chore(ci): update installations via mise

[coryrylan]

• Updated Node.js version from 26.1.0 to 26.4.0 in .nvmrc, package.json, and documentation.
• Upgraded pnpm from 11.0.8 to 11.9.0 across relevant files.
• Replaced references to nvm with mise for managing the development environment and CI setup.
• Enhanced .gitignore to exclude visual build artifacts more effectively.
• Removed the Vale installation script and integrated its management through mise.
• Updated CI configuration to utilize the new setup process with mise.

Summary by CodeRabbit

• New Features
  • Unified local development and CI under a mise-managed toolchain (Node/pnpm/Vale, plus Git hooks).
  • Added CI input to optionally skip Playwright browser setup.
  • Added CI validation to confirm required tools and pinned versions align.
• Bug Fixes
  • Improved fast-fail behavior during environment setup and task execution.
  • Blocked edits to mise.toml/mise.lock and tightened protections for risky commit patterns.
• Documentation
  • Updated README and internal guides for mise, Vale, and Git LFS workflows.
• Chores
  • Removed the custom CI Docker image build and the legacy Vale installer; refreshed CI caching and aligned tool versions.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR replaces nvm/corepack-based hook and CI setup with mise-based tool resolution and execution, updates toolchain manifests and validation, rewires Git hooks and starter build inputs, and revises repository documentation, llms-txt generation, and starter branding.

Changes

Mise toolchain migration

Layer / File(s)	Summary
Shared mise helpers .agents/hooks/lib/node-env.sh, .husky/mise.sh	Shell helpers resolve the mise binary, export MISE_BIN, and add hook_mise_exec/hook_mise_run wrappers for command execution.
Agent hook execution .agents/hooks/pre-tool-use-bash.sh, .agents/hooks/pre-tool-use-edit-write.sh, .agents/hooks/session-start.sh, .agents/hooks/post-tool-use-edit-write.sh, .agents/hooks/stop.sh	Agent hooks protect mise.toml and mise.lock, initialize mise at session start, and route formatting, linting, and project-task execution through the shared helpers.
Husky hook routing .husky/commit-msg, .husky/post-checkout, .husky/post-commit, .husky/post-merge, .husky/pre-commit, .husky/pre-push	The Husky hooks source .husky/mise.sh and execute commitlint, lint-staged, and Git LFS hook commands through run_mise.
Toolchain manifests and validation mise.toml, package.json, projects/internals/ci/ci-validate.js, knip.config.js, .gitignore, .nvmrc	mise.toml, package.json, the CI validation script, knip config, ignore rules, and the Node pin are updated to align tool versions and tool discovery.
GitHub CI wiring .github/actions/setup-ci/action.yml, .github/workflows/ci.yml	The CI action and release workflow switch to mise-action, add Playwright gating, and change Vale caching and installation.
Docs and guidance AGENTS.md, README.md, projects/internals/BUILD.md, projects/site/src/docs/internal/guidelines/troubleshooting.md	Repository setup, command examples, build/tooling guidance, and troubleshooting notes are rewritten for the mise-based toolchain and updated versions.

Site llms-txt generation

Layer / File(s)	Summary
llms-txt contracts projects/site/src/_11ty/plugins/llms-txt.js	The llms-txt plugin adds public path helpers, updates URL generation and document writing, and adds the CDN context entry.
llms-txt tests projects/site/src/_11ty/plugins/llms-txt.test.ts	The llms-txt tests cover the CDN entry, public output path resolution, and the before-hook registration.
llms-txt UI and build wiring projects/site/src/_11ty/shortcodes/index.js, projects/site/eleventy.config.js	The install shortcode adds a CDN breadcrumb link, and the Eleventy Vite plugin switches from rollupOptions to rolldownOptions.

Starter branding

Layer / File(s)	Summary
Starter build and branding projects/starters/package.json, projects/starters/go/package.json, projects/starters/go/src/index.html, projects/starters/go-htmx/package.json, projects/starters/go-htmx/src/index.html	The starter workspace narrows tracked Go files, and the Go starter package metadata and page titles are branded with NVIDIA Elements wording.

Sequence Diagram(s)

sequenceDiagram
  participant ReleaseJob as release job
  participant SetupCI as .github/actions/setup-ci
  participant MiseAction as jdx/mise-action
  participant pnpm as pnpm
  participant vale as vale
  ReleaseJob->>SetupCI: uses setup-ci with install-playwright='false'
  SetupCI->>MiseAction: installs pinned tools
  SetupCI->>pnpm: resolves store and installs dependencies
  SetupCI->>vale: runs vale sync

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested labels

type(chore)

Suggested reviewers

• johnyanarella

Possibly related PRs

• NVIDIA/elements#77: Both PRs modify the CI toolchain/workflow setup in .github/workflows/ci.yml around Node/pnpm versions and Playwright Chromium installation steps/commands, so the changes overlap at the same workflow level.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 13.04% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly reflects the main change: migrating installation and environment setup to mise.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch topic-mise

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

projects/site/eleventy.config.js

ESLint skipped: missing config or dependency (missing-dependency). The ESLint configuration references a package that is not available in the sandbox.

projects/site/src/_11ty/plugins/llms-txt.js

ESLint skipped: the ESLint configuration for this file references a package that is not available in the sandbox.

projects/site/src/_11ty/plugins/llms-txt.test.ts

ESLint skipped: the ESLint configuration for this file references a package that is not available in the sandbox.

• 1 others

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 7

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.agents/hooks/lib/node-env.sh:
- Around line 48-65: The `hook_mise_exec` and `hook_mise_run` wrappers in
`node-env.sh` currently call `cd "$working_dir"` without guarding failures, so
the subsequent `mise` command can run in the wrong directory if the
change-directory fails. Update both functions to make the subshell exit
immediately when `cd` fails, using a subshell-safe guard such as `|| exit 1`,
and keep the logic localized to `hook_mise_exec` and `hook_mise_run` so callers
always execute in the intended project directory.

In @.husky/mise.sh:
- Line 1: Add a ShellCheck shell directive at the top of the sourced Husky
script so SC2148 no longer fires and linting uses the correct target shell.
Update the .husky/mise.sh bootstrap around resolve_mise_bin() to declare the
script as sh-compatible, since Husky sources it under sh and a shebang is not
appropriate here.

In `@AGENTS.md`:
- Around line 27-44: The bootstrap example under Common Commands uses mise
directly even though the setup note says it may not be on PATH; update that
example to use the full ~/.local/bin/mise path consistently. Make the change in
the repository setup snippet so the documented install-and-setup flow works in a
fresh shell, and keep the rest of the AGENTS.md setup steps unchanged.

In `@package.json`:
- Line 338: The prepare command is starting the Playwright install in the
background without waiting for it to finish, so the browser download may be
interrupted during local setup. Update the package.json prepare script that runs
pnpm run playwright, node .husky/install.mjs, and vale sync so the subshell
waits for the backgrounded Playwright task to complete before exiting, using the
existing prepare command entry as the place to fix it.

In `@projects/site/src/docs/internal/guidelines/troubleshooting.md`:
- Around line 239-247: The Node version example under the troubleshooting
guidance is incorrect because the expected output for `node --version` is
missing the leading v. Update the example in the `mise exec -- node --version`
section so it matches the actual output format (`v26.4.0`), keeping the
surrounding `mise install` and version-check instructions unchanged.

In `@projects/starters/go/package.json`:
- Around line 7-26: The Go starter build currently writes to bin/go-starter
without ensuring bin/ exists first, so update the build flow to create the
output directory before invoking go build. Adjust the wireit build command in
package.json to prepare bin/ before writing the binary, and make sure the
preview script also uses the same directory-creation step before running the
compiled starter.

In `@README.md`:
- Around line 37-40: The bootstrap snippet in the README skips the required
trust step before running setup. Update the setup instructions to include the
project-root trust command before the existing `mise run setup` call, keeping
the flow in the same install block so users trust the repo first and then run
setup.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: f3852c9a-76ba-43db-998a-4582171f6501

📥 Commits

Reviewing files that changed from the base of the PR and between 1cda122 and 5263f3d.

⛔ Files ignored due to path filters (2)

• mise.lock is excluded by !**/*.lock
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (28)

• .agents/hooks/lib/node-env.sh
• .agents/hooks/post-tool-use-edit-write.sh
• .agents/hooks/pre-tool-use-edit-write.sh
• .agents/hooks/session-start.sh
• .agents/hooks/stop.sh
• .github/actions/setup-ci/action.yml
• .github/workflows/ci.yml
• .gitignore
• .husky/commit-msg
• .husky/mise.sh
• .husky/post-checkout
• .husky/post-commit
• .husky/post-merge
• .husky/pre-commit
• .husky/pre-push
• .nvmrc
• AGENTS.md
• README.md
• config/docker/ci.dockerfile
• config/vale/install.mjs
• knip.config.js
• mise.toml
• package.json
• projects/internals/BUILD.md
• projects/internals/ci/ci-validate.js
• projects/site/src/docs/internal/guidelines/troubleshooting.md
• projects/starters/go/package.json
• projects/starters/package.json

💤 Files with no reviewable changes (2)

• config/docker/ci.dockerfile
• config/vale/install.mjs

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add a ShellCheck shell directive.

