npm - prjct-cli - Versions diffs - 2.20.2 → 2.21.1 - Mend

prjct-cli 2.20.2 → 2.21.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +25 -33
package/README.md +3 -0
package/dist/bin/prjct-core.mjs +328 -322
package/dist/bin/prjct.mjs +1 -1
package/dist/daemon/entry.mjs +204 -204
package/dist/mcp/server.mjs +36 -36
package/package.json +3 -2

package/CHANGELOG.md CHANGED Viewed

@@ -1,48 +1,40 @@
 # Changelog
-## [2.20.2] - 2026-05-17
+## [2.21.1] - 2026-05-18
 ### Bug Fixes
-- skill routing triages complexity FIRST — spec is the exception, not the default (v2.20.1) (#341)
+- route all remaining os.homedir()/.prjct-cli sites through pathManager (#344)
+- optimistic CAS on StorageManager.update() — close the lost-update data race (#346)
+- gate workflow rules ingested from repo markdown (close clone-to-RCE) (#345)
 ## [Unreleased]
-### Changed
-- **Skill routing triages complexity FIRST — spec is the exception, not the default.** `prjct-skill-body.ts` (skill SSOT) led with "substantive work → default to `spec` first", which pushed every simple one-file change through `spec` + `audit-spec` + 3 reviewer subagents — ceremony tax that slowed ship for zero protection on a fix. Inverted: an explicit **triage** step routes simple work (≈1 file, known root cause, reversible, "fix"/"hoy") DIRECT to `task` → implement → `qa`/`review` → `ship` with no spec; `spec`/`audit-spec` reserved for genuinely complex/high-stakes framing. Prose-only, no code-path change; skill-generator suite green (31/31).
-## [2.20.1] - 2026-05-17
-### Bug Fixes
-- skill-miss-detector — crew-isolation guard (no false nags after crew runs) (v2.19.10) (#339)
-## [Unreleased]
+## [2.21.0] - 2026-05-17
-### Fixed
+### Features
-- **skill-miss-detector no longer false-positives after a crew run (#16 follow-up).** Crew implementer/reviewer run as isolated subagents in the *shared* working tree, so at the leader's Stop hook `getModifiedFiles()` saw their edits and path-overlap relevance fired — but the leader transcript never carries the memory references the subagent made in its own isolated transcript, producing a false skill-miss nag for every crew-touched file. Fix: `detectSkillMisses` collects the `files_touched` of crew runs whose `ended_at` is within `CREW_RUN_RECENCY_MS` (6h) via `crewRunStorage.list` and excludes them from path-overlap relevance; token-overlap detection stays active so non-crew work in the same session is still covered. Crew itself is unchanged (it was architecturally correct). Best-effort — any failure degrades to prior behavior. Tests: `core/__tests__/services/skill-miss-detector.test.ts`.
+- **`prjct review-risk [--md]`** — advisory size/delivery-geometry signal (minimal cut of harnesses #18/19/20). Reads the committed changeset vs the merge-base with the default branch (`git diff --shortstat`), derives a size tier (trivial/normal/large) and suggests a delivery geometry (`direct`/`single`/`split`, with the touched top-level dirs as natural split lines). Read-only/Tier-1 (retro/health shape); never gates, never splits, never mutates git; graceful no-signal when there is no base or nothing committed. (#340)
-## [2.20.0] - 2026-05-17
+## [2.20.2] - 2026-05-17
-### Features
+### Added
-- Skill Resolution Feedback (#16) — skill-miss detector + improvement-signals widening + prjct skill-adherence (v2.19.9) (#338)
+- **Architecture guard: SQLite connection factory is now an enforced invariant.** `openDatabase()` in `core/storage/database/sqlite-compat.ts` already baked the daemon-safety PRAGMAs (`journal_mode=WAL`, `busy_timeout=5000`) into every connection, but nothing stopped a future caller from doing a raw `new Database(...)` / `require('bun:sqlite')` / `require('better-sqlite3')` and silently bypassing them — the open half of the HIGH-severity daemon-vs-CLI write-lock anti-pattern. New `core/__tests__/storage/sqlite-factory-guard.test.ts` scans `core/` + `bin/` and fails CI if any file outside the sanctioned factory acquires a driver, and separately asserts the factory keeps both PRAGMAs. Closes the anti-pattern by moving it from convention to enforced. No runtime code change. (#342)
+### Bug Fixes
-## [2.19.9] - 2026-05-16
+- skill routing triages complexity FIRST — spec is the exception, not the default (v2.20.1) (#341)
-### Bug Fixes
+## [2.20.1] - 2026-05-17
-- strictly-monotonic updated_at so the CAS token can't collide (#337)
+### Fixed
+- **skill-miss-detector no longer false-positives after a crew run (#16 follow-up) (#339).** Crew implementer/reviewer run as isolated subagents in the *shared* working tree, so at the leader's Stop hook `getModifiedFiles()` saw their edits and path-overlap relevance fired — but the leader transcript never carries the memory references the subagent made in its own isolated transcript, producing a false skill-miss nag for every crew-touched file. Fix: `detectSkillMisses` collects the `files_touched` of crew runs whose `ended_at` is within `CREW_RUN_RECENCY_MS` (6h) via `crewRunStorage.list` and excludes them from path-overlap relevance; token-overlap detection stays active so non-crew work in the same session is still covered. Crew itself is unchanged (it was architecturally correct). Best-effort — any failure degrades to prior behavior. Tests: `core/__tests__/services/skill-miss-detector.test.ts`.
-## [Unreleased]
-## [2.19.9] - 2026-05-16
+## [2.20.0] - 2026-05-17
 ### Added
@@ -56,6 +48,12 @@
 ### Fixed
 - **`getProjectId` no longer silently mints a random orphan project.** Root cause: `ConfigManager.getProjectId()` fell through to `pathManager.generateProjectId()` (`crypto.randomUUID()`) whenever `readConfig()` returned null, so any path-resolution miss (daemon resolving the wrong cwd, config transiently unreadable, case-variant path) forked a brand-new project and scattered specs/memory across ghost projects with no error surfaced. Now returns `''` — the falsy sentinel 31/32 call sites already guard with `if (!projectId)` → callers fail loud ("run prjct init") instead of writing into a random new project. Only explicit `prjct init` (`createConfig`) mints. Regression test: `core/__tests__/infrastructure/config-manager-getprojectid.test.ts`.
+## [2.19.9] - 2026-05-16
+### Bug Fixes
+- strictly-monotonic updated_at so the CAS token can't collide (#337)
 ## [2.19.8] - 2026-05-14
 Crew-mode persistence v7 (spec a50b32d1). SQLite becomes the single source of truth for crew runs, team enrollment, and checkpoint customization. Disk mirrors exist only where an external read contract demands one (the pre-commit hook).
@@ -172,15 +170,7 @@ Crew-mode persistence v7 (spec a50b32d1). SQLite becomes the single source of tr
 ## [2.15.0] - 2026-05-03
-### Features
-- prjct as a Spec-Driven Development system (#318)
-- self-heal prjct SKILL.md on every CLI invocation (#317)
-## [Unreleased]
-### Features — SDD: Spec-Driven Development
+### Features — SDD: Spec-Driven Development (#318)
 prjct now ships an end-to-end SDD primitive. The canonical sequence is `spec → audit-spec → task --spec → implement → ship (acceptance gate) → remember learning`.
@@ -193,6 +183,8 @@ prjct now ships an end-to-end SDD primitive. The canonical sequence is `spec →
 - **Skill body** — Claude is taught the SDD canonical sequence and the `spec` / `audit-spec` verbs in the intent map. The skill body's verb intent map now leads with `spec` for substantive work; `task` is the right call for routine work that doesn't deserve a spec.
 - **Templates** — `templates/spec-template.md`, `templates/spec-reviewer-rubrics/{strategic,architecture,design}.md`, `templates/sdd-canonical-sequence.md`. Old `templates/planning-methodology.md` renamed to `planning-methodology-deep.md` (retained but de-defaulted).
+- self-heal prjct SKILL.md on every CLI invocation (#317)
 ### Schema
 - Migration 16 adds the `specs` table and the `tasks.linked_spec_id` column. Additive — existing memory and tasks unaffected.

