shipwright-cli 2.3.0 → 2.4.0

package/README.md

@@ -13,7 +13,7 @@
   <a href="https://github.com/sethdford/shipwright/actions/workflows/test.yml"><img src="https://github.com/sethdford/shipwright/actions/workflows/test.yml/badge.svg" alt="Tests"></a>
   <a href="https://github.com/sethdford/shipwright/actions/workflows/shipwright-pipeline.yml"><img src="https://github.com/sethdford/shipwright/actions/workflows/shipwright-pipeline.yml/badge.svg" alt="Pipeline"></a>
   <img src="https://img.shields.io/badge/tests-103_suites_passing-4ade80?style=flat-square" alt="103 suites">
-  <img src="https://img.shields.io/badge/version-2.3.0-00d4ff?style=flat-square" alt="v2.3.0">
+  <img src="https://img.shields.io/badge/version-2.4.0-00d4ff?style=flat-square" alt="v2.4.0">
   <img src="https://img.shields.io/badge/license-MIT-green?style=flat-square" alt="MIT License">
   <img src="https://img.shields.io/badge/bash-3.2%2B-7c3aed?style=flat-square" alt="Bash 3.2+">
 </p>
@@ -23,7 +23,8 @@
 ## Table of Contents
 
 - [Shipwright Builds Itself](#shipwright-builds-itself)
-- [What's New in v2.3.0](#whats-new-in-v230)
+- [Code Factory Pattern](#code-factory-pattern)
+- [What's New in v2.4.0](#whats-new-in-v240)
 - [How It Works](#how-it-works)
 - [Install](#install)
 - [Quick Start](#quick-start)
@@ -46,18 +47,77 @@ This repo uses Shipwright to process its own issues. Label a GitHub issue with `
 
 ---
 
-## What's New in v2.3.0
+## Code Factory Pattern
 
-**Docs & platform polish** — doc-fleet, shared libs, policy schema, release infra:
+Shipwright implements the complete **Code Factory** control-plane pattern — where agents write 100% of the code and the repo enforces deterministic, risk-aware checks before every merge. Every decision is traceable to policy. Every merge is backed by machine-verifiable evidence.
 
