rapidkit 0.37.0 → 0.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (65) hide show
  1. package/README.md +166 -147
  2. package/contracts/create-planner-capabilities.v1.json +251 -0
  3. package/contracts/runtime-command-surface.v1.json +52 -0
  4. package/dist/autopilot-release-SBPGNGAB.js +1 -0
  5. package/dist/chunk-2ED6SPXP.js +1 -0
  6. package/dist/chunk-3R7UJAX5.js +1 -0
  7. package/dist/{chunk-RUUDLAKJ.js → chunk-5NBYSXOZ.js} +1 -1
  8. package/dist/chunk-7XW2I6MP.js +13 -0
  9. package/dist/{chunk-U6QUN6V2.js → chunk-ABPDGFVD.js} +1 -1
  10. package/dist/chunk-IW3KLQXE.js +2 -0
  11. package/dist/{chunk-7VSYTOOG.js → chunk-NKNMGWAZ.js} +1 -1
  12. package/dist/{chunk-IOIWVHRO.js → chunk-TVIOAZ6E.js} +13 -13
  13. package/dist/chunk-XESEBTPE.js +1 -0
  14. package/dist/{create-HN5HOGQ4.js → create-Y3XJOKL5.js} +1 -1
  15. package/dist/index.js +150 -144
  16. package/dist/{pipeline-BOU4KETN.js → pipeline-C4UCLETO.js} +1 -1
  17. package/dist/{workspace-2AL5C3QZ.js → workspace-WBKFXH4Z.js} +1 -1
  18. package/dist/{workspace-agent-sync-V2H6NTGD.js → workspace-agent-sync-3FFFJYKF.js} +1 -1
  19. package/dist/{workspace-context-KCKNV5VQ.js → workspace-context-V4UGIHSC.js} +1 -1
  20. package/dist/{workspace-foundation-L6ZBGMVE.js → workspace-foundation-T45HAWKL.js} +1 -1
  21. package/dist/{workspace-intelligence-3TWXJQ7Y.js → workspace-intelligence-MGL3Z25K.js} +1 -1
  22. package/dist/{workspace-model-NQVZN5W4.js → workspace-model-IKMGY2BX.js} +1 -1
  23. package/dist/workspace-run-HOR56FON.js +1 -0
  24. package/dist/workspace-verify-A3J6D7T2.js +1 -0
  25. package/docs/AI_DYNAMIC_INTEGRATION.md +440 -0
  26. package/docs/AI_EXAMPLES.md +419 -0
  27. package/docs/AI_FEATURES.md +460 -0
  28. package/docs/AI_QUICKSTART.md +245 -0
  29. package/docs/DEVELOPMENT.md +88 -0
  30. package/docs/From Code to Shared Understanding.png +0 -0
  31. package/docs/OPEN_SOURCE_USER_SCENARIOS.md +170 -0
  32. package/docs/OPTIMIZATION_GUIDE.md +504 -0
  33. package/docs/PACKAGE_MANAGER_POLICY.md +25 -0
  34. package/docs/README.md +121 -0
  35. package/docs/SECURITY.md +63 -0
  36. package/docs/SETUP.md +107 -0
  37. package/docs/UTILITIES.md +221 -0
  38. package/docs/WORKSPACE_MARKER_SPEC.md +276 -0
  39. package/docs/ci-workflows.md +56 -0
  40. package/docs/commands-reference.md +136 -0
  41. package/docs/config-file-guide.md +295 -0
  42. package/docs/contracts/ARTIFACT_CATALOG.md +111 -0
  43. package/docs/contracts/COMMAND_OWNERSHIP_MATRIX.md +138 -0
  44. package/docs/contracts/README.md +71 -0
  45. package/docs/contracts/RUNTIME_ACCEPTANCE_MATRIX.md +98 -0
  46. package/docs/contracts/RUNTIME_SUPPORT_MATRIX.md +74 -0
  47. package/docs/contracts/rapidkit-cli-contracts.json +239 -0
  48. package/docs/create-planner-capabilities.md +81 -0
  49. package/docs/doctor-command.md +263 -0
  50. package/docs/examples/ci-agent-grounding.yml +62 -0
  51. package/docs/from-code-to-shared-understanding.md +46 -0
  52. package/docs/governance-policy.enterprise.example.json +40 -0
  53. package/docs/mirror-config.enterprise.example.json +60 -0
  54. package/docs/policies.workspace.example.yml +23 -0
  55. package/docs/workspace-operations.md +160 -0
  56. package/docs/workspace-run.md +80 -0
  57. package/package.json +3 -2
  58. package/dist/autopilot-release-AUXP2ZIF.js +0 -1
  59. package/dist/chunk-C7OVQQXT.js +0 -1
  60. package/dist/chunk-EJGKBFV4.js +0 -2
  61. package/dist/chunk-UXKB4KGZ.js +0 -13
  62. package/dist/chunk-YJ24EV3P.js +0 -1
  63. package/dist/workspace-run-DEXI52KO.js +0 -1
  64. package/dist/workspace-verify-HBCQNNGU.js +0 -1
  65. /package/dist/{chunk-D23L2GFT.js → chunk-6E5TBB2C.js} +0 -0
@@ -0,0 +1,504 @@
1
+ # Optimization Guide
2
+
3
+ Optimization ideas for the RapidKit npm CLI codebase.
