create-quiver 0.15.4 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (199) hide show
  1. package/.github/pull_request_template.md +17 -0
  2. package/.github/workflows/ci.yml +76 -0
  3. package/.markdown-link-check.json +15 -0
  4. package/.markdownlint.json +11 -0
  5. package/ARCHITECTURE.md +133 -0
  6. package/CHANGELOG.md +16 -0
  7. package/CONTRIBUTING.md +174 -9
  8. package/README.md +17 -2
  9. package/README_FOR_AI.md +4 -1
  10. package/ROADMAP.md +4 -0
  11. package/SECURITY.md +9 -2
  12. package/docs/AI_CONTEXT.md.es.template +3 -1
  13. package/docs/AI_CONTEXT.md.template +3 -1
  14. package/docs/CLI_UX_GUIDE.md +20 -1
  15. package/docs/COMMANDS.md.template +20 -6
  16. package/docs/GITFLOW_PR_GUIDE.md +73 -11
  17. package/docs/GITFLOW_PR_GUIDE.md.es.template +61 -2
  18. package/docs/GITFLOW_PR_GUIDE.md.template +72 -10
  19. package/docs/INDEX.md +6 -1
  20. package/docs/QUICK.md.template +2 -1
  21. package/docs/STANDARD.md.template +2 -1
  22. package/docs/WORKFLOW.md.es.template +3 -1
  23. package/docs/WORKFLOW.md.template +6 -4
  24. package/docs/getting-started/installation.md +7 -0
  25. package/docs/reference/commands.md +138 -6
  26. package/docs/reference/slice-schema.md +37 -0
  27. package/docs/schema/slice.schema.json +221 -0
  28. package/docs/specs/01-spec/01-slice/01-slice.json +36 -0
  29. package/docs/specs/01-spec/01-slice/01-slice.md +106 -0
  30. package/docs/specs/01-spec/01-slice/CLOSURE_BRIEF.md +80 -0
  31. package/docs/specs/01-spec/01-slice/EXECUTION_BRIEF.md +39 -0
  32. package/docs/specs/01-spec/02-slice/02-slice.json +36 -0
  33. package/docs/specs/01-spec/02-slice/02-slice.md +108 -0
  34. package/docs/specs/01-spec/02-slice/CLOSURE_BRIEF.md +88 -0
  35. package/docs/specs/01-spec/02-slice/EXECUTION_BRIEF.md +40 -0
  36. package/docs/specs/01-spec/03-slice/03-slice.json +36 -0
  37. package/docs/specs/01-spec/03-slice/03-slice.md +103 -0
  38. package/docs/specs/01-spec/03-slice/CLOSURE_BRIEF.md +54 -0
  39. package/docs/specs/01-spec/03-slice/EXECUTION_BRIEF.md +39 -0
  40. package/docs/specs/01-spec/04-slice/04-slice.json +36 -0
  41. package/docs/specs/01-spec/04-slice/04-slice.md +107 -0
  42. package/docs/specs/01-spec/04-slice/CLOSURE_BRIEF.md +46 -0
  43. package/docs/specs/01-spec/04-slice/EXECUTION_BRIEF.md +39 -0
  44. package/docs/specs/01-spec/05-slice/05-slice.json +36 -0
  45. package/docs/specs/01-spec/05-slice/05-slice.md +106 -0
  46. package/docs/specs/01-spec/05-slice/CLOSURE_BRIEF.md +84 -0
  47. package/docs/specs/01-spec/05-slice/EXECUTION_BRIEF.md +109 -0
  48. package/docs/specs/01-spec/06-slice/06-slice.json +36 -0
  49. package/docs/specs/01-spec/06-slice/06-slice.md +107 -0
  50. package/docs/specs/01-spec/06-slice/CLOSURE_BRIEF.md +67 -0
  51. package/docs/specs/01-spec/06-slice/EXECUTION_BRIEF.md +39 -0
  52. package/docs/specs/01-spec/07-slice/07-slice.json +36 -0
  53. package/docs/specs/01-spec/07-slice/07-slice.md +105 -0
  54. package/docs/specs/01-spec/07-slice/CLOSURE_BRIEF.md +71 -0
  55. package/docs/specs/01-spec/07-slice/EXECUTION_BRIEF.md +39 -0
  56. package/docs/specs/01-spec/08-slice/08-slice.json +36 -0
  57. package/docs/specs/01-spec/08-slice/08-slice.md +105 -0
  58. package/docs/specs/01-spec/08-slice/CLOSURE_BRIEF.md +114 -0
  59. package/docs/specs/01-spec/08-slice/EXECUTION_BRIEF.md +39 -0
  60. package/docs/specs/01-spec/CLOSURE_BRIEF.md +87 -0
  61. package/docs/specs/01-spec/spec.md +197 -0
  62. package/docs/workflows/full-ai-spec-to-pr.md +46 -3
  63. package/i18n/es/docs/GITFLOW_PR_GUIDE.md.template +38 -1
  64. package/package.json +27 -1
  65. package/scripts/package-quiver.sh +82 -2
  66. package/scripts/release-quiver.sh +14 -3
  67. package/specs/[project-name]/slices/pr.md.template +19 -0
  68. package/specs/quiver-v43-cli-i18n-audit-release-readiness/command-language-mode-matrix.json +122 -1
  69. package/specs/quiver-v46-deep-project-analysis/EVIDENCE_REPORT.md +94 -0
  70. package/specs/quiver-v46-deep-project-analysis/EXECUTION_PLAN.md +26 -0
  71. package/specs/quiver-v46-deep-project-analysis/SPEC.md +157 -0
  72. package/specs/quiver-v46-deep-project-analysis/STATUS.md +26 -0
  73. package/specs/quiver-v46-deep-project-analysis/pr.md +131 -0
  74. package/specs/quiver-v46-deep-project-analysis/slices/slice-00-analysis-contract-foundation/CLOSURE_BRIEF.md +14 -0
  75. package/specs/quiver-v46-deep-project-analysis/slices/slice-00-analysis-contract-foundation/EXECUTION_BRIEF.md +41 -0
  76. package/specs/quiver-v46-deep-project-analysis/slices/slice-00-analysis-contract-foundation/slice.json +61 -0
  77. package/specs/quiver-v46-deep-project-analysis/slices/slice-01-stack-agnostic-discovery-sampling/CLOSURE_BRIEF.md +22 -0
  78. package/specs/quiver-v46-deep-project-analysis/slices/slice-01-stack-agnostic-discovery-sampling/EXECUTION_BRIEF.md +33 -0
  79. package/specs/quiver-v46-deep-project-analysis/slices/slice-01-stack-agnostic-discovery-sampling/slice.json +80 -0
  80. package/specs/quiver-v46-deep-project-analysis/slices/slice-02-provider-analysis-json-contract/CLOSURE_BRIEF.md +21 -0
  81. package/specs/quiver-v46-deep-project-analysis/slices/slice-02-provider-analysis-json-contract/EXECUTION_BRIEF.md +34 -0
  82. package/specs/quiver-v46-deep-project-analysis/slices/slice-02-provider-analysis-json-contract/slice.json +79 -0
  83. package/specs/quiver-v46-deep-project-analysis/slices/slice-03-doc-proposal-review-safe-writes/CLOSURE_BRIEF.md +19 -0
  84. package/specs/quiver-v46-deep-project-analysis/slices/slice-03-doc-proposal-review-safe-writes/EXECUTION_BRIEF.md +33 -0
  85. package/specs/quiver-v46-deep-project-analysis/slices/slice-03-doc-proposal-review-safe-writes/slice.json +79 -0
  86. package/specs/quiver-v46-deep-project-analysis/slices/slice-04-validation-docs-release-readiness/CLOSURE_BRIEF.md +20 -0
  87. package/specs/quiver-v46-deep-project-analysis/slices/slice-04-validation-docs-release-readiness/EXECUTION_BRIEF.md +32 -0
  88. package/specs/quiver-v46-deep-project-analysis/slices/slice-04-validation-docs-release-readiness/slice.json +85 -0
  89. package/specs/quiver-v50-audit-trust-foundation/EVIDENCE_REPORT.md +151 -0
  90. package/specs/quiver-v50-audit-trust-foundation/EXECUTION_PLAN.md +34 -0
  91. package/specs/quiver-v50-audit-trust-foundation/SPEC.md +113 -0
  92. package/specs/quiver-v50-audit-trust-foundation/STATUS.md +26 -0
  93. package/specs/quiver-v50-audit-trust-foundation/pr.md +120 -0
  94. package/specs/quiver-v50-audit-trust-foundation/slices/slice-00-audit-baseline-and-resolved-findings/CLOSURE_BRIEF.md +20 -0
  95. package/specs/quiver-v50-audit-trust-foundation/slices/slice-00-audit-baseline-and-resolved-findings/EXECUTION_BRIEF.md +58 -0
  96. package/specs/quiver-v50-audit-trust-foundation/slices/slice-00-audit-baseline-and-resolved-findings/slice.json +57 -0
  97. package/specs/quiver-v50-audit-trust-foundation/slices/slice-01-runtime-minimum-and-package-metadata/CLOSURE_BRIEF.md +24 -0
  98. package/specs/quiver-v50-audit-trust-foundation/slices/slice-01-runtime-minimum-and-package-metadata/EXECUTION_BRIEF.md +67 -0
  99. package/specs/quiver-v50-audit-trust-foundation/slices/slice-01-runtime-minimum-and-package-metadata/slice.json +71 -0
  100. package/specs/quiver-v50-audit-trust-foundation/slices/slice-02-migrate-write-safety-contract/CLOSURE_BRIEF.md +24 -0
  101. package/specs/quiver-v50-audit-trust-foundation/slices/slice-02-migrate-write-safety-contract/EXECUTION_BRIEF.md +71 -0
  102. package/specs/quiver-v50-audit-trust-foundation/slices/slice-02-migrate-write-safety-contract/slice.json +81 -0
  103. package/specs/quiver-v50-audit-trust-foundation/slices/slice-03-security-reporting-channel/CLOSURE_BRIEF.md +22 -0
  104. package/specs/quiver-v50-audit-trust-foundation/slices/slice-03-security-reporting-channel/EXECUTION_BRIEF.md +57 -0
  105. package/specs/quiver-v50-audit-trust-foundation/slices/slice-03-security-reporting-channel/slice.json +56 -0
  106. package/specs/quiver-v50-audit-trust-foundation/slices/slice-04-user-facing-i18n-error-coverage/CLOSURE_BRIEF.md +23 -0
  107. package/specs/quiver-v50-audit-trust-foundation/slices/slice-04-user-facing-i18n-error-coverage/EXECUTION_BRIEF.md +68 -0
  108. package/specs/quiver-v50-audit-trust-foundation/slices/slice-04-user-facing-i18n-error-coverage/slice.json +84 -0
  109. package/specs/quiver-v50-audit-trust-foundation/slices/slice-05-init-analyze-progress-and-summaries/CLOSURE_BRIEF.md +25 -0
