yadflow 1.0.1

package/bin/sdlc.mjs

@@ -0,0 +1,135 @@
+#!/usr/bin/env node
+// `sdlc` — setup/maintenance + the PR-driven review gate + build helpers for the SDLC module.
+import { VERSION } from '../cli/manifest.mjs';
+import { c, log, closePrompts } from '../cli/lib.mjs';
+import { runSetup } from '../cli/setup.mjs';
+import { reconcile } from '../cli/reconcile.mjs';
+import { gateOpen, gateSync, gateComments, gateStatus, gateCi } from '../cli/gate.mjs';
+import { isValidEpicId } from '../cli/epic-state.mjs';
+import { runCommit } from '../cli/commit.mjs';
+import { runOpenPr } from '../cli/openpr.mjs';
+import { runRepo } from '../cli/repo.mjs';
+
+const HELP = `${c.bold('sdlc')} — setup, review-gate & build helpers for the SDLC Workflow module  ${c.dim('v' + VERSION)}
+
+${c.bold('Setup & maintenance')}
+  sdlc setup            Guided first-run setup (install module, connect & wire repos)
+  sdlc check            Report what is missing / drifted / stale (read-only)
+  sdlc check --fix      Reconcile: fill what is missing, update what changed
+  sdlc update           Apply drift only (alias for: check --fix --scope=changed)
+
+${c.bold('Review gate (front half)')}
+  sdlc gate open <epic> <artifact>      Open the review PR/MR; mark the step in_review
+  sdlc gate sync <epic> [artifact]      Pull PR state -> ledger; advance on approved+resolved+merged
+  sdlc gate comments <epic> [artifact]  Fetch unresolved review comments to address
+  sdlc gate status <epic>               Show each review step + approvals
+  sdlc gate ci [--branch <head>] [--pr <n>]
+                        CI entry (hub workflow): derive epic/artifact from the review branch,
+                        sync, commit the ledger to the default branch (sweep all PRs if no --branch)
+
+${c.bold('Build helpers')}
+  sdlc commit --type <t> -m <subject>   Commit by convention (trailers, atomic guard)
+  sdlc open-pr [--repo <name>]          Open a code-repo task PR/MR from the template
+  sdlc repo list                        Show connected repos (fresh / stale)
+  sdlc repo refresh [name]              Re-pack a stale repo (a human decision)
+
+${c.bold('Options')}
+  --dir <path>          Target project root (default: cwd)
+  --type <t>            commit: feat|fix|docs|refactor|test|perf|build|ci|chore|revert
+  -m, --message <s>     commit: subject / PR title
+  --task <id>           commit: Task trailer (else derived from the branch)
+  --ai <id>             commit: co-author — claude|copilot|cursor|coderabbit|none (default none)
+  --contract-change     commit/open-pr: mark the contract surface touched
+  --risk <level>        open-pr: low|medium|high (default low)
+  --repo <name>         open-pr: target a registered repo by name
+  --dry-run             commit: print the message, do not commit
+  --force               commit: bypass the atomic-file guard / re-copy unchanged files
+  --branch <head>       gate ci: the review PR/MR head branch (review/EP-<slug>/<artifact>)
+  --pr <n>              gate ci: the PR/MR number from the CI event
+  --no-push             gate ci: commit the ledger but do not push
+  -h, --help            Show this help
+  -v, --version         Print version`;
+
+const VALUE_FLAGS = new Set(['--dir', '--type', '--message', '--task', '--ai', '--risk', '--repo', '--platform', '--base', '--title', '--scope', '--branch', '--pr']);
+
+function parseArgs(argv) {
+  const o = { _: [], dir: process.cwd(), fix: false, force: false, scope: 'all' };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === '--fix') o.fix = true;
+    else if (a === '--force') o.force = true;
+    else if (a === '--contract-change') o.contractChange = true;
+    else if (a === '--no-push') o.noPush = true;
+    else if (a === '--dry-run') o.dryRun = true;
+    else if (a === '-h' || a === '--help') o.help = true;
+    else if (a === '-v' || a === '--version') o.version = true;
+    else if (a.startsWith('--scope=')) o.scope = a.slice('--scope='.length);
+    else if (a === '-m' || a === '--message') o.message = takeValue(argv, ++i, a);
+    else if (VALUE_FLAGS.has(a)) o[a.replace(/^--/, '')] = takeValue(argv, ++i, a);
+    else o._.push(a);
+  }
+  return o;
+}
+
+// A value flag must be followed by a token; erroring beats silently passing `undefined` downstream.
