fix(review): address M8 Phase 3 code review findings

[flyingrobots]

Summary

Addresses 9 code review findings (0 critical, 1 high, 3 medium, 3 low, 2 nit) from the M8 IRONCLAD Phase 3 diff (a7d2814).

• H1: Added declaration surface gate (typecheck:surface) to CI lint job
• M1: Documented release.yml trigger change in CHANGELOG
• M2: extractDtsExports now handles export declare syntax (class, const, function, default)
• M3: readRequired() helper for fail-fast on missing files with user-friendly error
• N1: Trimmed verbose consumer test bullet in CHANGELOG
• L1: Exercised 6 unused value imports (IndexStoragePort, error classes) in consumer.ts
• L2: Tightened tick receipt constants from readonly string[] to readonly TickReceiptOpType[] / readonly TickReceiptResult[]
• L3: Strip type keyword from export { type Foo } re-exports in both JS and DTS parsers
• N2: Added section header convention comment in consumer.ts

Test plan

• Gate 1: npm run typecheck — zero errors
• Gate 2: npm run typecheck:policy — 0/0 wildcards
• Gate 3: npm run typecheck:consumer — compiles clean
• Gate 4: npm run lint — ESLint passes
• Gate 5: npm run typecheck:surface — manifest covered
• Unit tests: 3803/3803 passed

Summary by CodeRabbit

• New Features

  • Added TickReceiptOpType and TickReceiptResult to the public API for improved type safety.

• Tests

  • Strengthened type-surface validation to recognize type-only and declare-annotated exports.

• CI / Chores

  • Added an extra declaration-surface check to CI and release workflows; release workflow now triggers on direct tag pushes.

• Documentation

  • Added a Content Attachment specification and updated changelog and backlog notes.

[coderabbitai]

Warning

Rate limit exceeded

@flyingrobots has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 20 minutes and 27 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Adds declaration-surface type checks to CI, enhances the export-surface checker to handle type-only and declare-prefixed exports with improved file error handling, updates tests to expose TickReceipt types, and adds backlog and a Content Attachment specification document.

Changes

Cohort / File(s)	Summary
CI / Workflow ​.github/workflows/ci.yml	Added "Declaration surface" step in lint and type-firewall jobs to run npm run typecheck:surface.
Export-surface checker scripts/check-dts-surface.js	Centralized file reads via readRequired() with clearer ENOENT handling; JS export parsing now strips leading type; declaration parsing recognizes export declare forms (class, const, function, default) and ignores type in export blocks.
Type-check tests test/type-check/consumer.ts	Exposes TickReceiptOpType and TickReceiptResult in the public surface and replaces generic string arrays with these specific types; adds type-only validation declarations for several storage/error types.
Changelog CHANGELOG.md	Edited 11.4.0 entry: condensed consumer type test details, added release workflow trigger note, removed ROADMAP.md update.
Docs / Specification docs/specs/CONTENT_ATTACHMENT.md	New Content Attachment spec describing CAS-based attachments, representation via _content, API approaches, CRDT semantics, materialize/history behavior, metadata, and future work.
Project backlog BACKLOG.md	New backlog listing CI/build, surface validator, type tests, content attachment, and developer experience items with identifiers and notes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰
I hopped through types and surfaces bright,
Sifted "type" and "declare" by moonlight,
CI hums a tidy tune,
Blobs and backlogs in the lune,
A rabbit nods — all checks delight!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(review): address M8 Phase 3 code review findings' accurately reflects the main objective of the PR—implementing fixes for code-review findings from M8 Phase 3.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/m8-phase3-review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Release Preflight

• package version: 11.4.0
• prerelease: false
• npm dist-tag on release: latest
• npm pack dry-run: passed
• jsr publish dry-run: passed

If you tag this commit as v11.4.0, release workflow will publish.

[coderabbitai]

🧹 Nitpick comments (1)

scripts/check-dts-surface.js (1)

96-133: extractDtsExports lacks a pattern for standalone export default <Identifier>.

The function covers six export forms, but misses the case where a class or interface is declared separately and then re-exported via export default Identifier on its own line—a common .d.ts pattern.

