create-quiver 0.17.5 → 0.17.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (32) hide show
  1. package/docs/TROUBLESHOOTING.md +52 -0
  2. package/docs/reference/commands.md +3 -0
  3. package/docs/workflows/existing-project-ai-quiver-setup.md +0 -1
  4. package/docs/workflows/existing-project.md +1 -0
  5. package/package.json +1 -1
  6. package/specs/quiver-v43-cli-i18n-audit-release-readiness/command-language-mode-matrix.json +1 -0
  7. package/specs/quiver-v57-evidence-budget-recovery-ux/EVIDENCE_REPORT.md +27 -0
  8. package/specs/quiver-v57-evidence-budget-recovery-ux/EXECUTION_PLAN.md +41 -0
  9. package/specs/quiver-v57-evidence-budget-recovery-ux/SPEC.md +139 -0
  10. package/specs/quiver-v57-evidence-budget-recovery-ux/STATUS.md +20 -0
  11. package/specs/quiver-v57-evidence-budget-recovery-ux/pr.md +124 -0
  12. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-01-recovery-contract-security-classifier/CLOSURE_BRIEF.md +22 -0
  13. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-01-recovery-contract-security-classifier/EXECUTION_BRIEF.md +58 -0
  14. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-01-recovery-contract-security-classifier/pr.md +12 -0
  15. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-01-recovery-contract-security-classifier/slice.json +60 -0
  16. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-02-budget-command-recommendation/CLOSURE_BRIEF.md +9 -0
  17. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-02-budget-command-recommendation/EXECUTION_BRIEF.md +54 -0
  18. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-02-budget-command-recommendation/pr.md +12 -0
  19. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-02-budget-command-recommendation/slice.json +60 -0
  20. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-03-cli-json-i18n-output/CLOSURE_BRIEF.md +10 -0
  21. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-03-cli-json-i18n-output/EXECUTION_BRIEF.md +58 -0
  22. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-03-cli-json-i18n-output/pr.md +13 -0
  23. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-03-cli-json-i18n-output/slice.json +68 -0
  24. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-04-integration-fixtures-docs-release-smoke/CLOSURE_BRIEF.md +14 -0
  25. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-04-integration-fixtures-docs-release-smoke/EXECUTION_BRIEF.md +55 -0
  26. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-04-integration-fixtures-docs-release-smoke/pr.md +14 -0
  27. package/specs/quiver-v57-evidence-budget-recovery-ux/slices/slice-04-integration-fixtures-docs-release-smoke/slice.json +65 -0
  28. package/src/create-quiver/commands/ai.js +96 -1
  29. package/src/create-quiver/lib/ai/analyze-project-recovery.js +736 -0
  30. package/src/create-quiver/lib/ai/analyze-project-validation.js +1 -0
  31. package/src/create-quiver/lib/i18n/messages/en.js +6 -0
  32. package/src/create-quiver/lib/i18n/messages/es.js +6 -0
@@ -131,6 +131,58 @@ npx --yes create-quiver@latest ai analyze-project apply --run <run-id>
131
131
 
132
132
  `--review` sigue disponible como modo avanzado si querés editar la propuesta JSON manualmente antes de escribir.
133
133
 
134
+ ## `ai analyze-project` falla con `evidence-not-selected`
135
+
136
+ ### Síntoma
137
+
138
+ El comando:
139
+
140
+ ```bash
141
+ npx --yes create-quiver@latest ai analyze-project --deep --provider codex --model gpt-5.5
142
+ ```
143
+
144
+ falla con un mensaje como:
145
+
146
+ ```text
147
+ provider analysis JSON failed evidence validation
148
+ evidence-not-selected
149
+ ```
150
+
151
+ ### Explicación
152
+
153
+ El provider citó una ruta que no estaba dentro de la muestra enviada. Quiver mantiene esa validación porque evita que el modelo afirme cosas usando archivos que no leyó.
154
+
155
+ En versiones actuales, Quiver clasifica esas rutas antes de sugerir un fix:
156
+
157
+ - rutas seguras omitidas por presupuesto pueden recomendar `--max-files` o `--max-bytes` mayores;
158
+ - tests omitidos pueden recomendar `--include-tests`;
159
+ - DB/schema omitidos pueden recomendar `--include-db`;
160
+ - `.env`, secretos, `.git`, `.quiver`, dependencias, caches, dumps, binarios y outputs generados no se recomiendan;
161
+ - `.env.example` se trata como metadata/redacted, no como contenido seguro completo.