This file is sourced (not executed), so a shebang isn't appropriate, but ShellCheck reports SC2148 because it can't infer the target shell. Since Husky runs hooks under sh, add a directive so linting is accurate and CI ShellCheck doesn't error.

🔧 Proposed fix

+# shellcheck shell=sh
 resolve_mise_bin() {

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	resolve_mise_bin() {
	# shellcheck shell=sh
	resolve_mise_bin() {

🧰 Tools

🪛 Shellcheck (0.11.0)

[error] 1-1: Tips depend on target shell and yours is unknown. Add a shebang or a 'shell' directive.

(SC2148)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.husky/mise.sh at line 1, Add a ShellCheck shell directive at the top of the
sourced Husky script so SC2148 no longer fires and linting uses the correct
target shell. Update the .husky/mise.sh bootstrap around resolve_mise_bin() to
declare the script as sh-compatible, since Husky sources it under sh and a
shebang is not appropriate here.

Source: Linters/SAST tools

[coderabbitai]

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Backgrounded Playwright install is never awaited.

pnpm run playwright & runs detached, then the subshell exits after vale sync. The triggering install process can terminate before the Playwright browser download completes (and may SIGHUP the orphaned job), leaving browsers partially installed during local prepare. Add a wait so the parallelized install is allowed to finish.

🔧 Proposed fix

-      "command": "test -n \"$CI\" || (pnpm run playwright & node .husky/install.mjs ; vale sync)"
+      "command": "test -n \"$CI\" || (pnpm run playwright & node .husky/install.mjs ; vale sync ; wait)"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"command": "test -n \"$CI\" || (pnpm run playwright & node .husky/install.mjs ; vale sync)"
	"command": "test -n \"$CI\" || (pnpm run playwright & node .husky/install.mjs ; vale sync ; wait)"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 338, The prepare command is starting the Playwright
install in the background without waiting for it to finish, so the browser
download may be interrupted during local setup. Update the package.json prepare
script that runs pnpm run playwright, node .husky/install.mjs, and vale sync so
the subshell waits for the backgrounded Playwright task to complete before
exiting, using the existing prepare command entry as the place to fix it.

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

sed -n '232,252p' projects/site/src/docs/internal/guidelines/troubleshooting.md

Repository: NVIDIA/elements

Length of output: 625

---

Fix the Node version example output.

node --version prints v26.4.0, so the expected output should include the v prefix.

Proposed fix

-mise exec -- node --version  # Should show 26.4.0
+mise exec -- node --version  # Should show v26.4.0

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- **Solution:** Install the repository toolchain with mise
	```shell
	# Install correct version from .nvmrc
	nvm install
	nvm use
	# Install tool versions from mise.toml
	mise install
	# Verify version
	node --version # Should show 26.1.0
	mise exec -- node --version # Should show 26.4.0
	```

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/site/src/docs/internal/guidelines/troubleshooting.md` around lines
239 - 247, The Node version example under the troubleshooting guidance is
incorrect because the expected output for `node --version` is missing the
leading v. Update the example in the `mise exec -- node --version` section so it
matches the actual output format (`v26.4.0`), keeping the surrounding `mise
install` and version-check instructions unchanged.

[coderabbitai]

🩺 Stability & Availability | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate README and relevant references to mise setup/trust
git ls-files | rg -n '^README\.md$|mise|trust|setup' || true

echo '--- README.md excerpt ---'
nl -ba README.md | sed -n '1,120p'

echo '--- Search for trust/setup references across repo ---'
rg -n "mise trust|mise run setup|curl https://mise.run|mise\.run|gettings?-started|setup" .

Repository: NVIDIA/elements

Length of output: 785

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the exact README region around the disputed lines and any surrounding instructions
nl -ba README.md | sed -n '30,50p'

# Find any docs or scripts that define the intended bootstrap flow
rg -n "trust|mise run setup|mise install|curl https://mise.run|bootstrap|bootstrap path" README.md .github . 2>/dev/null || true

Repository: NVIDIA/elements

Length of output: 193

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the README section and any project files that define mise behavior
nl -ba README.md | sed -n '34,45p'

echo '--- Project files mentioning mise ---'
fd -HI 'mise*' . || true

echo '--- Relevant config contents ---'
for f in .mise.toml mise.toml .tool-versions .config/mise/config.toml; do
  if [ -f "$f" ]; then
    echo "### $f"
    nl -ba "$f" | sed -n '1,220p'
  fi
done

Repository: NVIDIA/elements

Length of output: 193

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- README.md around lines 34-45 ---'
sed -n '34,45p' README.md

echo '--- mise.toml ---'
sed -n '1,220p' mise.toml

echo '--- .github/actions/setup-ci/action.yml (if relevant) ---'
sed -n '1,220p' .github/actions/setup-ci/action.yml

echo '--- .husky/mise.sh (if relevant) ---'
sed -n '1,200p' .husky/mise.sh

Repository: NVIDIA/elements

Length of output: 4379

---

Add mise trust before mise run setup. The bootstrap snippet skips the trust step, but this repo expects the project root to be trusted first.

