create-quiver 0.16.0 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/README.md +7 -1
  3. package/README_FOR_AI.md +4 -1
  4. package/docs/CLI_UX_GUIDE.md +11 -0
  5. package/docs/INDEX.md +5 -1
  6. package/docs/reference/commands.md +34 -0
  7. package/package.json +1 -1
  8. package/specs/quiver-v43-cli-i18n-audit-release-readiness/command-language-mode-matrix.json +31 -1
  9. package/specs/quiver-v46-deep-project-analysis/EVIDENCE_REPORT.md +94 -0
  10. package/specs/quiver-v46-deep-project-analysis/EXECUTION_PLAN.md +26 -0
  11. package/specs/quiver-v46-deep-project-analysis/SPEC.md +157 -0
  12. package/specs/quiver-v46-deep-project-analysis/STATUS.md +26 -0
  13. package/specs/quiver-v46-deep-project-analysis/pr.md +131 -0
  14. package/specs/quiver-v46-deep-project-analysis/slices/slice-00-analysis-contract-foundation/CLOSURE_BRIEF.md +14 -0
  15. package/specs/quiver-v46-deep-project-analysis/slices/slice-00-analysis-contract-foundation/EXECUTION_BRIEF.md +41 -0
  16. package/specs/quiver-v46-deep-project-analysis/slices/slice-00-analysis-contract-foundation/slice.json +61 -0
  17. package/specs/quiver-v46-deep-project-analysis/slices/slice-01-stack-agnostic-discovery-sampling/CLOSURE_BRIEF.md +22 -0
  18. package/specs/quiver-v46-deep-project-analysis/slices/slice-01-stack-agnostic-discovery-sampling/EXECUTION_BRIEF.md +33 -0
  19. package/specs/quiver-v46-deep-project-analysis/slices/slice-01-stack-agnostic-discovery-sampling/slice.json +80 -0
  20. package/specs/quiver-v46-deep-project-analysis/slices/slice-02-provider-analysis-json-contract/CLOSURE_BRIEF.md +21 -0
  21. package/specs/quiver-v46-deep-project-analysis/slices/slice-02-provider-analysis-json-contract/EXECUTION_BRIEF.md +34 -0
  22. package/specs/quiver-v46-deep-project-analysis/slices/slice-02-provider-analysis-json-contract/slice.json +79 -0
  23. package/specs/quiver-v46-deep-project-analysis/slices/slice-03-doc-proposal-review-safe-writes/CLOSURE_BRIEF.md +19 -0
  24. package/specs/quiver-v46-deep-project-analysis/slices/slice-03-doc-proposal-review-safe-writes/EXECUTION_BRIEF.md +33 -0
  25. package/specs/quiver-v46-deep-project-analysis/slices/slice-03-doc-proposal-review-safe-writes/slice.json +79 -0
  26. package/specs/quiver-v46-deep-project-analysis/slices/slice-04-validation-docs-release-readiness/CLOSURE_BRIEF.md +20 -0
  27. package/specs/quiver-v46-deep-project-analysis/slices/slice-04-validation-docs-release-readiness/EXECUTION_BRIEF.md +32 -0
  28. package/specs/quiver-v46-deep-project-analysis/slices/slice-04-validation-docs-release-readiness/slice.json +85 -0
  29. package/src/create-quiver/commands/ai.js +521 -0
  30. package/src/create-quiver/index.js +113 -3
  31. package/src/create-quiver/lib/ai/analyze-project-discovery.js +387 -0
  32. package/src/create-quiver/lib/ai/analyze-project-docs.js +364 -0
  33. package/src/create-quiver/lib/ai/analyze-project-parser.js +277 -0
  34. package/src/create-quiver/lib/ai/analyze-project-prompts.js +214 -0
  35. package/src/create-quiver/lib/ai/analyze-project-review.js +99 -0
  36. package/src/create-quiver/lib/ai/analyze-project-sampling.js +402 -0
  37. package/src/create-quiver/lib/ai/analyze-project-schema.js +92 -0
  38. package/src/create-quiver/lib/ai/analyze-project-validation.js +309 -0
  39. package/src/create-quiver/lib/ai/artifacts.js +4 -1
  40. package/src/create-quiver/lib/cli/command-registry.js +1 -0
  41. package/.quiver/runs/run-2026-06-09t19-14-39z/approvals.json +0 -5
  42. package/.quiver/runs/run-2026-06-09t19-14-39z/decisions.md +0 -2
  43. package/.quiver/runs/run-2026-06-09t19-14-39z/requirement.md +0 -0
  44. package/.quiver/runs/run-2026-06-09t19-14-39z/snapshots/20260609T191439Z/docs/INDEX.md +0 -97
  45. package/.quiver/runs/run-2026-06-09t19-14-39z/snapshots/20260609T191439Z/manifest.json +0 -61
  46. package/.quiver/runs/run-2026-06-09t19-14-39z/state.json +0 -28
  47. package/ACTIVE_SLICES.md +0 -43
  48. package/auditoria-ux-ui-performance-documentacion.md +0 -705
  49. package/copys-landing-page.md +0 -244
  50. package/docs/ai/ACTIVE_SLICE.md +0 -61
  51. package/pr.md +0 -154
@@ -0,0 +1,131 @@
1
+ # Quiver v46 - Deep Project Analysis
2
+
3
+ ## Title
4
+
5
+ Implement production-safe `ai analyze-project`
6
+
7
+ ## Summary
8
+
9
+ This PR adds a new `ai analyze-project` workflow that can inspect an existing repository, build a bounded evidence sample, run optional provider-backed analysis, and turn validated results into reviewed documentation updates.
