ai-project-maintainer 0.4.0 → 0.4.1

package/examples/demo-ai-app/.ai-maintainer/policy.yml

@@ -1,27 +1,27 @@
-profile: oss
-mode: strict
-checks:
-  gitleaks: block
-  trivy: block
-  semgrep: block
-  osv-scanner: warn
-  syft: warn
-  grype: warn
-  actionlint: block
-  zizmor: warn
-  checkov: warn
-  trivy-config: warn
-  scorecard: warn
-  megalinter: warn
-  pre-commit: warn
-  package-audit: warn
-fail_on:
-  tests: true
-  secrets: true
-  dependency_high_or_critical: true
-  semgrep_blocking: true
-  trivy_unavailable: true
-  electron_dangerous_settings: true
-  ci_security_high: true
-warn_on:
-  missing_optional_tools: true
+profile: oss
+mode: strict
+checks:
+  gitleaks: block
+  trivy: block
+  semgrep: block
+  osv-scanner: warn
+  syft: warn
+  grype: warn
+  actionlint: block
+  zizmor: warn
+  checkov: warn
+  trivy-config: warn
+  scorecard: warn
+  megalinter: warn
+  pre-commit: warn
+  package-audit: warn
+fail_on:
+  tests: true
+  secrets: true
+  dependency_high_or_critical: true
+  semgrep_blocking: true
+  trivy_unavailable: true
+  electron_dangerous_settings: true
+  ci_security_high: true
+warn_on:
+  missing_optional_tools: true

package/examples/demo-ai-app/.ai-maintainer/project-profile.yml

@@ -1,15 +1,15 @@
-schema_version: 1
-project:
-  name: demo-ai-app
-  type: node
-  lifecycle: production-candidate
-  production: true
-risk:
-  handles_auth: false
-  handles_sensitive_data: false
-  handles_payments: false
-  handles_financial_data: false
-  handles_health_data: false
-  has_database: false
-  has_deployment: true
-  has_user_generated_content: false
+schema_version: 1
+project:
+  name: demo-ai-app
+  type: node
+  lifecycle: production-candidate
+  production: true
+risk:
+  handles_auth: false
+  handles_sensitive_data: false
+  handles_payments: false
+  handles_financial_data: false
+  handles_health_data: false
+  has_database: false
+  has_deployment: true
+  has_user_generated_content: false

package/examples/demo-ai-app/.ai-maintainer/release-checklist.yml

@@ -1,7 +1,7 @@
-schema_version: 1
-release:
-  has_staging: true
-  has_smoke_tests: true
-  has_manual_approval: false
-  has_rollback_plan: false
-  has_versioned_artifacts: true
+schema_version: 1
+release:
+  has_staging: true
+  has_smoke_tests: true
+  has_manual_approval: false
+  has_rollback_plan: false
+  has_versioned_artifacts: true

package/examples/demo-ai-app/.ai-maintainer/risk-policy.yml

@@ -1,5 +1,5 @@
-schema_version: 1
-production:
-  block_on_coverage_gaps: false
-  block_on_user_decisions: false
-  require_intake: true
+schema_version: 1
+production:
+  block_on_coverage_gaps: false
+  block_on_user_decisions: false
+  require_intake: true

package/examples/demo-ai-app/.ai-maintainer/threat-model.md

@@ -1,18 +1,18 @@
-# Threat Model
-
-## Assets
-
-- Order totals
-- Payment status
-- Release decisions
-
-## Trust Boundaries
-
-- Browser or API client input
-- Order risk calculation
-- Release approval process
-
-## User Decisions
-
-- Confirm whether manual review threshold matches real business risk.
-- Confirm who can override a release hold.
+# Threat Model
+
+## Assets
+
+- Order totals
+- Payment status
+- Release decisions
+
+## Trust Boundaries
+
+- Browser or API client input
+- Order risk calculation
+- Release approval process
+
+## User Decisions
+
+- Confirm whether manual review threshold matches real business risk.
+- Confirm who can override a release hold.