Proposed fix

 curl https://mise.run | sh
+~/.local/bin/mise trust
 ~/.local/bin/mise run setup

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# install dependencies https://mise.en.dev/getting-started.html
	curl https://mise.run | sh
	~/.local/bin/mise run setup
	```
	# install dependencies https://mise.en.dev/getting-started.html
	curl https://mise.run | sh
	~/.local/bin/mise trust
	~/.local/bin/mise run setup

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 37 - 40, The bootstrap snippet in the README skips
the required trust step before running setup. Update the setup instructions to
include the project-root trust command before the existing `mise run setup`
call, keeping the flow in the same install block so users trust the repo first
and then run setup.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/actions/setup-ci/action.yml:
- Around line 37-46: The Vale cache workflow always runs `vale sync` because the
`actions/cache` step in the setup CI action has no identifier to inspect its
cache result. Add an `id` to the Cache Vale styles step and update the following
`Sync Vale styles` step in the action workflow to run only when the cache was
not hit by checking `cache-hit != 'true'`, so restored
`config/vale/styles/Google` and `config/vale/styles/write-good` do not trigger a
redundant sync.

In `@projects/internals/BUILD.md`:
- Line 122: The mise documentation link is incorrect and points to a broken
site. Update the markdown reference in BUILD.md from the current mise hyperlink
to the official mise documentation URL, using the existing link entry so readers
of the BUILD.md section get the correct destination.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 31d000fd-0d7f-4284-8108-e9769cff2825

📥 Commits

Reviewing files that changed from the base of the PR and between 5263f3d and 1191e33.

⛔ Files ignored due to path filters (2)

• mise.lock is excluded by !**/*.lock
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (28)

• .agents/hooks/lib/node-env.sh
• .agents/hooks/post-tool-use-edit-write.sh
• .agents/hooks/pre-tool-use-edit-write.sh
• .agents/hooks/session-start.sh
• .agents/hooks/stop.sh
• .github/actions/setup-ci/action.yml
• .github/workflows/ci.yml
• .gitignore
• .husky/commit-msg
• .husky/mise.sh
• .husky/post-checkout
• .husky/post-commit
• .husky/post-merge
• .husky/pre-commit
• .husky/pre-push
• .nvmrc
• AGENTS.md
• README.md
• config/docker/ci.dockerfile
• config/vale/install.mjs
• knip.config.js
• mise.toml
• package.json
• projects/internals/BUILD.md
• projects/internals/ci/ci-validate.js
• projects/site/src/docs/internal/guidelines/troubleshooting.md
• projects/starters/go/package.json
• projects/starters/package.json

💤 Files with no reviewable changes (2)

• config/docker/ci.dockerfile
• config/vale/install.mjs

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Incorrect mise documentation URL.

https://mise.en.dev/ is not the official site; the mise documentation lives at https://mise.jdx.dev/. As-is, this link is broken for readers.

📝 Proposed fix

-- [mise](https://mise.en.dev/)
+- [mise](https://mise.jdx.dev/)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- [mise](https://mise.en.dev/)
	[mise](https://mise.jdx.dev/)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/internals/BUILD.md` at line 122, The mise documentation link is
incorrect and points to a broken site. Update the markdown reference in BUILD.md
from the current mise hyperlink to the official mise documentation URL, using
the existing link entry so readers of the BUILD.md section get the correct
destination.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 107-109: The setup-ci action is being invoked without the npm auth
token, so it cannot write the authenticated npm config needed by the release
flow. Update the `setup-ci` step in the workflow to pass `NODE_AUTH_TOKEN` (the
same token later used by `Release`) into `./.github/actions/setup-ci`, ensuring
the action can prepare a valid `$HOME/.npmrc` before `pnpm run release` runs.

In `@projects/internals/ci/ci-validate.js`:
- Around line 12-15: The validation checks in ci-validate.js currently assume
packageJson.engines, packageJson.devEngines.packageManager, and
packageJson.packageManager always exist, which can throw before the mismatch
reporting runs. Update the reads used in the validation list to be null-safe so
the existing comparison logic can still produce a readable validation failure
when those fields are missing; keep the changes local to the validation entries
that reference packageJson and the related mismatch labels.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: b677be75-168a-49b3-b06e-e8a6097ea7a0

📥 Commits

Reviewing files that changed from the base of the PR and between 1191e33 and 254c886.

⛔ Files ignored due to path filters (2)

• mise.lock is excluded by !**/*.lock
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (28)

• .agents/hooks/lib/node-env.sh
• .agents/hooks/post-tool-use-edit-write.sh
• .agents/hooks/pre-tool-use-edit-write.sh
• .agents/hooks/session-start.sh
• .agents/hooks/stop.sh
• .github/actions/setup-ci/action.yml
• .github/workflows/ci.yml
• .gitignore
• .husky/commit-msg
• .husky/mise.sh
• .husky/post-checkout
• .husky/post-commit
• .husky/post-merge
• .husky/pre-commit
• .husky/pre-push
• .nvmrc
• AGENTS.md
• README.md
• config/docker/ci.dockerfile
• config/vale/install.mjs
• knip.config.js
• mise.toml
• package.json
• projects/internals/BUILD.md
• projects/internals/ci/ci-validate.js
• projects/site/src/docs/internal/guidelines/troubleshooting.md
• projects/starters/go/package.json
• projects/starters/package.json

💤 Files with no reviewable changes (2)

• config/docker/ci.dockerfile
• config/vale/install.mjs

[coderabbitai]

🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Report missing package fields as validation failures instead of crashing.

If engines, devEngines.packageManager, or packageManager disappears, this script throws before it can emit the intended mismatch message. Make these reads null-safe so config drift produces a readable failure instead of a TypeError.

Suggested fix

 const expectations = [
   ['mise node', tools.node, read('.nvmrc').trim(), '.nvmrc'],
-  ['package engines.node', packageJson.engines.node, tools.node, 'mise node'],
-  ['packageManager pnpm', packageJson.packageManager.match(/^pnpm@(.+)$/)?.[1], tools.pnpm, 'mise pnpm'],
-  ['devEngines.packageManager.version', packageJson.devEngines.packageManager.version, tools.pnpm, 'mise pnpm']
+  ['package engines.node', packageJson.engines?.node, tools.node, 'mise node'],
+  [
+    'packageManager pnpm',
+    typeof packageJson.packageManager === 'string'
+      ? packageJson.packageManager.match(/^pnpm@(.+)$/)?.[1]
+      : undefined,
+    tools.pnpm,
+    'mise pnpm'
+  ],
+  [
+    'devEngines.packageManager.version',
+    packageJson.devEngines?.packageManager?.version,
+    tools.pnpm,
+    'mise pnpm'
+  ]
 ];

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	['mise node', tools.node, read('.nvmrc').trim(), '.nvmrc'],
	['package engines.node', packageJson.engines.node, tools.node, 'mise node'],
	['packageManager pnpm', packageJson.packageManager.match(/^pnpm@(.+)$/)?.[1], tools.pnpm, 'mise pnpm'],
	['devEngines.packageManager.version', packageJson.devEngines.packageManager.version, tools.pnpm, 'mise pnpm']
	['mise node', tools.node, read('.nvmrc').trim(), '.nvmrc'],
	['package engines.node', packageJson.engines?.node, tools.node, 'mise node'],
	[
	'packageManager pnpm',
	typeof packageJson.packageManager === 'string'
	? packageJson.packageManager.match(/^pnpm@(.+)$/)?.[1]
	: undefined,
	tools.pnpm,
	'mise pnpm'
	],
	[
	'devEngines.packageManager.version',
	packageJson.devEngines?.packageManager?.version,
	tools.pnpm,
	'mise pnpm'
	]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/internals/ci/ci-validate.js` around lines 12 - 15, The validation
checks in ci-validate.js currently assume packageJson.engines,
packageJson.devEngines.packageManager, and packageJson.packageManager always
exist, which can throw before the mismatch reporting runs. Update the reads used
in the validation list to be null-safe so the existing comparison logic can
still produce a readable validation failure when those fields are missing; keep
the changes local to the validation entries that reference packageJson and the
related mismatch labels.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (8)

README.md (1)

37-39: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Trust the repository before mise run setup.

This setup block jumps from installing mise straight to mise run setup, but the repo bootstrap flow still requires mise trust first. As written, a fresh clone can fail before dependencies are installed.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 37 - 39, The README bootstrap steps for mise are
missing the required trust step before running setup. Update the setup
instructions around the mise install/run sequence to include `mise trust` in the
repository workflow before `mise run setup`, so the fresh-clone bootstrap path
uses the correct order and can proceed cleanly.

projects/internals/ci/ci-validate.js (1)

11-15: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Make the package.json reads null-safe.

If any of engines, packageManager, or devEngines.packageManager is missing, Lines 13-15 throw before this script can emit the intended mismatch message, so config drift becomes a crash instead of a validation failure.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/internals/ci/ci-validate.js` around lines 11 - 15, The
`expectations` setup in `ci-validate.js` assumes `packageJson.engines`,
`packageJson.packageManager`, and `packageJson.devEngines.packageManager` always
exist, which can crash before validation runs. Update the reads for these fields
to be null-safe in the `expectations` array so missing config values produce a
mismatch entry instead of throwing, while preserving the existing labels and
comparison flow.

AGENTS.md (1)

41-44: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Use the documented ~/.local/bin/mise path in the bootstrap commands.

Line 42 says mise may not be on PATH yet, but Lines 43-44 still invoke mise directly, so the first-run example can fail in a fresh shell.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` around lines 41 - 44, The bootstrap example still calls mise
directly even though it may not be on PATH yet, so update the setup commands to
use the documented ~/.local/bin/mise path consistently. Fix the command sequence
in AGENTS.md so the first-run instructions for mise trust and mise run setup
