aienvmp 0.1.56 → 0.1.57
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/BUGFIXES.md +6 -0
- package/CHANGELOG.md +9 -0
- package/README.md +1 -0
- package/package.json +1 -1
- package/src/commands/sbom.js +43 -0
- package/src/contract.js +1 -1
package/BUGFIXES.md
CHANGED
|
@@ -130,6 +130,12 @@ Short record of bugs, fixes, and follow-up checks.
|
|
|
130
130
|
- Fix: `aiReadiness` now includes `requiresHumanReview`, `safeProjectLocalActions`, and `reviewOnlyEnvironmentChanges`; `summary.md` includes the first safe-local-work hint.
|
|
131
131
|
- Verification: regression tests cover status, context, summary, and schema outputs; Windows smoke confirmed generated JSON and summary fields.
|
|
132
132
|
|
|
133
|
+
### Standalone SBOM did not expose the dependency-change loop directly
|
|
134
|
+
|
|
135
|
+
- Issue: AI agents reading only `.aienvmp/sbom.json` could see risk and hints, but still had to infer the safe dependency-change sequence from several fields.
|
|
136
|
+
- Fix: `aiDependencyReview` now gives a top-level advisory review block with read order, safe actions, review targets, before-change commands, and after-change checkpoint guidance.
|
|
137
|
+
- Verification: regression tests cover the new SBOM block and schema metadata; local sync smoke confirmed generated `sbom.json` separates before-change commands from after-change checkpoint commands.
|
|
138
|
+
|
|
133
139
|
## Template
|
|
134
140
|
|
|
135
141
|
### Title
|
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,14 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.1.57
|
|
4
|
+
|
|
5
|
+
- Added `aiDependencyReview` to the standalone `.aienvmp/sbom.json` artifact.
|
|
6
|
+
- Linked SBOM risk to dependency-change read order, safe actions, review targets, and before/after commands.
|
|
7
|
+
- Kept dependency review advisory and non-blocking while making the AI handoff more explicit.
|
|
8
|
+
- Documented `sbom.json.aiDependencyReview` in the README and schema contract.
|
|
9
|
+
- Fixed dependency-review command grouping so `checkpoint` appears after dependency changes, not before.
|
|
10
|
+
- Added regression tests for SBOM dependency review and schema metadata.
|
|
11
|
+
|
|
3
12
|
## 0.1.56
|
|
4
13
|
|
|
5
14
|
- Added `aiReadiness.requiresHumanReview` so agents can distinguish review-needed signals from hard blocking.
|
package/README.md
CHANGED
|
@@ -53,6 +53,7 @@ AIENV.md # Markdown env map for AI agents
|
|
|
53
53
|
- `aiReadiness` gives a one-field ready/review signal for AI continuation.
|
|
54
54
|
- `dependencyReadSet` lists manifests and lockfiles before package or security changes.
|
|
55
55
|
- `sbomRisk` gives AI a compact light-SBOM risk level, signals, and next command.
|
|
56
|
+
- `sbom.json.aiDependencyReview` connects SBOM risk to safe dependency-change steps.
|
|
56
57
|
- `coordination.conflictTargets` shows where multiple agents are planning changes.
|
|
57
58
|
- `agentActivity.multiActorTargets` shows where multiple agents actually recorded env changes.
|
|
58
59
|
- `followUps` shows records that still need `sync`, `status`, or `handoff`.
