Align project-backed config failures with app config validate JSON

[dmerand]

What

Align the remaining project-backed local configuration failures with shopify app config validate --json.

This PR extends the same LocalConfigError path to Project / ActiveConfig-backed failures and surfaces malformed discovered extension and web configs through the existing validation flow.

Why

After the Project-based app discovery changes, some local failures were still bypassing the JSON validation contract:

• missing app roots
• malformed selected app configs
• missing selected app configs
• malformed discovered extension configs
• malformed discovered web configs

That left app config validate --json inconsistent depending on where a local configuration failure originated.

How

• use LocalConfigError for Project-backed app discovery failures
• use LocalConfigError for ActiveConfig selection failures
• preserve malformed app, extension, and web TOML metadata in Project
• filter malformed discovered extension and web configs to the active app config
• report those malformed discovered configs through the loader’s existing error aggregation path

Notes

This keeps the layering aligned with the Project extraction:

• Project owns discovery facts
• ActiveConfig owns selection
• loader owns validation aggregation
• command/service own public JSON serialization

Testing

Manual checks against a local test app:

• run app config validate --json against an app with an existing validation error (for example, an extension config missing a required name) and confirm it returns {valid: false, issues: [...]}
• run with --path pointing outside any app and confirm it returns a root issue in JSON
• break shopify.app.toml with invalid TOML (for example, replace the file contents with {{invalid toml) and confirm the parse failure returns a root issue in JSON
• run with --config missing and confirm the command returns a root issue for shopify.app.missing.toml
• create a broken selected config such as shopify.app.broken.toml containing {{invalid toml, run with --config broken, and confirm it returns a root issue in JSON
• break a discovered shopify.extension.toml with invalid TOML (for example, replace the file contents with {{invalid toml) and confirm the command returns valid: false instead of reporting a valid app

[dmerand]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• Add Monorail telemetry for app config validate #7120
• Align project-backed config failures with app config validate JSON #7106 👈 (View in Graphite)
• Expose structured local configuration issues in app config validate JSON #7090 : 1 other dependent PR (#7103 )
• Preserve structured app validation issues internally #7066 : 1 other dependent PR (#7070 )
• Add --json to app config validate #7065
• --json -j should not use color #7069
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

Differences in type declarations

We detected differences in the type declarations generated by Typescript for this branch compared to the baseline ('main' branch). Please, review them to ensure they are backward-compatible. Here are some important things to keep in mind:

• Some seemingly private modules might be re-exported through public modules.
• If the branch is behind main you might see odd diffs, rebase main into this branch.

New type declarations

We found no new type declarations in this PR

Existing type declarations

packages/cli-kit/dist/private/node/constants.d.ts

@@ -8,7 +8,7 @@ export declare const environmentVariables: {
     env: string;
     firstPartyDev: string;
     noAnalytics: string;
-    appAutomationToken: string;
+    cliToken: string;
     partnersToken: string;
     runAsUser: string;
     serviceEnv: string;

packages/cli-kit/dist/public/node/environment.d.ts

@@ -10,12 +10,12 @@
  */
 export declare function getEnvironmentVariables(): NodeJS.ProcessEnv;
 /**
- * Returns the value of the SHOPIFY_APP_AUTOMATION_TOKEN environment variable,
+ * Returns the value of the SHOPIFY_CLI_TOKEN environment variable,
  * falling back to the deprecated SHOPIFY_CLI_PARTNERS_TOKEN.
  *
- * @returns The app automation token value, or undefined if neither env var is set.
+ * @returns The CLI token value, or undefined if neither env var is set.
  */
-export declare function getAppAutomationToken(): string | undefined;
+export declare function getCliToken(): string | undefined;
 /**
  * Returns the value of the organization id from the environment variables.
  *