162
+
163
+ ### Qué hacer
164
+
165
+ Usá el comando exacto que Quiver imprime debajo de `Recommended fix` o `Solucion recomendada`. Por ejemplo:
166
+
167
+ ```bash
168
+ npx --yes create-quiver@latest ai analyze-project --deep --max-files 120 --max-bytes 500000 --provider codex --model gpt-5.5
169
+ ```
170
+
171
+ Si Quiver no puede recomendar un aumento seguro porque se exceden los caps o la evidencia no debe enviarse, inspeccioná la muestra y acotá el scope:
172
+
173
+ ```bash
174
+ npx --yes create-quiver@latest ai analyze-project --deep --dry-run --json
175
+ npx --yes create-quiver@latest ai analyze-project --deep --scope apps/web --provider codex --model gpt-5.5
176
+ ```
177
+
178
+ La auditoría queda en:
179
+
180
+ ```text
181
+ .quiver/runs/run-.../validation/analyze-project-validation.json
182
+ ```
183
+
184
+ Ese manifest incluye `recovery`, con clasificación de rutas, presupuesto calculado, comando sugerido y warnings.
185
+
134
186
  ## `ai analyze-project` no completa `docs/CONTEXTO.md` ni crea `docs/ARCHITECTURE.md`
135
187
 
136
188
  ### Síntoma
@@ -226,6 +226,7 @@ Garantías del flujo con proveedor:
226
226
  - Si el proveedor devuelve JSON con drift seguro como `notes`, `claim` usado como `name` faltante, o `confidence` en paths no permitidos, Quiver lo repara, registra el repair y revalida.
227
227
  - Si el JSON sigue inválido pero el error es retryable, Quiver hace 1 retry por defecto, con cap duro de 2 retries.
228
228
  - Si el JSON final es inválido, Quiver falla sin escribir docs finales y deja manifests de validación/retry/repair en `.quiver/runs`.
229
+ - Si el proveedor cita evidencia fuera de la muestra seleccionada, Quiver clasifica esas rutas, no recomienda incluir secretos ni binarios, y muestra una `Recommended fix` / `Solucion recomendada` con un comando seguro cuando corresponde.
229
230
  - El modo provider normal aplica docs finales por defecto después de validar la propuesta, crear proposal artifacts, snapshot, write manifest y validación post-write.
230
231
  - `--apply-docs` en TTY muestra opciones explicadas para aplicar, ver diff, guardar propuesta, editar propuesta o cancelar.
231
232
  - `--apply-docs --yes` aplica en automatización después de validar propuesta, paths permitidos, hashes, snapshot y post-write.
@@ -260,6 +261,7 @@ Evidencia esperada:
260
261
  - `package-lock.json` aparece en `detected.lockfiles` y en omitidos con `sampling:lockfile-metadata`, no en contenido enviado al provider.
261
262
  - El modo provider escribe artifacts auditados en `.quiver/runs`, redactados y con tamaño controlado, y aplica docs finales validados por defecto.
262
263
  - Si el provider devuelve drift no reparable, el comando falla con path/tipo/causa probable y próximo comando seguro, sin escribir docs finales.
264
+ - Si el error es `evidence-not-selected`, el validation manifest incluye un bloque `recovery` con clasificación de rutas, presupuesto calculado, warnings y comando recomendado. Por ejemplo, si el provider citó tests omitidos, Quiver puede sugerir `--include-tests`; si faltó presupuesto seguro, puede sugerir `--max-files` y `--max-bytes` mayores. Si la evidencia es `.env`, dependencias, caches, dumps o binarios, no la recomienda.
263
265
  - `--save-proposal` debe crear `.quiver/runs/<run-id>/proposal/*` sin modificar docs finales.
264
266
  - `--apply-docs` debe mostrar selector explicado en TTY o requerir `--yes` en automatización.
265
267
  - `apply --run <run-id>` debe aplicar la propuesta guardada sin volver a ejecutar proveedor.
@@ -283,6 +285,7 @@ Rollback de release:
283
285
  | `npx --yes create-quiver@latest ai analyze-project --deep --apply-docs --yes --provider codex --model gpt-5.5` | Aplica docs validados en modo automatizado, con snapshots y validación post-write. |
284
286
  | `npx --yes create-quiver@latest ai analyze-project apply --run <run-id>` | Aplica una propuesta guardada sin ejecutar proveedor ni requerir `--provider` o `--model`. |
285
287
  | `npx --yes create-quiver@latest ai analyze-project --scope apps/web --max-files 80 --max-bytes 300000 --include-tests --dry-run` | Acota el análisis por workspace/ruta y presupuesto de muestra. |
288
+ | `npx --yes create-quiver@latest ai analyze-project --deep --max-files 120 --max-bytes 500000 --provider codex --model gpt-5.5` | Ejemplo de rerun cuando Quiver recomienda ampliar una muestra segura después de `evidence-not-selected`. Usá el comando exacto que imprime el error. |
286
289
  | `npx --yes create-quiver@latest ai prepare-context --dry-run` | Previsualiza actualizaciones documentales de contexto para IA. |
287
290
  | `npx --yes create-quiver@latest ai prepare-context` | Escribe actualizaciones documentales de contexto para IA. |
288
291
  | `npx --yes create-quiver@latest ai prepare-context --with-planner --dry-run` | Previsualiza una propuesta docs-only generada por el planner sin escribir archivos. |
@@ -108,7 +108,6 @@ Archivos que puede crear o actualizar:
108
108
  ```bash
109
109
  npx --yes create-quiver@latest ai analyze-project \
110
110
  --deep \
111
- --review \
112
111
  --provider codex \
113
112
  --model gpt-5.5
114
113
  ```
@@ -98,6 +98,7 @@ Qué hace:
98
98
  - muestra loader en TTY y progreso lineal en no-TTY;
99
99
  - si hay drift seguro de schema, como `notes` extra, `claim` usado como `name` faltante o `confidence` donde no está permitido, lo repara de forma auditada;
100
100
  - si el error es retryable, hace un retry acotado con feedback compacto;
101
+ - si el provider cita evidencia fuera de la muestra, clasifica esas rutas y muestra una solución recomendada con `--include-tests`, `--include-db`, `--max-files` o `--max-bytes` solo cuando sea seguro;
101
102
  - si la propuesta final no es válida, falla sin escribir docs finales.