+function takeValue(argv, i, flag) {
+  const v = argv[i];
+  if (v === undefined || v.startsWith('-')) throw new Error(`${flag} expects a value`);
+  return v;
+}
+
+async function main() {
+  const o = parseArgs(process.argv.slice(2));
+  const cmd = o._[0];
+  if (o.version) return log(VERSION);
+  if (o.help || !cmd) return log(HELP);
+
+  const today = new Date().toISOString().slice(0, 10);
+  switch (cmd) {
+    case 'setup':
+      await runSetup(o.dir, { today, force: o.force });
+      break;
+    case 'check':
+      await reconcile(o.dir, { fix: o.fix, scope: o.scope, force: o.force, today });
+      break;
+    case 'update':
+      await reconcile(o.dir, { fix: true, scope: 'changed', force: o.force, today });
+      break;
+    case 'gate': {
+      const [, action, epic, artifact] = o._;
+      // `gate ci` takes no positionals — epic/artifact come from --branch (or a sweep of all PRs).
+      if (action === 'ci') { await gateCi(o.dir, { branch: o.branch, pr: o.pr, push: !o.noPush, today }); break; }
+      if (!epic) { log(c.red('usage: sdlc gate <open|sync|comments|status|ci> <epic> [artifact]')); process.exitCode = 1; break; }
+      // The epic id becomes a path segment under epics/ — reject anything but EP-<slug> outright.
+      if (!isValidEpicId(epic)) { log(c.red(`invalid epic id: ${epic} (expected EP-<slug>, [a-z0-9-] only)`)); process.exitCode = 1; break; }
+      if (action === 'open') await gateOpen(o.dir, { epic, artifact, today });
+      else if (action === 'sync') await gateSync(o.dir, { epic, artifact, today });
+      else if (action === 'comments') await gateComments(o.dir, { epic, artifact, today });
+      else if (action === 'status') await gateStatus(o.dir, { epic });
+      else { log(c.red(`unknown gate action: ${action} (open|sync|comments|status|ci)`)); process.exitCode = 1; }
+      break;
+    }
+    case 'commit':
+      await runCommit(o.dir, { type: o.type, message: o.message, task: o.task, ai: o.ai, contractChange: o.contractChange, dryRun: o.dryRun, force: o.force });
+      break;
+    case 'open-pr':
+      await runOpenPr(o.dir, { repo: o.repo, platform: o.platform, base: o.base, title: o.title || o.message, task: o.task, risk: o.risk, contractChange: o.contractChange });
+      break;
+    case 'repo': {
+      const [, action, name] = o._;
+      await runRepo(o.dir, { action: action || 'list', name, today });
+      break;
+    }
+    default:
+      log(c.red(`unknown command: ${cmd}`));
+      log(HELP);
+      process.exitCode = 1;
+  }
+}
+
+main()
+  .catch((err) => {
+    log(c.red(`\nsdlc failed: ${err?.message || err}`));
+    process.exitCode = 1;
+  })
+  .finally(closePrompts);

package/cli/commit.mjs

@@ -0,0 +1,81 @@
+// `sdlc commit` — commit by the SDLC conventions (CONTRIBUTING.md / config.yaml build).
