docguard-cli 0.11.2 → 0.13.0

package/cli/commands/upgrade.mjs

@@ -0,0 +1,250 @@
+/**
+ * `docguard upgrade` — check whether the installed CLI and the project's
+ * .docguard.json schema are current, and (with --apply) migrate them.
+ *
+ * Why this exists:
+ *   Users were running stale CLI versions against new project setups, getting
+ *   confusing "validator missing" or "field unknown" warnings. A one-shot
+ *   `docguard upgrade` lets them see the gap and fix it in seconds.
+ *
+ * Three modes:
+ *   docguard upgrade                — report current vs latest, exit 0
+ *   docguard upgrade --check-only   — same report, exit 1 if behind (for CI)
+ *   docguard upgrade --apply        — actually run `npm i -g docguard-cli@latest`
+ *                                     and migrate .docguard.json if needed
+ *
+ * Network access (npm registry fetch) is OPTIONAL — if offline, we fall back
+ * to "could not check remote version" without erroring.
+ */
+import { readFileSync, writeFileSync, existsSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { spawnSync } from 'node:child_process';
+
+import { c, CURRENT_SCHEMA_VERSION, compareVersions } from '../shared.mjs';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const PKG = JSON.parse(readFileSync(resolve(__dirname, '..', '..', 'package.json'), 'utf-8'));
+const INSTALLED_VERSION = PKG.version;
+
+/**
+ * Fetch the latest published version from the npm registry. Uses node's
+ * built-in fetch (Node 18+). Returns null on timeout/error/offline.
+ *
+ * 3-second timeout — we never want this command to feel slow.
+ */
+async function fetchLatestNpmVersion() {
+  const controller = new AbortController();
+  const t = setTimeout(() => controller.abort(), 3000);
+  try {
+    const r = await fetch('https://registry.npmjs.org/docguard-cli/latest', {
+      signal: controller.signal,
+      headers: { Accept: 'application/json' },
+    });
+    if (!r.ok) return null;
+    const data = await r.json();
+    return data && data.version ? data.version : null;
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+/**
+ * Read the project's stored schema version from .docguard.json. Returns:
+ *   - null    : file missing OR unparseable (caller shows "init recommended")
+ *   - '0.0'   : file exists but no `version` field (pre-0.4 schemas — these
+ *               predate the version field and need migration)
+ *   - 'x.y'   : the stored version string
+ */
+function readProjectSchemaVersion(projectDir) {
+  const p = resolve(projectDir, '.docguard.json');
+  if (!existsSync(p)) return null;
+  try {
+    const cfg = JSON.parse(readFileSync(p, 'utf-8'));
+    // Pre-0.4 schemas (e.g. wu-whatsappinbox's original config from 2024)
+    // have no `version` field. Treat as 0.0 so the migration runs end-to-end.
+    return cfg.version || '0.0';
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Idempotent migration: walk the project config and add any fields introduced
+ * since the stored schema version. Returns { changed, newConfig }.
+ *
+ * Each migration is keyed by the version it migrates TO. Adding a new schema
+ * version means adding one entry here.
+ */
+function migrateSchema(cfg, fromVersion) {
+  const migrations = {
+    // v0.4 — pre-0.4 schemas (no `version` field, often `project` instead
+    // of `projectName`) normalize here. Rename `project` → `projectName`
+    // when only the old field is present, stamp the version, no other change.
+    '0.4': (c) => {
+      const out = { ...c, version: '0.4' };
