create-quiver 0.15.4 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (199) hide show
  1. package/.github/pull_request_template.md +17 -0
  2. package/.github/workflows/ci.yml +76 -0
  3. package/.markdown-link-check.json +15 -0
  4. package/.markdownlint.json +11 -0
  5. package/ARCHITECTURE.md +133 -0
  6. package/CHANGELOG.md +16 -0
  7. package/CONTRIBUTING.md +174 -9
  8. package/README.md +17 -2
  9. package/README_FOR_AI.md +4 -1
  10. package/ROADMAP.md +4 -0
  11. package/SECURITY.md +9 -2
  12. package/docs/AI_CONTEXT.md.es.template +3 -1
  13. package/docs/AI_CONTEXT.md.template +3 -1
  14. package/docs/CLI_UX_GUIDE.md +20 -1
  15. package/docs/COMMANDS.md.template +20 -6
  16. package/docs/GITFLOW_PR_GUIDE.md +73 -11
  17. package/docs/GITFLOW_PR_GUIDE.md.es.template +61 -2
  18. package/docs/GITFLOW_PR_GUIDE.md.template +72 -10
  19. package/docs/INDEX.md +6 -1
  20. package/docs/QUICK.md.template +2 -1
  21. package/docs/STANDARD.md.template +2 -1
  22. package/docs/WORKFLOW.md.es.template +3 -1
  23. package/docs/WORKFLOW.md.template +6 -4
  24. package/docs/getting-started/installation.md +7 -0
  25. package/docs/reference/commands.md +138 -6
  26. package/docs/reference/slice-schema.md +37 -0
  27. package/docs/schema/slice.schema.json +221 -0
  28. package/docs/specs/01-spec/01-slice/01-slice.json +36 -0
  29. package/docs/specs/01-spec/01-slice/01-slice.md +106 -0
  30. package/docs/specs/01-spec/01-slice/CLOSURE_BRIEF.md +80 -0
  31. package/docs/specs/01-spec/01-slice/EXECUTION_BRIEF.md +39 -0
  32. package/docs/specs/01-spec/02-slice/02-slice.json +36 -0
  33. package/docs/specs/01-spec/02-slice/02-slice.md +108 -0
  34. package/docs/specs/01-spec/02-slice/CLOSURE_BRIEF.md +88 -0
  35. package/docs/specs/01-spec/02-slice/EXECUTION_BRIEF.md +40 -0
  36. package/docs/specs/01-spec/03-slice/03-slice.json +36 -0
  37. package/docs/specs/01-spec/03-slice/03-slice.md +103 -0
  38. package/docs/specs/01-spec/03-slice/CLOSURE_BRIEF.md +54 -0
  39. package/docs/specs/01-spec/03-slice/EXECUTION_BRIEF.md +39 -0
  40. package/docs/specs/01-spec/04-slice/04-slice.json +36 -0
  41. package/docs/specs/01-spec/04-slice/04-slice.md +107 -0
  42. package/docs/specs/01-spec/04-slice/CLOSURE_BRIEF.md +46 -0
  43. package/docs/specs/01-spec/04-slice/EXECUTION_BRIEF.md +39 -0
  44. package/docs/specs/01-spec/05-slice/05-slice.json +36 -0
  45. package/docs/specs/01-spec/05-slice/05-slice.md +106 -0
  46. package/docs/specs/01-spec/05-slice/CLOSURE_BRIEF.md +84 -0
  47. package/docs/specs/01-spec/05-slice/EXECUTION_BRIEF.md +109 -0
  48. package/docs/specs/01-spec/06-slice/06-slice.json +36 -0
  49. package/docs/specs/01-spec/06-slice/06-slice.md +107 -0
  50. package/docs/specs/01-spec/06-slice/CLOSURE_BRIEF.md +67 -0
  51. package/docs/specs/01-spec/06-slice/EXECUTION_BRIEF.md +39 -0
  52. package/docs/specs/01-spec/07-slice/07-slice.json +36 -0
  53. package/docs/specs/01-spec/07-slice/07-slice.md +105 -0
  54. package/docs/specs/01-spec/07-slice/CLOSURE_BRIEF.md +71 -0
  55. package/docs/specs/01-spec/07-slice/EXECUTION_BRIEF.md +39 -0
  56. package/docs/specs/01-spec/08-slice/08-slice.json +36 -0
  57. package/docs/specs/01-spec/08-slice/08-slice.md +105 -0
  58. package/docs/specs/01-spec/08-slice/CLOSURE_BRIEF.md +114 -0
  59. package/docs/specs/01-spec/08-slice/EXECUTION_BRIEF.md +39 -0
  60. package/docs/specs/01-spec/CLOSURE_BRIEF.md +87 -0
  61. package/docs/specs/01-spec/spec.md +197 -0
  62. package/docs/workflows/full-ai-spec-to-pr.md +46 -3
  63. package/i18n/es/docs/GITFLOW_PR_GUIDE.md.template +38 -1
  64. package/package.json +27 -1
  65. package/scripts/package-quiver.sh +82 -2
  66. package/scripts/release-quiver.sh +14 -3
  67. package/specs/[project-name]/slices/pr.md.template +19 -0
  68. package/specs/quiver-v43-cli-i18n-audit-release-readiness/command-language-mode-matrix.json +122 -1
  69. package/specs/quiver-v46-deep-project-analysis/EVIDENCE_REPORT.md +94 -0
  70. package/specs/quiver-v46-deep-project-analysis/EXECUTION_PLAN.md +26 -0
  71. package/specs/quiver-v46-deep-project-analysis/SPEC.md +157 -0
  72. package/specs/quiver-v46-deep-project-analysis/STATUS.md +26 -0
  73. package/specs/quiver-v46-deep-project-analysis/pr.md +131 -0
  74. package/specs/quiver-v46-deep-project-analysis/slices/slice-00-analysis-contract-foundation/CLOSURE_BRIEF.md +14 -0
  75. package/specs/quiver-v46-deep-project-analysis/slices/slice-00-analysis-contract-foundation/EXECUTION_BRIEF.md +41 -0
  76. package/specs/quiver-v46-deep-project-analysis/slices/slice-00-analysis-contract-foundation/slice.json +61 -0
  77. package/specs/quiver-v46-deep-project-analysis/slices/slice-01-stack-agnostic-discovery-sampling/CLOSURE_BRIEF.md +22 -0
  78. package/specs/quiver-v46-deep-project-analysis/slices/slice-01-stack-agnostic-discovery-sampling/EXECUTION_BRIEF.md +33 -0
  79. package/specs/quiver-v46-deep-project-analysis/slices/slice-01-stack-agnostic-discovery-sampling/slice.json +80 -0
  80. package/specs/quiver-v46-deep-project-analysis/slices/slice-02-provider-analysis-json-contract/CLOSURE_BRIEF.md +21 -0
  81. package/specs/quiver-v46-deep-project-analysis/slices/slice-02-provider-analysis-json-contract/EXECUTION_BRIEF.md +34 -0
  82. package/specs/quiver-v46-deep-project-analysis/slices/slice-02-provider-analysis-json-contract/slice.json +79 -0
  83. package/specs/quiver-v46-deep-project-analysis/slices/slice-03-doc-proposal-review-safe-writes/CLOSURE_BRIEF.md +19 -0
  84. package/specs/quiver-v46-deep-project-analysis/slices/slice-03-doc-proposal-review-safe-writes/EXECUTION_BRIEF.md +33 -0
  85. package/specs/quiver-v46-deep-project-analysis/slices/slice-03-doc-proposal-review-safe-writes/slice.json +79 -0
  86. package/specs/quiver-v46-deep-project-analysis/slices/slice-04-validation-docs-release-readiness/CLOSURE_BRIEF.md +20 -0
  87. package/specs/quiver-v46-deep-project-analysis/slices/slice-04-validation-docs-release-readiness/EXECUTION_BRIEF.md +32 -0
  88. package/specs/quiver-v46-deep-project-analysis/slices/slice-04-validation-docs-release-readiness/slice.json +85 -0
  89. package/specs/quiver-v50-audit-trust-foundation/EVIDENCE_REPORT.md +151 -0
  90. package/specs/quiver-v50-audit-trust-foundation/EXECUTION_PLAN.md +34 -0
  91. package/specs/quiver-v50-audit-trust-foundation/SPEC.md +113 -0
  92. package/specs/quiver-v50-audit-trust-foundation/STATUS.md +26 -0
  93. package/specs/quiver-v50-audit-trust-foundation/pr.md +120 -0
  94. package/specs/quiver-v50-audit-trust-foundation/slices/slice-00-audit-baseline-and-resolved-findings/CLOSURE_BRIEF.md +20 -0
