@rainy-updates/cli 0.5.6 → 0.6.0

package/dist/core/init-ci.js

@@ -1,17 +1,20 @@
-import { access, writeFile, mkdir } from "node:fs/promises";
+import { mkdir } from "node:fs/promises";
 import path from "node:path";
+import { detectPackageManager } from "../pm/detect.js";
 export async function initCiWorkflow(cwd, force, options) {
     const workflowPath = path.join(cwd, ".github", "workflows", "rainy-updates.yml");
     try {
         if (!force) {
-            await access(workflowPath);
-            return { path: workflowPath, created: false };
+            if (await Bun.file(workflowPath).exists()) {
+                return { path: workflowPath, created: false };
+            }
         }
     }
     catch {
         // missing file, continue create
     }
-    const packageManager = await detectPackageManager(cwd);
+    const detected = await detectPackageManager(cwd);
+    const packageManager = detected === "unknown" || detected === "yarn" ? "npm" : detected;
     const scheduleBlock = renderScheduleBlock(options.schedule);
     const workflow = options.mode === "minimal"
         ? minimalWorkflowTemplate(scheduleBlock, packageManager)
@@ -19,19 +22,9 @@ export async function initCiWorkflow(cwd, force, options) {
             ? strictWorkflowTemplate(scheduleBlock, packageManager)
             : enterpriseWorkflowTemplate(scheduleBlock, packageManager);
     await mkdir(path.dirname(workflowPath), { recursive: true });
-    await writeFile(workflowPath, workflow, "utf8");
+    await Bun.write(workflowPath, workflow);
     return { path: workflowPath, created: true };
 }
-async function detectPackageManager(cwd) {
-    const pnpmLock = path.join(cwd, "pnpm-lock.yaml");
-    try {
-        await access(pnpmLock);
-        return "pnpm";
-    }
-    catch {
-        return "npm";
-    }
-}
 function renderScheduleBlock(schedule) {
     if (schedule === "off") {
         return "  workflow_dispatch:";
@@ -40,20 +33,31 @@ function renderScheduleBlock(schedule) {
     return `  schedule:\n    - cron: '${cron}'\n  workflow_dispatch:`;
 }
 function installStep(packageManager) {
+    if (packageManager === "bun") {
+        return `      - name: Install dependencies\n        run: bun install`;
+    }
     if (packageManager === "pnpm") {
         return `      - name: Setup pnpm\n        uses: pnpm/action-setup@v4\n        with:\n          version: 9\n\n      - name: Install dependencies\n        run: pnpm install --frozen-lockfile`;
     }
     return `      - name: Install dependencies\n        run: npm ci`;
 }
 function minimalWorkflowTemplate(scheduleBlock, packageManager) {
-    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: '20'\n\n${installStep(packageManager)}\n\n      - name: Run dependency check\n        run: |\n          npx @rainy-updates/cli ci \\\n            --workspace \\\n            --mode minimal \\\n            --ci \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format table\n`;
+    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n${installStep(packageManager)}\n\n      - name: Run dependency check\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode minimal \\\n            --gate check \\\n            --ci \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format table\n`;
 }
 function strictWorkflowTemplate(scheduleBlock, packageManager) {
-    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: '20'\n\n${installStep(packageManager)}\n\n      - name: Warm cache\n        run: npx @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Run strict dependency check\n        run: |\n          npx @rainy-updates/cli ci \\\n            --workspace \\\n            --mode strict \\\n            --ci \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format github \\\n            --json-file .artifacts/deps-report.json \\\n            --pr-report-file .artifacts/deps-report.md \\\n            --sarif-file .artifacts/deps-report.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report\n          path: .artifacts/\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report.sarif\n`;