|
package/package.json
CHANGED
package/src/commands/sbom.js
CHANGED
|
@@ -36,6 +36,7 @@ export function buildSbomArtifact(manifest = {}) {
|
|
|
36
36
|
topRisk: (lightSbom.topRisk || []).slice(0, 20),
|
|
37
37
|
packageManagerPolicy: lightSbom.packageManagerPolicy || {},
|
|
38
38
|
dependencyChangeHints: (lightSbom.dependencyChangeHints || []).slice(0, 20),
|
|
39
|
+
aiDependencyReview: aiDependencyReview(lightSbom),
|
|
39
40
|
aiUse: {
|
|
40
41
|
purpose: "Standalone AI-readable light SBOM artifact.",
|
|
41
42
|
readBefore: "Dependency changes, vulnerability remediation, release review, or shared AI handoff.",
|
|
@@ -45,6 +46,40 @@ export function buildSbomArtifact(manifest = {}) {
|
|
|
45
46
|
};
|
|
46
47
|
}
|
|
47
48
|
|
|
49
|
+
function aiDependencyReview(lightSbom = {}) {
|
|
50
|
+
const risk = lightSbom.riskSummary || {};
|
|
51
|
+
const hints = lightSbom.dependencyChangeHints || [];
|
|
52
|
+
const policy = lightSbom.packageManagerPolicy || {};
|
|
53
|
+
const level = risk.level || "clear";
|
|
54
|
+
const reviewTargets = (risk.reviewTargets || []).length
|
|
55
|
+
? risk.reviewTargets
|
|
56
|
+
: hints.map((item) => item.manifest).filter(Boolean);
|
|
57
|
+
const review = ["urgent", "high", "medium"].includes(level) || policy.status === "review-required";
|
|
58
|
+
return {
|
|
59
|
+
status: review ? "review" : "ready",
|
|
60
|
+
mode: "advisory",
|
|
61
|
+
readFirst: ["riskSummary", "dependencyChangeHints", "packageManagerPolicy", "topRisk"],
|
|
62
|
+
reviewTargets: [...new Set(reviewTargets)].slice(0, 8),
|
|
63
|
+
safeActions: [
|
|
64
|
+
"read SBOM, status, summary, context, and dependency manifests before dependency changes",
|
|
65
|
+
"plan remediation without installing, upgrading, downgrading, or switching package managers",
|
|
66
|
+
"record intent before dependency or lockfile changes when another AI may be working"
|
|
67
|
+
],
|
|
68
|
+
beforeDependencyChange: uniqueCommands([
|
|
69
|
+
...planningCommands(risk.commands || []),
|
|
70
|
+
"aienvmp intent --actor agent:id --action dependency-review --target dependency",
|
|
71
|
+
"aienvmp plan --write"
|
|
72
|
+
]),
|
|
73
|
+
afterDependencyChange: [
|
|
74
|
+
"run the narrowest relevant project validation",
|
|
75
|
+
"aienvmp checkpoint --actor agent:id --summary dependency-change --target dependency"
|
|
76
|
+
],
|
|
77
|
+
rule: review
|
|
78
|
+
? "Review SBOM risk and package manager policy before dependency changes; default behavior is advisory and non-blocking."
|
|
79
|
+
: "No light SBOM signal requires action; still record intent before dependency or lockfile changes."
|
|
80
|
+
};
|
|
81
|
+
}
|
|
82
|
+
|
|
48
83
|
export async function writeSbomArtifact(dir, sbom) {
|
|
49
84
|
const out = sbom.bomFormat === "CycloneDX" ? cyclonedxSbomPath(dir) : sbomJsonPath(dir);
|
|
50
85
|
await writeJson(out, sbom);
|
|
@@ -136,6 +171,14 @@ function normalizeFormat(format = "") {
|
|
|
136
171
|
return "aienvmp";
|
|
137
172
|
}
|
|
138
173
|
|
|
174
|
+
function uniqueCommands(commands = []) {
|
|
175
|
+
return [...new Set(commands.filter(Boolean))];
|
|
176
|
+
}
|
|
177
|
+
|
|
178
|
+
function planningCommands(commands = []) {
|
|
179
|
+
return commands.filter((command) => !String(command).includes(" checkpoint "));
|
|
180
|
+
}
|
|
181
|
+
|
|
139
182
|
function hashText(text = "") {
|
|
140
183
|
let hash = 0;
|
|
141
184
|
for (const ch of String(text)) hash = ((hash << 5) - hash + ch.charCodeAt(0)) >>> 0;
|
package/src/contract.js
CHANGED
|
@@ -42,7 +42,7 @@ export function schemaContract() {
|
|
|
42
42
|
sbom: {
|
|
43
43
|
file: ".aienvmp/sbom.json",
|
|
44
44
|
command: "aienvmp sbom --json",
|
|
45
|
-
rootFields: ["schemaVersion", "schemaName", "workspace", "summary", "riskSummary", "topRisk", "packageManagerPolicy", "dependencyChangeHints"]
|
|
45
|
+
rootFields: ["schemaVersion", "schemaName", "workspace", "summary", "riskSummary", "topRisk", "packageManagerPolicy", "dependencyChangeHints", "aiDependencyReview"]
|
|
46
46
|
},
|
|
47
47
|
cyclonedxLite: {
|
|
48
48
|
file: ".aienvmp/sbom.cdx.json",
|