+      if (!out.projectName && out.project) {
+        out.projectName = out.project;
+        delete out.project;
+      }
+      return out;
+    },
+    // v0.5 — K-4 per-validator severity overrides. Migration is purely
+    // additive: existing projects get an empty severity map and default
+    // (medium) behavior. No behavioral change unless they explicitly opt in.
+    '0.5': (c) => ({ ...c, severity: c.severity || {}, version: '0.5' }),
+  };
+  let current = { ...cfg };
+  let changed = false;
+  const target = CURRENT_SCHEMA_VERSION;
+  // No migrations yet — current schema matches the constant.
+  if (compareVersions(fromVersion, target) >= 0) return { changed: false, newConfig: current };
+  for (const [ver, fn] of Object.entries(migrations)) {
+    if (compareVersions(fromVersion, ver) < 0 && compareVersions(ver, target) <= 0) {
+      current = fn(current);
+      changed = true;
+    }
+  }
+  if (changed) current.version = target;
+  return { changed, newConfig: current };
+}
+
+/**
+ * Apply a CLI upgrade by running `npm install -g docguard-cli@latest`. We
+ * shell out instead of importing npm — npm is not a runtime dependency and
+ * we want zero-deps. Returns the spawn result.
+ */
+function applyCliUpgrade() {
+  const r = spawnSync('npm', ['install', '-g', 'docguard-cli@latest'], {
+    stdio: 'inherit',
+    shell: process.platform === 'win32',
+  });
+  return r;
+}
+
+export async function runUpgrade(projectDir, _config, flags) {
+  const checkOnly = flags.checkOnly || flags['check-only'];
+  const apply = flags.apply;
+
+  console.log(`${c.bold}🔧 DocGuard Upgrade${c.reset}`);
+  console.log(`${c.dim}   Checking CLI and schema versions...${c.reset}\n`);
+
+  // CLI version check
+  const latest = await fetchLatestNpmVersion();
+  const cliCmp = latest ? compareVersions(INSTALLED_VERSION, latest) : 0;
+  const cliBehind = cliCmp < 0;
+
+  // Schema version check
+  const projectSchema = readProjectSchemaVersion(projectDir);
+  const schemaCmp = projectSchema ? compareVersions(projectSchema, CURRENT_SCHEMA_VERSION) : 0;
+  const schemaBehind = projectSchema !== null && schemaCmp < 0;
+
+  // ── Report ──────────────────────────────────────────────────────────────
+  console.log(`  ${c.cyan}CLI${c.reset}    installed: ${c.bold}v${INSTALLED_VERSION}${c.reset}`);
+  if (latest) {
+    if (cliBehind) {
+      console.log(`         latest:    ${c.yellow}v${latest}${c.reset} ${c.yellow}(behind)${c.reset}`);
+    } else if (cliCmp > 0) {
+      console.log(`         latest:    v${latest} ${c.dim}(you're ahead — dev build)${c.reset}`);
+    } else {
+      console.log(`         latest:    ${c.green}v${latest}${c.reset} ${c.green}(current)${c.reset}`);
+    }
+  } else {
+    console.log(`         latest:    ${c.dim}could not check (offline?)${c.reset}`);
+  }
+
+  console.log();
+  // Two distinct null cases vs. '0.0' (pre-0.4):
+  //   null    → no .docguard.json at all → run init
+  //   '0.0'   → file exists but missing the `version` field → migration eligible
+  //   other   → real version string
+  const labelForProject = projectSchema === null
+    ? `${c.dim}(no .docguard.json found)${c.reset}`
+    : projectSchema === '0.0'
+      ? `${c.yellow}pre-0.4 (no version field)${c.reset}`
+      : `${c.bold}v${projectSchema}${c.reset}`;
+  console.log(`  ${c.cyan}Schema${c.reset} project:   ${labelForProject}`);
+  if (projectSchema) {
+    if (schemaBehind) {