+// Subject is Conventional Commits; trailers are emitted in the fixed order
+// Task -> Contract-Change -> Co-Authored-By. The human git author OWNS the commit; the AI is only a
+// co-author (flagged with --ai, or `none` for human-only). An atomic-commit guard keeps diffs small.
+import path from 'node:path';
+import fs from 'node:fs';
+import { c, log, ok, info, warn, fail, run, exists } from './lib.mjs';
+import {
+  COMMIT_TYPES, AI_COAUTHORS, ATOMIC_FILE_LIMIT,
+  TASK_TRAILER, CONTRACT_CHANGE_TRAILER, COAUTHOR_TRAILER,
+} from './manifest.mjs';
+
+// PURE — unit tested directly. Build the full commit message text.
+export function buildCommitMessage({ type, subject, task, contractChange = false, ai = 'none', body = '' }) {
+  if (!COMMIT_TYPES.includes(type)) throw new Error(`invalid commit type "${type}" (one of: ${COMMIT_TYPES.join(', ')})`);
+  if (!subject || !subject.trim()) throw new Error('commit subject is required');
+  if (!(ai in AI_COAUTHORS)) throw new Error(`unknown --ai "${ai}" (one of: ${Object.keys(AI_COAUTHORS).join(', ')})`);
+  if (/\.$/.test(subject.trim())) throw new Error('subject must not end with a period');
+
+  const trailers = [];
+  if (task) trailers.push(`${TASK_TRAILER}: ${task}`);
+  if (contractChange) trailers.push(`${CONTRACT_CHANGE_TRAILER}: yes`);
+  const co = AI_COAUTHORS[ai];
+  if (co) trailers.push(`${COAUTHOR_TRAILER}: ${co.name} <${co.email}>`);
+
+  const parts = [`${type}: ${subject.trim()}`];
+  if (body?.trim()) parts.push('', body.trim());
+  if (trailers.length) parts.push('', trailers.join('\n'));
+  return parts.join('\n');
+}
+
+// feat/EP-istifta-inquiries-S01-T01-create-inquiry -> EP-istifta-inquiries-S01-T01
+export function taskFromBranch(branch = '') {
+  const m = branch.match(/(.+-S\d+-T\d+)(?:-|$)/i);
+  return m ? m[1].replace(/^[a-z]+\//i, '') : null;
+}
+
+export async function runCommit(root, opts = {}) {
+  log(c.bold('\nsdlc commit'));
+  if (!exists(path.join(root, '.git'))) { fail('not a git repo'); process.exitCode = 1; return; }
+
+  const staged = run('git', ['diff', '--cached', '--name-only'], { cwd: root }).stdout.split('\n').filter(Boolean);
+  if (!staged.length) { fail('nothing staged — `git add` your atomic change first'); process.exitCode = 1; return; }
+
+  if (staged.length > ATOMIC_FILE_LIMIT && !opts.force) {
+    warn(`${staged.length} files staged (atomic guard: ≤${ATOMIC_FILE_LIMIT}). Split the change, or pass --force.`);
+    for (const f of staged) info(f);
+    process.exitCode = 1;
+    return;
+  }
+
+  const branch = run('git', ['rev-parse', '--abbrev-ref', 'HEAD'], { cwd: root }).stdout;
+  const task = opts.task || taskFromBranch(branch);
+  if (!task) warn('no Task trailer (none given and branch has no -S0N-T0N) — spec-link gate will fail on a code repo');
+
+  let message;
+  try {
+    message = buildCommitMessage({
+      type: opts.type, subject: opts.message, task,
+      contractChange: !!opts.contractChange, ai: opts.ai || 'none',
+    });
+  } catch (e) { fail(e.message); process.exitCode = 1; return; }
+
+  if (opts.dryRun) { log('\n' + c.dim(message) + '\n'); info('dry run — not committed'); return { message }; }
+
+  const r = run('git', ['commit', '-m', message], { cwd: root });
+  if (!r.ok) { fail(`git commit failed — ${r.stderr.split('\n')[0] || r.code}`); process.exitCode = 1; return { message }; }
+  ok(`committed ${staged.length} file(s)${task ? ` for ${task}` : ''}`);
+  if (opts.contractChange) warn('Contract-Change: yes — this routes back to the architecture gate');
+  return { message };
+}
+
+// installed by sdlc-implement, but offer it here too for convenience.