+    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n${installStep(packageManager)}\n\n      - name: Warm cache\n        run: bunx --bun @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Generate reviewed decision plan\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode strict \\\n            --gate review \\\n            --plan-file .artifacts/decision-plan.json \\\n            --ci \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format github \\\n            --json-file .artifacts/deps-report.json \\\n            --pr-report-file .artifacts/deps-report.md \\\n            --sarif-file .artifacts/deps-report.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report\n          path: .artifacts/\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report.sarif\n`;
 }
 function enterpriseWorkflowTemplate(scheduleBlock, packageManager) {
-    const detectedPmInstall = packageManager === "pnpm"
-        ? "corepack enable && corepack prepare pnpm@9 --activate && pnpm install --frozen-lockfile"
-        : "npm ci";
-    return `name: Rainy Updates Enterprise\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n  actions: read\n\nconcurrency:\n  group: rainy-updates-\${{ github.ref }}\n  cancel-in-progress: false\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: false\n      matrix:\n        node: [20, 22]\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: \${{ matrix.node }}\n\n      - name: Install dependencies\n        run: ${detectedPmInstall}\n\n      - name: Warm cache\n        run: npx @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Check updates with rollout controls\n        run: |\n          npx @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --lockfile-mode preserve \\\n            --format github \\\n            --fail-on minor \\\n            --max-updates 50 \\\n            --json-file .artifacts/deps-report-node-\${{ matrix.node }}.json \\\n            --pr-report-file .artifacts/deps-report-node-\${{ matrix.node }}.md \\\n            --sarif-file .artifacts/deps-report-node-\${{ matrix.node }}.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report-node-\${{ matrix.node }}\n          path: .artifacts/\n          retention-days: 14\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report-node-\${{ matrix.node }}.sarif\n`;
+    let detectedPmInstall = "npm ci";
+    let testCmd = "npm test";
+    if (packageManager === "pnpm") {
+        detectedPmInstall =
+            "corepack enable && corepack prepare pnpm@9 --activate && pnpm install --frozen-lockfile";
+        testCmd = "pnpm test";
+    }
+    else if (packageManager === "bun") {
+        detectedPmInstall = "bun install";
+        testCmd = "bun test";
+    }
+    return `name: Rainy Updates Enterprise\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n  actions: read\n\nconcurrency:\n  group: rainy-updates-\${{ github.ref }}\n  cancel-in-progress: false\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: false\n      matrix:\n        node: [20, 22]\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: \${{ matrix.node }}\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n      - name: Install dependencies\n        run: ${detectedPmInstall}\n\n      - name: Warm cache\n        run: bunx --bun @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Generate reviewed decision plan\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --gate review \\\n            --plan-file .artifacts/decision-plan.json \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --lockfile-mode preserve \\\n            --format github \\\n            --fail-on minor \\\n            --max-updates 50 \\\n            --json-file .artifacts/deps-report-node-\${{ matrix.node }}.json \\\n            --pr-report-file .artifacts/deps-report-node-\${{ matrix.node }}.md \\\n            --sarif-file .artifacts/deps-report-node-\${{ matrix.node }}.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Replay approved plan with verification\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --gate upgrade \\\n            --from-plan .artifacts/decision-plan.json \\\n            --verify test \\\n            --test-command "${testCmd}" \\\n            --verification-report-file .artifacts/verification-node-\${{ matrix.node }}.json\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report-node-\${{ matrix.node }}\n          path: .artifacts/\n          retention-days: 14\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report-node-\${{ matrix.node }}.sarif\n`;
 }