  110. package/specs/quiver-v50-audit-trust-foundation/slices/slice-05-init-analyze-progress-and-summaries/EXECUTION_BRIEF.md +73 -0
  111. package/specs/quiver-v50-audit-trust-foundation/slices/slice-05-init-analyze-progress-and-summaries/slice.json +72 -0
  112. package/specs/quiver-v50-audit-trust-foundation/slices/slice-06-contributor-and-architecture-docs/CLOSURE_BRIEF.md +22 -0
  113. package/specs/quiver-v50-audit-trust-foundation/slices/slice-06-contributor-and-architecture-docs/EXECUTION_BRIEF.md +66 -0
  114. package/specs/quiver-v50-audit-trust-foundation/slices/slice-06-contributor-and-architecture-docs/slice.json +74 -0
  115. package/specs/quiver-v50-audit-trust-foundation/slices/slice-07-ci-and-documentation-lint-baseline/CLOSURE_BRIEF.md +29 -0
  116. package/specs/quiver-v50-audit-trust-foundation/slices/slice-07-ci-and-documentation-lint-baseline/EXECUTION_BRIEF.md +74 -0
  117. package/specs/quiver-v50-audit-trust-foundation/slices/slice-07-ci-and-documentation-lint-baseline/slice.json +81 -0
  118. package/specs/quiver-v51-cli-ergonomics-automation-contracts/EVIDENCE_REPORT.md +145 -0
  119. package/specs/quiver-v51-cli-ergonomics-automation-contracts/EXECUTION_PLAN.md +32 -0
  120. package/specs/quiver-v51-cli-ergonomics-automation-contracts/SPEC.md +109 -0
  121. package/specs/quiver-v51-cli-ergonomics-automation-contracts/STATUS.md +25 -0
  122. package/specs/quiver-v51-cli-ergonomics-automation-contracts/pr.md +69 -0
  123. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-00-cli-contract-baseline/CLOSURE_BRIEF.md +20 -0
  124. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-00-cli-contract-baseline/EXECUTION_BRIEF.md +58 -0
  125. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-00-cli-contract-baseline/slice.json +56 -0
  126. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-01-flow-json-compatibility/CLOSURE_BRIEF.md +21 -0
  127. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-01-flow-json-compatibility/EXECUTION_BRIEF.md +61 -0
  128. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-01-flow-json-compatibility/slice.json +68 -0
  129. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-02-dashboard-section-validation-i18n/CLOSURE_BRIEF.md +25 -0
  130. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-02-dashboard-section-validation-i18n/EXECUTION_BRIEF.md +65 -0
  131. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-02-dashboard-section-validation-i18n/pr.md +134 -0
  132. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-02-dashboard-section-validation-i18n/slice.json +80 -0
  133. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-03-base-branch-resolution-policy/CLOSURE_BRIEF.md +31 -0
  134. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-03-base-branch-resolution-policy/EXECUTION_BRIEF.md +80 -0
  135. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-03-base-branch-resolution-policy/pr.md +159 -0
  136. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-03-base-branch-resolution-policy/slice.json +102 -0
  137. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-04-next-plan-graph-ux-edge-cases/CLOSURE_BRIEF.md +25 -0
  138. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-04-next-plan-graph-ux-edge-cases/EXECUTION_BRIEF.md +74 -0
  139. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-04-next-plan-graph-ux-edge-cases/pr.md +147 -0
  140. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-04-next-plan-graph-ux-edge-cases/slice.json +91 -0
  141. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-05-evidence-robustness-path-safety/CLOSURE_BRIEF.md +28 -0
  142. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-05-evidence-robustness-path-safety/EXECUTION_BRIEF.md +73 -0
  143. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-05-evidence-robustness-path-safety/pr.md +146 -0
  144. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-05-evidence-robustness-path-safety/slice.json +100 -0
  145. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-06-namespace-compatibility-windows-scripts/CLOSURE_BRIEF.md +36 -0
  146. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-06-namespace-compatibility-windows-scripts/EXECUTION_BRIEF.md +76 -0
  147. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-06-namespace-compatibility-windows-scripts/pr.md +155 -0
  148. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-06-namespace-compatibility-windows-scripts/slice.json +111 -0
  149. package/specs/quiver-v52-schema-docs-release-hygiene/EVIDENCE_REPORT.md +95 -0
  150. package/specs/quiver-v52-schema-docs-release-hygiene/EXECUTION_PLAN.md +31 -0
  151. package/specs/quiver-v52-schema-docs-release-hygiene/SPEC.md +107 -0
  152. package/specs/quiver-v52-schema-docs-release-hygiene/STATUS.md +22 -0
  153. package/specs/quiver-v52-schema-docs-release-hygiene/pr.md +69 -0
  154. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-00-schema-docs-release-baseline/CLOSURE_BRIEF.md +21 -0
  155. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-00-schema-docs-release-baseline/EXECUTION_BRIEF.md +60 -0
  156. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-00-schema-docs-release-baseline/slice.json +62 -0
  157. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-01-json-schema-for-slice-json/CLOSURE_BRIEF.md +34 -0
  158. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-01-json-schema-for-slice-json/EXECUTION_BRIEF.md +71 -0
  159. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-01-json-schema-for-slice-json/pr.md +146 -0
  160. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-01-json-schema-for-slice-json/slice.json +106 -0
  161. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-02-generated-cli-reference/CLOSURE_BRIEF.md +33 -0
  162. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-02-generated-cli-reference/EXECUTION_BRIEF.md +67 -0
  163. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-02-generated-cli-reference/pr.md +144 -0
  164. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-02-generated-cli-reference/slice.json +86 -0
  165. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-03-changelog-package-release-smoke-hygiene/CLOSURE_BRIEF.md +38 -0
  166. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-03-changelog-package-release-smoke-hygiene/EXECUTION_BRIEF.md +75 -0
  167. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-03-changelog-package-release-smoke-hygiene/pr.md +159 -0
  168. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-03-changelog-package-release-smoke-hygiene/slice.json +105 -0
  169. package/src/create-quiver/commands/ai.js +521 -0
  170. package/src/create-quiver/commands/changelog.js +93 -0
  171. package/src/create-quiver/commands/config.js +16 -5
  172. package/src/create-quiver/commands/evidence.js +33 -2
  173. package/src/create-quiver/commands/flow.js +1 -0
  174. package/src/create-quiver/commands/graph.js +8 -2
  175. package/src/create-quiver/commands/plan.js +6 -0
  176. package/src/create-quiver/commands/spec.js +28 -13
  177. package/src/create-quiver/index.js +408 -98
  178. package/src/create-quiver/lib/ai/analyze-project-discovery.js +387 -0
  179. package/src/create-quiver/lib/ai/analyze-project-docs.js +364 -0
  180. package/src/create-quiver/lib/ai/analyze-project-parser.js +277 -0
  181. package/src/create-quiver/lib/ai/analyze-project-prompts.js +214 -0
  182. package/src/create-quiver/lib/ai/analyze-project-review.js +99 -0
  183. package/src/create-quiver/lib/ai/analyze-project-sampling.js +402 -0
  184. package/src/create-quiver/lib/ai/analyze-project-schema.js +92 -0
  185. package/src/create-quiver/lib/ai/analyze-project-validation.js +309 -0
  186. package/src/create-quiver/lib/ai/artifacts.js +4 -1
  187. package/src/create-quiver/lib/ai/github.js +5 -2
  188. package/src/create-quiver/lib/ai/spec-templates.js +19 -0
  189. package/src/create-quiver/lib/cli/command-registry.js +72 -0
  190. package/src/create-quiver/lib/cli/parser.js +14 -0
  191. package/src/create-quiver/lib/evidence.js +161 -6
  192. package/src/create-quiver/lib/git.js +99 -0
  193. package/src/create-quiver/lib/i18n/messages/en.js +52 -7
  194. package/src/create-quiver/lib/i18n/messages/es.js +54 -9
  195. package/src/create-quiver/lib/init-docs.js +1 -1
  196. package/src/create-quiver/lib/init-layout.js +9 -8
  197. package/src/create-quiver/lib/lifecycle.js +24 -26
  198. package/src/create-quiver/lib/readiness.js +67 -56
  199. package/src/create-quiver/lib/spec-worktrees.js +16 -34
@@ -2,3 +2,20 @@
2
2
 
