@rainy-updates/cli 0.5.7 → 0.6.1

package/dist/core/ci.js

@@ -1,5 +1,8 @@
 import { check } from "./check.js";
 import { warmCache } from "./warm-cache.js";
+import { buildReviewResult, createDoctorResult } from "./review-model.js";
+import { createDecisionPlan, defaultDecisionPlanPath, writeDecisionPlan, } from "./decision-plan.js";
+import { upgrade } from "./upgrade.js";
 export async function runCi(options) {
     const profile = options.ciProfile;
     if (profile !== "minimal") {
@@ -16,5 +19,53 @@ export async function runCi(options) {
         offline: profile === "minimal" ? options.offline : true,
         concurrency: profile === "enterprise" ? Math.max(options.concurrency, 32) : options.concurrency,
     };
-    return await check(checkOptions);
+    if (options.ciGate === "check") {
+        return await check(checkOptions);
+    }
+    if (options.ciGate === "doctor") {
+        const review = await buildReviewResult(checkOptions);
+        createDoctorResult(review);
+        return reviewToCheckResult(review);
+    }
+    if (options.ciGate === "review") {
+        const review = await buildReviewResult(checkOptions);
+        const selectedItems = review.items.filter((item) => item.update.selectedByDefault !== false &&
+            item.update.decisionState !== "blocked");
+        const decisionPlanFile = options.decisionPlanFile ?? defaultDecisionPlanPath(options.cwd);
+        const plan = createDecisionPlan({
+            review,
+            selectedItems,
+            sourceCommand: "ci",
+            mode: "review",
+            focus: "all",
+        });
+        await writeDecisionPlan(decisionPlanFile, plan);
+        review.decisionPlan = plan;
+        review.summary.decisionPlan = decisionPlanFile;
+        review.summary.interactiveSurface = "dashboard";
+        review.summary.queueFocus = "all";
+        review.summary.suggestedCommand = `rup upgrade --from-plan ${decisionPlanFile}`;
+        return reviewToCheckResult(review);
+    }
+    const decisionPlanFile = options.decisionPlanFile ?? defaultDecisionPlanPath(options.cwd);
+    return upgrade({
+        ...checkOptions,
+        install: false,
+        packageManager: "auto",
+        sync: checkOptions.workspace,
+        fromPlanFile: decisionPlanFile,
+    });
+}
+function reviewToCheckResult(review) {
+    return {
+        projectPath: review.projectPath,
+        packagePaths: review.analysis.check.packagePaths,
+        packageManager: review.analysis.check.packageManager,
+        target: review.target,
+        timestamp: review.analysis.check.timestamp,
+        summary: review.summary,
+        updates: review.updates,
+        errors: review.errors,
+        warnings: review.warnings,
+    };
 }

package/dist/core/decision-plan.d.ts

@@ -0,0 +1,14 @@
+import type { DashboardMode, DecisionPlan, PackageUpdate, QueueFocus, ReviewItem, ReviewResult, UpgradeOptions } from "../types/index.js";
+export declare function defaultDecisionPlanPath(cwd: string): string;
+export declare function filterReviewItemsByFocus(items: ReviewItem[], focus: QueueFocus): ReviewItem[];
+export declare function createDecisionPlan(input: {
+    review: ReviewResult;
+    selectedItems: ReviewItem[];
+    sourceCommand: string;
+    mode: DashboardMode;
+    focus: QueueFocus;
+}): DecisionPlan;
+export declare function writeDecisionPlan(filePath: string, plan: DecisionPlan): Promise<void>;
+export declare function readDecisionPlan(filePath: string): Promise<DecisionPlan>;
+export declare function selectedUpdatesFromPlan(plan: DecisionPlan): PackageUpdate[];
+export declare function resolveDecisionPlanPath(options: Pick<UpgradeOptions, "cwd" | "decisionPlanFile">, explicit?: string): string;