10
+
11
+ The safe default is read-only: `--dry-run` reports what Quiver would read, why each file was selected or omitted, the applied budgets, and security exclusions without calling a provider or writing files.
12
+
13
+ ## Scope
14
+
15
+ - Adds `ai analyze-project` CLI routing, help text, analysis flags, human output, and JSON output.
16
+ - Adds stack-agnostic discovery and semantic sampling for source, tests, DB/schema, configs, docs, monorepos, unknown stacks, symlinks, binaries, secrets, caches, dependencies, and build outputs.
17
+ - Adds provider-backed JSON analysis with schema validation, evidence validation, confidence levels, truncation downgrade rules, prompt redaction, and no-write failure paths.
18
+ - Adds review/edit/final-diff/confirm flow for approved documentation updates only.
19
+ - Adds safe writes with managed blocks, snapshots, manifests, before/after hashes, restore hints, and redacted raw artifacts.
20
+ - Adds post-write validation for schema, evidence paths, placeholders, managed blocks, snapshot manifests, and deterministic doc conflicts with `--strict`.
21
+ - Updates README, command reference, CLI UX guide, AI guidance, fixture matrix, i18n command matrix, and package ignore rules.
22
+
23
+ ## Files
24
+
25
+ - `src/create-quiver/commands/ai.js`
26
+ - `src/create-quiver/index.js`
27
+ - `src/create-quiver/lib/ai/analyze-project-*.js`
28
+ - `tests/commands/ai-analyze-project*.test.js`
29
+ - `tests/lib/ai-analyze-project*.test.js`
30
+ - `tests/fixtures/ai-analyze-project/matrix.json`
31
+ - `docs/reference/commands.md`
32
+ - `docs/CLI_UX_GUIDE.md`
33
+ - `README.md`
34
+ - `README_FOR_AI.md`
35
+ - `.npmignore`
36
+ - `specs/quiver-v46-deep-project-analysis/**`
37
+
38
+ ## How to Test (DETAILED - REQUIRED)
39
+
40
+ ### Required Environment
41
+
42
+ - Node.js and npm available.
43
+ - GitHub CLI available for PR creation.
44
+ - Authenticated `gh` session.
45
+ - SSH host alias: `github-personal`.
46
+ - Identity file: `~/ssh/github-personal`.
47
+
48
+ ### Worktree Access
49
+
50
+ From the repository root:
51
+
52
+ ```bash
53
+ git status --short --branch
54
+ git remote -v
55
+ ```
56
+
57
+ Expected remote shape:
58
+
59
+ ```text
60
+ origin git@github-personal:FabriJuncal/quiver.git
61
+ ```
62
+
63
+ ### Run the Project
64
+
65
+ No dev server is required. This is a CLI feature.
66
+
67
+ ### Use Cases
68
+
69
+ 1. Preview analysis without writes:
70
+
71
+ ```bash
72
+ node bin/create-quiver.js ai analyze-project --deep --dry-run
73
+ node bin/create-quiver.js ai analyze-project --deep --dry-run --json
74
+ ```
75
+
76
+ 2. Run provider-backed analysis in tests through fake providers:
77
+
78
+ ```bash
79
+ node --test tests/commands/ai-analyze-project-provider.test.js
80
+ ```
81
+
82
+ 3. Validate review and safe-write behavior:
83
+
84
+ ```bash
85
+ node --test tests/commands/ai-analyze-project-review.test.js tests/lib/ai-analyze-project-validation.test.js
86
+ ```
87
+
88
+ ### Technical Verification
89
+
90
+ Commands run:
91
+
92
+ ```bash
93
+ node --test tests/docs/command-reference.test.js tests/commands/cli-contract.test.js tests/commands/i18n-audit-matrix.test.js tests/commands/parser-contract.test.js
94
+ # pass: 22 tests
95
+
96
+ node --test tests/commands/cli-contract.test.js tests/commands/i18n-audit-matrix.test.js tests/lib/ai-analyze-project-validation.test.js tests/lib/ai-analyze-project-discovery.test.js tests/commands/ai-analyze-project-review.test.js tests/commands/ai-analyze-project-provider.test.js tests/lib/ai-analyze-project-parser.test.js tests/lib/ai-analyze-project-schema.test.js
97
+ # pass: 41 tests
98
+
99
+ node --test
100
+ # pass: 686 tests
101
+
102
+ npm run smoke:create-quiver
103
+ # pass: create-quiver smoke test passed
104
+
105
+ npm run package:quiver
106
+ # pass: Package smoke passed: create-quiver-0.16.0.tgz
107
+
108
+ node bin/create-quiver.js spec validate specs/quiver-v46-deep-project-analysis --strict
109
+ # pass: spec validation passed
110
+
111
+ git diff --check
112
+ # pass
113
+ ```
114
+
115
+ ## Evidence
116
+
117
+ - `specs/quiver-v46-deep-project-analysis/EVIDENCE_REPORT.md`
118
+ - `specs/quiver-v46-deep-project-analysis/STATUS.md`
119
+ - `specs/quiver-v46-deep-project-analysis/slices/*/CLOSURE_BRIEF.md`
120
+ - `tests/fixtures/ai-analyze-project/matrix.json`
121
+
122
+ ## Rollback
123
+
124
+ Revert the PR commit. The feature is additive and isolated behind the new `ai analyze-project` command path. Runtime doc writes created by the command include snapshots and restore hints under `.quiver/runs/<run-id>/snapshots/`.