4
+
5
+ **Users:** [../README.md](../README.md) · [OPEN_SOURCE_USER_SCENARIOS.md](./OPEN_SOURCE_USER_SCENARIOS.md) · [Documentation index](./README.md)
6
+
7
+ ## 1. Performance Optimizations
8
+
9
+ ### 1.1 Reduce Bundle Size
10
+ ```json
11
+ // package.json - Add these
12
+ {
13
+ "sideEffects": false,
14
+ "exports": {
15
+ ".": {
16
+ "import": "./dist/index.js",
17
+ "types": "./dist/index.d.ts"
18
+ }
19
+ }
20
+ }
21
+ ```
22
+
23
+ ### 1.2 Better Tree-shaking
24
+ - Use dynamic imports for heavy libraries (inquirer, ora)
25
+ - Lazy loading for template files
26
+
27
+ ### 1.3 Result Caching
28
+ ```typescript
29
+ // Add caching for version checks and template loading
30
+ import { createHash } from 'crypto';
31
+ import os from 'os';
32
+
33
+ const CACHE_DIR = path.join(os.homedir(), '.rapidkit', 'cache');
34
+ const CACHE_TTL = 24 * 60 * 60 * 1000; // 24 hours
35
+
36
+ async function getCachedOrFetch(key: string, fetcher: () => Promise<any>) {
37
+ const cachePath = path.join(CACHE_DIR, `${createHash('md5').update(key).digest('hex')}.json`);
38
+
39
+ if (await fsExtra.pathExists(cachePath)) {
40
+ const cached = await fsExtra.readJson(cachePath);
41
+ if (Date.now() - cached.timestamp < CACHE_TTL) {
42
+ return cached.data;
43
+ }
44
+ }
45
+
46
+ const data = await fetcher();
47
+ await fsExtra.ensureDir(CACHE_DIR);
48
+ await fsExtra.writeJson(cachePath, { data, timestamp: Date.now() });
49
+ return data;
50
+ }
51
+ ```
52
+
53
+ ## 2. Code Quality Optimizations
54
+
55
+ ### 2.1 Add ESLint
56
+ ```bash
57
+ npm install -D @typescript-eslint/eslint-plugin @typescript-eslint/parser eslint
58
+ ```
59
+
60
+ ```javascript
61
+ // .eslintrc.cjs
62
+ module.exports = {
63
+ parser: '@typescript-eslint/parser',
64
+ extends: [
65
+ 'eslint:recommended',
66
+ 'plugin:@typescript-eslint/recommended',
67
+ ],
68
+ parserOptions: {
69
+ ecmaVersion: 2022,
70
+ sourceType: 'module',
71
+ },
72
+ rules: {
73
+ '@typescript-eslint/no-explicit-any': 'warn',
74
+ '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
75
+ },
76
+ };
77
+ ```
78
+
79
+ ### 2.2 Add Prettier
80
+ ```json
81
+ // .prettierrc
82
+ {
83
+ "semi": true,
84
+ "trailingComma": "es5",
85
+ "singleQuote": true,
86
+ "printWidth": 100,
87
+ "tabWidth": 2
88
+ }
89
+ ```
90
+
91
+ ### 2.3 Pre-commit Hooks
92
+ ```bash
93
+ npm install -D husky lint-staged
94
+ ```
95
+
96
+ ```json
97
+ // package.json
98
+ {
99
+ "lint-staged": {
100
+ "*.ts": ["eslint --fix", "prettier --write"]
101
+ }
102
+ }
103
+ ```
104
+
105
+ ## 3. User Experience (UX) Optimizations
106
+
107
+ ### 3.1 Better Progress Indicators
108
+ ```typescript
109
+ // Use multi-step progress bar
110
+ import cliProgress from 'cli-progress';
111
+
112
+ const multibar = new cliProgress.MultiBar({
113
+ clearOnComplete: false,
114
+ hideCursor: true,
115
+ format: '{bar} | {filename} | {value}/{total}',
116
+ });
117
+
118