3
3
  Please fill in the slice `pr.md` and keep this PR aligned with it.
4
4
 
5
+ ## PR Policy
6
+
7
+ - [ ] This PR contains one slice only.
8
+ - [ ] Grouped PR exception: this PR contains at most 2-3 slices, all docs-only, research-only, or low-risk mechanical cleanup.
9
+ - [ ] This PR does not mix docs with UI, backend, refactor, or performance work.
10
+ - [ ] Each included slice has separate evidence.
11
+ - [ ] The whole PR can be reverted without leaving partial state.
12
+
13
+ Individual PRs are mandatory for functional code, UI/UX, Supabase, Edge Functions, auth, storage, preview, performance/code-splitting, refactors, and tests or CI changes that affect gates.
14
+
15
+ ## Merge Policy
16
+
17
+ - [ ] Human merge is expected.
18
+ - [ ] Assisted auto-merge is explicitly authorized for this PR or for this documented category.
19
+ - [ ] Assisted auto-merge conditions are met: docs-only or chore-only, low risk, no runtime changes, no production configuration changes, green checks, and no pending comments.
20
+
21
+ Assisted auto-merge is prohibited for UI, Supabase, Edge Functions, auth, storage, preview, performance, refactors, and changes with doubtful rollback.
@@ -17,6 +17,14 @@ jobs:
17
17
  - name: Checkout
18
18
  uses: actions/checkout@v4
19
19
 
20
+ - name: Setup Node
21
+ uses: actions/setup-node@v4
22
+ with:
23
+ node-version: 22
24
+
25
+ - name: Install dependencies
26
+ run: npm ci
27
+
20
28
  - name: Install shellcheck
21
29
  run: sudo apt-get update && sudo apt-get install -y shellcheck
22
30
 
@@ -28,6 +36,43 @@ jobs:
28
36
  node -e "const fs=require('fs'); const {parseJsonWithComments}=require('./src/create-quiver/lib/json'); parseJsonWithComments(fs.readFileSync('specs/[project-name]/slices/slice-template/slice.json', 'utf8'))"
29
37
  node -e "const fs=require('fs'); const {parseJsonWithComments}=require('./src/create-quiver/lib/json'); parseJsonWithComments(fs.readFileSync('specs/quiver-v01/slices/slice-01-legal-integrity/slice.json', 'utf8'))"
30
38
 
39
+ tests:
40
+ runs-on: ubuntu-latest
41
+ steps:
42
+ - name: Checkout
43
+ uses: actions/checkout@v4
44
+
45
+ - name: Setup Node
46
+ uses: actions/setup-node@v4
47
+ with:
48
+ node-version: 22
49
+
50
+ - name: Install dependencies
51
+ run: npm ci
52
+
53
+ - name: Run portable test suite
54
+ run: npm run test:ci
55
+
56
+ - name: Run package smoke
57
+ run: npm run package:quiver
58
+
59
+ docs:
60
+ runs-on: ubuntu-latest
61
+ steps:
62
+ - name: Checkout
63
+ uses: actions/checkout@v4
64
+
65
+ - name: Setup Node
66
+ uses: actions/setup-node@v4
67
+ with:
68
+ node-version: 22
69
+
70
+ - name: Install dependencies
71
+ run: npm ci
72
+
73
+ - name: Run docs checks
74
+ run: npm run docs:check
75
+
31
76
  cross-platform-smoke:
32
77
  strategy:
33
78
  fail-fast: false
@@ -52,6 +97,37 @@ jobs:
52
97
  - name: Run cross-platform smoke
53
98
  run: node scripts/ci/smoke-cross-platform.js
54
99
 
