claudemd-cli 0.9.17 → 0.9.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +34 -0
- package/bin/claudemd-lint.js +45 -7
- package/package.json +3 -2
package/CHANGELOG.md
CHANGED
|
@@ -8,6 +8,40 @@ All notable changes to the `claudemd` plugin. This changelog tracks plugin artif
|
|
|
8
8
|
- **Canonical spec version source**: `spec/CLAUDE.md` top-line title (`# AI-CODING-SPEC vX.Y.Z — Core`) + `spec/CLAUDE-changelog.md` top `##` entry.
|
|
9
9
|
- **Plugin semver vs spec semver** are independent: plugin patch (0.2.0 → 0.2.1) may ship when spec is unchanged (this release); plugin minor (0.1.9 → 0.2.0) ships when spec minor updates (v0.2.0 shipped spec v6.10.0).
|
|
10
10
|
|
|
11
|
+
## [0.9.19] - 2026-05-10
|
|
12
|
+
|
|
13
|
+
**Patch — repo-wide CI guard for the argv-shape silent-fallback antipattern (§13.2 Tier 1).** Spec v6.11.7 unchanged. v0.9.14 → v0.9.18 was five consecutive patches chasing the same antipattern in five different files because each fix-set was scoped to whatever the repro session tripped on. The CHANGELOG entry for v0.9.18 stated "the next exploratory-testing session WILL find a 6th hole"; this patch makes that prediction grep-enforceable instead of trusting the next session not to slip.
|
|
14
|
+
|
|
15
|
+
### Added
|
|
16
|
+
|
|
17
|
+
- `[feat]` **`scripts/lint-argv.js`** — module-friendly gate exporting `scan({ root, dirs, exts, fileAllowlist, patterns })` and a CLI entry. Greps the union of three known antipattern signatures (`\b\w+\.includes\(['"]--`, `\.find\(\w+\s*=>\s*\w+\.startsWith\(['"]--`, `\b\w+\.indexOf\(['"]--`) across `bin/` + `scripts/` `.js` files. Pure `//` comment lines are skipped (meta-recursion guard for the validator's own docstring quoting the antipattern as the bug it prevents). Inline allowlist: append `// argv-lint:allow` to a vetted line. File allowlist: add to `FILE_ALLOWLIST` with a one-line reason — only the gate itself + `scripts/lib/argv.js` (parseStrict implementation) qualify today.
|
|
18
|
+
- `[feat]` **`npm run lint:argv` script in `package.json`.** Local + CI invocable. Exit 0 on clean, exit 1 with per-hit `file:line [pattern]` + offending text + remediation hint on dirty. Tier 2 (wiring into `.github/workflows/test.yml`) is intentionally NOT in this patch — that's a §5 Hard CI/infra change deferred to user decision.
|
|
19
|
+
- `[test]` **9 new cases in `tests/scripts/lint-argv.test.js` (248 → 257)** — live-repo clean baseline, each of the three signatures detected on synthetic fixtures, inline allowlist, file-level allowlist, pure-comment skip (the meta-recursion guard), end-of-line comment NOT skipped (allowlist evasion attempt rejected), CLI exit 0 + stdout shape on clean.
|
|
20
|
+
|
|
21
|
+
### Fixed
|
|
22
|
+
|
|
23
|
+
- `[fix]` **`bin/claudemd-lint.js` lintCmd/auditCmd add 5 inline `// argv-lint:allow` comments** on the `args.includes/indexOf('--*')` lines that are post-validator-safe-by-construction (`validateAndExpandFlags` rejects unknown + bool=value upstream, so downstream `.includes('--json')` will never observe a wrong-shape value). The lines are functionally safe and intentionally chosen over a structural refactor that would churn v0.9.18's diff for no behavioral gain.
|
|
24
|
+
|
|
25
|
+
### Why no L3 / pre-ship-review chain
|
|
26
|
+
|
|
27
|
+
`feat:` adds a CI-helper script, not user-visible plugin behavior. No spec change. L2 ceiling. Diff: 1 new gate (~100 LOC), 1 new test file (~100 LOC), 1 package.json line, 5 inline comments in the public CLI, 4 version-string bumps. The companion §13.2 promotion to a HARD spec rule (hook-level enforcement) is a separate L3 spec-change patch held until the gate has run for a few release cycles and the false-positive rate is known empirically.