+ const installBar = multibar.create(100, 0, { filename: 'Installing dependencies' });
119
+ const templateBar = multibar.create(100, 0, { filename: 'Copying templates' });
120
+ ```
121
+
122
+ ### 3.2 Better Error Messages with Suggestions
123
+ ```typescript
124
+ export class PythonNotFoundError extends RapidKitError {
125
+ constructor() {
126
+ super(
127
+ 'Python not found',
128
+ 'PYTHON_NOT_FOUND',
129
+ 'Python 3.10+ is required but not found in PATH.\n\n' +
130
+ '💡 Quick fixes:\n' +
131
+ ' • macOS: brew install python@3.11\n' +
132
+ ' • Ubuntu/Debian: sudo apt install python3.11\n' +
133
+ ' • Windows: Download from python.org\n' +
134
+ ' • Or use pyenv: pyenv install 3.11.0'
135
+ );
136
+ }
137
+ }
138
+ ```
139
+
140
+ ### 3.3 Interactive Mode Improvements
141
+ ```typescript
142
+ // Add fuzzy search for template selection
143
+ import inquirerPrompt from 'inquirer-autocomplete-prompt';
144
+
145
+ inquirer.registerPrompt('autocomplete', inquirerPrompt);
146
+
147
+ await inquirer.prompt([{
148
+ type: 'autocomplete',
149
+ name: 'template',
150
+ message: 'Choose a template:',
151
+ source: async (_, input) => {
152
+ return templates.filter(t =>
153
+ t.name.includes(input?.toLowerCase() || '')
154
+ );
155
+ },
156
+ }]);
157
+ ```
158
+
159
+ ## 4. Security Optimizations
160
+
161
+ ### 4.1 Better Input Validation
162
+ ```typescript
163
+ import validator from 'validator';
164
+
165
+ export function validateProjectName(name: string): void {
166
+ // Check for path traversal
167
+ if (name.includes('..') || name.includes('/') || name.includes('\\')) {
168
+ throw new ValidationError('Project name cannot contain path separators');
169
+ }
170
+
171
+ // Check for dangerous characters
172
+ if (!validator.isAlphanumeric(name.replace(/[-_]/g, ''))) {
173
+ throw new ValidationError('Project name can only contain alphanumeric, dash, and underscore');
174
+ }
175
+
176
+ // Check length
177
+ if (name.length > 100) {
178
+ throw new ValidationError('Project name is too long (max 100 characters)');
179
+ }
180
+ }
181
+ ```
182
+
183
+ ### 4.2 Dependency Security
184
+ ```bash
185
+ # Add npm audit to CI/CD
186
+ npm audit --audit-level=moderate
187
+ ```
188
+
189
+ ### 4.3 Template Sanitization
190
+ ```typescript
191
+ // Use secure template rendering
192
+ import nunjucks from 'nunjucks';
193
+
194
+ const env = new nunjucks.Environment(null, {
195
+ autoescape: true,
196
+ throwOnUndefined: true,
197
+ });
198
+ ```
199
+
200
+ ## 5. Architecture Optimizations
201
+
202
+ ### 5.1 Plugin System
203
+ ```typescript
204
+ // src/plugins/plugin-manager.ts
205
+ interface Plugin {
206
+ name: string;
207
+ version: string;
208
+ hooks: {
209
+ beforeCreate?: (context: CreateContext) => Promise<void>;
210
+ afterCreate?: (context: CreateContext) => Promise<void>;
211
+ beforeInstall?: (context: InstallContext) => Promise<void>;
212
+ afterInstall?: (context: InstallContext) => Promise<void>;
213
+ };
214
+ }
215
+
