ai-project-maintainer 0.4.0 → 0.4.1

package/docs/demo-output/security-report.md

@@ -1,64 +1,65 @@
-# Local Security Gate: PASS
-
-Root: `examples/demo-ai-app`
-Mode: strict=true, release=true, production=true
-Open Source Maintenance Score: 75/100 (B)
-
-## Blocking Checks
-
-- None
-
-## Warnings
-
-- production audit: Production release approval: GAP. Production deployment exists without approval evidence.
-- production audit: Error monitoring: GAP. Error monitoring evidence is missing.
-- production audit: Production logs: GAP. Production logs evidence is missing.
-- production audit: Production metrics: GAP. Production metrics evidence is missing.
-- production audit: Production alerts: GAP. Production alerts evidence is missing.
-
-## Coverage Gaps
-
-- Production release approval: use GitHub Environments or document the approval gate.
-- Error monitoring: declare Sentry, OpenTelemetry, or another error source.
-- Production logs: declare log evidence before relying on production recovery.
-- Production metrics: declare release and service health metrics.
-- Production alerts: declare alert routing before release.
-
-## Production Audit
-
-Project Type: node
-Database: false
-CI: true
-
-### Plan
-
-- PASS Production audit intake: project profile and evidence templates are present.
-- PASS Critical business flows: 2 critical flows declared.
-- PASS Business flow tests: 2 test references declared.
-- N/A Electron security review: no Electron surface detected.
-- PASS CI security review: CI workflow evidence detected.
-- GAP Production release approval: production deployment exists without approval evidence.
-- GAP Error monitoring: error monitoring evidence is missing.
-- GAP Production logs: production logs evidence is missing.
-- GAP Production metrics: production metrics evidence is missing.
-- GAP Production alerts: production alerts evidence is missing.
-- N/A Database migration review: no database surface detected or declared.
-
-## Checks Run
-
-- package test: pass
-- release build: pass
-- npm production audit: pass
-- gitleaks secret scan: pass
-- trivy filesystem scan: pass
-- osv-scanner dependency scan: pass
-- semgrep static scan: pass
-- syft SBOM: pass
-- grype vulnerability scan: pass
-- OpenSSF Scorecard: pass
-- production audit evidence checks: GAP items reported but not blocking by default
-
+# Local Security Gate: PASS_WITH_GAPS
+
+Root: `examples/demo-ai-app`
+Mode: strict=true, release=true, production=true
+Open Source Maintenance Score: 75/100 (B)
+
+## Blocking Checks
+
+- None
+
+## Warnings
+
+- production audit: Production release approval: GAP. Production deployment exists without approval evidence.
+- production audit: Error monitoring: GAP. Error monitoring evidence is missing.
+- production audit: Production logs: GAP. Production logs evidence is missing.
+- production audit: Production metrics: GAP. Production metrics evidence is missing.
+- production audit: Production alerts: GAP. Production alerts evidence is missing.
+
+## Coverage Gaps
+
+- Production release approval: use GitHub Environments or document the approval gate.
+- Error monitoring: declare Sentry, OpenTelemetry, or another error source.
+- Production logs: declare log evidence before relying on production recovery.
+- Production metrics: declare release and service health metrics.
+- Production alerts: declare alert routing before release.
+
+## Production Audit
+
+Project Type: node
+Database: false
+CI: true
+
+### Plan
+
+- PASS Production audit intake: project profile and evidence templates are present.
+- PASS Critical business flows: 2 critical flows declared.
+- PASS Business flow tests: 2 test references declared.
+- N/A Electron security review: no Electron surface detected.
+- PASS CI security review: CI workflow evidence detected.
+- GAP Production release approval: production deployment exists without approval evidence.
+- GAP Error monitoring: error monitoring evidence is missing.
+- GAP Production logs: production logs evidence is missing.
+- GAP Production metrics: production metrics evidence is missing.
+- GAP Production alerts: production alerts evidence is missing.
+- N/A Database migration review: no database surface detected or declared.
+
+## Checks Run
+
+- package test: pass
+- release build: pass
+- npm production audit: pass
+- gitleaks secret scan: pass
+- trivy filesystem scan: pass
+- osv-scanner dependency scan: pass
+- semgrep static scan: pass
+- syft SBOM: pass
+- grype vulnerability scan: pass
+- OpenSSF Scorecard: pass
+- production audit evidence checks: GAP items reported but not blocking by default
+
 ## Next Step
 
-- Add real release approval, monitoring, logs, metrics, and alerts evidence.
+- No blocking checks failed, but release-readiness gaps remain.
+- Add real release approval, monitoring, logs, metrics, and alerts evidence, or explicitly accept those gaps before release.
 - Rerun `gate --production --strict --release`.

