@rainy-updates/cli 0.5.7 → 0.6.1

package/CHANGELOG.md

@@ -2,6 +2,140 @@
 
 All notable changes to this project are documented in this file.
 
+## [0.6.1] - 2026-03-03
+
+Compatibility, git-aware workspace scoping, and release-readiness stabilization for the `v0.6` line.
+
+### Added
+
+- **First-class package-manager profile layer**:
+  - detection now prefers `package.json.packageManager` before falling back to lockfiles,
+  - additive package-manager metadata for lockfile source and Yarn flavor detection,
+  - centralized install, add, and test command construction for npm, pnpm, Bun, and Yarn.
+- **Git-aware workspace scoping**:
+  - `--affected`,
+  - `--staged`,
+  - `--base <ref>`,
+  - `--head <ref>`,
+  - `--since <ref>`.
+- **Workspace dependent expansion for affected scans**:
+  - changed packages can now expand to dependent workspace packages instead of stopping at direct file matches.
+- **New `hook` command**:
+  - `rup hook install`,
+  - `rup hook uninstall`,
+  - `rup hook doctor`.
+- **Rainy-managed git hooks**:
+  - `pre-commit` runs `rup unused --workspace --staged` and `rup resolve --workspace --staged`,
+  - `pre-push` runs `rup audit --workspace --affected --report summary`.
+- **New test coverage** for:
+  - package-manager field precedence and Yarn Berry behavior,
+  - git-scoped workspace discovery,
+  - hook install/doctor/uninstall lifecycle,
+  - scoped standalone parser support.
+
+### Changed
+
+- `init-ci` workflow generation now uses the centralized package-manager profile layer instead of special-casing npm/pnpm/Bun only.
+- Yarn support is now explicit in generated workflows:
+  - Corepack enablement for Yarn/pnpm repos,
+  - Yarn Berry uses immutable installs,
+  - Yarn package adds no longer fall back to npm command construction.
+- `verification`, `audit --fix`, and `bisect` now reuse the same package-manager command model as `upgrade`.
+- `ga` package-manager reporting now includes detection source details and respects the git-scoped workspace discovery flow.
+- `check`, `warm-cache`, `audit`, `unused`, `resolve`, `health`, `licenses`, `snapshot`, and `ga` now share the same git-aware workspace scoping path.
+- Command help and parser support were aligned so git-scoping flags are consistently accepted across the primary and standalone command surfaces.
+
+### Tests
+
+- Full release validation passed:
+  - `pnpm -s exec tsc --noEmit`
+  - `bun test`
+  - `pnpm run build`
+  - `bun run build:exe`
+  - `bun run test:prod`
+  - `bun ./dist/bin/cli.js ga --workspace`
+
+## [0.6.0] - 2026-03-01
+
+Dashboard-first release candidate for the `v0.6` series, focused on unifying the interactive surface, introducing replayable decision plans, tightening CI/apply verification flows, and undergoing a complete native Bun performance optimization.
+
+### Added
+
+- **Decision plan artifact flow**:
+  - new deterministic decision plan model for reviewed update sets,
+  - reusable `.artifacts/decision-plan.json` workflow,
+  - `upgrade --from-plan <path>` replay support,
+  - additive summary/output metadata for:
+    - `suggestedCommand`,
+    - `decisionPlan`,
+    - `interactiveSurface`,
+    - `queueFocus`.
+- **Verification flow for applied plans and upgrades**:
+  - `--verify none|install|test|install,test`,
+  - `--test-command "<cmd>"`,
+  - `--verification-report-file <path>`,
+  - additive verification metadata in summary and GitHub/metrics outputs:
+    - `verificationState`,
+    - `verificationFailures`.
+- **New CI gate model**:
+  - `ci --gate check|doctor|review|upgrade`,
+  - review gate emits a decision plan artifact without mutating manifests,
+  - upgrade gate replays a prior decision plan and can run verification.
+- **New verification core** under `src/core/verification.ts`.
+- **New decision plan core** under `src/core/decision-plan.ts`.
+- **New test coverage** for:
+  - decision plan serialization and replay,
+  - CI upgrade gate plan replay,
+  - verification report generation.
+
+- **Native Bun Optimizations**:
+  - Bun is now the primary Rainy runtime path for local execution, CI templates, and release verification flows.
+  - Added a shared Bun-first runtime layer for cwd/env/stdout/stderr/exit handling across the CLI command surface.
+  - Migrated verification and package-manager-aware test execution onto `Bun.spawn`, while keeping npm, pnpm, Bun, and yarn target-repo support intact.
+  - Migrated internal hot-path file operations onto `Bun.file()`, `Bun.write()`, `Bun.Glob`, and `Bun.CryptoHasher` across workspace discovery, lockfile hashing, snapshot persistence, audit target resolution, changelog cache reads, and CLI/package metadata loading.
+  - Added real atomic file writes for Rainy-managed artifacts, reports, caches, baselines, and snapshot restore paths.
+  - Added native `build:exe` target compilation for standalone Bun-first distributions using `bun build --compile`.
+
+### Changed
+
+- `dashboard` is now the primary interactive dependency decision surface.
+- `review --interactive` now routes into the shared dashboard flow instead of maintaining a separate interactive implementation path.
+- `doctor` now recommends dashboard-first next steps:
+  - `rup dashboard --mode review`
+  - `rup dashboard --mode review --focus security`
+  - `rup dashboard --mode review --focus blocked`
+- CLI help and README now document:
+  - `dashboard` as the primary interactive workflow,
+  - `upgrade --from-plan`,
+  - `ci --gate ...`,
+  - verification and verification-report flows,
+  - Bun as the preferred Rainy runtime via `bunx --bun` and compiled Bun artifacts.
+- `init-ci` generated workflows now:
+  - use Bun as the Rainy runtime by default,
+  - use explicit CI gates,
+  - emit a decision plan artifact in strict and enterprise modes,
+  - replay approved plans with verification in enterprise mode,
+  - align install and test commands with detected npm, pnpm, or Bun target repos.
+- Artifact manifests now include verification report output paths when configured.
+- Package-manager detection and verification defaults now treat Bun as a first-class package ecosystem instead of falling back to npm/pnpm-only assumptions.
+- GA readiness checks now validate both the JS dist CLI and the compiled Bun runtime artifact.
+
+### Removed
+
+- Removed the legacy standalone dashboard Ink/store implementation under `src/ui/dashboard/` in favor of a single shared interactive path.
+- Removed the remaining explicit `node:process` imports from the main CLI command surface in favor of the shared runtime layer.
+- Removed manual recursive workspace directory walking in favor of Bun-native glob expansion.
+
+### Tests
+
+- Added coverage for:
+  - `dashboard` parser support for mode/focus/plan/verification flags,
+  - additive GitHub output fields for decision-plan and verification metadata,
+  - updated CI bootstrap templates for review/upgrade gates,
+  - Bun-aware package-manager detection and verification defaults,
+  - GA runtime-artifact readiness checks,
+  - Bun-glob workspace discovery with hidden-directory and `node_modules` exclusions.
+
 ## [0.5.7] - 2026-03-01
 