216
+ export class PluginManager {
217
+ private plugins: Plugin[] = [];
218
+
219
+ register(plugin: Plugin) {
220
+ this.plugins.push(plugin);
221
+ }
222
+
223
+ async runHook(hookName: string, context: any) {
224
+ for (const plugin of this.plugins) {
225
+ const hook = plugin.hooks[hookName];
226
+ if (hook) {
227
+ await hook(context);
228
+ }
229
+ }
230
+ }
231
+ }
232
+ ```
233
+
234
+ ### 5.2 Modular Template System
235
+ ```typescript
236
+ // src/templates/template-registry.ts
237
+ export class TemplateRegistry {
238
+ private templates = new Map<string, Template>();
239
+
240
+ register(id: string, template: Template) {
241
+ this.templates.set(id, template);
242
+ }
243
+
244
+ get(id: string): Template | undefined {
245
+ return this.templates.get(id);
246
+ }
247
+
248
+ list(): Template[] {
249
+ return Array.from(this.templates.values());
250
+ }
251
+ }
252
+ ```
253
+
254
+ ### 5.3 State Machine for Installation Flow
255
+ ```typescript
256
+ // src/core/installation-state-machine.ts
257
+ enum State {
258
+ IDLE = 'idle',
259
+ VALIDATING = 'validating',
260
+ CREATING_DIR = 'creating_dir',
261
+ INSTALLING_DEPS = 'installing_deps',
262
+ COPYING_TEMPLATES = 'copying_templates',
263
+ INITIALIZING_GIT = 'initializing_git',
264
+ COMPLETE = 'complete',
265
+ ERROR = 'error',
266
+ }
267
+
268
+ export class InstallationStateMachine {
269
+ private state: State = State.IDLE;
270
+
271
+ async transition(to: State) {
272
+ logger.debug(`State transition: ${this.state} -> ${to}`);
273
+ this.state = to;
274
+ }
275
+
276
+ canTransition(to: State): boolean {
277
+ // Define valid transitions
278
+ const validTransitions = {
279
+ [State.IDLE]: [State.VALIDATING],
280
+ [State.VALIDATING]: [State.CREATING_DIR, State.ERROR],
281
+ // ...
282
+ };
283
+ return validTransitions[this.state]?.includes(to) ?? false;
284
+ }
285
+ }
286
+ ```
287
+
288
+ ## 6. Testing Optimizations
289
+
290
+ ### 6.1 Integration Tests
291
+ ```typescript
292
+ // src/__tests__/integration/full-flow.test.ts
293
+ describe('Full installation flow', () => {
294
+ it('should create demo workspace successfully', async () => {
295
+ const tmpDir = await fsExtra.mkdtemp(path.join(os.tmpdir(), 'rapidkit-test-'));
296
+
297
+ try {
298
+ await createProject('test-workspace', {
299
+ demoMode: true,
300
+ skipGit: true,
301
+ });
302
+
303
+ expect(await fsExtra.pathExists(path.join(tmpDir, 'test-workspace'))).toBe(true);
304
+ expect(await fsExtra.pathExists(path.join(tmpDir, 'test-workspace', 'generate-demo.js'))).toBe(true);
305
+ } finally {
306
+ await fsExtra.remove(tmpDir);
307
+ }
308
+ });
309
+ });
310
+ ```
311
+
312
+ ### 6.2 Snapshot Tests for Generated Files
313
+ ```typescript
314
+ // src/__tests__/snapshots/templates.test.ts
315
+ it('should generate correct pyproject.toml', async () => {
316
+ const result = await generateTemplate('pyproject.toml', {
317
+ project_name: 'test_project',
318