102
103
 
103
104
  Si preferís separar generación y aplicación:
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-quiver",
3
- "version": "0.17.5",
3
+ "version": "0.17.6",
4
4
  "private": false,
5
5
  "description": "Quiver CLI for scaffolding projects from the packaged template",
6
6
  "license": "MIT",
@@ -610,6 +610,7 @@
610
610
  { "command": "ai analyze-project --deep --review", "profile": "ai-analyze-project", "critical": "pass" },
611
611
  { "command": "ai analyze-project --deep --provider codex --model gpt-5.5", "profile": "ai-analyze-project", "critical": "pass" },
612
612
  { "command": "ai analyze-project --deep --save-proposal --provider codex --model gpt-5.5", "profile": "ai-analyze-project", "critical": "pass" },
613
+ { "command": "ai analyze-project --deep --max-files 120 --max-bytes 500000 --provider codex --model gpt-5.5", "profile": "ai-analyze-project", "critical": "pass" },
613
614
  { "command": "ai analyze-project --deep --apply-docs --provider codex --model gpt-5.5", "profile": "ai-analyze-project", "critical": "pass" },
614
615
  { "command": "ai analyze-project --deep --apply-docs --yes --provider codex --model gpt-5.5", "profile": "ai-analyze-project", "critical": "pass" },
615
616
  { "command": "ai analyze-project apply --run <run-id>", "profile": "ai-analyze-project", "critical": "pass" },
@@ -0,0 +1,27 @@
1
+ # Evidence Report - Quiver v57 Evidence Budget Recovery UX
2
+
3
+ ## Validation Log
4
+
5
+ - PASS `node --test tests/lib/ai-analyze-project-recovery.test.js`
6
+ - PASS `node bin/create-quiver.js spec validate specs/quiver-v57-evidence-budget-recovery-ux --strict`
7
+ - Completed slice: `slice-01-recovery-contract-security-classifier`
8
+ - Completed slice: `slice-02-budget-command-recommendation`
9
+ - PASS `node --test tests/commands/ai-analyze-project-provider.test.js`
10
+ - PASS `node --test tests/lib/i18n-catalog.test.js`
11
+ - Completed slice: `slice-03-cli-json-i18n-output`
12
+ - PASS `npm run docs:check`
13
+ - Completed slice: `slice-04-integration-fixtures-docs-release-smoke`
14
+ - PASS `node --test tests/lib/ai-analyze-project-recovery.test.js tests/commands/ai-analyze-project-provider.test.js tests/lib/ai-analyze-project-validation.test.js tests/lib/i18n-catalog.test.js`
15
+ - PASS `node bin/create-quiver.js spec validate specs/quiver-v57-evidence-budget-recovery-ux --strict`
16
+ - PASS `git diff --check`
17
+
18
+ ## Required Evidence Before Completion
19
+
20
+ - Focused recovery unit tests. Completed for slice 01.
21
+ - Budget and command recovery tests. Completed for slice 02.
22
+ - Validation manifest compatibility tests. Completed for slice 03.
23
+ - CLI output tests for English and Spanish. Completed for slice 03.
24
+ - JSON recovery payload tests. Completed for slice 04 through `runAnalyzeProject --json` error payload coverage.
25
+ - Sanitized nika-erp-style smoke. Covered by provider command fixture that reproduces omitted test evidence and metadata-only `.env.example` without private repo content.
26
+ - Spec validation. Completed.
27
+ - `git diff --check`. Completed.
@@ -0,0 +1,41 @@
1
+ # Execution Plan - Quiver v57 Evidence Budget Recovery UX
2
+
3
+ ## Order
4
+
5
+ 1. `slice-01-recovery-contract-security-classifier`
6
+ 2. `slice-02-budget-command-recommendation`
7
+ 3. `slice-03-cli-json-i18n-output`
8
+ 4. `slice-04-integration-fixtures-docs-release-smoke`
9
+
10
+ ## Parallelism
11
+
12
+ - Slice 01 is sequential and blocks everything else.
