fix: copy Composer runtime files for premium build

[Arukuen]

fixes #55

Summary by CodeRabbit

• Chores
  • Enhanced the build packaging process to include Composer runtime files in premium artifacts with validation checks to ensure all required files are present before packaging.

[coderabbitai]

📝 Walkthrough

Walkthrough

scripts/package.js now includes a premium-only packaging step that validates and copies required Composer runtime files (including SVG sanitizer dependencies) into premium build artifacts. A new constant defines required paths, a helper function validates and copies them with error handling, and the build pipeline calls this helper after copying standard built files.

Changes

Premium Composer Runtime Packaging

Layer / File(s)	Summary
Premium runtime paths configuration scripts/package.js	PREMIUM_COMPOSER_RUNTIME_PATHS constant array defines vendor paths (vendor/autoload.php, composer vendor directories, vendor/enshrined/svg-sanitize) required in packaged premium artifacts.
Runtime file copy implementation scripts/package.js	copyPremiumComposerRuntime(buildDir) helper validates and copies configured runtime paths into the build directory, returning early for non-premium builds and throwing errors if required paths are missing.
Build pipeline integration scripts/package.js	packagePlugin() now calls the premium runtime copy step after copying built files, ensuring Composer dependencies are present in premium builds.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A hop, a skip, through vendor trees—
Composer files dance on the breeze,
Sanitizer bundled, safe and sound,
Premium SVGs are homeward bound! ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Linked Issues check	❓ Inconclusive	Issue #55 requires fixing SVG sanitization by ensuring the sanitizer library loads at upload time. The PR copies Composer runtime files, but this appears to be an indirect solution addressing the underlying library loading issue.	Clarify how copying Composer runtime files resolves the sanitizer library loading failure described in issue #55, or provide additional context about the relationship between Composer runtime and the sanitizer library.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title mentions copying Composer runtime files for premium builds, which aligns with the code changes that add a copyPremiumComposerRuntime helper function.
Out of Scope Changes check	✅ Passed	The PR focuses on adding Composer runtime file copying to the build process, which relates to the library loading issue in #55, though the connection could be more explicit.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/55-composer-in-build

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🤖 Pull request artifacts

file	commit
pr59-cimo-59-merge.zip	b475d88

[coderabbitai]

🧹 Nitpick comments (3)

scripts/package.js (3)

335-342: 💤 Low value

Consider moving the log statement inside the function for consistency.

The current pattern has conditional logging followed by an unconditional function call (which has an internal guard). Other similar functions in this file (addSecurityFiles, updatePluginHeaderVersion) are called unconditionally without conditional logging wrappers. For consistency, either move the logging inside copyPremiumComposerRuntime, or wrap the entire function call in the if block.

♻️ Option 1: Move logging inside the function

-	// Copy Composer runtime files for premium build
-	// Only do this in premium since the SVG sanitizer used
-	// for SVG optimization is a premium-only feature.
-	if ( IS_PREMIUM_BUILD ) {
-		// eslint-disable-next-line no-console
-		console.log( '📁 Copying Composer runtime files...' )
-	}
 	copyPremiumComposerRuntime( BUILD_DIR )

Then inside copyPremiumComposerRuntime (after line 195):

 function copyPremiumComposerRuntime( buildDir ) {
 	if ( ! IS_PREMIUM_BUILD ) {
 		return
 	}
+	// Copy Composer runtime files for premium build
+	// Only do this in premium since the SVG sanitizer used
+	// for SVG optimization is a premium-only feature.
+	// eslint-disable-next-line no-console
+	console.log( '📁 Copying Composer runtime files...' )
 
 	for ( const runtimePath of PREMIUM_COMPOSER_RUNTIME_PATHS ) {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/package.js` around lines 335 - 342, The console.log belongs inside
copyPremiumComposerRuntime for consistency: remove the external IS_PREMIUM_BUILD
conditional logging and instead add the '📁 Copying Composer runtime files...'
log at the start of the copyPremiumComposerRuntime function (immediately after
its internal premium guard), so callers can call
copyPremiumComposerRuntime(BUILD_DIR) unconditionally (matching patterns used by
addSecurityFiles and updatePluginHeaderVersion) while the function itself
handles whether to log and act.

