Unify planning pipeline + harden semver/lockfile analyzers

.github/workflows/ci.yml

@@ -49,13 +49,43 @@ jobs:
           done
           echo "No sensitive files found"
 
-  test:
-    name: Test (Node ${{ matrix.node-version }})
+  dependency-freshness:
+    name: Dependency Freshness
     runs-on: ubuntu-latest
     needs: safety-check
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Report outdated dependencies
+        run: |
+          if ! pnpm outdated; then
+            echo "::notice::Outdated dependencies detected. See log above."
+          fi
+
+  test:
+    name: Test (Node ${{ matrix.node-version }}, ${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    needs: [safety-check, dependency-freshness]
     strategy:
       matrix:
         node-version: [18, 20, 22]
+        os: [ubuntu-latest, macos-latest, windows-latest]
       fail-fast: false
 
     steps:
@@ -79,6 +109,11 @@ jobs:
       - name: Build
         run: pnpm build
 
+      - name: CLI smoke test
+        run: |
+          node dist/index.js --version
+          node dist/index.js merge --help
+
       - name: Type check
         run: pnpm typecheck
 
@@ -336,3 +371,43 @@ jobs:
           fi
           echo "History preserved successfully with $COMMIT_COUNT commits"
         timeout-minutes: 5
+
+  smoke-test:
+    name: Publish Smoke Test
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'pnpm'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build
+        run: pnpm build
+
+      - name: Verify built CLI works
+        run: |
+          node dist/index.js --version
+          node dist/index.js merge --help
+
+      - name: Type-check tests
+        run: pnpm tsc -p tests/tsconfig.json --noEmit
+
+      - name: Publish dry run
+        run: |
+          npm pack --dry-run 2>&1 | tee pack-output.txt
+          echo "--- Package contents ---"
+          cat pack-output.txt

.github/workflows/security.yml

@@ -34,7 +34,6 @@ jobs:
 
       - name: Run pnpm audit
         run: pnpm audit --audit-level=high
-        continue-on-error: true
 
   codeql:
     name: CodeQL Analysis
@@ -113,4 +112,4 @@ jobs:
     with:
       scan-args: |-
         --lockfile=pnpm-lock.yaml
-      fail-on-vuln: false
+      fail-on-vuln: true

.gitignore

@@ -2,8 +2,19 @@ node_modules/
 dist/
 *.log
 .DS_Store
+._*
 coverage/
 .env
 .env.local
 tests/.temp/
 tests/.test-output/
+
+# Local runtime/workspace artifacts from monotize runs
+.monotize/
+monorepo/
+/packages/
+monorepo.staging-*/
+monorepo.staging-*.ops.jsonl
+
+# Local assistant/editor state
+.claude/

.vscode/settings.json

@@ -0,0 +1,5 @@
+{
+  "files.exclude": {
+    "**/._*": true
+  }
+}

CHANGELOG.md

@@ -0,0 +1,33 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- Full lifecycle CLI commands: `add`, `archive`, `configure`, `migrate-branch`
+- Extended analysis engine with environment, tooling, CI, publishing, and repo risk detection
+- Risk classification system (straightforward / needs-decisions / complex)
+- Path-filtered GitHub Actions workflow generation
+- Configure engine for Prettier, ESLint, and TypeScript scaffolding
+- Dependency enforcement via package manager overrides/resolutions
+- Multi-language detection (Go, Rust, Python) with workspace scaffolding
+- Smart defaults with evidence-based suggestions
+- Performance utilities (concurrent mapping, disk space checks, progress events)
+- Cross-platform path normalization
+- 8-step wizard UI with SeverityBadge, DiffViewer, TreePreview, FindingsFilter components
+
+### Security
+- Fixed Python injection vulnerability in history preservation (SEC-01)
+- Fixed path traversal vulnerability in apply command (SEC-02)
+- Added install command executable allowlist (SEC-04)
+- Replaced shell `exec()` with `execFile()` in browser opener (SEC-05)
+- Added server authentication via shared-secret token (SEC-03)
+- Added CORS, rate limiting, and body size limits to server
+- Added symlink protection to file operations
+
+### Fixed
+- Async `.filter()` bug in gitignore merge that caused all paths to be included

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 pmclSF
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

SECURITY.md

@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.x.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Monotize, please report it responsibly:
+
+1. **Do not** open a public GitHub issue for security vulnerabilities
+2. Email the maintainer or use [GitHub Security Advisories](https://github.com/pmclSF/monotize/security/advisories/new)
+3. Include a description of the vulnerability, steps to reproduce, and potential impact
+4. Allow up to 72 hours for an initial response
+
+## Security Considerations
+
+Monotize executes git commands and package manager operations on your behalf. When using it:
+
+- Only merge repositories you trust
+- Review plan files before applying them with `monotize apply`
+- The web UI server (`monotize ui`) binds to localhost with token authentication — do not expose it to untrusted networks
+- Never embed credentials directly in repository URLs — use SSH keys or credential helpers instead

package.json

@@ -1,10 +1,25 @@
 {
-  "name": "monorepo-cli",
+  "name": "monotize",
   "version": "0.2.0",
   "description": "Combine multiple Git repositories into a monorepo with pnpm, yarn, or npm workspace support",
   "type": "module",
+  "author": "pmclSF",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/pmclSF/monotize.git"
+  },
+  "homepage": "https://github.com/pmclSF/monotize#readme",
+  "bugs": {
+    "url": "https://github.com/pmclSF/monotize/issues"
+  },
+  "files": [
+    "dist",
+    "bin",
+    "README.md",
+    "LICENSE"
+  ],
   "bin": {
-    "monorepo": "./bin/monorepo.js",
+    "monotize": "./bin/monorepo.js",
     "mr": "./bin/monorepo.js"
   },
   "exports": "./dist/index.js",
@@ -33,13 +48,17 @@
     "commander": "^12.0.0",
     "express": "^5.2.1",
     "fs-extra": "^11.2.0",
+    "js-yaml": "^4.1.1",
+    "semver": "^7.7.3",
     "simple-git": "^3.22.0",
     "ws": "^8.19.0"
   },
   "devDependencies": {
     "@types/express": "^5.0.6",
     "@types/fs-extra": "^11.0.0",
+    "@types/js-yaml": "^4.0.9",
     "@types/node": "^20.0.0",
+    "@types/semver": "^7.5.0",
     "@types/supertest": "^7.2.0",
     "@types/ws": "^8.18.1",
     "@vitest/coverage-v8": "^2.0.0",
@@ -59,5 +78,12 @@
     "turborepo",
     "nx"
   ],
+  "pnpm": {
+    "overrides": {
+      "esbuild": ">=0.25.0",
+      "minimatch": ">=9.0.7",
+      "rollup": ">=4.59.0"
+    }
+  },
   "license": "MIT"
 }