+ author: 'Test Author',
319
+ });
320
+
321
+ expect(result).toMatchSnapshot();
322
+ });
323
+ ```
324
+
325
+ ### 6.3 Performance Benchmarks
326
+ ```typescript
327
+ // src/__tests__/benchmarks/creation-speed.bench.ts
328
+ import { bench, describe } from 'vitest';
329
+
330
+ describe('Creation performance', () => {
331
+ bench('create demo workspace', async () => {
332
+ await createProject('bench-test', { demoMode: true, dryRun: true });
333
+ });
334
+ });
335
+ ```
336
+
337
+ ## 7. Documentation Optimizations
338
+
339
+ ### 7.1 API Documentation
340
+ ```bash
341
+ npm install -D typedoc
342
+ ```
343
+
344
+ ```json
345
+ // package.json
346
+ {
347
+ "scripts": {
348
+ "docs": "typedoc --out docs src/index.ts"
349
+ }
350
+ }
351
+ ```
352
+
353
+ ### 7.2 Interactive Examples
354
+ ```typescript
355
+ // examples/programmatic-usage.ts
356
+ import { createProject } from 'rapidkit';
357
+
358
+ async function example() {
359
+ await createProject('my-workspace', {
360
+ demoMode: true,
361
+ skipGit: false,
362
+ });
363
+ }
364
+ ```
365
+
366
+ ## 8. CI/CD Optimizations
367
+
368
+ **Note**: CI/CD is optional. If you don't need automated workflows, you can skip this section.
369
+
370
+ ### 8.1 GitHub Actions Workflow
371
+ ```yaml
372
+ # .github/workflows/ci.yml
373
+ name: CI
374
+
375
+ on: [push, pull_request]
376
+
377
+ jobs:
378
+ test:
379
+ runs-on: ${{ matrix.os }}
380
+ strategy:
381
+ matrix:
382
+ os: [ubuntu-latest, macos-latest, windows-latest]
383
+ node-version: [18, 20, 22]
384
+
385
+ steps:
386
+ - uses: actions/checkout@v3
387
+ - uses: actions/setup-node@v3
388
+ with:
389
+ node-version: ${{ matrix.node-version }}
390
+ - run: npm ci
391
+ - run: npm test
392
+ - run: npm run build
393
+ ```
394
+
395
+ ### 8.2 Automated Releases
396
+ ```yaml
397
+ # .github/workflows/release.yml
398
+ name: Release
399
+
400
+ on:
401
+ push:
402
+ tags:
403
+ - 'v*'
404
+
405
+ jobs:
406
+ release:
407
+ runs-on: ubuntu-latest
408
+ steps:
409
+ - uses: actions/checkout@v3
410
+ - uses: actions/setup-node@v3
411
+ - run: npm ci
412
+ - run: npm run build
413
+ - run: npm publish
414
+ env:
415
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
416
+ ```
417
+
418
+ ## 9. Monitoring & Analytics Optimizations
419
+
420
+ ### 9.1 Telemetry (Optional with User Consent)
421
+ ```typescript
422
+ // src/telemetry.ts
423
+ import os from 'os';
424
+ import { getVersion } from './update-checker.js';
425
+
426
+ interface TelemetryData {
427
+ version: string;
428
+ command: string;
429
+ options: string[];
430
+ platform: string;
431
+ nodeVersion: string;
432
+ success: boolean;
433
+ duration: number;
434
+ }
435
+
436
+ export async function sendTelemetry(data: TelemetryData) {
437
+ // Only if user opted-in via config
438
+ const config = await loadUserConfig();
439
+ if (!config.telemetry) return;
440
+
441
+ try {
442
+ await fetch('https://telemetry.getrapidkit.com/api/events', {