package/dist/core/options.js

@@ -1,6 +1,6 @@
 import path from "node:path";
-import process from "node:process";
 import { loadConfig } from "../config/loader.js";
+import { getRuntimeCwd } from "../utils/runtime.js";
 const DEFAULT_INCLUDE_KINDS = [
     "dependencies",
     "devDependencies",
@@ -83,7 +83,7 @@ export async function parseCliArgs(argv) {
         return { command, options: parseGaArgs(args) };
     }
     const base = {
-        cwd: process.cwd(),
+        cwd: getRuntimeCwd(),
         target: "latest",
         filter: undefined,
         reject: undefined,
@@ -122,6 +122,11 @@ export async function parseCliArgs(argv) {
         interactive: false,
         showImpact: false,
         showHomepage: false,
+        decisionPlanFile: undefined,
+        verify: "none",
+        testCommand: undefined,
+        verificationReportFile: undefined,
+        ciGate: "check",
     };
     let force = false;
     let initCiMode = "enterprise";
@@ -492,6 +497,54 @@ export async function parseCliArgs(argv) {
         if (current === "--file") {
             throw new Error("Missing value for --file");
         }
+        if (current === "--plan-file" && next) {
+            base.decisionPlanFile = path.resolve(base.cwd, next);
+            index += 1;
+            continue;
+        }
+        if (current === "--plan-file") {
+            throw new Error("Missing value for --plan-file");
+        }
+        if (current === "--from-plan" && next) {
+            base.decisionPlanFile = path.resolve(base.cwd, next);
+            index += 1;
+            continue;
+        }
+        if (current === "--from-plan") {
+            throw new Error("Missing value for --from-plan");
+        }
+        if (current === "--verify" && next) {
+            base.verify = ensureVerificationMode(next);
+            index += 1;
+            continue;
+        }
+        if (current === "--verify") {
+            throw new Error("Missing value for --verify");
+        }
+        if (current === "--test-command" && next) {
+            base.testCommand = next;
+            index += 1;
+            continue;
+        }
+        if (current === "--test-command") {
+            throw new Error("Missing value for --test-command");
+        }
+        if (current === "--verification-report-file" && next) {
+            base.verificationReportFile = path.resolve(base.cwd, next);
+            index += 1;
+            continue;
+        }
+        if (current === "--verification-report-file") {
+            throw new Error("Missing value for --verification-report-file");
+        }
+        if (current === "--gate" && next) {
+            base.ciGate = ensureCiGate(next);
+            index += 1;
+            continue;
+        }
+        if (current === "--gate") {
+            throw new Error("Missing value for --gate");
+        }
         if (current.startsWith("-")) {
             throw new Error(`Unknown option: ${current}`);
         }
@@ -526,6 +579,7 @@ export async function parseCliArgs(argv) {
             install: args.includes("--install") || resolvedConfig.install === true,
             packageManager: cliPm === "auto" ? (configPm ?? "auto") : cliPm,
             sync: args.includes("--sync") || resolvedConfig.sync === true,
+            fromPlanFile: base.decisionPlanFile,
         };
         return { command, options: upgradeOptions };
     }
@@ -687,16 +741,35 @@ function applyConfig(base, config) {
     if (typeof config.showHomepage === "boolean") {
         base.showHomepage = config.showHomepage;
     }
+    if (typeof config.decisionPlanFile === "string") {
+        base.decisionPlanFile = path.resolve(base.cwd, config.decisionPlanFile);
+    }
+    if (typeof config.verify === "string") {
+        base.verify = ensureVerificationMode(config.verify);
+    }
+    if (typeof config.testCommand === "string") {
+        base.testCommand = config.testCommand;
+    }
+    if (typeof config.verificationReportFile === "string") {
+        base.verificationReportFile = path.resolve(base.cwd, config.verificationReportFile);
+    }
+    if (typeof config.ciGate === "string") {
+        base.ciGate = ensureCiGate(config.ciGate);
+    }
 }
 function parsePackageManager(args) {
     const index = args.indexOf("--pm");
     if (index === -1)
         return "auto";
     const value = args[index + 1] ?? "auto";
-    if (value === "auto" || value === "npm" || value === "pnpm") {
+    if (value === "auto" ||
+        value === "bun" ||
+        value === "npm" ||
+        value === "pnpm" ||
+        value === "yarn") {
         return value;
     }
-    throw new Error("--pm must be auto, npm or pnpm");
+    throw new Error("--pm must be auto, bun, npm, pnpm or yarn");
 }
 function ensureTarget(value) {
     if (value === "patch" ||
@@ -800,3 +873,21 @@ export function ensureRiskLevel(value) {
     }
     throw new Error("--risk must be critical, high, medium or low");
 }
+function ensureVerificationMode(value) {
+    if (value === "none" ||
+        value === "install" ||
+        value === "test" ||
+        value === "install,test") {
+        return value;
+    }
+    throw new Error("--verify must be none, install, test or install,test");
+}
+function ensureCiGate(value) {
+    if (value === "check" ||
+        value === "doctor" ||
+        value === "review" ||
+        value === "upgrade") {
+        return value;
+    }
+    throw new Error("--gate must be check, doctor, review or upgrade");
+}

