Fix/publish readiness upstream

[Ntermast]

No description provided.

[coderabbitai]

Summary by CodeRabbit

• Documentation

  • Simplified installation and usage with a single top-level CLI entrypoint and updated examples.
  • Added a Current Architecture section explaining the Rust runtime, npm wrapper, platform packages, and plugin manifest.

• Chores

  • Simplified CI pipeline to a unified build workflow targeting the new Rust-based runtime.
  • Added a preflight publish check and an npm script to verify publishing prerequisites before publishing.

Walkthrough

CircleCI moved from Node-based v2 jobs to a Rust-centric single build job (v2.1); GitHub Actions gained a preflight-publish job that gates npm publishing; README and publishing docs rewritten; a new npm script and a scripts/check-npm-publish-prereqs.js script validate npm publish permissions.

Changes

Cohort / File(s)	Summary
CircleCI & GitHub Actions .circleci/config.yml, .github/workflows/publish-npm-packages.yml	CircleCI upgraded to 2.1 and replaced multiple npm test/deploy jobs with a Rust-focused build job using cimg/rust:1.85-node; caching switched to Cargo/build artifacts. GitHub Actions added preflight-publish job and made publish-platform depend on it.
Documentation README.md	Removed detailed Installation/Usage; added concise single-entrypoint examples, "Current Architecture" describing Rust runtime + npm wrapper and plugin manifest, and rewritten npm publishing guidance pointing to GitHub Actions and prerequisite checks.
Publish checks & package metadata package.json, scripts/check-npm-publish-prereqs.js	Added check:publish-prereqs npm script and new executable script that runs npm whoami, parses npm access list packages @ever-co --json, enumerates npm/cli-* package names, and fails if any platform packages lack read-write access.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 I hopped through CI and build so bright,

Checked tokens, scopes, and cargo's might,
A tiny script gave publish cheer,
Workflows tidy, plugins near —
Hooray for builds that land just right! 🥕

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	No pull request description was provided by the author, making it impossible to assess whether the description relates to the changeset.	Add a description explaining the purpose of the publish readiness checks, the prerequisite validation logic, and how the new CI workflow ensures npm publishing safety.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Fix/publish readiness upstream' directly relates to the main changes: adding npm publish prerequisite checks and updating CI/CD workflows to validate publishing readiness before platform package deployment.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR introduces a preflight-publish CI gate (scripts/check-npm-publish-prereqs.js) that verifies npm authentication and scope write-access before any platform packages are published, and gates all publish jobs on its success. It also migrates the CircleCI config from a TypeScript test+deploy workflow to a Rust-oriented build/syntax-check job, with publishing fully delegated to GitHub Actions.

• P1 — loadPlatformPackages() has no explicit return after calling fail(), so if process.exit is ever intercepted the caller receives undefined and platformPackages.filter(...) throws a TypeError.
• P2 — const scope should be let scope per project convention, and a format script covering all asset types (.js, .jsx, .json, .css, .md) is missing from package.json.

Confidence Score: 4/5

Safe to merge after addressing the undefined-return path in loadPlatformPackages.

One P1 finding remains: the implicit undefined return from loadPlatformPackages() after fail() could cause a TypeError in non-standard environments. The rest of the changes are well-structured and the workflow gate logic is sound. P2 style findings do not block merge.

scripts/check-npm-publish-prereqs.js — defensive return after fail() call in catch block

Vulnerabilities

No security concerns identified. NODE_AUTH_TOKEN is passed only via env: to the step that needs it and is never logged. The preflight script uses execFileSync (not exec/shell interpolation), avoiding shell-injection risks. The npm token secret is not exposed to the loadPlatformPackages filesystem scan.

Important Files Changed

Filename	Overview
scripts/check-npm-publish-prereqs.js	New preflight script that verifies npm auth and scope access before publishing; has a potential undefined-return path if process.exit is intercepted and uses const where let is preferred by convention.
.github/workflows/publish-npm-packages.yml	Adds a preflight-publish job that gates all publish jobs on npm auth/scope verification; dependency chain looks correct.
package.json	Adds check:publish-prereqs script entry; missing a format script covering all asset types per project convention.
.circleci/config.yml	Replaces the old TypeScript test+deploy workflow with a Rust-oriented build/syntax-check job; deploy responsibility now lives entirely in GitHub Actions.
README.md	Updated to reflect Rust-based architecture, revised examples, and trimmed stale badges and legacy sections.

Sequence Diagram

sequenceDiagram
    participant WD as workflow_dispatch
    participant PF as preflight-publish job
    participant NPM as npm registry
    participant PP as publish-platform jobs (7x)
    participant PM as publish-main job

    WD->>PF: trigger
    PF->>NPM: npm whoami (NODE_AUTH_TOKEN)
    NPM-->>PF: username
    PF->>NPM: npm access list packages @ever-co --json
    NPM-->>PF: pkg read-write or read-only map
    PF->>PF: loadPlatformPackages() scan npm/cli-*/package.json
    PF->>PF: fail if any pkg is read-only
    PF-->>PP: needs: preflight-publish (gate)
    PP->>PP: cargo build --release --target matrix.target
    PP->>PP: prepare-platform-package.js
    PP->>NPM: npm publish dist/artifact --access public
    PP-->>PM: needs: publish-platform (gate)
    PM->>NPM: npm publish --access public (ever-cli root)

Loading

Comments Outside Diff (1)

1. package.json, line 14-23 (link)

   Missing format script for consistent asset formatting

   Per project convention, the scripts section should include a format script that covers .js, .jsx, .json, .css, and .md files for consistent formatting across all asset types. Example:

   "format": "prettier --write \"**/*.{js,jsx,json,css,md}\""

   Rule Used: Expand the format script in package.json to includ... (source)