package/dist/core/decision-plan.js

@@ -0,0 +1,107 @@
+import path from "node:path";
+import { stableStringify } from "../utils/stable-json.js";
+import { writeFileAtomic } from "../utils/io.js";
+export function defaultDecisionPlanPath(cwd) {
+    return path.resolve(cwd, ".artifacts/decision-plan.json");
+}
+export function filterReviewItemsByFocus(items, focus) {
+    if (focus === "security") {
+        return items.filter((item) => item.advisories.length > 0);
+    }
+    if (focus === "risk") {
+        return items.filter((item) => item.update.riskLevel === "critical" ||
+            item.update.riskLevel === "high");
+    }
+    if (focus === "major") {
+        return items.filter((item) => item.update.diffType === "major");
+    }
+    if (focus === "blocked") {
+        return items.filter((item) => item.update.decisionState === "blocked");
+    }
+    if (focus === "workspace") {
+        return items.filter((item) => Boolean(item.update.workspaceGroup));
+    }
+    return items;
+}
+export function createDecisionPlan(input) {
+    const selectedKeys = new Set(input.selectedItems.map((item) => packageUpdateKey(item.update)));
+    const items = input.review.items.map((item) => ({
+        ...toDecisionPlanItem(item.update),
+        selected: selectedKeys.has(packageUpdateKey(item.update)),
+    }));
+    return {
+        contractVersion: "1",
+        createdAt: new Date().toISOString(),
+        sourceCommand: input.sourceCommand,
+        mode: input.mode,
+        focus: input.focus,
+        projectPath: input.review.projectPath,
+        target: input.review.target,
+        interactiveSurface: "dashboard",
+        summary: {
+            totalItems: items.length,
+            selectedItems: items.filter((item) => item.selected).length,
+        },
+        items,
+    };
+}
+export async function writeDecisionPlan(filePath, plan) {
+    await writeFileAtomic(filePath, stableStringify(plan, 2) + "\n");
+}
+export async function readDecisionPlan(filePath) {
+    const parsed = (await Bun.file(filePath).json());
+    if (parsed.contractVersion !== "1" ||
+        !Array.isArray(parsed.items) ||
+        typeof parsed.projectPath !== "string") {
+        throw new Error(`Invalid decision plan: ${filePath}`);
+    }
+    return parsed;
+}
+export function selectedUpdatesFromPlan(plan) {
+    return plan.items.filter((item) => item.selected).map(toPackageUpdate);
+}
+export function resolveDecisionPlanPath(options, explicit) {
+    return (explicit ?? options.decisionPlanFile ?? defaultDecisionPlanPath(options.cwd));
+}
+function toDecisionPlanItem(update) {
+    return {
+        packagePath: update.packagePath,
+        name: update.name,
+        kind: update.kind,
+        fromRange: update.fromRange,
+        toRange: update.toRange,
+        toVersionResolved: update.toVersionResolved,
+        diffType: update.diffType,
+        riskLevel: update.riskLevel,
+        riskScore: update.riskScore,
+        policyAction: update.policyAction,
+        decisionState: update.decisionState,
+        selected: true,
+    };
+}
+function toPackageUpdate(item) {
+    return {
+        packagePath: item.packagePath,
+        name: item.name,
+        kind: item.kind,
+        fromRange: item.fromRange,
+        toRange: item.toRange,
+        toVersionResolved: item.toVersionResolved,
+        diffType: item.diffType,
+        filtered: false,
+        autofix: true,
+        riskLevel: item.riskLevel,
+        riskScore: item.riskScore,
+        policyAction: item.policyAction,
+        decisionState: item.decisionState,
+    };
+}
+function packageUpdateKey(update) {
+    return [
+        update.packagePath,
+        update.kind,
+        update.name,
+        update.fromRange,
+        update.toRange,
+    ].join("::");
+}