443
+ method: 'POST',
444
+ headers: { 'Content-Type': 'application/json' },
445
+ body: JSON.stringify({
446
+ ...data,
447
+ timestamp: new Date().toISOString(),
448
+ }),
449
+ });
450
+ } catch {
451
+ // Fail silently
452
+ }
453
+ }
454
+ ```
455
+
456
+ ## 10. Bundle Size Optimizations
457
+
458
+ ### 10.1 Analyze Bundle
459
+ ```bash
460
+ npm install -D webpack-bundle-analyzer
461
+ ```
462
+
463
+ ### 10.2 Replace Heavy Dependencies
464
+ - `inquirer` → `prompts` (lighter alternative)
465
+ - `chalk` → `picocolors` (much smaller)
466
+ - `fs-extra` → native `fs/promises` where possible
467
+
468
+ ### 10.3 Code Splitting
469
+ ```typescript
470
+ // Dynamic imports for heavy operations
471
+ const createDemoWorkspace = async () => {
472
+ const { generateDemoKit } = await import('./demo-kit.js');
473
+ return generateDemoKit(...);
474
+ };
475
+ ```
476
+
477
+ ## Implementation Priority
478
+
479
+ ### 🔴 High Priority (Week 1)
480
+ 1. ESLint + Prettier setup ✅
481
+ 2. Better error messages with suggestions
482
+ 3. Input validation improvements
483
+ 4. Bundle size optimization
484
+
485
+ ### 🟡 Medium Priority (Weeks 2-3)
486
+ 1. Plugin system
487
+ 2. Integration tests
488
+ 3. Performance benchmarks
489
+ 4. CI/CD workflows (optional)
490
+
491
+ ### 🟢 Low Priority (Month 2+)
492
+ 1. Telemetry system
493
+ 2. Advanced caching
494
+ 3. Multi-language support
495
+ 4. Interactive documentation
496
+
497
+ ## Summary
498
+
499
+ These optimizations can achieve:
500
+ - **Performance**: ~40% faster installation
501
+ - **Bundle Size**: ~30% reduction
502
+ - **User Experience**: Significant improvements in error handling and progress tracking
503
+ - **Code Quality**: Higher coverage and better maintainability
504
+ - **Security**: Reduced attack surface and better validation
@@ -0,0 +1,25 @@
1
+ # Package Manager Policy
2
+
3
+ ## Official Policy
4
+
5
+ This repository is **npm-only** for development and CI workflows.
6
+
7
+ ## Why
8
+
9
+ - CI workflows use `npm ci` as the canonical install path.
10
+ - A single lockfile strategy reduces dependency drift and release variance.
11
+ - Release and E2E scripts are standardized on npm commands.
12
+
13
+ ## Rules
14
+
15
+ - Use `npm install` (or `npm ci` in CI/local clean installs).
16
+ - Do not use `yarn` or `pnpm` for contributor workflows in this repository.
17
+ - Keep `package-lock.json` as the canonical lockfile.
18
+
19
+ ## Enforcement
20
+
21
+ A `preinstall` guard blocks non-npm package managers during local install.
22
+
23
+ ## Notes
24
+
25
+ This policy applies to the `rapidkit-npm` repository itself. Generated projects may use their own package-manager conventions depending on framework and template outputs.
package/docs/README.md ADDED
@@ -0,0 +1,121 @@
1
+ # RapidKit NPM — Documentation Index
2
+
3
+ Hub for user and contributor documentation. Start with the [main README](../README.md) for install and quickstarts.
