Add client steps implementation to support existing functionalities

[alfonso-noriega]

Add build step infrastructure for extension asset management

WHY are these changes introduced?

This introduces a flexible build step system to handle various asset copying and processing needs for different extension types, replacing hardcoded build logic with configurable steps.

WHAT is this pull request doing?

• Adds 'admin' to the CONFIG_EXTENSION_IDS array for admin extensions
• Creates new build step executors:
  • executeIncludeAssetsStep - handles pattern-based, static, and config-key-driven asset copying with comprehensive test coverage
  • executeCopyStaticAssetsStep - copies static assets defined in extension build manifests
  • executeCreateTaxStubStep - generates minimal JavaScript stub files for tax calculation extensions
• Implements a centralized step router (executeStepByType) that dispatches to appropriate handlers based on step type
• Supports multiple inclusion strategies:
  • Pattern-based file selection using glob patterns
  • Static file/directory copying with optional destination paths
  • Configuration key resolution for dynamic path discovery
  • Configurable structure preservation and flattening options

How to test your changes?

1. Create an extension with various asset types (static files, pattern-matched files, config-driven paths)
2. Configure build steps using the new include_assets step type with different inclusion strategies
3. Run the build process and verify assets are copied correctly to output directories
4. Test with admin extensions to ensure they're recognized as config extensions
5. Run the comprehensive test suite for include-assets-step.test.ts

Measuring impact

How do we know this change was effective? Please choose one:

• n/a - this doesn't need measurement, e.g. a linting rule or a bug-fix

Checklist

• I've considered possible cross-platform impacts (Mac, Linux, Windows)
• I've considered possible documentation changes

[alfonso-noriega]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• Refactor extension build process to use modular build steps #6867 : 2 dependent PRs (#6868 , #6869 )
• Read client steps from remote config #6941
• Add client steps implementation to support existing functionalities #6966 👈 (View in Graphite)
• Create abstract client steps infrastracture to externalize the ap modules client configurations #6965
• Clean up module outputFile calculation and move it to the specifications #6967
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

We detected some changes at packages/*/src and there are no updates in the .changeset.
If the changes are user-facing, run pnpm changeset add to track your changes and include them in the next release CHANGELOG.

Caution

DO NOT create changesets for features which you do not wish to be included in the public changelog of the next CLI release.

[github-actions]

Coverage report

St.❔	Category	Percentage	Covered / Total
🟡	Statements	78.76%	14572/18502
🟡	Branches	73%	7245/9925
🟡	Functions	78.97%	3714/4703
🟡	Lines	79.1%	13768/17405

Test suite run success

3814 tests passing in 1458 suites.

Report generated by 🧪jest coverage report action from 6a3974c

[binks-code-reviewer]

Path traversal: include_assets can write outside outputDir

joinPath(outputDir, entry.destination) is used directly with user-controlled config (destination). If destination is absolute (/etc) or contains ../.., it can escape outputDir and overwrite arbitrary files on the machine running the build (CI runner, developer machine). Same class of issue exists for entry.baseDir (controls sourceDir), copySourceEntry(...destination) (static destination), copyConfigKeyEntry(...destination) (configKey destination), and copyConfigKeyEntry where the config value itself can be ../../something.

Because build manifests/config are extension-provided, a malicious extension (or compromised repo) could cause the CLI to overwrite sensitive files or poison other build artifacts.

[binks-code-reviewer]

🤖 Code Review · #projects-dev-ai for questions
React with 👍/👎 or reply — all feedback helps improve the agent.

✅ Complete - 2 findings

📋 History

❌ Failed → ✅ 1 findings → ❌ Failed → ❌ Failed → ✅ 1 findings → ✅ 2 findings

[binks-code-reviewer]

Static include_assets copy treats sourcePath as directory when destination is omitted

In copySourceEntry, when destination is omitted it unconditionally calls copyDirectoryContents(sourcePath, ...). If sourcePath is a file (e.g., {type:'static', source:'README.md'} without destination), copyDirectoryContents will likely throw (ENOTDIR). Docs/schema imply static entries can be file/directory, but implementation only supports directory when destination is omitted.

[ryancbahan]

are we ever using _step? why is it included?

[binks-code-reviewer]

Tax stub step can overwrite a directory with a JS file

The step writes the stub to extension.outputPath directly. If outputPath is configured as a directory (which the include_assets step supports when “no extension”), this will attempt to write a file over a directory path and fail, or clobber expected directory structure.

Evidence:

await touchFile(extension.outputPath)
await writeFile(extension.outputPath, '(()=>{})();')

[binks-code-reviewer]

include_assets pattern copy can silently overwrite on filename collisions when flattening

When preserveStructure is false, it flattens to basename(filepath). If multiple matched files share a basename (e.g. index.js, styles.css in different folders), later copies overwrite earlier ones with no warning, producing nondeterministic artifacts depending on glob ordering.

Evidence:

const relPath = preserveStructure ? relativePath(sourceDir, filepath) : basename(filepath)
const destPath = joinPath(outputDir, relPath)
await copyFile(filepath, destPath)