package/dist/core/review-model.d.ts

@@ -1,5 +1,5 @@
-import type { CheckOptions, DoctorOptions, DoctorResult, ReviewOptions, ReviewResult } from "../types/index.js";
+import type { CheckOptions, DoctorOptions, ReviewOptions, ReviewResult } from "../types/index.js";
+export { createDoctorResult } from "./doctor/result.js";
+export { renderDoctorAgentReport, renderDoctorResult, } from "./doctor/render.js";
 export declare function buildReviewResult(options: ReviewOptions | DoctorOptions | CheckOptions): Promise<ReviewResult>;
-export declare function createDoctorResult(review: ReviewResult): DoctorResult;
 export declare function renderReviewResult(review: ReviewResult): string;
-export declare function renderDoctorResult(result: DoctorResult, verdictOnly?: boolean): string;

package/dist/core/review-model.js

@@ -1,6 +1,9 @@
 import path from "node:path";
 import { createSummary, finalizeSummary } from "./summary.js";
 import { buildAnalysisBundle } from "./analysis-bundle.js";
+export { createDoctorResult } from "./doctor/result.js";
+export { renderDoctorAgentReport, renderDoctorResult, } from "./doctor/render.js";
+import { deriveReviewVerdict } from "./review-verdict.js";
 export async function buildReviewResult(options) {
     const includeChangelog = ("showChangelog" in options && options.showChangelog === true) ||
         ("includeChangelog" in options && options.includeChangelog === true) ||
@@ -48,17 +51,6 @@ export async function buildReviewResult(options) {
         ],
     };
 }
-export function createDoctorResult(review) {
-    const verdict = review.summary.verdict ?? deriveVerdict(review.items, review.errors);
-    const primaryFindings = buildPrimaryFindings(review);
-    return {
-        verdict,
-        summary: review.summary,
-        review,
-        primaryFindings,
-        recommendedCommand: recommendCommand(review, verdict),
-    };
-}
 export function renderReviewResult(review) {
     const lines = [];
     lines.push(`Project: ${review.projectPath}`);
@@ -117,16 +109,8 @@ export function renderReviewResult(review) {
     }
     lines.push("");
     lines.push(`Summary: ${review.summary.updatesFound} updates, riskPackages=${review.summary.riskPackages ?? 0}, securityPackages=${review.summary.securityPackages ?? 0}, peerConflictPackages=${review.summary.peerConflictPackages ?? 0}`);
-    return lines.join("\n");
-}
-export function renderDoctorResult(result, verdictOnly = false) {
-    const lines = [
-        `State: ${result.verdict}`,
-        `PrimaryRisk: ${result.primaryFindings[0] ?? "No blocking findings."}`,
-        `NextAction: ${result.recommendedCommand}`,
-    ];
-    if (!verdictOnly) {
-        lines.push(`Counts: updates=${result.summary.updatesFound}, security=${result.summary.securityPackages ?? 0}, risk=${result.summary.riskPackages ?? 0}, peer=${result.summary.peerConflictPackages ?? 0}, license=${result.summary.licenseViolationPackages ?? 0}`);
+    if (review.summary.decisionPlan) {
+        lines.push(`DecisionPlan: ${review.summary.decisionPlan}`);
     }
     return lines.join("\n");
 }
@@ -196,51 +180,6 @@ function createReviewSummary(base, items, errors, warnings, interactiveSession,
     summary.monitorPackages = items.filter((item) => item.update.policyAction === "monitor").length;
     summary.decisionPackages = items.length;
     summary.degradedSources = degradedSources;
-    summary.verdict = deriveVerdict(items, errors);
+    summary.verdict = deriveReviewVerdict(items, errors);
     return summary;
 }
-function deriveVerdict(items, errors) {
-    if (items.some((item) => item.update.peerConflictSeverity === "error" ||
-        item.update.licenseStatus === "denied")) {
-        return "blocked";
-    }
-    if (items.some((item) => item.advisories.length > 0 || item.update.riskLevel === "critical")) {
-        return "actionable";
-    }
-    if (errors.length > 0 ||
-        items.some((item) => item.update.riskLevel === "high" || item.update.diffType === "major")) {
-        return "review";
-    }
-    return "safe";
-}
-function buildPrimaryFindings(review) {
-    const findings = [];
-    if ((review.summary.peerConflictPackages ?? 0) > 0) {
-        findings.push(`${review.summary.peerConflictPackages} package(s) have peer conflicts.`);
-    }
-    if ((review.summary.licenseViolationPackages ?? 0) > 0) {
-        findings.push(`${review.summary.licenseViolationPackages} package(s) violate license policy.`);
-    }
-    if ((review.summary.securityPackages ?? 0) > 0) {
-        findings.push(`${review.summary.securityPackages} package(s) have security advisories.`);
-    }
-    if ((review.summary.riskPackages ?? 0) > 0) {
-        findings.push(`${review.summary.riskPackages} package(s) are high risk.`);
-    }
-    if (review.errors.length > 0) {
-        findings.push(`${review.errors.length} execution error(s) need review before treating the result as clean.`);
-    }
-    if (findings.length === 0) {
-        findings.push("No blocking findings; remaining updates are low-risk.");
-    }
-    return findings;
-}
-function recommendCommand(review, verdict) {
-    if (verdict === "blocked")
-        return "rup review --interactive";
-    if ((review.summary.securityPackages ?? 0) > 0)
-        return "rup review --security-only";
-    if (review.errors.length > 0 || review.items.length > 0)
-        return "rup review --interactive";
-    return "rup check";
-}

