proof-pr 0.1.9 → 0.1.11

package/README.md

@@ -6,12 +6,22 @@ ProofPR 是给开源维护者和工程团队使用的 PR 证据门禁。它在
 
 ## 快速使用
 
+确认 latest 版本：
+
+```bash
+npx proof-pr@latest --version
+```
+
+当前应输出 `0.1.11`。
+
 初始化配置和 GitHub Action：
 
 ```bash
-npx proof-pr@latest init --preset open-source-maintainer
+npx proof-pr@latest init
 ```
 
+这个命令会生成 `.proofpr.yml` 和 `.github/workflows/proofpr.yml`，提交后打开 PR 即可看到报告。
+
 本地扫描当前分支：
 
 ```bash
@@ -27,7 +37,7 @@ npx proof-pr@latest scan --diff-file examples/cases/workflow-untrusted-checkout.
 生成独立 HTML 可视化报告：
 
 ```bash
-npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN --format html > proofpr-report.html
+npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN --format html --output proofpr-report.html
 ```
 
 运行 benchmark：
@@ -39,7 +49,7 @@ npx proof-pr@latest benchmark --cases benchmarks/cases
 ## GitHub Action
 
 ```yaml
-- uses: linsk27/proof-pr@v0.1.9
+- uses: linsk27/proof-pr@v0.1.11
   with:
     fail-on: high
     comment: "true"
@@ -52,7 +62,7 @@ npx proof-pr@latest benchmark --cases benchmarks/cases
 - 证据评分：0-100 分。
 - Review 门禁：正常 review、重点 review、先补证据、风险处理前不要合并。
 - Review 行动清单：维护者可直接执行的 checklist。
-- 可选输出：GitHub annotations、SARIF、benchmark report、独立 HTML 可视化报告。
+- 可选输出：GitHub annotations、SARIF、benchmark report、独立 HTML 可视化报告；CLI 可用 `--output` 直接写文件。
 
 ## 常用预设
 

package/dist/index.js

@@ -23726,14 +23726,13 @@ function renderHtmlReport(result, locale = "en") {
         <h2>${labels.reviewPlan}</h2>
         <div class="action-list">
           ${result.reviewPlan.actionItems.length > 0
-        ? result.reviewPlan.actionItems.map((action) => `
-          <div class="action">
+        ? result.reviewPlan.actionItems.map((action) => `<div class="action">
             <span class="box"></span>
             <div>
               <div class="action-title">${escapeHtml(localizeActionTitle(action.actionId, action.title, locale))}<span class="priority">${escapeHtml(formatPriority(action.priority, locale))}</span></div>
               <div class="muted">${escapeHtml(localizeActionDetail(action.actionId, action.detail, locale))}</div>
             </div>
-          </div>`).join("\n")
+          </div>`).join("\n          ")
         : `<div class="muted">${labels.noActions}</div>`}
         </div>
       </article>
@@ -23752,11 +23751,10 @@ function renderHtmlReport(result, locale = "en") {
         <h2>${labels.focusFiles}</h2>
         <div class="focus-list">
           ${result.reviewPlan.focusFiles.length > 0
-        ? result.reviewPlan.focusFiles.map((file) => `
-          <div class="focus">
+        ? result.reviewPlan.focusFiles.map((file) => `<div class="focus">
             <div><code>${escapeHtml(file.path)}</code></div>
             <div class="muted">${escapeHtml(localizeFocusReason(file.reasonId, file.reason, locale))}</div>
-          </div>`).join("\n")
+          </div>`).join("\n          ")
         : `<div class="muted">${labels.noFocusFiles}</div>`}
         </div>
       </article>
@@ -23765,11 +23763,10 @@ function renderHtmlReport(result, locale = "en") {
         <h2>${labels.scoreDetails}</h2>
         <div class="deduction-list">
           ${result.evidenceScore.deductions.length > 0
-        ? result.evidenceScore.deductions.map((deduction) => `
-          <div class="deduction">
+        ? result.evidenceScore.deductions.map((deduction) => `<div class="deduction">
             <strong>-${deduction.points}</strong>
             <div class="muted">${escapeHtml(localizeDeduction(deduction.reasonId, deduction.message, locale))}</div>
-          </div>`).join("\n")
+          </div>`).join("\n          ")
         : `<div class="muted">${labels.noDeductions}</div>`}
         </div>
       </article>
@@ -25735,7 +25732,7 @@ const build_program = new Command();
 build_program
     .name("proof-pr")
     .description("Review pull request evidence, scope, and safety before maintainers spend time on it.")
-    .version("0.1.9");
+    .version("0.1.11");
 build_program
     .command("scan", { isDefault: true })
     .description("Scan a git diff and print a ProofPR report.")
@@ -25747,6 +25744,7 @@ build_program
     .option("--pr-body-file <path>", "Read a pull request body from a Markdown file.")
     .option("--config <path>", "Path to .proofpr.yml.", ".proofpr.yml")
     .option("--format <format>", "Output format: markdown, json, sarif, or html.", parseFormat, "markdown")
+    .option("--output <path>", "Write report output to a file instead of stdout.")
     .option("--locale <locale>", "Report language: en or zh-CN.")
     .option("--fail-on <level>", "Exit with code 1 on risk level: low, medium, high, or never.", parseFailLevel, "never")
     .action(async (options) => {
@@ -25761,7 +25759,13 @@ build_program
     const result = scanDiff(diffText, { config, pullRequest });
     const locale = parseLocale(options.locale, config.locale);
     const output = renderOutput(result, options.format, locale);
-    process.stdout.write(`${output}\n`);
+    if (options.output) {
+        await writeOutput(options.output, `${output}\n`);
+        process.stdout.write(`ProofPR ${options.format} report written to ${options.output}\n`);
+    }
+    else {
+        process.stdout.write(`${output}\n`);
+    }
     if (riskMeetsThreshold(result.risk, options.failOn)) {
         process.exitCode = 1;
     }
@@ -25777,7 +25781,7 @@ build_program
     .action(async (options) => {
     await writeIfMissing(options.configPath, renderConfigTemplate(options.preset), options.force);
     await writeIfMissing(options.workflowPath, renderWorkflowTemplate(options.failOn), options.force);
-    process.stdout.write(`ProofPR initialized:\n- ${options.configPath}\n- ${options.workflowPath}\n`);
+    process.stdout.write(`ProofPR initialized.\n\nCreated:\n- ${options.configPath}\n- ${options.workflowPath}\n\nNext:\n1. Commit these files.\n2. Open or update a pull request.\n3. Read the ProofPR comment or Actions summary.\n\nLocal check:\nnpx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN\n`);
 });
 build_program
     .command("benchmark")
@@ -25854,61 +25858,8 @@ preset: ${preset}
 comment:
   enabled: true
 