packages/cli-kit/dist/public/node/path.d.ts

 import type { URL } from 'url';
 /**
  * Joins a list of paths together.
  *
  * @param paths - Paths to join.
  * @returns Joined path.
  */
 export declare function joinPath(...paths: string[]): string;
 /**
  * Normalizes a path.
  *
  * @param path - Path to normalize.
  * @returns Normalized path.
  */
 export declare function normalizePath(path: string): string;
 /**
  * Resolves a list of paths together.
  *
  * @param paths - Paths to resolve.
  * @returns Resolved path.
  */
 export declare function resolvePath(...paths: string[]): string;
 /**
  * Returns the relative path from one path to another.
  *
  * @param from - Path to resolve from.
  * @param to - Path to resolve to.
  * @returns Relative path.
  */
 export declare function relativePath(from: string, to: string): string;
 /**
  * Returns whether the path is absolute.
  *
  * @param path - Path to check.
  * @returns Whether the path is absolute.
  */
 export declare function isAbsolutePath(path: string): boolean;
 /**
  * Returns the directory name of a path.
  *
  * @param path - Path to get the directory name of.
  * @returns Directory name.
  */
 export declare function dirname(path: string): string;
 /**
  * Returns the base name of a path.
  *
  * @param path - Path to get the base name of.
  * @param ext - Optional extension to remove from the result.
  * @returns Base name.
  */
 export declare function basename(path: string, ext?: string): string;
 /**
  * Returns the extension of the path.
  *
  * @param path - Path to get the extension of.
  * @returns Extension.
  */
 export declare function extname(path: string): string;
 /**
  * Parses a path into its components (root, dir, base, ext, name).
  *
  * @param path - Path to parse.
  * @returns Parsed path object.
  */
 export declare function parsePath(path: string): {
     root: string;
     dir: string;
     base: string;
     ext: string;
     name: string;
 };
 /**
  * Given an absolute filesystem path, it makes it relative to
  * the current working directory. This is useful when logging paths
  * to allow the users to click on the file and let the OS open it
  * in the editor of choice.
  *
  * @param path - Path to relativize.
  * @param dir - Current working directory.
  * @returns Relativized path.
  */
 export declare function relativizePath(path: string, dir?: string): string;
 /**
  * Given 2 paths, it returns whether the second path is a subpath of the first path.
  *
  * @param mainPath - The main path.
  * @param subpath - The subpath.
  * @returns Whether the subpath is a subpath of the main path.
  */
 export declare function isSubpath(mainPath: string, subpath: string): boolean;
 /**
  * Given a module's import.meta.url it returns the directory containing the module.
  *
  * @param moduleURL - The value of import.meta.url in the context of the caller module.
  * @returns The path to the directory containing the caller module.
  */
 export declare function moduleDirectory(moduleURL: string | URL): string;
 /**
  * When running a script using `npm run`, something interesting happens. If the current
  * folder does not have a `package.json` or a `node_modules` folder, npm will traverse
  * the directory tree upwards until it finds one. Then it will run the script and set
  * `process.cwd()` to that folder, while the actual path is stored in the INIT_CWD
  * environment variable (see here: https://docs.npmjs.com/cli/v9/commands/npm-run-script#description).
  *
  * @returns The path to the current working directory.
  */
 export declare function cwd(): string;
 /**
  * Tries to get the value of the `--path` argument, if provided.
  *
  * @param argv - The arguments to search for the `--path` argument.
  * @returns The value of the `--path` argument, if provided.
  */
 export declare function sniffForPath(argv?: string[]): string | undefined;
 /**
  * Returns whether the `--json` or `-j` flags are present in the arguments.
  *
  * @param argv - The arguments to search for the `--json` and `-j` flags.
  * @returns Whether the `--json` or `-j` flag is present in the arguments.
  */
 export declare function sniffForJson(argv?: string[]): boolean;
-/**
- * Removes any `..` traversal segments from a relative path and calls `warn`
- * if any were stripped. Normal `..` that cancel out within the path (e.g.
- * `foo/../bar` → `bar`) are collapsed but never allowed to escape the root.
- * Both `/` and `\` are treated as separators for cross-platform safety.
- *
- * @param input - The relative path to sanitize.
- * @param warn - Called with a human-readable warning when traversal segments are removed.
- * @returns The sanitized path (may be an empty string if all segments were traversal).
- */
-export declare function sanitizeRelativePath(input: string, warn: (msg: string) => void): string;

packages/cli-kit/dist/private/node/session/exchange.d.ts

@@ -25,9 +25,9 @@ export declare function exchangeAccessForApplicationTokens(identityToken: Identi
  */
 export declare function refreshAccessToken(currentToken: IdentityToken): Promise<IdentityToken>;
 /**
- * Given a custom app automation token passed as ENV variable, request a valid Partners API token.
+ * Given a custom CLI token passed as ENV variable, request a valid Partners API token.
  * This token does not accept extra scopes, just the cli one.
- * @param token - The app automation token passed as ENV variable 
+ * @param token - The CLI token passed as ENV variable 
  * @returns An instance with the application access tokens.
  */
 export declare function exchangeCustomPartnerToken(token: string): Promise<{
@@ -35,20 +35,20 @@ export declare function exchangeCustomPartnerToken(token: string): Promise<{
     userId: string;
 }>;
 /**
- * Given a custom app automation token passed as ENV variable, request a valid App Management API token.
- * @param token - The app automation token passed as ENV variable 
+ * Given a custom CLI token passed as ENV variable, request a valid App Management API token.
+ * @param token - The CLI token passed as ENV variable 
  * @returns An instance with the application access tokens.
  */
-export declare function exchangeAppAutomationTokenForAppManagementAccessToken(token: string): Promise<{
+export declare function exchangeCliTokenForAppManagementAccessToken(token: string): Promise<{
     accessToken: string;
     userId: string;
 }>;
 /**
- * Given a custom app automation token passed as ENV variable, request a valid Business Platform API token.
- * @param token - The app automation token passed as ENV variable 
+ * Given a custom CLI token passed as ENV variable, request a valid Business Platform API token.
+ * @param token - The CLI token passed as ENV variable 
  * @returns An instance with the application access tokens.
  */
-export declare function exchangeAppAutomationTokenForBusinessPlatformAccessToken(token: string): Promise<{
+export declare function exchangeCliTokenForBusinessPlatformAccessToken(token: string): Promise<{
     accessToken: string;
     userId: string;
 }>;