+export function ensureGitMessage(repoRoot, templateSrc) {
+  const dest = path.join(repoRoot, '.gitmessage');
+  if (exists(dest)) return false;
+  if (!templateSrc || !exists(templateSrc)) return false;
+  fs.copyFileSync(templateSrc, dest);
+  run('git', ['config', 'commit.template', '.gitmessage'], { cwd: repoRoot });
+  return true;
+}

package/cli/epic-state.mjs

@@ -0,0 +1,220 @@
+// Per-epic file ledger + the gate predicate. The file ledger (epics/<epic>/.sdlc/*.json) is the
+// source of truth; the platform PR/MR is only an input path. Everything here is pure / filesystem —
+// no gh/glab — so the predicate is unit-testable without a network. Node built-ins only.
+import path from 'node:path';
+import { createHash } from 'node:crypto';
+import fs from 'node:fs';
+import { readJSONStrict, writeJSON, fileSha } from './lib.mjs';
+import { epicFiles } from './manifest.mjs';
+
+const RISK_ESCALATORS = ['contract', 'auth', 'payments'];
+
+// Epic ids are EP-<slug> with [a-z0-9-] only — anything else (uppercase, dots, slashes) is
+// rejected before it can become a path segment under epics/.
+export const isValidEpicId = (epic) => /^EP-[a-z0-9-]+$/.test(epic || '');
+
+export const epicRoot = (root, epic) => path.join(root, 'epics', epic);
+
+// epic.md -> "epic"; architecture.md -> "architecture"; stories/ -> "stories";
+// stories/EP-x-S01.md -> "stories-S01".
+export function artifactBase(artifact) {
+  const a = artifact.replace(/\/$/, '');
+  if (a === 'stories' || a === 'stories/') return 'stories';
+  const m = a.match(/stories\/.*?(S\d+)\.md$/i);
+  if (m) return `stories-${m[1]}`;
+  return path.basename(a).replace(/\.md$/, '');
+}
+
+// `review/EP-<slug>/<artifact-base>` -> { epic, base } — the branch convention `gate open` creates.
+// Null for any other branch: the guard CI uses to no-op on non-review branches.
+export function parseReviewBranch(branch = '') {
+  const m = branch.match(/^review\/(EP-[a-z0-9-]+)\/(.+)$/);
+  return m ? { epic: m[1], base: m[2] } : null;
+}
+
+// The reverse of artifactBase: an artifact-base back to the ledger's artifact path. A single-story
+// base (stories-S01) still maps to stories/ — the stories gate is ONE step over the whole set
+// (storiesHash fingerprints the directory), so any story branch syncs the same review step.
+export function artifactFromBase(base) {
+  if (base === 'stories' || /^stories-S\d+$/i.test(base)) return 'stories/';
+  return `${base}.md`;
+}
+
+// The files (relative to the epic dir) a review of this artifact covers — what `gate open` commits
+// on the review branch, and what the CI overlay checks out from the head ref (and never commits).
+// Architecture mirrors artifactHash(): the approval is bound to the locked contract surface too.
+export function artifactPaths(base) {
+  if (base === 'architecture') return ['architecture.md', 'contract.md', '.sdlc/contract-lock.json'];
+  if (base === 'stories') return ['stories'];
+  return [`${base}.md`];
+}
+
+// Replace-not-append upsert into hub-prs.json, keyed by artifact (one live review PR per artifact).
+export function upsertHubPr(hubPrs = [], rec) {
+  return [...hubPrs.filter((p) => p.artifact !== rec.artifact), rec];
+}
+
+// SHA-256 of the contract surface block (architecture only). Mirrors
+// sdlc-author-architecture/references/contract-format.md (awk markers + sha256).
