@rainy-updates/cli 0.5.7 → 0.6.0

package/dist/core/fix-pr-batch.js

@@ -1,8 +1,7 @@
-import { spawn } from "node:child_process";
-import { promises as fs } from "node:fs";
-import os from "node:os";
+import { $ } from "bun";
 import path from "node:path";
 import { readManifest, writeManifest } from "../parsers/package-json.js";
+import { createTempDir } from "../utils/runtime-paths.js";
 export async function applyFixPrBatches(options, result) {
     const autofixUpdates = result.updates.filter((update) => update.autofix !== false);
     if (!options.fixPr || autofixUpdates.length === 0) {
@@ -12,14 +11,25 @@ export async function applyFixPrBatches(options, result) {
     const groups = groupUpdates(autofixUpdates, options.groupBy);
     const plans = planFixPrBatches(groups, options.fixBranch ?? "chore/rainy-updates", options.fixPrBatchSize ?? 1);
     if (options.fixDryRun) {
-        return { applied: false, branches: plans.map((plan) => plan.branchName), commits: [] };
+        return {
+            applied: false,
+            branches: plans.map((plan) => plan.branchName),
+            commits: [],
+        };
     }
     const branches = [];
     const commits = [];
     for (const plan of plans) {
-        const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "rainy-fix-pr-batch-"));
+        const tempDir = await createTempDir("rainy-fix-pr-batch-");
         try {
-            await runGit(options.cwd, ["worktree", "add", "-B", plan.branchName, tempDir, baseRef]);
+            await runGit(options.cwd, [
+                "worktree",
+                "add",
+                "-B",
+                plan.branchName,
+                tempDir,
+                baseRef,
+            ]);
             await applyUpdatesInWorktree(options.cwd, tempDir, plan.updates);
             await stageUpdatedManifests(options.cwd, tempDir, plan.updates);
             const message = renderCommitMessage(options, plan, plans.length);
@@ -47,7 +57,9 @@ export function planFixPrBatches(groups, baseBranch, batchSize) {
         chunks.push(groups.slice(index, index + size));
     }
     return chunks.map((chunk, index) => {
-        const suffix = chunk.length === 1 ? sanitizeBranchToken(chunk[0]?.key ?? `batch-${index + 1}`) : `batch-${index + 1}`;
+        const suffix = chunk.length === 1
+            ? sanitizeBranchToken(chunk[0]?.key ?? `batch-${index + 1}`)
+            : `batch-${index + 1}`;
         return {
             index: index + 1,
             groups: chunk,
@@ -147,27 +159,25 @@ function renderCommitMessage(options, plan, totalBatches) {
     return `${baseMessage} (${plan.index}/${totalBatches}, ${plan.updates.length} updates)`;
 }
 function sanitizeBranchToken(value) {
-    return value.replace(/^@/, "").replace(/[^a-zA-Z0-9._-]+/g, "-").replace(/^-+|-+$/g, "") || "batch";
+    return (value
+        .replace(/^@/, "")
+        .replace(/[^a-zA-Z0-9._-]+/g, "-")
+        .replace(/^-+|-+$/g, "") || "batch");
 }
 async function runGit(cwd, args, allowNonZero = false) {
-    return await new Promise((resolve, reject) => {
-        const child = spawn("git", args, { cwd, stdio: ["ignore", "pipe", "pipe"] });
-        let stdout = "";
-        let stderr = "";
-        child.stdout.on("data", (chunk) => {
-            stdout += typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8");
-        });
-        child.stderr.on("data", (chunk) => {
-            stderr += typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8");
-        });
-        child.on("error", reject);
-        child.on("exit", (code) => {
-            const normalized = code ?? 1;
-            if (normalized !== 0 && !allowNonZero) {
-                reject(new Error(`git ${args.join(" ")} failed (${normalized}): ${stderr.trim()}`));
-                return;
-            }
-            resolve({ code: normalized, stdout, stderr });
-        });
-    });
+    try {
+        const res = await $ `git ${args}`.cwd(cwd).quiet().nothrow();
+        const code = res.exitCode;
+        const stdout = res.stdout.toString();
+        const stderr = res.stderr.toString();
+        if (code !== 0 && !allowNonZero) {
+            throw new Error(`git ${args.join(" ")} failed (${code}): ${stderr.trim()}`);
+        }
+        return { code, stdout, stderr };
+    }
+    catch (err) {
+        if (allowNonZero)
+            return { code: 1, stdout: "", stderr: "" };
+        throw err instanceof Error ? err : new Error(String(err));
+    }
 }

