Bump the npm_and_yarn group across 1 directory with 8 updates#1
Open
dependabot[bot] wants to merge 1 commit into
Open
Bump the npm_and_yarn group across 1 directory with 8 updates#1dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the npm_and_yarn group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [picomatch](https://github.com/micromatch/picomatch) | `4.0.3` | `4.0.4` | | [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` | | [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.12` | `1.1.14` | | [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.2` | | [fast-uri](https://github.com/fastify/fast-uri) | `3.1.0` | `3.1.2` | | [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) | `1.1.4` | `1.2.0` | | [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.11` | `1.16.0` | | [ip-address](https://github.com/beaugunderson/ip-address) | `10.1.0` | `10.2.0` | | [lodash](https://github.com/lodash/lodash) | `4.17.23` | `4.18.1` | Updates `picomatch` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `picomatch` from 2.3.1 to 2.3.2 - [Release notes](https://github.com/micromatch/picomatch/releases) - [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md) - [Commits](micromatch/picomatch@4.0.3...4.0.4) Updates `brace-expansion` from 1.1.12 to 1.1.14 - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v1.1.12...v1.1.14) Updates `dompurify` from 3.3.3 to 3.4.2 - [Release notes](https://github.com/cure53/DOMPurify/releases) - [Commits](cure53/DOMPurify@3.3.3...3.4.2) Updates `fast-uri` from 3.1.0 to 3.1.2 - [Release notes](https://github.com/fastify/fast-uri/releases) - [Commits](fastify/fast-uri@v3.1.0...v3.1.2) Updates `fast-xml-builder` from 1.1.4 to 1.2.0 - [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md) - [Commits](NaturalIntelligence/fast-xml-builder@v1.1.4...v1.2.0) Updates `follow-redirects` from 1.15.11 to 1.16.0 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0) Updates `ip-address` from 10.1.0 to 10.2.0 - [Commits](https://github.com/beaugunderson/ip-address/commits) Updates `lodash` from 4.17.23 to 4.18.1 - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](lodash/lodash@4.17.23...4.18.1) --- updated-dependencies: - dependency-name: picomatch dependency-version: 4.0.4 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: picomatch dependency-version: 2.3.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: brace-expansion dependency-version: 1.1.14 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: dompurify dependency-version: 3.4.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-uri dependency-version: 3.1.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: fast-xml-builder dependency-version: 1.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: follow-redirects dependency-version: 1.16.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ip-address dependency-version: 10.2.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: lodash dependency-version: 4.18.1 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
7 tasks
rubenvdlinde
added a commit
that referenced
this pull request
May 11, 2026
…s 4.x, 5.1, 6.x, 7.x) Docs (Section 6): - docs/openbuilt-runtime.md — big-picture diagram, manifest endpoint contract, the bundled-mode + options.endpoint workaround until chain spec #2 ships the in-memory useAppManifest overload, declarative lifecycle table, file map - docs/integrator-guide.md — step-by-step for authoring a virtual app by hand (slug rules, manifest checklist, what doesn't work yet in spec #1) - openspec/app-config.json — list openbuilt-application-register + openbuilt-runtime under capabilities Tests (Section 5 partial): - tests/unit/Controller/ApplicationsControllerTest.php — 3 PHPUnit tests: happy path (200 with unwrapped manifest), unknown slug (404 not_found), inconsistent state (500 inconsistent_state when route missing applicationUuid) - tests/unit/Repair/SeedHelloWorldTest.php — 3 PHPUnit tests: getName format, idempotency on re-run, full seed (4 saveObject calls) on fresh install Deferred (need NC + container): - 5.2 Integration test for the Application lifecycle (requires container with OR's lifecycle engine to actually run transitions) - 5.3 Newman collection (requires running NC instance) - 5.4 Playwright e2e (requires NC + browser, mounts via docker-compose) - 4.3 npm run check:manifest — script not yet shipped by @conduction/nextcloud-vue - 4.4 Visual verify on docker compose up — manual step tasks.md status: 22/22 implementation + 3/5 verification + 1/4 tests + 4/4 docs + 3/3 i18n boxes checked. Remaining 5 deferred tasks documented inline.