package/dist/core/review-verdict.d.ts

@@ -0,0 +1,2 @@
+import type { ReviewItem, Verdict } from "../types/index.js";
+export declare function deriveReviewVerdict(items: ReviewItem[], errors: string[]): Verdict;

package/dist/core/review-verdict.js

@@ -0,0 +1,14 @@
+export function deriveReviewVerdict(items, errors) {
+    if (items.some((item) => item.update.peerConflictSeverity === "error" ||
+        item.update.licenseStatus === "denied")) {
+        return "blocked";
+    }
+    if (items.some((item) => item.advisories.length > 0 || item.update.riskLevel === "critical")) {
+        return "actionable";
+    }
+    if (errors.length > 0 ||
+        items.some((item) => item.update.riskLevel === "high" || item.update.diffType === "major")) {
+        return "review";
+    }
+    return "safe";
+}

package/dist/core/summary.js

@@ -63,6 +63,18 @@ export function createSummary(input) {
         cacheBackend: undefined,
         binaryRecommended: false,
         gaReady: undefined,
+        dependencyHealthScore: undefined,
+        findingCountsByCategory: undefined,
+        findingCountsBySeverity: undefined,
+        primaryFindingCode: undefined,
+        primaryFindingCategory: undefined,
+        nextActionReason: undefined,
+        suggestedCommand: undefined,
+        decisionPlan: undefined,
+        interactiveSurface: undefined,
+        queueFocus: undefined,
+        verificationState: "not-run",
+        verificationFailures: 0,
     };
 }
 export function finalizeSummary(summary) {

