maintenance-release-operator
v0.1.1
CLI tool to check repo health and automate maintenance tasks
maintenance-release-operator
Enforce truth in your repositories.
MRO is a strict, deterministic governance tool that checks repo legitimacy and automates compliant releases. No flexibility by default. No AI. No dark patterns.
Philosophy: MRO enforces what repositories claim about themselves. If your README says tests pass, they better pass. If you have dependencies, they better be secure. See PHILOSOPHY.md for governance principles.
Core Documents:
📜 PHILOSOPHY.md — Governance principles, strictness guarantees, what MRO will never become
💰 PRICING.md — Economic boundaries, free vs. paid, monetization model
🛡️ POLICY.md — Safety constraints, engineering guardrails, data handling
Quick Start
# No install required — just run:
npx maintenance-release-operator check
Output:
🔍 Running maintenance checks...
✅ package.json exists
✅ README.md exists
❌ LICENSE exists
→ Add a LICENSE file. Try: npx license mit
❌ CHANGELOG exists
→ Create CHANGELOG.md to track versions
✅ .gitignore exists
✅ No package-lock.json AND pnpm-lock.yaml (pick one)
✅ CI workflow exists
─────────────────────────────────
Passed: 5/7
⚠️ 2 issue(s) found
─────────────────────────────────
Install (Optional)
# Global install for frequent use
npm install -g maintenance-release-operator
# Then just run:
mro check
Commands
check
Run all maintenance checks on the current repo.
mro check # Human-readable output
mro check --json # JSON output for scripting
Exit codes:
- 0 — All checks passed
- 1 — One or more checks failed
release
Automate version bumping, changelog updates, and git tagging.
mro release # Bump patch version (default)
mro release patch # Bump patch: 1.2.3 → 1.2.4
mro release minor # Bump minor: 1.2.3 → 1.3.0
mro release major # Bump major: 1.2.3 → 2.0.0
What it does:
- ✅ Checks working tree is clean
- ✅ Runs CI checks (npm run ci)
- ✅ Calculates next version
- ✅ Updates package.json
- ✅ Updates CHANGELOG.md with recent commits
- ✅ Creates git commit and tag (vX.Y.Z)
Safety checks:
- ❌ Fails if working tree is dirty
- ❌ Fails if CI checks fail
After release:
git push origin main
git push origin v1.2.4
npm publish # if publishing to npm
What It Checks
| Check | Enforcement Reason |
|-------|-------------------|
| package.json | Node projects must declare dependencies and metadata |
| README.md | Repos without documentation are unmaintainable |
| LICENSE | No license = legal ambiguity = unusable |
| CHANGELOG.md | Version history must be documented |
| .gitignore | Secrets and build artifacts must not be committed |
| Lockfile conflicts | Multiple lockfiles = non-deterministic installs |
| CI workflow | Claims of "tests passing" must be verifiable |
| Test script | npm test must be runnable |
| Node engines | Supported versions must be declared |
| Outdated deps | Stale dependencies accumulate security debt |
| Security vulns | Known CVEs must be surfaced |
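The seven file-level checks shown in the Quick Start output can be reproduced over a plain list of repo paths. This is an added example, not MRO's own code: `checkRepo`, the check labels, the inclusion of `yarn.lock`, and the reading of "CI workflow" as a GitHub Actions file are assumptions.

```javascript
// Added illustration, not MRO's source. Input: repo-relative paths, for
// example the lines printed by `git ls-files`.
const LOCKFILES = ['package-lock.json', 'pnpm-lock.yaml', 'yarn.lock']; // yarn.lock is an assumption

// Case-insensitive match on a root-level file with an optional extension
// (LICENSE, LICENSE.md, CHANGELOG.md, ...).
const rootFile = (paths, stem) =>
  paths.some((p) => new RegExp(`^${stem}(\\.[a-z]+)?$`, 'i').test(p));

const CHECKS = [
  ['package.json exists', (p) => p.includes('package.json')],
  ['README.md exists', (p) => rootFile(p, 'README')],
  ['LICENSE exists', (p) => rootFile(p, 'LICENSE')],
  ['CHANGELOG exists', (p) => rootFile(p, 'CHANGELOG')],
  ['.gitignore exists', (p) => p.includes('.gitignore')],
  // More than one lockfile means the resolved dependency tree depends on
  // which package manager happens to run the install.
  ['single lockfile', (p) => LOCKFILES.filter((l) => p.includes(l)).length <= 1],
  // Assumption: "CI workflow" means a GitHub Actions workflow file.
  ['CI workflow exists', (p) => p.some((f) => /^\.github\/workflows\/[^/]+\.ya?ml$/.test(f))],
];

function checkRepo(paths) {
  const results = CHECKS.map(([name, test]) => ({ name, ok: test(paths) }));
  const passed = results.filter((r) => r.ok).length;
  // Exit-code contract from the README: 0 = all passed, 1 = any failure.
  return { results, passed, total: results.length, exitCode: passed === results.length ? 0 : 1 };
}

// Constructed sample matching the Quick Start output (no LICENSE, no CHANGELOG).
const sample = ['package.json', 'README.md', '.gitignore', 'package-lock.json',
  '.github/workflows/ci.yml', 'src/index.js'];

const report = checkRepo(sample);
for (const r of report.results) console.log(`${r.ok ? 'PASS' : 'FAIL'} ${r.name}`);
console.log(`Passed: ${report.passed}/${report.total}, exit code ${report.exitCode}`);
```

The remaining table rows (test script, Node engines, outdated deps, security vulns) need the contents of package.json or registry data, so they are outside this path-only sketch.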
Roadmap
- [x] mro release — Automate changelog + version bump + tag ✅
- [ ] mro deps — Check for outdated/vulnerable dependencies
- [ ] mro audit — Security-focused checks
- [ ] Config file support (.mrorc)
Pricing
The CLI is free forever. Org-level enforcement and enterprise features will have paid tiers.
See PRICING.md for economic boundaries, philosophy, and future SKUs.
Contributing
Issues and PRs welcome. Please read the existing issues before opening a new one.
License
MIT