100
+ - name: Run Windows PowerShell portable path smoke
101
+ if: runner.os == 'Windows'
102
+ shell: pwsh
103
+ run: |
104
+ $versionJson = node .\bin\create-quiver.js version --json
105
+ $version = $versionJson | ConvertFrom-Json
106
+ if (-not $version.version_schema_version -or -not $version.cli.version) {
107
+ throw "create-quiver version JSON did not include version schema metadata"
108
+ }
109
+ node .\bin\create-quiver.js slice check --local specs\quiver-v51-cli-ergonomics-automation-contracts\slices\slice-00-cli-contract-baseline\slice.json
110
+ node .\bin\create-quiver.js handoff check specs\quiver-v51-cli-ergonomics-automation-contracts\slices\slice-06-namespace-compatibility-windows-scripts\EXECUTION_BRIEF.md
111
+ npm run quiver:check-handoff -- specs\quiver-v51-cli-ergonomics-automation-contracts\slices\slice-06-namespace-compatibility-windows-scripts\EXECUTION_BRIEF.md
112
+ npm run test:ci -- tests\lib\paths.test.js
113
+
55
114
  - name: Run tiered pack smoke
56
115
  shell: bash
57
116
  run: bash scripts/ci/smoke-tiered-pack.sh
117
+
118
+ minimum-node:
119
+ runs-on: ubuntu-latest
120
+ steps:
121
+ - name: Checkout
122
+ uses: actions/checkout@v4
123
+
124
+ - name: Setup minimum supported Node
125
+ uses: actions/setup-node@v4
126
+ with:
127
+ node-version: 20.12.0
128
+
129
+ - name: Install dependencies
130
+ run: npm ci
131
+
132
+ - name: Run full test suite on minimum Node
133
+ run: npm run test:ci
@@ -0,0 +1,15 @@
1
+ {
2
+ "ignorePatterns": [
3
+ {
4
+ "pattern": "^https?://"
5
+ },
6
+ {
7
+ "pattern": "^mailto:"
8
+ },
9
+ {
10
+ "pattern": "^#"
11
+ }
12
+ ],
13
+ "retryOn429": false,
14
+ "timeout": "5s"
15
+ }
@@ -0,0 +1,11 @@
1
+ {
2
+ "default": true,
3
+ "MD012": false,
4
+ "MD013": false,
5
+ "MD024": {
6
+ "siblings_only": true
7
+ },
8
+ "MD033": false,
9
+ "MD041": false,
10
+ "MD060": false
11
+ }
@@ -0,0 +1,133 @@
1
+ # Quiver Architecture
2
+
3
+ Quiver is a Node.js CLI package published as `create-quiver`. It bootstraps and
4
+ operates a WDD + SDD workflow around specs, slices, handoffs, validation
5
+ evidence, and PR readiness.
6
+
7
+ ## Runtime Entrypoints
8
+
9
+ | Surface | Path | Purpose |
10
+ |---|---|---|
11
+ | CLI binary | `bin/create-quiver.js` | Package binary for `create-quiver` and `quiver`. |
12
+ | Main dispatcher | `src/create-quiver/index.js` | Parses top-level args, routes commands, renders help, and wires command modules. |
13
+ | Package scripts | `package.json` | Contributor and generated workflow shortcuts such as `quiver:plan`, `quiver:graph`, and `package:quiver`. |
14
+
15
+ The public bootstrap command is `npx create-quiver ...`. The `quiver` binary is
16
+ a local installed alias to the same entrypoint.
17
+
18
+ ## Command Layer
19
+
20
+ Command modules live under `src/create-quiver/commands/`.
21
+
22
+ | Area | Representative files | Responsibility |
23
+ |---|---|---|
24
+ | Project setup | `analyze.js`, `prepare.js`, `config.js` | Project scans, diagnostics, language config, and preparation checks. |
25
+ | Read-only status | `dashboard.js`, `flow.js`, `next.js`, `plan.js`, `graph.js` | Guided status, dependency graphs, and next-slice discovery. |
26
+ | AI workflow | `ai.js`, `src/create-quiver/lib/ai/**` | Planner drafts, approvals, profiles, execution plans, provider execution, PR preflight, and export. |
27
+ | Specs and lifecycle | `spec.js`, `src/create-quiver/lib/lifecycle.js`, `src/create-quiver/lib/spec-worktrees.js` | Spec creation/validation, slice readiness, worktrees, and closure. |
28
+ | Evidence and demos | `evidence.js`, `demo.js` | Validation evidence capture and optional static Spec Viewer demo generation. |
29
+
30
+ The current `origin/main` help surface uses legacy slice/handoff commands such
31
+ as `start-slice`, `check-slice`, `check-pr`, `check-handoff`, `new-handoff`,
32
+ `cleanup-slice`, `check-scope`, and `refresh-active-slices`.
33
+
34
+ ## Library Layer
35
+
36
+ Shared logic lives under `src/create-quiver/lib/`.
37
+
38
+ | Area | Representative files |
39
+ |---|---|
40
+ | Project analysis and generated docs | `analyze.js`, `project-scan.js`, `init-docs.js`, `init-layout.js`, `template-resolver.js` |
41
+ | State and safety | `state.js`, `project-state-resolver.js`, `statuses.js`, `locks.js`, `paths.js`, `scope.js` |
42
+ | UX and i18n | `cli/ux.js`, `cli/theme.js`, `cli/selectors.js`, `cli/ux-flags.js`, `i18n/**` |
43
+ | AI orchestration | `ai/artifacts.js`, `ai/context-packs.js`, `ai/executor.js`, `ai/providers.js`, `ai/spec-generator.js`, `ai/phase-gates.js` |
44
+ | Spec graphing | `slice.js`, `slice-graph.js`, `renderers/tree.js`, `renderers/mermaid.js`, `renderers/dot.js` |
45
+ | Packaging | `package-safety.js`, `version.js` |
46
+
47
+ Keep command modules thin where possible. Put reusable behavior in `lib/` so it
48
+ can be tested without spawning the full CLI.
49
+
50
+ ## Specs and Slices
51
+
52
+ Quiver dogfoods its own workflow in `specs/quiver-vNN-*`.
53
+
54
+ Each spec contains:
55
+
56
+ - `SPEC.md`: problem, objective, scope, acceptance criteria, guardrails.
57
+ - `STATUS.md`: current status and per-slice state.
58
+ - `EVIDENCE_REPORT.md`: validation evidence and decisions.
59
+ - `EXECUTION_PLAN.md`: dependency-aware execution order.
60
+ - `pr.md`: PR body source.
61
+ - `slices/<slice-id>/slice.json`: machine-readable scope, dependencies, and validation.
62
+ - `slices/<slice-id>/EXECUTION_BRIEF.md`: executor instructions.
63
+ - `slices/<slice-id>/CLOSURE_BRIEF.md`: completion conditions and validation record.
64
+
65
+ Slice numbering resets inside each spec. `slice-00` is the documentary
66
+ foundation for that spec; `slice-01` is the first implementation slice in that
67
+ same spec.
68
+
69
+ ## Generated Project Contract
70
+
71
+ When Quiver initializes another project, it writes visible workflow docs and
72
+ internal state:
73
+
74
+ - Visible docs: `AGENTS.md`, `docs/**`, `specs/<project-slug>/**` when specs are created.
75
+ - Internal state: `.quiver/config.json`, `.quiver/state.json`,
76
+ `.quiver/scans/PROJECT_SCAN.json`, `.quiver/runs/**`, `.quiver/agents/**`.
77
+
78
+ Do not treat `.quiver/` as product code. It is local workflow state and must not
79
+ be published to npm.
80
+
81
+ ## Templates and Localization
82
+
83
+ Human Markdown templates live under `docs/*.template`; Spanish variants use
84
+ `.es.template`. Machine-readable artifacts, command names, flags, ids,
85
+ providers, and JSON keys are not localized.
86
+
87
+ Spec templates live under `specs/[project-name]/`. Optional docs examples live
88
+ under `docs/examples/`.
89
+
90
+ ## Package Boundary
91
+
92
+ `scripts/package-quiver.sh` builds and validates the npm tarball. The package
93
+ must include the CLI entrypoint, runtime source, README, public docs/templates,
94
+ community files, package scripts, and the minimal spec template.
95
+
96
+ The package must exclude tests, local examples, historical dogfooding specs that
97
+ are explicitly ignored, CI-only scripts, local PDFs, worktrees, provider state,
98
+ secrets, `.DS_Store`, and npm credentials. `src/create-quiver/lib/package-safety.js`
99
+ enforces additional unsafe-path checks against tarball contents.
100
+
101
+ ## Tests and Smokes
102
+
103
+ | Command | Purpose |
104
+ |---|---|
105
+ | `node --test` | Full Node test suite. |
106
+ | `node --test tests/<file>.js` | Targeted test file. |
107
+ | `npm run package:quiver` | Build tarball and validate package contents. |
108
+ | `bash scripts/ci/smoke-create-quiver.sh` | Package-installed CLI smoke. |
109
+ | `npm run smoke:doctor-fixtures` | Doctor/preflight fixture smoke. |
110
+ | `npm run smoke:tiered-pack` | Tiered packaging smoke. |
111
+ | `npm run smoke:guided-workflow` | Guided workflow smoke. |
112
+
113
+ Run `node bin/create-quiver.js --help` after changing command surfaces or docs
114
+ that mention command names.
115
+
116
+ ## CI
117
+
118
+ `.github/workflows/ci.yml` currently validates shell scripts, selected slice
119
+ templates, cross-platform smoke behavior on Ubuntu/macOS/Windows, and package
120
+ smoke coverage.
121
+
122
+ CI should stay deterministic and local-first. Avoid adding blocking network link
123
+ checks or publish steps unless a slice explicitly provides the safety contract.
124
+
125
+ ## Design Constraints
126
+
127
+ - Keep JSON stdout clean and machine-readable.
128
+ - Keep prompts and spinners out of CI, no-TTY, `--json`, and `--no-color` flows.
129
+ - Preserve existing command compatibility unless a slice explicitly scopes a
130
+ breaking change.
131
+ - Prefer additive fields and aliases over removing established contracts.
132
+ - Do not publish local audit files, generated PDFs, worktrees, secrets, or AI
133
+ raw provider state.
package/CHANGELOG.md CHANGED
@@ -6,6 +6,14 @@ All notable changes to this project will be documented in this file.
6
6
 