package/dist/core/upgrade.js

@@ -5,17 +5,25 @@ import { detectPackageManager } from "../pm/detect.js";
 import { applyRangeStyle, parseVersion, compareVersions } from "../utils/semver.js";
 import { buildWorkspaceGraph } from "../workspace/graph.js";
 import { captureLockfileSnapshot, changedLockfiles, validateLockfileMode } from "../utils/lockfile.js";
+import { createSummary, finalizeSummary } from "./summary.js";
+import { readDecisionPlan, selectedUpdatesFromPlan } from "./decision-plan.js";
+import { runVerification } from "./verification.js";
 export async function upgrade(options) {
     validateLockfileMode(options.lockfileMode, options.install);
     const lockfilesBefore = await captureLockfileSnapshot(options.cwd);
-    const checkResult = await check(options);
+    const checkResult = options.fromPlanFile
+        ? await createUpgradeResultFromPlan(options)
+        : await check(options);
     if (checkResult.updates.length === 0) {
         return {
             ...checkResult,
             changed: false,
         };
     }
-    await applySelectedUpdates(options, checkResult.updates);
+    const selectedUpdates = options.fromPlanFile
+        ? checkResult.updates
+        : checkResult.updates;
+    await applySelectedUpdates(options, selectedUpdates);
     const lockfileChanges = await changedLockfiles(options.cwd, lockfilesBefore);
     if (lockfileChanges.length > 0 && (options.lockfileMode === "preserve" || options.lockfileMode === "error")) {
         throw new Error(`Lockfile changes detected in ${options.lockfileMode} mode: ${lockfileChanges.join(", ")}`);
@@ -23,6 +31,18 @@ export async function upgrade(options) {
     if (lockfileChanges.length > 0 && options.lockfileMode === "update") {
         checkResult.warnings.push(`Lockfiles changed: ${lockfileChanges.map((item) => item.split("/").pop()).join(", ")}`);
     }
+    if (options.verify !== "none") {
+        const verification = await runVerification(options);
+        checkResult.summary.verificationState = verification.passed
+            ? "passed"
+            : "failed";
+        checkResult.summary.verificationFailures = verification.checks.filter((check) => !check.passed).length;
+        if (!verification.passed) {
+            checkResult.errors.push(...verification.checks
+                .filter((check) => !check.passed)
+                .map((check) => `Verification failed for ${check.name}: ${check.error ?? check.command}`));
+        }
+    }
     return {
         ...checkResult,
         changed: true,
@@ -59,6 +79,48 @@ export async function applySelectedUpdates(options, updates) {
         await installDependencies(options.cwd, options.packageManager, detected);
     }
 }
+async function createUpgradeResultFromPlan(options) {
+    if (!options.fromPlanFile) {
+        throw new Error("Missing decision plan file.");
+    }
+    const plan = await readDecisionPlan(options.fromPlanFile);
+    const packageManager = await detectPackageManager(options.cwd);
+    const updates = selectedUpdatesFromPlan(plan);
+    const packagePaths = Array.from(new Set(updates.map((update) => update.packagePath))).sort((left, right) => left.localeCompare(right));
+    const summary = finalizeSummary(createSummary({
+        scannedPackages: packagePaths.length,
+        totalDependencies: updates.length,
+        checkedDependencies: updates.length,
+        updatesFound: updates.length,
+        upgraded: 0,
+        skipped: 0,
+        warmedPackages: 0,
+        errors: [],
+        warnings: [],
+        durations: {
+            totalMs: 0,
+            discoveryMs: 0,
+            registryMs: 0,
+            cacheMs: 0,
+        },
+    }));
+    summary.decisionPlan = options.fromPlanFile;
+    summary.interactiveSurface = plan.interactiveSurface;
+    summary.queueFocus = plan.focus;
+    summary.updatesFound = updates.length;
+    return {
+        projectPath: options.cwd,
+        packagePaths,
+        packageManager,
+        target: plan.target,
+        timestamp: new Date().toISOString(),
+        summary,
+        updates,
+        errors: [],
+        warnings: [],
+        changed: false,
+    };
+}
 function applyWorkspaceSync(manifestsByPath, orderedPaths, localPackageNames, includeKinds, updates) {
     const desiredByPackage = new Map();
     for (const update of updates) {