This was referenced May 11, 2026
rubenvdlinde
added a commit
that referenced
this pull request
May 11, 2026
…es nav + i18n - Add TemplateGallery.vue with grid, category filter, search, screenshots (REQ-OBTC-003, REQ-OBTC-008) - Add CloneTemplateDialog modal in src/modals/ (hydra-gate-13 modal isolation) - Register /templates route and Templates nav entry - Add 'Create from template' empty-state CTA on Dashboard (REQ-OBTC-003) - Add en+nl translations for gallery, modal, category labels, all 4 seeded templates' title/description/useCase/menu/page labels (REQ-OBTC-010) - Editor redirect feature-detects chain #5 (PageEditor) with chain #1 (ApplicationEditor) fallback (REQ-OBTC-006)
rubenvdlinde
added a commit
that referenced
this pull request
May 11, 2026
The embedded template was a copy of nextcloud-app-template at Tier-0 — no
manifest, no CnAppRoot, hand-written NcContent + NcAppNavigation + custom
MainMenu + bespoke router. That directly violates ADR-024 (every
Conduction-ecosystem app is a Tier-4 manifest consumer that mounts
CnAppRoot with a manifest as the single source of truth).
Now the template is a minimal Tier-4 shell:
lib/Resources/template/src/manifest.json
New placeholder file with {{appId}} / {{appNamespace}} / {{appName}} /
{{appVersion}} / {{appDescription}} / {{license}} / {{authorName}} /
{{authorEmail}} tokens. PlaceholderResolver already covers all of
these — they get baked in at export time, so the unzipped tree ships
with a fully-resolved manifest and no further hand-edits.
lib/Resources/template/src/App.vue
Reduced to '<CnAppRoot :manifest="manifest" :app-id="appId" />'.
No more bespoke navigation, OpenRegister-missing guards, or store
wiring — CnAppRoot owns those.
lib/Resources/template/src/main.js
Drops router + custom store init; calls
useAppManifest({ manifest }) before mounting so CnAppRoot reads from
the registry. Depends on chain spec #2 (openbuilt-manifest-runtime)
for the in-process overload signature — documented in the file
header.
lib/Resources/template/package.json
Bumps @conduction/nextcloud-vue from ^0.1.0-beta.3 to ^1.0.0-beta.30
(locked decision #1) so CnAppRoot + useAppManifest are present.
lib/Resources/template/.path-manifest.txt
Adds src/manifest.json so the snapshot validator + export tree-walker
see it.
The pre-existing router/, navigation/, and views/ files in the template
are left in place for now — they're not imported by the new App.vue/main.js
and webpack tree-shakes them out, but ripping them out is a noisy follow-up
that belongs in its own commit.
rubenvdlinde
added a commit
that referenced
this pull request
May 12, 2026
* Apply bootstrap-openbuilt — core implementation (tasks 1.1–1.5, 2.1–2.4, 3.1–3.2)
Schemas (openbuilt-application-register capability):
- Declare Application schema with manifest blob + slug + version + status
- Add x-openregister-lifecycle (draft → published → archived) on Application —
canonical ADR-031 example, no service class
- Declare BuiltAppRoute schema for slug → applicationUuid index
- Wire BuiltAppRoute upkeep via x-openregister-lifecycle on_transition
(declarative path per design.md Decision 2 / Q1)
- Declare HelloMessage seed schema
Runtime (openbuilt-runtime capability):
- Register GET /api/applications/{slug}/manifest route in appinfo/routes.php
- ApplicationsController::getManifest — thin-glue resolver (slug → BuiltAppRoute
→ Application → manifest blob unwrapped). #[NoAdminRequired] + #[NoCSRFRequired]
per design.md Decision 6
- BuilderHost.vue — nested CnAppRoot mount with key=slug, options.endpoint
redirecting useAppManifest's backend fetch to the per-slug endpoint
(workaround per design.md Decision 4 until chain spec #2 ships)
- ApplicationEditor.vue — textarea-based manifest editor with validateManifest
- src/router/index.js — /applications + /builder/:slug/:pathMatch(.*)? routes
- src/manifests/placeholder.json — bundled placeholder skeleton for useAppManifest
Seed (ADR-001):
- SeedHelloWorld repair step — idempotent seed of canonical hello-world
Application + manifest exercising index/detail/form pages + three sample
HelloMessage objects
- info.xml repair-steps — SeedHelloWorld runs after InitializeSettings
Deferred to follow-up apply: tasks 4.x (verification), 5.x (tests),
6.x (docs), 7.x (i18n).
