build: derive libc verifier scope from optionalDependencies

[carlos-alm]

Summary

• scripts/verify-lockfile-libc.mjs previously hand-maintained EXPECTED_LIBC, duplicating the list of linux native packages already declared in package.json's optionalDependencies. Adding a new platform required updating both — and follow-up: extend lockfile libc verifier when linux-arm64-musl is added to optionalDependencies #1168 exists precisely because they drifted (@optave/codegraph-linux-arm64-musl is mapped in ci-install-native.mjs and the CI parity job, but was absent from EXPECTED_LIBC).
• This change derives the package list from optionalDependencies and infers the expected libc value from the napi-rs -gnu/-musl suffix. New linux platforms added to optionalDependencies are now covered automatically with no script edit.
• An unknown suffix (e.g. linux-armhf-gnueabihf) fails loudly with a pointer to the inference rule, so silent gaps cannot reappear.

Test plan

• Happy path: node scripts/verify-lockfile-libc.mjs on the current lockfile → package-lock.json libc discriminators OK (3 linux package(s) checked).
• Derivation: temporarily added @optave/codegraph-linux-arm64-musl to optionalDependencies and re-ran — verifier reports missing from package-lock.json and exits 1 (proves the script picks up new entries without code changes).
• Unknown-suffix guard: temporarily added @optave/codegraph-linux-armhf-gnueabihf — verifier reports the suffix is unknown, points at LIBC_BY_SUFFIX, and exits 1.
• CI lint job remains green on this branch.

Closes #1168

[claude]

Claude finished @carlos-alm's task —— View job

---

Reviewing PR: build: derive libc verifier scope from optionalDependencies

Todo List

• Read and analyze the modified script file
• Check related context files (package.json, etc.)
• Apply 5-phase review framework
• Provide comprehensive review feedback

---

Root Cause Analysis

Problem Being Solved: Issue #1168 - The verify-lockfile-libc.mjs script maintained a hardcoded EXPECTED_LIBC map that duplicated package names already declared in package.json's optionalDependencies. When new linux platforms were added, both locations needed updates, and they drifted out of sync (@optave/codegraph-linux-arm64-musl was missing from the manual list).

Why This Approach: The solution derives the package list dynamically from optionalDependencies and infers the expected libc value from the napi-rs naming convention (-gnu → glibc, -musl → musl). This eliminates the dual-maintenance burden and automatically covers new platforms.

Risk Assessment: Low risk. This is a build-time validation script with clear error handling and explicit testing in the PR description.

Backlog Compliance

• Zero-dep: ✓ — No new runtime dependencies, only uses Node.js built-in modules
• Foundation-aligned: ✓ — Improves build tooling without violating core principles
• Problem-fit: 3 — Useful build system improvement but doesn't directly address the core "lost AI" problem
• Breaking: No — Pure build script improvement with no API/CLI changes
• Tier: 1

Code Quality Analysis

Strengths ⭐⭐⭐⭐

• Clean elimination of duplication: Removes the hand-maintained EXPECTED_LIBC map in favor of dynamic derivation from authoritative source (package.json)
• Robust error handling: Unknown suffixes fail loudly with clear guidance on how to extend the mapping
• Clear intent: Well-documented logic and comments explain the napi-rs naming convention
• Defensive programming: Handles edge cases (no linux packages, missing package-lock entries)
• Proper path resolution: Uses import.meta.url and proper path resolution to work from any CWD

Technical Implementation

The regex LINUX_PKG_PATTERN = /^@optave\/codegraph-linux-[^-]+-(gnu|musl)$/ correctly matches the expected package naming pattern and captures the libc suffix. The mapping logic is sound:

const expectedLibc = LIBC_BY_SUFFIX[match[1]]; // gnu → glibc, musl → musl

Potential Concerns (Minor)

1. Line 74-75: The error message uses import.meta.url.replace('file://', '') which could be simplified with fileURLToPath(import.meta.url) for consistency, but this is stylistic.

2. Future-proofing: The current implementation assumes the napi-rs naming convention will remain stable. If new libc variants emerge, the script will fail loudly (which is good), but the error message could be slightly clearer about this being an expected failure mode.

Test Integrity ✅

The PR author manually validated:

• Happy path execution
• Detection of missing packages when temporarily adding new entries
• Unknown suffix detection and clear error messaging

Final Recommendation

• Rating: ⭐⭐⭐⭐☆ (4/5)
• Action: APPROVE
• Reasoning: This is a solid improvement that eliminates duplication, reduces maintenance burden, and prevents the drift issue that caused follow-up: extend lockfile libc verifier when linux-arm64-musl is added to optionalDependencies #1168. The implementation is robust with good error handling. The code quality is high with clear intent and proper defensive programming. No breaking changes or concerning patterns detected.

