chore(todo): close 3 follow-ups (preset 0.12, biome cleanup, parser CC refactor)

Author: oorabona

TODO.md

@@ -14,15 +14,15 @@ _None._
 
 ## Pending - LOW (Nice to Have)
 
-- [ ] ⏸️ 💡 [Release] **release-it-preset upstream — package-aware tag baseline for monorepo workspaces** — tracked as [oorabona/release-it-preset#21](https://github.com/oorabona/release-it-preset/issues/21) (driven from a separate CC session in the preset repo). `populate-unreleased-changelog.js` currently uses `latestTag` (last GPG-signed root tag) as the `since` baseline ; needs to detect the last `chore(<pkg>): release v*` commit on the same branch when run from a subdirectory. Empirical baseline : nxz-cli@6.1.0 captured commits from #108, #115, and `adfbc99` that didn't belong. Once shipped, reset retroactive curation cost to zero on future tar-xz/nxz releases.
 - [ ] [Release] Consider `engines.node` bump from `>=22.0.0` to `>=22.13.0` when 22.0–22.12 usage drops — surfaced by Copilot round 2 on PR #116 ; deferred because library itself runs fine on 22.0+, the 22.13 floor only applies to the dev/release toolchain (release-it@20). Re-evaluate if anyone reports install warnings.
-- [ ] [Lint] Single residual biome warning: `test/node-api.spec.ts:249` (`suppressions/unused` — pre-existing biome-ignore that no longer suppresses anything). Cosmetic 1-line cleanup for a future PR.
-- [ ] 🔧 [Refactor] `parseCliArgs` cognitive complexity 17 (cap 15) — biome warning, surfaced by pre-push opus review on PR #117. Not introduced by #117 (pre-existing on the function ; nxz CLI parsing has accumulated branches). Out-of-scope for #26. Candidate for a small refactor PR : extract per-flag handlers OR split the function into compress/decompress/tar branches.
 <!-- F-002 (HARDLINK + undefined linkname → TypeError) DROPPED 2026-04-29 by Copilot round-2 review on PR #115: TarEntry.linkname is typed as required string (parser returns '' for empty fields), and ensureSafeLinkname → ensureSafeName already rejects '' with "empty linkname" before reaching resolve(). The original concern was mischaracterized — there is no path where resolve(cwd, undefined) gets called with undefined. -->
 