packages/cli-kit/dist/public/node/toml/toml-file.d.ts

 import { JsonMapType } from './codec.js';
 /**
- * Thrown when a TOML file does not exist at the expected path.
- */
-export declare class TomlFileNotFoundError extends Error {
-    readonly path: string;
-    constructor(path: string);
-}
-/**
  * Thrown when a TOML file cannot be parsed. Includes the file path for context.
  */
 export declare class TomlParseError extends Error {
     readonly path: string;
     constructor(path: string, cause: Error);
 }
 /**
  * General-purpose TOML file abstraction.
  *
  * Provides a unified interface for reading, patching, removing keys from, and replacing
  * the content of TOML files on disk.
  *
  * - `read` populates content from disk
  * - `patch` does surgical WASM-based edits (preserves comments and formatting)
  * - `remove` deletes a key by dotted path (preserves comments and formatting)
  * - `replace` does a full re-serialization (comments and formatting are NOT preserved).
  * - `transformRaw` applies a function to the raw TOML string on disk.
  */
 export declare class TomlFile {
     /**
      * Read and parse a TOML file from disk. Throws if the file doesn't exist or contains invalid TOML.
      * Parse errors are wrapped in {@link TomlParseError} with the file path for context.
      *
      * @param path - Absolute path to the TOML file.
      * @returns A TomlFile instance with parsed content.
      */
     static read(path: string): Promise<TomlFile>;
     readonly path: string;
     content: JsonMapType;
     constructor(path: string, content: JsonMapType);
     /**
      * Surgically patch values in the TOML file, preserving comments and formatting.
      *
      * Accepts a nested object whose leaf values are set in the TOML. Intermediate tables are
      * created automatically. Setting a leaf to `undefined` removes it (use `remove()` for a
      * clearer API when deleting keys).
      *
      * @example
      * ```ts
      * await file.patch({build: {dev_store_url: 'my-store.myshopify.com'}})
      * await file.patch({application_url: 'https://example.com', auth: {redirect_urls: ['...']}})
      * ```
      */
     patch(changes: {
         [key: string]: unknown;
     }): Promise<void>;
     /**
      * Remove a key from the TOML file by dotted path, preserving comments and formatting.
      *
      * @param keyPath - Dotted key path to remove (e.g. 'build.include_config_on_deploy').
      * @example
      * ```ts
      * await file.remove('build.include_config_on_deploy')
      * ```
      */
     remove(keyPath: string): Promise<void>;
     /**
      * Replace the entire file content. The file is fully re-serialized — comments and formatting
      * are NOT preserved.
      *
      * @param content - The new content to write.
      * @example
      * ```ts
      * await file.replace({client_id: 'abc', name: 'My App'})
      * ```
      */
     replace(content: JsonMapType): Promise<void>;
     /**
      * Transform the raw TOML string on disk. Reads the file, applies the transform function
      * to the raw text, writes back, and re-parses to keep `content` in sync.
      *
      * Use this for text-level operations that can't be expressed as structured edits —
      * e.g. Injecting comments or positional insertion of keys in arrays-of-tables.
      * Subsequent `patch()` calls will preserve any comments added this way.
      *
      * @param transform - A function that receives the raw TOML string and returns the modified string.
      * @example
      * ```ts
      * await file.transformRaw((raw) => `# Header comment\n${raw}`)
      * ```
      */
     transformRaw(transform: (raw: string) => string): Promise<void>;
     private decode;
 }

[github-actions]

Coverage report

St.❔	Category	Percentage	Covered / Total
🟢	Statements	82.36%	15202/18457
🟡	Branches	74.89%	7502/10017
🟢	Functions	81.44%	3827/4699
🟢	Lines	82.75%	14368/17363

Test suite run success

4015 tests passing in 1530 suites.

Report generated by 🧪jest coverage report action from 818de8b

[github-actions]

We detected some changes at packages/*/src and there are no updates in the .changeset.
If the changes are user-facing, run pnpm changeset add to track your changes and include them in the next release CHANGELOG.

Caution

DO NOT create changesets for features which you do not wish to be included in the public changelog of the next CLI release.