Refs: openspec/changes/bootstrap-openbuilt/{proposal,specs,design,tasks}.md
* Quality pass — DI refactors, method split, SPDX placement, dep bump (tasks 4.1, 4.2, 4.5, 7.1-7.3)
PHP refactors per "fix all issues" rule (no @SuppressWarnings shortcuts):
- ApplicationsController + SeedHelloWorld: constructor injection of
OCA\OpenRegister\Service\ObjectService (eliminates Server::get static
access). OR is a declared hard dep in info.xml, so injection is the
right pattern per ADR-022 + ADR-003.
- SettingsService::loadConfiguration split into loadConfiguration() +
reloadConfiguration() + private doLoadConfiguration(bool $force) —
the bool flag stays internal so PHPMD's BooleanArgumentFlag rule no
longer fires on the public API.
- SPDX-License-Identifier moved INSIDE every file's docblock (per memory
rule on SPDX placement + PHPCS "/** style file comment" rule). Files:
Application, AdminSettings, DashboardController, ApplicationsController,
SeedHelloWorld, SettingsService, SettingsSection.
- Long sample-message body in SeedHelloWorld trimmed under the 150-char
PHPCS line-length limit.
Dependency bumps:
- @conduction/nextcloud-vue: ^0.1.0-beta.3 → ^1.0.0-beta.30. The 1.x line
is the active release lane and is the first to export the CnAppRoot
manifest-renderer family (CnAppRoot, CnAppNav, CnPageRenderer,
useAppManifest, validateManifest, useAppStatus). 0.1.0-beta.3 did NOT
export them — design.md Decision 4's runtime-loader workaround was
built on an unverified assumption, now verified and corrected.
- @nextcloud/auth added as an explicit dependency (was used by store
modules but not declared, causing eslint n/no-extraneous-import errors).
phpstan.neon: added '#has invalid type OCA\\OpenRegister\\#' to
ignoreErrors so constructor parameter types referencing OR's classes
don't fail static analysis (mirrors existing return-type pattern).
i18n keys (tasks 7.1, 7.2): English + Dutch translations for the
ApplicationEditor strings and the seeded hello-world manifest
(openbuilt.helloworld.menu.*, openbuilt.helloworld.title.*,
openbuilt.editor.help).