+      console.log(`         current:   ${c.yellow}v${CURRENT_SCHEMA_VERSION}${c.reset} ${c.yellow}(behind)${c.reset}`);
+    } else if (schemaCmp > 0) {
+      console.log(`         current:   v${CURRENT_SCHEMA_VERSION} ${c.dim}(project is ahead — newer CLI needed)${c.reset}`);
+    } else {
+      console.log(`         current:   ${c.green}v${CURRENT_SCHEMA_VERSION}${c.reset} ${c.green}(current)${c.reset}`);
+    }
+  } else {
+    console.log(`         current:   v${CURRENT_SCHEMA_VERSION} ${c.dim}— run ${c.cyan}docguard init${c.dim} to create one${c.reset}`);
+  }
+
+  console.log();
+
+  // ── Decide what to do ───────────────────────────────────────────────────
+  const anythingBehind = cliBehind || schemaBehind;
+  if (!anythingBehind) {
+    console.log(`  ${c.green}✅ Everything is up to date.${c.reset}`);
+    return;
+  }
+
+  // What needs doing
+  console.log(`${c.bold}  Recommended actions:${c.reset}`);
+  if (cliBehind) {
+    console.log(`    ${c.yellow}•${c.reset} Upgrade CLI:    ${c.cyan}npm install -g docguard-cli@latest${c.reset}`);
+  }
+  if (schemaBehind) {
+    console.log(`    ${c.yellow}•${c.reset} Migrate schema: ${c.cyan}docguard upgrade --apply${c.reset} ${c.dim}(or hand-edit .docguard.json)${c.reset}`);
+  }
+  console.log();
+
+  // ── --check-only: exit 1 to fail CI ─────────────────────────────────────
+  if (checkOnly) {
+    console.log(`${c.red}Exit 1 — versions behind (--check-only mode).${c.reset}`);
+    process.exit(1);
+  }
+
+  // ── --apply: actually run the migration ─────────────────────────────────
+  if (apply) {
+    console.log(`${c.bold}  Applying upgrades...${c.reset}\n`);
+
+    if (cliBehind) {
+      console.log(`  ${c.dim}Running:${c.reset} npm install -g docguard-cli@latest`);
+      const r = applyCliUpgrade();
+      if (r.status !== 0) {
+        console.error(`  ${c.red}✗ CLI upgrade failed.${c.reset} Try with sudo, or check npm permissions.`);
+        process.exit(1);
+      }
+      console.log(`  ${c.green}✓ CLI upgraded.${c.reset}`);
+    }
+
+    if (schemaBehind && projectSchema) {
+      const cfgPath = resolve(projectDir, '.docguard.json');
+      const cfg = JSON.parse(readFileSync(cfgPath, 'utf-8'));
+      const { changed, newConfig } = migrateSchema(cfg, projectSchema);
+      if (changed) {
+        writeFileSync(cfgPath, JSON.stringify(newConfig, null, 2) + '\n', 'utf-8');
+        console.log(`  ${c.green}✓ Schema migrated ${projectSchema} → ${newConfig.version}.${c.reset}`);
+      } else {
+        console.log(`  ${c.dim}Schema migration was a no-op (no recipe registered yet for ${projectSchema} → ${CURRENT_SCHEMA_VERSION}).${c.reset}`);
+      }
+    }
+
+    console.log(`\n  ${c.green}✅ Upgrade complete.${c.reset} Run ${c.cyan}docguard guard${c.reset} to verify.`);
+  }
+}
+
+/**
+ * Lightweight check for the post-guard nudge — returns a string when the
+ * project is behind, null when it's current. Cheap to call; never throws.
+ */
+export function checkUpgradeStatus(projectDir) {
+  const schema = readProjectSchemaVersion(projectDir);
+  if (!schema) return null;
+  if (compareVersions(schema, CURRENT_SCHEMA_VERSION) < 0) {
+    // '0.0' is the internal sentinel for pre-0.4 schemas (no `version` field).
+    // Surface that as a friendlier label so users don't see "Schema 0.0".
+    const label = schema === '0.0' ? 'pre-0.4 (no version field)' : `v${schema}`;
+    return `Schema ${label} is behind current v${CURRENT_SCHEMA_VERSION}. Run \`docguard upgrade --apply\` to migrate.`;
+  }
+  return null;
+}