125
+
126
+ ## Risks / Notes
127
+
128
+ - `ai analyze-project` human output is currently English-only; JSON output is stable. This is recorded as an accepted i18n follow-up in the v43 command matrix.
129
+ - Stack-specific adapters such as Rails, Django, Laravel, NestJS, Spring, and mobile are deferred. Generic heuristics remain the fallback and keep the same schema.
130
+ - `--dry-run` intentionally never writes and never executes provider CLIs.
131
+ - `.quiver/` is excluded from npm packaging to avoid publishing local AI run state.
@@ -0,0 +1,14 @@
1
+ # CLOSURE_BRIEF - slice-00 Analysis contract foundation
2
+
3
+ ## Summary
4
+
5
+ Spec package and slice handoffs created from approved acceptance criteria, technical plan, and production review. Runtime implementation intentionally not started.
6
+
7
+ ## Validation
8
+
9
+ - [ ] `node -e "const fs=require('fs'); for (const f of fs.globSync('specs/quiver-v46-deep-project-analysis/slices/*/slice.json')) JSON.parse(fs.readFileSync(f,'utf8')); console.log('slice json ok')"`
10
+ - [ ] `git diff --check`
11
+
12
+ ## Follow-Up
13
+
14
+ - Start `slice-01-stack-agnostic-discovery-sampling` only when implementation is explicitly requested.
@@ -0,0 +1,41 @@
1
+ # EXECUTION_BRIEF - slice-00 Analysis contract foundation
2
+
3
+ ## Context
4
+
5
+ The user approved acceptance criteria and a production review for a new deep project analysis workflow. This slice creates the documented contract only.
6
+
7
+ ## Objective
8
+
9
+ Create the v46 spec package and all slice handoffs without implementing runtime code.
10
+
11
+ ## Scope
12
+
13
+ ### Included
14
+
15
+ - `SPEC.md`
16
+ - `STATUS.md`
17
+ - `EXECUTION_PLAN.md`
18
+ - `EVIDENCE_REPORT.md`
19
+ - `pr.md`
20
+ - `slice.json`, `EXECUTION_BRIEF.md`, and `CLOSURE_BRIEF.md` for each planned slice.
21
+
22
+ ### Excluded
23
+
24
+ - CLI parser changes.
25
+ - Source discovery implementation.
26
+ - Provider execution.
27
+ - Safe write implementation.
28
+ - Tests beyond structural validation.
29
+
30
+ ## Acceptance Criteria
31
+
32
+ - Spec package exists under `specs/quiver-v46-deep-project-analysis`.
33
+ - Every slice directory includes `slice.json`, `EXECUTION_BRIEF.md`, and `CLOSURE_BRIEF.md`.
34
+ - Runtime implementation is explicitly marked as not started.
35
+ - Source code implementation files are not modified.
36
+
37
+ ## Completion Checklist
38
+
39
+ - [x] Spec package created.
40
+ - [x] Slice handoffs created.
41
+ - [x] Implementation deferred.