Current coverage:

• ✓ export [declare] [abstract] class Foo
• ✓ export interface Foo
• ✓ export type Foo =
• ✓ export [declare] const|function Foo
• ✓ export [declare] default class Foo (inline only)
• ✓ export { ... }

Not covered: export default WarpGraph (when WarpGraph declared separately)

Verification confirms index.d.ts currently uses the inline form (export default class WarpGraph), so the check passes. However, adding a safety-net pattern before the file evolves is prudent. The proposed regex with negative lookahead correctly avoids re-matching inline classes:

   // export default class Foo
   for (const m of src.matchAll(/export\s+(?:declare\s+)?default\s+class\s+(\w+)/g)) {
     names.add(m[1]);
   }
+  // export default Foo  (standalone identifier — common when class is declared separately)
+  for (const m of src.matchAll(/export\s+(?:declare\s+)?default\s+(\w+)(?!\s*class\b)/g)) {
+    names.add(m[1]);
+  }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/check-dts-surface.js` around lines 96 - 133, extractDtsExports misses
the "export default Identifier" form (e.g. "export default WarpGraph") and thus
won't catch defaults that re-export a separately-declared type; inside the
extractDtsExports function add a regex check for export default followed by an
identifier (ensuring it does not match inline class/interface declarations via a
negative lookahead) and add the captured identifier to the names Set so
standalone "export default Foo" entries are included alongside the existing
checks for classes, interfaces, types, consts/functions, default inline classes,
and export lists.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@scripts/check-dts-surface.js`:
- Around line 96-133: extractDtsExports misses the "export default Identifier"
form (e.g. "export default WarpGraph") and thus won't catch defaults that
re-export a separately-declared type; inside the extractDtsExports function add
a regex check for export default followed by an identifier (ensuring it does not
match inline class/interface declarations via a negative lookahead) and add the
captured identifier to the names Set so standalone "export default Foo" entries
are included alongside the existing checks for classes, interfaces, types,
consts/functions, default inline classes, and export lists.

[flyingrobots]

@coderabbitai Thanks for the nitpick — good catch on the standalone export default Identifier pattern.

✅ Addressed in commit ad557cf: added a regex for export default <Identifier> with a negative lookahead to avoid double-matching the existing export default class Foo pattern. Surface checker still passes (0 errors).

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@flyingrobots: Excellent! Thank you for addressing that edge case. The negative lookahead is a clean solution to prevent double-matching while still catching the standalone identifier pattern. Great to hear the surface checker passes cleanly! 🎉

---

If you found this review helpful, would you consider giving us a shout-out on X?

Thank you for using CodeRabbit!

[github-actions]

Release Preflight

• package version: 11.4.0
• prerelease: false
• npm dist-tag on release: latest
• npm pack dry-run: passed
• jsr publish dry-run: passed

If you tag this commit as v11.4.0, release workflow will publish.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/specs/CONTENT_ATTACHMENT.md`:
- Around line 73-76: Add a language tag to the fenced code block that shows the
property example (the block containing node: "adr:0007" and property: "_content"
= "a1b2c3d4e5f6...") to silence markdownlint MD040; update the opening fence to
include a language like text or plaintext (e.g., replace ``` with ```text) so
the example is treated as plain text.
- Around line 95-105: The code sample declares `const sha` twice across the
write and read snippets causing a syntax error; update the sample so the
declarations are in separate blocks or use distinct names (e.g., `const shaWrite
= await cas.writeBlob(buffer);` with `patch.setProperty('adr:0007','_content',
shaWrite); patch.commit();` and `const shaRead = props.get('_content'); const
buffer = await cas.readBlob(shaRead);`) or remove `const` from the second usage;
locate the sample around the `cas.writeBlob`, `patch.setProperty`,
`patch.commit`, `graph.getNodeProps`, and `cas.readBlob` references and apply
the rename/splitting there.

[github-actions]

Release Preflight

• package version: 11.4.0
• prerelease: false
• npm dist-tag on release: latest
• npm pack dry-run: passed
• jsr publish dry-run: passed

If you tag this commit as v11.4.0, release workflow will publish.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/specs/CONTENT_ATTACHMENT.md`:
- Around line 95-105: The code sample mixes the write and read paths in one
fenced block causing a TDZ because buffer is declared later but used by
cas.writeBlob; split the example into two separate fenced javascript blocks (one
for the write sequence using cas.writeBlob, patch.setProperty and patch.commit,
and a second for the read sequence using graph.getNodeProps, reading _content
into contentSha and calling cas.readBlob to assign buffer) so buffer is declared
in the scope where it’s used and the read/write examples no longer share a
single block scope.

[github-actions]

Release Preflight

• package version: 11.4.0
• prerelease: false
• npm dist-tag on release: latest
• npm pack dry-run: passed
• jsr publish dry-run: passed

If you tag this commit as v11.4.0, release workflow will publish.