-# 如需更严格或更宽松，可以先换 preset：
-# preset: security-strict
-#
-# 可用预设：
-# - balanced
-# - open-source-maintainer
-# - security-strict
-# - ai-generated-pr
-# - mcp-security
-# - dependency-careful
-#
-# 也可以取消注释下面这些字段，覆盖 preset 的默认值。
-# riskThreshold: high
-#
-# sensitivePaths:
-#   - ".github/workflows/**"
-#   - ".github/actions/**"
-#   - "**/.env*"
-#   - "**/mcp*.json"
-#   - "**/*mcp*.json"
-#   - "Dockerfile"
-#   - "**/Dockerfile"
-#   - "package.json"
-#   - "pnpm-lock.yaml"
-#   - "package-lock.json"
-#   - "yarn.lock"
-#   - "bun.lockb"
-#
-# requireTests:
-#   enabled: true
-#   paths:
-#     - "src/**"
-#     - "packages/**/src/**"
-#     - "app/**"
-#     - "lib/**"
-#
-# secrets:
-#   enabled: true
-#
-# dependencies:
-#   flagNewPackages: true
-#   flagMajorUpgrades: true
-#   flagLifecycleScripts: true
-#
-# evidence:
-#   contracts:
-#     - id: ui-screenshot
-#       title: UI changes need screenshots
-#       paths:
-#         - "src/components/**"
-#         - "app/**"
-#       requires:
-#         - screenshot
-#         - verification
-#       severity: medium
+# 想更严格时，把 preset 改成 security-strict / dependency-careful / mcp-security。
+# 详细配置见 docs/configuration.md。
 `;
 }
 function renderWorkflowTemplate(failOn) {
@@ -25927,7 +25878,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: linsk27/proof-pr@v0.1.9
+      - uses: linsk27/proof-pr@v0.1.11
         with:
           fail-on: ${failOn}
           comment: "true"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "proof-pr",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "description": "CLI for ProofPR, a maintainer-focused pull request evidence scanner.",
   "license": "MIT",
   "type": "module",