-- **Doc-fleet** — Five Cursor agents (doc-architect, claude-md, strategy-curator, pattern-writer, readme-optimizer) keep docs, strategy, and README in sync
-- **Pipeline lib split** — `scripts/lib/pipeline-quality.sh`, `daemon-health.sh`, `policy.sh` for reuse and tests
-- **Policy schema** — `config/policy.json` and `docs/config-policy.md` for hygiene, quality, and platform rules
-- **Release infra** — npm, GitHub Releases (darwin/linux/windows), Homebrew tap; `scripts/build-release.sh` and `.github/workflows/release.yml` ship all platforms
+```
+Agent writes code → Risk policy gate → Tier-appropriate CI → Code review agent
+→ Findings auto-remediated → SHA-validated evidence → Bot threads cleaned → Merge
+→ Incidents feed back into harness coverage
+```
+
+### What makes Shipwright best-in-class
+
+| Code Factory Layer     | Shipwright Implementation                                                                               |
+| ---------------------- | ------------------------------------------------------------------------------------------------------- |
+| **Single contract**    | `config/policy.json` — risk tiers, merge policy, docs drift, evidence specs, harness SLAs in one file   |
+| **Preflight gate**     | `risk-policy-gate.yml` classifies risk from changed files before expensive CI runs                      |
+| **SHA discipline**     | All checks, reviews, and approvals validated against current PR head — stale evidence is never trusted  |
+| **Rerun writer**       | `sw-review-rerun.sh` — SHA-deduped, single canonical writer, no duplicate bot comments                  |
+| **Remediation loop**   | `review-remediation.yml` — agent reads findings, patches code, validates, pushes fix to same branch     |
+| **Bot thread cleanup** | `auto-resolve-threads.yml` — resolves bot-only threads after clean rerun, never touches human threads   |
+| **Evidence framework** | `sw-evidence.sh` — browser, API, database, CLI, webhook, and custom evidence with freshness enforcement |
+| **Harness-gap loop**   | `shipwright incident gap` — every regression creates a test case with SLA tracking                      |
+
+### Beyond the baseline
+
+Shipwright extends the Code Factory pattern with capabilities most implementations don't have:
+
+- **12-stage pipeline** with self-healing builds, adversarial review, and compound quality gates
+- **Predictive risk scoring** using GitHub signals (security alerts, contributor expertise, file churn)
+- **Persistent memory** — failure patterns, fix effectiveness, and prediction accuracy compound over time
+- **18 autonomous agents** with specialized roles (PM, reviewer, security auditor, test generator, etc.)
+- **Fleet operations** — the Code Factory pattern applied across every repo in your org
+- **Cost intelligence** — per-pipeline cost tracking, budget enforcement, adaptive model routing
+- **Self-optimization** — DORA metrics analysis auto-tunes daemon config and template weights
+
+```bash
+# Evidence framework — capture and verify all types
+npm run harness:evidence:capture          # All collectors (browser, API, DB, CLI)
+npm run harness:evidence:capture:api      # API endpoints only
+npm run harness:evidence:capture:cli      # CLI commands only
+npm run harness:evidence:capture:database # Database checks only
+npm run harness:evidence:verify           # Verify manifest + freshness
+npm run harness:evidence:pre-pr           # Capture + verify in one step
+
+# Risk and policy
+npm run harness:risk-tier
+
+# Incident-to-harness loop
+shipwright incident gap list
+shipwright incident gap sla
+```
+
+**[Full Code Factory documentation](https://sethdford.github.io/shipwright/guides/code-factory/)**
+
+---
+
+## What's New in v2.4.0
+
+**Code Factory pattern** — deterministic, risk-aware agent delivery with machine-verifiable evidence:
+
+- **Risk policy gate** — PR-level preflight classifies risk tier from changed files; blocks before expensive CI
+- **SHA discipline** — All evidence validated against current PR head SHA; stale evidence never trusted
+- **Evidence framework** — 6 collector types (browser, API, database, CLI, webhook, custom) with freshness enforcement
+- **Review remediation** — Agent reads review findings, patches code, validates, pushes fix commit in-branch
+- **Auto-resolve bot threads** — Bot-only PR threads cleaned up after clean rerun; human threads untouched
+- **Harness-gap loop** — Every incident creates a test case requirement with SLA tracking (P0: 24h, P1: 72h)
+- **Policy contract v2** — Risk tiers, merge policy, docs drift rules, evidence specs, harness SLAs in one file
 
-**v2.1.2**: AGI-level recruit — `recruit match` / `team` / `route`, cross-system integration, 103 test suites in CI
+**v2.3.1**: Autonomous feedback loops, testing foundation, chaos resilience
 
-**v2.1.0**: tmux visual overhaul — role-colored borders, pipeline status widgets, active pane depth
+**v2.3.0**: Fleet Command completeness overhaul + autonomous team oversight
 
 **v2.0.0**: 18 autonomous agents, 100+ CLI commands, intelligence layer, multi-repo fleet, local mode
 
@@ -408,16 +468,18 @@ shipwright templates list
 
 ## Configuration
 
-| File                          | Purpose                                            |
-| ----------------------------- | -------------------------------------------------- |
-| `.claude/daemon-config.json`  | Daemon settings, intelligence flags, patrol config |
-| `.claude/pipeline-state.md`   | Current pipeline state                             |
-| `templates/pipelines/*.json`  | 8 pipeline template definitions                    |
-| `tmux/templates/*.json`       | 24 team composition templates                      |
-| `~/.shipwright/events.jsonl`  | Event log for metrics                              |
-| `~/.shipwright/costs.json`    | Cost tracking data                                 |
-| `~/.shipwright/budget.json`   | Budget limits                                      |
-| `~/.shipwright/github-cache/` | Cached GitHub API responses                        |
+| File                          | Purpose                                                                                     |
+| ----------------------------- | ------------------------------------------------------------------------------------------- |
+| `config/policy.json`          | **Central contract** — risk tiers, merge policy, docs drift, browser evidence, harness SLAs |
+| `config/policy.schema.json`   | JSON Schema validation for the policy contract                                              |
+| `.claude/daemon-config.json`  | Daemon settings, intelligence flags, patrol config                                          |
+| `.claude/pipeline-state.md`   | Current pipeline state                                                                      |
+| `templates/pipelines/*.json`  | 8 pipeline template definitions                                                             |
+| `tmux/templates/*.json`       | 24 team composition templates                                                               |
+| `~/.shipwright/events.jsonl`  | Event log for metrics                                                                       |
+| `~/.shipwright/costs.json`    | Cost tracking data                                                                          |
+| `~/.shipwright/budget.json`   | Budget limits                                                                               |
+| `~/.shipwright/github-cache/` | Cached GitHub API responses                                                                 |
 