reference the explicit binary path instead of relying on PATH availability.

package.json (1)

339-339: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Wait for the backgrounded Playwright install before exiting prepare.

pnpm run playwright & is still launched asynchronously, and the subshell exits after vale sync without wait, so browser downloads can be interrupted during local installs.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 339, The prepare command starts `pnpm run playwright`
in the background and then exits without waiting, so the Playwright install can
be cut off. Update the `command` entry in package.json to keep the prepare step
alive until the backgrounded Playwright install finishes, using the existing
shell flow around `pnpm run playwright`, `node .husky/install.mjs`, and `vale
sync`.

projects/starters/go/package.json (1)

10-10: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Create bin/ before writing bin/go-starter.

Both preview and the Wireit build command write into bin/, but neither ensures the directory exists, so a clean checkout still fails on the first build.

Also applies to: 19-19

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/starters/go/package.json` at line 10, The preview and Wireit build
commands write the Go binary into bin/ without guaranteeing the directory
exists, so a clean checkout can fail on first run. Update the package.json
scripts for preview and build so they create bin/ before invoking go build,
keeping the existing go build and ./bin/go-starter flow intact.

projects/site/src/docs/internal/guidelines/troubleshooting.md (1)

245-247: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Update the Node version example output.

node --version prints v26.4.0, so the example should keep the leading v. This is the same mismatch flagged in the previous review.
Based on the previous review comment about the missing v prefix.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/site/src/docs/internal/guidelines/troubleshooting.md` around lines
245 - 247, The Node version example in the troubleshooting guide is missing the
leading v prefix shown by node --version; update the example output in the
documentation to match the actual `node --version` result. Locate the version
check snippet around the `mise exec -- node --version` example and change the
displayed version text so it includes the `v` prefix consistently.

projects/internals/BUILD.md (1)

122-124: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix the mise documentation link.

https://mise.en.dev/ is still the wrong destination for the mise docs. This remains the same broken link reported in the prior review.
Based on the previous review comment about the incorrect mise URL.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/internals/BUILD.md` around lines 122 - 124, The mise documentation
link is still pointing to the wrong destination in the BUILD.md docs section.
Update the markdown link on the mise reference to the correct official docs URL,
and keep the surrounding description unchanged; use the existing mise entry in
the documentation list as the place to fix it.

.github/workflows/ci.yml (1)

107-109: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Pass NODE_AUTH_TOKEN into setup-ci.

setup-ci still runs before Release, so it writes $HOME/.npmrc without auth and the install phase can’t rely on the token added later. This is the same gap flagged in the previous review.
Based on the previous review comment about authenticated npm config.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 107 - 109, The setup-ci step is still
running without npm auth, so it writes an unauthenticated .npmrc before Release
provides the token. Update the setup-ci invocation in the CI workflow to pass
NODE_AUTH_TOKEN through its with/secret inputs so the action can configure npm
with credentials up front; use the setup-ci action and the Release-auth flow as
the reference points when wiring the token.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.agents/hooks/lib/node-env.sh:
- Around line 38-42: The setup probe in the subshell is running tool checks even
when cd "$project_root" fails, so guard the directory change before invoking
MISE_BIN probes. Update the logic in the subshell in node-env.sh so that the
node and pnpm version checks only execute after a successful cd, using the
existing command grouping around "$MISE_BIN" exec and the surrounding fallback
block to stop early on directory change failure.

In `@projects/starters/go/package.json`:
- Around line 20-23: The Wireit build inputs for the Go starter are incomplete
because the package.json files list only main.go and src/**, so dependency
changes in go.mod and go.sum can leave bin/go-starter stale. Update the build
task’s tracked files to include go.mod and go.sum alongside the existing entries
so changes to module dependencies correctly invalidate the cache.

---

Duplicate comments:
In @.github/workflows/ci.yml:
- Around line 107-109: The setup-ci step is still running without npm auth, so
it writes an unauthenticated .npmrc before Release provides the token. Update
the setup-ci invocation in the CI workflow to pass NODE_AUTH_TOKEN through its
with/secret inputs so the action can configure npm with credentials up front;
use the setup-ci action and the Release-auth flow as the reference points when
wiring the token.

In `@AGENTS.md`:
- Around line 41-44: The bootstrap example still calls mise directly even though
it may not be on PATH yet, so update the setup commands to use the documented
~/.local/bin/mise path consistently. Fix the command sequence in AGENTS.md so
the first-run instructions for mise trust and mise run setup reference the
explicit binary path instead of relying on PATH availability.

In `@package.json`:
- Line 339: The prepare command starts `pnpm run playwright` in the background
and then exits without waiting, so the Playwright install can be cut off. Update
the `command` entry in package.json to keep the prepare step alive until the
backgrounded Playwright install finishes, using the existing shell flow around
`pnpm run playwright`, `node .husky/install.mjs`, and `vale sync`.

In `@projects/internals/BUILD.md`:
- Around line 122-124: The mise documentation link is still pointing to the
wrong destination in the BUILD.md docs section. Update the markdown link on the
mise reference to the correct official docs URL, and keep the surrounding
description unchanged; use the existing mise entry in the documentation list as
the place to fix it.

In `@projects/internals/ci/ci-validate.js`:
- Around line 11-15: The `expectations` setup in `ci-validate.js` assumes
`packageJson.engines`, `packageJson.packageManager`, and
`packageJson.devEngines.packageManager` always exist, which can crash before
validation runs. Update the reads for these fields to be null-safe in the
`expectations` array so missing config values produce a mismatch entry instead
of throwing, while preserving the existing labels and comparison flow.

In `@projects/site/src/docs/internal/guidelines/troubleshooting.md`:
- Around line 245-247: The Node version example in the troubleshooting guide is
missing the leading v prefix shown by node --version; update the example output
in the documentation to match the actual `node --version` result. Locate the
version check snippet around the `mise exec -- node --version` example and
change the displayed version text so it includes the `v` prefix consistently.

In `@projects/starters/go/package.json`:
- Line 10: The preview and Wireit build commands write the Go binary into bin/
without guaranteeing the directory exists, so a clean checkout can fail on first
run. Update the package.json scripts for preview and build so they create bin/
before invoking go build, keeping the existing go build and ./bin/go-starter
flow intact.

In `@README.md`:
- Around line 37-39: The README bootstrap steps for mise are missing the
required trust step before running setup. Update the setup instructions around
the mise install/run sequence to include `mise trust` in the repository workflow
before `mise run setup`, so the fresh-clone bootstrap path uses the correct
order and can proceed cleanly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: d38cfee7-97b7-4406-9ebd-df7fe40789d5

📥 Commits

Reviewing files that changed from the base of the PR and between 254c886 and 17c9f3c.

⛔ Files ignored due to path filters (2)

• mise.lock is excluded by !**/*.lock
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (28)

• .agents/hooks/lib/node-env.sh
• .agents/hooks/post-tool-use-edit-write.sh
• .agents/hooks/pre-tool-use-edit-write.sh
• .agents/hooks/session-start.sh
• .agents/hooks/stop.sh
• .github/actions/setup-ci/action.yml
• .github/workflows/ci.yml
• .gitignore
• .husky/commit-msg
• .husky/mise.sh
• .husky/post-checkout
• .husky/post-commit
• .husky/post-merge
• .husky/pre-commit
• .husky/pre-push
• .nvmrc
• AGENTS.md
• README.md
• config/docker/ci.dockerfile
• config/vale/install.mjs
• knip.config.js
• mise.toml
• package.json
• projects/internals/BUILD.md
• projects/internals/ci/ci-validate.js
• projects/site/src/docs/internal/guidelines/troubleshooting.md
• projects/starters/go/package.json
• projects/starters/package.json

💤 Files with no reviewable changes (2)

• config/docker/ci.dockerfile
• config/vale/install.mjs

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Track go.mod and go.sum as Wireit build inputs.

The build task only watches main.go and src/**. If module dependencies change, Wireit can reuse a stale bin/go-starter even though the compiled output should change.

Suggested fix

       "files": [
         "main.go",
+        "go.mod",
+        "go.sum",
         "src/**"
       ],

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"files": [
	"main.go",
	"src/**"
	],
	"files": [
	"main.go",
	"go.mod",
	"go.sum",
	"src/**"
	],

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/starters/go/package.json` around lines 20 - 23, The Wireit build
inputs for the Go starter are incomplete because the package.json files list
only main.go and src/**, so dependency changes in go.mod and go.sum can leave
bin/go-starter stale. Update the build task’s tracked files to include go.mod
and go.sum alongside the existing entries so changes to module dependencies
correctly invalidate the cache.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (8)

.husky/mise.sh (1)

1-1: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add a ShellCheck shell directive.