  95. package/specs/quiver-v50-audit-trust-foundation/slices/slice-00-audit-baseline-and-resolved-findings/EXECUTION_BRIEF.md +58 -0
  96. package/specs/quiver-v50-audit-trust-foundation/slices/slice-00-audit-baseline-and-resolved-findings/slice.json +57 -0
  97. package/specs/quiver-v50-audit-trust-foundation/slices/slice-01-runtime-minimum-and-package-metadata/CLOSURE_BRIEF.md +24 -0
  98. package/specs/quiver-v50-audit-trust-foundation/slices/slice-01-runtime-minimum-and-package-metadata/EXECUTION_BRIEF.md +67 -0
  99. package/specs/quiver-v50-audit-trust-foundation/slices/slice-01-runtime-minimum-and-package-metadata/slice.json +71 -0
  100. package/specs/quiver-v50-audit-trust-foundation/slices/slice-02-migrate-write-safety-contract/CLOSURE_BRIEF.md +24 -0
  101. package/specs/quiver-v50-audit-trust-foundation/slices/slice-02-migrate-write-safety-contract/EXECUTION_BRIEF.md +71 -0
  102. package/specs/quiver-v50-audit-trust-foundation/slices/slice-02-migrate-write-safety-contract/slice.json +81 -0
  103. package/specs/quiver-v50-audit-trust-foundation/slices/slice-03-security-reporting-channel/CLOSURE_BRIEF.md +22 -0
  104. package/specs/quiver-v50-audit-trust-foundation/slices/slice-03-security-reporting-channel/EXECUTION_BRIEF.md +57 -0
  105. package/specs/quiver-v50-audit-trust-foundation/slices/slice-03-security-reporting-channel/slice.json +56 -0
  106. package/specs/quiver-v50-audit-trust-foundation/slices/slice-04-user-facing-i18n-error-coverage/CLOSURE_BRIEF.md +23 -0
  107. package/specs/quiver-v50-audit-trust-foundation/slices/slice-04-user-facing-i18n-error-coverage/EXECUTION_BRIEF.md +68 -0
  108. package/specs/quiver-v50-audit-trust-foundation/slices/slice-04-user-facing-i18n-error-coverage/slice.json +84 -0
  109. package/specs/quiver-v50-audit-trust-foundation/slices/slice-05-init-analyze-progress-and-summaries/CLOSURE_BRIEF.md +25 -0
  110. package/specs/quiver-v50-audit-trust-foundation/slices/slice-05-init-analyze-progress-and-summaries/EXECUTION_BRIEF.md +73 -0
  111. package/specs/quiver-v50-audit-trust-foundation/slices/slice-05-init-analyze-progress-and-summaries/slice.json +72 -0
  112. package/specs/quiver-v50-audit-trust-foundation/slices/slice-06-contributor-and-architecture-docs/CLOSURE_BRIEF.md +22 -0
  113. package/specs/quiver-v50-audit-trust-foundation/slices/slice-06-contributor-and-architecture-docs/EXECUTION_BRIEF.md +66 -0
  114. package/specs/quiver-v50-audit-trust-foundation/slices/slice-06-contributor-and-architecture-docs/slice.json +74 -0
  115. package/specs/quiver-v50-audit-trust-foundation/slices/slice-07-ci-and-documentation-lint-baseline/CLOSURE_BRIEF.md +29 -0
  116. package/specs/quiver-v50-audit-trust-foundation/slices/slice-07-ci-and-documentation-lint-baseline/EXECUTION_BRIEF.md +74 -0
  117. package/specs/quiver-v50-audit-trust-foundation/slices/slice-07-ci-and-documentation-lint-baseline/slice.json +81 -0
  118. package/specs/quiver-v51-cli-ergonomics-automation-contracts/EVIDENCE_REPORT.md +145 -0
  119. package/specs/quiver-v51-cli-ergonomics-automation-contracts/EXECUTION_PLAN.md +32 -0
  120. package/specs/quiver-v51-cli-ergonomics-automation-contracts/SPEC.md +109 -0
  121. package/specs/quiver-v51-cli-ergonomics-automation-contracts/STATUS.md +25 -0
  122. package/specs/quiver-v51-cli-ergonomics-automation-contracts/pr.md +69 -0
  123. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-00-cli-contract-baseline/CLOSURE_BRIEF.md +20 -0
  124. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-00-cli-contract-baseline/EXECUTION_BRIEF.md +58 -0
  125. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-00-cli-contract-baseline/slice.json +56 -0
  126. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-01-flow-json-compatibility/CLOSURE_BRIEF.md +21 -0
  127. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-01-flow-json-compatibility/EXECUTION_BRIEF.md +61 -0
  128. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-01-flow-json-compatibility/slice.json +68 -0
  129. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-02-dashboard-section-validation-i18n/CLOSURE_BRIEF.md +25 -0
  130. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-02-dashboard-section-validation-i18n/EXECUTION_BRIEF.md +65 -0
  131. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-02-dashboard-section-validation-i18n/pr.md +134 -0
  132. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-02-dashboard-section-validation-i18n/slice.json +80 -0
  133. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-03-base-branch-resolution-policy/CLOSURE_BRIEF.md +31 -0
  134. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-03-base-branch-resolution-policy/EXECUTION_BRIEF.md +80 -0
  135. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-03-base-branch-resolution-policy/pr.md +159 -0
  136. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-03-base-branch-resolution-policy/slice.json +102 -0
  137. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-04-next-plan-graph-ux-edge-cases/CLOSURE_BRIEF.md +25 -0
  138. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-04-next-plan-graph-ux-edge-cases/EXECUTION_BRIEF.md +74 -0
  139. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-04-next-plan-graph-ux-edge-cases/pr.md +147 -0
  140. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-04-next-plan-graph-ux-edge-cases/slice.json +91 -0
  141. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-05-evidence-robustness-path-safety/CLOSURE_BRIEF.md +28 -0
  142. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-05-evidence-robustness-path-safety/EXECUTION_BRIEF.md +73 -0
  143. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-05-evidence-robustness-path-safety/pr.md +146 -0
  144. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-05-evidence-robustness-path-safety/slice.json +100 -0
  145. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-06-namespace-compatibility-windows-scripts/CLOSURE_BRIEF.md +36 -0
  146. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-06-namespace-compatibility-windows-scripts/EXECUTION_BRIEF.md +76 -0
  147. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-06-namespace-compatibility-windows-scripts/pr.md +155 -0
  148. package/specs/quiver-v51-cli-ergonomics-automation-contracts/slices/slice-06-namespace-compatibility-windows-scripts/slice.json +111 -0
  149. package/specs/quiver-v52-schema-docs-release-hygiene/EVIDENCE_REPORT.md +95 -0
  150. package/specs/quiver-v52-schema-docs-release-hygiene/EXECUTION_PLAN.md +31 -0
  151. package/specs/quiver-v52-schema-docs-release-hygiene/SPEC.md +107 -0