Verification status (task 4.x):
- ✓ 4.1 composer phpcs / phpmd / psalm / phpstan — all clean
- ✓ 4.2 npm run lint — clean
- ⊘ 4.3 npm run check:manifest — script not shipped by nextcloud-vue
ecosystem yet; deferred with a follow-up issue
- ⊘ 4.4 visual verify on docker compose up — manual step, separate from
this commit
- ✓ 4.5 ADR-031 service-class gate — confirmed no
ApplicationLifecycleService / ApplicationStateMachine class under
lib/Service/
* Apply bootstrap-openbuilt — docs + minimum tests + capabilities (tasks 4.x, 5.1, 6.x, 7.x)
Docs (Section 6):
- docs/openbuilt-runtime.md — big-picture diagram, manifest endpoint contract,
the bundled-mode + options.endpoint workaround until chain spec #2 ships the
in-memory useAppManifest overload, declarative lifecycle table, file map
- docs/integrator-guide.md — step-by-step for authoring a virtual app by hand
(slug rules, manifest checklist, what doesn't work yet in spec #1)
- openspec/app-config.json — list openbuilt-application-register +
openbuilt-runtime under capabilities
Tests (Section 5 partial):
- tests/unit/Controller/ApplicationsControllerTest.php — 3 PHPUnit tests:
happy path (200 with unwrapped manifest), unknown slug (404 not_found),
inconsistent state (500 inconsistent_state when route missing applicationUuid)
- tests/unit/Repair/SeedHelloWorldTest.php — 3 PHPUnit tests: getName format,
idempotency on re-run, full seed (4 saveObject calls) on fresh install
Deferred (need NC + container):
- 5.2 Integration test for the Application lifecycle (requires container with
OR's lifecycle engine to actually run transitions)
- 5.3 Newman collection (requires running NC instance)
- 5.4 Playwright e2e (requires NC + browser, mounts via docker-compose)
- 4.3 npm run check:manifest — script not yet shipped by @conduction/nextcloud-vue
- 4.4 Visual verify on docker compose up — manual step
tasks.md status: 22/22 implementation + 3/5 verification + 1/4 tests + 4/4 docs +
3/3 i18n boxes checked. Remaining 5 deferred tasks documented inline.
* Fix hydra-gate-10 + hydra-gate-11 security findings surfaced by /opsx-verify
Two pre-existing template inheritances violated ADR-004 hard rules and the
corresponding hydra mechanical gates. Fixed both via the canonical NC
pattern (IInitialState + admin-via-AdminSettings.php-only).
hydra-gate-10 (DOM dataset → IInitialState):
- AdminSettings.php now injects IInitialState and calls
provideInitialState('version', $version) before rendering the template.
- templates/settings/admin.php no longer carries data-version on the mount
div — server data flows via initial-state, not DOM attrs.
- AdminRoot.vue replaces document.getElementById('openbuilt-settings')
.dataset.version with loadState('openbuilt', 'version', 'Unknown').
hydra-gate-11 (admin-router → no admin in vue-router):
- src/router/index.js no longer imports AdminRoot or registers a /settings
route. Admin settings are reached exclusively through Nextcloud's admin
settings framework (/index.php/settings/admin/openbuilt), which goes
through the admin auth gate. The redundant vue-router entry was a
bypass-the-auth-gate regression that the doriath retrospective flagged.
Verification:
- gate-10 grep: no matches
- gate-11 grep: no matches
- composer phpcs/phpmd/psalm/phpstan: all clean
- npm run lint: clean
Surfaced by: /opsx-verify bootstrap-openbuilt
* Runtime smoke test — fix 5 real bugs surfaced by docker exec app:enable + curl manifest endpoint
Verified end-to-end: GET /api/applications/hello-world/manifest returns HTTP 200 with
the seeded hello-world manifest. Smoke test mission complete.
Bug 1 — SettingsService::doLoadConfiguration missing $data + $version args.
OR's importFromApp signature is importFromApp(string $appId, array $data,
string $version, bool $force=false). My call was passing only appId + force,
so importFromApp threw "Argument #2 ($data) not passed". Fixed by reading
lib/Settings/openbuilt_register.json from disk + parsing + passing data+version
(per openregister-wiring-guide.md — the sweep agent missed this step).
Bug 2 — ObjectService::getObjects doesn't exist. The real API is findAll($config)
+ find($id, register, schema). Refactored ApplicationsController and SeedHelloWorld
to the real signatures.
Bug 3 — searchObjects requires NUMERIC register/schema IDs in @self, not slugs.
Slug-to-ID resolution is NOT applied at this layer. Injected RegisterMapper +
SchemaMapper into ApplicationsController to resolve before searchObjects. Found
via direct CLI test: @self with slug strings returns 0 results; @self with
numeric IDs returns the matching object.
Bug 4 — RegisterMapper/SchemaMapper::find with default _multitenancy=true filters
out the lookup. Pass _multitenancy: false on the LOOKUP only (object-level
multitenancy still enforced via searchObjects + the underlying RBAC).
