Merge pull request #48 from script-development/armory-publint-git-prefix-sweep

Goosterhof · web-flow · commit cf6fc141b227 · 2026-04-23T13:27:05.000+02:00
fs-packages: re-normalize 10 publint git+ prefix regressions (PR #35 aftermath)
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -9,7 +9,7 @@ Shared frontend service packages monorepo under the `@script-development` npm sc
 - **Test:** vitest 4 (100% coverage threshold) + Stryker (90% mutation threshold)
 - **Lint:** oxlint (explicit config at `.oxlintrc.json`)
 - **Format:** oxfmt
-- **Package lint:** publint + attw (Are The Types Wrong)
+- **Package lint:** publint + attw (Are The Types Wrong) — `lint:pkg` enforces fail-on-any-advisory via `scripts/lint-pkg.mjs` (suggestions, warnings, and errors all treat as fatal — publint CLI default and `--strict` both exit 0 on suggestions). Motivated by enforcement queue #33 + the PR #35 `git+` prefix regression that silently drifted across 10 packages because the unenforced gate only printed the suggestion.
 - **Publish:** OIDC Trusted Publishing to public npm registry (no stored tokens)
 - **CI:** 8-gate pipeline: audit → format → lint → build → typecheck → lint:pkg → coverage → mutation
 
diff --git a/package.json b/package.json
@@ -11,7 +11,7 @@
     "test:mutation": "npm run test:mutation --workspaces",
     "lint": "oxlint .",
     "typecheck": "npm run typecheck --workspaces",
-    "lint:pkg": "npm run lint:pkg --workspaces",
+    "lint:pkg": "node scripts/lint-pkg.mjs",
     "audit": "npm audit",
     "format": "oxfmt --write .",
     "format:check": "oxfmt --check .",
diff --git a/scripts/lint-pkg.mjs b/scripts/lint-pkg.mjs
@@ -0,0 +1,90 @@
+#!/usr/bin/env node
+// Gate 6 (lint:pkg) enforcer — treats publint suggestions/warnings/errors as fatal.
+//
+// publint 0.3.18 CLI does not expose a flag to fail on suggestions (--strict
+// only promotes warnings → errors). This wrapper fills that gap: it runs
+// publint per workspace, captures stdout, and fails the gate if any package
+// emits a "Suggestions:", "Warnings:", or "Errors:" block. attw --pack runs
+// after publint per package and preserves its own exit code.
+//
+// See enforcement queue #33 and the PR #35 regression that motivated this
+// tightening: publint suggestions about the "git+" URL prefix silently
+// re-drifted across 10 packages because the gate tolerated them.
+
+import { spawnSync } from "node:child_process";
+import { readdirSync, readFileSync, statSync } from "node:fs";
+import { join } from "node:path";
+
+const PACKAGES_DIR = "packages";
+const PUBLINT_BLOCK_RE = /^(Suggestions|Warnings|Errors):$/m;
+
+function listPackageDirs() {
+  return readdirSync(PACKAGES_DIR)
+    .map((name) => join(PACKAGES_DIR, name))
+    .filter((dir) => {
+      try {
+        return statSync(dir).isDirectory() && statSync(join(dir, "package.json")).isFile();
+      } catch {
+        return false;
+      }
+    })
+    .sort();
+}
+
+function packageName(dir) {
+  const pkg = JSON.parse(readFileSync(join(dir, "package.json"), "utf8"));
+  return pkg.name ?? dir;
+}
+
+function runCaptured(cmd, args, cwd) {
+  const result = spawnSync(cmd, args, {
+    cwd,
+    stdio: ["ignore", "pipe", "pipe"],
+    encoding: "utf8",
+    shell: false,
+  });
+  const stdout = result.stdout ?? "";
+  const stderr = result.stderr ?? "";
+  process.stdout.write(stdout);
+  process.stderr.write(stderr);
+  return { stdout, stderr, status: result.status ?? 1 };
+}
+
+function main() {
+  const dirs = listPackageDirs();
+  const failures = [];
+
+  for (const dir of dirs) {
+    const name = packageName(dir);
+    process.stdout.write(`\n--- lint:pkg ${name} (${dir}) ---\n`);
+
+    const publint = runCaptured("npx", ["publint", "run"], dir);
+    const publintBlock = PUBLINT_BLOCK_RE.exec(publint.stdout);
+    if (publint.status !== 0) {
+      failures.push(`${name}: publint exited ${publint.status}`);
+    } else if (publintBlock) {
+      failures.push(
+        `${name}: publint emitted "${publintBlock[1]}:" block (fail-on-suggestion gate)`,
+      );
+    }
+
+    const attw = runCaptured("npx", ["attw", "--pack"], dir);
+    if (attw.status !== 0) {
+      failures.push(`${name}: attw exited ${attw.status}`);
+    }
+  }
+
+  if (failures.length > 0) {
+    process.stderr.write(`\n\nlint:pkg gate FAILED (${failures.length}):\n`);
+    for (const f of failures) {
+      process.stderr.write(`  - ${f}\n`);
+    }
+    process.exit(1);
+  }
+
+  process.stdout.write(
+    `\nlint:pkg gate PASS — ${dirs.length} packages clean (publint suggestions/warnings/errors all treated as fatal).\n`,
+  );
+}
+
+main();
