critical-gate 2.2.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +61 -1
  2. package/package.json +18 -2
package/README.md CHANGED
@@ -36,6 +36,27 @@ Current detectors focus on TypeScript and JavaScript repositories:
36
36
  Every finding includes severity, confidence, evidence, tags, and a repair hint that another agent or
37
37
  developer can act on.
38
38
 
39
+ ## Supported Scope
40
+
41
+ Current support is strongest for TypeScript and JavaScript repositories with Git history and
42
+ package-manager metadata available. The best-covered ecosystems are Node-based projects using
43
+ common TS/JS source, test, package manifest, lockfile, config, and CI patterns.
44
+
45
+ Experimental support includes framework-aware heuristics for patterns seen in dogfooding, such as
46
+ Astro-style content contracts and repository-specific history or utility reuse signals. These checks
47
+ start conservatively and should stay in observation mode until a repository has enough clean runs.
48
+
49
+ Out of scope for the current release stage:
50
+
51
+ - Deep semantic analysis for non-TS/JS languages.
52
+ - Whole-repository LLM scanning.
53
+ - Broad vulnerability scanning beyond lightweight diff-only secret and path checks.
54
+ - Treating current internal dogfood metrics as a broad external benchmark.
55
+
56
+ Critical Gate is useful today as a pre-review integrity gate for agent-produced TS/JS diffs, but it
57
+ is still pre-stable. Roll it out progressively before making it a hard organization-wide merge
58
+ requirement.
59
+
39
60
  ## Concrete Examples
40
61
 
41
62
  Critical Gate is most useful when an AI-generated diff looks plausible at a glance but breaks the
@@ -196,12 +217,37 @@ Critical Gate has one analysis core and multiple surfaces:
196
217
  - **Codex hook**: repair-oriented stop hook for agent workflows.
197
218
  - **VS Code extension**: Activity Bar dashboard, status bar state, Problems diagnostics, full report
198
219
  output, evidence navigation, and repair-copy actions.
220
+ - **Agent onboarding**: `critical-gate init-agent` and the VS Code initialization command add a
221
+ managed Critical Gate section to `AGENTS.md` while preserving existing repository instructions.
199
222
 
200
223
  The CLI remains the source of truth. The editor and CI surfaces consume CLI output rather than
201
224
  reimplementing detector logic.
202
225
 
226
+ ## Recommended Team Rollout
227
+
228
+ Start with report-only local runs and default thresholds. Treat medium, low, info, and
229
+ observation-mode findings as calibration data until the repository has enough clean runs.
230
+
231
+ Recommended sequence:
232
+
233
+ 1. Run the CLI locally on AI-generated diffs with specific task text.
234
+ 2. Add the VS Code extension for developer feedback where useful.
235
+ 3. Add GitHub Action SARIF upload with default blocking behavior for eligible blocker and high
236
+ findings.
237
+ 4. Review noisy findings and tune task text, repository docs, or `.critical-gate.json` policy.
238
+ 5. Add Codex hook enforcement only where compact repair loops are useful.
239
+ 6. Promote observation-friendly detector families only after dogfooding shows acceptable precision.
240
+
241
+ See [docs/usage-guide.md](docs/usage-guide.md) for local rollout advice and
242
+ [docs/github-integration.md](docs/github-integration.md) for CI thresholds.
243
+
203
244
  ## Quick Start From Source
204
245
 
246
+ Critical Gate's current CLI distribution path is source-based: clone, install, build, and run
247
+ `node dist/cli.js`. Package-registry publishing and prebuilt action releases are intentionally held
248
+ until repository metadata, external dogfooding, and release artifacts are stable enough for broader
249
+ public use.
250
+
205
251
  Requirements:
206
252
 
207
253
  - Node.js 22.13 or newer.
@@ -354,6 +400,13 @@ the VS Code surface. Configure `criticalGate.cliPath` only when testing a custom
354
400
  For a fuller walkthrough with examples, rollout advice, report interpretation, and troubleshooting,
355
401
  read [docs/usage-guide.md](docs/usage-guide.md).
356
402
 
403
+ ## Quality Evidence
404
+
405
+ The CI workflow publishes coverage and deterministic evaluation reports as GitHub Actions artifacts:
406
+ `critical-gate-coverage` and `critical-gate-evaluation`. See
407
+ [docs/evaluation-strategy.md](docs/evaluation-strategy.md) for artifact paths, thresholds, and the
408
+ current limits of the internal evaluation corpus.
409
+
357
410
  ## Development
358
411
 