7
7
  ### Added
8
8
 
9
+ - v46 deep project analysis under `specs/quiver-v46-deep-project-analysis/`.
10
+ - `ai analyze-project` for bounded, evidence-backed repository analysis with read-only `--dry-run`, JSON automation output, provider-backed `--review`, safe doc writes, snapshots, and post-write validation.
11
+ - Top-level read-only `changelog` command with human and JSON output for inspecting packaged release notes.
12
+ - Spec 01 branch-recovery closure package under `docs/specs/01-spec/`, including controlled branch-cleanup guidance and release-readiness evidence.
13
+ - v52 schema/docs/release hygiene under `specs/quiver-v52-schema-docs-release-hygiene/`.
14
+ - Public `slice.json` JSON Schema docs and schema validation with `npm run schema:slice:check`.
15
+ - Generated CLI command reference drift checks with `npm run docs:commands:write` and `npm run docs:commands:check`.
16
+ - Changelog validation with `npm run changelog:check`.
9
17
  - Implemented v31 AI model catalog and guided agent setup under `specs/quiver-v31-ai-model-catalog-agent-selection/`.
10
18
  - Local known-model catalog for Codex, Claude, and Gemini, with role metadata, alias normalization, and `ai models list`.
11
19
  - Guided provider/model selection for `ai agent set <role>`, plus `ai agent doctor` and `ai agent repair --dry-run` for legacy or invalid profiles.
@@ -17,6 +25,14 @@ All notable changes to this project will be documented in this file.
17
25
 
18
26
  ### Changed
19
27
 
28
+ - Existing-project AI onboarding now recommends `ai analyze-project --deep --dry-run` before context preparation so agents can see the intended read set, omissions, budgets, and privacy exclusions before any provider-backed docs update.
29
+ - npm package hygiene now excludes local `.quiver/` run state from published tarballs.
30
+ - CLI parser and command registry are now split into explicit modules while preserving existing command behavior and legacy aliases.
31
+ - Release-readiness evidence now includes a command-role audit that explains what each public command is for and how it was safely validated.
32
+ - `npm run docs:check` now includes generated CLI command reference drift detection.
33
+ - Package smoke now installs the generated tarball and verifies the installed CLI with `--version`, `--help`, and `init --dry-run`.
34
+ - Release dry-runs now require changelog, docs, schema, installer, package, and installed CLI smoke gates before publishing guidance.
35
+ - Release publishing remains explicitly guarded and requires `QUIVER_ALLOW_NPM_PUBLISH=1` when using publish flags.
20
36
  - Agent profiles now distinguish the technical `model` id passed to provider CLIs from the human `displayName` shown in Quiver output.
21
37
  - Live AI commands now normalize safe CLI model aliases, block persisted display aliases before provider execution, and surface invalid-model provider failures more clearly.
22
38
  - Public docs, generated templates, CLI help, and smoke checks now describe model catalog entries as known by Quiver, not guaranteed account availability.
package/CONTRIBUTING.md CHANGED
@@ -1,15 +1,180 @@
1
1
  # Contributing
2
2
 
3
- ## How to Contribute
3
+ Thanks for contributing to Quiver. This repository is the source for the
4
+ `create-quiver` CLI, the generated workflow templates, and the public docs used
5
+ by teams adopting WDD + SDD.
4
6
 
5
- 1. Open an issue describing the problem or proposal.
6
- 2. Wait for the scope to be clarified if needed.
7
- 3. Open a pull request that matches one slice.
8
- 4. Link the issue and the slice in the PR body.
7
+ ## Prerequisites
9
8
 
10
- ## Expectations
9
+ - Node.js and npm. Use the version declared in `package.json` when present; if
10
+ no runtime metadata is present on your branch, match the Node version used by
11
+ CI.
12
+ - Git and GitHub CLI (`gh`) for PR workflows.
13
+ - ShellCheck when changing Bash scripts under `scripts/`.
11
14
 
12
- - Keep changes small and scoped.
13
- - Follow the slice workflow.
14
- - Include evidence when the change needs validation.
15
+ ## Setup
15
16
 