package/dist/core/fix-pr.js

@@ -1,4 +1,4 @@
-import { spawn } from "node:child_process";
+import { $ } from "bun";
 import path from "node:path";
 export async function applyFixPr(options, result, extraFiles) {
     if (!options.fixPr)
@@ -42,7 +42,8 @@ export async function applyFixPr(options, result, extraFiles) {
         : [];
     const filesToStage = Array.from(new Set([...manifestFiles, ...extraFiles, ...lockfileFiles]
         .map((entry) => path.resolve(options.cwd, entry))
-        .filter((entry) => entry.startsWith(path.resolve(options.cwd) + path.sep) || entry === path.resolve(options.cwd)))).sort((a, b) => a.localeCompare(b));
+        .filter((entry) => entry.startsWith(path.resolve(options.cwd) + path.sep) ||
+        entry === path.resolve(options.cwd)))).sort((a, b) => a.localeCompare(b));
     if (filesToStage.length > 0) {
         await runGit(options.cwd, ["add", "--", ...filesToStage]);
     }
@@ -54,7 +55,8 @@ export async function applyFixPr(options, result, extraFiles) {
             commitSha: "",
         };
     }
-    const message = options.fixCommitMessage ?? `chore(deps): apply rainy-updates (${autofixUpdates.length} updates)`;
+    const message = options.fixCommitMessage ??
+        `chore(deps): apply rainy-updates (${autofixUpdates.length} updates)`;
     await runGit(options.cwd, ["commit", "-m", message]);
     const rev = await runGit(options.cwd, ["rev-parse", "HEAD"]);
     return {
@@ -64,30 +66,31 @@ export async function applyFixPr(options, result, extraFiles) {
     };
 }
 async function runGit(cwd, args, allowNonZero = false) {
-    return await new Promise((resolve, reject) => {
-        const child = spawn("git", args, { cwd, stdio: ["ignore", "pipe", "pipe"] });
-        let stdout = "";
-        let stderr = "";
-        child.stdout.on("data", (chunk) => {
-            stdout += typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8");
-        });
-        child.stderr.on("data", (chunk) => {
-            stderr += typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8");
-        });
-        child.on("error", reject);
-        child.on("exit", (code) => {
-            const normalized = code ?? 1;
-            if (normalized !== 0 && !allowNonZero) {
-                reject(new Error(`git ${args.join(" ")} failed (${normalized}): ${stderr.trim()}`));
-                return;
-            }
-            resolve({ code: normalized, stdout, stderr });
-        });
-    });
+    try {
+        const res = await $ `git ${args}`.cwd(cwd).quiet().nothrow();
+        const code = res.exitCode;
+        const stdout = res.stdout.toString();
+        const stderr = res.stderr.toString();
+        if (code !== 0 && !allowNonZero) {
+            throw new Error(`git ${args.join(" ")} failed (${code}): ${stderr.trim()}`);
+        }
+        return { code, stdout, stderr };
+    }
+    catch (err) {
+        if (allowNonZero)
+            return { code: 1, stdout: "", stderr: "" };
+        throw err instanceof Error ? err : new Error(String(err));
+    }
 }
 async function collectChangedLockfiles(cwd) {
     const status = await runGit(cwd, ["status", "--porcelain"], true);
-    const allowed = new Set(["package-lock.json", "npm-shrinkwrap.json", "pnpm-lock.yaml", "yarn.lock", "bun.lock"]);
+    const allowed = new Set([
+        "package-lock.json",
+        "npm-shrinkwrap.json",
+        "pnpm-lock.yaml",
+        "yarn.lock",
+        "bun.lock",
+    ]);
     const changed = status.stdout
         .split(/\r?\n/)
         .map((line) => line.trim())