|
|
28
|
+
|
|
29
|
+
## [0.9.18] - 2026-05-10
|
|
30
|
+
|
|
31
|
+
**Patch — public npm CLI `bin/claudemd-lint.js` had the same argv-shape silent-fallback the slash-commands fixed in v0.9.16/v0.9.17.** Spec v6.11.7 unchanged. Surfaced exercising the published CLI as a downstream integrator would: `claudemd lint --jzon "..."` (typo) silently dropped the unknown flag and scanned the text anyway → exit reflected only the text content; `claudemd lint --json=yes "..."` silently dropped `--json` (because `args.includes('--json')` returns false for the `=` form) → human-readable text emitted on stdout when JSON was expected; `claudemd lint --file=PATH` (GNU-getopt convention) was unrecognized and exited 2 with the misleading `text required` message; `claudemd audit --include-ratiox PATH` silently dropped the typo → exit 0 even when content would deny. Fifth recurrence of argv-shape silent-fallback (v0.9.14 lint positional, v0.9.15 hook tag, v0.9.16 three slash-commands, v0.9.17 two more slash-commands, this one — the **publicly published** surface, the most-visible footgun).
|
|
32
|
+
|
|
33
|
+
### Fixed
|
|
34
|
+
|
|
35
|
+
- `[fix]` **`bin/claudemd-lint.js` `lintCmd` + `auditCmd` validate flags up-front via `validateAndExpandFlags(rawArgs, knownBools, knownValues, sub)`.** Pre-fix, both commands used `args.includes('--bool')` / `args.indexOf('--key')` which silently dropped (a) `--bool=value` (typo'd as truthy → false), (b) any unknown `--typo` flag (filtered out of positional via `startsWith('--')`), (c) `--key=value` for value flags (`indexOf` looks for the bare `--key`). Post-fix, all three exit 2 with a parser error before the existing happy-path logic runs. Bonus: `--file=PATH` (GNU-getopt `=` form) is now accepted as a sibling of `--file PATH` (Unix convention preserved). Backward-compatible — every previously-passing call shape still works.
|
|
36
|
+
|
|
37
|
+
### Added
|
|
38
|
+
|
|
39
|
+
- `[test]` **4 new cases in `tests/scripts/lint-cli.test.js`** asserting exit 2 + stderr message on the three silent-fallback shapes (`--jzon` typo, `--json=yes` bool-with-value, audit `--include-ratiox` typo) + the new accepted shape (`--file=PATH`). Test count 244 → 248. Coverage gap that allowed v0.9.17 to ship without catching this: the existing tests asserted happy paths but had no negative assertions on bug shapes.
|
|
40
|
+
|
|
41
|
+
### Why no L3 / pre-ship-review chain
|
|
42
|
+
|
|
43
|
+
`fix:` per spec §2 hard-upgrade exclusion — restores the implied contract (every flag shape either works or rejects loudly; no silent-drop). L2 ceiling. Diff: 1 source file (~30 LOC added, no API change), 1 test file (+45 LOC). Notable: this is the FIFTH consecutive patch chasing the same antipattern. The §13.2 promotion case for a `grep -rE '\.find\(.*startsWith\|args\.includes.*--' bin/ scripts/` lint gate (CI step or pre-commit) is now overwhelming. The v0.9.16 memory note already flagged this — adding a one-line `npm run lint:argv` step that fails CI on any `args.includes('--`'-shaped flag detection is the obvious next iteration.
|
|
44
|
+
|
|
11
45
|
## [0.9.17] - 2026-05-10
|
|
12
46
|
|
|
13
47
|
**Patch — two more slash-command CLIs leaked the v0.9.16 antipattern.** Spec v6.11.7 unchanged. Surfaced in the same exploratory-testing session that produced v0.9.16: `/claudemd-doctor --prune-backups 5` (space form) silently dropped the value, ran without prune, exited 0; `/claudemd-rules --days 30` (space form) silently fell back to the default 90-day window, exited 0. v0.9.16 swept `clean-residue.js` / `audit.js` / `sparkline.js` but missed `doctor.js` and `hard-rules-audit.js` carrying the same `args.find(a => a.startsWith('--key='))` pattern. Fourth recurrence of argv-shape silent-fallback (v0.9.14 lint, v0.9.15 hook tag, v0.9.16 three CLIs, this one).
|
package/bin/claudemd-lint.js
CHANGED
|
@@ -67,13 +67,50 @@ function readPackageVersion() {
|
|
|
67
67
|
}
|
|
68
68
|
}
|
|
69
69
|
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
70
|
+
// Strict-validate flag-shaped args + normalize `--key=value` → `--key value`
|
|
71
|
+
// pairs so the existing space-form parsing below works on either shape.
|
|
72
|
+
// Catches the same antipattern the slash-command CLIs hit in v0.9.16/0.9.17:
|
|
73
|
+
// `args.includes('--json')` returns false for `--json=yes`, so the flag was
|
|
74
|
+
// silently dropped; `args.indexOf('--file')` returns -1 for `--file=PATH`,
|
|
75
|
+
// so the value was silently ignored; an unknown `--jzon` typo was silently
|
|
76
|
+
// stripped from positional and never surfaced. Each path now exits 2.