  152. package/specs/quiver-v52-schema-docs-release-hygiene/STATUS.md +22 -0
  153. package/specs/quiver-v52-schema-docs-release-hygiene/pr.md +69 -0
  154. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-00-schema-docs-release-baseline/CLOSURE_BRIEF.md +21 -0
  155. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-00-schema-docs-release-baseline/EXECUTION_BRIEF.md +60 -0
  156. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-00-schema-docs-release-baseline/slice.json +62 -0
  157. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-01-json-schema-for-slice-json/CLOSURE_BRIEF.md +34 -0
  158. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-01-json-schema-for-slice-json/EXECUTION_BRIEF.md +71 -0
  159. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-01-json-schema-for-slice-json/pr.md +146 -0
  160. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-01-json-schema-for-slice-json/slice.json +106 -0
  161. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-02-generated-cli-reference/CLOSURE_BRIEF.md +33 -0
  162. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-02-generated-cli-reference/EXECUTION_BRIEF.md +67 -0
  163. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-02-generated-cli-reference/pr.md +144 -0
  164. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-02-generated-cli-reference/slice.json +86 -0
  165. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-03-changelog-package-release-smoke-hygiene/CLOSURE_BRIEF.md +38 -0
  166. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-03-changelog-package-release-smoke-hygiene/EXECUTION_BRIEF.md +75 -0
  167. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-03-changelog-package-release-smoke-hygiene/pr.md +159 -0
  168. package/specs/quiver-v52-schema-docs-release-hygiene/slices/slice-03-changelog-package-release-smoke-hygiene/slice.json +105 -0
  169. package/src/create-quiver/commands/ai.js +521 -0
  170. package/src/create-quiver/commands/changelog.js +93 -0
  171. package/src/create-quiver/commands/config.js +16 -5
  172. package/src/create-quiver/commands/evidence.js +33 -2
  173. package/src/create-quiver/commands/flow.js +1 -0
  174. package/src/create-quiver/commands/graph.js +8 -2
  175. package/src/create-quiver/commands/plan.js +6 -0
  176. package/src/create-quiver/commands/spec.js +28 -13
  177. package/src/create-quiver/index.js +408 -98
  178. package/src/create-quiver/lib/ai/analyze-project-discovery.js +387 -0
  179. package/src/create-quiver/lib/ai/analyze-project-docs.js +364 -0
  180. package/src/create-quiver/lib/ai/analyze-project-parser.js +277 -0
  181. package/src/create-quiver/lib/ai/analyze-project-prompts.js +214 -0
  182. package/src/create-quiver/lib/ai/analyze-project-review.js +99 -0
  183. package/src/create-quiver/lib/ai/analyze-project-sampling.js +402 -0
  184. package/src/create-quiver/lib/ai/analyze-project-schema.js +92 -0
  185. package/src/create-quiver/lib/ai/analyze-project-validation.js +309 -0
  186. package/src/create-quiver/lib/ai/artifacts.js +4 -1
  187. package/src/create-quiver/lib/ai/github.js +5 -2
  188. package/src/create-quiver/lib/ai/spec-templates.js +19 -0
  189. package/src/create-quiver/lib/cli/command-registry.js +72 -0
  190. package/src/create-quiver/lib/cli/parser.js +14 -0
  191. package/src/create-quiver/lib/evidence.js +161 -6
  192. package/src/create-quiver/lib/git.js +99 -0
  193. package/src/create-quiver/lib/i18n/messages/en.js +52 -7
  194. package/src/create-quiver/lib/i18n/messages/es.js +54 -9
  195. package/src/create-quiver/lib/init-docs.js +1 -1
  196. package/src/create-quiver/lib/init-layout.js +9 -8
  197. package/src/create-quiver/lib/lifecycle.js +24 -26
  198. package/src/create-quiver/lib/readiness.js +67 -56
  199. package/src/create-quiver/lib/spec-worktrees.js +16 -34
@@ -0,0 +1,151 @@
1
+ # Evidence Report - Quiver v50 Audit Trust Foundation
2
+
3
+ ## Planning Evidence
4
+
5
+ - Source requirements: `REQUERIMIENTOS_DERIVADOS_DE_AUDITORIA.md`.
6
+ - Approved plan: user-approved technical plan v4.
7
+ - Repository convention inspected from `specs/quiver-v49-parser-modernization`.
8
+
9
+ ## Baseline Evidence To Capture During Execution
10
+
11
+ - `node bin/create-quiver.js --help`
12
+ - `node --test`
13
+ - `npm ci`
14
+ - `.github/workflows/ci.yml`
15
+ - `package.json` and `package-lock.json`
16
+ - `SECURITY.md`
17
+ - `CONTRIBUTING.md`
18
+ - `docs/CLI_UX_GUIDE.md`
19
+ - current command behavior for `migrate`, `init`, `analyze`, i18n errors, JSON/no-TTY/CI flows.
20
+
21
+ ## Validation Evidence
22
+
23
+ ## slice-00-audit-baseline-and-resolved-findings
24
+
25
+ - `node bin/create-quiver.js --help`: captured current public command surface, compatibility aliases, scoped options, and `--yes` scope.
26
+ - `node bin/create-quiver.js migrate --help`: current help falls back to global help and lists `migrate` as dry-run capable.
27
+ - `package.json`: no `engines` field is declared; `package-lock.json` exists and must remain synchronized when package metadata changes.
28
+ - `src/create-quiver/index.js`: `runMigrate` supports `--dry-run` and emits write warnings, but non-dry-run performs write side effects without an explicit confirmation prompt.
29
+ - `SECURITY.md`: asks for private reporting but does not name a concrete private channel.
30
+ - `CONTRIBUTING.md`: current contributor guidance is minimal.
31
+ - `ARCHITECTURE.md` and `docs/ARCHITECTURE.md`: absent.
32
+ - `.github/workflows/ci.yml`: CI runs `npm ci`, ShellCheck, slice-template validation, cross-platform smoke, and tiered pack smoke, but does not yet include full portable `node --test`, docs lint/link checks, or explicit Windows `pwsh` coverage.
33
+ - `src/create-quiver/lib/i18n/messages/{en,es}.js`: EN/ES catalogs exist; direct user-facing English errors remain in command paths and libraries for later audit.
34
+ - `src/create-quiver/lib/cli/ux.js`, `src/create-quiver/commands/init.js`, and `src/create-quiver/commands/analyze.js`: UX primitives and summaries exist; safe progress/spinner use is not yet consistently applied to `init`/`analyze`.
35
+ - Runtime code was not modified for this baseline slice.
36
+ - `git diff --check`: passed.
37
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`: passed.
38
+
39
+ ## slice-01-runtime-minimum-and-package-metadata
40
+
41
+ - `package-lock.json` dependency metadata shows `@clack/core@1.3.1` and `@clack/prompts@1.4.0` both require Node `>= 20.12.0`, so the project cannot truthfully declare a lower supported minimum while keeping current dependencies.