package/dist/core/doctor/result.js

@@ -17,6 +17,7 @@ export function createDoctorResult(review) {
     review.summary.primaryFindingCode = findings[0]?.code;
     review.summary.primaryFindingCategory = findings[0]?.category;
     review.summary.nextActionReason = nextActionReason;
+    review.summary.suggestedCommand = recommendedCommand;
     return {
         verdict,
         score,
@@ -31,11 +32,13 @@ export function createDoctorResult(review) {
 }
 function recommendDoctorCommand(review, verdict) {
     if (verdict === "blocked")
-        return "rup review --interactive";
-    if ((review.summary.securityPackages ?? 0) > 0)
-        return "rup review --security-only";
-    if (review.errors.length > 0 || review.items.length > 0)
-        return "rup review --interactive";
+        return "rup dashboard --mode review --focus blocked";
+    if ((review.summary.securityPackages ?? 0) > 0) {
+        return "rup dashboard --mode review --focus security";
+    }
+    if (review.errors.length > 0 || review.items.length > 0) {
+        return "rup dashboard --mode review";
+    }
     return "rup check";
 }
 function describeNextActionReason(review, verdict) {

package/dist/core/fix-pr-batch.js

@@ -1,8 +1,7 @@
-import { spawn } from "node:child_process";
-import { promises as fs } from "node:fs";
-import os from "node:os";
+import { $ } from "bun";
 import path from "node:path";
 import { readManifest, writeManifest } from "../parsers/package-json.js";
+import { createTempDir } from "../utils/runtime-paths.js";
 export async function applyFixPrBatches(options, result) {
     const autofixUpdates = result.updates.filter((update) => update.autofix !== false);
     if (!options.fixPr || autofixUpdates.length === 0) {
@@ -12,14 +11,25 @@ export async function applyFixPrBatches(options, result) {
     const groups = groupUpdates(autofixUpdates, options.groupBy);
     const plans = planFixPrBatches(groups, options.fixBranch ?? "chore/rainy-updates", options.fixPrBatchSize ?? 1);
     if (options.fixDryRun) {
-        return { applied: false, branches: plans.map((plan) => plan.branchName), commits: [] };
+        return {
+            applied: false,
+            branches: plans.map((plan) => plan.branchName),
+            commits: [],
+        };
     }
     const branches = [];
     const commits = [];
     for (const plan of plans) {
-        const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), "rainy-fix-pr-batch-"));
+        const tempDir = await createTempDir("rainy-fix-pr-batch-");
         try {
-            await runGit(options.cwd, ["worktree", "add", "-B", plan.branchName, tempDir, baseRef]);
+            await runGit(options.cwd, [
+                "worktree",
+                "add",
+                "-B",
+                plan.branchName,
+                tempDir,
+                baseRef,
+            ]);
             await applyUpdatesInWorktree(options.cwd, tempDir, plan.updates);
             await stageUpdatedManifests(options.cwd, tempDir, plan.updates);
             const message = renderCommitMessage(options, plan, plans.length);
@@ -47,7 +57,9 @@ export function planFixPrBatches(groups, baseBranch, batchSize) {
         chunks.push(groups.slice(index, index + size));
     }
     return chunks.map((chunk, index) => {
-        const suffix = chunk.length === 1 ? sanitizeBranchToken(chunk[0]?.key ?? `batch-${index + 1}`) : `batch-${index + 1}`;
+        const suffix = chunk.length === 1
+            ? sanitizeBranchToken(chunk[0]?.key ?? `batch-${index + 1}`)
+            : `batch-${index + 1}`;
         return {
             index: index + 1,
             groups: chunk,
@@ -147,27 +159,25 @@ function renderCommitMessage(options, plan, totalBatches) {
     return `${baseMessage} (${plan.index}/${totalBatches}, ${plan.updates.length} updates)`;
 }
 function sanitizeBranchToken(value) {
-    return value.replace(/^@/, "").replace(/[^a-zA-Z0-9._-]+/g, "-").replace(/^-+|-+$/g, "") || "batch";
+    return (value
+        .replace(/^@/, "")
+        .replace(/[^a-zA-Z0-9._-]+/g, "-")
+        .replace(/^-+|-+$/g, "") || "batch");
 }
 async function runGit(cwd, args, allowNonZero = false) {
-    return await new Promise((resolve, reject) => {
-        const child = spawn("git", args, { cwd, stdio: ["ignore", "pipe", "pipe"] });
-        let stdout = "";
-        let stderr = "";
-        child.stdout.on("data", (chunk) => {
-            stdout += typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8");
-        });
-        child.stderr.on("data", (chunk) => {
-            stderr += typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8");
-        });
-        child.on("error", reject);
-        child.on("exit", (code) => {
-            const normalized = code ?? 1;
-            if (normalized !== 0 && !allowNonZero) {
-                reject(new Error(`git ${args.join(" ")} failed (${normalized}): ${stderr.trim()}`));
-                return;
-            }
-            resolve({ code: normalized, stdout, stderr });
-        });
-    });
+    try {
+        const res = await $ `git ${args}`.cwd(cwd).quiet().nothrow();
+        const code = res.exitCode;
+        const stdout = res.stdout.toString();
+        const stderr = res.stderr.toString();
+        if (code !== 0 && !allowNonZero) {
+            throw new Error(`git ${args.join(" ")} failed (${code}): ${stderr.trim()}`);
+        }
+        return { code, stdout, stderr };
+    }
+    catch (err) {
+        if (allowNonZero)
+            return { code: 1, stdout: "", stderr: "" };
+        throw err instanceof Error ? err : new Error(String(err));
+    }
 }