---

199-201: ⚡ Quick win

Improve error message with actionable guidance.

When Composer runtime files are missing, guide the user to install dependencies.

📝 Suggested improvement

 			throw new Error(
-				`Missing Composer runtime file required for premium build: ${ runtimePath }`
+				`Missing Composer runtime file required for premium build: ${ runtimePath }. Run 'composer install' to install dependencies.`
 			)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/package.js` around lines 199 - 201, Update the thrown Error in
scripts/package.js that currently says `Missing Composer runtime file required
for premium build: ${ runtimePath }` to include actionable guidance: mention
which dependency or package to install (e.g., run npm/yarn install or install
the Composer runtime package), provide the command(s) to run, and suggest
verifying the runtimePath or re-running the build; change the message where the
Error is constructed (the throw new Error(...) that references runtimePath) to
include these instructions so users know how to resolve the missing Composer
runtime files.

---

208-208: ⚖️ Poor tradeoff

Consider using a vendor-specific copy function instead of copyDir.

copyDir (lines 84-146) excludes .js, .css, .map, .md, package.json, and node_modules because it was designed for WordPress plugin source directories. For Composer vendor directories, these exclusions may be too aggressive. While the current enshrined/svg-sanitize library is pure PHP and won't be affected, future Composer dependencies might include runtime-required assets (e.g., browser-side JS validators, CSS for admin UI components) that would be silently excluded.

Consider either:

• Using copyBuiltDir (which copies everything without exclusions), or
• Creating a dedicated copyVendorDir function with vendor-appropriate exclusions (e.g., only exclude tests, docs, dev tools).

♻️ Option 1: Use copyBuiltDir for vendor directories

 		if ( stat.isDirectory() ) {
-			copyDir( runtimePath, destPath )
+			copyBuiltDir( runtimePath, destPath )
 		} else {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@scripts/package.js` at line 208, The current call to copyDir(runtimePath,
destPath) uses a function that intentionally excludes files like .js, .css,
.map, .md, package.json and node_modules (see copyDir), which is too aggressive
for Composer/vendor packages; replace this call with copyBuiltDir(runtimePath,
destPath) to copy everything, or implement a new copyVendorDir(source, dest)
that only excludes dev artifacts (tests, docs, examples) but preserves runtime
assets (JS/CSS/package.json), and then call that from where copyDir is currently
invoked.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@scripts/package.js`:
- Around line 335-342: The console.log belongs inside copyPremiumComposerRuntime
for consistency: remove the external IS_PREMIUM_BUILD conditional logging and
instead add the '📁 Copying Composer runtime files...' log at the start of the
copyPremiumComposerRuntime function (immediately after its internal premium
guard), so callers can call copyPremiumComposerRuntime(BUILD_DIR)
unconditionally (matching patterns used by addSecurityFiles and
updatePluginHeaderVersion) while the function itself handles whether to log and
act.
- Around line 199-201: Update the thrown Error in scripts/package.js that
currently says `Missing Composer runtime file required for premium build: ${
runtimePath }` to include actionable guidance: mention which dependency or
package to install (e.g., run npm/yarn install or install the Composer runtime
package), provide the command(s) to run, and suggest verifying the runtimePath
or re-running the build; change the message where the Error is constructed (the
throw new Error(...) that references runtimePath) to include these instructions
so users know how to resolve the missing Composer runtime files.
- Line 208: The current call to copyDir(runtimePath, destPath) uses a function
that intentionally excludes files like .js, .css, .map, .md, package.json and
node_modules (see copyDir), which is too aggressive for Composer/vendor
packages; replace this call with copyBuiltDir(runtimePath, destPath) to copy
everything, or implement a new copyVendorDir(source, dest) that only excludes
dev artifacts (tests, docs, examples) but preserves runtime assets
(JS/CSS/package.json), and then call that from where copyDir is currently
invoked.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8bae0516-9179-40ea-bb86-e9add8ff6742

📥 Commits

Reviewing files that changed from the base of the PR and between ddd2f82 and b475d88.

📒 Files selected for processing (1)

• scripts/package.js