42
+ - `npx -y node@20.12.0 --version`: passed, returned `v20.12.0`.
43
+ - `package.json` declares `engines.node: >=20.12.0`.
44
+ - `package-lock.json` root package metadata includes the same `engines.node` value.
45
+ - `README.md` and `docs/getting-started/installation.md` document Node `>=20.12.0`.
46
+ - `.github/workflows/ci.yml` adds a `minimum-node` job using Node `20.12.0`, `npm ci`, and `node --test`.
47
+ - `npm ci`: passed, added 7 packages and found 0 vulnerabilities.
48
+ - `node --test`: passed, 612 tests, 0 failures.
49
+ - `npx -y node@20.12.0 --test`: passed, 612 tests, 0 failures. Local npm emitted a compatibility warning because npm `11.12.1` does not support Node `20.12.0`, but the Node 20.12.0 runtime test suite completed successfully.
50
+ - `git diff --check`: passed.
51
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`: passed.
52
+
53
+ ## slice-02-migrate-write-safety-contract
54
+
55
+ - `src/create-quiver/index.js`: `runMigrate` is now async and calls `confirmMigrateWrite` before `packTemplate`, `mergeDirectoryTree`, `initializeProjectDocs`, `updateStateForMigrate`, or `installSelfAsDevDep`.
56
+ - `migrate --dry-run`: remains prompt-free and write-free because it returns before confirmation.
57
+ - `migrate --yes`: maps to the existing `force` parser flag and bypasses the prompt for automation.
58
+ - no-TTY/CI without `--yes`: fails before writes with actionable guidance to run `migrate --dry-run` or pass `--yes`; JSON mode keeps stdout empty on that failure path.
59
+ - TTY cancellation: covered through exported `runMigrate` with injected `promptConfirm: () => false`; snapshot comparison proves the project tree remains unchanged.
60
+ - EN/ES messages: added `migrate.confirm.required`, `migrate.confirm.prompt`, and `migrate.confirm.declined`; Spanish no-TTY error and Spanish `--yes` help are covered in tests.
61
+ - `docs/reference/commands.md` and `docs/CLI_UX_GUIDE.md`: document `migrate --dry-run`, `migrate`, and `migrate --yes` safety semantics.
62
+ - `specs/quiver-v43-cli-i18n-audit-release-readiness/command-language-mode-matrix.json`: updated to include documented command `migrate --yes`; this file was added to the slice scope because `tests/commands/i18n-audit-matrix.test.js` enforces command-reference coverage.
63
+ - `node --test tests/commands/cli-contract.test.js`: passed.
64
+ - `node --test tests/commands/init-profiles.test.js`: passed.
65
+ - `node --test tests/commands/i18n-audit-matrix.test.js`: passed after adding `migrate --yes` to the matrix.
66
+ - `node --test`: passed, 614 tests, 0 failures.
67
+ - `npx -y node@20.12.0 --test tests/commands/cli-contract.test.js tests/commands/init-profiles.test.js tests/commands/i18n-audit-matrix.test.js`: passed, 39 tests, 0 failures.
68
+ - `git diff --check`: passed.
69
+
70
+ ## slice-03-security-reporting-channel
71
+
72
+ - `gh repo view FabriJuncal/quiver --json nameWithOwner,isPrivate,viewerPermission,url`: verified repository visibility, URL, and ADMIN permission for inspection.
73
+ - `gh api repos/FabriJuncal/quiver/private-vulnerability-reporting --jq '.'`: returned `{"enabled":false}`; GitHub Private Vulnerability Reporting is not currently active.
74
+ - `SECURITY.md`: replaced vague private reporting wording with the concrete email channel `juncalfabri@gmail.com`, required report details, and owner action to enable GitHub Private Vulnerability Reporting before making it the primary channel.
75
+ - `git diff --check`: passed.
76
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`: passed.
77
+ - `node bin/create-quiver.js check-slice specs/quiver-v50-audit-trust-foundation/slices/slice-03-security-reporting-channel/slice.json --local`: passed with the expected completed-slice warning after marking the slice completed.
78
+
79
+ ## slice-04-user-facing-i18n-error-coverage
80
+
81
+ - `src/create-quiver/commands/config.js`: localized unsupported language, unsupported section, and unsupported language-command errors through EN/ES catalog keys.
82
+ - `src/create-quiver/index.js`: passed resolved language into `runConfig` and localized parser-level `config` section/command errors plus the `spec` missing-directory wrapper.
83
+ - `src/create-quiver/commands/evidence.js` and `src/create-quiver/lib/evidence.js`: localized missing evidence subcommand and missing command-after-`--` errors while preserving the direct library fallback for existing callers.
84
+ - `src/create-quiver/commands/graph.js`: localized unsupported graph format errors before JSON output is emitted.
85
+ - `src/create-quiver/commands/spec.js`: localized missing/unknown spec directory, spec validation failure wrapper, spec-create collision, interactive TTY requirement, declined approval, and review terminal/cancellation wrappers.
86
+ - `src/create-quiver/lib/i18n/messages/{en,es}.js`: added matching EN/ES keys; catalog completeness remains enforced by `tests/lib/i18n-catalog.test.js`.
87
+ - Covered hardcoded error audit: no `throw new Error` user-facing wrapper remains hardcoded in `commands/{config,evidence,graph,spec}.js` or `lib/evidence.js` outside catalog-backed messages.
88
+ - Allowlist: `spec validate` internal diagnostics remain technical validator strings because they include field names, file paths, JSON parser messages, strict-warning labels, and schema terminology that tests already treat as stable developer diagnostics; machine-readable JSON keys and command/path snippets are intentionally not localized.
89
+ - `src/create-quiver/commands/prepare.js`: inspected; no direct user-facing throw path was changed in this slice.
90
+ - `src/create-quiver/commands/ai-core.js`: expected-read path from the brief does not exist in the current repo; AI command/provider dynamic errors remain outside this covered wrapper set and were not modified in this slice.
91
+ - `node --test tests/commands/config-language.test.js tests/commands/evidence.test.js tests/commands/graph.test.js tests/commands/spec-validate.test.js tests/commands/spec-create.test.js tests/lib/i18n-catalog.test.js tests/commands/i18n-audit-matrix.test.js`: passed, 51 tests, 0 failures.
92
+ - `node --test tests/lib/i18n-catalog.test.js`: passed, 7 tests, 0 failures.
93
+ - `node --test tests/commands/i18n-audit-matrix.test.js`: passed, 2 tests, 0 failures.
94
+ - `node --test`: passed, 619 tests, 0 failures.
95
+ - `git diff --check`: passed.
96
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`: passed.
97
+ - `node bin/create-quiver.js check-slice specs/quiver-v50-audit-trust-foundation/slices/slice-04-user-facing-i18n-error-coverage/slice.json --local`: passed with the expected completed-slice warning after marking the slice completed.
98
+ - Manual dirty-scope check against `slice-04` `allowed_write_paths`: passed, 18 files within scope.
99
+
100
+ ## slice-05-init-analyze-progress-and-summaries
101
+
102
+ - `src/create-quiver/index.js`: added an internal command-progress helper using `createUx.withSpinner(..., { echo: false })` so disabled spinner paths do not emit fallback progress lines.
103
+ - `analyze`: now wraps scan, artifact write, AI context refresh, and state update phases in transient progress; final human summary lines are unchanged.
104
+ - `init`: now wraps template preparation, optional compatibility-template export, docs/language writes, and optional package-install check in transient progress; final install/next-step summary lines are unchanged.