13
+ - Slice 02 is sequential after Slice 01 because it consumes the classification contract.
14
+ - Slice 03 is sequential after Slice 02 because it renders the recovery payload and must not recalculate safety or budget.
15
+ - Slice 04 is final. Inside Slice 04, docs, release notes, and integration fixture work can be done in parallel once Slice 03 is complete.
16
+
17
+ ## PR Strategy
18
+
19
+ - PR 1: Slice 01.
20
+ - PR 2: Slice 02.
21
+ - PR 3: Slice 03.
22
+ - PR 4: Slice 04.
23
+
24
+ ## Validation Gates
25
+
26
+ Each PR must run its focused tests plus:
27
+
28
+ ```bash
29
+ git diff --check
30
+ node bin/create-quiver.js spec validate specs/quiver-v57-evidence-budget-recovery-ux --strict
31
+ ```
32
+
33
+ ## Blocking Rule
34
+
35
+ Do not start a later slice unless the previous slice has:
36
+
37
+ - stable data contracts;
38
+ - focused tests;
39
+ - updated handoff status;
40
+ - no unresolved safety ambiguity.
41
+
@@ -0,0 +1,139 @@
1
+ # Quiver v57 - Evidence Budget Recovery UX
2
+
3
+ **Date:** 2026-06-18
4
+ **Status:** In Progress
5
+ **Source:** User-approved requirement, production review, stricter second-pass review, and execution plan for recoverable `ai analyze-project` evidence validation failures.
6
+
7
+ ## Problem
8
+
9
+ `ai analyze-project --deep --provider codex --model gpt-5.5` can fail safely when the provider cites evidence outside the selected context sample. The current failure is technically correct, but the user must infer whether the fix is increasing `--max-files`, increasing `--max-bytes`, enabling a category such as tests/db, or reducing scope. This creates avoidable friction after an expensive provider run.
10
+
11
+ The real observed case in `nika-erp` failed with `evidence-not-selected` for paths such as `.env.example`, `eslint.config.mjs`, and `app/test/page.tsx`. A larger budget later succeeded, but Quiver did not calculate or highlight a safe command that would likely recover the run.
12
+
13
+ ## Objective
14
+
15
+ When provider evidence validation fails because cited evidence was not selected, Quiver must generate a safe, auditable recovery payload and a prominent next command. The recovery must help the user rerun with the right context budget or scope without weakening evidence validation or sending unsafe files.
16
+
17
+ ## Scope
18
+
19
+ ### Included
20
+
21
+ - Evidence recovery contract for `evidence-not-selected` failures.
22
+ - Secure path normalization and classification.
23
+ - Safety-first classification for missing evidence paths.
24
+ - Deterministic budget recommendation for `--max-files` and `--max-bytes`.
25
+ - Command recommendation that preserves relevant user flags.
26
+ - Human CLI output in English and Spanish.
27
+ - `--json` recovery payload.
28
+ - Validation manifest recovery details.
29
+ - Focused tests, docs, and release smoke with a sanitized nika-erp-style fixture.
30
+
31
+ ### Excluded
32
+
33
+ - Auto-expanding context and retrying with a larger budget in the same run.
34
+ - Sending or recommending unsafe files such as `.env`, secrets, dependency folders, build outputs, dumps, caches, or binaries.
35
+ - Relaxing provider schema or evidence validation.
36
+ - Modifying product code in the analyzed repository.
37
+ - Generating specs automatically from project analysis.
38
+ - Rewriting the existing sampling engine beyond metadata needed for recovery.
39
+
40
+ ## Requirements
41
+
42
+ 1. On final `evidence-not-selected` failure, Quiver must classify every missing evidence path before recommending any fix.
43
+ 2. Classification must be the single source of truth for recovery safety.
44
+ 3. Quiver must never recommend increasing budget to include paths excluded for security.
45
+ 4. Quiver must never read or send `.env`, secrets, `.git`, `node_modules`, `.next`, caches, dumps, dependency folders, or binaries.
46
+ 5. `.env.example` and similar files must be treated as metadata/redacted only unless existing policy explicitly allows safe content.
47
+ 6. Quiver must differentiate at least these causes:
48
+ - `budget_limited`
49
+ - `security_excluded`
50
+ - `generated_or_dependency`
51
+ - `metadata_only`
52
+ - `missing_file`
53
+ - `not_discovered`
54
+ - `outside_scope`
55
+ - `unknown`
56
+ 7. Quiver must calculate recommended budgets from the current selected sample, safe missing evidence, and a safety margin.
57
+ 8. Quiver must never recommend a budget lower than the one used by the failed command.
58
+ 9. Quiver must enforce caps and suggest scope reduction when a safe recommendation exceeds caps.