package/examples/demo-ai-app/README.md

@@ -1,38 +1,38 @@
-# Demo AI App
-
-This is a small healthy Node.js project used by AI Project Maintainer demos.
-
-It has:
-
-- business-critical tests
-- a build script
-- production audit intake files
-- intentional production evidence gaps for monitoring, alerts, approval, and rollback
-
-## Run The Healthy Project
-
-```powershell
-npm test --prefix .\examples\demo-ai-app
-npm run build --prefix .\examples\demo-ai-app
-node .\examples\demo-ai-app\scripts\run-demo-gate.mjs
-```
-
-The demo gate uses temporary scanner shims so the sample report is reproducible on machines that do not have Gitleaks, Trivy, Semgrep, and other scanners installed yet.
-
-## Generate The Broken Before State
-
-```powershell
-node .\examples\demo-ai-app\scripts\create-before-state.mjs
-```
-
-The command prints a temporary directory. Run `npm test` in that copied project to see the business tests fail. Nothing bad is committed into this repository; the failing state exists only under the OS temp directory.
-
-## Run The Real Gate
-
-When scanner CLIs are installed, run the same command a real project would use:
-
-```powershell
-npx ai-project-maintainer gate .\examples\demo-ai-app --production --strict --release --output reports/security-report.json
-```
-
-The expected result is PASS with visible GAP items for missing production evidence.
+# Demo AI App
+
+This is a small healthy Node.js project used by AI Project Maintainer demos.
+
+It has:
+
+- business-critical tests
+- a build script
+- production audit intake files
+- intentional production evidence gaps for monitoring, alerts, approval, and rollback
+
+## Run The Healthy Project
+
+```powershell
+npm test --prefix .\examples\demo-ai-app
+npm run build --prefix .\examples\demo-ai-app
+node .\examples\demo-ai-app\scripts\run-demo-gate.mjs
+```
+
+The demo gate uses temporary scanner shims so the sample report is reproducible on machines that do not have Gitleaks, Trivy, Semgrep, and other scanners installed yet.
+
+## Generate The Broken Before State
+
+```powershell
+node .\examples\demo-ai-app\scripts\create-before-state.mjs
+```
+
+The command prints a temporary directory. Run `npm test` in that copied project to see the business tests fail. Nothing bad is committed into this repository; the failing state exists only under the OS temp directory.
+
+## Run The Real Gate
+
+When scanner CLIs are installed, run the same command a real project would use:
+
+```powershell
+npx ai-project-maintainer gate .\examples\demo-ai-app --production --strict --release --output reports/security-report.json
+```
+
+The expected result is PASS with visible GAP items for missing production evidence.

package/examples/demo-ai-app/package-lock.json

@@ -1,15 +1,15 @@
-{
-  "name": "demo-ai-app",
-  "version": "0.1.0",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "": {
-      "name": "demo-ai-app",
-      "version": "0.1.0",
-      "engines": {
-        "node": ">=20"
-      }
-    }
-  }
-}
+{
+  "name": "demo-ai-app",
+  "version": "0.1.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "demo-ai-app",
+      "version": "0.1.0",
+      "engines": {
+        "node": ">=20"
+      }
+    }
+  }
+}

package/examples/demo-ai-app/package.json

@@ -1,16 +1,16 @@
-{
-  "name": "demo-ai-app",
-  "version": "0.1.0",
-  "private": true,
-  "type": "module",
-  "description": "Runnable demo project for AI Project Maintainer.",
-  "scripts": {
-    "test": "node --test",
-    "build": "node scripts/build.mjs",
-    "demo:before": "node scripts/create-before-state.mjs",
-    "demo:gate": "node scripts/run-demo-gate.mjs"
-  },
-  "engines": {
-    "node": ">=20"
-  }
-}
+{
+  "name": "demo-ai-app",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "description": "Runnable demo project for AI Project Maintainer.",
+  "scripts": {
+    "test": "node --test",
+    "build": "node scripts/build.mjs",
+    "demo:before": "node scripts/create-before-state.mjs",
+    "demo:gate": "node scripts/run-demo-gate.mjs"
+  },
+  "engines": {
+    "node": ">=20"
+  }
+}

package/examples/demo-ai-app/scripts/build.mjs

@@ -1,18 +1,18 @@
-import fs from "node:fs";
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-
-const root = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
-const outDir = path.join(root, "dist");
-
-fs.mkdirSync(outDir, { recursive: true });
-fs.writeFileSync(
-  path.join(outDir, "build-manifest.json"),
-  `${JSON.stringify({
-    app: "demo-ai-app",
-    builtAt: new Date().toISOString(),
-    entrypoints: ["src/order-risk.js"],
-  }, null, 2)}\n`,
-);
-
-console.log(`Demo build manifest written to ${path.relative(root, outDir)}`);
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const root = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
+const outDir = path.join(root, "dist");
+
+fs.mkdirSync(outDir, { recursive: true });
+fs.writeFileSync(
+  path.join(outDir, "build-manifest.json"),
+  `${JSON.stringify({
+    app: "demo-ai-app",
+    builtAt: new Date().toISOString(),
+    entrypoints: ["src/order-risk.js"],
+  }, null, 2)}\n`,
+);
+
+console.log(`Demo build manifest written to ${path.relative(root, outDir)}`);