This file is sourced under sh by Husky, so a shebang isn't appropriate, but ShellCheck still emits SC2148 because it can't infer the target shell. Add # shellcheck shell=sh at the top so linting is accurate and CI doesn't error.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.husky/mise.sh at line 1, Add a ShellCheck shell directive at the top of the
Husky-sourced script so linting knows it targets sh. Update the .husky/mise.sh
script by placing # shellcheck shell=sh before resolve_mise_bin() to satisfy
ShellCheck and avoid SC2148 while keeping the file sourced rather than
executable.

Source: Linters/SAST tools

.agents/hooks/lib/node-env.sh (2)

48-66: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

cd is still unguarded in the exec/run wrappers (appears unaddressed/regressed).

Despite the earlier fix marked as addressed, lines 53 and 63 still call cd "$working_dir" without a guard, and ShellCheck (SC2164) continues to flag both. Since these library functions may run without set -e, a failed cd lets the command execute in the caller's directory (likely repo root), targeting the wrong project.

🛡️ Proposed fix

 hook_mise_exec() {
   local working_dir="$1"
   shift

   (
-    cd "$working_dir"
+    cd "$working_dir" || exit 1
     "$MISE_BIN" exec -- "$@"
   )
 }

 hook_mise_run() {
   local working_dir="$1"
   shift

   (
-    cd "$working_dir"
+    cd "$working_dir" || exit 1
     "$MISE_BIN" run "$@"
   )
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.agents/hooks/lib/node-env.sh around lines 48 - 66, The hook_mise_exec and
hook_mise_run wrappers still call cd without checking for failure, so a bad
working_dir can fall through and run mise in the wrong directory. Update both
functions in node-env.sh to guard the directory change before invoking MISE_BIN,
and if the directory switch fails, stop the wrapper from executing the command.
Keep the fix localized to hook_mise_exec and hook_mise_run so ShellCheck SC2164
is resolved consistently.

Source: Linters/SAST tools

---

38-46: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Guard the setup cd before probing tools.

Line 39's cd "$project_root" is unguarded inside the subshell; if it fails, the mise exec version probes run in the caller's directory and validate the wrong toolchain. Use || exit 1 (subshell-safe).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.agents/hooks/lib/node-env.sh around lines 38 - 46, Guard the project_root
directory change in the setup block of node-env.sh so the tool probes only run
after a successful cd. In the subshell that calls "$MISE_BIN" exec for node and
pnpm versions, make the cd failure terminate that subshell immediately (for
example by using a subshell-safe early exit) so the checks do not fall back to
the caller’s directory; keep the existing failure message path in the
surrounding block.

Source: Linters/SAST tools

projects/starters/go-htmx/package.json (1)

20-24: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Track go.mod and go.sum in Wireit inputs.

Without them, module-only changes can reuse a stale cached build.

🔎 Read-only verification

#!/bin/bash
set -euo pipefail

printf '\n## Wireit inputs\n'
sed -n '18,24p' projects/starters/go-htmx/package.json

printf '\n## Module files at starter root\n'
find projects/starters/go-htmx -maxdepth 1 -type f \( -name 'go.mod' -o -name 'go.sum' \) -print | sort

🛠️ Proposed fix

       "files": [
         "main.go",
+        "go.mod",
+        "go.sum",
         "src/**",
         "package.json"
       ],

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/starters/go-htmx/package.json` around lines 20 - 24, The Wireit
inputs for the go-htmx starter are missing the module files, so module-only
changes can bypass cache invalidation. Update the package.json inputs for the
build task to include go.mod and go.sum alongside main.go, src/**, and
package.json, using the existing Wireit configuration in the starter package.

package.json (1)

341-341: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Wait for the Playwright install.

pnpm run playwright is still backgrounded without a wait, so prepare can exit before the browser download finishes.

🔧 Proposed fix

-      "command": "test -n \"$CI\" || (pnpm run playwright & node .husky/install.mjs ; vale sync)"
+      "command": "test -n \"$CI\" || (pnpm run playwright & node .husky/install.mjs ; vale sync ; wait)"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 341, The prepare command is still launching pnpm run
playwright in the background without waiting, so the install can finish early;
update the package.json prepare script to ensure the Playwright install
completes before continuing, using the existing command and keeping the node
.husky/install.mjs and vale sync steps synchronized with that wait.

projects/internals/BUILD.md (1)

122-124: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix the mise docs URL.

https://mise.en.dev/ is broken; point readers at the official documentation site instead.

📝 Proposed fix

-- [mise](https://mise.en.dev/)
+- [mise](https://mise.jdx.dev/)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/internals/BUILD.md` around lines 122 - 124, The mise documentation
link is broken and should point to the official docs instead. Update the
markdown link in the BUILD.md section that references mise to use the correct
official documentation URL, keeping the surrounding description about the
repository toolchain and CI unchanged.

projects/internals/ci/ci-validate.js (1)

13-15: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Null-safe these config reads.

packageJson.engines, packageJson.packageManager, or packageJson.devEngines.packageManager can still be absent, and this script will throw before it can report the mismatch.

🛠 Proposed fix

-  ['package engines.node', packageJson.engines.node, tools.node, 'mise node'],
-  ['packageManager pnpm', packageJson.packageManager.match(/^pnpm@(.+)$/)?.[1], tools.pnpm, 'mise pnpm'],
-  ['devEngines.packageManager.version', packageJson.devEngines.packageManager.version, tools.pnpm, 'mise pnpm']
+  ['package engines.node', packageJson.engines?.node, tools.node, 'mise node'],
+  [
+    'packageManager pnpm',
+    typeof packageJson.packageManager === 'string'
+      ? packageJson.packageManager.match(/^pnpm@(.+)$/)?.[1]
+      : undefined,
+    tools.pnpm,
+    'mise pnpm'
+  ],
+  [
+    'devEngines.packageManager.version',
+    packageJson.devEngines?.packageManager?.version,
+    tools.pnpm,
+    'mise pnpm'
+  ]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/internals/ci/ci-validate.js` around lines 13 - 15, The config checks
in the validation list are not null-safe, so missing packageJson.engines,
packageJson.packageManager, or packageJson.devEngines.packageManager can throw
before reporting mismatches. Update the read expressions in the CI validation
logic to safely access those nested fields, especially around the packageManager
regex match and the devEngines.packageManager.version lookup, so the script can
continue and report comparison results even when sections are absent.

README.md (1)

40-42: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Add the missing trust step.

The bootstrap flow still goes straight from install to setup, so a fresh shell can fail if the repo isn't trusted yet. Use the explicit ~/.local/bin/mise path here as well.

🔧 Proposed fix

 curl https://mise.run | sh
+~/.local/bin/mise trust
 ~/.local/bin/mise run setup

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 40 - 42, The README bootstrap steps are missing the
required trust command before setup, which can break a fresh shell flow; update
the setup sequence to include the explicit ~/.local/bin/mise path for the trust
step as well as the existing setup step so the repo is trusted before running
setup.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Line 39: The setup note in the README uses a dead mise documentation URL;
update the inline install-dependencies comment to point to the official mise
docs instead. Locate the existing docs link in the README and replace it with
the correct official URL so the setup guidance remains valid.

---

Duplicate comments:
In @.agents/hooks/lib/node-env.sh:
- Around line 48-66: The hook_mise_exec and hook_mise_run wrappers still call cd
without checking for failure, so a bad working_dir can fall through and run mise
in the wrong directory. Update both functions in node-env.sh to guard the
directory change before invoking MISE_BIN, and if the directory switch fails,
stop the wrapper from executing the command. Keep the fix localized to
hook_mise_exec and hook_mise_run so ShellCheck SC2164 is resolved consistently.
- Around line 38-46: Guard the project_root directory change in the setup block
of node-env.sh so the tool probes only run after a successful cd. In the
subshell that calls "$MISE_BIN" exec for node and pnpm versions, make the cd
failure terminate that subshell immediately (for example by using a
subshell-safe early exit) so the checks do not fall back to the caller’s
directory; keep the existing failure message path in the surrounding block.

In @.husky/mise.sh:
- Line 1: Add a ShellCheck shell directive at the top of the Husky-sourced
script so linting knows it targets sh. Update the .husky/mise.sh script by
placing # shellcheck shell=sh before resolve_mise_bin() to satisfy ShellCheck
and avoid SC2148 while keeping the file sourced rather than executable.

In `@package.json`:
- Line 341: The prepare command is still launching pnpm run playwright in the
background without waiting, so the install can finish early; update the
package.json prepare script to ensure the Playwright install completes before
continuing, using the existing command and keeping the node .husky/install.mjs
and vale sync steps synchronized with that wait.

In `@projects/internals/BUILD.md`:
- Around line 122-124: The mise documentation link is broken and should point to
the official docs instead. Update the markdown link in the BUILD.md section that
references mise to use the correct official documentation URL, keeping the
surrounding description about the repository toolchain and CI unchanged.

In `@projects/internals/ci/ci-validate.js`:
- Around line 13-15: The config checks in the validation list are not null-safe,
so missing packageJson.engines, packageJson.packageManager, or
packageJson.devEngines.packageManager can throw before reporting mismatches.
Update the read expressions in the CI validation logic to safely access those
nested fields, especially around the packageManager regex match and the
devEngines.packageManager.version lookup, so the script can continue and report