17
+ ```bash
18
+ git clone git@github.com:FabriJuncal/quiver.git
19
+ cd quiver
20
+ npm ci
21
+ node bin/create-quiver.js --help
22
+ ```
23
+
24
+ Quiver is normally executed through `npx create-quiver` by users. Contributors
25
+ can run the local checkout directly with `node bin/create-quiver.js ...`.
26
+
27
+ ## Repository Workflow
28
+
29
+ 1. Open or reference an issue, audit finding, or approved requirement.
30
+ 2. Work from the relevant spec under `specs/quiver-vNN-*`.
31
+ 3. Execute one slice at a time and keep one commit per slice.
32
+ 4. Keep changes inside the slice `files` or `allowed_write_paths`.
33
+ 5. Record validation evidence in the spec's `EVIDENCE_REPORT.md`.
34
+ 6. Update the slice `CLOSURE_BRIEF.md`, `STATUS.md`, and `slice.json` when a
35
+ slice is completed.
36
+ 7. Open one PR per slice by default using the relevant `pr.md`.
37
+ 8. Group slices in one PR only when the grouped PR policy in
38
+ `docs/GITFLOW_PR_GUIDE.md` allows it.
39
+
40
+ Use the branch and base metadata in the target `slice.json`. If a branch guide
41
+ and `slice.json` disagree, prefer the current slice metadata and document the
42
+ decision in the PR notes.
43
+
44
+ ## Specs and Slices
45
+
46
+ The real convention in this repository is:
47
+
48
+ ```text
49
+ specs/quiver-vNN-short-name/
50
+ ├─ SPEC.md
51
+ ├─ STATUS.md
52
+ ├─ EVIDENCE_REPORT.md
53
+ ├─ EXECUTION_PLAN.md
54
+ ├─ pr.md
55
+ └─ slices/
56
+ └─ slice-XX-short-name/
57
+ ├─ slice.json
58
+ ├─ EXECUTION_BRIEF.md
59
+ └─ CLOSURE_BRIEF.md
60
+ ```
61
+
62
+ Do not document `docs/specs` as the canonical source for this repo. Generated
63
+ projects may receive their own `specs/<project-slug>/...` tree, but Quiver's
64
+ own dogfooding specs live under `specs/quiver-vNN-*`.
65
+
66
+ ## Useful Commands
67
+
68
+ ```bash
69
+ node bin/create-quiver.js --help
70
+ node bin/create-quiver.js spec validate specs/<spec-dir>
71
+ node bin/create-quiver.js check-slice specs/<spec-dir>/slices/<slice-id>/slice.json --local
72
+ node bin/create-quiver.js check-scope specs/<spec-dir>/slices/<slice-id>/slice.json --base origin/main --strict
73
+ npm run test:ci
74
+ npm run docs:check
75
+ npm run package:quiver
76
+ bash scripts/ci/smoke-create-quiver.sh
77
+ ```
78
+
79
+ Current public CLI commands include canonical namespaces such as
80
+ `slice start`, `slice check`, `slice pr`, `slice scope`, `slice cleanup`,
81
+ `slice refresh-active`, `handoff check`, and `handoff new`. Legacy workflow
82
+ aliases such as `start-slice`, `check-slice`, `check-pr`, `check-handoff`,
83
+ `new-handoff`, `cleanup-slice`, `check-scope`, and `refresh-active-slices`
84
+ remain available for backward compatibility and warn on stderr. Do not document
85
+ unsupported command aliases unless they appear in `node bin/create-quiver.js --help`
86
+ on the branch you are changing.
87
+
88
+ ## Validation Expectations
89
+
90
+ Run the smallest test set that proves the slice, then run broader gates when
91
+ the slice affects shared CLI behavior, package metadata, templates, or release
92
+ checks.
93
+
94
+ Recommended validation by change type:
95
+
96
+ | Change type | Minimum validation |
97
+ |---|---|
98
+ | Spec or slice docs only | `node bin/create-quiver.js spec validate specs/<spec-dir>` and `git diff --check` |
99
+ | CLI behavior | Targeted `npm run test:ci -- tests/...`, then `npm run test:ci` when shared paths change |
100
+ | Templates/generated docs | Init/analyze/doctor targeted tests plus `npm run docs:check` when docs links or public docs change |
101
+ | Package boundary | `npm run package:quiver` and installed CLI smoke when package contents change |
102
+ | Scripts | Relevant smoke script and ShellCheck for Bash scripts |
103
+
104
+ CI uses the same local equivalents:
105
+
106
+ - `npm ci` installs from the committed lockfile.
107
+ - `npm run test:ci` runs Node's native test runner through `scripts/ci/run-node-tests.js` without shell glob expansion.
108
+ - `npm run docs:lint` checks a controlled public-docs markdown scope.
109
+ - `npm run docs:links` checks local documentation links and ignores external URLs to avoid flaky network gates.
110
+ - `npm run package:quiver` validates the npm package boundary.
111
+
112
+ Always record commands, exit codes, and meaningful output in the relevant
113
+ `EVIDENCE_REPORT.md`.
114
+
115
+ ## PR Requirements
116
+
117
+ Follow `docs/GITFLOW_PR_GUIDE.md` for PR structure, PR sizing, and merge
118
+ policy. Slice PR bodies must use:
119
+
120
+ - `## Title`
121
+ - `## Summary`
122
+ - `## PR Policy`
123
+ - `## Scope`
124
+ - `## Files`
125
+ - `## How to Test (DETAILED - REQUIRED)`
126
+ - `## Evidence`
127
+ - `## Rollback`
128
+ - `## Risks / Notes`
129
+
130
+ Use draft PRs while a spec or slice still needs review. Do not include local
131
+ audit inputs, PDFs, `.DS_Store`, worktrees, provider state, or secrets.
132
+
133
+ Open an individual PR when a slice changes functional code, UI/UX, Supabase,
134
+ Edge Functions, auth, storage, preview, performance/code-splitting, refactors,
135
+ or tests/CI gates. Grouped PRs are limited to at most 2-3 docs-only,
136
+ research-only, or low-risk mechanical-cleanup slices, with separate evidence
137
+ and no behavior changes.
138
+
139
+ Human merge is the default. Agents may create PRs, fix CI, monitor checks, and
140
+ mark PRs as ready. Assisted auto-merge requires explicit human authorization and
141
+ is limited to low-risk docs-only or chore-only PRs with green checks, no runtime
142
+ or production configuration changes, and no pending comments.
143
+
144
+ ## Templates and Examples
145
+
146
+ - Human docs templates live under `docs/*.template` and localized variants use
147
+ `.es.template`.
148
+ - Machine templates such as `slice.json` are not localized.
149
+ - Spec templates live under `specs/[project-name]/`.
150
+ - Optional examples live under `docs/examples/`; generated demo output must not
151
+ be committed unless the slice explicitly asks for it.
152
+
153
+ ## Package Boundary
154
+
155
+ The npm package is validated by `scripts/package-quiver.sh`. It requires the
156
+ runtime CLI, docs/templates, public metadata, community files, and package
157
+ scripts. It excludes tests, examples, old historical specs, CI-only scripts,
158
+ local PDFs, local AI state, worktrees, env files, npm credentials, and other
159
+ developer-only artifacts.
160
+
161
+ `npm run package:quiver` also installs the generated tarball in a temporary
162
+ project and verifies the installed CLI with `--version`, `--help`, and
163
+ `init --dry-run`. This catches package-boundary drift that local source tests
164
+ cannot catch.
165
+
166
+ If a contribution changes what should be published, update the package smoke and
167
+ package-safety expectations in the same slice.
168
+
169
+ ## Changelog and Release Hygiene
170
+
171
+ - Every release-impacting slice must update `CHANGELOG.md` under
172
+ `[Unreleased]`.
173
+ - Keep entries categorized with headings such as `Added`, `Changed`, or `Fixed`.
174
+ - Run `npm run changelog:check` before opening a release or package-boundary PR.
175
+ - Run `npm run release:quiver` as a dry-run gate before release. It validates
176
+ changelog, docs, schema, installer smoke, package contents, and installed CLI
177
+ behavior.
178
+ - Publishing remains manual by default. The release script only honors
179
+ `--publish` or `--publish-current` when the release is explicitly authorized
180
+ with `QUIVER_ALLOW_NPM_PUBLISH=1`.
package/README.md CHANGED
@@ -39,7 +39,7 @@ En lugar de pedirle a un agente "hacé esto y vemos qué pasa", Quiver propone u
39
39
  4. generar specs y slices;
40
40
  5. ejecutar un slice por vez;
41
41
  6. validar con evidencia;
42
- 7. abrir un PR por spec.
42
+ 7. abrir un PR por slice por defecto.
43
43
 
44
44
  ## ¿Qué problema resuelve?
45
45
 
@@ -90,6 +90,8 @@ flowchart TD
90
90
 
91
91
  ## Primeros pasos
92
92
 
93
+ Requisito runtime: Node.js `>=20.12.0`. Ese mínimo está declarado en `package.json` y coincide con las dependencias publicadas que usa el CLI.
94
+
93
95
  Ejecutá Quiver desde la raíz del proyecto que querés preparar.
94
96
 
