refactor: replace Bun.build with fossilize for Node SEA binaries (#1003)

## Phase 6: Replace Bun Binary Compilation with Fossilize

Final phase of the Bun → Node.js migration. Replaces `Bun.build({
compile: true })` with [fossilize](https://github.com/BYK/fossilize) for
producing Node SEA (Single Executable Application) binaries. This
completely removes Bun from the codebase.

### Architecture Change

```
BEFORE:
  src/bin.ts → [esbuild ESM] → dist-bin/bin.js → [Bun.build compile] → binary

AFTER:
  src/bin.ts → [esbuild CJS] → dist-build/bin.js → [fossilize --no-bundle] → binary
```

### Changes

**Build script (`script/build.ts`):**
- Replaced `Bun.build({ compile: true })` with `npx fossilize
--no-bundle`
- Switched esbuild format from ESM to CJS (Node SEA requirement)
- Added `import-meta-url.js` inject + define for CJS compatibility
- Target `node22` (downlevels `using` declarations unsupported in CJS)
- Removed sourcemap backup/restore dance (fossilize doesn't generate its
own map)
- Separated build output (`dist-build/`) from fossilize output
(`dist-bin/`)
- Replaced all `Bun.$`, `Bun.file`, `Bun.write` with Node.js equivalents
- Dropped musl targets (Node doesn't publish musl/Alpine binaries)

**Ink sidecar (`src/lib/init/ui/ink-ui.ts`):**
- Added `node:sea.getAsset()` runtime path for SEA binaries
- Sidecar embedded via fossilize `--assets` flag
- Extracts to temp file and `import()`s at runtime
- Dev and npm bundle paths unchanged

**SQLite (`src/lib/db/sqlite.ts`):**
- Removed `bun:sqlite` try/catch fallback — Node-only now

**Binary entry (`src/bin.ts`):**
- Suppresses `ExperimentalWarning: SQLite is an experimental feature`

**CI (`.github/workflows/ci.yml`):**
- Removed `setup-bun` entirely (no more Bun in CI)
- Added `rcodesign` v0.29.0 installation for macOS code signing from
Linux
- Added Apple cert/key environment setup (matches Spotlight's approach)
- `FOSSILIZE_SIGN` env var controls signing (enabled on main/release
pushes)
- Dropped musl targets from build matrix (7 → 5 targets)

**Other cleanup:**
- Removed `Bun` from `biome.jsonc` globals
- Updated `package.json` build scripts: `bun run` → `pnpm tsx`
- Added `dist-build/` to `.gitignore` and biome excludes
- `text-import-plugin`: file imports return path string for all formats
(no more ESM external for Bun.compile)

### Benchmark Results

| Mode | Avg Startup | Notes |
|------|------------|-------|
| Baseline (no cache) | ~870ms | Current approach |
| useCodeCache | ~740ms | ~15% faster (same-platform only) |
| useSnapshot | N/A | Crashes — too many unsupported modules |

Code cache improvement deferred — requires fossilize PR to support
per-platform `useCodeCache`.

### What's Gone
- `setup-bun` from CI
- `bun:sqlite` fallback
- `Bun.build()` / `Bun.$` / `Bun.file` / `Bun.write` in build script
- `Bun` global declaration
- musl binary targets

### Testing
- Local build succeeds on Linux x64 (Node SEA via fossilize)
- Binary runs `--help` and `--version` correctly
- No SQLite warning in output
- binpunch ICU hole-punching works on Node SEA binaries