 ## Prerequisites
 

package/config/policy.json

@@ -1,7 +1,165 @@
 {
   "$schema": "https://shipwright.dev/schemas/policy-v1.json",
-  "description": "Central policy for Shipwright — timeouts, limits, thresholds. Prefer adaptive/learned overrides when available.",
-  "version": "1",
+  "description": "Central policy for Shipwright — timeouts, limits, thresholds, risk tiers, merge gates. Single source of truth for the Code Factory pattern.",
+  "version": "2",
+  "riskTierRules": {
+    "critical": [
+      "config/policy.json",
+      "config/policy.schema.json",
+      ".github/workflows/**",
+      ".claude/hooks/**",
+      "scripts/lib/policy.sh"
+    ],
+    "high": [
+      "scripts/sw-pipeline.sh",
+      "scripts/sw-daemon.sh",
+      "scripts/sw-pr-lifecycle.sh",
+      "scripts/sw-incident.sh",
+      "scripts/sw-security-audit.sh",
+      "scripts/sw-github-checks.sh",
+      "scripts/sw-github-graphql.sh",
+      "scripts/sw-github-deploy.sh",
+      "scripts/lib/pipeline-stages.sh",
+      "scripts/lib/pipeline-quality.sh",
+      "dashboard/server.ts"
+    ],
+    "medium": [
+      "scripts/sw-*.sh",
+      "scripts/lib/*.sh",
+      "dashboard/**",
+      "templates/pipelines/**"
+    ],
+    "low": ["docs/**", "website/**", "**/*.md", "**"]
+  },
+  "mergePolicy": {
+    "critical": {
+      "requiredChecks": [
+        "risk-policy-gate",
+        "tests",
+        "e2e-smoke",
+        "platform-health",
+        "code-review-agent"
+      ],
+      "requiredReviewers": 1,
+      "requiredEvidence": ["cli", "api"],
+      "requireDocsDriftCheck": true
+    },
+    "high": {
+      "requiredChecks": [
+        "risk-policy-gate",
+        "tests",
+        "e2e-smoke",
+        "code-review-agent"
+      ],
+      "requiredReviewers": 0,
+      "requiredEvidence": ["cli"],
+      "requireDocsDriftCheck": false
+    },
+    "medium": {
+      "requiredChecks": ["risk-policy-gate", "tests"],
+      "requiredReviewers": 0,
+      "requiredEvidence": [],
+      "requireDocsDriftCheck": false
+    },
+    "low": {
+      "requiredChecks": ["risk-policy-gate"],
+      "requiredReviewers": 0,
+      "requiredEvidence": [],
+      "requireDocsDriftCheck": false
+    }
+  },
+  "docsDriftRules": {
+    "trackedPairs": [
+      {
+        "source": "config/policy.json",
+        "docs": ["docs/config-policy.md", "README.md"]
+      },
+      {
+        "source": ".github/workflows/**",
+        "docs": ["docs/config-policy.md"]
+      },
+      {
+        "source": "scripts/sw-pipeline.sh",
+        "docs": ["website/src/content/docs/guides/pipeline.mdx"]
+      }
+    ],
+    "failOnDrift": false,
+    "warnOnDrift": true
+  },
+  "evidence": {
+    "artifactMaxAgeMinutes": 30,
+    "requireFreshArtifacts": true,
+    "collectors": [
+      {
+        "name": "dashboard-loads",
+        "type": "browser",
+        "entrypoint": "/",
+        "baseUrl": "http://localhost:3000",
+        "assertions": ["page-title-visible", "websocket-connected"]
+      },
+      {
+        "name": "pipeline-status",
+        "type": "browser",
+        "entrypoint": "/pipeline",
+        "baseUrl": "http://localhost:3000",
+        "assertions": ["stage-list-rendered", "progress-indicator-visible"]
+      },
+      {
+        "name": "dashboard-api-health",
+        "type": "api",
+        "method": "GET",
+        "url": "http://localhost:3000/api/health",
+        "expectedStatus": 200,
+        "assertions": ["status-ok", "response-has-version"]
+      },
+      {
+        "name": "dashboard-ws-connect",
+        "type": "api",
+        "method": "GET",
+        "url": "http://localhost:3000/api/ws-status",
+        "expectedStatus": 200,
+        "assertions": ["websocket-active"]
+      },
+      {
+        "name": "pipeline-cli-smoke",
+        "type": "cli",
+        "command": "bash scripts/sw-pipeline.sh status --json",
+        "expectedExitCode": 0,
+        "assertions": ["valid-json-output", "has-pipeline-state"]
+      },
+      {
+        "name": "policy-validation",
+        "type": "cli",
+        "command": "jq empty config/policy.json",
+        "expectedExitCode": 0,
+        "assertions": ["valid-json"]
+      },
+      {
+        "name": "db-schema-integrity",
+        "type": "database",
+        "command": "bash scripts/sw-db.sh check",
+        "expectedExitCode": 0,
+        "assertions": ["schema-valid", "migrations-current"]
+      }
+    ]
+  },
+  "harnessGapPolicy": {
+    "enabled": true,
+    "p0SlaHours": 24,
+    "p1SlaHours": 72,
+    "p2SlaHours": 168,
+    "autoCreateGapIssue": true,
+    "requireTestCaseBeforeClose": true
+  },
+  "codeReviewAgent": {
+    "provider": "internal",
+    "rerunMarker": "<!-- shipwright-review-rerun -->",
+    "timeoutMinutes": 20,
+    "treatVulnerabilityLanguageAsActionable": true,
+    "treatWeakConfidenceAsActionable": true,
+    "autoResolveBotsOnlyThreads": true,
+    "neverAutoResolveHumanThreads": true
+  },
   "daemon": {
     "poll_interval_seconds": 60,
     "health_heartbeat_timeout": 120,