4
+
5
+ ## Table of contents
6
+
7
+ - [User documentation](#user-documentation)
8
+ - [Operations & security](#operations--security)
9
+ - [AI module recommendations](#ai-module-recommendations)
10
+ - [Technical contracts](#technical-contracts)
11
+ - [Contributor documentation](#contributor-documentation)
12
+ - [Validation commands](#validation-commands)
13
+
14
+ ## User documentation
15
+
16
+ | Document | Description |
17
+ | --- | --- |
18
+ | [commands-reference.md](./commands-reference.md) | Full CLI syntax, profiles, and policy keys |
19
+ | [workspace-operations.md](./workspace-operations.md) | Import, adopt, snapshots, archives, contracts, infra |
20
+ | [workspace-run.md](./workspace-run.md) | Polyglot fleet orchestration (`workspace run`) |
21
+ | [create-planner-capabilities.md](./create-planner-capabilities.md) | Native create, external-create-adopt, and adopt-only lanes |
22
+ | [from-code-to-shared-understanding.md](./from-code-to-shared-understanding.md) | GitHub-rendered Workspace Intelligence diagram |
23
+ | [OPEN_SOURCE_USER_SCENARIOS.md](./OPEN_SOURCE_USER_SCENARIOS.md) | Role-based workflows (junior → enterprise) |
24
+ | [doctor-command.md](./doctor-command.md) | Doctor scopes, CI exit codes, JSON evidence |
25
+ | [config-file-guide.md](./config-file-guide.md) | User config file (`~/.rapidkitrc.json`, `rapidkit.config.*`) |
26
+ | [WORKSPACE_MARKER_SPEC.md](./WORKSPACE_MARKER_SPEC.md) | Workspace marker format |
27
+ | [PACKAGE_MANAGER_POLICY.md](./PACKAGE_MANAGER_POLICY.md) | npm-only policy for this repository |
28
+
29
+ **Common tasks**
30
+
31
+ - Adopt an existing repo: [workspace-operations.md#import-and-adoption](./workspace-operations.md#import-and-adoption)
32
+ - Scaffold a frontend app: [commands-reference.md](./commands-reference.md) (`create frontend`)
33
+ - CI release gate: [commands-reference.md](./commands-reference.md) (`pipeline`, `readiness`)
34
+ - Agent context: `workspace model` / `workspace context` — schemas in [contracts/workspace-intelligence/](../contracts/workspace-intelligence/)
35
+
36
+ ## Operations & security
37
+
38
+ | Document | Description |
39
+ | --- | --- |
40
+ | [SECURITY.md](./SECURITY.md) | Vulnerability reporting and supported versions |
41
+ | [policies.workspace.example.yml](./policies.workspace.example.yml) | Workspace policy template |
42
+ | [governance-policy.enterprise.example.json](./governance-policy.enterprise.example.json) | Sigstore governance allowlist template |
43
+ | [mirror-config.enterprise.example.json](./mirror-config.enterprise.example.json) | Mirror + evidence export template |
44
+
45
+ ## AI module recommendations
46
+
47
+ FastAPI/NestJS module suggestions via OpenAI embeddings (optional).
48
+
49
+ | Document | Description |
50
+ | --- | --- |
51
+ | [AI_QUICKSTART.md](./AI_QUICKSTART.md) | 60-second setup |
52
+ | [AI_FEATURES.md](./AI_FEATURES.md) | Complete feature reference |
53
+ | [AI_EXAMPLES.md](./AI_EXAMPLES.md) | Use-case examples |
54
+ | [AI_DYNAMIC_INTEGRATION.md](./AI_DYNAMIC_INTEGRATION.md) | Integration architecture |
55
+
56
+ ## Technical contracts
57
+
58
+ JSON schemas and ownership rules for tooling parity.
59
+
60
+ | Location | Description |
61
+ | --- | --- |
62
+ | [contracts/README.md](./contracts/README.md) | Core CLI JSON contracts + generator scripts |
63
+ | [contracts/COMMAND_OWNERSHIP_MATRIX.md](./contracts/COMMAND_OWNERSHIP_MATRIX.md) | npm wrapper vs Core command ownership |
64
+ | [contracts/RUNTIME_SUPPORT_MATRIX.md](./contracts/RUNTIME_SUPPORT_MATRIX.md) | Scaffold/import/lifecycle support tiers |
65
+ | [contracts/RUNTIME_ACCEPTANCE_MATRIX.md](./contracts/RUNTIME_ACCEPTANCE_MATRIX.md) | Runtime acceptance test expectations |
66
+ | [../contracts/](../contracts/) | Canonical JSON schemas (published in npm tarball) |
67
+
68
+ Regenerate and verify:
69
+
70
+ ```bash
71
+ npm run generate:contracts
72
+ npm run check:generated-contracts
73
+ npm run validate:contracts
74
+ ```
75
+
76
+ ## Contributor documentation
77
+
78
+ | Document | Description |
79
+ | --- | --- |
80
+ | [DEVELOPMENT.md](./DEVELOPMENT.md) | Local dev, testing, debugging |
81
+ | [SETUP.md](./SETUP.md) | Build gates, smoke flows, release hygiene |
82
+ | [ci-workflows.md](./ci-workflows.md) | GitHub Actions workflow map |
83
+ | [OPTIMIZATION_GUIDE.md](./OPTIMIZATION_GUIDE.md) | Performance and improvement notes |
84
+ | [UTILITIES.md](./UTILITIES.md) | Internal cache and metrics helpers |
85
+
86
+ Also see [../CONTRIBUTING.md](../CONTRIBUTING.md) and [../CHANGELOG.md](../CHANGELOG.md).