package/dist/core/fix-pr.js

@@ -1,4 +1,4 @@
-import { spawn } from "node:child_process";
+import { $ } from "bun";
 import path from "node:path";
 export async function applyFixPr(options, result, extraFiles) {
     if (!options.fixPr)
@@ -42,7 +42,8 @@ export async function applyFixPr(options, result, extraFiles) {
         : [];
     const filesToStage = Array.from(new Set([...manifestFiles, ...extraFiles, ...lockfileFiles]
         .map((entry) => path.resolve(options.cwd, entry))
-        .filter((entry) => entry.startsWith(path.resolve(options.cwd) + path.sep) || entry === path.resolve(options.cwd)))).sort((a, b) => a.localeCompare(b));
+        .filter((entry) => entry.startsWith(path.resolve(options.cwd) + path.sep) ||
+        entry === path.resolve(options.cwd)))).sort((a, b) => a.localeCompare(b));
     if (filesToStage.length > 0) {
         await runGit(options.cwd, ["add", "--", ...filesToStage]);
     }
@@ -54,7 +55,8 @@ export async function applyFixPr(options, result, extraFiles) {
             commitSha: "",
         };
     }
-    const message = options.fixCommitMessage ?? `chore(deps): apply rainy-updates (${autofixUpdates.length} updates)`;
+    const message = options.fixCommitMessage ??
+        `chore(deps): apply rainy-updates (${autofixUpdates.length} updates)`;
     await runGit(options.cwd, ["commit", "-m", message]);
     const rev = await runGit(options.cwd, ["rev-parse", "HEAD"]);
     return {
@@ -64,30 +66,31 @@ export async function applyFixPr(options, result, extraFiles) {
     };
 }
 async function runGit(cwd, args, allowNonZero = false) {
-    return await new Promise((resolve, reject) => {
-        const child = spawn("git", args, { cwd, stdio: ["ignore", "pipe", "pipe"] });
-        let stdout = "";
-        let stderr = "";
-        child.stdout.on("data", (chunk) => {
-            stdout += typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8");
-        });
-        child.stderr.on("data", (chunk) => {
-            stderr += typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8");
-        });
-        child.on("error", reject);
-        child.on("exit", (code) => {
-            const normalized = code ?? 1;
-            if (normalized !== 0 && !allowNonZero) {
-                reject(new Error(`git ${args.join(" ")} failed (${normalized}): ${stderr.trim()}`));
-                return;
-            }
-            resolve({ code: normalized, stdout, stderr });
-        });
-    });
+    try {
+        const res = await $ `git ${args}`.cwd(cwd).quiet().nothrow();
+        const code = res.exitCode;
+        const stdout = res.stdout.toString();
+        const stderr = res.stderr.toString();
+        if (code !== 0 && !allowNonZero) {
+            throw new Error(`git ${args.join(" ")} failed (${code}): ${stderr.trim()}`);
+        }
+        return { code, stdout, stderr };
+    }
+    catch (err) {
+        if (allowNonZero)
+            return { code: 1, stdout: "", stderr: "" };
+        throw err instanceof Error ? err : new Error(String(err));
+    }
 }
 async function collectChangedLockfiles(cwd) {
     const status = await runGit(cwd, ["status", "--porcelain"], true);
-    const allowed = new Set(["package-lock.json", "npm-shrinkwrap.json", "pnpm-lock.yaml", "yarn.lock", "bun.lock"]);
+    const allowed = new Set([
+        "package-lock.json",
+        "npm-shrinkwrap.json",
+        "pnpm-lock.yaml",
+        "yarn.lock",
+        "bun.lock",
+    ]);
     const changed = status.stdout
         .split(/\r?\n/)
         .map((line) => line.trim())