359
412
  Useful commands:
@@ -382,10 +435,14 @@ Branch and commit conventions for this repository:
382
435
  - [docs/project-brief.md](docs/project-brief.md): product thesis, users, positioning, and scope.
383
436
  - [docs/architecture.md](docs/architecture.md): core architecture and data flow.
384
437
  - [docs/detectors.md](docs/detectors.md): detector catalog, severities, evidence, and implementation notes.
438
+ - [docs/detector-quality.md](docs/detector-quality.md): detector quality boundaries, blind spots,
439
+ and coverage expectations.
385
440
  - [docs/usage-guide.md](docs/usage-guide.md): practical usage examples and troubleshooting.
386
441
  - [docs/installation.md](docs/installation.md): CLI, GitHub Action, Codex hook, and VSIX installation.
387
442
  - [docs/editor-surface.md](docs/editor-surface.md): VS Code dashboard and diagnostics behavior.
388
443
  - [docs/github-integration.md](docs/github-integration.md): GitHub Action, SARIF, and threshold guidance.
444
+ - [docs/policy-file.md](docs/policy-file.md): `.critical-gate.json` policy-as-code reference and
445
+ validated examples.
389
446
  - [docs/codex-integration.md](docs/codex-integration.md): Codex hook and repair-loop guidance.
390
447
  - [docs/dogfood-evidence-plan.md](docs/dogfood-evidence-plan.md): real-repository dogfood automation,
391
448
  repair-loop metrics, and screenshot proof plan.
@@ -393,12 +450,15 @@ Branch and commit conventions for this repository:
393
450
  evidence, misses, fixes, and current evaluation baseline.
394
451
  - [docs/versioning-policy.md](docs/versioning-policy.md): release and versioning policy.
395
452
  - [docs/improvements-task-plan.md](docs/improvements-task-plan.md): trust and calibration roadmap.
453
+ - [docs/tasks/pragmatic-improvement-backlog.md](docs/tasks/pragmatic-improvement-backlog.md):
454
+ realistic next improvements for trust, evaluation, policy, and rollout.
455
+ - [SECURITY.md](SECURITY.md): supported security policy and private vulnerability reporting path.
396
456
  - [CHANGELOG.md](CHANGELOG.md): project-level release notes.
397
457
 
398
458
  ## Project Status
399
459
 
400
460
  The repository contains the TypeScript CLI implementation, deterministic detectors, Codex hook
401
- integration, GitHub Action integration, optional LLM explanation boundaries, npm package
461
+ integration, GitHub Action integration, optional LLM explanation boundaries, source-based CLI
402
462
  distribution, and a VS Code Marketplace extension surface.
403
463
 
404
464
  ## License
package/package.json CHANGED
@@ -1,8 +1,16 @@
1
1
  {
2
2
  "name": "critical-gate",
3
- "version": "2.2.0",
3
+ "version": "2.3.0",
4
4
  "description": "Repository-aware diff integrity gate for AI-generated code changes.",
5
5
  "type": "module",
6
+ "repository": {
7
+ "type": "git",
8
+ "url": "https://github.com/criticaldeveloper/critical-gate.git"
9
+ },
10
+ "homepage": "https://github.com/criticaldeveloper/critical-gate#readme",
11
+ "bugs": {
12
+ "url": "https://github.com/criticaldeveloper/critical-gate/issues"
13
+ },
6
14
  "bin": {
7
15
  "critical-gate": "./dist/cli.js"
8
16
  },
@@ -11,10 +19,14 @@
11
19
  ],
12
20
  "keywords": [
13
21
  "ai",
22
+ "ai-agents",
14
23
  "codex",
15
24
  "diff",
25
+ "diff-integrity",
16
26
  "quality-gate",
17
- "code-review"
27
+ "code-review",
28
+ "sarif",
29
+ "static-analysis"
18
30
  ],
19
31
  "license": "MIT",
20
32
  "engines": {
@@ -24,6 +36,7 @@
24
36
  "@eslint/js": "^9.29.0",
25
37
  "@types/node": "^24.0.3",
26
38
  "@types/vscode": "^1.120.0",
39
+ "@vitest/coverage-v8": "4.1.9",
27
40
  "@vscode/test-electron": "^3.0.0",
28
41
  "@vscode/vsce": "^3.9.2",
29
42
  "ajv": "^8.20.0",
@@ -35,6 +48,8 @@
35
48
  },
36
49
  "scripts": {
37
50
  "build": "tsc -p tsconfig.build.json",
51
+ "package:action": "pnpm build && node scripts/prepare-action-package.mjs",
52
+ "smoke:action": "node scripts/smoke-action-package.mjs",
38
53
  "build:vscode": "tsc -p extensions/vscode/tsconfig.json",
39
54
  "build:vscode-tests": "tsc -p extensions/vscode/tsconfig.test.json",
40
55
  "package:vscode": "node scripts/prepare-vscode-package.mjs && pnpm build && pnpm build:vscode && node scripts/bundle-vscode-analyzer.mjs && pnpm --dir extensions/vscode exec vsce package --no-dependencies --out ../../artifacts/vscode/critical-gate-vscode.vsix",
@@ -45,6 +60,7 @@
45
60
  "format": "prettier --check .",
46
61
  "format:write": "prettier --write .",
47
62
  "test": "vitest run",
63
+ "coverage": "vitest run --coverage",
48
64
  "evaluate": "pnpm build && node scripts/evaluate-fixtures.mjs",
49
65
  "dogfood:plan": "node scripts/dogfood-runner.mjs plan",
50
66
  "dogfood:render": "node scripts/render-dogfood-report.mjs",