feat(campaign): /config-audit campaign — human-approved write-CLI + command (v5.7 Fase 2 Block 3c)

Completes the THIN machine-wide campaign surface (ledger + roll-up + status).
The write half of the campaign motor, mirroring how knowledge-refresh gates
register writes:

- scanners/campaign-write-cli.mjs (-cli → NOT a scanner; 11 tests): init/add/
  set-status, each a thin wrapper over the invariant-enforcing lib transforms
  (createLedger/addRepo/setRepoStatus) + saveLedger — path-normalization/dedup,
  idempotent add, status-lifecycle guard and updatedDate bump never hand-rolled.
  init refuses to clobber an existing/corrupt ledger (exit 1, file untouched);
  add auto-inits + reports added vs skipped; set-status takes --findings/--session.
  Deterministic: --reference-date is the only clock read, injected as `now`.
  Exit 0=write, 1=advisory no-op, 3=error.
- commands/campaign.md (opus, no Web): thin orchestrator — always reports first
  (read-only campaign-cli), then proposes init/add/set-status and invokes ONE
  write-CLI subcommand only on explicit human approval (Verifiseringsplikt; never
  hand-edits the JSON). add --discover finds git repos under a root to pick from.

Not byte-stable (own command, outside snapshot suite) like /config-audit optimize
+ knowledge-refresh. Both CLIs are -cli → scanner count stays 15, snapshot suite
untouched. commands 20→21, suite 1127→1138 (+11), test files 64→65.

Docs: CLAUDE.md §campaign-write-cli + command table + Testing badge; README
commands badge 20→21 + table row; help.md + router wiring.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kjell Tore Guttormsen 2026-06-22 17:25:15 +02:00
commit ee0c762151
7 changed files with 622 additions and 3 deletions