105
+ - Progress safety: progress can run only when `createUx` considers the output a safe human TTY and is additionally disabled for `--no-color`; JSON, CI, and no-TTY paths do not receive progress fallback text.
106
+ - Current layout note: `src/create-quiver/commands/init.js` and `src/create-quiver/commands/analyze.js` from the original expected path list do not exist in this repo; both command flows live in `src/create-quiver/index.js`.
107
+ - `src/create-quiver/lib/i18n/messages/{en,es}.js`: added localized progress messages for `init` and `analyze`.
108
+ - `tests/commands/analyze.test.js`: covers safe TTY spinner events separately from final summary output and verifies `--no-color` suppresses transient progress.
109
+ - `tests/commands/init-profiles.test.js`: verifies non-TTY `init` output does not contain transient progress messages while existing generated layout assertions still pass.
110
+ - `node --test tests/commands/analyze.test.js`: passed, 7 tests, 0 failures.
111
+ - `node --test tests/commands/init-profiles.test.js`: passed, 23 tests, 0 failures.
112
+ - `node --test tests/lib/cli-ux.test.js tests/lib/i18n-catalog.test.js`: passed, 17 tests, 0 failures.
113
+ - `node --test`: passed, 621 tests, 0 failures.
114
+ - `git diff --check`: passed.
115
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`: passed.
116
+ - `node bin/create-quiver.js check-slice specs/quiver-v50-audit-trust-foundation/slices/slice-05-init-analyze-progress-and-summaries/slice.json --local`: passed with the expected completed-slice warning after marking the slice completed.
117
+ - Manual dirty-scope check against `slice-05` `allowed_write_paths`: passed, 10 files within scope.
118
+
119
+ ## slice-06-contributor-and-architecture-docs
120
+
121
+ - `node bin/create-quiver.js --help`: current command surface captured; docs use existing commands such as `start-slice`, `check-slice`, `check-pr`, `check-handoff`, `new-handoff`, `cleanup-slice`, `check-scope`, and `refresh-active-slices`.
122
+ - `CONTRIBUTING.md`: expanded setup, workflow, spec/slice convention, validation, PR headings, templates/examples, and package boundary guidance.
123
+ - `ARCHITECTURE.md`: created real architecture guide covering entrypoints, command layer, library layer, spec/slice structure, generated project contract, templates/localization, package boundary, tests, CI, and design constraints.
124
+ - `ROADMAP.md`: added a note explaining that `vNN` labels are internal spec identifiers unless a section explicitly states an npm release.
125
+ - `git diff --check`: passed.
126
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`: passed.
127
+ - `node bin/create-quiver.js check-slice specs/quiver-v50-audit-trust-foundation/slices/slice-06-contributor-and-architecture-docs/slice.json --local`: passed with the expected completed-slice warning after marking the slice completed.
128
+
129
+ ## slice-07-ci-and-documentation-lint-baseline
130
+
131
+ - `.github/workflows/ci.yml`: added `tests` and `docs` jobs using Node 22, `npm ci`, `npm run test:ci`, `npm run package:quiver`, `npm run docs:lint`, and `npm run docs:links`.
132
+ - `.github/workflows/ci.yml`: changed the minimum-node full-suite step to `npm run test:ci`, which invokes Node's native runner through a portable Node wrapper.
133
+ - `.github/workflows/ci.yml`: added a Windows-only `pwsh` smoke that parses `node .\bin\create-quiver.js version --json` and runs `npm run test:ci -- tests\lib\paths.test.js`.
134
+ - `scripts/ci/run-node-tests.js`: added a shell-free wrapper around `node --test`, preserving pass-through test file arguments without shell glob expansion.
135
+ - `scripts/ci/docs-scope.js`, `scripts/ci/check-docs-markdown.js`, and `scripts/ci/check-doc-links.js`: added explicit public-docs scope and per-file local link checking.
136
+ - `.markdownlint.json`: added the initial markdown lint baseline while disabling inherited noisy style rules (`MD012`, `MD013`, `MD033`, `MD041`, `MD060`) to avoid broad documentation churn.
137
+ - `.markdown-link-check.json`: added a non-flaky local-link baseline by ignoring external `http(s)` and `mailto:` links plus same-page anchors.
138
+ - `package.json` and `package-lock.json`: added `test`, `test:ci`, `docs:lint`, `docs:links`, `docs:check`, `markdownlint-cli2`, and `markdown-link-check`; lockfile synchronized by npm.
139
+ - `CONTRIBUTING.md`: documented local equivalents for the new CI gates and clarified that docs link checks intentionally ignore external URLs in this baseline.
140
+ - `npm install --save-dev markdownlint-cli2 markdown-link-check`: passed; added 153 packages, audited 161 packages, 0 vulnerabilities.
141
+ - `npm ci`: passed; added 160 packages, audited 161 packages, 0 vulnerabilities.
142
+ - `npm run docs:lint`: passed, 20 files, 0 markdownlint errors after baseline config.
143
+ - `npm run docs:links`: passed, 20 files, local-link scope only.
144
+ - `npm run docs:check`: passed.
145
+ - `npm run test:ci -- tests/lib/paths.test.js`: passed, 10 tests, 0 failures.
146
+ - `node --test`: passed, 621 tests, 0 failures.
147
+ - `npm run package:quiver`: passed, produced package smoke `create-quiver-0.15.3.tgz`.
148
+ - `git diff --check`: passed.
149
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`: passed.
150
+ - `node bin/create-quiver.js check-slice specs/quiver-v50-audit-trust-foundation/slices/slice-07-ci-and-documentation-lint-baseline/slice.json --local`: passed with the expected completed-slice warning after marking the slice completed.
151
+ - Local `pwsh` validation was not runnable because `pwsh` is not installed on this machine; Windows `pwsh` coverage is encoded in CI.
@@ -0,0 +1,34 @@
1
+ # Execution Plan - Quiver v50 Audit Trust Foundation
2
+
3
+ ## Order
4
+
5
+ 1. Execute `slice-00-audit-baseline-and-resolved-findings`.
6
+ 2. Execute `slice-01-runtime-minimum-and-package-metadata`.
7
+ 3. Execute `slice-02-migrate-write-safety-contract`.
8
+ 4. Execute `slice-03-security-reporting-channel`.
9
+ 5. Execute `slice-04-user-facing-i18n-error-coverage`.
10
+ 6. Execute `slice-05-init-analyze-progress-and-summaries`.
11
+ 7. Execute `slice-06-contributor-and-architecture-docs`.
12
+ 8. Execute `slice-07-ci-and-documentation-lint-baseline`.
13
+
14
+ ## Parallel Execution
15
+
16
+ - `slice-02`, `slice-03`, `slice-04`, and `slice-06` may run in parallel after `slice-00`.
17
+ - `slice-05` should wait for `slice-04` if it adds localized progress/summary messages.
18
+ - `slice-07` should wait for `slice-01` and `slice-06` because it validates package metadata, lockfile, and docs.
19
+
20
+ ## Risk Controls
21
+
22
+ - Snapshot files before/after `migrate` cancellation and no-TTY tests.
23
+ - Treat `package.json` and `package-lock.json` as a pair.
24
+ - Keep docs lint adoption controlled to avoid unrelated churn.
25
+ - Keep JSON stdout free of progress, warnings, and prose.