95
97
  ```bash
@@ -102,17 +104,21 @@ npx --yes create-quiver@latest doctor
102
104
  Después prepará el contexto para IA:
103
105
 
104
106
  ```bash
107
+ npx --yes create-quiver@latest ai analyze-project --deep --dry-run
105
108
  npx --yes create-quiver@latest ai prepare-context --dry-run
106
109
  npx --yes create-quiver@latest ai prepare-context
107
110
  ```
108
111
 
109
- Ese flujo usa el modo determinístico de Quiver: analiza el proyecto y actualiza solo documentación de contexto sin llamar a un proveedor de IA. Si querés que un agente planificador proponga el contexto, usá el modo asistido:
112
+ `ai analyze-project --deep --dry-run` arma una muestra representativa del repo sin escribir archivos ni ejecutar proveedor. El flujo de `prepare-context` usa el modo determinístico de Quiver: analiza el proyecto y actualiza solo documentación de contexto sin llamar a un proveedor de IA. Si querés que un agente planificador proponga el contexto, usá el modo asistido:
110
113
 
111
114
  ```bash
115
+ npx --yes create-quiver@latest ai analyze-project --deep --review
112
116
  npx --yes create-quiver@latest ai prepare-context --with-planner --dry-run
113
117
  npx --yes create-quiver@latest ai prepare-context --with-planner --review --interactive
114
118
  ```
115
119
 
120
+ `ai analyze-project --deep --review` ejecuta el proveedor configurado, valida JSON con evidencia, abre revisión humana y solo escribe docs permitidos después de confirmación. No lee `.env`, dependencias, caches, binarios ni outputs generados; tampoco afirma comprensión perfecta cuando la evidencia no alcanza.
121
+
116
122
  La inicialización crea un contrato visible para humanos y agentes, más estado interno de Quiver:
117
123
 
118
124
  - `AGENTS.md`
@@ -176,6 +182,8 @@ Usá la guía que corresponda al estado de tu proyecto:
176
182
  | `npx --yes create-quiver@latest doctor --json` | Devuelve el diagnóstico como JSON para automatizaciones. |
177
183
  | `npx --yes create-quiver@latest flow` | Indica el próximo paso seguro. |
178
184
  | `npx --yes create-quiver@latest dashboard` | Muestra estado consolidado de specs, slices, runs, approvals y agentes sin escribir archivos. |
185
+ | `npx --yes create-quiver@latest ai analyze-project --deep --dry-run` | Muestra qué archivos leería para inferir producto, arquitectura, funcionalidades y riesgos, sin escribir ni ejecutar proveedor. |
186
+ | `npx --yes create-quiver@latest ai analyze-project --deep --review` | Ejecuta análisis IA con evidencia, abre revisión humana y actualiza solo docs permitidos con snapshot previo. |
179
187
  | `npx --yes create-quiver@latest ai prepare-context --dry-run` | Previsualiza contexto de onboarding para IA sin tocar código de producto. |
180
188
  | `npx --yes create-quiver@latest ai prepare-context --with-planner --dry-run` | Previsualiza una propuesta de contexto generada por el planner. |
181
189
  | `npx --yes create-quiver@latest ai models list` | Lista proveedores y modelos conocidos por Quiver para configurar agentes. |
@@ -260,6 +268,10 @@ Los perfiles de agentes separan dos datos:
260
268
  - Un CLI local de proveedor si querés que Quiver invoque IA directamente.
261
269
 
262
270
  El CLI está pensado para macOS, Linux, Windows PowerShell, Git Bash y WSL.
271
+ En Windows PowerShell usá el CLI Node o los scripts `quiver:*` generados, por
272
+ ejemplo `npm run quiver:check-slice -- --local specs/<spec>/slices/<slice>/slice.json`.
273
+ Los scripts Bash legacy, como `start:slice` o `check:slice`, se conservan solo
274
+ para compatibilidad en shells con Bash.
263
275
 
264
276
  ## Desarrollar Quiver
265
277
 
@@ -275,6 +287,9 @@ npm run package:quiver
275
287
  Validación de release:
276
288
 
277
289
  ```bash
290
+ npm run changelog:check
291
+ npm run docs:check
292
+ npm run schema:slice:check
278
293
  npm run smoke:create-quiver
279
294
  npm run smoke:doctor-fixtures
280
295
  npm run smoke:guided-workflow
package/README_FOR_AI.md CHANGED
@@ -17,6 +17,7 @@ If the project already exists from an older Quiver version and was previously in
17
17
  If the project was never initialized by Quiver, do not use `migrate` as bootstrap; run `npx create-quiver init --name "Project Name"` first.
18
18
  Use `npx create-quiver evidence run -- <command>` to capture validation evidence with command, exit code, duration, truncated output, and best-effort redaction. The safe default output is `.quiver/evidence/`; use `--output <file>` when a slice needs a specific evidence artifact.
19
19
  Use `npx create-quiver demo create spec-viewer --dry-run` to inspect the optional Quiver Spec Viewer demo scaffold, then add `--dir <target>` for a real run. The demo is not part of default init and must remain small, static, dependency-light, and non-destructive.
20
+ Use `npx create-quiver ai analyze-project --deep --dry-run` before asking IA to describe an existing repo. Dry-run must stay read-only, skip provider execution, and explain selected/omitted files. Use `npx create-quiver ai analyze-project --deep --review` only when the human wants provider-backed docs: it must validate JSON with evidence/confidence, open editable review, show final diff, require confirmation, snapshot under `.quiver/runs`, redact artifacts, and run post-write validation. Never claim perfect project understanding; keep weak conclusions as `unknown` or `needs_confirmation`.
20
21
  The v20, v21, v22, and v23 specs are completed. `specs/quiver-v23-guided-flow-productization/` productized the manual planner/executor prompt workflow into guided Quiver commands, profiles, compact prompts, safe approvals, executor prompts, delegated execution modes, and release readiness evidence.
21
22
  The v24 spec is implemented under `specs/quiver-v24-dx-onboarding-hardening/`; it captures DX hardening found while dogfooding Quiver with Quiver Spec Viewer, including init hygiene, CLI ambiguity, local slice validation, analyzer quality, AI context preparation, evidence capture, and demo scaffolding. Do not claim a package release until npm publication actually happens.
22
23
  The v25 spec is implemented under `specs/quiver-v25-ai-first-lifecycle-orchestrator/` and shipped in `create-quiver@0.12.0`; it covers safe AI onboarding docs, strict run state, phase locks, agent adapters, approval gates, spec/slice generation, execution planning, controlled slice execution, worktree/PR lifecycle, validation hardening, export, and migration.
@@ -29,6 +30,7 @@ The v31 spec is implemented and release-ready pending PR/package publication und
29
30
  The v32 documentation spec is implemented under `specs/quiver-v32-npx-installation-guidance/`; it clarifies why `npx --yes create-quiver@latest` does not install Quiver into project `node_modules`, when to install `create-quiver` as a `devDependency`, and where users should look when troubleshooting that behavior.
30
31
  The v34 dashboard spec is implemented under `specs/quiver-v34-cli-dashboard-status/`; it adds the read-only top-level `dashboard` command, compact schema v1 JSON output, global vs visible progress, next-ready slice guidance, edge-case guardrails, `quiver:dashboard` generated scripts, docs, tests, smokes, and package-readiness evidence. It does not publish npm.
31
32
  The v35 dashboard/version UX spec is implemented under `specs/quiver-v35-compact-dashboard-version-ux/`; it keeps `dashboard` compact by default, adds `dashboard --details`, `dashboard --section <name>`, `dashboard --limit <n>`, and adds the Quiver-branded `version` command without changing top-level `--version` / `-V`.
33
+ The v46 deep project analysis spec is implemented under `specs/quiver-v46-deep-project-analysis/` and release-ready pending npm publication. It adds `ai analyze-project` with bounded stack-agnostic discovery, semantic sampling, privacy exclusions, evidence/confidence validation, provider-backed JSON parsing, editable human review, docs-only safe writes, `.quiver/runs` snapshots, and post-write consistency checks.
32
34
  Guided AI workflow behavior is available: prepare, approvals, production-readiness plan review, spec worktrees, executor commits, execution waves, PR creation, spec close, and package safety.
33
35
  Generated projects also get `quiver:*` npm scripts that call the Node CLI directly; prefer those for repeatable project workflows, including `quiver:version` for version metadata, `quiver:flow` for the read-only guided entrypoint, `quiver:dashboard` for consolidated read-only project/spec/slice status, `quiver:plan` for sequential planning, `quiver:graph` for parallel-level inspection, `quiver:next` for the next ready slice, `quiver:evidence` for local command evidence, `quiver:spec:create` for real spec generation, `quiver:spec:validate` for full spec validation, and the AI family `quiver:ai:agent`, `quiver:ai:inspect`, `quiver:ai:export`, `quiver:ai:specs`, `quiver:ai:slices`, `quiver:ai:trace`, `quiver:ai:onboard`, `quiver:ai:prepare-context`, `quiver:ai:plan`, `quiver:ai:review-plan`, `quiver:ai:approve`, `quiver:ai:prompt-slice`, `quiver:ai:execute-slice`, `quiver:ai:execute-plan`, `quiver:ai:pr`, and `quiver:ai:doctor`. Use `quiver:graph --format mermaid` for PR-ready Markdown or `quiver:graph --format dot` for Graphviz source.
34
36
  `quiver:ai:execute-plan` supports `--mode manual` for paste-ready executor prompts and `--mode delegated` for temporary worktrees on parallel-ready waves; unsafe waves fall back to sequential execution.
@@ -51,11 +53,12 @@ The primary generated project context for agents is `docs/AI_CONTEXT.md`.
51
53
  The project map is the single source of truth for stack, package manager, commands, and file hints: `docs/PROJECT_MAP.md`.
52
54
  The raw analyzer output is internal machinery at `.quiver/scans/PROJECT_SCAN.json`; read it only when the visible map is not enough.
53
55
  `npx create-quiver analyze --dry-run` must remain read-only and only preview the scan/project-map/context writes. `npx create-quiver flow` reports the context source/freshness and the package-manager-aware generated script command so agents can see whether the project map is current, stale, partial, legacy, invalid, or missing.
56
+ `npx create-quiver ai analyze-project --deep --dry-run` is the safe default for evidence-backed IA context analysis and must not write files or call provider CLIs. It excludes `.env`, `.git`, `.quiver`, dependencies, caches, build outputs, binaries and symlinks. Live `ai analyze-project --deep --review` may update only approved docs (`docs/CONTEXTO.md`, `docs/AI_CONTEXT.md`, `docs/ARCHITECTURE.md`, `docs/STATUS.md`, `docs/DECISIONS.md`, `docs/PROJECT_MAP.md`) after editable review and confirmation.
54
57
  `npx create-quiver ai prepare-context --dry-run` remains the deterministic default and must not execute provider CLIs. `npx create-quiver ai prepare-context --with-planner --dry-run` previews planner-assisted context preparation. `--with-planner --print-prompt` prints the exact prompt without provider auth; live planner writes should use `--review` and/or `--interactive` when the human wants review before docs-only writes.
55
58
  `npx create-quiver ai agent set <role> --provider <provider> --model <model-id> --dry-run` must preview `.quiver/agents/profiles.json` changes without writing. In TTY mode, `npx create-quiver ai agent set <role>` can guide provider/model selection; in CI/no-TTY, require explicit `--provider` and `--model`. Use dry-run before saving planner/executor/reviewer/doctor profiles.
56
59
  GitHub PR diagnostics must stay cross-platform: auth failures should point to likely account, scope, and SSH alias issues; path examples with spaces must be copy-safe for macOS/Linux, Windows PowerShell, Git Bash, and WSL.
57
60
  CLI UX standard lives in `docs/CLI_UX_GUIDE.md`. Supported Quiver colors are `#86C8F2`, `#6BADEB`, `#7F9EE8`, `#9B82E6`, and `#D56AB0`; output must respect `--no-color`, `NO_COLOR`, CI, and no-TTY environments.
58
- UX flags are intentionally limited: `ai prepare-context`, `ai plan`, and `spec create` support `--with-planner`, `--interactive`, and `--review`; `ai pr` supports `--interactive` and `--review` but rejects `--with-planner`; read-only commands such as `flow`, `dashboard`, `version`, `next`, `graph`, `ai inspect`, `ai export`, `ai specs list`, `ai slices list`, and `ai trace report` reject these UX flags. `dashboard` may use read-only inspection flags `--details`, `--section`, and `--limit`; `--json` must reject human-only dashboard flags plus `--interactive` and `--review` before writing human output.
61
+ UX flags are intentionally limited: `ai analyze-project` supports `--review` for provider-backed docs after dry-run-first analysis; `ai prepare-context`, `ai plan`, and `spec create` support `--with-planner`, `--interactive`, and `--review`; `ai pr` supports `--interactive` and `--review` but rejects `--with-planner`; read-only commands such as `flow`, `dashboard`, `version`, `next`, `graph`, `ai inspect`, `ai export`, `ai specs list`, `ai slices list`, and `ai trace report` reject these UX flags. `dashboard` may use read-only inspection flags `--details`, `--section`, and `--limit`; `--json` must reject human-only dashboard flags plus `--interactive` and `--review` before writing human output.
59
62
  The universal router for generated projects is `AGENTS.md`; read it before `docs/AI_CONTEXT.md` and `docs/AI_ONBOARDING_PROMPT.md`.
60
63
  Generated projects also get `docs/DECISIONS.md`; use it for durable choices that should not be re-litigated.
61
64
  If a generated project has been analyzed, the exact agent handoff prompt is `docs/AI_ONBOARDING_PROMPT.md`.
package/ROADMAP.md CHANGED
@@ -1,5 +1,9 @@
1
1
  # Roadmap
2
2
 
