Skip to content

chore: modernize package tooling and CI#175

Merged
tonyketcham merged 5 commits intomainfrom
toeknee/modernize-tooling-ci-1d04
May 8, 2026
Merged

chore: modernize package tooling and CI#175
tonyketcham merged 5 commits intomainfrom
toeknee/modernize-tooling-ci-1d04

Conversation

@tonyketcham
Copy link
Copy Markdown
Collaborator

@tonyketcham tonyketcham commented May 7, 2026
edited by cursor Bot
Loading

Summary of changes

This branch contains five reviewable stack entries shaped by proof plus an adversarial proof follow-up:

  1. chore: modernize package test toolchain

    • Updates the existing Vitest-backed packages (@flatbread/codegen, @flatbread/utils) to current Vitest/Vite/TypeScript/tsup/Node typings.
    • Adds package-local TS configs so TS 6 options stay scoped to those packages.
    • Adds root typecheck, split test:ava/test:vitest, full test, and verify scripts.
    • Pins packageManager and the Node floor for the modern Vite/Vitest toolchain.

  2. ci: harden pipeline verification

    • Pins pnpm to 10.33.0, uses pnpm install --frozen-lockfile, and approves required native build dependencies for pnpm 10.
    • Adds read-only workflow permissions and cancellation concurrency.
    • Runs proof typecheck in CI and routes tests through the root command that now includes AVA plus Vitest.
    • Fixes the SvelteKit integration job so it builds the SvelteKit example instead of duplicating the Next.js build.

  3. docs: record tooling modernization decisions

    • Documents the Biome/Oxc evaluation and why neither is adopted in this low-risk pass.
    • Captures migration notes, rollback considerations, measured local runtime notes, and deferred follow-ups.

  4. chore: clean modernization config smells

    • Removes package-local pnpm.peerDependencyRules blocks that pnpm ignores; the root remains the single policy owner.
    • Adds missing workspace path aliases for @flatbread/codegen and @flatbread/resolver-svimg.
    • Makes the Next.js example declare its flatbread workspace CLI dependency explicitly.
    • Corrects SvelteKit example repository metadata.

  5. docs: align modernization developer guidance

    • Updates contributor prerequisites to Node 20.19+ and pnpm 10.33.x/Corepack.
    • Documents pnpm verify, the real AVA/Vitest split, and Prettier as the enforced lint gate.
    • Fixes stale example links and a broken fieldNameTransform README snippet.

Adversarial audit notes:

  • A second proof DAG completed 5/5 tasks and drove the config/docs remediations above.
  • Deferred findings include full AVA→Vitest migration, root ESLint repair/removal, project references, svelte-check after route data typing is fixed, deprecated runtime dependency cleanup, and optional GitHub Action SHA pinning.

Migration notes:

  • Root typecheck is intentionally scoped to @flatbread/proof until more packages expose typecheck scripts or project references.
  • svelte-check remains deferred because the existing SvelteKit route data types report a pre-existing data.allPostCategories error after svelte-kit sync; CI now validates the SvelteKit production build.
  • Biome/Oxc are deferred until root ESLint ownership is repaired or explicitly removed, and until formatting boundaries for Markdown/YAML/framework examples are explicit.

Rollback considerations:

  • Revert the first commit to restore prior package scripts and codegen/utils package-local toolchain versions.
  • Revert the second commit to restore the prior workflow and pnpm build-script policy.
  • Revert the third commit to remove the initial decision record only.
  • Revert the fourth commit to restore prior package metadata, pnpm warning behavior, and path aliases.
  • Revert the fifth commit to restore prior documentation only.

Before/after runtime impact:

  • Initial proof DAG audit completed 5/5 tasks in ~1m09s.
  • Adversarial proof DAG audit completed 5/5 tasks in ~55s.
  • Full local verification chain (pnpm install --frozen-lockfile && pnpm lint && pnpm typecheck && pnpm build && pnpm test) completed in ~40s after the adversarial fixes.
  • Sequential local example builds completed in ~22s after the adversarial fixes.
  • Exact GitHub Actions runtime impact should be measured from PR checks; expected improvements are deterministic installs, cancellation of superseded runs, and replacing duplicate Next.js integration work with real SvelteKit build coverage.

Follow-ups deferred:

  • Repair or remove dormant root ESLint in a dedicated PR; reconsider Biome/Oxc only after that boundary is explicit.
  • Add package-level typecheck scripts/project references across the monorepo.
  • Unify AVA/Vitest or document longer-term ownership.
  • Add coverage thresholds after test runner boundaries are settled.
  • Resolve SvelteKit route data typing and then add svelte-check to CI.
  • Audit Apollo Server v3, Express-GraphQL, @nrwl/workspace, tsconfig-paths, and other deprecated/possibly dead dependencies separately.

Closes #

Please don't delete this checklist! Before submitting the PR, please make sure you do the following:

  • I added doc comments to any new public exports, and inline comments to any hard-to-understand areas
  • My changes generate no new console errors locally
  • If applicable, try to include a test that fails without this PR but passes with it

Does this introduce any non-backwards compatible changes?

  • Yes
  • No

Does this include any user config changes?

  • Yes
    • If so, I have updated the relevant areas of documentation
  • No
Open in Web Open in Cursor 

@cursor cursor Bot force-pushed the toeknee/modernize-tooling-ci-1d04 branch 2 times, most recently from 94ff552 to 53d71fd Compare May 8, 2026 00:02
@cursor cursor Bot changed the title chore: modernize package test toolchain chore: modernize package tooling and CI May 8, 2026
@cursor cursor Bot force-pushed the stack/tonyketcham/feat/proof-package/add-pkg-readme--1b0148ae branch from b91daec to 3eafa04 Compare May 8, 2026 00:46
Base automatically changed from stack/tonyketcham/feat/proof-package/add-pkg-readme--1b0148ae to main May 8, 2026 01:16
cursoragent added 5 commits May 8, 2026 05:33
@cursoragent
chore: modernize package test toolchain
52290aa 
Objective: modernize the lowest-risk dependency/toolchain slice by aligning the packages that already use Vitest with current Vitest, Vite, TypeScript, Node typings, and tsup, while adding root scripts for typecheck, split test runners, and full local verification.