package/dist/core/init-ci.js

@@ -1,17 +1,20 @@
-import { access, writeFile, mkdir } from "node:fs/promises";
+import { mkdir } from "node:fs/promises";
 import path from "node:path";
+import { detectPackageManager } from "../pm/detect.js";
 export async function initCiWorkflow(cwd, force, options) {
     const workflowPath = path.join(cwd, ".github", "workflows", "rainy-updates.yml");
     try {
         if (!force) {
-            await access(workflowPath);
-            return { path: workflowPath, created: false };
+            if (await Bun.file(workflowPath).exists()) {
+                return { path: workflowPath, created: false };
+            }
         }
     }
     catch {
         // missing file, continue create
     }
-    const packageManager = await detectPackageManager(cwd);
+    const detected = await detectPackageManager(cwd);
+    const packageManager = detected === "unknown" || detected === "yarn" ? "npm" : detected;
     const scheduleBlock = renderScheduleBlock(options.schedule);
     const workflow = options.mode === "minimal"
         ? minimalWorkflowTemplate(scheduleBlock, packageManager)
@@ -19,19 +22,9 @@ export async function initCiWorkflow(cwd, force, options) {
             ? strictWorkflowTemplate(scheduleBlock, packageManager)
             : enterpriseWorkflowTemplate(scheduleBlock, packageManager);
     await mkdir(path.dirname(workflowPath), { recursive: true });
-    await writeFile(workflowPath, workflow, "utf8");
+    await Bun.write(workflowPath, workflow);
     return { path: workflowPath, created: true };
 }
-async function detectPackageManager(cwd) {
-    const pnpmLock = path.join(cwd, "pnpm-lock.yaml");
-    try {
-        await access(pnpmLock);
-        return "pnpm";
-    }
-    catch {
-        return "npm";
-    }
-}
 function renderScheduleBlock(schedule) {
     if (schedule === "off") {
         return "  workflow_dispatch:";
@@ -40,20 +33,31 @@ function renderScheduleBlock(schedule) {
     return `  schedule:\n    - cron: '${cron}'\n  workflow_dispatch:`;
 }
 function installStep(packageManager) {
+    if (packageManager === "bun") {
+        return `      - name: Install dependencies\n        run: bun install`;
+    }
     if (packageManager === "pnpm") {
         return `      - name: Setup pnpm\n        uses: pnpm/action-setup@v4\n        with:\n          version: 9\n\n      - name: Install dependencies\n        run: pnpm install --frozen-lockfile`;
     }
     return `      - name: Install dependencies\n        run: npm ci`;
 }
 function minimalWorkflowTemplate(scheduleBlock, packageManager) {
-    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: '20'\n\n${installStep(packageManager)}\n\n      - name: Run dependency check\n        run: |\n          npx @rainy-updates/cli ci \\\n            --workspace \\\n            --mode minimal \\\n            --ci \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format table\n`;
+    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n${installStep(packageManager)}\n\n      - name: Run dependency check\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode minimal \\\n            --gate check \\\n            --ci \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format table\n`;
 }
 function strictWorkflowTemplate(scheduleBlock, packageManager) {
-    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: '20'\n\n${installStep(packageManager)}\n\n      - name: Warm cache\n        run: npx @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Run strict dependency check\n        run: |\n          npx @rainy-updates/cli ci \\\n            --workspace \\\n            --mode strict \\\n            --ci \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format github \\\n            --json-file .artifacts/deps-report.json \\\n            --pr-report-file .artifacts/deps-report.md \\\n            --sarif-file .artifacts/deps-report.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report\n          path: .artifacts/\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report.sarif\n`;