package/docs/superpowers/plans/2026-06-29-ci-dogfooding.md

@@ -1,200 +1,200 @@
-# CI Dogfooding Implementation Plan
-
-> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
-
-**Goal:** Add a real GitHub Actions CI gate so the repository dogfoods its own tests, syntax checks, package validation, and local safety gate.
-
-**Architecture:** Use a single GitHub Actions workflow at `.github/workflows/ci.yml` that runs on pushes and pull requests to `main`. Keep the first version account-free and deterministic: install npm dependencies with `npm ci`, run Node tests and syntax checks, validate npm package contents, run `doctor` without Trivy DB as a non-blocking tool probe, and run a local gate smoke test that generates reports while treating external scanners as unavailable on day one.
-
-**Tech Stack:** GitHub Actions, Node.js 20 and 22, npm, existing Node scripts in `ai-project-maintainer/scripts`.
-
----
-
-### Task 1: Add GitHub Actions CI Workflow
-
-**Files:**
-- Create: `.github/workflows/ci.yml`
-- Create: `ai-project-maintainer/scripts/ci-smoke-gate.mjs`
-
-- [ ] **Step 1: Create the workflow file**
-
-Use this workflow content:
-
-```yaml
-name: CI
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  test:
-    name: Node ${{ matrix.node-version }}
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        node-version:
-          - 20
-          - 22
-
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-
-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-          cache: npm
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run tests
-        run: npm test
-
-      - name: Check script syntax
-        run: npm run check
-
-      - name: Validate package contents
-        run: npm pack --dry-run
-
-      - name: Probe local tool availability
-        continue-on-error: true
-        run: node ai-project-maintainer/scripts/doctor.mjs --no-trivy-db
-
-      - name: Run local gate smoke test
-        run: node ai-project-maintainer/scripts/ci-smoke-gate.mjs . reports/security-report.json
-
-      - name: Upload gate reports
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: security-reports-node-${{ matrix.node-version }}
-          path: reports/
-          if-no-files-found: ignore
-```
-
-- [ ] **Step 2: Validate workflow can be parsed as YAML**
-
-Run:
-
-```powershell
-node -e "import('yaml').then(({parse})=>{const fs=require('node:fs'); parse(fs.readFileSync('.github/workflows/ci.yml','utf8')); console.log('workflow yaml ok')})"
-```
-
-Expected: `workflow yaml ok`
-
-### Task 2: Update README Trust Signals
-
-**Files:**
-- Modify: `README.md`
-
-- [ ] **Step 1: Replace the static CI badge**
-
-Replace:
-
-```markdown
-![CI ready](https://img.shields.io/badge/CI-GitHub%20Actions-24292f)
-```
-
-With:
-
-```markdown
-[![CI](https://github.com/xixifusi1213-gif/ai-project-maintainer/actions/workflows/ci.yml/badge.svg)](https://github.com/xixifusi1213-gif/ai-project-maintainer/actions/workflows/ci.yml)
-```
-
-- [ ] **Step 2: Fix the README demo link separator**
-
-Replace the corrupted link separator line with:
-
-```markdown
-[See the demo](docs/DEMO.md) · [中文演示](docs/DEMO.zh-CN.md) · [Production audit docs](docs/PRODUCTION-AUDIT.zh-CN.md)
-```
-
-### Task 3: Verify Locally
-
-**Files:**
-- No additional files.
-
-- [ ] **Step 1: Run tests**
-
-Run:
-
-```powershell
-npm test
-```
-
-Expected: all tests pass.
-
-- [ ] **Step 2: Run syntax checks**
-
-Run:
-
-```powershell
-npm run check
-```
-
-Expected: syntax check passes.
-
-- [ ] **Step 3: Validate package contents**
-
-Run:
-
-```powershell
-npm pack --dry-run
-```
-
-Expected: npm reports package `ai-project-maintainer@0.3.0` without errors.
-
-- [ ] **Step 4: Run CI-equivalent local checks**
-
-Run:
-
-```powershell
-node ai-project-maintainer/scripts/doctor.mjs --no-trivy-db
-node ai-project-maintainer/scripts/ci-smoke-gate.mjs . reports/security-report.json
-```
-
-Expected: commands exit successfully and reports are generated.
-
-### Task 4: Publish
-
-**Files:**
-- Commit: `.github/workflows/ci.yml`, `README.md`, `ai-project-maintainer/scripts/ci-smoke-gate.mjs`, `docs/superpowers/plans/2026-06-29-ci-dogfooding.md`
-
-- [ ] **Step 1: Commit changes**
-
-Run:
-
-```powershell
-git add .github/workflows/ci.yml README.md ai-project-maintainer/scripts/ci-smoke-gate.mjs docs/superpowers/plans/2026-06-29-ci-dogfooding.md
-git commit -m "Add CI dogfooding workflow"
-```
-
-- [ ] **Step 2: Push to GitHub**
-
-Run:
-
-```powershell
-git push origin HEAD:main
-```
-
-- [ ] **Step 3: Check workflow registration**