+// Line endings are normalized to LF so the same surface hashes identically across
+// platforms (a CRLF re-save must not revoke approvals). A BEGIN without an END is
+// malformed and yields null — never a silent hash of everything to end-of-file.
+export function contractSurfaceHash(epicDir) {
+  const file = path.join(epicDir, 'contract.md');
+  if (!fs.existsSync(file)) return null;
+  const lines = fs.readFileSync(file, 'utf8').replace(/\r\n/g, '\n').split('\n');
+  let inside = false;
+  let terminated = true;
+  const body = [];
+  for (const ln of lines) {
+    if (/CONTRACT-SURFACE:BEGIN/.test(ln)) { inside = true; terminated = false; continue; }
+    if (/CONTRACT-SURFACE:END/.test(ln)) { inside = false; terminated = true; continue; }
+    if (inside) body.push(ln);
+  }
+  if (!terminated || !body.length) return null;
+  return 'sha256:' + createHash('sha256').update(body.join('\n')).digest('hex');
+}
+
+// Deterministic fingerprint of the whole stories/ set: hash each story file, sort, combine. Lets an
+// edit to any story revoke prior stories-review approvals (the escalated, per-repo gate).
+export function storiesHash(epicDir) {
+  const dir = path.join(epicDir, 'stories');
+  if (!fs.existsSync(dir)) return null;
+  const parts = fs.readdirSync(dir).filter((f) => f.endsWith('.md')).sort()
+    .map((f) => `${f}:${fileSha(path.join(dir, f))}`);
+  if (!parts.length) return null;
+  return 'sha256:' + createHash('sha256').update(parts.join('\n')).digest('hex');
+}
+
+// The content fingerprint an approval is bound to. For architecture the fingerprint is the locked
+// contract surface (a re-lock => stale); for stories it is the whole stories/ set; for every other
+// artifact it is the file's bytes.
+export function artifactHash(epicDir, artifact) {
+  const b = artifactBase(artifact);
+  if (b === 'architecture') return contractSurfaceHash(epicDir);
+  if (b === 'stories') return storiesHash(epicDir);
+  return fileSha(path.join(epicDir, artifact.replace(/\/$/, '')));
+}
+
+// Shape checks for the ledger files. Fail fast with the exact file named — a wrong-shape ledger
+// silently treated as a default would be rewritten by the next sync, destroying the real data.
+const badShape = (file, what) => new Error(`${file}: ${what} — fix the file or restore it from git`);
+function requireArray(v, file) {
+  if (!Array.isArray(v)) throw badShape(file, 'expected a JSON array');
+  return v;
+}
+function validateState(state, file) {
+  if (state === null) return null; // missing state.json = epic not seeded yet, a normal state
+  if (typeof state !== 'object' || Array.isArray(state)) throw badShape(file, 'expected a JSON object');
+  if (!Array.isArray(state.steps) || !state.steps.length) throw badShape(file, 'expected a non-empty `steps` array');
+  for (const s of state.steps) {
+    if (!s || typeof s.id !== 'string' || typeof s.type !== 'string' || typeof s.status !== 'string') {
+      throw badShape(file, 'every step needs string `id`, `type` and `status`');
+    }
+  }
+  if (typeof state.currentStep !== 'string') throw badShape(file, 'expected a string `currentStep`');
+  return state;
+}
+
+export function loadLedger(epicDir) {
+  const f = epicFiles(epicDir);
+  return {
+    files: f,
+    state: validateState(readJSONStrict(f.state, null), f.state),
+    approvals: requireArray(readJSONStrict(f.approvals, []), f.approvals),
+    comments: requireArray(readJSONStrict(f.comments, []), f.comments),
+    hubPrs: requireArray(readJSONStrict(f.hubPrs, []), f.hubPrs),
+    contractLock: readJSONStrict(f.contractLock, null),
+  };
+}
+
+// The review+approve step for an artifact (or the current step if it is a review step).