@@ -0,0 +1,61 @@
1
+ {
2
+ "slice_id": "slice-00-analysis-contract-foundation",
3
+ "ticket": "QUIVER-46-00",
4
+ "type": "documentation",
5
+ "title": "Analysis contract foundation",
6
+ "objective": "Create the approved v46 spec package and implementation handoffs for deep project analysis without implementing runtime code.",
7
+ "description": "Documents the user-approved acceptance criteria, production review additions, technical plan, slice roadmap, and handoffs for the new ai analyze-project workflow.",
8
+ "git": {
9
+ "branch_type": "feature",
10
+ "base_branch": "main",
11
+ "branch_slug": "v46-analysis-contract-foundation",
12
+ "branch_name": "feature/QUIVER-46-00-v46-analysis-contract-foundation"
13
+ },
14
+ "files": [
15
+ "specs/quiver-v46-deep-project-analysis/**"
16
+ ],
17
+ "expected_read_paths": [
18
+ "README_FOR_AI.md",
19
+ "docs/reference/commands.md",
20
+ "specs/quiver-v44-provider-live-output-tui-lite/SPEC.md",
21
+ "src/create-quiver/commands/ai.js",
22
+ "src/create-quiver/lib/ai/onboarding-template.js"
23
+ ],
24
+ "allowed_write_paths": [
25
+ "specs/quiver-v46-deep-project-analysis/**"
26
+ ],
27
+ "depends_on": [],
28
+ "parallel_safe": "no",
29
+ "parallel_safe_reason": "Foundation defines the contract for all later v46 slices.",
30
+ "must": [
31
+ "Create SPEC.md, STATUS.md, EXECUTION_PLAN.md, EVIDENCE_REPORT.md, pr.md, and all slice handoffs.",
32
+ "Capture approved acceptance criteria and production review additions.",
33
+ "Keep runtime implementation code untouched.",
34
+ "Make default read-only, privacy preflight, evidence validation, and safe writes explicit guardrails."
35
+ ],
36
+ "not_included": [
37
+ "Runtime CLI parser implementation.",
38
+ "Discovery or sampling implementation.",
39
+ "Provider execution.",
40
+ "Doc write implementation."
41
+ ],
42
+ "acceptance": [
43
+ "Spec package exists under specs/quiver-v46-deep-project-analysis.",
44
+ "Every slice directory includes slice.json, EXECUTION_BRIEF.md, and CLOSURE_BRIEF.md.",
45
+ "The package records that runtime implementation has not started.",
46
+ "No source code implementation files are modified by this slice."
47
+ ],
48
+ "tests": [
49
+ "node -e \"const fs=require('fs'); for (const f of fs.globSync('specs/quiver-v46-deep-project-analysis/slices/*/slice.json')) JSON.parse(fs.readFileSync(f,'utf8')); console.log('slice json ok')\"",
50
+ "git diff --check"
51
+ ],
52
+ "validation_hints": [
53
+ "Validate JSON parseability for every slice file.",
54
+ "Inspect git diff to confirm only v46 spec files changed for this slice."
55
+ ],
56
+ "estimated_hours": 1,
57
+ "status": "completed",
58
+ "blocked_reason": null,
59
+ "actual_hours": 1,
60
+ "completed_at": "2026-06-10"
61
+ }
@@ -0,0 +1,22 @@
1
+ # CLOSURE_BRIEF - slice-01 Stack-agnostic discovery and sampling
2
+
3
+ ## Summary
4
+
5
+ Implemented the read-only `ai analyze-project` command shell plus deterministic, stack-agnostic discovery and semantic sampling. The command reports selected files, omitted files, budgets, workspace roots, detected configs/entrypoints/scripts, and safety exclusions without provider execution or persistent writes.
6
+
7
+ ## Validation
8
+
9
+ - [x] `node --test tests/commands/ai-analyze-project.test.js`
10
+ - [x] `node --test tests/lib/ai-analyze-project-discovery.test.js`
11
+ - [x] `node --test tests/commands/cli-contract.test.js`
12
+ - [x] `node --test`
13
+ - [x] `node bin/create-quiver.js ai analyze-project --dry-run`
14
+ - [x] `node bin/create-quiver.js ai analyze-project --dry-run --json`
15
+ - [x] `git diff --check`
16
+
17
+ ## Closure Notes
18
+
19
+ - Adapter-specific hooks were deferred to later slices; the current implementation uses a generic heuristic scorer with stable output fields.
20
+ - `--deep` enables source and DB sampling. Tests remain opt-in through `--include-tests`.
21
+ - JSON output includes full selected/omitted detail for automation; human output caps long lists while preserving reason summaries.
22
+ - No `.quiver` runtime state is created by the new command in slice-01.
@@ -0,0 +1,33 @@
1
+ # EXECUTION_BRIEF - slice-01 Stack-agnostic discovery and sampling
2
+
3
+ ## Context
4
+
5
+ This slice starts runtime implementation for the new `ai analyze-project` command but keeps it deterministic and read-only. It must not execute a provider and must not write files.
6
+
7
+ ## Objective
8
+
9
+ Create the command shell, dry-run output, discovery, sampling, budgets, scope handling, and safety exclusions needed before any AI provider work can be added.
10
+
11
+ ## Acceptance Criteria
12
+
13
+ - `ai analyze-project` exists and is read-only by default.
14
+ - `--dry-run` writes no files and runs no provider.
15
+ - Human output lists selected files, omitted files, budgets, roots, scope, safety exclusions, and next commands.
16
+ - `--json` produces clean machine-readable output.
17
+ - Sampling respects `--max-files`, `--max-bytes`, `--include-source`, `--include-tests`, `--include-db`, and `--scope`.
18
+ - Secrets, dependencies, caches, build outputs, `.git`, binary files, and outside-repo symlinks are excluded.