comparison results even when sections are absent.

In `@projects/starters/go-htmx/package.json`:
- Around line 20-24: The Wireit inputs for the go-htmx starter are missing the
module files, so module-only changes can bypass cache invalidation. Update the
package.json inputs for the build task to include go.mod and go.sum alongside
main.go, src/**, and package.json, using the existing Wireit configuration in
the starter package.

In `@README.md`:
- Around line 40-42: The README bootstrap steps are missing the required trust
command before setup, which can break a fresh shell flow; update the setup
sequence to include the explicit ~/.local/bin/mise path for the trust step as
well as the existing setup step so the repo is trusted before running setup.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 1ee2730c-aa2e-444d-ab0c-14a6dec0d08a

📥 Commits

Reviewing files that changed from the base of the PR and between 17c9f3c and 590ee00.

⛔ Files ignored due to path filters (2)

• mise.lock is excluded by !**/*.lock
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (31)

• .agents/hooks/lib/node-env.sh
• .agents/hooks/post-tool-use-edit-write.sh
• .agents/hooks/pre-tool-use-edit-write.sh
• .agents/hooks/session-start.sh
• .agents/hooks/stop.sh
• .github/actions/setup-ci/action.yml
• .github/workflows/ci.yml
• .gitignore
• .husky/commit-msg
• .husky/mise.sh
• .husky/post-checkout
• .husky/post-commit
• .husky/post-merge
• .husky/pre-commit
• .husky/pre-push
• .nvmrc
• AGENTS.md
• README.md
• config/docker/ci.dockerfile
• config/vale/install.mjs
• knip.config.js
• mise.toml
• package.json
• projects/internals/BUILD.md
• projects/internals/ci/ci-validate.js
• projects/site/src/docs/internal/guidelines/troubleshooting.md
• projects/starters/go-htmx/package.json
• projects/starters/go-htmx/src/index.html
• projects/starters/go/package.json
• projects/starters/go/src/index.html
• projects/starters/package.json

💤 Files with no reviewable changes (2)

• config/docker/ci.dockerfile
• config/vale/install.mjs

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

.github/workflows/ci.yml (1)

107-109: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Pass NODE_AUTH_TOKEN into setup-ci.

The action still runs before the npm auth token is available, so it cannot prepare the authenticated .npmrc that the release flow expects.

Proposed fix

       - uses: ./.github/actions/setup-ci
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         with:
           install-playwright: 'false'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 107 - 109, The setup-ci action is
missing the npm auth token, so it cannot generate the authenticated .npmrc
needed by the release flow. Update the workflow step that calls setup-ci to pass
NODE_AUTH_TOKEN through its with/env configuration, using the existing setup-ci
action reference so the token is available before npm setup runs.

projects/starters/go/package.json (1)

18-27: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Track go.mod and go.sum in the Wireit inputs.

Module updates still won’t invalidate this build, so bin can be reused after the compiled output should have changed.

Proposed fix

       "files": [
         "main.go",
+        "go.mod",
+        "go.sum",
         "src/**",
         "package.json"
       ],

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/starters/go/package.json` around lines 18 - 27, The Wireit build
inputs for the Go starter are missing the module manifest files, so changes to
dependencies won’t invalidate the cached build. Update the build definition in
the package config used by the go starter to include go.mod and go.sum alongside
the existing inputs for the build command, so the build is rerun whenever module
metadata changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@projects/starters/go-htmx/package.json`:
- Around line 18-27: The build inputs for the go-htmx starter are missing module
metadata, so changes to dependencies can leave the cached binary stale. Update
the build configuration in package.json so the build files tracked by the
starter include go.mod and go.sum alongside main.go and src/**, using the build
section to ensure dependency changes invalidate the cache correctly.

---

Duplicate comments:
In @.github/workflows/ci.yml:
- Around line 107-109: The setup-ci action is missing the npm auth token, so it
cannot generate the authenticated .npmrc needed by the release flow. Update the
workflow step that calls setup-ci to pass NODE_AUTH_TOKEN through its with/env
configuration, using the existing setup-ci action reference so the token is
available before npm setup runs.

In `@projects/starters/go/package.json`:
- Around line 18-27: The Wireit build inputs for the Go starter are missing the
module manifest files, so changes to dependencies won’t invalidate the cached
build. Update the build definition in the package config used by the go starter
to include go.mod and go.sum alongside the existing inputs for the build
command, so the build is rerun whenever module metadata changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: b20328fe-edc6-4934-bb55-91900eec89f3

📥 Commits

Reviewing files that changed from the base of the PR and between 17c9f3c and 3bf51ef.

⛔ Files ignored due to path filters (2)

• mise.lock is excluded by !**/*.lock
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (32)

• .agents/hooks/lib/node-env.sh
• .agents/hooks/post-tool-use-edit-write.sh
• .agents/hooks/pre-tool-use-bash.sh
• .agents/hooks/pre-tool-use-edit-write.sh
• .agents/hooks/session-start.sh
• .agents/hooks/stop.sh
• .github/actions/setup-ci/action.yml
• .github/workflows/ci.yml
• .gitignore
• .husky/commit-msg
• .husky/mise.sh
• .husky/post-checkout
• .husky/post-commit
• .husky/post-merge
• .husky/pre-commit
• .husky/pre-push
• .nvmrc
• AGENTS.md
• README.md
• config/docker/ci.dockerfile
• config/vale/install.mjs
• knip.config.js
• mise.toml
• package.json
• projects/internals/BUILD.md
• projects/internals/ci/ci-validate.js
• projects/site/src/docs/internal/guidelines/troubleshooting.md
• projects/starters/go-htmx/package.json
• projects/starters/go-htmx/src/index.html
• projects/starters/go/package.json
• projects/starters/go/src/index.html
• projects/starters/package.json

💤 Files with no reviewable changes (2)

• config/docker/ci.dockerfile
• config/vale/install.mjs

[coderabbitai]

Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

Actionable comments posted: 1

♻️ Duplicate comments (2)

.github/workflows/ci.yml (1)

107-109: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Pass NODE_AUTH_TOKEN into setup-ci.

The action still runs before the npm auth token is available, so it cannot prepare the authenticated .npmrc that the release flow expects.

Proposed fix

       - uses: ./.github/actions/setup-ci
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         with:
           install-playwright: 'false'

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 107 - 109, The setup-ci action is
missing the npm auth token, so it cannot generate the authenticated .npmrc
needed by the release flow. Update the workflow step that calls setup-ci to pass
NODE_AUTH_TOKEN through its with/env configuration, using the existing setup-ci
action reference so the token is available before npm setup runs.

projects/starters/go/package.json (1)

18-27: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Track go.mod and go.sum in the Wireit inputs.

Module updates still won’t invalidate this build, so bin can be reused after the compiled output should have changed.

Proposed fix

       "files": [
         "main.go",
+        "go.mod",
+        "go.sum",
         "src/**",
         "package.json"
       ],

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/starters/go/package.json` around lines 18 - 27, The Wireit build
inputs for the Go starter are missing the module manifest files, so changes to
dependencies won’t invalidate the cached build. Update the build definition in
the package config used by the go starter to include go.mod and go.sum alongside
the existing inputs for the build command, so the build is rerun whenever module
metadata changes.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@projects/starters/go-htmx/package.json`:
- Around line 18-27: The build inputs for the go-htmx starter are missing module
metadata, so changes to dependencies can leave the cached binary stale. Update
the build configuration in package.json so the build files tracked by the
starter include go.mod and go.sum alongside main.go and src/**, using the build
section to ensure dependency changes invalidate the cache correctly.

---

Duplicate comments:
In @.github/workflows/ci.yml:
- Around line 107-109: The setup-ci action is missing the npm auth token, so it
cannot generate the authenticated .npmrc needed by the release flow. Update the
workflow step that calls setup-ci to pass NODE_AUTH_TOKEN through its with/env
configuration, using the existing setup-ci action reference so the token is
available before npm setup runs.

In `@projects/starters/go/package.json`:
- Around line 18-27: The Wireit build inputs for the Go starter are missing the
module manifest files, so changes to dependencies won’t invalidate the cached
build. Update the build definition in the package config used by the go starter
to include go.mod and go.sum alongside the existing inputs for the build
command, so the build is rerun whenever module metadata changes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: b20328fe-edc6-4934-bb55-91900eec89f3

📥 Commits

Reviewing files that changed from the base of the PR and between 17c9f3c and 3bf51ef.

⛔ Files ignored due to path filters (2)

• mise.lock is excluded by !**/*.lock
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (32)

• .agents/hooks/lib/node-env.sh
• .agents/hooks/post-tool-use-edit-write.sh
• .agents/hooks/pre-tool-use-bash.sh
• .agents/hooks/pre-tool-use-edit-write.sh
• .agents/hooks/session-start.sh
• .agents/hooks/stop.sh
• .github/actions/setup-ci/action.yml
• .github/workflows/ci.yml
• .gitignore
• .husky/commit-msg
• .husky/mise.sh
• .husky/post-checkout
• .husky/post-commit
• .husky/post-merge
• .husky/pre-commit
• .husky/pre-push
• .nvmrc
• AGENTS.md
• README.md
• config/docker/ci.dockerfile
• config/vale/install.mjs
• knip.config.js
• mise.toml
• package.json
• projects/internals/BUILD.md
• projects/internals/ci/ci-validate.js
• projects/site/src/docs/internal/guidelines/troubleshooting.md
• projects/starters/go-htmx/package.json
• projects/starters/go-htmx/src/index.html
• projects/starters/go/package.json
• projects/starters/go/src/index.html