+export function findReviewStep(state, artifact) {
+  if (!state?.steps) return null;
+  const base = artifactBase(artifact);
+  return state.steps.find(
+    (s) => s.type === 'review+approve' && artifactBase(s.artifact) === base,
+  ) || null;
+}
+
+export const isEscalated = (step) =>
+  (step?.risk_tags || []).some((t) => RISK_ESCALATORS.includes(t)) || step?.id === 'stories-review';
+
+const uniqueBy = (arr, key) => {
+  const seen = new Set();
+  return arr.filter((x) => (seen.has(x[key]) ? false : seen.add(x[key])));
+};
+
+// PURE gate predicate. Given the step, its approvals, the current content hash, the PR thread/merge
+// state and the touched domains, decide whether the gate passes — and exactly what is missing.
+// `currentHash` drops any approval bound to a different hash (revoke-on-change). `merged` /
+// `threadsResolved` come from the platform; with no bridge they default to the "advance" intent.
+export function gatePredicate({
+  step,
+  approvals,
+  currentHash = null,
+  touchedDomains = [],
+  defaultReviewers = 1,
+  threadsResolved = true,
+  merged = true,
+}) {
+  const forStep = approvals.filter((a) => a.step === step.id && a.status === 'approved');
+  // Revoke-on-change: an approval bound to a stale content hash no longer counts.
+  const stale = forStep.filter((a) => a.artifactHash && currentHash && a.artifactHash !== currentHash);
+  const live = forStep.filter((a) => !stale.includes(a));
+
+  const owners = uniqueBy(live.filter((a) => a.role === 'owner'), 'approver');
+  const reviewers = uniqueBy(live.filter((a) => a.role === 'reviewer'), 'approver');
+  const domainOwners = live.filter((a) => a.role === 'domain-owner');
+
+  const missing = [];
+  if (owners.length < 1) missing.push('1 owner approval');
+  if (reviewers.length < defaultReviewers) {
+    missing.push(`${defaultReviewers - reviewers.length} reviewer approval(s)`);
+  }
+  const escalate = isEscalated(step);
+  if (escalate) {
+    for (const d of touchedDomains) {
+      if (!domainOwners.some((a) => a.domain === d)) missing.push(`domain-owner for ${d}`);
+    }
+  }
+  const approvalsSatisfied = missing.length === 0;
+  if (stale.length) missing.unshift(`${stale.length} approval(s) revoked — artifact changed; re-approve`);
+  if (!threadsResolved) missing.push('unresolved review comments');
+  if (!merged) missing.push('review PR/MR not merged');
+
+  return {
+    approvalsSatisfied,
+    threadsResolved,
+    merged,
+    staleDropped: stale.length,
+    passed: approvalsSatisfied && threadsResolved && merged,
+    missing,
+    rule: escalate ? (step.id === 'stories-review' ? 'per-repo' : 'escalated') : 'base',
+  };
+}
+
+// Advance the step in state.json once the predicate passes. Mirrors sdlc-review-gate Step 3:
+// mark this review step done, unblock the next step, or set `ready-for-build` for the last one.
+export function advanceState(state, step) {
+  const i = state.steps.findIndex((s) => s.id === step.id);
+  state.steps[i] = { ...state.steps[i], status: 'done' };
+  const next = state.steps[i + 1];
+  if (next) {
+    next.status = next.type === 'review+approve' ? 'in_review' : 'in_progress';
+    state.currentStep = next.id;
+  } else {
+    state.currentStep = 'ready-for-build';
+  }
+  return state;
+}
+
+// Mark a step in-review (idempotent) and point currentStep at it.
+export function markInReview(state, step) {
+  const i = state.steps.findIndex((s) => s.id === step.id);
+  if (state.steps[i].status !== 'done') state.steps[i].status = 'in_review';
+  state.currentStep = step.id;
+  return state;
+}
+
+export { writeJSON };