87
+
88
+ ## Validation commands
89
+
90
+ ```bash
91
+ npm run validate:docs # links + drift guard + examples + README smoke
92
+ npm run check:markdown-links # local markdown link integrity
93
+ npm run validate:docs-examples # example JSON/YAML in docs
94
+ npm run smoke:readme # CLI help smoke for documented commands
95
+ ```
96
+
97
+ ## Repository layout
98
+
99
+ ```text
100
+ rapidkit-npm/
101
+ ├── README.md # User hub (install, quickstarts, doc links)
102
+ ├── CHANGELOG.md
103
+ ├── RELEASE_NOTES.md
104
+ ├── releases/ # Per-version release notes
105
+ └── docs/
106
+ ├── README.md # This index
107
+ ├── commands-reference.md
108
+ ├── workspace-operations.md
109
+ ├── workspace-run.md
110
+ ├── ci-workflows.md
111
+ ├── doctor-command.md
112
+ ├── OPEN_SOURCE_USER_SCENARIOS.md
113
+ ├── config-file-guide.md
114
+ ├── SECURITY.md
115
+ ├── SETUP.md
116
+ ├── DEVELOPMENT.md
117
+ ├── contracts/ # Contract docs (mirrors + matrices)
118
+ └── … # AI guides, policies, examples
119
+ ```
120
+
121
+ Enterprise governance runbooks are maintained outside this OSS docs tree.
@@ -0,0 +1,63 @@
1
+ # Security Policy
2
+
3
+ ## Supported Versions
4
+
5
+ | Version | Supported |
6
+ | ------- | ------------------ |
7
+ | 0.35.x (latest minor) | :white_check_mark: |
8
+ | < 0.35.0 | :x: |
9
+
10
+ During the `0.x` phase, only the latest minor line receives security fixes.
11
+
12
+ ## Known Security Considerations
13
+
14
+ ### Development Dependencies
15
+
16
+ Our CI/CD pipeline may report moderate severity vulnerabilities in development dependencies (vitest, vite, esbuild). These packages are:
17
+
18
+ - ✅ **Only used during development and testing**
19
+ - ✅ **Not included in the published npm package**
20
+ - ✅ **Not shipped to end users**
21
+ - ✅ **Do not affect runtime security**
22
+
23
+ The published package only includes runtime dependencies required for workspace creation.
24
+
25
+ ### Production Dependencies
26
+
27
+ We actively monitor and address any security vulnerabilities in production dependencies that are shipped with the package.
28
+
29
+ ## Reporting a Vulnerability
30
+
31
+ If you discover a security vulnerability in rapidkit, please report it by emailing **security@getrapidkit.com** or opening a private security advisory on GitHub.
32
+
33
+ Please include:
34
+ - Description of the vulnerability
35
+ - Steps to reproduce
36
+ - Potential impact
37
+ - Suggested fix (if available)
38
+
39
+ We will respond within 48 hours and work to address critical issues as quickly as possible.
40
+
41
+ ## Security Best Practices
42
+
43
+ When using rapidkit:
44
+
45
+ 1. **Keep dependencies updated**: Run `npm update` regularly
46
+ 2. **Review generated code**: Always review the workspace structure before deployment
47
+ 3. **Use official releases**: Install from npm registry, not from git directly
48
+ 4. **Verify package integrity**: Use `npm audit` on your generated project
49
+
50
+ ## Security Scanning
51
+
52
+ We use:
53
+ - GitHub Security Advisories
54
+ - npm audit (production dependencies)
55
+ - Dependabot for automated updates
56
+ - Regular manual security reviews
57
+
58
+ ## Updates
59
+
60
+ Security updates are released as patch versions on the latest `0.x` minor line and announced in:
61
+ - GitHub Releases
62
+ - CHANGELOG.md
63
+ - npm package updates