Bug 5 — x-openregister-lifecycle.on_transition.upsert_relation NOT supported by
OR's current engine (design.md OQ-1 confirmed). The Application's declarative
lifecycle declaration is preserved (still ADR-031-compliant when OR ships the
hook), but SeedHelloWorld now explicitly creates the BuiltAppRoute as the
ADR-031 §Exceptions(1) fallback. A BuiltAppRouteSyncListener subscribed to
ObjectLifecycleTransitionedEvent should follow in a separate change.
Plus ObjectEntity UUID extraction now reads $entity->jsonSerialize()['@self']['id']
(__call-based getUuid() is invisible to method_exists, so we read the array).
Tests updated to the new controller signature + searchObjects mock.
Known remaining gaps (smoke-test follow-ups, deferred):
- Openbuilt Register row was NOT auto-created by importFromApp despite schemas
being created. Manually created via REST during smoke test; needs an explicit
createRegisterIfMissing step in InitializeSettings.
- Webpack build fails with @nextcloud/axios exports-field errors when the local
apps-extra/nextcloud-vue/ source-alias is active. Frontend not yet runtime-
validated; backend is.
- BuiltAppRouteSyncListener (the proper ADR-031 §Exceptions(1) PHP fallback for
the missing OR lifecycle hook) — covered only for the seed Application; new
user-created Applications won't get BuiltAppRoute upkeep yet.
All quality tools green: phpcs, phpmd, psalm, phpstan, ESLint.
* tests: expand unit + Newman coverage for bootstrap-openbuilt
- ApplicationsControllerTest: rename happy-path to match spec naming;
add testGetManifestReturns500OnInconsistentState covering the
dangling-applicationUuid branch (Application deleted, route survives).
- SeedHelloWorldTest: tighten fresh-install test to stub jsonSerialize
so it asserts exactly 4 core saves; add new
testRunCreatesBuiltAppRouteWhenApplicationUuidIsExposed covering the
5-save path (Application + BuiltAppRoute + 3 messages) that locks the
design.md Decision 6 lifecycle-hook fallback.
- Postman collection: replace placeholder /status request with three
real assertions — GET hello-world manifest (200 + version/menu/pages),
GET unknown-slug manifest (404 + error=not_found), and GET the
OpenRegister-backed Application listing (>=1 result with
slug=hello-world after seed).
* Replace placeholder PHPUnit tests with real coverage (task 5.1)
- OpenBuiltTest: assert APP_ID + autoload resolves worktree's lib/
- ApplicationsControllerTest: 4 tests on getManifest (200/404/500-x2)
- SeedHelloWorldTest: 4 tests on idempotency + fresh/uuid-exposed paths
- bootstrap-unit.php: pin OCP/NCU PSR-4 + rebuild OpenBuilt classmap from
the worktree's lib/ so tests run in a git-worktree dev setup (the
symlinked vendor/ otherwise resolves classes against a sibling checkout)
- tests/stubs/openregister-stubs.php: fallback ObjectService/Mapper stubs
when OR sources aren't on the autoload path (CI strip-down)
All 13 unit tests pass: ./vendor/bin/phpunit -c phpunit-unit.xml
PHPCS still clean — tests/ are out of phpcs.xml scope.
* tests(e2e): bootstrap Playwright framework
- playwright.config.ts: chromium project, baseURL http://localhost:8080,
basic-auth httpCredentials, OCS-APIRequest header pinned for NC API
calls, headless by default, no webServer (Docker stack is the
documented dev path).
- tests/e2e/bootstrap-openbuilt.e2e.spec.ts: two specs covering the
bootstrap-openbuilt change — (1) renders the three seeded
hello-message titles on the index page, and (2) returns a valid
unwrapped manifest (version/menu/pages) from the public endpoint.
- package.json: add @playwright/test devDep and test:e2e /
test:e2e:install scripts. Browser install is the one-time setup
documented in the spec header.
- .gitignore: ignore playwright-report/, test-results/, .playwright/,
playwright/.cache/.