|
|
77
|
+
function validateAndExpandFlags(args, knownBools, knownValues, sub) {
|
|
78
|
+
const out = [];
|
|
79
|
+
const bools = new Set(knownBools);
|
|
80
|
+
const values = new Set(knownValues);
|
|
81
|
+
for (const a of args) {
|
|
82
|
+
if (!a.startsWith('--')) { out.push(a); continue; }
|
|
83
|
+
if (a.includes('=')) {
|
|
84
|
+
const eq = a.indexOf('=');
|
|
85
|
+
const k = a.slice(0, eq);
|
|
86
|
+
const v = a.slice(eq + 1);
|
|
87
|
+
if (bools.has(k)) {
|
|
88
|
+
process.stderr.write(`${sub}: '${k}' is a boolean flag and does not take a value (got '${a}'). Drop the '=...' suffix.\n`);
|
|
89
|
+
process.exit(2);
|
|
90
|
+
}
|
|
91
|
+
if (values.has(k)) {
|
|
92
|
+
out.push(k);
|
|
93
|
+
out.push(v);
|
|
94
|
+
continue;
|
|
95
|
+
}
|
|
96
|
+
process.stderr.write(`${sub}: unknown flag '${k}' (got '${a}').\n`);
|
|
97
|
+
process.exit(2);
|
|
98
|
+
}
|
|
99
|
+
if (bools.has(a) || values.has(a)) { out.push(a); continue; }
|
|
100
|
+
process.stderr.write(`${sub}: unknown flag '${a}'.\n`);
|
|
101
|
+
process.exit(2);
|
|
102
|
+
}
|
|
103
|
+
return out;
|
|
104
|
+
}
|
|
105
|
+
|
|
106
|
+
function lintCmd(rawArgs) {
|
|
107
|
+
const args = validateAndExpandFlags(rawArgs, ['--json', '--stdin'], ['--file'], 'lint');
|
|
108
|
+
const json = args.includes('--json'); // argv-lint:allow — validated upstream by validateAndExpandFlags
|
|
109
|
+
const stdin = args.includes('--stdin'); // argv-lint:allow — validated upstream by validateAndExpandFlags
|
|
73
110
|
|
|
74
111
|
// --file <path> consumes the next non-flag arg.
|
|
75
112
|
let filePath = null;
|
|
76
|
-
const fileIdx = args.indexOf('--file');
|
|
113
|
+
const fileIdx = args.indexOf('--file'); // argv-lint:allow — validated upstream by validateAndExpandFlags
|
|
77
114
|
if (fileIdx !== -1) {
|
|
78
115
|
const next = args[fileIdx + 1];
|
|
79
116
|
if (!next || next.startsWith('--')) {
|
|
@@ -152,9 +189,10 @@ function lintCmd(args) {
|
|
|
152
189
|
process.exit(hits.length === 0 ? 0 : 1);
|
|
153
190
|
}
|
|
154
191
|
|
|
155
|
-
function auditCmd(
|
|
156
|
-
const
|
|
157
|
-
const
|
|
192
|
+
function auditCmd(rawArgs) {
|
|
193
|
+
const args = validateAndExpandFlags(rawArgs, ['--json', '--include-ratio'], [], 'audit');
|
|
194
|
+
const json = args.includes('--json'); // argv-lint:allow — validated upstream by validateAndExpandFlags
|
|
195
|
+
const includeRatio = args.includes('--include-ratio'); // argv-lint:allow — validated upstream by validateAndExpandFlags
|
|
158
196
|
const positional = args.filter(a => !a.startsWith('--'));
|
|
159
197
|
const transcriptPath = positional[0];
|
|
160
198
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "claudemd-cli",
|
|
3
|
-
"version": "0.9.
|
|
3
|
+
"version": "0.9.19",
|
|
4
4
|
"description": "Standalone CLI for §10-V banned-vocab + transcript scanning. Companion to the claudemd Claude Code plugin (github.com/sdsrss/claudemd) for use in git pre-commit hooks, GitHub Actions, and other agents.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|
|
@@ -16,7 +16,8 @@
|
|
|
16
16
|
"scripts": {
|
|
17
17
|
"test": "bash tests/run-all.sh",
|
|
18
18
|
"test:scripts": "node --test tests/scripts/*.test.js",
|
|
19
|
-
"test:hooks": "bash tests/hooks/*.test.sh"
|
|
19
|
+
"test:hooks": "bash tests/hooks/*.test.sh",
|
|
20
|
+
"lint:argv": "node scripts/lint-argv.js"
|
|
20
21
|
},
|
|
21
22
|
"engines": {
|
|
22
23
|
"node": ">=20"
|