-
-Run:
-
-```powershell
-gh workflow list --repo xixifusi1213-gif/ai-project-maintainer
-```
-
-Expected: workflow list includes `CI`.
+# CI Dogfooding Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Add a real GitHub Actions CI gate so the repository dogfoods its own tests, syntax checks, package validation, and local safety gate.
+
+**Architecture:** Use a single GitHub Actions workflow at `.github/workflows/ci.yml` that runs on pushes and pull requests to `main`. Keep the first version account-free and deterministic: install npm dependencies with `npm ci`, run Node tests and syntax checks, validate npm package contents, run `doctor` without Trivy DB as a non-blocking tool probe, and run a local gate smoke test that generates reports while treating external scanners as unavailable on day one.
+
+**Tech Stack:** GitHub Actions, Node.js 20 and 22, npm, existing Node scripts in `ai-project-maintainer/scripts`.
+
+---
+
+### Task 1: Add GitHub Actions CI Workflow
+
+**Files:**
+- Create: `.github/workflows/ci.yml`
+- Create: `ai-project-maintainer/scripts/ci-smoke-gate.mjs`
+
+- [ ] **Step 1: Create the workflow file**
+
+Use this workflow content:
+
+```yaml
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Node ${{ matrix.node-version }}
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version:
+          - 20
+          - 22
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests
+        run: npm test
+
+      - name: Check script syntax
+        run: npm run check
+
+      - name: Validate package contents
+        run: npm pack --dry-run
+
+      - name: Probe local tool availability
+        continue-on-error: true
+        run: node ai-project-maintainer/scripts/doctor.mjs --no-trivy-db
+
+      - name: Run local gate smoke test
+        run: node ai-project-maintainer/scripts/ci-smoke-gate.mjs . reports/security-report.json
+
+      - name: Upload gate reports
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-reports-node-${{ matrix.node-version }}
+          path: reports/
+          if-no-files-found: ignore
+```
+
+- [ ] **Step 2: Validate workflow can be parsed as YAML**
+
+Run:
+
+```powershell
+node -e "import('yaml').then(({parse})=>{const fs=require('node:fs'); parse(fs.readFileSync('.github/workflows/ci.yml','utf8')); console.log('workflow yaml ok')})"
+```
+
+Expected: `workflow yaml ok`
+
+### Task 2: Update README Trust Signals
+
+**Files:**
+- Modify: `README.md`
+
+- [ ] **Step 1: Replace the static CI badge**
+
+Replace:
+
+```markdown
+![CI ready](https://img.shields.io/badge/CI-GitHub%20Actions-24292f)
+```
+
+With:
+
+```markdown
+[![CI](https://github.com/xixifusi1213-gif/ai-project-maintainer/actions/workflows/ci.yml/badge.svg)](https://github.com/xixifusi1213-gif/ai-project-maintainer/actions/workflows/ci.yml)
+```
+
+- [ ] **Step 2: Fix the README demo link separator**
+
+Replace the corrupted link separator line with:
+
+```markdown
+[See the demo](docs/DEMO.md) · [中文演示](docs/DEMO.zh-CN.md) · [Production audit docs](docs/PRODUCTION-AUDIT.zh-CN.md)
+```
+
+### Task 3: Verify Locally
+
+**Files:**
+- No additional files.
+
+- [ ] **Step 1: Run tests**
+
+Run:
+
+```powershell
+npm test
+```
+
+Expected: all tests pass.
+
+- [ ] **Step 2: Run syntax checks**
+
+Run:
+
+```powershell
+npm run check
+```
+
+Expected: syntax check passes.
+
+- [ ] **Step 3: Validate package contents**
+
+Run:
+
+```powershell
+npm pack --dry-run
+```
+
+Expected: npm reports package `ai-project-maintainer@0.3.0` without errors.
+
+- [ ] **Step 4: Run CI-equivalent local checks**
+
+Run:
+
+```powershell
+node ai-project-maintainer/scripts/doctor.mjs --no-trivy-db
+node ai-project-maintainer/scripts/ci-smoke-gate.mjs . reports/security-report.json
+```
+
+Expected: commands exit successfully and reports are generated.
+
+### Task 4: Publish
+
+**Files:**
+- Commit: `.github/workflows/ci.yml`, `README.md`, `ai-project-maintainer/scripts/ci-smoke-gate.mjs`, `docs/superpowers/plans/2026-06-29-ci-dogfooding.md`
+
+- [ ] **Step 1: Commit changes**
+
+Run:
+
+```powershell
+git add .github/workflows/ci.yml README.md ai-project-maintainer/scripts/ci-smoke-gate.mjs docs/superpowers/plans/2026-06-29-ci-dogfooding.md
+git commit -m "Add CI dogfooding workflow"
+```
+
+- [ ] **Step 2: Push to GitHub**
+
+Run:
+
+```powershell
+git push origin HEAD:main
+```
+
+- [ ] **Step 3: Check workflow registration**
+
+Run:
+
+```powershell
+gh workflow list --repo xixifusi1213-gif/ai-project-maintainer
+```
+
+Expected: workflow list includes `CI`.