59
+ 10. Quiver must preserve relevant command flags such as `--deep`, `--provider`, `--model`, `--include-tests`, `--include-db`, `--include-source`, `--scope`, `--lang`, and `--strict`.
60
+ 11. Quiver must not preserve transient or contradictory flags in the recommended command when they are not useful for recovery, such as `--json`, `--dry-run`, or obsolete review/apply flags.
61
+ 12. Human output must show the recommended fix prominently before long details.
62
+ 13. Human output must summarize missing evidence paths and truncate long lists.
63
+ 14. Spanish output must be available through existing language selection.
64
+ 15. `--json` must expose a stable optional `recovery` object without breaking existing consumers.
65
+ 16. Validation manifests must record recovery classification, budget calculation inputs, generated command, and warnings.
66
+ 17. If no safe recovery exists, Quiver must say so clearly and recommend inspection with a safe dry-run JSON command.
67
+ 18. Recovery must be deterministic for the same validation issues, report, and CLI options.
68
+
69
+ ## Budget Recommendation Contract
70
+
71
+ Recommended values are calculated only from classified safe evidence:
72
+
73
+ ```text
74
+ safe_missing_bytes = sum(effective_prompt_bytes for safe_to_include missing evidence)
75
+ safety_margin_bytes = max(50000, ceil(safe_missing_bytes * 0.25))
76
+ recommended_max_bytes = round_up_to_50000(current_selected_bytes + safe_missing_bytes + safety_margin_bytes)
77
+ recommended_max_files = max(current_max_files, current_selected_files + safe_missing_file_count + 20)
78
+ ```
79
+
80
+ The final values must never be lower than the original command values. If the recommendation exceeds configured caps, Quiver must not emit an inflated command; it must recommend reducing scope or enabling a more precise category.
81
+
82
+ ## Recovery Output Shape
83
+
84
+ `--json` and manifests may include:
85
+
86
+ ```json
87
+ {
88
+ "recovery": {
89
+ "schema_version": 1,
90
+ "available": true,
91
+ "reason": "evidence_not_selected",
92
+ "recommendation_type": "increase_budget",
93
+ "command": "npx --yes create-quiver@latest ai analyze-project --deep --max-files 120 --max-bytes 500000 --provider codex --model gpt-5.5",
94
+ "budget": {
95
+ "current_max_files": 80,
96
+ "current_max_bytes": 300000,
97
+ "recommended_max_files": 120,
98
+ "recommended_max_bytes": 500000
99
+ },
100
+ "evidence_summary": {
101
+ "safe_to_include": [],
102
+ "metadata_only": [],
103
+ "excluded": []
104
+ },
105
+ "warnings": []
106
+ }
107
+ }
108
+ ```
109
+
110
+ The recovery object must be optional and additive.
111
+
112
+ ## Slice Roadmap
113
+
114
+ | Slice | Title | Status | Dependencies | Parallel Guidance |
115
+ |---|---|---|---|---|
116
+ | slice-01-recovery-contract-security-classifier | Recovery Contract + Security Classifier | completed | none | sequential first |
117
+ | slice-02-budget-command-recommendation | Budget + Command Recommendation | completed | slice-01 | sequential after slice-01 |
118
+ | slice-03-cli-json-i18n-output | CLI + JSON + i18n Output | completed | slice-02 | sequential after slice-02 |
119
+ | slice-04-integration-fixtures-docs-release-smoke | Integration Fixtures + Docs + Release Smoke | completed | slice-03 | final; docs/tests can be parallel inside the slice |
120
+
121
+ ## Production Guardrails
122
+
123
+ - Provider output remains untrusted until schema and evidence validation pass.
124
+ - Recovery is diagnostic only and must not weaken validation.
125
+ - Recovery must not silently expand budget in the same run.
126
+ - Recovery must not expose secret values or read unsafe content.
127
+ - Failure remains a failure when final provider output is invalid.
128
+ - Manifests must be audit-friendly but redacted.
129
+
130
+ ## Validation Strategy
131
+
132
+ ```bash
133
+ node --test tests/lib/ai-analyze-project-recovery.test.js
134
+ node --test tests/lib/ai-analyze-project-validation.test.js
135
+ node --test tests/commands/ai-analyze-project-provider.test.js
136
+ node --test tests/lib/i18n-catalog.test.js
137
+ node bin/create-quiver.js spec validate specs/quiver-v57-evidence-budget-recovery-ux --strict
138
+ git diff --check
139
+ ```
@@ -0,0 +1,20 @@
1
+ # Status - Quiver v57 Evidence Budget Recovery UX
2
+
3
+ ## Current State
4
+
5
+ - Status: Completed
6
+ - Active slice: none
7
+ - Branch: `feature/QUIVER-57-01-recovery-contract-security-classifier`
8
+
9
+ ## Slice Status
10
+
11
+ | Slice | Status | Notes |
12
+ |---|---|---|
13
+ | slice-01-recovery-contract-security-classifier | completed | Defines recovery data contract, path safety, classification, and manifest-ready payload base. |
14
+ | slice-02-budget-command-recommendation | completed | Calculates safe budgets, caps, category flags, and one-line rerun commands from the slice-01 classification contract. |
15
+ | slice-03-cli-json-i18n-output | completed | Renders recovery guidance in CLI errors, validation manifests, and English/Spanish messages. |
16
+ | slice-04-integration-fixtures-docs-release-smoke | completed | Adds docs, JSON recovery coverage, troubleshooting guidance, and release evidence. |
17
+
18
+ ## Open Risks
19
+
20
+ - No critical open risks. Live provider behavior should still be smoke-tested before npm release because external providers can drift.
