctor` summarizes the current situation.
 - `review` decides what should happen.
+- `dashboard` is the primary interactive decision surface.
 - `upgrade` applies the approved change set.
 
 Everything else supports that lifecycle: CI orchestration, advisory lookup, peer resolution, licenses, snapshots, baselines, and fix-PR automation.
@@ -43,16 +44,16 @@ Everything else supports that lifecycle: CI orchestration, advisory lookup, peer
 
 ```bash
 # 1) Detect what changed
-npx @rainy-updates/cli check --workspace --show-impact
+bunx --bun @rainy-updates/cli check --workspace --show-impact
 
 # 2) Summarize what matters
-npx @rainy-updates/cli doctor --workspace
+bunx --bun @rainy-updates/cli doctor --workspace
 
-# 3) Decide in the review surface
-npx @rainy-updates/cli review --interactive
+# 3) Decide in the dashboard
+bunx --bun @rainy-updates/cli dashboard --mode review --plan-file .artifacts/decision-plan.json
 
-# 4) Apply the approved set
-npx @rainy-updates/cli upgrade --interactive
+# 4) Apply the approved plan
+bunx --bun @rainy-updates/cli upgrade --from-plan .artifacts/decision-plan.json
 ```
 
 ## Why teams use it
@@ -67,10 +68,15 @@ npx @rainy-updates/cli upgrade --interactive
 ## Install
 
 ```bash
+# Preferred: run with Bun's runtime directly
+bunx --bun @rainy-updates/cli check
+
 # As a project dev dependency (recommended for teams)
 npm install --save-dev @rainy-updates/cli
 # or
 pnpm add -D @rainy-updates/cli
+# or
+bun add -d @rainy-updates/cli
 ```
 
 Once installed, three binary aliases are available in your `node_modules/.bin/`:
@@ -88,16 +94,25 @@ rainy-up check
 rainy-updates check
 ```
 
-### One-off usage with npx (no install required)
+### Bun-first runtime
 
 ```bash
-# Always works without installing:
+# Preferred no-install path:
+bunx --bun @rainy-updates/cli check
+bunx --bun @rainy-updates/cli audit --severity high
+bunx --bun @rainy-updates/cli ci --workspace --mode strict
+```
+
+### One-off usage with npx (compatibility path)
+
+```bash
+# Compatibility path when Bun is not available:
 npx @rainy-updates/cli check
 npx @rainy-updates/cli audit --severity high
 npx @rainy-updates/cli ci --workspace --mode strict
 ```
 
-> **Note:** The short aliases (`rup`, `rainy-up`) only work after installing the package. For one-off `npx` runs, use `npx @rainy-updates/cli <command>`.
+> **Note:** Rainy is Bun-first at runtime. `bunx --bun @rainy-updates/cli ...` is the fastest no-install path. The npm package and `npx` remain supported compatibility paths.
 
 ## Commands
 
@@ -106,6 +121,7 @@ npx @rainy-updates/cli ci --workspace --mode strict
 - `check` — detect candidate dependency updates
 - `doctor` — summarize the current dependency situation
 - `review` — decide what to do with security, risk, peer, and policy context
+- `dashboard` — open the primary interactive decision console
 - `upgrade` — apply the approved change set
 - `ga` — audit GA and CI readiness for the current checkout
 
@@ -123,71 +139,108 @@ npx @rainy-updates/cli ci --workspace --mode strict
 
 ## Quick usage
 
-> Commands work with `npx` (no install) **or** with the `rup` / `rainy-up` shortcut if the package is installed.
+> Commands work with `bunx --bun`, with `npx` as a compatibility path, or with the `rup` / `rainy-up` shortcut if the package is installed.
 
 ```bash
 # 1) Detect updates
+bunx --bun @rainy-updates/cli check --format table
 npx @rainy-updates/cli check --format table
 rup check --format table                      # if installed
 
 # 2) Summarize the state
-npx @rainy-updates/cli doctor --workspace
+bunx --bun @rainy-updates/cli doctor --workspace
 rup doctor --workspace
 
 # 3) Review and decide
-npx @rainy-updates/cli review --security-only
-rup review --interactive
+bunx --bun @rainy-updates/cli review --security-only
+rup dashboard --mode review --plan-file .artifacts/decision-plan.json
 rup review --show-changelog
 
-# 4) Apply upgrades with workspace sync
-npx @rainy-updates/cli upgrade --target latest --workspace --sync --install
-rup upgrade --target latest --workspace --sync --install
+# 4) Apply an approved decision plan with verification
+bunx --bun @rainy-updates/cli upgrade --from-plan .artifacts/decision-plan.json --verify install,test --test-command "bun test"
+rup upgrade --from-plan .artifacts/decision-plan.json --verify install,test --test-command "npm test"
 
 # 5) CI orchestration with policy gates
-npx @rainy-updates/cli ci --workspace --mode strict --format github
-rup ci --workspace --mode strict --format github
+bunx --bun @rainy-updates/cli ci --workspace --mode strict --gate review --plan-file .artifacts/decision-plan.json --format github
+rup ci --workspace --mode strict --gate review --plan-file .artifacts/decision-plan.json --format github
+
+# 6) Replay an approved plan in CI
+rup ci --workspace --mode strict --gate upgrade --from-plan .artifacts/decision-plan.json --verify test --test-command "npm test"
 
