feat(ci): cache pharos-tokens fingerprint + activate TurboSnap

[dgraciac]

Summary

Activates TurboSnap (`onlyChanged: true` in `chromaui/action`) by caching the content fingerprint of `@code-sherpas/pharos-tokens` in a git-tracked file. Closes the long-standing reason TurboSnap was disabled: pharos-tokens ships its CSS through `node_modules/`, which falls outside the git tree TurboSnap compares against, so a pharos-tokens release that changed pixels could not invalidate any snapshot (documented in the old comment in chromatic.yml, observed live when `error.fg` was darkened to pass WCAG AA 4.5:1).

Architecture

Four coordinated pieces:

1. `scripts/snapshot-pharos-tokens.sh` — hashes every file under `node_modules/@code-sherpas/pharos-tokens` (sorted, content-addressed, locale-independent). Writes `version= / content_sha256=` to `.pharos-tokens.fingerprint`. Hashing the whole installed package directory, not just `dist/styles.css`, eliminates the residual risk a non-CSS change (a future JS icon-registry, a `.d.ts` shipped with the runtime, a metadata field that affects rendering) slips through unnoticed.

2. `package.json` `postinstall` — runs the script after every `pnpm install`. Local developers get the fingerprint regenerated automatically; `git status` surfaces the drift to be committed.

3. `ci.yml` `Verify pharos-tokens fingerprint is current` step — runs right after `pnpm install --frozen-lockfile` (which already executes the postinstall) and fails the CI with a precise remediation message when the committed fingerprint disagrees with `node_modules/`. This is the gate that prevents stale-fingerprint Chromatic baselines from shipping. Should be made a required status check via branch protection on `main` (CTO action — separate from this PR; see PR description below for the exact `gh api` invocation).

4. `chromatic.yml` — flips `onlyChanged: true` and declares `.pharos-tokens.fingerprint` as a Chromatic `externals` glob. A pharos-tokens release that mutates any byte under `dist/` changes the fingerprint → TurboSnap sees the diff in the git tree → invalidates the whole baseline. Same correctness as today's `onlyChanged: false`, but limited to bumps that actually matter.

Expected impact

Chromatic publishes 40–60% reduction in snapshot consumption for typical workflows. For pharos-react specifically, the win compounds because:

• Every Dependabot patch of dev-deps (vite/eslint/prettier/jsdom/chromatic itself) currently spends 67 snapshots × 2 (PR + main). With TurboSnap and an unchanged fingerprint, those PRs snapshot zero stories.
• Every PR adding a single atom currently rebuilds all 67 stories. With TurboSnap, only the stories importing the changed module rebuild — typically 4-8 per atom PR.
• pharos-tokens bumps still rebuild everything (the fingerprint changes), as they should.

What this does not do

• Does not change the public API. Pure CI / tooling change.
• Does not rely on PR ci(chromatic): skip snapshots on docs-only changes + Dependabot PRs #85 (paths-ignore for docs). The two PRs are independent and can land in either order. If ci(chromatic): skip snapshots on docs-only changes + Dependabot PRs #85 merges first, the TurboSnap PR rebases cleanly (different comment blocks in chromatic.yml).
• Does not bypass any guardrail. The fingerprint-verify step is what makes TurboSnap safe again; without that gate the original failure mode returns.

Local verification

• `pnpm install --frozen-lockfile` triggers postinstall, which regenerates `.pharos-tokens.fingerprint`. File content is idempotent given the same `node_modules/@code-sherpas/pharos-tokens` contents.
• `pnpm build` / `pnpm typecheck` / `pnpm lint` / `pnpm format:check` / `pnpm test` — all clean (136 tests pass).
• Simulated stale-fingerprint: editing `.pharos-tokens.fingerprint` by hand, then running the verify step (`git diff --exit-code .pharos-tokens.fingerprint`) fails with the expected remediation message.

Required branch-protection follow-up

After this merges, the `lint + typecheck + build + test` CI job needs to remain a required status check on `main` (it already is — this PR adds a step inside it, not a new job). Nothing further required for the verify step itself.

Test plan

• CI on this PR runs Chromatic with TurboSnap on. Expect ~67 snapshots invalidated this run (the `.pharos-tokens.fingerprint` is brand new and triggers the rebuild).
• After merge: a follow-up PR that does not touch `pharos-tokens` should see TurboSnap skip most stories. Verify in Chromatic UI `Build N` → `changed: X / Y` line.
• After merge: open a synthetic PR that bumps `pharos-tokens` to a new patch — fingerprint should change, TurboSnap should rebuild everything, no stale snapshot risk.
• Verify the fingerprint-verify step fails the build when fingerprint is stale (edit fingerprint manually in a draft PR, push, expect CI red).

🤖 Generated with Claude Code

[chromatic-com]

Warning

Testing paused

Monthly snapshot limit reached. Update your plan to get more snapshots and resume testing.