• projects/starters/package.json

💤 Files with no reviewable changes (2)

• config/docker/ci.dockerfile
• config/vale/install.mjs

🛑 Comments failed to post (1)

projects/starters/go-htmx/package.json (1)

18-27: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Track go.mod and go.sum here too.

Module dependency changes can still leave the cached binary stale, so the starter may ship outdated output.

Proposed fix

       "files": [
         "main.go",
+        "go.mod",
+        "go.sum",
         "src/**",
         "package.json"
       ],

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    "build": {
      "command": "go build -o bin main.go",
      "files": [
        "main.go",
        "go.mod",
        "go.sum",
        "src/**",
        "package.json"
      ],
      "output": [
        "bin"
      ]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/starters/go-htmx/package.json` around lines 18 - 27, The build
inputs for the go-htmx starter are missing module metadata, so changes to
dependencies can leave the cached binary stale. Update the build configuration
in package.json so the build files tracked by the starter include go.mod and
go.sum alongside main.go and src/**, using the build section to ensure
dependency changes invalidate the cache correctly.

[coderabbitai]

Actionable comments posted: 4

♻️ Duplicate comments (7)

AGENTS.md (1)

39-44: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Use the fallback path consistently in the bootstrap snippet.

The note says mise may not be on PATH yet, but Lines 43-44 still call bare mise, so the first-run setup flow can fail.

Proposed fix

 # Install required tools and run CI
 curl https://mise.run | sh
 # If mise is not on PATH yet, use ~/.local/bin/mise for the setup commands.
-mise trust
-mise run setup
+~/.local/bin/mise trust
+~/.local/bin/mise run setup

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` around lines 39 - 44, The bootstrap instructions mix the fallback
path note with bare mise commands, so first-run setup can still fail when mise
is not on PATH. Update the setup snippet in AGENTS.md to use the same fallback
path consistently for the trust and setup steps, referencing the bootstrap
commands around curl, mise trust, and mise run setup so the flow works even
before PATH is updated.

README.md (1)

39-41: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Fix the bootstrap block before it sends contributors down the wrong path.

It still points at the dead mise.en.dev URL and skips mise trust before run setup, so a fresh checkout can fail before tools install.

Proposed fix

-# install dependencies https://mise.en.dev/getting-started.html
+# install dependencies https://mise.jdx.dev/getting-started.html
 curl https://mise.run | sh
+~/.local/bin/mise trust
 ~/.local/bin/mise run setup

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 39 - 41, The bootstrap steps in the README are
outdated and incomplete: the setup instructions still reference the dead
mise.en.dev link and omit the required trust step before running setup. Update
the README bootstrap block to point contributors at the current Mise
documentation and ensure the sequence includes trusting the local config before
invoking the setup command, using the existing bootstrap commands as the
reference point.

projects/internals/BUILD.md (1)

122-124: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Point the mise reference at the official docs.

https://mise.en.dev/ is a dead link, so this section sends readers to the wrong site.

Proposed fix

-- [mise](https://mise.en.dev/)
+- [mise](https://mise.jdx.dev/)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/internals/BUILD.md` around lines 122 - 124, The mise link in the
BUILD.md toolchain section points to a dead site, so update the existing
markdown reference to the official mise documentation URL. Keep the surrounding
text about `mise.toml`, `Node.js`, `pnpm`, `Vale`, `Go`, and `Git LFS`
unchanged, and just replace the outdated link target for the `mise` reference.

projects/internals/ci/ci-validate.js (1)

13-15: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Make the package.json reads null-safe.

If any of these fields disappear, the validator throws before it can print the mismatch it is supposed to report.

Proposed fix

 const expectations = [
   ['mise node', tools.node, read('.nvmrc').trim(), '.nvmrc'],
-  ['package engines.node', packageJson.engines.node, tools.node, 'mise node'],
-  ['packageManager pnpm', packageJson.packageManager.match(/^pnpm@(.+)$/)?.[1], tools.pnpm, 'mise pnpm'],
-  ['devEngines.packageManager.version', packageJson.devEngines.packageManager.version, tools.pnpm, 'mise pnpm']
+  ['package engines.node', packageJson.engines?.node, tools.node, 'mise node'],
+  [
+    'packageManager pnpm',
+    typeof packageJson.packageManager === 'string'
+      ? packageJson.packageManager.match(/^pnpm@(.+)$/)?.[1]
+      : undefined,
+    tools.pnpm,
+    'mise pnpm'
+  ],
+  [
+    'devEngines.packageManager.version',
+    packageJson.devEngines?.packageManager?.version,
+    tools.pnpm,
+    'mise pnpm'
+  ]
 ];

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/internals/ci/ci-validate.js` around lines 13 - 15, The package.json
field reads in the validator are not null-safe, so missing fields can throw
before mismatch reporting. Update the comparisons in ci-validate.js to safely
access packageJson.engines.node, packageJson.packageManager, and
packageJson.devEngines.packageManager.version using optional chaining or
equivalent guards, and make the packageManager regex extraction resilient when
packageManager is absent. Keep the existing validation flow in the same loop so
the script still reports mismatches instead of crashing.

package.json (1)

341-341: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Wait for the Playwright install to finish.

The subshell still exits after vale sync, so the backgrounded browser download can be interrupted during local prepare.

Proposed fix

-      "command": "test -n \"$CI\" || (pnpm run playwright & node .husky/install.mjs ; vale sync)"
+      "command": "test -n \"$CI\" || (pnpm run playwright & node .husky/install.mjs ; vale sync ; wait)"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 341, The prepare command in package.json backgrounds
the Playwright install, so the subshell can finish before the browser download
completes. Update the command string for the CI guard to wait for the pnpm run
playwright process before exiting, while keeping the node .husky/install.mjs and
vale sync steps intact. Use the existing prepare script entry and its command
value as the place to fix this.

.agents/hooks/lib/node-env.sh (1)

38-41: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Guard each helper cd before invoking mise.

Line 39, Line 53, and Line 63 still execute after a failed directory change, so these shared helpers can probe or run commands in the caller's current directory instead of the intended project. That affects every downstream hook using hook_mise_exec/hook_mise_run.

Suggested fix

   (
-    cd "$project_root"
+    cd "$project_root" || exit 1
     "$MISE_BIN" exec -- node --version >/dev/null
     "$MISE_BIN" exec -- pnpm --version >/dev/null
   ) || {
@@
   (
-    cd "$working_dir"
+    cd "$working_dir" || exit 1
     "$MISE_BIN" exec -- "$@"
   )
@@
   (
-    cd "$working_dir"
+    cd "$working_dir" || exit 1
     "$MISE_BIN" run "$@"
   )

Also applies to: 52-65

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.agents/hooks/lib/node-env.sh around lines 38 - 41, Each helper block in
node-env.sh that wraps a cd before calling mise still continues even if the
directory change fails, which can make hook_mise_exec and hook_mise_run run in
the wrong directory. Update the shared helper functions that contain the cd
grouping so they explicitly stop or return on cd failure before invoking
"$MISE_BIN" exec/run, and apply the same guard consistently in the helper paths
referenced by hook_mise_exec and hook_mise_run.

Source: Linters/SAST tools

.husky/mise.sh (1)

1-1: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Declare the sourced shell for ShellCheck.

This file is sourced by Husky hooks, so ShellCheck cannot infer the dialect and will keep reporting SC2148 until it has a shell directive.

Suggested fix

+# shellcheck shell=sh
 resolve_mise_bin() {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.husky/mise.sh at line 1, The sourced hook script is missing an explicit
shell directive, so ShellCheck cannot determine the dialect and reports SC2148.
Add the appropriate shell declaration at the top of the Husky helper script and
keep the existing resolve_mise_bin logic unchanged. This should make the shell
source unambiguous for ShellCheck while preserving the current behavior.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.agents/hooks/pre-tool-use-bash.sh:
- Around line 10-12: The pre-tool hook is inferring NVE_AGENT=isolated from the
host OS in the pre-tool-use bash script, which can accidentally switch blocked
git operations into the warning-only path. Update the logic around HOOK_OS and
handle_blocked_operation so isolation is determined only from an explicit
environment signal, not from uname -s or any default non-Darwin fallback. Keep
the existing blocked-command handling intact, but remove the OS-based
auto-export and use the NVE_AGENT check as the sole source of truth.

In `@projects/site/src/_11ty/plugins/llms-txt.js`:
- Line 11: `getContextUrl()` is still using the old `./.11ty-vite/public`
fallback, which no longer matches the default public root from
`getPublicOutputPath()`. Update the default root used in `getContextUrl()` to
the same value as `DEFAULT_PUBLIC_OUTPUT_PATH` in `llms-txt.js`, and ensure the
path resolution logic for omitted third arguments stays aligned so callers under
`dist/public` generate the correct relative URL.
- Around line 108-112: The CDN fragment is generated in the llms-txt plugin but
never included in the full archive assembly, so update the full-content path in
llms-txt.js to append the CDN markdown alongside the other integration
fragments. Make the change in the full archive build logic that constructs
fullContent, and ensure the new CDN doc produced by the context/integrations/cdn
writeContextDoc step is referenced there so both llms-full.txt and
context/full.md include it.

In `@projects/site/src/_11ty/shortcodes/index.js`:
- Around line 37-38: Update the region label in the shortcode markup so it
matches the currently rendered navigation options. The region announced by the
