build(deps-dev): bump typescript from 5.9.3 to 6.0.3 in /engine #13

Closed
dependabot[bot] wants to merge 174 commits into master from dependabot/npm_and_yarn/engine/typescript-6.0.3

@dependabot dependabot Bot commented on behalf of github May 8, 2026

Bumps typescript from 5.9.3 to 6.0.3.

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0 Beta

For release notes, check out the release announcement.

Downloads are available on:

Commits
  • 050880c Bump version to 6.0.3 and LKG
  • eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
  • ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
  • 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
  • 607a22a Bump version to 6.0.2 and LKG
  • 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
  • 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
  • e175b69 Bump version to 6.0.1-rc and LKG
  • af4caac Update LKG
  • 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
  • Additional commits viewable in compare view

gibbon and others added 30 commits March 28, 2026 18:15
Slidev slide deck for stakeholder presentation covering:
- Problem statement and cost of no enforcement
- The AI Sandwich concept (AI + Determinism + AI)
- Spec-driven generation workflow and YAML spec examples
- Regeneration safety, schema types, and bundle ecosystem
- Competitive comparison, production stats, and commercial model
- Market timing, prior art, and Stage 1 scope

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Merged internal and business decks into slides-business/
- Internal deck (slides/) refocused as internal go/no-go discussion
- Business plan rewritten around end-to-end pipeline (spec → generate → deploy)
- Product framing evolved: individual dev capture/replay → org transformation
- New slides: platform team workflow, developer/PM roles, AI-enabled team structure
- Product architecture: pluggable pipeline integrations (GitHub Actions, GitLab CI)
- Acquisition research with real comps (Astral, Bun, DX, Promptfoo, Windsurf)
- Honest assessment of business options, risks, and open questions
- Removed MCP-first strategy in favour of CLI-native (AI agents call CLIs directly)
- Removed Terraform branding, marketplace assumptions, inflated revenue projections

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New slides-org/ deck focused on org transformation story
  "Smaller Teams. Faster Delivery. Fewer Handoffs."
- Website updated: hero, problem, AI sandwich, how-it-works all reframed
  around coordination overhead and org change
- New /ai-sandwich detail page with patent pending easter egg
- AI Sandwich first layer split into Domain Specs + Template Curation
- Examples changed from Pexa (workspace/compliance) to generic (orders)
- Removed CQRS and DLQ as standalone features throughout
- Business plan updated with target market, input adapters, design loops
- Cloudflare Pages deployment configured (fixedcode-ai)
- Added .gitignore for node_modules, dist, out, env files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ctions

Website:
- Hero: tabbed terminal (AI Agent / CLI / CI Pipeline modes)
- SVG sandwich diagram with hover glow animations
- "Why not just one or the other?" section (AI vs scaffolding vs both)
- AI Sandwich split: Domain Specs + Template Curation as separate activities
- HowItWorks: syntax-highlighted code blocks, icons, role dissolving callout
- Org Change section moved up, rewritten around role blurring
- Proven at Scale section with 6 production stats
- Who It's For section (mid-market regulated, fast-scaling, AI-adopting)
- How It Scales section (individual → team → platform → enterprise)
- Pricing page (/pricing) with 4 tiers: Free, Team ($99), Org ($499), Enterprise
- /ai-sandwich detail page with patent pending easter egg
- Light/dark mode toggle
- Shared SVG icons (Person, Robot, Factory) used across site
- Removed Pexa-specific examples (workspace → orders)
- Removed CQRS/DLQ as standalone features
- Generic task tracker references (not Jira-specific)
- Human interaction lines highlighted in purple in terminal

Slides:
- AI Sandwich first layer split into Domain Specs + Template Curation
- Stats show labels first, numbers reveal on click
- ~3s generation time, 100% CFR compliance

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Code example section now tabbed: Domain Service, AI Agent, Orchestrator
  Same engine, different spec + bundle — demonstrated visually
- Agent spec shows tools, middleware, auth generation
- Orchestrator spec shows 4-agent sequential pipeline generation
- Each tab shows spec input → generated file tree output
- Removed outdated slides/ deck (superseded by slides-org/)
- SchemaTypes: split into Services + AI Infrastructure categories
- Bundles: added agent, MCP server, orchestrator bundles + "Your Pattern" card
- Business plan kept — contains unique strategic content not in slides

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Merged unique slides from slides-business/ into slides-org/:
  Competitive Landscape, What We'd Build, What Gets Acquired
- Deleted slides-business/ — all content now in slides-org/
- Single deck at /slides/ covers everything: org transformation,
  product, market, acquisition context, risks, decision

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Cleanroom rewrite of GAP CLI as a pluggable, spec-driven code
generation engine. TypeScript, Handlebars, Commander, npm bundles.
Addresses review feedback: multi-file generation, error handling,
bundle loading mechanics, config resolution, post-render hooks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
16 tasks across 4 phases: context model design, engine pipeline,
CLI, and end-to-end integration. Context-model-first approach.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix {{../package}} → {{package}} (engine merges flat context)
- Remove broken require() code, use direct ESM import
- Add kebabPlural to NameVariants, use for endpoint computation
- Add {{/each}} boundary directory to template structure
- Fix loadConfig receiving file path instead of directory
- Add engine build step before spike bundle compilation
- Use consistent dirname(fileURLToPath()) pattern
- Explicitly list deferred items in Not Included section

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add configDir to FixedCodeConfig, set by loadConfig
- Pass configDir to resolveBundle for local path resolution
- Fix itemContext merge order (item takes precedence over parent)
- Update all tests with configDir parameter

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Phase 1: DDD spike bundle with context model, enrichment functions, 28 passing tests
- Phase 2: Engine pipeline (parse, config, resolve, validate, render, write)
- Phase 3: CLI with generate, validate, init commands
- Handlebars rendering with {{#each}} directory iteration
- Bundle resolution from .fixedcode.yaml config
- bundle-crud-api with enrichment for resources, fields, endpoints
- Generates Express router + TypeScript model interfaces
- 5 REST endpoints per resource (GET list/item, POST, PUT, DELETE)
- Custom Handlebars helpers in bundle
- Better validation error messages with path and details
- Add bundle init command to scaffold new bundles
- Updated CLI help with bundle commands
- Create spring-domain bundle with package.json, tsconfig, vitest config
- Add schema.json defining DDD aggregates structure
- Implement stub index.ts with enrich() and generateFiles()
- Export FileEntry type from engine for bundle compatibility
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
gibbon and others added 12 commits May 8, 2026 23:53
- Remove dead bundles/ddd-basic (TS build broken on arrival, only ever
  one commit, superseded by spring-domain). Drop from .fixedcode.yaml.
- Add --passWithNoTests to vitest in crud-api, mcp-wrapper, openapi
  generator (bundles without test files were exiting non-zero).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
12 findings consolidated from 4 parallel audit agents. Fix this phase:
F-1 (bundle-init path traversal), F-5 (registryRepo arg), F-7 (npm install
regex), F-8 (LLM baseUrl), F-9 (enrich LLM-output warning + docs).
7 medium/low findings deferred to issues.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- F-1: validateBundleName() in cli/bundle-init.ts rejects path traversal
  in `fixedcode bundle init <name>`. Pattern: ^[a-z0-9][a-z0-9_-]*$.
- F-5: validateRegistryRepo() in engine/registry.ts rejects flag-style
  values that gh might interpret as options. Pattern: owner/repo.
- F-7: tighten npm-install command parser. Disallow .. and absolute or
  relative paths in the package identifier.
- F-8: validateBaseUrl() in engine/llm.ts allowlist of LLM hosts
  (openrouter, openai, anthropic, localhost). Reject http on non-loopback.
  Prevents API-key + project-content exfiltration via crafted .fixedcode.yaml.
- F-9: print a privacy banner at the start of every enrich session
  listing the LLM endpoint and reminding the user to review via git diff
  before committing.

Tests: 161/161 passing (+30 from new tests). Smoke test green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- F-7: extend install allow-list to accept github:owner/repo[#ref]
  spec (publishPackage produces this for bundles with a GitHub repo URL).
  Add INSTALL_GITHUB_PATTERN. Loosen npm version-range portion to accept
  ^/~/>=/+ semver operators while still rejecting ..
- F-8: add IPv6 loopback [::1] to LLM allowlist. Bracket-normalise
  url.hostname for both WHATWG (kept brackets) and older parsers.
- F-1 test: replace unintentionally-escaped null-byte test with a
  whitespace-rejection test that actually exercises the regex boundary.
- Tests: 169/169 passing (+8 new). Smoke green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
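
The F-1 and F-8 checks described in the two commit messages above, sketched as an added example (not the project's code): the function names and the bundle-name pattern follow the commit text, while the concrete host names, the `127.0.0.1` entry, and the helpers `normaliseHost`, `isValidBundleName` and `isAllowedBaseUrl` are assumptions.

```javascript
// Added example, not the project's code. Host names are assumptions standing in
// for the "openrouter, openai, anthropic, localhost" allowlist in the commit message.
const REMOTE_LLM_HOSTS = new Set(['openrouter.ai', 'api.openai.com', 'api.anthropic.com']);
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

// Pattern quoted in the F-1 commit message.
const BUNDLE_NAME_PATTERN = /^[a-z0-9][a-z0-9_-]*$/;

// F-1: the name becomes a directory, so reject anything that is not a plain slug.
function isValidBundleName(name) {
  return typeof name === 'string' && BUNDLE_NAME_PATTERN.test(name);
}

// WHATWG URL keeps the brackets on IPv6 literals ("[::1]"); strip them so the
// comparison works whichever form the parser returns.
function normaliseHost(hostname) {
  return hostname.replace(/^\[/, '').replace(/\]$/, '').toLowerCase();
}

// F-8: returns the parsed URL, or throws with the reason for rejection.
function validateBaseUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`baseUrl is not a valid URL: ${JSON.stringify(raw)}`);
  }
  const host = normaliseHost(url.hostname);
  const loopback = LOOPBACK_HOSTS.has(host);
  // Exact match on the parsed hostname: substring or suffix checks would let
  // look-alike names through.
  if (!loopback && !REMOTE_LLM_HOSTS.has(host)) {
    throw new Error(`baseUrl host is not on the LLM allowlist: ${host}`);
  }
  // Plain http would send the API key and project content in the clear.
  if (url.protocol !== 'https:' && !(url.protocol === 'http:' && loopback)) {
    throw new Error(`baseUrl must use https (http only on loopback): ${url.protocol}`);
  }
  return url;
}

function isAllowedBaseUrl(raw) {
  try {
    validateBaseUrl(raw);
    return true;
  } catch {
    return false;
  }
}

// Constructed sample values, as they might appear in a .fixedcode.yaml.
for (const candidate of ['https://openrouter.ai/api/v1', 'http://[::1]:11434/v1',
  'http://api.openai.com/v1', 'https://api.openai.com.attacker.example/v1']) {
  console.log(isAllowedBaseUrl(candidate) ? 'accept' : 'reject', candidate);
}
```
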
Closes the high-severity Vite vulns flagged by `npm audit --audit-level=high`
in engine and the moderate vulns in 8 bundles + openapi generator (all from
old vitest 1.2.2 transitive). All packages now report 0 vulnerabilities.

Tests: engine 169/169, spring-domain 46/46, python-agent 17/17 — all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ELOG

Productionisation Phase 3 root-level docs. README covers value prop,
quickstart, concepts, bundle catalog, CFRs, and links to docs/ tree.
SECURITY.md links the v0.2.0 findings doc and disclosure email.
CHANGELOG.md initial 0.2.0 entry summarising the productionisation push.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bug, feature, and question issue templates plus a PR template that
enforces a test plan and links. FUNDING.yml is commented-out by default.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…egistry, llm, release)

Seven new docs covering the engine pipeline & contracts, bundle authoring,
generator authoring, the CFR catalog & workflow, the registry distribution
model, LLM trust boundaries & baseUrl allowlist, and the maintainer release
playbook (npm trusted publisher, branch protection, pre-release checklist).

All linked from README.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Each bundle README has a tagline, install command, generated-output summary,
spec highlights, optional adapters note, and links into docs/. Engine README
has a CLI command table and programmatic API summary.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- eslint.config.js (flat config, typescript-eslint, no-empty-object-type fix
  in spring-domain). Lint passes with 0 errors / 53 advisory warnings.
- .prettierrc.json + .prettierignore. format check clean across the repo
  after a one-shot reformat (mostly trailing commas and quote normalisation).
- Root package.json with scripts: lint, lint:fix, format, format:check.

Tests: 169/169 still passing post-reformat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- ci.yml: matrix on Node 20/22; lint, format check, typecheck, build, test
  the engine + each bundle + each generator, plus a smoke generation test.
  npm audit is advisory (continue-on-error).
- release.yml: triggers on v* tags. npm publish --provenance with OIDC
  trusted publisher; falls back to NPM_TOKEN secret if configured. Creates
  a GitHub Release with auto-generated notes and the tarball attached.
- codeql.yml: weekly + per-PR JS/TS scanning.
- dependabot.yml: weekly npm and github-actions updates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dependabot dependabot Bot added the dependencies and javascript labels May 8, 2026
gibbon and others added 6 commits May 9, 2026 00:20
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The engine's draft test imports `bundles/spring-domain/dist/index.js`,
so bundles must be built before the engine test step. Restructure into
two phases: install+build everything (engine → bundles → generators),
then test in the same order.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ode/generator-openapi)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Prior pexa-removal commit changed the source default from io.pexa.gap to
com.example but left schema.json default and two test expectations
pointing at the old value. Tests fail in CI on a clean install.

- schema.json default: io.pexa.gap → com.example
- enrich.test.ts assertion: io.pexa.gap → com.example
- render.test.ts assertion: io.pexa.gap.workspace → com.example.workspace

Also export renderTemplates/createHandlebarsEnv/renderFile from the engine
root so spring-library's render test doesn't need to import a subpath
(which the engine's exports map blocks). Update render.test.ts to use the
root import.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Bump version 0.1.0 → 0.2.0
- Add description, keywords, author, license (Apache-2.0), homepage,
  repository (subdir=engine), bugs links
- Add files allowlist (dist, bin, README, LICENSE) so src/, test/,
  tsconfig.json don't ship in the tarball
- Add engines: { node: '>=20' }
- Add prepublishOnly to ensure build+test before publish
- Copy LICENSE into engine/ so it ships in the tarball
- Replace engine/README.md with a tarball-friendly version (absolute
  github URLs for cross-references so links work on npmjs.com)
- Update docs/registry.md and CHANGELOG to reflect that registry.json is
  a discovery catalog only in v0.2.0; bundles are not yet published to
  npm so registry install will 404 until they are.

npm pack --dry-run: 41.6 kB tarball, 72 files, only dist/, bin/,
README.md, LICENSE, package.json.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/engine/typescript-6.0.3 branch from a0367a1 to f246cc5 Compare May 8, 2026 14:32
gibbon and others added 2 commits May 9, 2026 00:49
…scoped)

Unscoped npm name avoids the org-creation step and gives a cleaner install
command (`npm install -g fixedcode`) that matches major dev tools (typescript,
eslint, prettier, vite, vitest).

- engine/package.json: name @fixedcode/engine → fixedcode
- All bundle and generator package.json: dependency key renamed
- All bundle/generator src .ts: import { ... } from '@fixedcode/engine'
  → from 'fixedcode'
- README, CHANGELOG, CONTRIBUTING, docs/, engine/README: badges, install
  commands, and code examples updated
- registry.json: bundle entries' description references unchanged (only the
  engine package was renamed; bundles keep their @fixedcode/bundle-* scope)
- All package-lock.json files regenerated.

Tests: engine 169/169, all bundles green, smoke test passes (23/23).
Tarball: fixedcode-0.2.0.tgz, 41.6 kB, 72 files.

BREAKING CHANGE: pre-publish rename, no consumers yet but the import path
for bundle authors changes from '@fixedcode/engine' to 'fixedcode'.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.3 to 6.0.3.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/engine/typescript-6.0.3 branch from f246cc5 to 86be934 Compare May 8, 2026 14:51
@gibbon gibbon closed this May 8, 2026
dependabot Bot commented on behalf of github May 8, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/engine/typescript-6.0.3 branch May 8, 2026 15:23