 
 ## Completed
 
+- [x] ✅ [Refactor] **`parseMemlimitSize` cognitive complexity 17 → 2** (PR #120 squash `43c4d25`, 2026-04-30). Pure refactor in `packages/nxz/src/memlimit.ts` : extract-method on the previously dense parser ; three private helpers (`isZeroSynonym` CC=2, `parseSuffixed` CC=3, `parsePlainBytes` CC=1) + module-scope hoisting of multiplier maps and regex literals. Main function becomes a thin coordinator with a `??`-chain across the three branches. 29/29 vitest cases pass byte-identical (decimal rejection, mixed-case suffix, all-zero forms, whitespace, arbitrary-precision values >UINT64_MAX). Net diff +50/-48. Repo is now biome-clean (0 warnings). Closes the last Pending-LOW followup from #117 pre-push opus review.
+- [x] ✅ [Lint] **Drop dead biome suppression in tar-xz node-api spec** (PR #119 squash `49c7f14`, 2026-04-30). Removed 1 line — the `// biome-ignore lint/suspicious/noEmptyBlockStatements: intentional drain` above a `for await` drain loop whose body has a `/* drain */` comment that satisfies biome's check. Verified post-removal : `noEmptyBlockStatements` does not fire ; 0 new warnings.
+- [x] ✅ [Release] **release-it-preset upstream tag baseline fix consumed** — bumped `@oorabona/release-it-preset` 0.11.0 → 0.12.0 (PR #118 squash `7ac6d05`, 2026-04-30). Consumes upstream issue [oorabona/release-it-preset#21](https://github.com/oorabona/release-it-preset/issues/21) → PR #22 (squash `d117cad`). New `resolveSinceBaseline()` detects per-package release commits matching `chore(<pkg>): release v*` and uses their SHA as the `since` baseline when `GIT_CHANGELOG_PATH` is set. Future workspace releases (`tar-xz`, `nxz-cli`) auto-scope CHANGELOG entries — eliminates the manual curation that nxz-cli@6.1.0 needed (commit `9e30af4`). Empirical dry-run from `packages/nxz/` produces zero diff (resolver correctly stops at `ecff028 chore(nxz-cli): release v6.1.0`).
 - [x] ✅ [Release] **#26 — nxz-cli `--memlimit-decompress` + 6.1.0 release — closed** (PR #117 squash `2e3c25f`, release commit `ecff028`, npm published 2026-04-30). Pivoted from a metadata-only visibility bump to a real minor with new user-facing capability after audit revealed nxz CLI never surfaced the `LZMAOptions.memlimit` already supported by the library (PRs #111 WASM + #112 Native). New `--memlimit-decompress <SIZE>` CLI flag mirrors `xz` standard : integer mantissa, IEC (1024-based) and SI (1000-based) suffixes, all-zero forms (`0`, `0MiB`, `max`) → no limit, decimal mantissa rejected for parity. Helper `parseMemlimitSize(s: string): bigint | undefined` extracted to `packages/nxz/src/memlimit.ts` (side-effect-free, importable by tests). 36 vitest cases (29 direct parser + 7 CLI binary), 707 tests across workspace. **Review trail** : opus + Codex parallel (Copilot quota exhausted ; Codex substituted via `llm-delegate.sh --codex --mode review`) ; R1 found 1 S (decimal precision elevated by Codex) + 4 M ; fix-round 1 closed S/M-1/M-2/M-3 ; Codex R2 found M-4 (test imports CLI module that auto-runs main) ; fix-round 2 extracted helper to standalone module ; pre-push opus on cumulative 3-commit state returned SAFE-TO-PUSH ; admin-merged. CHANGELOG curated post-release : populate-script picked up too much history (uses root `latestTag` baseline rather than last per-package release — tracked as upstream follow-up TODO). Transitive notes added manually for tar-xz@6.1.0 streaming + Win32 TOCTOU benefits.
 - [x] ✅ [Release] **#25 — Per-package CHANGELOG scoping (release-it) — closed** (PR #116 squash `68d6d91`, 2026-04-30). Future workspace-package releases (`tar-xz`, `nxz-cli`) produce CHANGELOGs scoped to commits whose diffs touch their own subtree. **Phase 1** : upstream `oorabona/release-it-preset` v0.11.0 (commit `0b4f857`) added opt-in `GIT_CHANGELOG_PATH` env var + 9 vitest cases incl. security validation (rejects `../`, absolute paths, shell metacharacters). **Phase 2** (this PR) : bumped preset 0.9.0 → 0.11.0, bumped `release-it` 19.2.4 → 20.0.1 to satisfy preset peerDep (Copilot M round 1), wired `GIT_CHANGELOG_PATH=.` inline on the workspace bump step in `release.yml` after `cd "$PKG_DIR"` (the `.` resolves to the package's own subtree), removed dormant changesets pipeline (workflow + `.changeset/` + 2 devDeps + ~90 transitive lockfile entries). Net diff : 7 files, +279/-1011 (-732 lines after fix-round 1 lockfile). Senior reviewer opus pre-push verdict : SAFE-TO-MERGE 0 S/0 M/3 L. 2 Copilot review rounds : R1=2 findings (1 M peer dep + 2 L cosmetic), R2=1 L (engines.node) classified-and-rejected with rationale on PR thread. Resolves "changesets vs release-it" architecture question raised 2026-04-27 (`adfbc99`) → cleanup `4d24fde` left noise problem unsolved. Body-fragment parser issue tracked separately upstream as v0.11+ "Out-of-scope follow-up" in preset's TODO.
 - [x] ✅ [Refactor] **Biome warnings sweep + cognitive-complexity extract-method — story REFACTOR-BIOME-2026-04-29 closed** (PR #115 squash `ad2e18f`, 2026-04-29). Pure refactor sweep across the workspace: **63 → 1 biome warnings (-98.4%)**. 5 phases: biome --write auto-fix (Phase 2, -23), manual noNonNullAssertion + cycle-ignore + useForOf (Phases 3+4, -26), test extract-method (Phase 5a, -8), low-risk src extract (Phase 5b-1, -3), HIGH-RISK security/streaming src extract (Phase 5b-2, -2). 11 helpers extracted in Phase 5b-2 alone (extractSymlinkEntry, extractHardlinkEntry, openFileExclusive, writeFileEntryPosix/Win32, writeFileEntry, ensureSafeLinkname for file.ts; nextParseEvent, drainEntryChunks, drainSkippedEntry, createEntryDataPull for extract.ts). Win32 TOCTOU contract preserved byte-identical (em-dash U+2014 in security error verbatim). Pre-push opus senior-review verdict: SAFE-TO-PUSH. **6 Copilot review rounds, 13 findings folded** (1→3→1→1→2→3 — last 3 were L-only comment-precision; class breakdown: 5 fail-fast invariant patterns, 2 doc/comment drift, 2 type-narrowing semantics, 4 stale doc pointers). 671 tests stable throughout. 1 residual warning is pre-existing unrelated (`test/node-api.spec.ts:249`). Net diff: 20 files / +808/-499. ~3h wall-clock.
@@ -82,12 +82,12 @@ _None_
 |----------|-------|--------|
 | HIGH | 0 | Cleared |
 | MEDIUM | 0 | Cleared (#25 + #26 closed) |
-| LOW | 4 | populate-script tag baseline upstream ; engines.node bump consideration ; biome residual ; parseCliArgs CC refactor |
+| LOW | 1 | engines.node bump consideration (deferred — wait-and-see) |
 
-**Last merge:** PR #117 squash `2e3c25f` (2026-04-30) — `feat(nxz)`: `--memlimit-decompress` flag for CLI memory cap during decompression.
+**Last merge:** PR #120 squash `43c4d25` (2026-04-30) — `refactor(nxz)`: split `parseMemlimitSize` via extract-method (CC 17→2) ; repo now biome-clean.
 **Last release:** `nxz-cli@6.1.0` (release commit `ecff028`, npm published 2026-04-30) — first real feature minor since 6.0.0.
-**Last audit:** opus pre-push SAFE-TO-PUSH on PR #117 cumulative (0 S/0 M/2 L). Codex (substituted for Copilot — quota out) caught 1 S decimal/precision elevation in R1 and 1 M test-import in R2 ; fix-rounds 1+2 resolved cleanly.
-**Last story:** #26 — nxz `--memlimit-decompress` + 6.1.0 release — pivoted from metadata-only bump to real minor feature ; ~3h wall-clock incl. 2 fix-rounds + cross-LLM review.
+**Last audit:** all post-#117 follow-ups merged (PR #118 preset 0.12.0 ; PR #119 dead biome-ignore removal ; PR #120 parseMemlimitSize CC refactor). Repo is biome-clean (0 warnings) and 707 tests green.
+**Last story arc:** #25 + #26 + 4 follow-ups end-to-end — per-package CHANGELOG scoping (cross-repo) → `--memlimit-decompress` feature → release v6.1.0 → upstream tag-baseline fix consumption → biome cleanup → parser CC refactor. Cross-LLM reviewing pattern (Codex substituted for Copilot quota) rodé.
 
 **Independent versioning matrix (npm):**