26
+
27
+ ## Required Final Validation
28
+
29
+ - `npm ci`
30
+ - `node --test`
31
+ - `npm run package:quiver`
32
+ - `node bin/create-quiver.js --help`
33
+ - `git diff --check`
34
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`
@@ -0,0 +1,113 @@
1
+ # Quiver v50 - Audit Trust Foundation
2
+
3
+ **Date:** 2026-06-01
4
+ **Status:** Completed
5
+ **Source:** User-approved plan v4 derived from `REQUERIMIENTOS_DERIVADOS_DE_AUDITORIA.md`.
6
+
7
+ Slice numbering resets here. This spec intentionally starts at `slice-00`.
8
+
9
+ ## Problem
10
+
11
+ The audit identified trust gaps around write-safety, runtime metadata, security reporting, user-facing i18n, onboarding feedback, contributor documentation, and CI/docs validation. Several related findings are already implemented in the current branch and must be closed by evidence instead of reimplementation.
12
+
13
+ ## Objective
14
+
15
+ Establish a production-ready trust baseline for Quiver without broad rewrites:
16
+
17
+ - Verify current audit findings before changing behavior.
18
+ - Declare a real Node runtime minimum.
19
+ - Protect `migrate` from unintended writes.
20
+ - Provide a concrete private security reporting channel.
21
+ - Complete EN/ES coverage for user-facing errors.
22
+ - Improve `init` and `analyze` feedback without breaking automation.
23
+ - Make contributor and architecture docs usable.
24
+ - Harden CI and docs lint with controlled, non-flaky gates.
25
+
26
+ ## Scope
27
+
28
+ ### Included
29
+
30
+ - Audit baseline and already-resolved finding classification.
31
+ - Runtime minimum verification and package metadata.
32
+ - `migrate` write-safety and `--yes` contract.
33
+ - Security reporting channel documentation/evidence.
34
+ - User-facing i18n error coverage for commands and invoked libs.
35
+ - `init`/`analyze` progress and summaries.
36
+ - Contributor and architecture documentation.
37
+ - CI, docs lint, lockfile, and portable test baseline.
38
+
39
+ ### Excluded
40
+
41
+ - Commander.js/yargs migration.
42
+ - TypeScript migration.
43
+ - Parser rewrite.
44
+ - Shell completion.
45
+ - Global async I/O migration.
46
+ - Alias removal.
47
+ - npm publish automation.
48
+
49
+ ## Approved Acceptance Criteria
50
+
51
+ 1. All audit findings in this spec are classified as `implemented`, `partial`, `missing`, or `not applicable` before implementation.
52
+ 2. `package.json` declares a verified Node minimum and any package changes keep `package-lock.json` synchronized.
53
+ 3. `migrate` requires explicit confirmation before side effects unless `--yes` or `--dry-run` is used.
54
+ 4. `SECURITY.md` provides a concrete private vulnerability reporting channel with evidence or documented owner confirmation.
55
+ 5. User-facing errors in covered command paths respect EN/ES i18n and keep JSON stdout clean.
56
+ 6. `init` and `analyze` show progress only where safe and preserve automation/no-TTY/CI behavior.
57
+ 7. Contributor docs explain setup, tests, smokes, commits, PRs, architecture, templates, examples, and real spec structure.
58
+ 8. CI uses portable test commands, validates docs with controlled lint/link checks, runs `npm ci`, and includes Windows `pwsh` coverage.
59
+
60
+ ## Execution Baseline - slice-00
61
+
62
+ | Finding | Current state | Evidence | Action |
63
+ |---|---|---|---|
64
+ | Runtime minimum metadata | missing | `package.json` has `dependencies` but no `engines`; `package-lock.json` exists. | Implement in `slice-01-runtime-minimum-and-package-metadata`; keep lockfile synchronized. |
65
+ | `migrate` write-safety confirmation | partial | `runMigrate` supports `--dry-run` and writes warning text, but non-dry-run proceeds to filesystem writes without an explicit prompt; global help scopes `--yes` only to `init, slice cleanup`. | Implement confirmation and `--yes` contract in `slice-02-migrate-write-safety-contract`. |
66
+ | Private security reporting channel | partial | `SECURITY.md` says to report privately but does not provide a concrete email, GitHub private vulnerability reporting path, or owner-confirmed channel. | Implement in `slice-03-security-reporting-channel`. |
67
+ | User-facing i18n error coverage | partial | EN/ES message catalogs exist in `src/create-quiver/lib/i18n/messages/{en,es}.js`, but direct English errors remain in command paths and invoked libraries. | Implement covered command/library message audit in `slice-04-user-facing-i18n-error-coverage`. |
68
+ | `init` / `analyze` progress and summaries | partial | `init` has interactive summaries through `createUx`; `analyze` prints direct summaries; no safe spinner/progress contract is used for these write paths. | Implement safe TTY-only progress and stable summaries in `slice-05-init-analyze-progress-and-summaries`. |
69
+ | Contributor and architecture docs | partial | `CONTRIBUTING.md` is minimal; no `ARCHITECTURE.md` or `docs/ARCHITECTURE.md` exists. | Implement in `slice-06-contributor-and-architecture-docs`. |
70
+ | CI and docs validation baseline | partial | `.github/workflows/ci.yml` runs `npm ci`, ShellCheck, slice-template validation, cross-platform smoke, and tiered pack smoke; it does not run full portable `node --test`, docs lint/link checks, or explicit Windows `pwsh` coverage. | Implement in `slice-07-ci-and-documentation-lint-baseline`. |
71
+ | Package safety against local audit artifacts | implemented | `.npmignore` excludes `*.pdf`, `.DS_Store`, `tests`, examples, package lock, and CI scripts; package safety code also rejects env/secrets/tool state. | Close with evidence only; do not reimplement in v50 unless a later slice touches packaging. |
72
+ | Parser/help compatibility baseline | implemented | `node bin/create-quiver.js --help` shows scoped help and compatibility aliases from v49. | Preserve current command/help contracts in all v50 changes. |
73
+
74
+ ## Slice Roadmap
75
+
76
+ | Slice | Title | Status | Dependencies |
77
+ |---|---|---|---|
78
+ | slice-00 | Audit baseline and already-resolved findings | completed | none |
79
+ | slice-01 | Runtime minimum and package metadata | completed | slice-00 |
80
+ | slice-02 | Migrate write-safety contract | completed | slice-00 |
81
+ | slice-03 | Security reporting channel | completed | slice-00 |
82
+ | slice-04 | User-facing i18n error coverage | completed | slice-00 |
83
+ | slice-05 | Init/analyze progress and summaries | completed | slice-00, slice-04 |
84
+ | slice-06 | Contributor and architecture docs | completed | slice-00 |
85
+ | slice-07 | CI and documentation lint baseline | completed | slice-01, slice-06 |
86
+
87
+ ## Guardrails
88
+
89
+ - Do not reimplement findings already implemented; close them with evidence/tests/docs only.
90
+ - Do not write files in `migrate` before confirmation.
91
+ - Do not localize machine-readable JSON keys.
92
+ - Do not emit spinner/progress frames in JSON, no-TTY, `CI=true`, or `--no-color`.
93
+ - Do not introduce flaky external link checks as blocking CI gates.
94
+ - Do not publish or package local audit files, PDFs, secrets, `.DS_Store`, worktrees, or tool state.
95
+
96
+ ## Required Production Gates
97
+
98
+ - `npm ci`
99
+ - portable test runner, not shell-expanded globs
100
+ - targeted command tests per slice
101
+ - `node bin/create-quiver.js --help`
102
+ - stdout/stderr separation for warnings, errors, JSON, and prompts
103
+ - EN/ES validation for new human messages
104
+ - `npm pack` or package smoke where package contents change
105
+ - `git diff --check`
106
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`
107
+
108
+ ## Resolved Decisions
109
+
110
+ - Node minimum real version: `>=20.12.0`.