Minor suggestions (non-blocking):

1. Consider using fileURLToPath(import.meta.url) instead of string replacement on line 74 for consistency
2. The script works correctly and the approach is sound

Job Run

[greptile-apps]

Greptile Summary

This PR eliminates the manual EXPECTED_LIBC map in scripts/verify-lockfile-libc.mjs by reading package.json's optionalDependencies at runtime and inferring expected libc values from each package name's -gnu/-musl suffix. The regex is derived from LIBC_BY_SUFFIX keys so the two can never drift.

• New linux platforms added to optionalDependencies are automatically picked up by the verifier with no script change, closing the gap that triggered follow-up: extend lockfile libc verifier when linux-arm64-musl is added to optionalDependencies #1168.
• Packages with unrecognised suffixes fail loudly with a pointer to LIBC_BY_SUFFIX, and the success message now reports how many packages were checked.

Confidence Score: 5/5

Safe to merge — a focused script refactor that removes a maintenance footgun without changing the lockfile validation logic.

The change replaces a static map with a derivation from optionalDependencies, keeping all the same lockfile checks intact. The regex is constructed from the same keys as the lookup map, so they are structurally coupled. Edge cases (empty package list, unknown suffix) are handled explicitly and exit non-zero. No data is written, no external systems are touched, and the test plan confirms the happy path and both failure modes.

No files require special attention.

Important Files Changed

Filename	Overview
scripts/verify-lockfile-libc.mjs	Replaces hardcoded EXPECTED_LIBC map with derivation from package.json optionalDependencies; adds unknown-suffix guard and count in success message. Logic is sound and well-structured.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Start] --> B[Read package.json]
    B --> C[Read package-lock.json]
    C --> D[Filter optionalDependencies\nfor @optave/codegraph-linux-*]
    D --> E{linuxPackages\nempty?}
    E -- Yes --> F[Log: skipping\nexit 0]
    E -- No --> G[For each package:\nmatch LINUX_PKG_PATTERN]
    G --> H{Regex\nmatch?}
    H -- No --> I[Collect into\nunknownSuffixes]
    H -- Yes --> J[Look up expectedLibc\nfrom LIBC_BY_SUFFIX]
    J --> K{Entry in\nlockfile?}
    K -- No --> L[Collect into failures:\nmissing from lockfile]
    K -- Yes --> M{libc field\ncorrect?}
    M -- No --> N[Collect into failures:\nwrong libc value]
    M -- Yes --> O[OK]
    I --> P{unknownSuffixes\nnon-empty?}
    L --> P
    N --> P
    O --> P
    P -- Yes --> Q[Print unknown suffix error\nwith fix instructions\nexit 1]
    P -- No --> R{failures\nnon-empty?}
    R -- Yes --> S[Print libc failures\nexit 1]
    R -- No --> T[Log: OK N packages checked\nexit 0]

Loading

_{Reviews (8): Last reviewed commit: "Merge branch 'main' into fix/1168-libc-v..." | Re-trigger Greptile}

[greptile-apps]

Incomplete fix guidance in unknown-suffix error

The error message tells the developer to "Extend LIBC_BY_SUFFIX", but that alone is not sufficient to fix the problem. A future suffix like gnueabihf would also require updating LINUX_PKG_PATTERN (specifically the (gnu|musl) capture group), because the regex is the gatekeeper that determines what reaches the map lookup — extending the map alone leaves the package permanently matched as an unknown suffix and exiting 1. A developer following only the printed instructions would be confused when adding a new map entry doesn't resolve the failure.

[carlos-alm]

Fixed in 4af75ec — derived LINUX_PKG_PATTERN from Object.keys(LIBC_BY_SUFFIX) so the regex and the map can never drift apart. Adding a new suffix to the map is now genuinely the only required edit (the regex picks it up automatically). The error message has been updated to reflect this and to list the current rules from the map dynamically.

[carlos-alm]

Thanks for the review! Addressed both points in 4af75ec:

• Switched the script-path interpolation from import.meta.url.replace('file://', '') to fileURLToPath(import.meta.url) (cached in a __filename const alongside the existing __dirname derivation).
• Also addressed Greptile's related concern by deriving LINUX_PKG_PATTERN from Object.keys(LIBC_BY_SUFFIX), so the regex and the map can no longer drift apart when a new libc suffix is added. The unknown-suffix error message now lists the active rule dynamically from the map.

[carlos-alm]

@greptileai