@@ -0,0 +1,124 @@
1
+ ## Title
2
+
3
+ Quiver v57 Evidence Budget Recovery UX
4
+
5
+ ## Summary
6
+
7
+ - Adds safe recovery guidance for `ai analyze-project` evidence validation failures.
8
+ - Classifies missing evidence before recommending budget changes.
9
+ - Calculates safe `--max-files` and `--max-bytes` rerun recommendations from classified evidence.
10
+ - Adds prominent English/Spanish recovery output, JSON recovery errors, validation manifest recovery payloads, docs, and tests.
11
+
12
+ ## PR Policy
13
+
14
+ - Type: feature.
15
+ - Base: `main`.
16
+ - Scope: Quiver v57 evidence-budget recovery UX.
17
+ - Policy note: this PR groups the full v57 recovery feature because the slices are sequentially dependent and were executed as one approved implementation batch. The PR remains revertable as one feature change.
18
+ - Merge: human merge required.
19
+
20
+ ## Scope
21
+
22
+ Included:
23
+
24
+ - Recovery classification for `evidence-not-selected` issues.
25
+ - Safe handling of `.env`, `.env.example`, dependency folders, generated output, binaries, missing files, and paths outside the repo.
26
+ - Budget recommendation and command builder.
27
+ - Human CLI error guidance in English and Spanish.
28
+ - `--json` error payload with optional `recovery`.
29
+ - Validation manifest recovery payload.
30
+ - Public docs and troubleshooting guidance.
31
+
32
+ Excluded:
33
+
34
+ - Auto-expanding context and retrying with a larger budget in the same run.
35
+ - Relaxing provider schema or evidence validation.
36
+ - Reading or sending unsafe files.
37
+ - Product-code changes in analyzed repositories.
38
+
39
+ ## Files
40
+
41
+ - `src/create-quiver/lib/ai/analyze-project-recovery.js`
42
+ - `src/create-quiver/commands/ai.js`
43
+ - `src/create-quiver/lib/ai/analyze-project-validation.js`
44
+ - `src/create-quiver/lib/i18n/messages/en.js`
45
+ - `src/create-quiver/lib/i18n/messages/es.js`
46
+ - `tests/lib/ai-analyze-project-recovery.test.js`
47
+ - `tests/commands/ai-analyze-project-provider.test.js`
48
+ - `docs/TROUBLESHOOTING.md`
49
+ - `docs/reference/commands.md`
50
+ - `docs/workflows/existing-project.md`
51
+ - `docs/workflows/existing-project-ai-quiver-setup.md`
52
+ - `specs/quiver-v57-evidence-budget-recovery-ux/**`
53
+
54
+ ## How to Test (DETAILED - REQUIRED)
55
+
56
+ ### Required Environment
57
+
58
+ - Node.js compatible with the repo.
59
+ - npm dependencies installed.
60
+ - GitHub CLI only needed for PR creation, not runtime tests.
61
+
62
+ ### Worktree Access
63
+
64
+ From the repository root:
65
+
66
+ ```bash
67
+ git status --short --branch
68
+ ```
69
+
70
+ Expected branch:
71
+
72
+ ```text
73
+ feature/QUIVER-57-01-recovery-contract-security-classifier
74
+ ```
75
+
76
+ ### Run the Project
77
+
78
+ No dev server is required. This is a CLI/runtime validation change.
79
+
80
+ ### Use Cases
81
+
82
+ 1. Provider cites a test file outside the selected sample.
83
+ - Quiver fails validation.
84
+ - Quiver shows a recommended command that includes `--include-tests`.
85
+ - No docs are written.
86
+
87
+ 2. Provider cites `.env.example`.
88
+ - Quiver treats it as metadata-only/redacted.
89
+ - Quiver does not recommend including its raw content.
90
+
91
+ 3. Provider cites unsafe files.
92
+ - Quiver classifies them as excluded.
93
+ - Quiver does not recommend increasing budget for them.
94
+
95
+ 4. `--json` is used on final evidence validation failure.
96
+ - Quiver prints a parseable JSON error payload with optional `recovery`.
97
+ - Exit behavior remains failure.