Rationale: the proof audit found that @flatbread/codegen and @flatbread/utils had Vitest suites that were not reachable from the root test script, and their test stack was pinned to older TypeScript/tsup/Vitest versions. Root package metadata now pins the package manager and Node floor used by the modern Vite/Vitest toolchain.

Migration notes: root test now runs AVA first and then the existing Vitest-backed package suites. Root typecheck is intentionally scoped to @flatbread/proof because it is the only package with a dedicated typecheck script today. prepublish:ci no longer mutates dependency ranges via recursive update and instead verifies frozen install plus generated declarations.

Rollback: restore package.json, packages/codegen/package.json, packages/utils/package.json, and pnpm-lock.yaml from the previous commit. This reverts the package manager metadata, root scripts, and the scoped Vitest/Vite/TypeScript/tsup updates without touching source behavior.
Change-Id: I779b9a2d46804836b932f76757a675ab023b0149
@cursoragent
ci: harden pipeline verification
caf9b6d 
Objective: make the existing GitHub Actions pipeline deterministic and more complete without restructuring every job in one review.

Rationale: the proof audit found mutable pnpm installs, no explicit typecheck, Vitest suites omitted from root CI, and a SvelteKit integration job that actually built the Next.js example. The workflow now pins pnpm, uses frozen installs, sets read-only permissions and cancellation concurrency, runs the root proof typecheck, runs the root test script that includes AVA plus Vitest, and points SvelteKit integration at the SvelteKit example.

Runtime impact: exact CI minutes require GitHub measurements, but frozen installs improve determinism and concurrency cancels superseded PR runs. The prior SvelteKit job duplicated Next.js coverage; the updated job trades that duplicate work for real SvelteKit build coverage. Native build approvals make pnpm 10 installs reliable for esbuild, sharp, sqlite3, and related maintained native packages.

Rollback: revert .github/workflows/pipeline.yml and pnpm-workspace.yaml. The script and dependency changes from the previous stack entry remain usable locally if this workflow tightening needs to be backed out.
Change-Id: I003869a3e87761629ccf23947380ed1ec8709ce5
@cursoragent
docs: record tooling modernization decisions
6cbb944 
Objective: capture the rationale, migration notes, rollback considerations, runtime impact, Biome/Oxc evaluation, and deferred follow-ups for the modernization stack.

Rationale: the proof audit recommended not adopting Biome or Oxc in this pass because formatter/linter boundaries span Markdown, YAML, Next.js, SvelteKit, dormant root ESLint, and framework-specific rules. A decision record keeps that tradeoff visible without coupling it to executable workflow changes.

Runtime notes: local proof completed 5/5 tasks in about 1m09s; focused codegen/utils builds completed in about 4s after package-local TS configs; proof typecheck completed in about 2.5s. Exact CI runtime impact should be measured on GitHub Actions after this stack runs.

Rollback: revert docs/tooling-modernization.md. No runtime behavior changes are included in this commit.
Change-Id: Ic160f37689a8d054c298b09226401abe95b9d092
@cursoragent
chore: clean modernization config smells
dbc5325 
Objective: remediate low-risk configuration smells found by the adversarial proof audit.

Rationale: package-local pnpm.peerDependencyRules blocks were ignored by pnpm and produced install warnings even though the root already owns the GraphQL peer policy. Root TypeScript paths omitted existing workspace packages, and the Next.js example invoked the flatbread CLI without declaring the workspace dependency it relies on. The SvelteKit example repository metadata still pointed at the old playground path.

Migration notes: pnpm peer policy remains at the root package.json. The Next.js example now declares flatbread as a workspace dev dependency. Added root path aliases are IDE/type-resolution hygiene only and do not change runtime exports.

Rollback: revert this commit to restore the previous package metadata, path aliases, and lockfile entries. The previous stack entries remain independently valid.
Change-Id: I54fc3c5302d102a8d677f063fcc1d174f9ffc3f8
@cursoragent
docs: align modernization developer guidance
8895c4a 
Objective: remediate documentation and DX smells from the adversarial proof audit.

Rationale: CONTRIBUTING still told developers to use Node 16+, omitted the pinned pnpm/Corepack path, described Vitest as the dominant runner, and did not mention the new pnpm verify command. The Flatbread package README linked to the old playground path and contained a broken fieldNameTransform example.

Migration notes: contributor guidance now reflects Node 20.19+, pnpm 10.33.x, root AVA plus package-local Vitest behavior, Prettier as the enforced lint gate, and pnpm verify for local CI parity.

Rollback: revert this commit to restore the prior docs only. No runtime code or package metadata changes are included.
Change-Id: I37b2abadd3433fb0d2145c2db64b4a0b9730f917
@cursor cursor Bot force-pushed the toeknee/modernize-tooling-ci-1d04 branch from e706434 to 8895c4a Compare May 8, 2026 05:35
@tonyketcham tonyketcham marked this pull request as ready for review May 8, 2026 05:40
@tonyketcham tonyketcham merged commit 49fba33 into main May 8, 2026
19 checks passed
@tonyketcham tonyketcham deleted the toeknee/modernize-tooling-ci-1d04 branch May 8, 2026 05:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tonyketcham @cursoragent