+    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n${installStep(packageManager)}\n\n      - name: Warm cache\n        run: bunx --bun @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Generate reviewed decision plan\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode strict \\\n            --gate review \\\n            --plan-file .artifacts/decision-plan.json \\\n            --ci \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format github \\\n            --json-file .artifacts/deps-report.json \\\n            --pr-report-file .artifacts/deps-report.md \\\n            --sarif-file .artifacts/deps-report.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report\n          path: .artifacts/\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report.sarif\n`;
 }
 function enterpriseWorkflowTemplate(scheduleBlock, packageManager) {
-    const detectedPmInstall = packageManager === "pnpm"
-        ? "corepack enable && corepack prepare pnpm@9 --activate && pnpm install --frozen-lockfile"
-        : "npm ci";
-    return `name: Rainy Updates Enterprise\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n  actions: read\n\nconcurrency:\n  group: rainy-updates-\${{ github.ref }}\n  cancel-in-progress: false\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: false\n      matrix:\n        node: [20, 22]\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: \${{ matrix.node }}\n\n      - name: Install dependencies\n        run: ${detectedPmInstall}\n\n      - name: Warm cache\n        run: npx @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Check updates with rollout controls\n        run: |\n          npx @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --lockfile-mode preserve \\\n            --format github \\\n            --fail-on minor \\\n            --max-updates 50 \\\n            --json-file .artifacts/deps-report-node-\${{ matrix.node }}.json \\\n            --pr-report-file .artifacts/deps-report-node-\${{ matrix.node }}.md \\\n            --sarif-file .artifacts/deps-report-node-\${{ matrix.node }}.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report-node-\${{ matrix.node }}\n          path: .artifacts/\n          retention-days: 14\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report-node-\${{ matrix.node }}.sarif\n`;
+    let detectedPmInstall = "npm ci";
+    let testCmd = "npm test";
+    if (packageManager === "pnpm") {
+        detectedPmInstall =
+            "corepack enable && corepack prepare pnpm@9 --activate && pnpm install --frozen-lockfile";
+        testCmd = "pnpm test";
+    }
+    else if (packageManager === "bun") {
+        detectedPmInstall = "bun install";
+        testCmd = "bun test";
+    }
+    return `name: Rainy Updates Enterprise\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n  actions: read\n\nconcurrency:\n  group: rainy-updates-\${{ github.ref }}\n  cancel-in-progress: false\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: false\n      matrix:\n        node: [20, 22]\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: \${{ matrix.node }}\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n      - name: Install dependencies\n        run: ${detectedPmInstall}\n\n      - name: Warm cache\n        run: bunx --bun @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Generate reviewed decision plan\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --gate review \\\n            --plan-file .artifacts/decision-plan.json \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --lockfile-mode preserve \\\n            --format github \\\n            --fail-on minor \\\n            --max-updates 50 \\\n            --json-file .artifacts/deps-report-node-\${{ matrix.node }}.json \\\n            --pr-report-file .artifacts/deps-report-node-\${{ matrix.node }}.md \\\n            --sarif-file .artifacts/deps-report-node-\${{ matrix.node }}.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Replay approved plan with verification\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --gate upgrade \\\n            --from-plan .artifacts/decision-plan.json \\\n            --verify test \\\n            --test-command "${testCmd}" \\\n            --verification-report-file .artifacts/verification-node-\${{ matrix.node }}.json\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report-node-\${{ matrix.node }}\n          path: .artifacts/\n          retention-days: 14\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report-node-\${{ matrix.node }}.sarif\n`;
 }