 Final stabilization release for the `v0.5` series, focused on modularization, doctor scan quality, and maintainability.

package/README.md

@@ -29,6 +29,7 @@ Rainy Updates gives teams one dependency lifecycle:
 - `check` detects candidate updates.
 - `doctor` summarizes the current situation.
 - `review` decides what should happen.
+- `dashboard` is the primary interactive decision surface.
 - `upgrade` applies the approved change set.
 
 Everything else supports that lifecycle: CI orchestration, advisory lookup, peer resolution, licenses, snapshots, baselines, and fix-PR automation.
@@ -43,16 +44,16 @@ Everything else supports that lifecycle: CI orchestration, advisory lookup, peer
 
 ```bash
 # 1) Detect what changed
-npx @rainy-updates/cli check --workspace --show-impact
+bunx --bun @rainy-updates/cli check --workspace --show-impact
 
 # 2) Summarize what matters
-npx @rainy-updates/cli doctor --workspace
+bunx --bun @rainy-updates/cli doctor --workspace
 
-# 3) Decide in the review surface
-npx @rainy-updates/cli review --interactive
+# 3) Decide in the dashboard
+bunx --bun @rainy-updates/cli dashboard --mode review --plan-file .artifacts/decision-plan.json
 
-# 4) Apply the approved set
-npx @rainy-updates/cli upgrade --interactive
+# 4) Apply the approved plan
+bunx --bun @rainy-updates/cli upgrade --from-plan .artifacts/decision-plan.json
 ```
 