* tests: expand Newman CRUD + add BuilderHost journey e2e
Linter rewrites that landed after the initial commits:
- openbuilt.postman_collection.json: extend from 3 to 6 requests —
add a full CRUD round-trip on Application objects via OR
(POST/GET/PUT/DELETE on /openregister/api/objects/openbuilt/application)
in addition to the manifest endpoint coverage (200 + 404) and the
seed listing assertion.
- tests/e2e/builder-host.spec.ts: BuilderHost journey covering
REQ-OBR-002 (mount the manifest) and REQ-OBR-003 (forward to detail
pages declared in the manifest). Companion to the
bootstrap-openbuilt.e2e.spec.ts smoke test.
* psalm: suppress UndefinedClass for OR mappers (cross-app deps)
OCA\OpenRegister\Db\RegisterMapper and SchemaMapper are referenced by
ApplicationsController's constructor for the slug→id resolution; they
live in the openregister app and are only present at runtime. Adding
them to the existing OpenRegister suppress list (alongside ObjectService
and ConfigurationService) clears the 4 pre-existing UndefinedClass
errors surfaced during the test-coverage task.
* tests(e2e): add ApplicationEditor + manifest-endpoint specs
Two further e2e specs surfaced by the linter to round out coverage:
- tests/e2e/application-editor.spec.ts: exercises the in-app manifest
editor (data-testid hooks added to ApplicationEditor.vue).
- tests/e2e/manifest-endpoint.spec.ts: API-level coverage of the
/api/applications/{slug}/manifest endpoint (200/404 paths,
unwrapped envelope).
Companion changes:
- ApplicationEditor.vue: add data-testid='openbuilt-editor-textarea'
+ 'openbuilt-editor-save' to make the form addressable from Playwright.
- BuilderHost.vue: add data-testid='openbuilt-builder-host' so the
journey spec can scope its locators to the inner-app root.
* tasks: tick 5.3 (Newman) + 5.4 (Playwright) — coverage landed
* fix(ci+review): regenerate lockfile, address MWest review on PR #2
CI was red on lint-check + License/Security/Vue Quality npm jobs because
`npm ci` refused the out-of-sync lockfile (missing playwright, pinia
v3 transitive deps, etc. after the @conduction/nextcloud-vue
0.1.0-beta.3 → 1.0.0-beta.30 bump). Regenerated package-lock.json from
scratch and confirmed `npm run lint`, `npm run stylelint`,
`npm audit --audit-level=critical --omit=dev`, and the workflow's
license-checker step all pass locally.
Also addresses MWest2020's PR-#2 review:
* Finding #3 (manifest visibility) — added an explicit visibility block
to `ApplicationsController::getManifest`'s docblock noting manifests
are publicly readable to authenticated users by design, and that
future role-scoped manifests must extend BuiltAppRoute (e.g. a
`restrictToGroup` property) rather than hardening this endpoint.
Forwards the decision to the RBAC spec (PR #6).
* Finding #4 (correlation ID) — the catch-all 500 path now generates a
16-hex correlationId, includes it in both the log context and the
response envelope, and is covered by a new
testGetManifestIncludesCorrelationIdOnInternalError unit test.
* Finding #5 (tracking issue) — opened issue #10 to track the 3
remaining deferred items (tasks 4.3, 4.4, 5.2); the other 13 ticks
from sections 5/6/7 were landed before merge.
Also fixes 9 rule-empty-line-before stylelint violations in
ApplicationEditor.vue surfaced once Vue Quality (stylelint) could run.
* fix(tests): replace stdClass mocks with concrete entity mocks
PHPUnit on CI rejects the prior stdClass+addMethods doubles because OR's
RegisterMapper::find() and SchemaMapper::find() are typed `: Register`
and `: Schema`, and ObjectService::saveObject() is typed `: ObjectEntity`.
Locally those return-type checks pass against the anonymous stubs because
OR isn't on the classpath; CI mounts the real classes and raises
PHPUnit\Framework\MockObject\IncompatibleReturnValueException.