package/examples/demo-ai-app/scripts/create-before-state.mjs

@@ -1,86 +1,86 @@
-#!/usr/bin/env node
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { fileURLToPath } from "node:url";
-
-const ignored = new Set(["node_modules", "dist", "reports"]);
-
-function normalizeForCompare(value) {
-  return path.resolve(value).toLowerCase();
-}
-
-function assertInsideTemp(destination) {
-  const tempRoot = normalizeForCompare(fs.realpathSync(os.tmpdir()));
-  const resolved = normalizeForCompare(destination);
-  if (resolved !== tempRoot && !resolved.startsWith(`${tempRoot}${path.sep}`)) {
-    throw new Error(`Refusing to write demo before-state outside the OS temp directory: ${destination}`);
-  }
-}
-
-function copyDirectory(source, destination) {
-  fs.mkdirSync(destination, { recursive: true });
-  for (const entry of fs.readdirSync(source, { withFileTypes: true })) {
-    if (ignored.has(entry.name)) continue;
-    const from = path.join(source, entry.name);
-    const to = path.join(destination, entry.name);
-    if (entry.isDirectory()) copyDirectory(from, to);
-    else if (entry.isFile()) fs.copyFileSync(from, to);
-  }
-}
-
-function readOutputArg(args) {
-  const index = args.indexOf("--output");
-  if (index !== -1) return args[index + 1];
-  const inline = args.find((arg) => arg.startsWith("--output="));
-  return inline ? inline.slice("--output=".length) : null;
-}
-
-export function createBeforeState({ outputPath = null } = {}) {
-  const demoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
-  const destination = path.resolve(outputPath || path.join(os.tmpdir(), `apm-demo-before-${Date.now()}`));
-  assertInsideTemp(destination);
-
-  fs.rmSync(destination, { recursive: true, force: true });
-  copyDirectory(demoRoot, destination);
-
-  fs.writeFileSync(
-    path.join(destination, "src", "order-risk.js"),
-    `const shippingRates = {
-  standard: 499,
-  expedited: 1299,
-};
-
-export function quoteOrder({ subtotalCents, shippingTier }) {
-  if (!Number.isInteger(subtotalCents) || subtotalCents < 0) {
-    throw new TypeError("subtotalCents must be a non-negative integer");
-  }
-
-  if (!Object.hasOwn(shippingRates, shippingTier)) {
-    throw new RangeError(\`unsupported shipping tier: \${shippingTier}\`);
-  }
-
-  const shippingCents = shippingRates[shippingTier];
-  const totalCents = subtotalCents + shippingCents;
-
-  return {
-    subtotalCents,
-    shippingCents,
-    totalCents,
-    needsManualReview: false,
-  };
-}
-
-export function canReleaseOrder({ paid, flagged }) {
-  return Boolean(paid && !flagged);
-}
-`,
-  );
-
-  return { destination };
-}
-
-if (process.argv[1] && path.resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
-  const result = createBeforeState({ outputPath: readOutputArg(process.argv.slice(2)) });
-  console.log(JSON.stringify(result, null, 2));
-}
+#!/usr/bin/env node
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const ignored = new Set(["node_modules", "dist", "reports"]);
+
+function normalizeForCompare(value) {
+  return path.resolve(value).toLowerCase();
+}
+
+function assertInsideTemp(destination) {
+  const tempRoot = normalizeForCompare(fs.realpathSync(os.tmpdir()));
+  const resolved = normalizeForCompare(destination);
+  if (resolved !== tempRoot && !resolved.startsWith(`${tempRoot}${path.sep}`)) {
+    throw new Error(`Refusing to write demo before-state outside the OS temp directory: ${destination}`);
+  }
+}
+
+function copyDirectory(source, destination) {
+  fs.mkdirSync(destination, { recursive: true });
+  for (const entry of fs.readdirSync(source, { withFileTypes: true })) {
+    if (ignored.has(entry.name)) continue;
+    const from = path.join(source, entry.name);
+    const to = path.join(destination, entry.name);
+    if (entry.isDirectory()) copyDirectory(from, to);
+    else if (entry.isFile()) fs.copyFileSync(from, to);
+  }
+}
+
+function readOutputArg(args) {
+  const index = args.indexOf("--output");
+  if (index !== -1) return args[index + 1];
+  const inline = args.find((arg) => arg.startsWith("--output="));
+  return inline ? inline.slice("--output=".length) : null;
+}
+
+export function createBeforeState({ outputPath = null } = {}) {
+  const demoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
+  const destination = path.resolve(outputPath || path.join(os.tmpdir(), `apm-demo-before-${Date.now()}`));
+  assertInsideTemp(destination);
+
+  fs.rmSync(destination, { recursive: true, force: true });
+  copyDirectory(demoRoot, destination);
+
+  fs.writeFileSync(
+    path.join(destination, "src", "order-risk.js"),
+    `const shippingRates = {
+  standard: 499,
+  expedited: 1299,
+};
+
+export function quoteOrder({ subtotalCents, shippingTier }) {
+  if (!Number.isInteger(subtotalCents) || subtotalCents < 0) {
+    throw new TypeError("subtotalCents must be a non-negative integer");
+  }
+
+  if (!Object.hasOwn(shippingRates, shippingTier)) {
+    throw new RangeError(\`unsupported shipping tier: \${shippingTier}\`);
+  }
+
+  const shippingCents = shippingRates[shippingTier];
+  const totalCents = subtotalCents + shippingCents;
+
+  return {
+    subtotalCents,
+    shippingCents,
+    totalCents,
+    needsManualReview: false,
+  };
+}
+
+export function canReleaseOrder({ paid, flagged }) {
+  return Boolean(paid && !flagged);
+}
+`,
+  );
+
+  return { destination };
+}
+
+if (process.argv[1] && path.resolve(process.argv[1]) === fileURLToPath(import.meta.url)) {
+  const result = createBeforeState({ outputPath: readOutputArg(process.argv.slice(2)) });
+  console.log(JSON.stringify(result, null, 2));
+}