 ## Why teams use it
@@ -67,10 +68,15 @@ npx @rainy-updates/cli upgrade --interactive
 ## Install
 
 ```bash
+# Preferred: run with Bun's runtime directly
+bunx --bun @rainy-updates/cli check
+
 # As a project dev dependency (recommended for teams)
 npm install --save-dev @rainy-updates/cli
 # or
 pnpm add -D @rainy-updates/cli
+# or
+bun add -d @rainy-updates/cli
 ```
 
 Once installed, three binary aliases are available in your `node_modules/.bin/`:
@@ -88,16 +94,25 @@ rainy-up check
 rainy-updates check
 ```
 
-### One-off usage with npx (no install required)
+### Bun-first runtime
 
 ```bash
-# Always works without installing:
+# Preferred no-install path:
+bunx --bun @rainy-updates/cli check
+bunx --bun @rainy-updates/cli audit --severity high
+bunx --bun @rainy-updates/cli ci --workspace --mode strict
+```
+
+### One-off usage with npx (compatibility path)
+
+```bash
+# Compatibility path when Bun is not available:
 npx @rainy-updates/cli check
 npx @rainy-updates/cli audit --severity high
 npx @rainy-updates/cli ci --workspace --mode strict
 ```
 
-> **Note:** The short aliases (`rup`, `rainy-up`) only work after installing the package. For one-off `npx` runs, use `npx @rainy-updates/cli <command>`.
+> **Note:** Rainy is Bun-first at runtime. `bunx --bun @rainy-updates/cli ...` is the fastest no-install path. The npm package and `npx` remain supported compatibility paths.
 
 ## Commands
 
@@ -106,6 +121,7 @@ npx @rainy-updates/cli ci --workspace --mode strict
 - `check` — detect candidate dependency updates
 - `doctor` — summarize the current dependency situation
 - `review` — decide what to do with security, risk, peer, and policy context
+- `dashboard` — open the primary interactive decision console
 - `upgrade` — apply the approved change set
 - `ga` — audit GA and CI readiness for the current checkout
 
@@ -123,71 +139,108 @@ npx @rainy-updates/cli ci --workspace --mode strict
 
 ## Quick usage
 
-> Commands work with `npx` (no install) **or** with the `rup` / `rainy-up` shortcut if the package is installed.
+> Commands work with `bunx --bun`, with `npx` as a compatibility path, or with the `rup` / `rainy-up` shortcut if the package is installed.
 
 ```bash
 # 1) Detect updates
+bunx --bun @rainy-updates/cli check --format table
 npx @rainy-updates/cli check --format table
 rup check --format table                      # if installed
 
 # 2) Summarize the state
-npx @rainy-updates/cli doctor --workspace
+bunx --bun @rainy-updates/cli doctor --workspace
 rup doctor --workspace
 
 # 3) Review and decide
-npx @rainy-updates/cli review --security-only
-rup review --interactive
+bunx --bun @rainy-updates/cli review --security-only
+rup dashboard --mode review --plan-file .artifacts/decision-plan.json
 rup review --show-changelog
 
-# 4) Apply upgrades with workspace sync
-npx @rainy-updates/cli upgrade --target latest --workspace --sync --install
-rup upgrade --target latest --workspace --sync --install
+# 4) Apply an approved decision plan with verification
+bunx --bun @rainy-updates/cli upgrade --from-plan .artifacts/decision-plan.json --verify install,test --test-command "bun test"
+rup upgrade --from-plan .artifacts/decision-plan.json --verify install,test --test-command "npm test"
 