19
+ - Monorepo/workspace roots are reported.
20
+
21
+ ## Production Guardrails
22
+
23
+ - `--json` is format only; it must not imply writes or provider execution.
24
+ - No-TTY behavior must not wait for interaction.
25
+ - Symlinks must be omitted unless they resolve inside the repo and an explicit future mode supports following them.
26
+
27
+ ## Completion Checklist
28
+
29
+ - [ ] Parser and command dispatch added.
30
+ - [ ] Discovery/sampling module added.
31
+ - [ ] Dry-run report implemented.
32
+ - [ ] Fixtures and tests added.
33
+ - [ ] No provider or write path introduced.
@@ -0,0 +1,80 @@
1
+ {
2
+ "slice_id": "slice-01-stack-agnostic-discovery-sampling",
3
+ "ticket": "QUIVER-46-01",
4
+ "type": "feature",
5
+ "title": "Stack-agnostic discovery and sampling",
6
+ "objective": "Add the read-only ai analyze-project command shell plus deterministic discovery and semantic sampling without provider execution or writes.",
7
+ "description": "Introduces the safe default command behavior, dry-run reports, stack-agnostic source discovery, scope support, budgets, safety exclusions, and selected/omitted file explanations.",
8
+ "git": {
9
+ "branch_type": "feature",
10
+ "base_branch": "main",
11
+ "branch_slug": "v46-discovery-sampling",
12
+ "branch_name": "feature/QUIVER-46-01-v46-discovery-sampling"
13
+ },
14
+ "files": [
15
+ "src/create-quiver/index.js",
16
+ "src/create-quiver/commands/ai.js",
17
+ "src/create-quiver/lib/ai/analyze-project-discovery.js",
18
+ "src/create-quiver/lib/ai/analyze-project-sampling.js",
19
+ "src/create-quiver/lib/ai/safety.js",
20
+ "tests/**"
21
+ ],
22
+ "expected_read_paths": [
23
+ "src/create-quiver/index.js",
24
+ "src/create-quiver/commands/ai.js",
25
+ "src/create-quiver/lib/ai/safety.js",
26
+ "src/create-quiver/lib/project-scan.js",
27
+ "src/create-quiver/lib/project-state-resolver.js",
28
+ "tests/commands"
29
+ ],
30
+ "allowed_write_paths": [
31
+ "src/create-quiver/index.js",
32
+ "src/create-quiver/commands/ai.js",
33
+ "src/create-quiver/lib/ai/analyze-project-discovery.js",
34
+ "src/create-quiver/lib/ai/analyze-project-sampling.js",
35
+ "src/create-quiver/lib/ai/safety.js",
36
+ "tests/**",
37
+ "specs/quiver-v46-deep-project-analysis/**"
38
+ ],
39
+ "depends_on": [
40
+ "slice-00-analysis-contract-foundation"
41
+ ],
42
+ "parallel_safe": "no",
43
+ "parallel_safe_reason": "This slice establishes command shape and discovery contracts used by all later slices.",
44
+ "must": [
45
+ "Add ai analyze-project parser and read-only default behavior.",
46
+ "Implement --dry-run and --json output without provider execution or writes.",
47
+ "Implement --max-files, --max-bytes, --include-source, --include-tests, --include-db, and --scope planning behavior.",
48
+ "Select representative files using stack-agnostic semantic signals.",
49
+ "Report selected files, omitted files, budgets, safety exclusions, symlink handling, and analyzed roots.",
50
+ "Never include secrets, .git, node_modules, caches, build outputs, binary files, or outside-repo symlinks."
51
+ ],
52
+ "not_included": [
53
+ "Provider prompt execution.",
54
+ "AI JSON schema parsing.",
55
+ "Doc update writes.",
56
+ "Review/editor flow."
57
+ ],
58
+ "acceptance": [
59
+ "Running ai analyze-project with no write flags is read-only.",
60
+ "Running ai analyze-project --dry-run writes no files and runs no provider.",
61
+ "Dry-run human output explains selected files and omitted files with reasons.",
62
+ "Dry-run JSON output is machine-readable and not contaminated by human UI.",
63
+ "Budgets and include flags change the sampling plan predictably.",
64
+ "Monorepo/workspace roots are reported and --scope restricts analysis.",
65
+ "Symlinks are not followed by default and outside-repo symlinks are omitted."
66
+ ],
67
+ "tests": [
68
+ "node --test tests/commands/ai-analyze-project.test.js",
69
+ "node --test tests/lib/ai-analyze-project-discovery.test.js",
70
+ "git diff --check"
71
+ ],
72
+ "validation_hints": [
73
+ "Use fixtures for Next/Supabase, unknown stack, monorepo, symlink, binary, and secret paths.",
74
+ "Assert no .quiver/runs directory is created by dry-run."