package/dist/core/options.js

@@ -1,6 +1,6 @@
 import path from "node:path";
-import process from "node:process";
 import { loadConfig } from "../config/loader.js";
+import { getRuntimeCwd } from "../utils/runtime.js";
 const DEFAULT_INCLUDE_KINDS = [
     "dependencies",
     "devDependencies",
@@ -83,7 +83,7 @@ export async function parseCliArgs(argv) {
         return { command, options: parseGaArgs(args) };
     }
     const base = {
-        cwd: process.cwd(),
+        cwd: getRuntimeCwd(),
         target: "latest",
         filter: undefined,
         reject: undefined,
@@ -122,6 +122,11 @@ export async function parseCliArgs(argv) {
         interactive: false,
         showImpact: false,
         showHomepage: false,
+        decisionPlanFile: undefined,
+        verify: "none",
+        testCommand: undefined,
+        verificationReportFile: undefined,
+        ciGate: "check",
     };
     let force = false;
     let initCiMode = "enterprise";
@@ -492,6 +497,54 @@ export async function parseCliArgs(argv) {
         if (current === "--file") {
             throw new Error("Missing value for --file");
         }
+        if (current === "--plan-file" && next) {
+            base.decisionPlanFile = path.resolve(base.cwd, next);
+            index += 1;
+            continue;
+        }
+        if (current === "--plan-file") {
+            throw new Error("Missing value for --plan-file");
+        }
+        if (current === "--from-plan" && next) {
+            base.decisionPlanFile = path.resolve(base.cwd, next);
+            index += 1;
+            continue;
+        }
+        if (current === "--from-plan") {
+            throw new Error("Missing value for --from-plan");
+        }
+        if (current === "--verify" && next) {
+            base.verify = ensureVerificationMode(next);
+            index += 1;
+            continue;
+        }
+        if (current === "--verify") {
+            throw new Error("Missing value for --verify");
+        }
+        if (current === "--test-command" && next) {
+            base.testCommand = next;
+            index += 1;
+            continue;
+        }
+        if (current === "--test-command") {
+            throw new Error("Missing value for --test-command");
+        }
+        if (current === "--verification-report-file" && next) {
+            base.verificationReportFile = path.resolve(base.cwd, next);
+            index += 1;
+            continue;
+        }
+        if (current === "--verification-report-file") {
+            throw new Error("Missing value for --verification-report-file");
+        }
+        if (current === "--gate" && next) {
+            base.ciGate = ensureCiGate(next);
+            index += 1;
+            continue;
+        }
+        if (current === "--gate") {
+            throw new Error("Missing value for --gate");
+        }
         if (current.startsWith("-")) {
             throw new Error(`Unknown option: ${current}`);
         }
@@ -526,6 +579,7 @@ export async function parseCliArgs(argv) {
             install: args.includes("--install") || resolvedConfig.install === true,
             packageManager: cliPm === "auto" ? (configPm ?? "auto") : cliPm,
             sync: args.includes("--sync") || resolvedConfig.sync === true,
+            fromPlanFile: base.decisionPlanFile,
         };
         return { command, options: upgradeOptions };
     }
@@ -687,16 +741,35 @@ function applyConfig(base, config) {
     if (typeof config.showHomepage === "boolean") {
         base.showHomepage = config.showHomepage;
     }
+    if (typeof config.decisionPlanFile === "string") {
+        base.decisionPlanFile = path.resolve(base.cwd, config.decisionPlanFile);
+    }
+    if (typeof config.verify === "string") {
+        base.verify = ensureVerificationMode(config.verify);
+    }
+    if (typeof config.testCommand === "string") {
+        base.testCommand = config.testCommand;
+    }
+    if (typeof config.verificationReportFile === "string") {
+        base.verificationReportFile = path.resolve(base.cwd, config.verificationReportFile);
+    }
+    if (typeof config.ciGate === "string") {
+        base.ciGate = ensureCiGate(config.ciGate);
+    }
 }
 function parsePackageManager(args) {
     const index = args.indexOf("--pm");
     if (index === -1)
         return "auto";
     const value = args[index + 1] ?? "auto";
-    if (value === "auto" || value === "npm" || value === "pnpm") {
+    if (value === "auto" ||
+        value === "bun" ||
+        value === "npm" ||
+        value === "pnpm" ||
+        value === "yarn") {
         return value;
     }
-    throw new Error("--pm must be auto, npm or pnpm");
+    throw new Error("--pm must be auto, bun, npm, pnpm or yarn");
 }
 function ensureTarget(value) {
     if (value === "patch" ||
@@ -800,3 +873,21 @@ export function ensureRiskLevel(value) {
     }
     throw new Error("--risk must be critical, high, medium or low");
 }
+function ensureVerificationMode(value) {
+    if (value === "none" ||
+        value === "install" ||
+        value === "test" ||
+        value === "install,test") {
+        return value;
+    }
+    throw new Error("--verify must be none, install, test or install,test");
+}
+function ensureCiGate(value) {
+    if (value === "check" ||
+        value === "doctor" ||
+        value === "review" ||
+        value === "upgrade") {
+        return value;
+    }
+    throw new Error("--gate must be check, doctor, review or upgrade");
+}

package/dist/core/review-model.js

@@ -109,6 +109,9 @@ export function renderReviewResult(review) {
     }
     lines.push("");
     lines.push(`Summary: ${review.summary.updatesFound} updates, riskPackages=${review.summary.riskPackages ?? 0}, securityPackages=${review.summary.securityPackages ?? 0}, peerConflictPackages=${review.summary.peerConflictPackages ?? 0}`);
+    if (review.summary.decisionPlan) {
+        lines.push(`DecisionPlan: ${review.summary.decisionPlan}`);
+    }
     return lines.join("\n");
 }
 function matchesReviewFilters(item, options) {