 # 5) CI orchestration with policy gates
-npx @rainy-updates/cli ci --workspace --mode strict --format github
-rup ci --workspace --mode strict --format github
+bunx --bun @rainy-updates/cli ci --workspace --mode strict --gate review --plan-file .artifacts/decision-plan.json --format github
+rup ci --workspace --mode strict --gate review --plan-file .artifacts/decision-plan.json --format github
+
+# 6) Replay an approved plan in CI
+rup ci --workspace --mode strict --gate upgrade --from-plan .artifacts/decision-plan.json --verify test --test-command "npm test"
 
-# 6) Batch fix branches by scope (enterprise)
+# 7) Batch fix branches by scope (enterprise)
 npx @rainy-updates/cli ci --workspace --mode enterprise --group-by scope --fix-pr --fix-pr-batch-size 2
 rup ci --workspace --mode enterprise --group-by scope --fix-pr --fix-pr-batch-size 2
 
-# 7) Warm cache → deterministic offline CI check
+# 8) Warm cache -> deterministic offline CI check
 npx @rainy-updates/cli warm-cache --workspace --concurrency 32
 npx @rainy-updates/cli check --workspace --offline --ci
 
-# 8) Save and compare baseline drift
+# 9) Save and compare baseline drift
 npx @rainy-updates/cli baseline --save --file .artifacts/deps-baseline.json --workspace
 npx @rainy-updates/cli baseline --check --file .artifacts/deps-baseline.json --workspace --ci
 
-# 9) Scan for known CVEs
+# 10) Scan for known CVEs
 npx @rainy-updates/cli audit
 npx @rainy-updates/cli audit --severity high
 npx @rainy-updates/cli audit --summary
 npx @rainy-updates/cli audit --source osv
-npx @rainy-updates/cli audit --fix          # prints the patching npm install command
+npx @rainy-updates/cli audit --fix          # prints the patching install command for the detected package manager
 rup audit --severity high                   # if installed
 
-`audit` prefers npm/pnpm lockfiles today for exact installed-version inference, and now also reads simple `bun.lock` workspace entries when available. It reports source-health warnings when OSV or GitHub returns only partial coverage.
+`audit` resolves installed versions from lockfiles across npm, pnpm, and simple `bun.lock` workspace entries when available. It reports source-health warnings when OSV or GitHub returns only partial coverage.
 
-# 10) Check dependency maintenance health
+# 11) Check dependency maintenance health
 npx @rainy-updates/cli health
 npx @rainy-updates/cli health --stale 6m   # flag packages with no release in 6 months
 npx @rainy-updates/cli health --stale 180d # same but in days
 rup health --stale 6m                       # if installed
 
-# 11) Find which version introduced a breaking change
+# 12) Find which version introduced a breaking change
 npx @rainy-updates/cli bisect axios --cmd "bun test"
 npx @rainy-updates/cli bisect react --range "18.0.0..19.0.0" --cmd "npm test"
 npx @rainy-updates/cli bisect lodash --cmd "npm run test:unit" --dry-run
 rup bisect axios --cmd "bun test"           # if installed
 
-# 12) Focus review on high-risk changes
+# 13) Focus review on high-risk changes
 rup review --risk high --diff major
 
