Skip to content

fix(plugin): validate provides.mixins targets against allowlist#2256

Merged
bpamiri merged 1 commit intodevelopfrom
claude/eager-turing-ca9934
Apr 23, 2026
Merged

fix(plugin): validate provides.mixins targets against allowlist#2256
bpamiri merged 1 commit intodevelopfrom
claude/eager-turing-ca9934

Conversation

@bpamiri
Copy link
Copy Markdown
Collaborator

@bpamiri bpamiri commented Apr 23, 2026

Summary

  • Adds $validateMixinTargets() to PackageLoader so packages declaring unknown mixin targets fail to load with a clear error instead of silently producing zero injection. Valid targets come from the existing variables.mixableComponents allowlist plus the special values global and none.
  • Drops the silent-noop "view" target from packages/basecoat/package.json and packages/hotwire/package.json. Controller mixins already surface in views because Wheels views execute in the controller's variables scope, so helper availability is unchanged.
  • Aligns the provides.mixins description in CLAUDE.md with the real allowlist and notes that view is not a valid target.
  • Adds invalidmixin and invalidmixinview test fixtures plus a new Mixin target validation describe block in PackageLoaderSpec.cfc (4 cases).

Closes #2247.

Before → after behavior

Manifest Before After
"mixins": "controler" (typo) package appears loaded, zero mixin injection package recorded in failedPackages with error naming the unknown target
"mixins": "controller,view" controller mixes; view silently ignored package recorded in failedPackages (view not in allowlist)
"mixins": "none" or "global" unchanged unchanged
Valid single/multi target from allowlist unchanged unchanged

Test plan

  • RED: new tests fail against develop (2 of 4 fail because validator does not exist)
  • GREEN: bash tools/test-local.sh → 3300 pass / 0 fail / 0 error (Lucee 7 + SQLite)
  • CI: full compat matrix (Lucee 5/6/7, Adobe 2018/2021/2023/2025, all DBs) green before merge
  • Verify first-party packages basecoat and hotwire still load when copied into vendor/ (manual smoke)

Follow-ups (tracked as separate issues)

  • Extend validation to the per-method mixin metadata override in $collectMixins (same typo-swallowing problem, narrower scope).
  • packages/basecoat/CLAUDE.md and packages/hotwire/CLAUDE.md still claim mixins reach "view scope" directly; inaccurate but runtime-correct. Docs-only cleanup.

🤖 Generated with Claude Code

@bpamiri @claude
fix(plugin): validate provides.mixins targets against allowlist
0f5f0a9 
PackageLoader silently accepted unknown mixin targets: a typo like
"controler" or an unsupported name like "view" produced zero mixin
injection, so the package appeared loaded but its methods never reached
the target. Added $validateMixinTargets() to reject unknown targets up
front with a clear error naming the unknown entry and the full allowlist.
Dropped the silent-noop "view" target from the basecoat and hotwire
manifests (controller mixins already surface in views via variables
scope) and aligned the CLAUDE.md provides.mixins description with the
actual allowlist.

Refs #2247

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added docs enhancement dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 23, 2026
This was referenced Apr 23, 2026
Closed
Closed
@bpamiri bpamiri merged commit 92bb0df into develop Apr 23, 2026
3 checks passed
@bpamiri bpamiri deleted the claude/eager-turing-ca9934 branch April 23, 2026 11:55
@bpamiri bpamiri mentioned this pull request Apr 24, 2026
Merged
3 tasks
bpamiri added a commit that referenced this pull request Apr 24, 2026
@bpamiri
fix(plugin): validate per-method mixin metadata against allowlist (#2284
104fcb3 
)

Extends the #2256 allowlist check to per-method mixin metadata overrides
in $collectMixins. A typo like `function foo() mixin="controler" {}` is
no longer silent — the package is recorded in failedPackages with an
error naming the package, method, unknown target, and the allowlist.

$validateMixinTargets gains an optional methodName context param; the
per-method call happens in a validation pre-pass so a typo on method N
cannot leave methods 1..N-1 half-registered in variables.mixins.

Closes #2257.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file docs enhancement javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

packages: validate provides.mixins targets against allowlist

1 participant

@bpamiri