package/dist/core/verification.d.ts

@@ -0,0 +1,2 @@
+import type { UpgradeOptions, VerificationResult } from "../types/index.js";
+export declare function runVerification(options: Pick<UpgradeOptions, "cwd" | "verify" | "testCommand" | "verificationReportFile" | "packageManager">): Promise<VerificationResult>;

package/dist/core/verification.js

@@ -0,0 +1,106 @@
+import { detectPackageManager, resolvePackageManager } from "../pm/detect.js";
+import { installDependencies } from "../pm/install.js";
+import { stableStringify } from "../utils/stable-json.js";
+import { writeFileAtomic } from "../utils/io.js";
+import { readEnv } from "../utils/runtime.js";
+export async function runVerification(options) {
+    const mode = options.verify;
+    if (mode === "none") {
+        const result = {
+            mode,
+            passed: true,
+            checks: [],
+        };
+        await maybeWriteVerificationReport(options.verificationReportFile, result);
+        return result;
+    }
+    const checks = [];
+    const detected = await detectPackageManager(options.cwd);
+    if (includesInstall(mode)) {
+        checks.push(await runCheck("install", `${resolvePackageManager(options.packageManager, detected)} install`, async () => {
+            await installDependencies(options.cwd, options.packageManager, detected);
+        }));
+    }
+    if (includesTest(mode)) {
+        const command = options.testCommand ??
+            defaultTestCommand(options.packageManager, detected);
+        checks.push(await runShellCheck(options.cwd, command));
+    }
+    const result = {
+        mode,
+        passed: checks.every((check) => check.passed),
+        checks,
+    };
+    await maybeWriteVerificationReport(options.verificationReportFile, result);
+    return result;
+}
+function includesInstall(mode) {
+    return mode === "install" || mode === "install,test";
+}
+function includesTest(mode) {
+    return mode === "test" || mode === "install,test";
+}
+function defaultTestCommand(packageManager, detected) {
+    return `${resolvePackageManager(packageManager, detected, "bun")} test`;
+}
+async function runShellCheck(cwd, command) {
+    const startedAt = Date.now();
+    try {
+        const shell = readEnv("SHELL") || "sh";
+        const proc = Bun.spawn([shell, "-lc", command], {
+            cwd,
+            stdin: "inherit",
+            stdout: "inherit",
+            stderr: "inherit",
+        });
+        const exitCode = await proc.exited;
+        return {
+            name: "test",
+            command,
+            passed: exitCode === 0,
+            exitCode,
+            durationMs: Math.max(0, Date.now() - startedAt),
+            error: exitCode === 0
+                ? undefined
+                : `${command} failed with exit code ${exitCode}`,
+        };
+    }
+    catch (error) {
+        return {
+            name: "test",
+            command,
+            passed: false,
+            exitCode: 1,
+            durationMs: Math.max(0, Date.now() - startedAt),
+            error: String(error),
+        };
+    }
+}
+async function runCheck(name, command, action) {
+    const startedAt = Date.now();
+    try {
+        await action();
+        return {
+            name,
+            command,
+            passed: true,
+            exitCode: 0,
+            durationMs: Math.max(0, Date.now() - startedAt),
+        };
+    }
+    catch (error) {
+        return {
+            name,
+            command,
+            passed: false,
+            exitCode: 1,
+            durationMs: Math.max(0, Date.now() - startedAt),
+            error: String(error),
+        };
+    }
+}
+async function maybeWriteVerificationReport(filePath, result) {
+    if (!filePath)
+        return;
+    await writeFileAtomic(filePath, stableStringify(result, 2) + "\n");
+}