-# 13) Audit GA / CI readiness
+# 14) Audit GA / CI readiness
 rup ga --workspace
 ```
 
+## Decision Plans And Verification
+
+Rainy can persist an approved update set as a deterministic decision plan and replay it later:
+
+```bash
+# Create a reviewed plan
+rup dashboard --mode review --plan-file .artifacts/decision-plan.json
+
+# Apply only that approved plan later
+rup upgrade --from-plan .artifacts/decision-plan.json
+
+# Apply and verify install + tests
+rup upgrade \
+  --from-plan .artifacts/decision-plan.json \
+  --verify install,test \
+  --test-command "bun test" \
+  --verification-report-file .artifacts/verification.json
+```
+
+This is the intended local review -> CI replay workflow.
+
+Verification follows the target repository's package manager when one is detected.
+That means Bun repositories can verify with `bun install` / `bun test`, while npm and pnpm projects keep their native install/test flows.
+
+## CI Gates
+
+`ci` supports explicit execution gates:
+
+- `--gate check` runs detection only.
+- `--gate doctor` computes the high-level verdict and doctor metadata.
+- `--gate review` emits a decision plan artifact without mutating the repo.
+- `--gate upgrade` replays an existing plan and can run verification.
+
 ## What it does in production
 
 ### Update detection engine
@@ -275,8 +328,8 @@ Generated file:
 
 Modes:
 
-- `strict`: warm-cache + offline check + artifacts + SARIF upload.
-- `enterprise`: strict checks + runtime matrix + retention policy + rollout gates.
+- `strict`: warm-cache + review gate + artifacts + SARIF upload.
+- `enterprise`: strict checks + runtime matrix + review/upgrade gates + retention policy.
 - `minimal`: fast check-only workflow for quick adoption.
 
 Schedule:
@@ -307,9 +360,15 @@ Schedule:
 - `--pr-limit <n>`
 - `--only-changed`
 - `--interactive`
+- `--plan-file <path>`
+- `--from-plan <path>`
+- `--verify none|install|test|install,test`
+- `--test-command <cmd>`
+- `--verification-report-file <path>`
 - `--show-impact`
 - `--show-homepage`
 - `--mode minimal|strict|enterprise` (for `ci`)
+- `--gate check|doctor|review|upgrade` (for `ci`)
 - `--fix-pr-batch-size <n>` (for batched fix branches in `ci`)
 - `--policy-file <path>`
 - `--format table|json|minimal|github`
@@ -328,7 +387,7 @@ Schedule:
 ### Upgrade-only
 
 - `--install`
-- `--pm auto|npm|pnpm`
+- `--pm auto|bun|npm|pnpm|yarn`
 - `--sync`
 
 ### Review-only

package/dist/bin/cli.js

@@ -1,134 +1,19 @@
 #!/usr/bin/env node
-import { promises as fs } from "node:fs";
-import path from "node:path";
-import process from "node:process";
+import { spawnSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
-import { parseCliArgs } from "../core/options.js";
-import { applyFixPr } from "../core/fix-pr.js";
-import { applyFixPrBatches } from "../core/fix-pr-batch.js";
-import { createRunId, writeArtifactManifest } from "../core/artifacts.js";
-import { renderResult } from "../output/format.js";
-import { writeGitHubOutput } from "../output/github.js";
-import { createSarifReport } from "../output/sarif.js";
-import { renderPrReport } from "../output/pr-report.js";
-import { writeFileAtomic } from "../utils/io.js";
-import { resolveFailReason } from "../core/summary.js";
-import { stableStringify } from "../utils/stable-json.js";
-import { handleDirectCommand, runPrimaryCommand } from "./dispatch.js";
-import { renderHelp } from "./help.js";
+import { runCli } from "./main.js";
 async function main() {
-    try {
-        const argv = process.argv.slice(2);
-        if (argv.includes("--version") || argv.includes("-v")) {
-            process.stdout.write((await readPackageVersion()) + "\n");
-            return;
-        }
-        if (argv.includes("--help") || argv.includes("-h")) {
-            process.stdout.write(renderHelp(argv[0]) + "\n");
-            return;
-        }
-        const parsed = await parseCliArgs(argv);
-        if (await handleDirectCommand(parsed))
-            return;
-        if (parsed.command !== "check" &&
-            parsed.command !== "upgrade" &&
-            parsed.command !== "warm-cache" &&
-            parsed.command !== "ci") {
-            throw new Error(`Unhandled command: ${parsed.command}`);
-        }
-        const result = await runPrimaryCommand(parsed);
-        result.summary.runId = createRunId(parsed.command, parsed.options, result);
-        if (parsed.options.fixPr &&
-            (parsed.command === "check" ||
-                parsed.command === "upgrade" ||
-                parsed.command === "ci")) {
-            result.summary.fixPrApplied = false;
-            result.summary.fixBranchName =