Switched both ApplicationsControllerTest and SeedHelloWorldTest to mock
the concrete entity classes (Register, Schema, ObjectEntity). Behaviour
is unchanged; only the mock construction is correct now.
* brand: OpenBuilt icon — white box symbol on cobalt point-up hexagon
Replace the scaffold's rounded-rectangle #0082C9 placeholder with the
Conduction app-icon convention (matches ConductionNL/scholiq):
- img/app-store.svg — point-up hexagon fill #4376FC (Conduction Cobalt),
white `package-variant-closed` box symbol centred via translate(136,136)
scale(10) over the 512×512 viewBox. This is the icon the README + the
Nextcloud app store render.
- img/app.svg — monochrome box symbol, fill currentColor (navbar/light).
- img/app-dark.svg — same symbol, fill #ffffff (dark theme).
Per feedback_brand-rules-strict: pointy-top point-up, solid colours only,
hex polygon background (no rounded rect, no Nextcloud blue). README logo
block already references img/app-store.svg so it now shows the hex.
rubenvdlinde
added a commit
that referenced
this pull request
May 12, 2026
Spec #7 of the OpenBuilt 9-spec chain. Closes spec #1 OQ-2. - proposal.md: kind=mixed, depends_on=[bootstrap-openbuilt] - specs/openbuilt-rbac/spec.md: 7 new requirements (REQ-OBRBAC-001..007) - specs/openbuilt-application-register/spec.md: 2 ADDED reqs (permissions property + migration) - specs/openbuilt-runtime/spec.md: 4 ADDED reqs (403 path, list filter, action gating, initial-state groups) - design.md: 6 decisions + declarative-vs-imperative table + 6 OQs - tasks.md: 21 tasks across schema/migration/controller/frontend/i18n/docs openspec validate --strict: PASS
rubenvdlinde
added a commit
that referenced
this pull request
May 12, 2026
The embedded template was a copy of nextcloud-app-template at Tier-0 — no
manifest, no CnAppRoot, hand-written NcContent + NcAppNavigation + custom
MainMenu + bespoke router. That directly violates ADR-024 (every
Conduction-ecosystem app is a Tier-4 manifest consumer that mounts
CnAppRoot with a manifest as the single source of truth).
Now the template is a minimal Tier-4 shell:
lib/Resources/template/src/manifest.json
New placeholder file with {{appId}} / {{appNamespace}} / {{appName}} /
{{appVersion}} / {{appDescription}} / {{license}} / {{authorName}} /
{{authorEmail}} tokens. PlaceholderResolver already covers all of
these — they get baked in at export time, so the unzipped tree ships
with a fully-resolved manifest and no further hand-edits.
lib/Resources/template/src/App.vue
Reduced to '<CnAppRoot :manifest="manifest" :app-id="appId" />'.
No more bespoke navigation, OpenRegister-missing guards, or store
wiring — CnAppRoot owns those.
lib/Resources/template/src/main.js
Drops router + custom store init; calls
useAppManifest({ manifest }) before mounting so CnAppRoot reads from
the registry. Depends on chain spec #2 (openbuilt-manifest-runtime)
for the in-process overload signature — documented in the file
header.
lib/Resources/template/package.json
Bumps @conduction/nextcloud-vue from ^0.1.0-beta.3 to ^1.0.0-beta.30
(locked decision #1) so CnAppRoot + useAppManifest are present.
lib/Resources/template/.path-manifest.txt
Adds src/manifest.json so the snapshot validator + export tree-walker
see it.
The pre-existing router/, navigation/, and views/ files in the template
are left in place for now — they're not imported by the new App.vue/main.js
and webpack tree-shakes them out, but ripping them out is a noisy follow-up
that belongs in its own commit.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the npm_and_yarn group with 8 updates in the / directory:
4.0.34.0.42.3.12.3.21.1.121.1.143.3.33.4.23.1.03.1.21.1.41.2.01.15.111.16.010.1.010.2.04.17.234.18.1Updates
picomatchfrom 4.0.3 to 4.0.4Release notes
Sourced from picomatch's releases.