wrapper around the link group should no longer say only “CLI or MCP” once the
CDN link is included; adjust the accessible label/text in the relevant shortcode
template so users of screen readers hear all three options, including CDN, when
they enter the region.

---

Duplicate comments:
In @.agents/hooks/lib/node-env.sh:
- Around line 38-41: Each helper block in node-env.sh that wraps a cd before
calling mise still continues even if the directory change fails, which can make
hook_mise_exec and hook_mise_run run in the wrong directory. Update the shared
helper functions that contain the cd grouping so they explicitly stop or return
on cd failure before invoking "$MISE_BIN" exec/run, and apply the same guard
consistently in the helper paths referenced by hook_mise_exec and hook_mise_run.

In @.husky/mise.sh:
- Line 1: The sourced hook script is missing an explicit shell directive, so
ShellCheck cannot determine the dialect and reports SC2148. Add the appropriate
shell declaration at the top of the Husky helper script and keep the existing
resolve_mise_bin logic unchanged. This should make the shell source unambiguous
for ShellCheck while preserving the current behavior.

In `@AGENTS.md`:
- Around line 39-44: The bootstrap instructions mix the fallback path note with
bare mise commands, so first-run setup can still fail when mise is not on PATH.
Update the setup snippet in AGENTS.md to use the same fallback path consistently
for the trust and setup steps, referencing the bootstrap commands around curl,
mise trust, and mise run setup so the flow works even before PATH is updated.

In `@package.json`:
- Line 341: The prepare command in package.json backgrounds the Playwright
install, so the subshell can finish before the browser download completes.
Update the command string for the CI guard to wait for the pnpm run playwright
process before exiting, while keeping the node .husky/install.mjs and vale sync
steps intact. Use the existing prepare script entry and its command value as the
place to fix this.

In `@projects/internals/BUILD.md`:
- Around line 122-124: The mise link in the BUILD.md toolchain section points to
a dead site, so update the existing markdown reference to the official mise
documentation URL. Keep the surrounding text about `mise.toml`, `Node.js`,
`pnpm`, `Vale`, `Go`, and `Git LFS` unchanged, and just replace the outdated
link target for the `mise` reference.

In `@projects/internals/ci/ci-validate.js`:
- Around line 13-15: The package.json field reads in the validator are not
null-safe, so missing fields can throw before mismatch reporting. Update the
comparisons in ci-validate.js to safely access packageJson.engines.node,
packageJson.packageManager, and packageJson.devEngines.packageManager.version
using optional chaining or equivalent guards, and make the packageManager regex
extraction resilient when packageManager is absent. Keep the existing validation
flow in the same loop so the script still reports mismatches instead of
crashing.

In `@README.md`:
- Around line 39-41: The bootstrap steps in the README are outdated and
incomplete: the setup instructions still reference the dead mise.en.dev link and
omit the required trust step before running setup. Update the README bootstrap
block to point contributors at the current Mise documentation and ensure the
sequence includes trusting the local config before invoking the setup command,
using the existing bootstrap commands as the reference point.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: d624bf0f-d501-4774-982c-29909e6cb911

📥 Commits

Reviewing files that changed from the base of the PR and between 3bf51ef and 3182551.

⛔ Files ignored due to path filters (2)

• mise.lock is excluded by !**/*.lock
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (37)

• .agents/hooks/lib/node-env.sh
• .agents/hooks/post-tool-use-edit-write.sh
• .agents/hooks/pre-tool-use-bash.sh
• .agents/hooks/pre-tool-use-edit-write.sh
• .agents/hooks/session-start.sh
• .agents/hooks/stop.sh
• .github/actions/setup-ci/action.yml
• .github/workflows/ci.yml
• .gitignore
• .husky/commit-msg
• .husky/mise.sh
• .husky/post-checkout
• .husky/post-commit
• .husky/post-merge
• .husky/pre-commit
• .husky/pre-push
• .nvmrc
• AGENTS.md
• README.md
• config/docker/ci.dockerfile
• config/vale/install.mjs
• knip.config.js
• mise.toml
• package.json
• pnpm-workspace.yaml
• projects/internals/BUILD.md
• projects/internals/ci/ci-validate.js
• projects/site/eleventy.config.js
• projects/site/src/_11ty/plugins/llms-txt.js
• projects/site/src/_11ty/plugins/llms-txt.test.ts
• projects/site/src/_11ty/shortcodes/index.js
• projects/site/src/docs/internal/guidelines/troubleshooting.md
• projects/starters/go-htmx/package.json
• projects/starters/go-htmx/src/index.html
• projects/starters/go/package.json
• projects/starters/go/src/index.html
• projects/starters/package.json

💤 Files with no reviewable changes (2)

• config/docker/ci.dockerfile
• config/vale/install.mjs

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n --hidden 'NVE_AGENT|CURSOR_AGENT|CURSOR_SANDBOX|isolated' .agents .husky AGENTS.md

Repository: NVIDIA/elements

Length of output: 528

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the hook with line numbers around the relevant logic.
sed -n '1,120p' .agents/hooks/pre-tool-use-bash.sh | cat -n

# Look for any other source of NVE_AGENT or isolation detection in the repo.
rg -n --hidden 'NVE_AGENT|CURSOR_AGENT|CURSOR_SANDBOX|isolated VM|warning instead of blocking|explicit confirmation' .

Repository: NVIDIA/elements

Length of output: 4524

---

Don’t infer isolated from the host OS. handle_blocked_operation() turns NVE_AGENT=isolated into a warning-only path, so any non-Darwin machine without an explicit NVE_AGENT bypasses blocking for destructive git commands. Use an actual environment signal instead. (lines 10-12, 41-45)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.agents/hooks/pre-tool-use-bash.sh around lines 10 - 12, The pre-tool hook
is inferring NVE_AGENT=isolated from the host OS in the pre-tool-use bash
script, which can accidentally switch blocked git operations into the
warning-only path. Update the logic around HOOK_OS and handle_blocked_operation
so isolation is determined only from an explicit environment signal, not from
uname -s or any default non-Darwin fallback. Keep the existing blocked-command
handling intact, but remove the OS-based auto-export and use the NVE_AGENT check
as the sole source of truth.

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Align getContextUrl()'s default root with getPublicOutputPath().

Line 43 still falls back to ./.11ty-vite/public, but Line 39 now defines the default public root as dist/public. Any caller that omits the third argument and passes a path under dist/public will generate a malformed ../../../dist/... URL.

Proposed fix

-const DEFAULT_PUBLIC_OUTPUT_PATH = './.11ty-vite/public';
-
 export function getPublicOutputPath(directories = {}) {
   return nodePath.join(directories.output ?? 'dist', 'public');
 }
 
-export function getContextUrl(filePath, extension, publicOutputPath = DEFAULT_PUBLIC_OUTPUT_PATH) {
+export function getContextUrl(filePath, extension, publicOutputPath = getPublicOutputPath()) {
   return getSiteUrl(`/${nodePath.relative(publicOutputPath, filePath).split(nodePath.sep).join('/')}${extension}`);
 }

Also applies to: 43-45

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/site/src/_11ty/plugins/llms-txt.js` at line 11, `getContextUrl()` is
still using the old `./.11ty-vite/public` fallback, which no longer matches the
default public root from `getPublicOutputPath()`. Update the default root used
in `getContextUrl()` to the same value as `DEFAULT_PUBLIC_OUTPUT_PATH` in
`llms-txt.js`, and ensure the path resolution logic for omitted third arguments
stays aligned so callers under `dist/public` generate the correct relative URL.

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Include the CDN fragment in the full archive outputs.

Lines 108-112 generate context/integrations/cdn, but Lines 155-167 never append that markdown to fullContent. llms-full.txt and context/full.md therefore omit the new CDN doc even though llms.txt advertises them as the complete archive.

Proposed fix

   const cdnReadme = await fsp.readFile('./src/docs/integrations/cdn.md', 'utf-8');
+  const cdnContent = `# CDN\n\n${cdnReadme.split('# {{ title }}')[1].trim()}`;
   await writeContextDoc(
     nodePath.join(publicOutputPath, 'context', 'integrations', 'cdn'),
-    `# CDN\n\n${cdnReadme.split('# {{ title }}')[1].trim()}`
+    cdnContent
   );
@@
   const fullContent = [
     content,
     cliReadme,
     lintReadme,
+    cdnContent,
     skillsContent,
     ...skillMarkdown,
     apiContent,

Also applies to: 155-169

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/site/src/_11ty/plugins/llms-txt.js` around lines 108 - 112, The CDN
fragment is generated in the llms-txt plugin but never included in the full
archive assembly, so update the full-content path in llms-txt.js to append the
CDN markdown alongside the other integration fragments. Make the change in the
full archive build logic that constructs fullContent, and ensure the new CDN doc
produced by the context/integrations/cdn writeContextDoc step is referenced
there so both llms-full.txt and context/full.md include it.

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Keep the region label in sync with the visible links.

Line 27 still announces “CLI or MCP”, but Lines 37-38 add a third CDN option. Screen-reader users will not hear that this region also exposes CDN install guidance.

Proposed fix

-<div nve-layout="column gap:xs" role="region" aria-label="AI Agent API access via CLI or MCP">
+<div nve-layout="column gap:xs" role="region" aria-label="AI Agent API access via CLI, MCP, or CDN">

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	<span nve-text="body sm muted">/</span>
	<a href="/docs/integrations/cdn/" nve-text="body sm muted">CDN</a>
	<div nve-layout="column gap:xs" role="region" aria-label="AI Agent API access via CLI, MCP, or CDN">

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@projects/site/src/_11ty/shortcodes/index.js` around lines 37 - 38, Update the
region label in the shortcode markup so it matches the currently rendered
navigation options. The region announced by the wrapper around the link group
should no longer say only “CLI or MCP” once the CDN link is included; adjust the
accessible label/text in the relevant shortcode template so users of screen
readers hear all three options, including CDN, when they enter the region.