package/config/policy.schema.json

@@ -1,13 +1,174 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "title": "Shipwright Policy",
-  "description": "Central policy for Shipwright — timeouts, limits, thresholds. Validated by CI platform-health workflow.",
+  "description": "Central policy for Shipwright — timeouts, limits, thresholds, risk tiers, merge gates. Single source of truth for the Code Factory pattern.",
   "type": "object",
   "required": ["version"],
   "properties": {
     "$schema": { "type": "string" },
     "description": { "type": "string" },
     "version": { "type": "string" },
+    "riskTierRules": {
+      "type": "object",
+      "description": "Path-based risk classification. Tiers: critical, high, medium, low. Glob patterns matched against changed files.",
+      "properties": {
+        "critical": { "type": "array", "items": { "type": "string" } },
+        "high": { "type": "array", "items": { "type": "string" } },
+        "medium": { "type": "array", "items": { "type": "string" } },
+        "low": { "type": "array", "items": { "type": "string" } }
+      },
+      "additionalProperties": false
+    },
+    "mergePolicy": {
+      "type": "object",
+      "description": "Required checks and evidence by risk tier before merge is allowed.",
+      "additionalProperties": {
+        "type": "object",
+        "properties": {
+          "requiredChecks": { "type": "array", "items": { "type": "string" } },
+          "requiredReviewers": { "type": "integer", "minimum": 0 },
+          "requiredEvidence": {
+            "type": "array",
+            "items": {
+              "type": "string",
+              "enum": ["browser", "api", "database", "cli", "webhook", "custom"]
+            },
+            "description": "Evidence types required before merge for this tier"
+          },
+          "requireDocsDriftCheck": { "type": "boolean" }
+        },
+        "additionalProperties": false
+      }
+    },
+    "docsDriftRules": {
+      "type": "object",
+      "description": "Detect when control-plane files change without corresponding doc updates.",
+      "properties": {
+        "trackedPairs": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "source": { "type": "string" },
+              "docs": { "type": "array", "items": { "type": "string" } }
+            },
+            "required": ["source", "docs"]
+          }
+        },
+        "failOnDrift": { "type": "boolean" },
+        "warnOnDrift": { "type": "boolean" }
+      },
+      "additionalProperties": false
+    },
+    "evidence": {
+      "type": "object",
+      "description": "Evidence framework — machine-verifiable proof for browser, API, database, CLI, and webhook changes. Each collector defines a type-specific verification strategy.",
+      "properties": {
+        "artifactMaxAgeMinutes": { "type": "integer", "minimum": 1 },
+        "requireFreshArtifacts": { "type": "boolean" },
+        "collectors": {
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "name": {
+                "type": "string",
+                "description": "Unique name for this evidence collector"
+              },
+              "type": {
+                "type": "string",
+                "enum": [
+                  "browser",
+                  "api",
+                  "database",
+                  "cli",
+                  "webhook",
+                  "custom"
+                ],
+                "description": "Evidence type: browser (HTTP page load), api (REST/GraphQL endpoint), database (schema/migration check), cli (command execution), webhook (callback verification), custom (user-defined script)"
+              },
+              "entrypoint": {
+                "type": "string",
+                "description": "URL path for browser evidence"
+              },
+              "baseUrl": {
+                "type": "string",
+                "description": "Base URL for browser/api evidence"
+              },
+              "url": {
+                "type": "string",
+                "description": "Full URL for api evidence"
+              },
+              "method": {
+                "type": "string",
+                "enum": ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD"],
+                "description": "HTTP method for api evidence"
+              },
+              "command": {
+                "type": "string",
+                "description": "Shell command for cli/database evidence"
+              },
+              "expectedStatus": {
+                "type": "integer",
+                "description": "Expected HTTP status code for api evidence"
+              },
+              "expectedExitCode": {
+                "type": "integer",
+                "description": "Expected exit code for cli/database evidence"
+              },
+              "headers": {
+                "type": "object",
+                "additionalProperties": { "type": "string" },
+                "description": "HTTP headers for api evidence"
+              },
+              "body": {
+                "type": "string",
+                "description": "Request body for api evidence"
+              },
+              "assertions": {
+                "type": "array",
+                "items": { "type": "string" },
+                "description": "Named assertions to validate"
+              },
+              "timeout": {
+                "type": "integer",
+                "minimum": 1,
+                "description": "Timeout in seconds for this collector"
+              }
+            },
+            "required": ["name", "type", "assertions"]
+          }
+        }
+      },
+      "additionalProperties": false
+    },
+    "harnessGapPolicy": {
+      "type": "object",
+      "description": "Incident-to-harness loop: every regression must produce a test case within SLA.",
+      "properties": {
+        "enabled": { "type": "boolean" },
+        "p0SlaHours": { "type": "integer", "minimum": 1 },
+        "p1SlaHours": { "type": "integer", "minimum": 1 },
+        "p2SlaHours": { "type": "integer", "minimum": 1 },
+        "autoCreateGapIssue": { "type": "boolean" },
+        "requireTestCaseBeforeClose": { "type": "boolean" }
+      },
+      "additionalProperties": false
+    },
+    "codeReviewAgent": {
+      "type": "object",
+      "description": "Code review agent configuration — provider-agnostic settings for rerun, resolve, and remediation.",
+      "properties": {
+        "provider": { "type": "string" },
+        "rerunMarker": { "type": "string" },
+        "timeoutMinutes": { "type": "integer", "minimum": 1 },
+        "treatVulnerabilityLanguageAsActionable": { "type": "boolean" },
+        "treatWeakConfidenceAsActionable": { "type": "boolean" },
+        "autoResolveBotsOnlyThreads": { "type": "boolean" },
+        "neverAutoResolveHumanThreads": { "type": "boolean" }
+      },
+      "additionalProperties": false
+    },
     "daemon": {
       "type": "object",
       "properties": {

package/dashboard/public/index.html

@@ -733,7 +733,7 @@
 
     <!-- Footer -->
     <footer class="footer">
-      <span>Shipwright Fleet Command v2.3.0</span>
+      <span>Shipwright Fleet Command v2.3.1</span>
       <span>Dashboard refreshes via WebSocket</span>
     </footer>