package/examples/demo-ai-app/.ai-maintainer/business-flows.yml

@@ -1,14 +1,14 @@
-schema_version: 1
-business_flows:
-  - id: "checkout-quote"
-    name: "Customer checkout quote"
-    criticality: "high"
-    expected_behavior: "A customer-visible total must include the selected shipping cost exactly once."
-    tests:
-      - "test/order-risk.test.mjs"
-  - id: "order-release"
-    name: "Paid order release"
-    criticality: "high"
-    expected_behavior: "An order can be released only when payment, stock, and risk checks all pass."
-    tests:
-      - "test/order-risk.test.mjs"
+schema_version: 1
+business_flows:
+  - id: "checkout-quote"
+    name: "Customer checkout quote"
+    criticality: "high"
+    expected_behavior: "A customer-visible total must include the selected shipping cost exactly once."
+    tests:
+      - "test/order-risk.test.mjs"
+  - id: "order-release"
+    name: "Paid order release"
+    criticality: "high"
+    expected_behavior: "An order can be released only when payment, stock, and risk checks all pass."
+    tests:
+      - "test/order-risk.test.mjs"

package/examples/demo-ai-app/.ai-maintainer/db-migration-policy.yml

@@ -1,6 +1,6 @@
-schema_version: 1
-database:
-  changes_use_migrations: false
-  destructive_changes_require_review: true
-  backup_before_production_migration: false
-  rollback_or_forward_fix_required: false
+schema_version: 1
+database:
+  changes_use_migrations: false
+  destructive_changes_require_review: true
+  backup_before_production_migration: false
+  rollback_or_forward_fix_required: false

package/examples/demo-ai-app/.ai-maintainer/evidence-sources.yml

@@ -1,18 +1,18 @@
-schema_version: 1
-evidence:
-  github_actions: "present"
-  deployment:
-    provider: "demo"
-    has_staging: true
-    has_production: true
-    production_requires_approval: false
-  observability:
-    errors: "none"
-    logs: "none"
-    metrics: "none"
-    alerts: "none"
-  database:
-    migrations: "none"
-    review_tool: "none"
-    backup_policy: "none"
-    rollback_plan: "none"
+schema_version: 1
+evidence:
+  github_actions: "present"
+  deployment:
+    provider: "demo"
+    has_staging: true
+    has_production: true
+    production_requires_approval: false
+  observability:
+    errors: "none"
+    logs: "none"
+    metrics: "none"
+    alerts: "none"
+  database:
+    migrations: "none"
+    review_tool: "none"
+    backup_policy: "none"
+    rollback_plan: "none"

package/examples/demo-ai-app/.ai-maintainer/exceptions.yml

@@ -1 +1 @@
-exceptions: []
+exceptions: []

package/examples/demo-ai-app/.ai-maintainer/incident-runbook.md

@@ -1,11 +1,11 @@
-# Incident Runbook
-
-## First Response
-
-- Stop new releases.
-- Check checkout quote and order release tests.
-- Decide whether to rollback the latest release.
-
-## Missing Evidence
-
-- Production monitoring is intentionally missing in the demo so the audit report shows GAP items.
+# Incident Runbook
+
+## First Response
+
+- Stop new releases.
+- Check checkout quote and order release tests.
+- Decide whether to rollback the latest release.
+
+## Missing Evidence
+
+- Production monitoring is intentionally missing in the demo so the audit report shows GAP items.

package/examples/demo-ai-app/.ai-maintainer/observability-checklist.yml

@@ -1,7 +1,7 @@
-schema_version: 1
-observability:
-  error_monitoring: false
-  structured_logs: false
-  metrics: false
-  alerts: false
-  release_tracking: false
+schema_version: 1
+observability:
+  error_monitoring: false
+  structured_logs: false
+  metrics: false
+  alerts: false
+  release_tracking: false