-# 6) Batch fix branches by scope (enterprise)
+# 7) Batch fix branches by scope (enterprise)
 npx @rainy-updates/cli ci --workspace --mode enterprise --group-by scope --fix-pr --fix-pr-batch-size 2
 rup ci --workspace --mode enterprise --group-by scope --fix-pr --fix-pr-batch-size 2
 
-# 7) Warm cache → deterministic offline CI check
+# 8) Warm cache -> deterministic offline CI check
 npx @rainy-updates/cli warm-cache --workspace --concurrency 32
 npx @rainy-updates/cli check --workspace --offline --ci
 
-# 8) Save and compare baseline drift
+# 9) Save and compare baseline drift
 npx @rainy-updates/cli baseline --save --file .artifacts/deps-baseline.json --workspace
 npx @rainy-updates/cli baseline --check --file .artifacts/deps-baseline.json --workspace --ci
 
-# 9) Scan for known CVEs
+# 10) Scan for known CVEs
 npx @rainy-updates/cli audit
 npx @rainy-updates/cli audit --severity high
 npx @rainy-updates/cli audit --summary
 npx @rainy-updates/cli audit --source osv
-npx @rainy-updates/cli audit --fix          # prints the patching npm install command
+npx @rainy-updates/cli audit --fix          # prints the patching install command for the detected package manager
 rup audit --severity high                   # if installed
 
-`audit` prefers npm/pnpm lockfiles today for exact installed-version inference, and now also reads simple `bun.lock` workspace entries when available. It reports source-health warnings when OSV or GitHub returns only partial coverage.
+`audit` resolves installed versions from lockfiles across npm, pnpm, and simple `bun.lock` workspace entries when available. It reports source-health warnings when OSV or GitHub returns only partial coverage.
 
-# 10) Check dependency maintenance health
+# 11) Check dependency maintenance health
 npx @rainy-updates/cli health
 npx @rainy-updates/cli health --stale 6m   # flag packages with no release in 6 months
 npx @rainy-updates/cli health --stale 180d # same but in days
 rup health --stale 6m                       # if installed
 
-# 11) Find which version introduced a breaking change
+# 12) Find which version introduced a breaking change
 npx @rainy-updates/cli bisect axios --cmd "bun test"
 npx @rainy-updates/cli bisect react --range "18.0.0..19.0.0" --cmd "npm test"
 npx @rainy-updates/cli bisect lodash --cmd "npm run test:unit" --dry-run
 rup bisect axios --cmd "bun test"           # if installed
 
-# 12) Focus review on high-risk changes
+# 13) Focus review on high-risk changes
 rup review --risk high --diff major
 
-# 13) Audit GA / CI readiness
+# 14) Audit GA / CI readiness
 rup ga --workspace
 ```
 
+## Decision Plans And Verification
+
+Rainy can persist an approved update set as a deterministic decision plan and replay it later:
+
+```bash
+# Create a reviewed plan
+rup dashboard --mode review --plan-file .artifacts/decision-plan.json
+
+# Apply only that approved plan later
+rup upgrade --from-plan .artifacts/decision-plan.json
+
+# Apply and verify install + tests
+rup upgrade \
+  --from-plan .artifacts/decision-plan.json \
+  --verify install,test \
+  --test-command "bun test" \
+  --verification-report-file .artifacts/verification.json
+```
+
+This is the intended local review -> CI replay workflow.
+
+Verification follows the target repository's package manager when one is detected.
+That means Bun repositories can verify with `bun install` / `bun test`, while npm and pnpm projects keep their native install/test flows.
+
+## CI Gates
+
+`ci` supports explicit execution gates:
+
+- `--gate check` runs detection only.
+- `--gate doctor` computes the high-level verdict and doctor metadata.
+- `--gate review` emits a decision plan artifact without mutating the repo.
+- `--gate upgrade` replays an existing plan and can run verification.
+
 ## What it does in production
 
 ### Update detection engine
@@ -275,8 +328,8 @@ Generated file:
 
 Modes:
 
-- `strict`: warm-cache + offline check + artifacts + SARIF upload.
-- `enterprise`: strict checks + runtime matrix + retention policy + rollout gates.
+- `strict`: warm-cache + review gate + artifacts + SARIF upload.
+- `enterprise`: strict checks + runtime matrix + review/upgrade gates + retention policy.
 - `minimal`: fast check-only workflow for quick adoption.
 
 Schedule:
@@ -307,9 +360,15 @@ Schedule:
 - `--pr-limit <n>`
 - `--only-changed`
 - `--interactive`
+- `--plan-file <path>`
+- `--from-plan <path>`
+- `--verify none|install|test|install,test`
+- `--test-command <cmd>`
+- `--verification-report-file <path>`
 - `--show-impact`
 - `--show-homepage`
 - `--mode minimal|strict|enterprise` (for `ci`)
+- `--gate check|doctor|review|upgrade` (for `ci`)
 - `--fix-pr-batch-size <n>` (for batched fix branches in `ci`)
 - `--policy-file <path>`
 - `--format table|json|minimal|github`
@@ -328,7 +387,7 @@ Schedule:
 ### Upgrade-only
 
 - `--install`
-- `--pm auto|npm|pnpm`
+- `--pm auto|bun|npm|pnpm|yarn`
 - `--sync`
 
 ### Review-only