111
+ - Final security channel: private email fallback documented in `SECURITY.md`; GitHub Private Vulnerability Reporting remains an owner action before it becomes primary.
112
+ - Initial markdown lint scope: public root docs, `.github/pull_request_template.md`, and public docs under `docs/getting-started`, `docs/reference`, and `docs/workflows`.
113
+ - Link checks: local documentation links are blocking; external URLs are ignored in this first CI baseline to avoid flaky network gates.
@@ -0,0 +1,26 @@
1
+ # Status - Quiver v50 Audit Trust Foundation
2
+
3
+ **Overall status:** Completed
4
+ **Created:** 2026-06-01
5
+ **Current slice:** none
6
+
7
+ ## Summary
8
+
9
+ This spec converted audit-derived trust and contributor-readiness requirements into production-safe implementation slices. All planned slices are complete and validated locally.
10
+
11
+ ## Slice Status
12
+
13
+ | Slice | Status | Notes |
14
+ |---|---|---|
15
+ | slice-00-audit-baseline-and-resolved-findings | Completed | Classified current findings, mapped implemented items to evidence-only closure, and froze command/package/docs/CI contracts before implementation. |
16
+ | slice-01-runtime-minimum-and-package-metadata | Completed | Declared Node >=20.12.0 with dependency/runtime evidence, synchronized lockfile, documented the minimum, and added minimum-node CI coverage. |
17
+ | slice-02-migrate-write-safety-contract | Completed | Added pre-write migrate confirmation, no-TTY/JSON-safe refusal without `--yes`, `migrate --yes` automation, and updated help/docs/i18n coverage. |
18
+ | slice-03-security-reporting-channel | Completed | Documented a concrete private email channel and recorded that GitHub Private Vulnerability Reporting is disabled pending owner action. |
19
+ | slice-04-user-facing-i18n-error-coverage | Completed | Localized covered `config`, `evidence`, `graph`, and `spec` error wrappers plus parser/wiring paths; documented technical allowlist and preserved JSON stdout cleanliness. |
20
+ | slice-05-init-analyze-progress-and-summaries | Completed | Added TTY-only transient progress for `init` and `analyze`, suppressed progress in automation/no-color paths, and preserved final summaries. |
21
+ | slice-06-contributor-and-architecture-docs | Completed | Expanded contributor workflow docs and added architecture/package-boundary documentation based on the current CLI and repo structure. |
22
+ | slice-07-ci-and-documentation-lint-baseline | Completed | Added portable test/docs scripts, docs lint/link baseline, CI test/docs jobs, Windows `pwsh` smoke, and lockfile-synchronized dev dependencies. |
23
+
24
+ ## Current Blockers
25
+
26
+ - None.
@@ -0,0 +1,120 @@
1
+ ## Title
2
+
3
+ QUIVER-50: Audit Trust Foundation execution
4
+
5
+ ## Summary
6
+
7
+ Executes the Quiver v50 Audit Trust Foundation spec across its implementation slices.
8
+
9
+ This PR turns audit-derived trust findings into production-ready behavior and documentation: runtime metadata, safer `migrate` writes, concrete security reporting, broader EN/ES error coverage, safe `init`/`analyze` progress feedback, contributor/architecture docs, and CI/docs validation gates.
10
+
11
+ ## Scope
12
+
13
+ - Declares the verified Node runtime minimum and synchronizes package metadata.
14
+ - Adds pre-write safety for `migrate`, including no-TTY/CI-safe refusal and `--yes` automation.
15
+ - Documents a concrete private vulnerability reporting channel.
16
+ - Localizes covered user-facing CLI errors while preserving JSON stdout cleanliness and technical diagnostics.
17
+ - Adds transient TTY-only progress for `init` and `analyze` without emitting progress in JSON, CI, no-TTY, or `--no-color` paths.
18
+ - Expands contributor and architecture documentation around Quiver's real CLI/spec/slice workflow.
19
+ - Adds portable CI scripts, markdown lint/link checks with controlled non-flaky scope, package smoke coverage, and Windows `pwsh` path coverage.
20
+
21
+ ## Files
22
+
23
+ - `.github/workflows/ci.yml`
24
+ - `.markdownlint.json`
25
+ - `.markdown-link-check.json`
26
+ - `package.json`
27
+ - `package-lock.json`
28
+ - `README.md`
29
+ - `CONTRIBUTING.md`
30
+ - `ARCHITECTURE.md`
31
+ - `ROADMAP.md`
32
+ - `SECURITY.md`
33
+ - `docs/CLI_UX_GUIDE.md`
34
+ - `docs/getting-started/installation.md`
35
+ - `docs/reference/commands.md`
36
+ - `scripts/ci/**`
37
+ - `src/create-quiver/**`
38
+ - `tests/**`
39
+ - `specs/quiver-v43-cli-i18n-audit-release-readiness/command-language-mode-matrix.json`
40
+ - `specs/quiver-v50-audit-trust-foundation/**`
41
+
42
+ ## How to Test (DETAILED - REQUIRED)
43
+
44
+ ### Required Environment
45
+
46
+ - Node.js `>=20.12.0`.
47
+ - npm with access to the committed lockfile.
48
+ - GitHub CLI `gh` only for PR creation, not for local validation.
49
+ - ShellCheck for CI validation of Bash scripts.
50
+ - Windows `pwsh` coverage is encoded in GitHub Actions; `pwsh` was not available on this local machine.
51
+
52
+ ### Worktree Access
53
+
54
+ - Checkout this branch:
55
+
56
+ ```bash
57
+ git checkout feature/QUIVER-50-audit-trust-foundation-execution
58
+ ```
59
+
60
+ - Keep local audit artifacts and generated PDFs untracked; they are intentionally excluded from this PR.
61
+
62
+ ### Run the Project
63
+
64
+ No long-running app server is required. Validate the CLI directly:
65
+
66
+ ```bash
67
+ node bin/create-quiver.js --help
68
+ node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation
69
+ ```
70
+
71
+ ### Use Cases
72
+
73
+ - Run `migrate --dry-run` and confirm it remains prompt-free and write-free.
74
+ - Run `migrate` without `--yes` in no-TTY automation and confirm it fails before writes.
75
+ - Run covered commands with `--lang es` and confirm human errors are localized without changing command snippets or JSON keys.
76
+ - Run `init`/`analyze` in non-TTY or `--no-color` mode and confirm transient progress text is suppressed.
77
+ - Run docs checks and confirm only the controlled public-docs scope is linted/linked.
78
+
79
+ ### Technical Verification
80
+
81
+ ```bash
82
+ npm ci
83
+ npm run docs:check
84
+ npm run test:ci -- tests/lib/paths.test.js
85
+ node --test
86
+ npm run package:quiver
87
+ git diff --check
88
+ node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation
89
+ node bin/create-quiver.js check-slice specs/quiver-v50-audit-trust-foundation/slices/slice-07-ci-and-documentation-lint-baseline/slice.json --local
90
+ ```
91
+
92
+ ## Evidence
93
+
94
+ - `npm ci`: passed, 160 packages installed/audited, 0 vulnerabilities.
95
+ - `npm run docs:lint`: passed, 20 files, 0 markdownlint errors.
96
+ - `npm run docs:links`: passed, 20 files, local-link scope only.
97
+ - `npm run docs:check`: passed.