package/dist/core/init-ci.js

@@ -1,17 +1,20 @@
-import { access, writeFile, mkdir } from "node:fs/promises";
+import { mkdir } from "node:fs/promises";
 import path from "node:path";
+import { buildInstallInvocation, buildTestCommand, createPackageManagerProfile, detectPackageManagerDetails, } from "../pm/detect.js";
 export async function initCiWorkflow(cwd, force, options) {
     const workflowPath = path.join(cwd, ".github", "workflows", "rainy-updates.yml");
     try {
         if (!force) {
-            await access(workflowPath);
-            return { path: workflowPath, created: false };
+            if (await Bun.file(workflowPath).exists()) {
+                return { path: workflowPath, created: false };
+            }
         }
     }
     catch {
         // missing file, continue create
     }
-    const packageManager = await detectPackageManager(cwd);
+    const detected = await detectPackageManagerDetails(cwd);
+    const packageManager = createPackageManagerProfile("auto", detected);
     const scheduleBlock = renderScheduleBlock(options.schedule);
     const workflow = options.mode === "minimal"
         ? minimalWorkflowTemplate(scheduleBlock, packageManager)
@@ -19,19 +22,9 @@ export async function initCiWorkflow(cwd, force, options) {
             ? strictWorkflowTemplate(scheduleBlock, packageManager)
             : enterpriseWorkflowTemplate(scheduleBlock, packageManager);
     await mkdir(path.dirname(workflowPath), { recursive: true });
-    await writeFile(workflowPath, workflow, "utf8");
+    await Bun.write(workflowPath, workflow);
     return { path: workflowPath, created: true };
 }
-async function detectPackageManager(cwd) {
-    const pnpmLock = path.join(cwd, "pnpm-lock.yaml");
-    try {
-        await access(pnpmLock);
-        return "pnpm";
-    }
-    catch {
-        return "npm";
-    }
-}
 function renderScheduleBlock(schedule) {
     if (schedule === "off") {
         return "  workflow_dispatch:";
@@ -39,21 +32,34 @@ function renderScheduleBlock(schedule) {
     const cron = schedule === "daily" ? "0 8 * * *" : "0 8 * * 1";
     return `  schedule:\n    - cron: '${cron}'\n  workflow_dispatch:`;
 }
-function installStep(packageManager) {
-    if (packageManager === "pnpm") {
-        return `      - name: Setup pnpm\n        uses: pnpm/action-setup@v4\n        with:\n          version: 9\n\n      - name: Install dependencies\n        run: pnpm install --frozen-lockfile`;
+function installStep(profile) {
+    const install = buildInstallInvocation(profile, { frozen: true, ci: true });
+    return `      - name: Install dependencies\n        run: ${install.display}`;
+}
+function runtimeSetupSteps(profile) {
+    const lines = [
+        `      - name: Checkout\n        uses: actions/checkout@v4`,
+    ];
+    if (profile.manager !== "bun") {
+        lines.push(`      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: 22`);
+    }
+    lines.push(`      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1`);
+    if (profile.manager === "pnpm" || profile.manager === "yarn") {
+        lines.push(`      - name: Enable Corepack\n        run: corepack enable`);
+    }
+    if (profile.manager === "pnpm") {
+        lines.push(`      - name: Prepare pnpm\n        run: corepack prepare pnpm@9 --activate`);
     }
-    return `      - name: Install dependencies\n        run: npm ci`;
+    return lines.join("\n\n");
 }
-function minimalWorkflowTemplate(scheduleBlock, packageManager) {
-    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: '20'\n\n${installStep(packageManager)}\n\n      - name: Run dependency check\n        run: |\n          npx @rainy-updates/cli ci \\\n            --workspace \\\n            --mode minimal \\\n            --ci \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format table\n`;