75
+ ],
76
+ "estimated_hours": 8,
77
+ "status": "completed",
78
+ "completed_at": "2026-06-10",
79
+ "blocked_reason": null
80
+ }
@@ -0,0 +1,21 @@
1
+ # CLOSURE_BRIEF - slice-02 Provider analysis JSON contract
2
+
3
+ ## Summary
4
+
5
+ Implemented provider-backed analysis for `ai analyze-project` without documentation writes. Live mode builds a redacted evidence prompt, runs privacy preflight before provider execution, requires JSON-only output, validates schema, validates evidence paths against the selected sample, downgrades confirmed claims backed by truncated files, and returns a redacted size-limited provider artifact in memory/stdout.
6
+
7
+ ## Validation
8
+
9
+ - [x] `node --test tests/commands/ai-analyze-project-provider.test.js`
10
+ - [x] `node --test tests/lib/ai-analyze-project-schema.test.js`
11
+ - [x] `node --test tests/lib/ai-analyze-project-parser.test.js`
12
+ - [x] `node --test`
13
+ - [x] `git diff --check`
14
+
15
+ ## Closure Notes
16
+
17
+ - Provider failure, timeout-style non-ok results, malformed JSON, invalid schema, invalid evidence paths, and unapproved doc update paths fail before any filesystem write.
18
+ - `confirmed`, `inferred`, and `conflict` conclusions require evidence from the selected sample. `unknown` may omit evidence.
19
+ - Claims citing truncated files cannot remain `confirmed`; they are downgraded to `inferred` with validation warnings.
20
+ - Provider artifacts are redacted and size-limited but not persisted in this slice. Persistence/snapshots are deferred to slice-03.
21
+ - Doc update proposal content is validated as JSON data only; converting it into files is deferred to slice-03.
@@ -0,0 +1,34 @@
1
+ # EXECUTION_BRIEF - slice-02 Provider analysis JSON contract
2
+
3
+ ## Context
4
+
5
+ The command can already plan discovery and sampling in read-only mode after slice-01. This slice adds provider-backed analysis but must still not write documentation.
6
+
7
+ ## Objective
8
+
9
+ Run the provider only after privacy preflight, then parse and validate evidence-backed JSON analysis.
10
+
11
+ ## Acceptance Criteria
12
+
13
+ - Provider execution requires privacy preflight approval.
14
+ - Provider prompt requires JSON only.
15
+ - JSON schema validates product, domain, architecture, features, risks, questions, claims, and doc update proposals.
16
+ - Evidence paths exist in the selected sample or are rejected/downgraded.
17
+ - Truncated-file claims cannot be `confirmed`.
18
+ - Invalid JSON, invalid schema, provider failure, timeout, or privacy failure writes no files.
19
+ - Artifacts are redacted and size-limited.
20
+
21
+ ## Production Guardrails
22
+
23
+ - Do not persist unredacted provider output.
24
+ - Do not convert JSON into docs yet.
25
+ - Do not mark weak or missing evidence as confirmed.
26
+ - Keep `--json` output clean.
27
+
28
+ ## Completion Checklist
29
+
30
+ - [ ] Prompt added.
31
+ - [ ] Schema added.
32
+ - [ ] Parser and evidence validator added.
33
+ - [ ] Privacy preflight wired before provider execution.
34
+ - [ ] Provider tests added.
@@ -0,0 +1,79 @@
1
+ {
2
+ "slice_id": "slice-02-provider-analysis-json-contract",
3
+ "ticket": "QUIVER-46-02",
4
+ "type": "feature",
5
+ "title": "Provider analysis JSON contract",
6
+ "objective": "Add privacy-gated provider execution and validated JSON analysis output with confidence and evidence rules.",
7
+ "description": "Builds the provider prompt, schema, parser, evidence validation, confidence enforcement, truncation rules, and invalid-output no-write behavior for ai analyze-project.",
8
+ "git": {
9
+ "branch_type": "feature",
10
+ "base_branch": "main",
11
+ "branch_slug": "v46-provider-analysis-json",
12
+ "branch_name": "feature/QUIVER-46-02-v46-provider-analysis-json"
13
+ },
14
+ "files": [
15
+ "src/create-quiver/commands/ai.js",
16
+ "src/create-quiver/lib/ai/analyze-project-schema.js",
17
+ "src/create-quiver/lib/ai/analyze-project-prompts.js",
18
+ "src/create-quiver/lib/ai/analyze-project-parser.js",
19
+ "src/create-quiver/lib/ai/artifacts.js",
20
+ "tests/**"
21
+ ],
22
+ "expected_read_paths": [
23
+ "src/create-quiver/lib/ai/providers.js",
24
+ "src/create-quiver/lib/ai/preflight.js",
25
+ "src/create-quiver/lib/ai/artifacts.js",
26
+ "src/create-quiver/commands/ai.js",
27
+ "src/create-quiver/lib/ai/context-proposal.schema.js"
28
+ ],
29
+ "allowed_write_paths": [
30
+ "src/create-quiver/commands/ai.js",
31
+ "src/create-quiver/lib/ai/analyze-project-schema.js",
32
+ "src/create-quiver/lib/ai/analyze-project-prompts.js",
33
+ "src/create-quiver/lib/ai/analyze-project-parser.js",
34
+ "src/create-quiver/lib/ai/artifacts.js",
35
+ "tests/**",
36
+ "specs/quiver-v46-deep-project-analysis/**"
37
+ ],
38
+ "depends_on": [
39
+ "slice-01-stack-agnostic-discovery-sampling"
40
+ ],
41
+ "parallel_safe": "no",
42
+ "parallel_safe_reason": "Provider execution depends on deterministic sampling and privacy preflight from slice-01.",
43
+ "must": [
44
+ "Add privacy preflight before any provider execution.",
45
+ "Build a prompt that requires JSON only, evidence-backed claims, and no unsupported assertions.",
46
+ "Validate provider JSON against schema before any write or proposal conversion.",
47
+ "Validate evidence paths against selected sampled files.",
48
+ "Enforce confidence rules, including that truncated-file claims cannot be confirmed.",
49
+ "Fail without writes on invalid JSON, invalid paths, unsupported model, provider failure, timeout, or privacy failure.",
50
+ "Redact sensitive content before prompt construction and artifact persistence."