package/dist/core/warm-cache.js

@@ -1,4 +1,3 @@
-import process from "node:process";
 import { collectDependencies, readManifest } from "../parsers/package-json.js";
 import { matchesPattern } from "../utils/pattern.js";
 import { VersionCache } from "../cache/cache.js";
@@ -7,6 +6,7 @@ import { detectPackageManager } from "../pm/detect.js";
 import { discoverPackageDirs } from "../workspace/discover.js";
 import { createSummary, finalizeSummary } from "./summary.js";
 import { formatClassifiedMessage } from "./errors.js";
+import { writeStdout } from "../utils/runtime.js";
 export async function warmCache(options) {
     const startedAt = Date.now();
     let discoveryMs = 0;
@@ -39,7 +39,7 @@ export async function warmCache(options) {
         if (!options.stream)
             return;
         streamedEvents += 1;
-        process.stdout.write(`${message}\n`);
+        writeStdout(`${message}\n`);
     };
     for (const packageDir of packageDirs) {
         try {

package/dist/output/format.js

@@ -70,6 +70,16 @@ export function renderResult(result, format, display = {}) {
             `cache_backend=${result.summary.cacheBackend ?? ""}`,
             `degraded_sources=${(result.summary.degradedSources ?? []).join(",")}`,
             `ga_ready=${result.summary.gaReady === true ? "1" : "0"}`,
+            `dependency_health_score=${result.summary.dependencyHealthScore ?? ""}`,
+            `primary_finding_code=${result.summary.primaryFindingCode ?? ""}`,
+            `primary_finding_category=${result.summary.primaryFindingCategory ?? ""}`,
+            `next_action_reason=${result.summary.nextActionReason ?? ""}`,
+            `suggested_command=${result.summary.suggestedCommand ?? ""}`,
+            `decision_plan=${result.summary.decisionPlan ?? ""}`,
+            `interactive_surface=${result.summary.interactiveSurface ?? ""}`,
+            `queue_focus=${result.summary.queueFocus ?? ""}`,
+            `verification_state=${result.summary.verificationState ?? "not-run"}`,
+            `verification_failures=${result.summary.verificationFailures ?? 0}`,
         ].join("\n");
     }
     const lines = [];
@@ -130,6 +140,18 @@ export function renderResult(result, format, display = {}) {
     if (result.summary.verdict) {
         lines.push(`Verdict=${result.summary.verdict}, riskPackages=${result.summary.riskPackages ?? 0}, securityPackages=${result.summary.securityPackages ?? 0}, peerConflictPackages=${result.summary.peerConflictPackages ?? 0}, licenseViolationPackages=${result.summary.licenseViolationPackages ?? 0}`);
     }
+    if (typeof result.summary.dependencyHealthScore === "number") {
+        lines.push(`DependencyHealthScore=${result.summary.dependencyHealthScore}, primaryFinding=${result.summary.primaryFindingCode ?? "none"}, category=${result.summary.primaryFindingCategory ?? "none"}`);
+    }
+    if (result.summary.suggestedCommand) {
+        lines.push(`SuggestedCommand=${result.summary.suggestedCommand}`);
+    }
+    if (result.summary.decisionPlan) {
+        lines.push(`DecisionPlan=${result.summary.decisionPlan}, surface=${result.summary.interactiveSurface ?? "none"}, focus=${result.summary.queueFocus ?? "all"}`);
+    }
+    if (result.summary.verificationState && result.summary.verificationState !== "not-run") {
+        lines.push(`Verification=${result.summary.verificationState}, failures=${result.summary.verificationFailures ?? 0}`);
+    }
     if (result.summary.runId) {
         lines.push(`RunId=${result.summary.runId}, artifactManifest=${result.summary.artifactManifest ?? "none"}, blockedPackages=${result.summary.blockedPackages ?? 0}, reviewPackages=${result.summary.reviewPackages ?? 0}, monitorPackages=${result.summary.monitorPackages ?? 0}`);
     }