Commits
e5474fcPublish 4.0.44516eb5Merge commit from fork5eceecdMerge commit from fork0db7dd7Run benchmark again against latest minimatch version (#161)9500377docs: clarify what brace expansion syntax is and isn't supported (#134)2661f23fix typo in globstars.js test name (#138)1798b07docs: fixmakeReexample (#143)9d76bc5chore: undocument removed options (#146)e4d718bRemove unused time-require (#160)38dffebchore(deps): pin dependencies (#158)Updates
picomatchfrom 2.3.1 to 2.3.2Release notes
Sourced from picomatch's releases.
Commits
e5474fcPublish 4.0.44516eb5Merge commit from fork5eceecdMerge commit from fork0db7dd7Run benchmark again against latest minimatch version (#161)9500377docs: clarify what brace expansion syntax is and isn't supported (#134)2661f23fix typo in globstars.js test name (#138)1798b07docs: fixmakeReexample (#143)9d76bc5chore: undocument removed options (#146)e4d718bRemove unused time-require (#160)38dffebchore(deps): pin dependencies (#158)Updates
brace-expansionfrom 1.1.12 to 1.1.14Commits
10c05fc1.1.141afa1b2Add opt-in { max } mitigation to v1 legacy line (#103)2fbb6a2Revert "Backport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)" (#102)0d7652eBackport fix for GHSA-7h2j-956f-4vf2 to v1 (#101)6c353ca1.1.137fd684fBackport fix for GHSA-f886-m6hf-6m8v (#95)Updates
dompurifyfrom 3.3.3 to 3.4.2Release notes
Sourced from dompurify's releases.
Commits
6f67fd3Sync/3.4.2 (#1322)5b0cdbbchore: merge main into 3.x for 3.4.1 release (#1301)09f5911test: added three more browsers to test setup (OSX, mobile)5b16e0bGetting 3.x branch ready for 3.4.0 release (#1250)Install script changes
This version adds
preparescript that runs during installation. Review the package contents before updating.Updates
fast-urifrom 3.1.0 to 3.1.2Release notes
Sourced from fast-uri's releases.
Commits
919dd8eBumped v3.1.2c65ba57fixup: linting6c86c17Merge commit from forka95158aHandle malformed fragment decoding without throwing (#171)cea547cBumped v3.1.1876ce79Merge commit from forkdcdf690ci: add lock-threads workflow (#169)c860e65build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)9b4c6dcbuild(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)85d09a9build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...Updates
fast-xml-builderfrom 1.1.4 to 1.2.0Changelog
Sourced from fast-xml-builder's changelog.
Commits
a9a905bfor release42680e8support name sanitization8b00185release info8a08f17allow indentation to be empty string7fc5decupdate docsc241b6aimprove documentation15d5668update for release9877485fix: skip text property for PI tags311a221fix #5 typing import issuese8fc5b1update for releastUpdates
follow-redirectsfrom 1.15.11 to 1.16.0Commits
0c23a22Release version 1.16.0 of the npm package.844c4d3Add sensitiveHeaders option.5e8b8d0ci: add Node.js 24.x to the CI matrix7953e22ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v686dc1f8Sanitizing input.Updates
ip-addressfrom 10.1.0 to 10.2.0Commits
Updates
lodashfrom 4.17.23 to 4.18.1Release notes
Sourced from lodash's releases.
Commits
cb0b9b9release(patch): bump main to 4.18.1 (#6177)75535f5chore: prune stale advisory refs (#6170)62e91bcdocs: remove n_ Node.js < 6 REPL note from README (#6165)59be2derelease(minor): bump to 4.18.0 (#6161)af63457fix: broken tests for _.template 879aaa91073a76fix: linting issues879aaa9fix: validate imports keys in _.templatefe8d32efix: block prototype pollution in baseUnset via constructor/prototype traversal18ba0a3refactor(fromPairs): use baseAssignValue for consistent assignment (#6153)b819080ci: add dist sync validation workflow (#6137)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.