51
+ ],
52
+ "not_included": [
53
+ "Writing docs updates.",
54
+ "Editor review flow.",
55
+ "Post-write validation."
56
+ ],
57
+ "acceptance": [
58
+ "Provider execution cannot start until the privacy preflight passes.",
59
+ "Invalid provider JSON fails with no filesystem writes.",
60
+ "Evidence paths are validated and missing paths are rejected or downgraded according to schema rules.",
61
+ "Claims include confidence and evidence where required.",
62
+ "Truncated inputs prevent confirmed confidence.",
63
+ "Provider output artifacts are redacted and size-limited."
64
+ ],
65
+ "tests": [
66
+ "node --test tests/commands/ai-analyze-project-provider.test.js",
67
+ "node --test tests/lib/ai-analyze-project-schema.test.js",
68
+ "node --test tests/lib/ai-analyze-project-parser.test.js",
69
+ "git diff --check"
70
+ ],
71
+ "validation_hints": [
72
+ "Use fake provider output for valid JSON, invalid JSON, invented evidence, conflict claims, and truncated evidence.",
73
+ "Assert no docs are written by this slice."
74
+ ],
75
+ "estimated_hours": 10,
76
+ "status": "completed",
77
+ "completed_at": "2026-06-10",
78
+ "blocked_reason": null
79
+ }
@@ -0,0 +1,19 @@
1
+ # CLOSURE_BRIEF - slice-03 Doc proposal review and safe writes
2
+
3
+ ## Summary
4
+
5
+ Implemented safe documentation writes for `ai analyze-project --review`. Validated analysis is converted into a constrained doc proposal, edited as JSON, revalidated, diffed, and written only after explicit confirmation. Writes are limited to approved Markdown docs, preserve human-authored content through a managed block, report dirty target files before confirmation, and create `.quiver/runs` snapshots, manifests, before/after hashes, restore hints, and redacted raw artifacts before mutating docs.
6
+
7
+ ## Validation
8
+
9
+ - [x] `node --test tests/commands/ai-analyze-project-review.test.js`
10
+ - [x] `node --test tests/lib/ai-analyze-project-docs.test.js`
11
+ - [x] `node --test`
12
+ - [x] `git diff --check`
13
+
14
+ ## Closure Notes
15
+
16
+ - Managed-block strategy: Quiver owns only the block between `<!-- quiver:analyze-project:start -->` and `<!-- quiver:analyze-project:end -->`. Existing human content outside that block is preserved.
17
+ - `docs/PROJECT_MAP.md` uses the same constrained managed-block path as other approved docs; product code, lockfiles, configs, and dependency files remain denied for writes.
18
+ - Restore guidance is stored per changed file in the snapshot manifest with original snapshots and before/after hashes.
19
+ - No-TTY review, review cancellation, invalid edited proposals, path traversal, oversized docs, dirty targets, and declined confirmation leave target docs unchanged.
@@ -0,0 +1,33 @@
1
+ # EXECUTION_BRIEF - slice-03 Doc proposal review and safe writes
2
+
3
+ ## Context
4
+
5
+ The provider can return validated project analysis JSON after slice-02. This slice is the first one allowed to write docs, but only through review and safe snapshots.
6
+
7
+ ## Objective
8
+
9
+ Turn validated analysis into reviewable documentation updates and write them safely after explicit approval.
10
+
11
+ ## Acceptance Criteria
12
+
13
+ - Only approved Markdown docs can be updated.
14
+ - `docs/PROJECT_MAP.md` remains deterministic or receives only constrained managed-block content.
15
+ - Human-authored content is preserved.
16
+ - `--review` opens an editable proposal, revalidates it, shows a final diff, and asks for confirmation.
17
+ - Canceling review writes nothing.
18
+ - Non-TTY review fails with actionable guidance.
19
+ - Writes create `.quiver/runs` snapshots, manifest, before/after hashes, and redacted artifacts.