+function minimalWorkflowTemplate(scheduleBlock, profile) {
+    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n${runtimeSetupSteps(profile)}\n\n${installStep(profile)}\n\n      - name: Run dependency check\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode minimal \\\n            --gate check \\\n            --ci \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format table\n`;
 }
-function strictWorkflowTemplate(scheduleBlock, packageManager) {
-    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: '20'\n\n${installStep(packageManager)}\n\n      - name: Warm cache\n        run: npx @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Run strict dependency check\n        run: |\n          npx @rainy-updates/cli ci \\\n            --workspace \\\n            --mode strict \\\n            --ci \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format github \\\n            --json-file .artifacts/deps-report.json \\\n            --pr-report-file .artifacts/deps-report.md \\\n            --sarif-file .artifacts/deps-report.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report\n          path: .artifacts/\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report.sarif\n`;
+function strictWorkflowTemplate(scheduleBlock, profile) {
+    return `name: Rainy Updates\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    steps:\n${runtimeSetupSteps(profile)}\n\n${installStep(profile)}\n\n      - name: Warm cache\n        run: bunx --bun @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Generate reviewed decision plan\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode strict \\\n            --gate review \\\n            --plan-file .artifacts/decision-plan.json \\\n            --ci \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --format github \\\n            --json-file .artifacts/deps-report.json \\\n            --pr-report-file .artifacts/deps-report.md \\\n            --sarif-file .artifacts/deps-report.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report\n          path: .artifacts/\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report.sarif\n`;
 }
-function enterpriseWorkflowTemplate(scheduleBlock, packageManager) {
-    const detectedPmInstall = packageManager === "pnpm"
-        ? "corepack enable && corepack prepare pnpm@9 --activate && pnpm install --frozen-lockfile"
-        : "npm ci";
-    return `name: Rainy Updates Enterprise\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n  actions: read\n\nconcurrency:\n  group: rainy-updates-\${{ github.ref }}\n  cancel-in-progress: false\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: false\n      matrix:\n        node: [20, 22]\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: \${{ matrix.node }}\n\n      - name: Install dependencies\n        run: ${detectedPmInstall}\n\n      - name: Warm cache\n        run: npx @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Check updates with rollout controls\n        run: |\n          npx @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --lockfile-mode preserve \\\n            --format github \\\n            --fail-on minor \\\n            --max-updates 50 \\\n            --json-file .artifacts/deps-report-node-\${{ matrix.node }}.json \\\n            --pr-report-file .artifacts/deps-report-node-\${{ matrix.node }}.md \\\n            --sarif-file .artifacts/deps-report-node-\${{ matrix.node }}.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report-node-\${{ matrix.node }}\n          path: .artifacts/\n          retention-days: 14\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report-node-\${{ matrix.node }}.sarif\n`;
+function enterpriseWorkflowTemplate(scheduleBlock, profile) {