View file

@ -0,0 +1,196 @@
#!/usr/bin/env node
/**
* campaign-write-cli the human-approved WRITE half of the durable campaign ledger
* (v5.7 Fase 2, Block 3c).
*
* Sibling of the read-only `campaign-cli`: where that one only reports, this one mutates.
* Every mutation is routed through the pure, invariant-enforcing lib transforms
* (`createLedger`/`addRepo`/`setRepoStatus`) + `saveLedger` so path normalization/dedup,
* idempotent add, the status-lifecycle guard, and the `updatedDate` bump are never
* re-implemented by hand. The `/config-audit campaign` command is a thin opus orchestrator:
* it reports (via campaign-cli), proposes a change, and only on explicit human approval
* invokes a single subcommand here (Verifiseringsplikt). It NEVER auto-writes.
*
* Determinism mirrors the lib + the knowledge-refresh CLI: `--reference-date` is the only
* place the clock is read (defaulting to today), and it is passed to the transforms as the
* injected `now`, so the persisted stamps are fully testable.
*
* Naming: `-cli` suffix NOT an orchestrated scanner (the scan-orchestrator only loads
* scanner modules), so the scanner count is unchanged and the snapshot suite stays
* byte-stable.
*
* Usage:
* node campaign-write-cli.mjs init [--ledger-file <p>] [--reference-date <YYYY-MM-DD>]
* node campaign-write-cli.mjs add <path>... [--name <n>] [--ledger-file <p>] [--reference-date <d>]
* node campaign-write-cli.mjs set-status <path> <status>
* [--findings '<json>'] [--session <id>]
* [--ledger-file <p>] [--reference-date <d>]
* (all accept [--output-file <p>] to write the result payload to a file instead of stdout)
*
* Exit codes: 0 = write performed, 1 = advisory no-op (init when already initialized),
* 3 = error (unknown subcommand, bad args, invalid status, untracked repo, no/corrupt ledger).
*/
import { resolve } from 'node:path';
import { writeFile } from 'node:fs/promises';
import {
createLedger,
addRepo,
setRepoStatus,
rollUp,
loadLedger,
saveLedger,
defaultLedgerPath,
} from './lib/campaign-ledger.mjs';
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
function fail(message) {
process.stderr.write(`Error: ${message}\n`);
process.exit(3);
}
/** Parse argv into a subcommand, positional args, and the flag map. */
function parseArgs(argv) {
const positionals = [];
const flags = { ledgerFile: null, referenceDate: null, outputFile: null, name: null, findings: null, session: null };
for (let i = 0; i < argv.length; i++) {
const a = argv[i];
if (a === '--ledger-file' && argv[i + 1] !== undefined) flags.ledgerFile = argv[++i];
else if (a === '--reference-date' && argv[i + 1] !== undefined) flags.referenceDate = argv[++i];
else if (a === '--output-file' && argv[i + 1] !== undefined) flags.outputFile = argv[++i];
else if (a === '--name' && argv[i + 1] !== undefined) flags.name = argv[++i];
else if (a === '--findings' && argv[i + 1] !== undefined) flags.findings = argv[++i];
else if (a === '--session' && argv[i + 1] !== undefined) flags.session = argv[++i];
else if (a.startsWith('--')) fail(`unknown flag "${a}"`);
else positionals.push(a);
}
return { subcommand: positionals[0], rest: positionals.slice(1), flags };
}
/** Load an existing ledger, treating a parse error as a hard failure (never clobber corrupt data). */
async function loadOrFail(path) {
try {
return await loadLedger(path); // null on ENOENT (no ledger yet)
} catch (err) {
fail(`could not read ledger at ${path}: ${err.message}`);
}
}
async function emit(payload, outputFile, exitCode) {
const json = JSON.stringify(payload, null, 2);
if (outputFile) await writeFile(outputFile, json, 'utf-8');
else process.stdout.write(json + '\n');
process.exit(exitCode);
}
async function main() {
const { subcommand, rest, flags } = parseArgs(process.argv.slice(2));
if (!subcommand) fail('a subcommand is required: init | add | set-status');
const ledgerPath = resolve(flags.ledgerFile || defaultLedgerPath());
if (flags.referenceDate && !DATE_RE.test(flags.referenceDate)) fail('--reference-date must be YYYY-MM-DD');
// The clock is read here ONLY — the transforms take this injected `now` and stay pure.
const now = flags.referenceDate || new Date().toISOString().slice(0, 10);
if (subcommand === 'init') {
const existing = await loadOrFail(ledgerPath);
if (existing !== null) {
// Advisory no-op: never wipe an existing campaign.
return emit(
{ status: 'ok', action: 'init', written: false, alreadyInitialized: true, ledgerPath },
flags.outputFile,
1,
);
}
const ledger = createLedger({ now });
await saveLedger(ledgerPath, ledger);
return emit(
{
status: 'ok', action: 'init', written: true, alreadyInitialized: false, ledgerPath,
schemaVersion: ledger.schemaVersion, createdDate: ledger.createdDate, updatedDate: ledger.updatedDate,
repos: ledger.repos, rollUp: rollUp(ledger),
},
flags.outputFile,
0,
);
}
if (subcommand === 'add') {
const paths = rest;
if (paths.length === 0) fail('add requires at least one repo path');
const loaded = await loadOrFail(ledgerPath);
const autoInitialized = loaded === null;
let ledger = loaded === null ? createLedger({ now }) : loaded;
const added = [];
const skipped = [];
for (const p of paths) {
const resolved = resolve(p);
const present = ledger.repos.some((r) => r.path === resolved);
// --name applies only to a lone path; multi-add lets the lib derive each basename.
const name = paths.length === 1 ? flags.name || undefined : undefined;
ledger = addRepo(ledger, { path: p, name }, { now });
(present ? skipped : added).push(resolved);
}
await saveLedger(ledgerPath, ledger);
return emit(
{
status: 'ok', action: 'add', written: true, autoInitialized, ledgerPath,
added, skipped, repos: ledger.repos, rollUp: rollUp(ledger),
},
flags.outputFile,
0,
);
}
if (subcommand === 'set-status') {
const [path, status] = rest;
if (!path || !status) fail('set-status requires <path> <status>');
const ledger = await loadOrFail(ledgerPath);
if (ledger === null) fail(`no ledger at ${ledgerPath} — run "init" or "add" first`);
let findingsBySeverity;
if (flags.findings !== null) {
try {
findingsBySeverity = JSON.parse(flags.findings);
} catch (err) {
fail(`--findings must be valid JSON: ${err.message}`);
}
}
const opts = { now };
if (findingsBySeverity !== undefined) opts.findingsBySeverity = findingsBySeverity;
if (flags.session !== null) opts.sessionId = flags.session;
let next;
try {
next = setRepoStatus(ledger, path, status, opts);
} catch (err) {
// RangeError (bad status) or Error (untracked repo) → caller error.
fail(err.message);
}
await saveLedger(ledgerPath, next);
const resolved = resolve(path);
return emit(
{
status: 'ok', action: 'set-status', written: true, ledgerPath,
repo: next.repos.find((r) => r.path === resolved), repos: next.repos, rollUp: rollUp(next),
},
flags.outputFile,
0,
);
}
fail(`unknown subcommand "${subcommand}" — expected init | add | set-status`);
}
const isDirectRun =
process.argv[1] && resolve(process.argv[1]) === resolve(new URL(import.meta.url).pathname);
if (isDirectRun) {
main().catch((err) => {
process.stderr.write(`Fatal: ${err.message}\n`);
process.exit(3);
});
}