3
+ Note: `vNN` labels in this file refer to Quiver's internal dogfooding specs
4
+ under `specs/quiver-vNN-*`. They are not npm semver releases unless the section
5
+ explicitly says a package version was published.
6
+
3
7
  ## v0.1
4
8
 
5
9
  - Publish the OSS foundation
package/SECURITY.md CHANGED
@@ -7,6 +7,13 @@ Security fixes are applied to the current active version of the repository and t
7
7
  ## Reporting a Vulnerability
8
8
 
9
9
  - Do not open a public issue for a security bug.
10
- - Report the issue privately to the maintainers.
11
- - Include reproduction steps and impact if possible.
10
+ - Email `juncalfabri@gmail.com` with the subject prefix `[quiver-security]`.
11
+ - Include affected version or commit, reproduction steps, observed impact, and
12
+ whether the issue is already being exploited.
13
+ - Do not share exploit details publicly until maintainers coordinate a fix or
14
+ disclosure plan.
12
15
 
16
+ GitHub Private Vulnerability Reporting is the preferred long-term channel, but
17
+ it is not enabled for this repository as of 2026-06-01. Repository owners should
18
+ enable it from GitHub repository settings before replacing the email fallback
19
+ above.
@@ -20,7 +20,9 @@ Este archivo comprime el contrato de trabajo para agentes IA. Usa los documentos
20
20
  ## Reglas criticas
21
21
 
22
22
  - Un slice equivale a un commit.
23
- - Un spec equivale a un PR.
23
+ - Un slice equivale a un PR por defecto.
24
+ - Un spec puede generar multiples PRs.
25
+ - Los PRs agrupados son excepciones y deben cumplir `docs/GITFLOW_PR_GUIDE.md`.
24
26
  - No inventes archivos, rutas, flags ni reglas de negocio.
25
27
  - No sobrescribas contenido humano sin revisar si debe preservarse.
26
28
  - Usa `TODO`, `Assumption` o `Pending confirmation` para incertidumbre.
@@ -34,7 +34,9 @@ This file is the main context pack after `AGENTS.md` and `docs/PROJECT_MAP.md`.
34
34
  ## Critical Rules
35
35
 
36
36
  - One slice maps to one commit.
37
- - One spec maps to one PR.
37
+ - One slice maps to one PR by default.
38
+ - One spec can produce multiple PRs.
39
+ - Grouped PRs are exceptions and must follow `docs/GITFLOW_PR_GUIDE.md`.
38
40
  - Slice numbering resets inside each spec.
39
41
  - Do not invent files that the bootstrap did not generate.
40
42
  - Use canonical paths when a path matters.