komplian 0.3.7 → 0.3.8

package/README.md

@@ -7,7 +7,7 @@
 3. `npx komplian onboard --yes`
 
 No OAuth App registration — `gh` uses GitHub’s built-in flow. **Default workspace:** current working directory (`process.cwd()`), not `~/komplian`. Pass a path as last argument to clone elsewhere.  
-**npm install** runs with `--no-audit --no-fund` unless `KOMPLIAN_NPM_AUDIT=1`. Run `npm audit` in each repo when you work on it.
+**Dependencies:** repos with `package-lock.json` use **`npm ci`** (does not modify the lockfile, so no spurious git changes). Repos without a lockfile use **`npm install --no-package-lock`** so onboarding does not create a new `package-lock.json`. Yarn / pnpm repos use frozen lock installs when `yarn` / `pnpm` is on PATH. Unless `KOMPLIAN_NPM_AUDIT=1`, npm runs with `--no-audit --no-fund`.
 
 **Maintainers:** publish from **`scripts/`** (folder with `package.json`), not the monorepo root:
 

package/komplian-onboard.mjs

@@ -304,29 +304,91 @@ function copyCursorPack(workspace, cursorRepoUrl) {
   );
 }
 
-function npmInstallEach(workspace) {
-  log("");
-  log(`${c.cyan}━━ npm install por repo ━━${c.reset}`);
-  if (!canRun("npm", ["--version"])) {
-    log(`${c.yellow}○${c.reset} npm no está en PATH — omito installs`);
-    return;
-  }
+/** Sin esto, `npm install` crea o retoca package-lock.json y git muestra cambios sin querer. */
+function npmQuietFlags() {
   const audit =
     process.env.KOMPLIAN_NPM_AUDIT === "1" || process.env.KOMPLIAN_NPM_AUDIT === "true";
-  const installArgs = audit
-    ? ["install"]
-    : ["install", "--no-audit", "--no-fund"];
+  return audit ? [] : ["--no-audit", "--no-fund"];
+}
+
+function npmInstallOneRepo(dir, name) {
+  const pkg = join(dir, "package.json");
+  if (!existsSync(pkg)) return { ok: true, skipped: true };
+
+  const yarnLock = join(dir, "yarn.lock");
+  const pnpmLock = join(dir, "pnpm-lock.yaml");
+  const npmLock = join(dir, "package-lock.json");
+
+  if (existsSync(yarnLock)) {
+    if (!canRun("yarn", ["--version"])) {
+      log(
+        `${c.yellow}○${c.reset} ${name} ${c.dim}(yarn.lock; instala yarn o ejecuta yarn install a mano)${c.reset}`
+      );
+      return { ok: true, skipped: true };
+    }
+    log(`${c.dim}→${c.reset} ${name} ${c.dim}(yarn)${c.reset}`);
+    const r = spawnSync(
+      "yarn",
+      ["install", "--frozen-lockfile"],
+      spawnWin({ cwd: dir, stdio: "inherit" })
+    );
+    return { ok: r.status === 0, skipped: false };
+  }
+
+  if (existsSync(pnpmLock)) {
+    if (!canRun("pnpm", ["--version"])) {
+      log(
+        `${c.yellow}○${c.reset} ${name} ${c.dim}(pnpm-lock; instala pnpm o pnpm install a mano)${c.reset}`
+      );
+      return { ok: true, skipped: true };
+    }
+    log(`${c.dim}→${c.reset} ${name} ${c.dim}(pnpm)${c.reset}`);
+    const r = spawnSync(
+      "pnpm",
+      ["install", "--frozen-lockfile"],
+      spawnWin({ cwd: dir, stdio: "inherit" })
+    );
+    return { ok: r.status === 0, skipped: false };
+  }
+
+  if (!canRun("npm", ["--version"])) {
+    log(`${c.yellow}○${c.reset} npm no está en PATH — omito ${name}`);
+    return { ok: true, skipped: true };
+  }
+
+  const quiet = npmQuietFlags();
+
+  if (existsSync(npmLock)) {
+    log(`${c.dim}→${c.reset} ${name} ${c.dim}(npm ci — lock sin cambios)${c.reset}`);
+    const r = spawnSync("npm", ["ci", ...quiet], spawnWin({ cwd: dir, stdio: "inherit" }));
+    if (r.status === 0) return { ok: true, skipped: false };
+    log(
+      `${c.yellow}○${c.reset} ${name}: npm ci falló (¿lock desincronizado?). ${c.dim}Revisa con npm install en ese repo.${c.reset}`
+    );
+    return { ok: false, skipped: false };
+  }
+
+  log(`${c.dim}→${c.reset} ${name} ${c.dim}(npm install — sin crear package-lock)${c.reset}`);
+  const r = spawnSync(
+    "npm",
+    ["install", ...quiet, "--no-package-lock"],
+    spawnWin({ cwd: dir, stdio: "inherit" })
+  );
+  return { ok: r.status === 0, skipped: false };
+}
+
+function npmInstallEach(workspace) {
+  log("");
+  log(`${c.cyan}━━ Dependencias por repo ━━${c.reset}`);
   for (const ent of readdirSync(workspace)) {
     const d = join(workspace, ent);
     if (!statSync(d).isDirectory()) continue;
-    const pkg = join(d, "package.json");
-    if (!existsSync(pkg)) continue;
-    log(`${c.dim}→${c.reset} ${ent}`);
-    const ir = spawnSync("npm", installArgs, spawnWin({ cwd: d, stdio: "inherit" }));
-    if (ir.status !== 0) {
-      log(`${c.yellow}○${c.reset} npm install con avisos en ${ent}`);
-    } else {
+    const { ok, skipped } = npmInstallOneRepo(d, ent);
+    if (skipped) continue;
+    if (ok) {
       log(`${c.green}✓${c.reset} ${ent}`);
+    } else {
+      log(`${c.yellow}○${c.reset} ${ent}`);
     }
   }
 }
@@ -521,7 +583,7 @@ async function main() {
   }
   log(`${c.green}✓${c.reset} Cursor: ${c.bold}File → Open Folder → ${abs}${c.reset}`);
   log(
-    `${c.dim}  npm install usa --no-audit --no-fund (menos ruido). Auditoría: cd cada repo y npm audit. KOMPLIAN_NPM_AUDIT=1 para resumen completo.${c.reset}`
+    `${c.dim}  Con package-lock.json: npm ci (no retoca el lock). Sin lock: npm install --no-package-lock. yarn/pnpm: lock congelado. KOMPLIAN_NPM_AUDIT=1 activa auditoría en npm.${c.reset}`
   );
   log(`${c.dim}  .env.example → .env por proyecto; secretos en 1Password — nunca commit.${c.reset}`);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "komplian",
-  "version": "0.3.7",
+  "version": "0.3.8",
   "description": "Komplian developer workspace setup: GitHub CLI (browser login) + git clone by team. Node 18+, git, gh — no OAuth App to register.",
   "type": "module",
   "engines": {