20
+ - Dirty target docs are reported before writing.
21
+
22
+ ## Production Guardrails
23
+
24
+ - Product code, lockfiles, configs, and dependency files are denylisted for writes.
25
+ - Path traversal and oversized doc updates must fail closed.
26
+ - Raw provider artifacts must be redacted before persistence.
27
+
28
+ ## Completion Checklist
29
+
30
+ - [ ] Doc proposal conversion added.
31
+ - [ ] Review/edit/final-diff flow added.
32
+ - [ ] Safe write and snapshot logic added.
33
+ - [ ] Cancel/no-TTY/dirty path behavior tested.
@@ -0,0 +1,79 @@
1
+ {
2
+ "slice_id": "slice-03-doc-proposal-review-safe-writes",
3
+ "ticket": "QUIVER-46-03",
4
+ "type": "feature",
5
+ "title": "Doc proposal review and safe writes",
6
+ "objective": "Convert validated analysis into reviewable doc updates and write only approved docs with snapshots and manifests.",
7
+ "description": "Adds doc update proposal generation, review/edit/final-diff/confirm flow, managed blocks or safe merge behavior, safe writes, snapshot manifests, hashes, and restore guidance.",
8
+ "git": {
9
+ "branch_type": "feature",
10
+ "base_branch": "main",
11
+ "branch_slug": "v46-doc-review-safe-writes",
12
+ "branch_name": "feature/QUIVER-46-03-v46-doc-review-safe-writes"
13
+ },
14
+ "files": [
15
+ "src/create-quiver/commands/ai.js",
16
+ "src/create-quiver/lib/ai/analyze-project-docs.js",
17
+ "src/create-quiver/lib/ai/analyze-project-review.js",
18
+ "src/create-quiver/lib/ai/run-state.js",
19
+ "src/create-quiver/lib/ai/artifacts.js",
20
+ "tests/**"
21
+ ],
22
+ "expected_read_paths": [
23
+ "src/create-quiver/commands/ai.js",
24
+ "src/create-quiver/lib/ai/run-state.js",
25
+ "src/create-quiver/lib/ai/artifacts.js",
26
+ "src/create-quiver/lib/cli/editor.js",
27
+ "src/create-quiver/lib/approvals.js"
28
+ ],
29
+ "allowed_write_paths": [
30
+ "src/create-quiver/commands/ai.js",
31
+ "src/create-quiver/lib/ai/analyze-project-docs.js",
32
+ "src/create-quiver/lib/ai/analyze-project-review.js",
33
+ "src/create-quiver/lib/ai/run-state.js",
34
+ "src/create-quiver/lib/ai/artifacts.js",
35
+ "tests/**",
36
+ "specs/quiver-v46-deep-project-analysis/**"
37
+ ],
38
+ "depends_on": [
39
+ "slice-02-provider-analysis-json-contract"
40
+ ],
41
+ "parallel_safe": "no",
42
+ "parallel_safe_reason": "Safe writes depend on validated provider analysis and must define the user-visible mutation contract.",
43
+ "must": [
44
+ "Convert validated analysis into doc updates for approved paths only.",
45
+ "Keep docs/PROJECT_MAP.md deterministic or constrain AI content to a managed block.",
46
+ "Preserve human-authored content using stable managed blocks or safe merge rules.",
47
+ "Implement --review editor flow with schema revalidation after edit.",
48
+ "Show final diff and require explicit confirmation before writing.",
49
+ "Cancel cleanly without writes.",
50
+ "Create .quiver/runs snapshots, manifests, before/after hashes, redacted raw artifacts, and restore guidance.",
51
+ "Handle no-TTY review attempts with actionable errors."
52
+ ],
53
+ "not_included": [
54
+ "Final public docs polish.",
55
+ "Release readiness smokes.",
56
+ "Post-write placeholder/conflict validation beyond write-time safety checks."
57
+ ],
58
+ "acceptance": [
59
+ "Doc updates target only whitelisted Markdown paths.",
60
+ "Review edit is revalidated before final diff.",
61
+ "Canceling review leaves the repo unchanged.",
62
+ "Approved writes create snapshots and manifest entries for every changed file.",
63
+ "Dirty target docs are reported before writing and require explicit confirmation or a documented flag.",
64
+ ".quiver/runs artifacts are redacted and ignored from git."
65
+ ],
66
+ "tests": [
67
+ "node --test tests/commands/ai-analyze-project-review.test.js",
68
+ "node --test tests/lib/ai-analyze-project-docs.test.js",
69
+ "git diff --check"
70
+ ],
71
+ "validation_hints": [
72
+ "Test review cancel, invalid edited JSON, no-TTY review, dirty target docs, path traversal, oversized doc updates, and snapshot manifests.",
73
+ "Confirm product code paths cannot be written."
74
+ ],
75
+ "estimated_hours": 10,
76
+ "status": "completed",
77
+ "completed_at": "2026-06-10",
78
+ "blocked_reason": null
79
+ }