build: restore libc discriminator on linux lockfile entries (#1163)

* build: restore libc discriminator on linux lockfile entries

npm 11 silently strips the `libc` field from @optave/codegraph-linux-*
entries in package-lock.json on `npm install`, even though the published
packages declare it correctly. Without the discriminator, npm cannot tell
linux-x64-gnu apart from linux-x64-musl when resolving the lockfile, so
the wrong native binary may load on Alpine/musl hosts.

Restore the field and add a CI guard (run before `npm install` in the
lint job) that fails any PR which lands a lockfile missing the
discriminator — Dependabot bumps and contributor installs would
otherwise silently regress this again.

Closes #1160

* fix: resolve lockfile path relative to script location (#1163)

Use import.meta.url to find package-lock.json regardless of the
process CWD. Previously running 'node scripts/verify-lockfile-libc.mjs'
from the scripts/ subdirectory failed with a confusing ENOENT instead
of running the actual check.

Author: carlos-alm

.github/workflows/ci.yml

@@ -21,6 +21,13 @@ jobs:
         with:
           node-version: 22
 
+      # Runs before `npm install` because npm 11 silently strips the `libc`
+      # field from optional-dependency lockfile entries (see #1160). If the
+      # check ran post-install we'd flag every CI run instead of the PRs that
+      # actually introduce the regression.
+      - name: Verify lockfile libc discriminators
+        run: node scripts/verify-lockfile-libc.mjs
+
       - name: Install dependencies
         timeout-minutes: 20
         shell: bash

package-lock.json

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+// Verifies that @optave/codegraph-linux-* entries in package-lock.json declare
+// the `libc` discriminator. npm 11 silently strips this field when generating
+// the lockfile on non-Linux hosts (and sometimes on Linux too), even though the
+// published packages declare it. Without it, npm cannot disambiguate
+// linux-x64-gnu vs linux-x64-musl when resolving from the lockfile and may
+// install (or load) the wrong native binary on Alpine/musl hosts.
+//
+// Run via `npm run lint` (or directly) in CI to catch silent regressions from
+// Dependabot bumps and contributor `npm install` runs.
+import { readFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const EXPECTED_LIBC = {
+  '@optave/codegraph-linux-arm64-gnu': 'glibc',
+  '@optave/codegraph-linux-x64-gnu': 'glibc',
+  '@optave/codegraph-linux-x64-musl': 'musl',
+};
+
+// Resolve relative to this script's location so it works regardless of CWD
+// (e.g. running `node scripts/verify-lockfile-libc.mjs` from the `scripts/`
+// subdirectory still finds the repo-root lockfile).
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const lockfilePath = resolve(__dirname, '..', 'package-lock.json');
+const lock = JSON.parse(readFileSync(lockfilePath, 'utf8'));
+const failures = [];
+
+for (const [pkgName, expectedLibc] of Object.entries(EXPECTED_LIBC)) {
+  const entry = lock.packages?.[`node_modules/${pkgName}`];
+  if (!entry) {
+    failures.push(`${pkgName}: missing from package-lock.json`);
+    continue;
+  }
+  const libc = entry.libc;
+  if (!Array.isArray(libc) || !libc.includes(expectedLibc)) {
+    failures.push(
+      `${pkgName}: expected libc=["${expectedLibc}"], got ${JSON.stringify(libc)}`,
+    );
+  }
+}
+
+if (failures.length > 0) {
+  console.error('package-lock.json libc discriminator check failed:\n');
+  for (const f of failures) console.error(`  - ${f}`);
+  console.error(
+    '\nnpm install may have stripped the libc field. Restore it by editing\n' +
+      'package-lock.json so each @optave/codegraph-linux-* entry includes\n' +
+      'its libc field (see expected values above). Tracked in #1160.',
+  );
+  process.exit(1);
+}
+
+console.log('package-lock.json libc discriminators OK');