package/cli/docguard.mjs

@@ -40,10 +40,12 @@ import { runPublish } from './commands/publish.mjs';
 import { runTrace } from './commands/trace.mjs';
 import { runLlms } from './commands/llms.mjs';
 import { runSetup } from './commands/setup.mjs';
+import { runUpgrade } from './commands/upgrade.mjs';
 import { ensureSkills } from './ensure-skills.mjs';
 
 // ── Shared constants (imported to break circular dependencies) ──────────
 import { c, PROFILES } from './shared.mjs';
+import { mergeIgnoreFile } from './shared-ignore.mjs';
 export { c, PROFILES };
 
 // ── Config Loading ─────────────────────────────────────────────────────────
@@ -138,6 +140,9 @@ export function loadConfig(projectDir) {
           merged.testPatterns.push(merged.testPattern);
         }
       }
+      // Merge .docguardignore patterns into config.ignore so every validator
+      // honors them without having to know about the file.
+      mergeIgnoreFile(projectDir, merged);
       return merged;
     } catch (e) {
       console.error(`${c.red}Error parsing .docguard.json: ${e.message}${c.reset}`);
@@ -148,6 +153,9 @@ export function loadConfig(projectDir) {
   // No config file — auto-detect everything
   defaults.projectType = autoDetectProjectType(projectDir);
   defaults.projectTypeConfig = getProjectTypeDefaults(defaults.projectType);
+  // .docguardignore is read even when no .docguard.json exists — keeps
+  // ignore-only projects (no config but want to skip paths) working.
+  mergeIgnoreFile(projectDir, defaults);
   return defaults;
 }
 
@@ -367,6 +375,21 @@ async function main() {
       i++;
     } else if (args[i] === '--show-failing') {
       flags.showFailing = true;
+    } else if (args[i] === '--check-only') {
+      flags.checkOnly = true;
+    } else if (args[i] === '--apply') {
+      flags.apply = true;
+    } else if (args[i] === '--changed-only') {
+      flags.changedOnly = true;
+    } else if (args[i] === '--reverse') {
+      flags.reverse = true;
+    } else if (args[i] === '--history') {
+      flags.history = true;
+    } else if (!args[i].startsWith('--') && i > 0) {
+      // Positional args go into flags.args for commands that take them (e.g.
+      // `docguard trace --reverse <path>`). Skip the command itself (i === 0).
+      flags.args = flags.args || [];
+      flags.args.push(args[i]);
     } else if (args[i] === '--doc' && args[i + 1]) {
       flags.doc = args[i + 1];
       i++;
@@ -405,12 +428,21 @@ async function main() {
     process.exit(0);
   }
 
-  printBanner();
+  // In JSON mode the entire stdout MUST be parseable JSON. The banner and
+  // ensureSkills' install message would corrupt the output for any
+  // programmatic consumer (CI, dashboards, the Score-on-PR Action recipe).
+  // Headless flags (`--write`, `--check-only`, `--auto`) also suppress chrome.
+  const jsonMode = flags.format === 'json';
+  const headless = jsonMode || flags.write || flags.checkOnly || flags.changedOnly;
+
+  if (!jsonMode) printBanner();
 
   const config = loadConfig(projectDir);
 
-  // Silent auto-check: install skills/commands if missing
-  if (command !== 'setup' && command !== 'init') {
+  // Silent auto-check: install skills/commands if missing. Skip entirely in
+  // headless modes where the user wants deterministic, parseable output and
+  // doesn't expect side effects on their AI-agent skill directories.
+  if (command !== 'setup' && command !== 'init' && !headless) {
     ensureSkills(projectDir, flags);
   }
 
@@ -478,6 +510,10 @@ async function main() {
     case 'llms':
       runLlms(projectDir, config, flags);
       break;
+    case 'upgrade':
+    case 'update':
+      await runUpgrade(projectDir, config, flags);
+      break;
     default:
       console.error(`${c.red}Unknown command: ${command}${c.reset}`);
       console.log(`Run ${c.cyan}docguard --help${c.reset} for usage.`);

package/cli/shared-ignore.mjs

@@ -40,6 +40,56 @@ export const DEFAULT_IGNORE_DIRS = new Set([
 const ALWAYS_REJECT_PATH_RE =
   /(?:^|[/\\])(?:node_modules|\.claude[/\\]worktrees|\.git[/\\]worktrees|\.jj)(?:[/\\]|$)/;
 
