chore(lint): adopt oxlint 1.67 canonical rule additions (selective, library posture)

[Goosterhof]

Summary

Selective adoption of the war-room canonical template's oxlint 1.55→1.67 rule additions (template commit 321da5f), respecting fs-packages' deliberate library Correctness-only posture (per CLAUDE.md §Lint Rules: "library posture is Correctness-only, opt-in per-rule for anything else").

This is not a wholesale port — Vue/jsx-a11y/type-aware bulk rules are deliberately out of scope and the skip rationale is documented inline in .oxlintrc.json.

Stacked on #98 (Supply Corps sweep — carries the oxlint 1.67 binary the new rules depend on). PR base remains main per war-room §Stacked PRs Against Pending Ally Review; the diff narrows from "Supply Corps sweep + selective rule adoption" to "selective rule adoption + 5-line script fix" once #98 merges. Once #98 merges this PR rebases onto fresh main; force-push pre-Ready is fine.

Rules adopted (7)

Rule	Severity	Rationale
no-implied-eval	error	Core ESLint security — fires on setTimeout("...") / setInterval("...") / new Function("...") callsites. No posture friction.
prefer-regex-literals	error	Core ESLint correctness — new RegExp("foo") → /foo/.
getter-return	error	Graduated from nursery → correctness (1.61). Catches getters with missing return.
typescript/no-unnecessary-type-conversion	error	Library code benefits from minimal String(x)/Number(x)/Boolean(x) noise on already-typed values.
typescript/no-unnecessary-type-parameters	warn	Type parameter used only once. API-surface smell.
unicorn/no-useless-iterator-to-array	warn	Pure performance — flags [...someArray] when result is iterated again.
unicorn/import-style	warn	Pushes the canonical import shape per node builtin (e.g. import path from 'node:path', not import {join}). Complements prefer-node-protocol.

Deliberately NOT adopted (documented inline in .oxlintrc.json)

Skipped	Why
vue/*	No SFCs in fs-packages source; published Vue-aware packages expose factories/composables only.
jsx-a11y/*	No JSX in this monorepo.
typescript/no-unsafe-* family	Library API surface intentionally exposes unknown/any at adapter boundaries (fs-adapter-store generic constraints).
unicorn/prefer-import-meta-properties	Dual ESM+CJS build target via tsdown — import.meta in CJS bundles cascades to build errors.
no-useless-assignment	Library code intentionally pre-declares values for type inference.
vitest/valid-expect-in-promise, vitest/prefer-strict-boolean-matchers	Test gates already enforce strict matcher discipline via Stryker mutation testing at 90% threshold.
Vue 2→3 deprecation guards, Composition-API safety, Options-API correctness	No Options API or template-API features used.
complexity, max-params, max-depth, max-nested-callbacks, max-lines-per-function	Stryker mutation + 100% per-package coverage gates govern complexity at the test-discipline layer.

Sweep collateral (in-scope, ≤3 line fix per order §C)

scripts/lint-pkg.mjs line 25 — unicorn/import-style fires on import {join} from 'node:path' with diagnostic "Use default import for module node:path". Rule is bidirectional per-builtin (some builtins want named, some want default); for node:path it wants default. Switched to import path from 'node:path' with path.join(...) at the 4 call sites in this file. Behaviour unchanged. 5-line diff.

Note: the order's §A rationale for unicorn/import-style describes the rule as "pushes named imports for node builtins" — directionally wrong for node:path. Fix matches what the rule actually fires on. Flagged for canonical template maintainer in the execution report.

Verification (8-gate matrix, run locally)

Gate	Status
1. npm audit (--high)	PASS — 2 moderate transitive (qs/typed-rest-client) below --audit-level=high; pre-existing baseline carried from Supply Corps sweep
2. npm run format:check	PASS — 145 files, no diffs
3. npm run lint	PASS — zero output; --deny-warnings also exits 0
4. npm run build	PASS — all 11 packages built clean
5. npm run typecheck	PASS — all 11 packages clean
6. npm run lint:pkg	FAIL — PRE-EXISTING BASELINE (22 fails: sideEffects advisory × 11 [queue #70] + attw 0.18.2 "Cannot read properties of undefined (reading 'filename')" × 11 [PR #98 commentary]). Reproduced identically on parent branch — not introduced here.
7. npm test	PASS — 528/528 tests across 22 test files
8. npm run test:coverage	PASS — per-package 100% thresholds enforced and met

Mutation testing not run — config-only change does not move the mutation surface; per-package Stryker config unchanged. 7/8 gates green; Gate 6 carries the documented pre-existing baseline that PRs #87, #88 and the 2026-05-15 wave already flagged.

Residual baseline carried forward (NOT introduced)

• lint:pkg Gate 6 — 22 fails identical to parent branch chore/supply-corps-sweep-2026-05-26. Tracked: enforcement queue fs-dialog: forward host <dialog> ARIA attributes via dialog.open() options (#67) #70 (sideEffects manifest compliance — but note PR chore: declare sideEffects: false across all 11 packages — closes queue #70 #88 already adopted "sideEffects": false, the suggestion fires because the wrapper packs from source-tree, not from dist/ — separate concern) + attw 0.18.2 known regression (PR chore: Supply Corps sweep — npm refresh + audit fix (3 advisories cleared) #98 commentary).
• npm audit — 2 moderate (qs, typed-rest-client) below --audit-level=high. Carried from Supply Corps sweep PR chore: Supply Corps sweep — npm refresh + audit fix (3 advisories cleared) #98 npm audit fix run.

Commit shape

Single commit: chore(lint): adopt oxlint 1.67 canonical rule additions selectively.
2 files changed, 26 insertions, 6 deletions.

Execution report

reports/fs-packages/execution/2026-05-26-armorer-oxlint-1.67-adoption.md in the war-room repo. Includes per-skip rationale, full 8-gate matrix, and Notes-for-the-General on the rule-direction wording issue.

Test plan

• npm run lint (oxlint w/ new rules) exits 0
• npm run lint -- --deny-warnings also exits 0
• npm run build clean
• npm run typecheck clean
• npm test 528/528
• npm run test:coverage clean
• npm run format:check clean
• lint:pkg failure matches parent branch (confirmed pre-existing, not introduced)

🤖 Generated with Claude Code

[cloudflare-workers-and-pages]

Deploying fs-packages with    Cloudflare Pages

Latest commit:	667969d
Status:	✅  Deploy successful!
Preview URL:	https://a338defc.fs-packages.pages.dev
Branch Preview URL:	https://chore-oxlint-1-67-canonical.fs-packages.pages.dev

View logs

[jasperboerhof]

PR Reviewer · 9/10 · PASS

• PR: chore(lint): adopt oxlint 1.67 canonical rule additions (selective, library posture) #99 · fs-packages
• AC anchor: none
• Reviewers run: Acceptance, Simplicity, Surface, Silent failures skipped — no triggers, Efficiency skipped — no triggers
• Acceptance: SKIP
• Simplicity: PASS · 9/10
• Surface: PASS · 9/10

Findings

• MINOR · .oxlintrc.json:24 — no-useless-assignment is named in two separate skip-rationale comments (line 21 and line 24) with mildly inconsistent justifications — line 21 says "intentionally pre-declares values for type inference", line 24 bundles it with complexity/max-* limits saying "Stryker + coverage gates govern complexity". Drop the duplicate mention on line 24 (keep it grouped with the complexity/max-* limits, or keep line 21 — but not both) so the skip-list reads cleanly.

Action

merge-ready