98
+
99
+ ### Technical Verification
100
+
101
+ ```bash
102
+ node --test tests/lib/ai-analyze-project-recovery.test.js tests/commands/ai-analyze-project-provider.test.js tests/lib/ai-analyze-project-validation.test.js tests/lib/i18n-catalog.test.js
103
+ npm run docs:check
104
+ node bin/create-quiver.js spec validate specs/quiver-v57-evidence-budget-recovery-ux --strict
105
+ git diff --check
106
+ ```
107
+
108
+ ## Evidence
109
+
110
+ - PASS `node --test tests/lib/ai-analyze-project-recovery.test.js tests/commands/ai-analyze-project-provider.test.js tests/lib/ai-analyze-project-validation.test.js tests/lib/i18n-catalog.test.js`
111
+ - PASS `npm run docs:check`
112
+ - PASS `node bin/create-quiver.js spec validate specs/quiver-v57-evidence-budget-recovery-ux --strict`
113
+ - PASS `git diff --check`
114
+
115
+ ## Rollback
116
+
117
+ Revert this PR. The feature is additive around failed `ai analyze-project` evidence validation. Existing validation remains strict, and runtime doc writes remain blocked when provider output is invalid.
118
+
119
+ ## Risks / Notes
120
+
121
+ - Live provider behavior can still drift; run a smoke with a real provider before npm release.
122
+ - The recovery command is diagnostic guidance only. It does not auto-expand context in the same run.
123
+ - The validation manifest gains an optional `recovery` field; existing consumers should remain compatible.
124
+
@@ -0,0 +1,22 @@
1
+ # CLOSURE_BRIEF - slice-01 Recovery Contract + Security Classifier
2
+
3
+ ## Summary
4
+
5
+ Implemented the recovery classification contract for final `evidence-not-selected` failures.
6
+
7
+ ## Delivered
8
+
9
+ - Added `src/create-quiver/lib/ai/analyze-project-recovery.js`.
10
+ - Added deterministic evidence path normalization and classification helpers.
11
+ - Classified safe, metadata-only, security-excluded, generated/dependency, missing, outside-scope, and unknown evidence.
12
+ - Reused existing safety/path policies for env files, unsafe segments, file URLs, absolute paths, and traversal paths.
13
+ - Added focused unit tests for safe, metadata-only, unsafe, missing, binary, generated, traversal, and issue aggregation cases.
14
+
15
+ ## Validation
16
+
17
+ - PASS `node --test tests/lib/ai-analyze-project-recovery.test.js`
18
+ - PASS `node bin/create-quiver.js spec validate specs/quiver-v57-evidence-budget-recovery-ux --strict`
19
+
20
+ ## Notes
21
+
22
+ - This slice does not calculate budgets, render CLI output, or alter provider validation. Those remain assigned to later slices.
@@ -0,0 +1,58 @@
1
+ # EXECUTION_BRIEF - slice-01 Recovery Contract + Security Classifier
2
+
3
+ ## Objective
4
+
5
+ Implement the recovery contract and secure evidence path classifier for final `evidence-not-selected` failures.
6
+
7
+ ## Context
8
+
9
+ `ai analyze-project` can fail when the provider cites paths outside the selected sample. This slice must not change CLI output or budget recommendation yet. It creates the safe classification layer that later slices will consume.
10
+
11
+ ## Scope
12
+
13
+ - Add recovery data contract helpers.
14
+ - Normalize and validate evidence paths as repo-relative paths.
15
+ - Classify missing evidence paths without reading unsafe content.
16
+ - Reuse or mirror existing analyze-project exclusion rules.
17
+ - Detect safe, metadata-only, security-excluded, generated/dependency, missing, outside-scope, and unknown paths.
18
+ - Produce deterministic, manifest-ready classification output.
19
+ - Add focused unit tests.
20
+
21
+ ## Acceptance Criteria
22
+
23
+ - Unsafe paths are never marked safe to include.
24
+ - `.env`, `.git`, `node_modules`, `.next`, caches, dumps, and binaries are classified as excluded.
25
+ - `.env.example` is classified as metadata-only/redacted, not content-safe.
26
+ - Missing paths are classified without throwing.
27
+ - Absolute paths, traversal paths, and paths outside the repo are rejected or classified as outside-scope.
28
+ - Classification output is deterministic.
29
+ - Unit tests cover safe, metadata-only, unsafe, missing, binary, generated, and traversal cases.
30
+
31
+ ## Expected Files
32
+
33
+ - `src/create-quiver/lib/ai/analyze-project-recovery.js`
34
+ - `tests/lib/ai-analyze-project-recovery.test.js`
35
+ - `specs/quiver-v57-evidence-budget-recovery-ux/**`
36
+
37
+ ## Validation
38
+
39
+ ```bash
40
+ node --test tests/lib/ai-analyze-project-recovery.test.js
41
+ node bin/create-quiver.js spec validate specs/quiver-v57-evidence-budget-recovery-ux --strict
42
+ git diff --check
43
+ ```
44
+
45
+ ## Completion Checklist
46
+
47
+ - Recovery module exists and exports classifier helpers.