package/dist/core/summary.js

@@ -69,6 +69,12 @@ export function createSummary(input) {
         primaryFindingCode: undefined,
         primaryFindingCategory: undefined,
         nextActionReason: undefined,
+        suggestedCommand: undefined,
+        decisionPlan: undefined,
+        interactiveSurface: undefined,
+        queueFocus: undefined,
+        verificationState: "not-run",
+        verificationFailures: 0,
     };
 }
 export function finalizeSummary(summary) {

package/dist/core/upgrade.js

@@ -5,17 +5,25 @@ import { detectPackageManager } from "../pm/detect.js";
 import { applyRangeStyle, parseVersion, compareVersions } from "../utils/semver.js";
 import { buildWorkspaceGraph } from "../workspace/graph.js";
 import { captureLockfileSnapshot, changedLockfiles, validateLockfileMode } from "../utils/lockfile.js";
+import { createSummary, finalizeSummary } from "./summary.js";
+import { readDecisionPlan, selectedUpdatesFromPlan } from "./decision-plan.js";
+import { runVerification } from "./verification.js";
 export async function upgrade(options) {
     validateLockfileMode(options.lockfileMode, options.install);
     const lockfilesBefore = await captureLockfileSnapshot(options.cwd);
-    const checkResult = await check(options);
+    const checkResult = options.fromPlanFile
+        ? await createUpgradeResultFromPlan(options)
+        : await check(options);
     if (checkResult.updates.length === 0) {
         return {
             ...checkResult,
             changed: false,
         };
     }
-    await applySelectedUpdates(options, checkResult.updates);
+    const selectedUpdates = options.fromPlanFile
+        ? checkResult.updates
+        : checkResult.updates;
+    await applySelectedUpdates(options, selectedUpdates);
     const lockfileChanges = await changedLockfiles(options.cwd, lockfilesBefore);
     if (lockfileChanges.length > 0 && (options.lockfileMode === "preserve" || options.lockfileMode === "error")) {
         throw new Error(`Lockfile changes detected in ${options.lockfileMode} mode: ${lockfileChanges.join(", ")}`);
@@ -23,6 +31,18 @@ export async function upgrade(options) {
     if (lockfileChanges.length > 0 && options.lockfileMode === "update") {
         checkResult.warnings.push(`Lockfiles changed: ${lockfileChanges.map((item) => item.split("/").pop()).join(", ")}`);
     }
+    if (options.verify !== "none") {
+        const verification = await runVerification(options);
+        checkResult.summary.verificationState = verification.passed
+            ? "passed"
+            : "failed";
+        checkResult.summary.verificationFailures = verification.checks.filter((check) => !check.passed).length;
+        if (!verification.passed) {
+            checkResult.errors.push(...verification.checks
+                .filter((check) => !check.passed)
+                .map((check) => `Verification failed for ${check.name}: ${check.error ?? check.command}`));
+        }
+    }
     return {
         ...checkResult,
         changed: true,
@@ -59,6 +79,48 @@ export async function applySelectedUpdates(options, updates) {
         await installDependencies(options.cwd, options.packageManager, detected);
     }
 }
+async function createUpgradeResultFromPlan(options) {
+    if (!options.fromPlanFile) {
+        throw new Error("Missing decision plan file.");
+    }
+    const plan = await readDecisionPlan(options.fromPlanFile);
+    const packageManager = await detectPackageManager(options.cwd);
+    const updates = selectedUpdatesFromPlan(plan);
+    const packagePaths = Array.from(new Set(updates.map((update) => update.packagePath))).sort((left, right) => left.localeCompare(right));
+    const summary = finalizeSummary(createSummary({
+        scannedPackages: packagePaths.length,
+        totalDependencies: updates.length,
+        checkedDependencies: updates.length,
+        updatesFound: updates.length,
+        upgraded: 0,
+        skipped: 0,
+        warmedPackages: 0,
+        errors: [],
+        warnings: [],
+        durations: {
+            totalMs: 0,
+            discoveryMs: 0,
+            registryMs: 0,
+            cacheMs: 0,
+        },
+    }));
+    summary.decisionPlan = options.fromPlanFile;
+    summary.interactiveSurface = plan.interactiveSurface;
+    summary.queueFocus = plan.focus;
+    summary.updatesFound = updates.length;
+    return {
+        projectPath: options.cwd,
+        packagePaths,
+        packageManager,
+        target: plan.target,
+        timestamp: new Date().toISOString(),
+        summary,
+        updates,
+        errors: [],
+        warnings: [],
+        changed: false,
+    };
+}
 function applyWorkspaceSync(manifestsByPath, orderedPaths, localPackageNames, includeKinds, updates) {
     const desiredByPackage = new Map();
     for (const update of updates) {