package/README.md CHANGED Viewed

@@ -58,6 +58,7 @@ After install, **next session in any prjct project**:
   - `security` — OWASP Top 10 + STRIDE, 8/10 confidence gate, concrete exploit per finding
   - `investigate` — Iron Law (no fix without investigation), max 3 failed hypotheses
   - `ship` (endurecido) — Coverage Gate + Auto-Document
+- **Delivery-geometry advisory** (`prjct review-risk`): reads the committed changeset vs the merge-base and suggests a size tier (trivial/normal/large) + whether to ship direct, as one PR, or split — with the touched top-level dirs as natural split lines. Purely advisory: never gates, never mutates git.
 ## How it works
@@ -132,6 +133,7 @@ Cursor / Windsurf use the same commands with a `/` prefix: `/capture`, `/task`,
 | `prjct sync` | Re-index files, git co-change, imports; refresh project analysis. |
 | `prjct regen` | Full rebuild of the Obsidian vault snapshot from SQLite. |
 | `prjct suggest` | Smart recommendations based on current project state. |
+| `prjct review-risk` | Advisory change-size + delivery-geometry signal for the branch (read-only; never gates, never splits). |
 | `prjct seed <add\|list>` | Manage packs (persona, memory types, workflow slots). |
 ## Personas & Packs
@@ -205,6 +207,7 @@ prjct watch              Auto-sync on file changes
 prjct doctor             Check system health
 prjct hooks <install|uninstall|status>  Git hooks for auto-sync
 prjct context <files|signatures|imports|recent|summary>  Smart context filters
+prjct review-risk        Advisory change-size + delivery-geometry hint (read-only)
 prjct workflow ["config"]  Configure hooks via natural language
 prjct stop / restart     Background daemon control
 prjct login / logout / auth   Cloud sync authentication