48
+ - Unsafe paths are covered by tests.
49
+ - Metadata-only env templates are covered by tests.
50
+ - Missing, generated, dependency, binary, traversal, and budget-omitted paths are covered by tests.
51
+ - Slice closure brief records validation evidence.
52
+
53
+ ## Constraints
54
+
55
+ - Do not alter provider schema validation.
56
+ - Do not alter CLI rendering in this slice.
57
+ - Do not calculate final recommended budgets in this slice.
58
+ - Do not read unsafe files to classify them.
@@ -0,0 +1,12 @@
1
+ # PR - slice-01 Recovery Contract + Security Classifier
2
+
3
+ ## Summary
4
+
5
+ - Adds a recovery classification module for `ai analyze-project` evidence validation failures.
6
+ - Ensures unsafe paths are excluded before later slices calculate recovery budgets.
7
+ - Adds tests for metadata-only env templates, unsafe paths, binary files, missing files, and deterministic issue aggregation.
8
+
9
+ ## Validation
10
+
11
+ - PASS `node --test tests/lib/ai-analyze-project-recovery.test.js`
12
+ - PASS `node bin/create-quiver.js spec validate specs/quiver-v57-evidence-budget-recovery-ux --strict`
@@ -0,0 +1,60 @@
1
+ {
2
+ "slice_id": "slice-01-recovery-contract-security-classifier",
3
+ "ticket": "QUIVER-57-01",
4
+ "type": "feature",
5
+ "title": "Recovery Contract + Security Classifier",
6
+ "objective": "Implement safe evidence recovery classification for analyze-project evidence-not-selected failures.",
7
+ "description": "Defines the deterministic, security-first classifier used to decide whether evidence paths from provider validation failures are safe to recommend, metadata-only, missing, generated, or excluded.",
8
+ "git": {
9
+ "branch_type": "feature",
10
+ "base_branch": "main",
11
+ "branch_slug": "v57-recovery-contract-security-classifier",
12
+ "branch_name": "feature/QUIVER-57-01-recovery-contract-security-classifier"
13
+ },
14
+ "files": [
15
+ "src/create-quiver/lib/ai/analyze-project-recovery.js",
16
+ "tests/lib/ai-analyze-project-recovery.test.js",
17
+ "specs/quiver-v57-evidence-budget-recovery-ux/**"
18
+ ],
19
+ "allowed_write_paths": [
20
+ "src/create-quiver/lib/ai/analyze-project-recovery.js",
21
+ "tests/lib/ai-analyze-project-recovery.test.js",
22
+ "specs/quiver-v57-evidence-budget-recovery-ux/**"
23
+ ],
24
+ "depends_on": [],
25
+ "parallel_safe": "never",
26
+ "parallel_safe_reason": "This slice defines the security and classification contract consumed by every later slice.",
27
+ "must": [
28
+ "Normalize evidence paths as repo-relative paths.",
29
+ "Never read unsafe file contents for classification.",
30
+ "Classify safe, metadata-only, security-excluded, generated/dependency, missing, outside-scope, and unknown evidence.",
31
+ "Keep output deterministic and manifest-ready.",
32
+ "Add focused unit tests."
33
+ ],
34
+ "not_included": [
35
+ "Budget recommendation.",
36
+ "Recommended command builder.",
37
+ "CLI output changes.",
38
+ "JSON output integration.",
39
+ "i18n rendering."
40
+ ],
41
+ "acceptance": [
42
+ "Unsafe paths are never marked safe to include.",
43
+ ".env.example is metadata-only/redacted.",
44
+ "Missing and traversal paths do not throw.",
45
+ "Generated/dependency paths are excluded.",
46
+ "Binary files are excluded.",
47
+ "Classification output is deterministic."
48
+ ],
49
+ "tests": [
50
+ "node --test tests/lib/ai-analyze-project-recovery.test.js",
51
+ "node bin/create-quiver.js spec validate specs/quiver-v57-evidence-budget-recovery-ux --strict",
52
+ "git diff --check"
53
+ ],
54
+ "estimated_hours": 4,
55
+ "actual_hours": 4,
56
+ "status": "completed",
57
+ "blocked_reason": null,
58
+ "started_at": "2026-06-18T00:00:00.000Z",
59
+ "completed_at": "2026-06-18T00:00:00.000Z"
60
+ }
@@ -0,0 +1,9 @@
1
+ # CLOSURE_BRIEF - slice-02 Budget + Command Recommendation
2
+
3
+ ## Summary
4
+
5
+ Implemented budget and rerun command recommendation from the recovery classification contract.
6
+
7
+ ## Validation
8
+
9
+ - PASS `node --test tests/lib/ai-analyze-project-recovery.test.js`