package/dist/core/verification.d.ts

@@ -0,0 +1,2 @@
+import type { UpgradeOptions, VerificationResult } from "../types/index.js";
+export declare function runVerification(options: Pick<UpgradeOptions, "cwd" | "verify" | "testCommand" | "verificationReportFile" | "packageManager">): Promise<VerificationResult>;

package/dist/core/verification.js

@@ -0,0 +1,106 @@
+import { detectPackageManager, resolvePackageManager } from "../pm/detect.js";
+import { installDependencies } from "../pm/install.js";
+import { stableStringify } from "../utils/stable-json.js";
+import { writeFileAtomic } from "../utils/io.js";
+import { readEnv } from "../utils/runtime.js";
+export async function runVerification(options) {
+    const mode = options.verify;
+    if (mode === "none") {
+        const result = {
+            mode,
+            passed: true,
+            checks: [],
+        };
+        await maybeWriteVerificationReport(options.verificationReportFile, result);
+        return result;
+    }
+    const checks = [];
+    const detected = await detectPackageManager(options.cwd);
+    if (includesInstall(mode)) {
+        checks.push(await runCheck("install", `${resolvePackageManager(options.packageManager, detected)} install`, async () => {
+            await installDependencies(options.cwd, options.packageManager, detected);
+        }));
+    }
+    if (includesTest(mode)) {
+        const command = options.testCommand ??
+            defaultTestCommand(options.packageManager, detected);
+        checks.push(await runShellCheck(options.cwd, command));
+    }
+    const result = {
+        mode,
+        passed: checks.every((check) => check.passed),
+        checks,
+    };
+    await maybeWriteVerificationReport(options.verificationReportFile, result);
+    return result;
+}
+function includesInstall(mode) {
+    return mode === "install" || mode === "install,test";
+}
+function includesTest(mode) {
+    return mode === "test" || mode === "install,test";
+}
+function defaultTestCommand(packageManager, detected) {
+    return `${resolvePackageManager(packageManager, detected, "bun")} test`;
+}
+async function runShellCheck(cwd, command) {
+    const startedAt = Date.now();
+    try {
+        const shell = readEnv("SHELL") || "sh";
+        const proc = Bun.spawn([shell, "-lc", command], {
+            cwd,
+            stdin: "inherit",
+            stdout: "inherit",
+            stderr: "inherit",
+        });
+        const exitCode = await proc.exited;
+        return {
+            name: "test",
+            command,
+            passed: exitCode === 0,
+            exitCode,
+            durationMs: Math.max(0, Date.now() - startedAt),
+            error: exitCode === 0
+                ? undefined
+                : `${command} failed with exit code ${exitCode}`,
+        };
+    }
+    catch (error) {
+        return {
+            name: "test",
+            command,
+            passed: false,
+            exitCode: 1,
+            durationMs: Math.max(0, Date.now() - startedAt),
+            error: String(error),
+        };
+    }
+}
+async function runCheck(name, command, action) {
+    const startedAt = Date.now();
+    try {
+        await action();
+        return {
+            name,
+            command,
+            passed: true,
+            exitCode: 0,
+            durationMs: Math.max(0, Date.now() - startedAt),
+        };
+    }
+    catch (error) {
+        return {
+            name,
+            command,
+            passed: false,
+            exitCode: 1,
+            durationMs: Math.max(0, Date.now() - startedAt),
+            error: String(error),
+        };
+    }
+}
+async function maybeWriteVerificationReport(filePath, result) {
+    if (!filePath)
+        return;
+    await writeFileAtomic(filePath, stableStringify(result, 2) + "\n");
+}