-                parsed.options.fixBranch ?? "chore/rainy-updates";
-            result.summary.fixCommitSha = "";
-            result.summary.fixPrBranchesCreated = 0;
-            if (parsed.command === "ci") {
-                const batched = await applyFixPrBatches(parsed.options, result);
-                result.summary.fixPrApplied = batched.applied;
-                result.summary.fixBranchName =
-                    batched.branches[0] ??
-                        parsed.options.fixBranch ??
-                        "chore/rainy-updates";
-                result.summary.fixCommitSha = batched.commits[0] ?? "";
-                result.summary.fixPrBranchesCreated = batched.branches.length;
-                if (batched.branches.length > 1) {
-                    result.warnings.push(`Created ${batched.branches.length} fix-pr batch branches.`);
-                }
-            }
-            else {
-                const fixResult = await applyFixPr(parsed.options, result, []);
-                result.summary.fixPrApplied = fixResult.applied;
-                result.summary.fixBranchName = fixResult.branchName ?? "";
-                result.summary.fixCommitSha = fixResult.commitSha ?? "";
-                result.summary.fixPrBranchesCreated = fixResult.applied ? 1 : 0;
-            }
-        }
-        if (parsed.options.prReportFile) {
-            const markdown = renderPrReport(result);
-            await writeFileAtomic(parsed.options.prReportFile, markdown + "\n");
-        }
-        const artifactManifest = await writeArtifactManifest(parsed.command, parsed.options, result);
-        if (artifactManifest) {
-            result.summary.artifactManifest = artifactManifest.artifactManifestPath;
-        }
-        result.summary.failReason = resolveFailReason(result.updates, result.errors, parsed.options.failOn, parsed.options.maxUpdates, parsed.options.ci);
-        const renderStartedAt = Date.now();
-        let rendered = renderResult(result, parsed.options.format, {
-            showImpact: parsed.options.showImpact,
-            showHomepage: parsed.options.showHomepage,
+    if (typeof Bun === "undefined") {
+        const currentFile = fileURLToPath(import.meta.url);
+        const result = spawnSync("bun", [currentFile, ...process.argv.slice(2)], {
+            stdio: "inherit",
         });
-        result.summary.durationMs.render = Math.max(0, Date.now() - renderStartedAt);
-        if (parsed.options.format === "json" ||
-            parsed.options.format === "metrics") {
-            rendered = renderResult(result, parsed.options.format, {
-                showImpact: parsed.options.showImpact,
-                showHomepage: parsed.options.showHomepage,
-            });
-        }
-        if (parsed.options.onlyChanged &&
-            result.updates.length === 0 &&
-            result.errors.length === 0 &&
-            result.warnings.length === 0 &&
-            (parsed.options.format === "table" ||
-                parsed.options.format === "minimal" ||
-                parsed.options.format === "github")) {
-            rendered = "";
+        if (result.error) {
+            process.stderr.write("rainy-updates (rup): Bun is required to run the published JavaScript entrypoint. Install Bun or use the compiled binary release.\n");
+            process.exit(1);
         }
-        if (parsed.options.jsonFile) {
-            await writeFileAtomic(parsed.options.jsonFile, stableStringify(result, 2) + "\n");
-        }
-        if (parsed.options.githubOutputFile) {
-            await writeGitHubOutput(parsed.options.githubOutputFile, result);
-        }
-        if (parsed.options.sarifFile) {
-            const sarif = createSarifReport(result);
-            await writeFileAtomic(parsed.options.sarifFile, stableStringify(sarif, 2) + "\n");
-        }
-        process.stdout.write(rendered + "\n");
-        process.exitCode = resolveExitCode(result, result.summary.failReason);
-    }
-    catch (error) {
-        process.stderr.write(`rainy-updates (rup): ${String(error)}\n`);
-        process.exitCode = 2;
+        process.exit(result.status ?? 1);
     }
+    await runCli();
 }
 void main();
-async function readPackageVersion() {
-    const currentFile = fileURLToPath(import.meta.url);
-    const packageJsonPath = path.resolve(path.dirname(currentFile), "../../package.json");
-    const content = await fs.readFile(packageJsonPath, "utf8");
-    const parsed = JSON.parse(content);
-    return parsed.version ?? "0.0.0";
-}
-function resolveExitCode(result, failReason) {
-    if (result.errors.length > 0)
-        return 2;
-    if (failReason !== "none")
-        return 1;
-    return 0;
-}