+    const install = buildInstallInvocation(profile, { frozen: true, ci: true });
+    const testCmd = buildTestCommand(profile);
+    return `name: Rainy Updates Enterprise\n\non:\n${scheduleBlock}\n\npermissions:\n  contents: read\n  security-events: write\n  actions: read\n\nconcurrency:\n  group: rainy-updates-\${{ github.ref }}\n  cancel-in-progress: false\n\njobs:\n  dependency-check:\n    runs-on: ubuntu-latest\n    strategy:\n      fail-fast: false\n      matrix:\n        node: [20, 22]\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n\n      - name: Setup Node\n        uses: actions/setup-node@v4\n        with:\n          node-version: \${{ matrix.node }}\n\n      - name: Setup Bun\n        uses: oven-sh/setup-bun@v1\n\n${profile.manager === "pnpm" || profile.manager === "yarn" ? '      - name: Enable Corepack\n        run: corepack enable\n\n' : ""}${profile.manager === "pnpm" ? '      - name: Prepare pnpm\n        run: corepack prepare pnpm@9 --activate\n\n' : ""}      - name: Install dependencies\n        run: ${install.display}\n\n      - name: Warm cache\n        run: bunx --bun @rainy-updates/cli warm-cache --workspace --concurrency 32 --registry-timeout-ms 12000 --registry-retries 4\n\n      - name: Generate reviewed decision plan\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --gate review \\\n            --plan-file .artifacts/decision-plan.json \\\n            --concurrency 32 \\\n            --stream \\\n            --registry-timeout-ms 12000 \\\n            --registry-retries 4 \\\n            --lockfile-mode preserve \\\n            --format github \\\n            --fail-on minor \\\n            --max-updates 50 \\\n            --json-file .artifacts/deps-report-node-\${{ matrix.node }}.json \\\n            --pr-report-file .artifacts/deps-report-node-\${{ matrix.node }}.md \\\n            --sarif-file .artifacts/deps-report-node-\${{ matrix.node }}.sarif \\\n            --github-output $GITHUB_OUTPUT\n\n      - name: Replay approved plan with verification\n        run: |\n          bunx --bun @rainy-updates/cli ci \\\n            --workspace \\\n            --mode enterprise \\\n            --gate upgrade \\\n            --from-plan .artifacts/decision-plan.json \\\n            --verify test \\\n            --test-command "${testCmd}" \\\n            --verification-report-file .artifacts/verification-node-\${{ matrix.node }}.json\n\n      - name: Upload report artifacts\n        uses: actions/upload-artifact@v4\n        with:\n          name: rainy-updates-report-node-\${{ matrix.node }}\n          path: .artifacts/\n          retention-days: 14\n\n      - name: Upload SARIF\n        uses: github/codeql-action/upload-sarif@v3\n        with:\n          sarif_file: .artifacts/deps-report-node-\${{ matrix.node }}.sarif\n`;
 }

package/dist/core/options.d.ts

@@ -1,4 +1,4 @@
-import type { BaselineOptions, CheckOptions, UpgradeOptions, AuditOptions, BisectOptions, HealthOptions, UnusedOptions, ResolveOptions, LicenseOptions, SnapshotOptions, ReviewOptions, DoctorOptions, RiskLevel, DashboardOptions, GaOptions } from "../types/index.js";
+import type { BaselineOptions, CheckOptions, UpgradeOptions, AuditOptions, BisectOptions, HealthOptions, UnusedOptions, ResolveOptions, LicenseOptions, SnapshotOptions, ReviewOptions, DoctorOptions, RiskLevel, DashboardOptions, GaOptions, HookOptions } from "../types/index.js";
 import type { InitCiMode, InitCiSchedule } from "./init-ci.js";
 export type ParsedCliArgs = {
     command: "check";
@@ -58,6 +58,9 @@ export type ParsedCliArgs = {
 } | {
     command: "ga";
     options: GaOptions;
+} | {
+    command: "hook";
+    options: HookOptions;
 };
 export declare function parseCliArgs(argv: string[]): Promise<ParsedCliArgs>;
 export declare function ensureRiskLevel(value: string): RiskLevel;