98
+ - `npm run test:ci -- tests/lib/paths.test.js`: passed, 10 tests, 0 failures.
99
+ - `node --test`: passed, 621 tests, 0 failures.
100
+ - `npm run package:quiver`: passed, package smoke `create-quiver-0.15.3.tgz`.
101
+ - `git diff --check`: passed.
102
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`: passed.
103
+ - `node bin/create-quiver.js check-slice .../slice-07-ci-and-documentation-lint-baseline/slice.json --local`: passed with the expected completed-slice warning.
104
+
105
+ ## Rollback
106
+
107
+ Revert the QUIVER-50 commits on this branch. For partial rollback, revert the affected slice commit and rerun:
108
+
109
+ ```bash
110
+ npm ci
111
+ node --test
112
+ npm run package:quiver
113
+ node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation
114
+ ```
115
+
116
+ ## Risks / Notes
117
+
118
+ - Local `pwsh` validation was not runnable because `pwsh` is not installed on this machine; GitHub Actions now includes a Windows-only `pwsh` smoke.
119
+ - External HTTP and `mailto:` links are ignored in the first docs link baseline to avoid flaky network gates; local documentation links are blocking.
120
+ - The root-level local audit/input files and generated PDF remain untracked and are intentionally excluded from the PR.
@@ -0,0 +1,20 @@
1
+ # CLOSURE_BRIEF - slice-00 audit baseline and already-resolved findings
2
+
3
+ ## Summary
4
+
5
+ Classified the v50 audit-derived trust findings against current repository behavior and mapped each implemented, partial, or missing state to the correct later slice. Runtime code was not changed.
6
+
7
+ ## Validation
8
+
9
+ - [x] `git diff --check`
10
+ - [x] `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`
11
+
12
+ ## Closure Conditions
13
+
14
+ - [x] Finding classification completed.
15
+ - [x] Implemented findings mapped to evidence/test/docs only.
16
+ - [x] Runtime code unchanged.
17
+
18
+ ## Open Items
19
+
20
+ - None.
@@ -0,0 +1,58 @@
1
+ # EXECUTION_BRIEF - slice-00 audit baseline and already-resolved findings
2
+
3
+ ## Context
4
+
5
+ The audit file includes findings that are already implemented in the current branch. This slice prevents duplicate work by freezing the real baseline.
6
+
7
+ ## Objective
8
+
9
+ Classify audit findings against current repository behavior before implementation.
10
+
11
+ ## Scope
12
+
13
+ - v50 finding classification.
14
+ - Existing command/help/JSON/package/CI baseline.
15
+ - Planning artifacts only.
16
+
17
+ ## Acceptance Criteria
18
+
19
+ - A `Finding | Current state | Action` table exists.
20
+ - Findings are marked `implemented`, `partial`, `missing`, or `not applicable`.
21
+ - Implemented findings are limited to evidence/test/docs follow-up.
22
+ - Runtime code is not modified.
23
+
24
+ ## Expected Files To Modify
25
+
26
+ - `specs/quiver-v50-audit-trust-foundation/SPEC.md`
27
+ - `specs/quiver-v50-audit-trust-foundation/STATUS.md`
28
+ - `specs/quiver-v50-audit-trust-foundation/EVIDENCE_REPORT.md`
29
+
30
+ ## Validations Required
31
+
32
+ - `git diff --check`
33
+ - `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`
34
+
35
+ ## Risks
36
+
37
+ - Reimplementing behavior already present.
38
+ - Trusting audit assumptions without checking current code.
39
+
40
+ ## Dependencies
41
+
42
+ - None.
43
+
44
+ ## Instructions For Executor
45
+
46
+ 1. Inspect current code/tests/help before editing the spec artifacts.
47
+ 2. Record evidence for every implemented or partial finding.
48
+ 3. Do not change runtime code.
49
+
50
+ ## Completion Checklist
51
+
52
+ - [ ] Acceptance criteria satisfied.
53
+ - [ ] Required validations run or blockers documented.
54
+ - [ ] Closure brief updated.
55
+
56
+ ## Conditions Of Closure
57
+
58
+ - Later v50 slices have an accurate baseline and no duplicated work.
@@ -0,0 +1,57 @@
1
+ {
2
+ "slice_id": "slice-00-audit-baseline-and-resolved-findings",
3
+ "ticket": "QUIVER-50-00",
4
+ "type": "documentation",
5
+ "title": "Audit baseline and already-resolved findings",
6
+ "objective": "Classify audit findings against current repository behavior before implementation.",
7
+ "description": "Creates the v50 baseline so executors do not reimplement behavior already present in the current branch.",
8
+ "git": {
9
+ "branch_type": "feature",
10
+ "base_branch": "main",
11
+ "branch_slug": "v50-audit-baseline",
12
+ "branch_name": "feature/QUIVER-50-00-v50-audit-baseline"
13
+ },
14
+ "files": [
15
+ "specs/quiver-v50-audit-trust-foundation/**"
16
+ ],
17
+ "expected_read_paths": [
18
+ "REQUERIMIENTOS_DERIVADOS_DE_AUDITORIA.md",
19
+ "package.json",
20
+ ".github/workflows/ci.yml",
21
+ "src/create-quiver/**",
22
+ "tests/**"
23
+ ],
24
+ "allowed_write_paths": [
25
+ "specs/quiver-v50-audit-trust-foundation/**"
26
+ ],
27
+ "depends_on": [],
28
+ "parallel_safe": "no",
29
+ "parallel_safe_reason": "Baseline defines finding state and constraints for every later v50 slice.",
30
+ "must": [
31
+ "Create a Finding | Current state | Action table.",
32
+ "Mark each finding as implemented, partial, missing, or not applicable.",
33
+ "Record current help, JSON, parser, CI, package, and command contracts.",
34
+ "Do not change runtime code."
35
+ ],
36
+ "not_included": [
37
+ "Implementing fixes.",
38
+ "Changing docs outside this spec."
39
+ ],
40
+ "acceptance": [
41
+ "Resolved findings are identified as evidence/test/docs only.",
42
+ "Missing and partial findings are mapped to later slices.",
43
+ "Contracts that must not regress are explicit."
44
+ ],
45
+ "tests": [
46
+ "git diff --check",
47
+ "node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation"
48
+ ],
49
+ "validation_hints": [
50
+ "Use current CLI behavior as evidence, not assumptions from the audit file."
51
+ ],
52
+ "estimated_hours": 2,
53
+ "status": "completed",
54
+ "blocked_reason": null,
55
+ "actual_hours": 2,
56
+ "completed_at": "2026-06-01T21:37:54-0300"
57
+ }
@@ -0,0 +1,24 @@
1
+ # CLOSURE_BRIEF - slice-01 runtime minimum and package metadata
2
+
3
+ ## Summary
4
+
5
+ Declared the supported Node runtime minimum as `>=20.12.0`, synchronized package metadata and lockfile, documented the requirement, and added CI coverage for the exact minimum.
6
+
7
+ ## Validation
8
+
9
+ - [x] `npm ci`
10
+ - [x] `node --test`
11
+ - [x] `npx -y node@20.12.0 --test`
12
+ - [x] `git diff --check`
13
+ - [x] `node bin/create-quiver.js spec validate specs/quiver-v50-audit-trust-foundation`
14
+
15
+ ## Closure Conditions
16
+
17
+ - [x] Node minimum verified.
18
+ - [x] Package metadata and lockfile synchronized.
19
+ - [x] Docs updated.
20
+ - [x] Evidence recorded.
21
+
22
+ ## Open Items
23
+
24
+ - None.