+/**
+ * Read `.docguardignore` from a project directory and return its patterns.
+ *
+ * Format: gitignore-style — one pattern per line, `#` for comments, blank lines
+ * ignored. Returned patterns are normalized but not transformed (callers
+ * decide whether to expand directory globs).
+ *
+ * Returns [] if the file is missing or unreadable — never throws.
+ */
+import { readFileSync, existsSync } from 'node:fs';
+import { resolve as resolvePath } from 'node:path';
+
+export function loadDocguardIgnore(projectDir) {
+  const p = resolvePath(projectDir, '.docguardignore');
+  if (!existsSync(p)) return [];
+  try {
+    const raw = readFileSync(p, 'utf-8');
+    return raw
+      .split(/\r?\n/)
+      .map(line => line.trim())
+      .filter(line => line && !line.startsWith('#'));
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Merge `.docguardignore` patterns into a config object's `ignore` array.
+ *
+ * Used at config-load time so every validator sees the combined set without
+ * having to know about the file. Mutates and returns the config for ergonomics.
+ *
+ * Idempotent — calling twice produces the same result. Skips duplicates.
+ */
+export function mergeIgnoreFile(projectDir, config) {
+  const filePatterns = loadDocguardIgnore(projectDir);
+  if (filePatterns.length === 0) return config;
+  const existing = Array.isArray(config.ignore) ? config.ignore : [];
+  const seen = new Set(existing);
+  const merged = [...existing];
+  for (const p of filePatterns) {
+    if (!seen.has(p)) {
+      merged.push(p);
+      seen.add(p);
+    }
+  }
+  config.ignore = merged;
+  return config;
+}
+
 /**
  * Convert a glob pattern to a RegExp.
  * Supports: * (any chars except /), ** (any path segments), . (literal dot).

package/cli/shared.mjs

@@ -4,6 +4,68 @@
  * All commands import from here instead of docguard.mjs.
  */
 
+/**
+ * Current .docguard.json schema version that this CLI version writes via
+ * `docguard init`. Bump this when adding fields that need migration (e.g.
+ * v0.12 adds `severity` overrides per validator).
+ *
+ * The post-guard nudge fires when an existing project's stored
+ * `.docguard.json.version` is BEHIND this constant — pointing users at
+ * `docguard upgrade` to migrate.
+ */
+export const CURRENT_SCHEMA_VERSION = '0.5';
+
+/**
+ * Allowed severity values for per-validator `severity` overrides in
+ * `.docguard.json`. Affects EXIT-CODE behavior of `docguard guard`:
+ *   - 'high':   warnings from this validator fail CI (exit 1)
+ *   - 'medium': default — warnings exit 2 (informational)
+ *   - 'low':    warnings ignored for exit code (exit 0)
+ *
+ * Display (the per-validator status lines and the summary) is unchanged
+ * regardless of severity — severity is a CI/operational knob, not a UI one.
+ */
+export const SEVERITY_LEVELS = new Set(['high', 'medium', 'low']);
+
+/**
+ * Resolve a validator's effective severity from config.
+ * Returns 'medium' (default) if no override is set or the override is bogus.
+ */
+export function resolveSeverity(config, validatorKey) {
+  const s = config && config.severity && config.severity[validatorKey];
+  if (typeof s === 'string' && SEVERITY_LEVELS.has(s.toLowerCase())) {
+    return s.toLowerCase();
+  }
+  return 'medium';
+}
+
+/**
+ * Parse a dotted-decimal version string into a tuple of integers for
+ * comparison. Tolerates extra suffixes (e.g. `0.4-beta` → [0, 4]).
+ * Returns null when the string is unparseable.
+ */
+export function parseVersion(v) {
+  if (!v || typeof v !== 'string') return null;
+  const m = v.match(/^(\d+)(?:\.(\d+))?(?:\.(\d+))?/);
+  if (!m) return null;
+  return [Number(m[1] || 0), Number(m[2] || 0), Number(m[3] || 0)];
+}
+
+/**
+ * Compare two version strings. Returns -1 if a<b, 0 if equal, 1 if a>b.
+ * Unparseable inputs sort as equal (no nag).
+ */
+export function compareVersions(a, b) {
+  const pa = parseVersion(a);
+  const pb = parseVersion(b);
+  if (!pa || !pb) return 0;
+  for (let i = 0; i < 3; i++) {
+    if (pa[i] < pb[i]) return -1;
+    if (pa[i] > pb[i]) return 1;
+  }
+  return 0;
+}
+
 // ── Colors (ANSI escape codes, zero deps) ──────────────────────────────────
 export const c = {
   reset: '\x1b[0m',