Author: BYK

.github/workflows/ci.yml

@@ -75,21 +75,19 @@ jobs:
           {
             echo 'matrix<<MATRIX_EOF'
             if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              # PRs build linux-x64 (smoke test + e2e) and linux-x64-musl (Alpine smoke test)
+              # PRs build linux-x64 (smoke test + e2e)
               echo '{"include":[
-                {"target":"linux-x64",      "os":"ubuntu-latest", "can-test":true},
-                {"target":"linux-x64-musl", "os":"ubuntu-latest", "can-test":false}
+                {"target":"linux-x64", "os":"ubuntu-latest", "can-test":true}
               ]}'
             else
-              # main, release/**, workflow_call: full cross-platform matrix
+              # main, release/**, workflow_call: full cross-platform matrix.
+              # All targets cross-compiled from ubuntu-latest via fossilize.
               echo '{"include":[
-                {"target":"darwin-arm64",      "os":"macos-latest",  "can-test":true},
-                {"target":"linux-x64",         "os":"ubuntu-latest", "can-test":true},
-                {"target":"linux-x64-musl",    "os":"ubuntu-latest", "can-test":false},
-                {"target":"windows-x64",       "os":"windows-latest","can-test":true},
-                {"target":"darwin-x64",        "os":"macos-latest",  "can-test":false},
-                {"target":"linux-arm64",       "os":"ubuntu-latest", "can-test":false},
-                {"target":"linux-arm64-musl",  "os":"ubuntu-latest", "can-test":false}
+                {"target":"darwin-arm64",  "os":"ubuntu-latest", "can-test":false},
+                {"target":"linux-x64",     "os":"ubuntu-latest", "can-test":true},
+                {"target":"windows-x64",   "os":"ubuntu-latest", "can-test":false},
+                {"target":"darwin-x64",    "os":"ubuntu-latest", "can-test":false},
+                {"target":"linux-arm64",   "os":"ubuntu-latest", "can-test":false}
               ]}'
             fi
             echo 'MATRIX_EOF'
@@ -246,9 +244,6 @@ jobs:
       matrix: ${{ fromJSON(needs.changes.outputs.build-targets) }}
     steps:
       - uses: actions/checkout@v6
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: "1.3.13"
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v6
         with:
@@ -262,6 +257,28 @@ jobs:
         if: steps.cache.outputs.cache-hit != 'true'
         shell: bash
         run: pnpm install --frozen-lockfile
+      - name: Setup codesign dependencies
+        env:
+          APPLE_CERT_DATA: ${{ secrets.CSC_LINK }}
+          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
+        run: |
+          curl -L 'https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.29.0/apple-codesign-0.29.0-x86_64-unknown-linux-musl.tar.gz' -o 'rcodesign.tar.gz'
+          echo 'dbe85cedd8ee4217b64e9a0e4c2aef92ab8bcaaa41f20bde99781ff02e600002 rcodesign.tar.gz' | sha256sum -c
+          tar -xzf rcodesign.tar.gz --strip-components=1
+          mv rcodesign /usr/local/bin/rcodesign
+          rm rcodesign.tar.gz
+          if [ -n "$APPLE_CERT_DATA" ]; then
+            echo "$APPLE_CERT_DATA" | base64 --decode > /tmp/certs.p12
+            echo 'APPLE_CERT_PATH=/tmp/certs.p12' >> $GITHUB_ENV
+          fi
+          if [ -n "$APPLE_API_KEY" ]; then
+            echo "$APPLE_API_KEY" | base64 -d > /tmp/apple_key.json
+            cat /tmp/apple_key.json | jq .private_key -r > /tmp/apple_key.pem
+            echo "APPLE_API_KEY_ISSUER_ID=$(cat /tmp/apple_key.json | jq .issuer_id -r | tr -d '\n\r')" >> $GITHUB_ENV
+            echo "APPLE_API_KEY_ID=$(cat /tmp/apple_key.json | jq .key_id -r | tr -d '\n\r')" >> $GITHUB_ENV
+            echo "APPLE_API_KEY_P8_PATH=/tmp/apple_key.pem" >> $GITHUB_ENV
+            echo 'APPLE_API_KEY_PATH=/tmp/apple_key.json' >> $GITHUB_ENV
+          fi
       - name: Set nightly version
         # Inject the nightly version (computed once in the changes job) into
         # package.json before the build so it gets baked into the binary.
@@ -278,7 +295,11 @@ jobs:
           SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
           # Set on main/release branches so build.ts runs binpunch + creates .gz
           RELEASE_BUILD: ${{ github.event_name != 'pull_request' && '1' || '' }}
-        run: bun run build --target ${{ matrix.target }}
+          # Codesigning: only on main/release pushes (fork PRs lack secrets)
+          FOSSILIZE_SIGN: ${{ github.event_name == 'push' && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/')) && 'y' || 'n' }}
+          APPLE_CERT_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          APPLE_TEAM_ID: ${{ vars.APPLE_TEAM_ID }}
+        run: pnpm run build -- --target ${{ matrix.target }}
       - name: Smoke test
         if: matrix.can-test
         shell: bash
@@ -288,11 +309,6 @@ jobs:
           else
             ./dist-bin/sentry-${{ matrix.target }} --help
           fi
-      - name: Smoke test (musl/Alpine)
-        if: matrix.target == 'linux-x64-musl'
-        run: |
-          docker run --rm -v "$PWD/dist-bin:/dist-bin:ro" alpine:latest \
-            sh -c "apk add --no-cache libstdc++ libgcc >/dev/null 2>&1 && /dist-bin/sentry-linux-x64-musl --help"
       - name: Upload binary artifact
         uses: actions/upload-artifact@v7
         with:

.github/workflows/docs-preview.yml

@@ -33,9 +33,6 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: "1.3.13"
       - uses: pnpm/action-setup@v4
 
       # Astro 6 requires Node >= 22.12. Pin an explicit version so the docs
@@ -58,7 +55,7 @@ jobs:
         run: echo "version=$(node -p 'require("./package.json").version')" >> "$GITHUB_OUTPUT"
 
       - name: Generate docs content
-        run: bun run generate:schema && bun run generate:docs
+        run: pnpm run generate:schema && pnpm run generate:docs
 
       - name: Build Docs for Preview
         working-directory: docs
@@ -70,8 +67,8 @@ jobs:
           SENTRY_RELEASE: ${{ steps.version.outputs.version }}
           PUBLIC_SENTRY_RELEASE: ${{ steps.version.outputs.version }}
         run: |
-          bun install --frozen-lockfile
-          bun run build
+          pnpm install --frozen-lockfile
+          pnpm run build
 
       - name: Inject debug IDs and upload sourcemaps
         if: env.SENTRY_AUTH_TOKEN != ''
@@ -80,8 +77,8 @@ jobs:
           SENTRY_ORG: sentry
           SENTRY_PROJECT: cli-website
         run: |
-          bun run --bun src/bin.ts sourcemap inject docs/dist/
-          bun run --bun src/bin.ts sourcemap upload docs/dist/ \
+          pnpm run cli sourcemap inject docs/dist/
+          pnpm run cli sourcemap upload docs/dist/ \
             --release "${{ steps.version.outputs.version }}" \
             --url-prefix "~/"
 

.github/workflows/eval-skill-fork.yml

@@ -36,9 +36,6 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: "1.3.13"
       - uses: pnpm/action-setup@v4
 
       - uses: actions/cache@v5
@@ -50,11 +47,11 @@ jobs:
         run: pnpm install --frozen-lockfile
 
       - name: Generate docs and skill files
-        run: bun run generate:schema && bun run generate:docs
+        run: pnpm run generate:schema && pnpm run generate:docs
 
       - name: Eval SKILL.md
         id: eval
-        run: bun run eval:skill
+        run: pnpm run eval:skill
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
         continue-on-error: true

.gitignore

@@ -6,6 +6,7 @@ package-lock.json
 out
 dist
 dist-bin
+dist-build
 *.tgz
 
 # fossilize build cache