   Learnt From
   ever-co/ever-teams#3858

   Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

_{Reviews (1): Last reviewed commit: "fix(release): use documented npm access ..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/check-npm-publish-prereqs.js`:
- Around line 28-48: The current discovery in loadPlatformPackages is ad-hoc and
diverges from sync-package-versions.js; extract the directory-discovery logic
into a shared helper (e.g., discoverPlatformPackageDirs(repoRoot) in
scripts/lib/platform-packages.js) that returns a sorted list of npm/cli-*
package directory paths (or names), then update loadPlatformPackages to call
discoverPlatformPackageDirs and map those dirs to package.json -> package names,
and update sync-package-versions.js to use discoverPlatformPackageDirs instead
of its hardcoded list so both scripts share the same discovery source.
- Around line 74-87: The validation currently filters platformPackages into
writablePackages and readOnlyPackages using accessiblePackages but misses
packages that aren't present in accessiblePackages (i.e., unpublished/not
visible); update the logic around writablePackages/readOnlyPackages to also
compute a missingPackages list by selecting pkg where
!Object.hasOwn(accessiblePackages, pkg), and if missingPackages.length > 0 call
fail with a clear message (similar to the existing fail for read-only) listing
missingPackages.join(', ') so the PR check reports packages not yet published
and avoids surprising publish-time failures; reference the existing symbols
writablePackages, readOnlyPackages, accessiblePackages, platformPackages and the
fail() call when implementing this change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7ab305bb-2f6e-4e2d-b64a-4100b9ffd742

📥 Commits

Reviewing files that changed from the base of the PR and between 1b90840 and d3061ad.

📒 Files selected for processing (5)

• .circleci/config.yml
• .github/workflows/publish-npm-packages.yml
• README.md
• package.json
• scripts/check-npm-publish-prereqs.js

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

scripts/check-npm-publish-prereqs.js (2)

28-44: 🛠️ Refactor suggestion | 🟠 Major

Unify package discovery with the version-sync script to avoid drift.

loadPlatformPackages() implements local npm/cli-* discovery here. This should come from a shared helper used by both publish preflight and version-sync flows.

#!/bin/bash
set -euo pipefail

echo "Locating sync-package-versions script..."
files="$(fd -i 'sync-package-versions.js$' -t f || true)"
if [ -z "${files}" ]; then
  echo "sync-package-versions.js not found"
  exit 0
fi

echo "${files}"
echo
echo "Checking for hardcoded platform package discovery patterns:"
echo "${files}" | xargs -I{} rg -n -C3 "cli-|npm/|readdirSync|package.json" "{}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/check-npm-publish-prereqs.js` around lines 28 - 44,
loadPlatformPackages currently performs an independent local discovery of
npm/cli-* packages (using repoRoot, npmDir and readdirSync) which duplicates the
logic in the version-sync flow; replace this inline discovery by importing and
invoking the shared helper used by sync-package-versions (the version-sync
script or its exported function) so both flows use the same implementation,
remove the readdirSync/JSON parsing block from loadPlatformPackages, and update
any exports/require paths so loadPlatformPackages delegates to that shared
helper (preserve the function name loadPlatformPackages as the caller-facing
API).

---

95-101: ⚠️ Potential issue | 🟠 Major

Fail preflight when platform packages are not visible in scope.

Lines 95–100 only log unseen packages. This allows CI preflight to pass while publish can still fail later on create-permission checks.

Proposed fix

-if (unpublishedPackages.length > 0) {
-  console.log(
-    `Packages not yet visible in the scope: ${unpublishedPackages.join(
-      ', ',
-    )}. This can be valid for a first publish, but publish will still require organization-level permission to create packages under the scope.`,
-  );
-} else if (writablePackages.length === 0) {
+if (unpublishedPackages.length > 0) {
+  fail(
+    `Packages not yet visible in the scope: ${unpublishedPackages.join(
+      ', ',
+    )}. Preflight cannot verify create permission for these packages.`,
+  );
+} else if (writablePackages.length === 0) {
   console.log('No writable platform packages are currently visible in the scope.');
 }

Is there an npm CLI command that reliably verifies org-level create permission for unpublished scoped packages before first publish?

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/check-npm-publish-prereqs.js`:
- Around line 63-81: The code assumes npm JSON output yields an object and
assigns accessiblePackages directly from JSON.parse(output); add a defensive
type/shape guard after parsing to ensure accessiblePackages is a plain object
mapping package names to access levels before using it in
writablePackages/readOnlyPackages/unpublishedPackages. Specifically, after the
run('npm', ...) and JSON.parse(output) call (where accessiblePackages is set),
validate that typeof accessiblePackages === 'object' && accessiblePackages !==
null && !Array.isArray(accessiblePackages); if the check fails, set
accessiblePackages = {} and call fail(...) or log a clear error (similar to the
existing fail used in the catch) so subsequent filters (writablePackages,
readOnlyPackages, unpublishedPackages) that rely on
Object.hasOwn(accessiblePackages, ...) are safe; keep the rest of the flow
(loadPlatformPackages(), filters) unchanged.

---

Duplicate comments:
In `@scripts/check-npm-publish-prereqs.js`:
- Around line 28-44: loadPlatformPackages currently performs an independent
local discovery of npm/cli-* packages (using repoRoot, npmDir and readdirSync)
which duplicates the logic in the version-sync flow; replace this inline
discovery by importing and invoking the shared helper used by
sync-package-versions (the version-sync script or its exported function) so both
flows use the same implementation, remove the readdirSync/JSON parsing block
from loadPlatformPackages, and update any exports/require paths so
loadPlatformPackages delegates to that shared helper (preserve the function name
loadPlatformPackages as the caller-facing API).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 357f5e2d-6f0d-45fb-857c-a30612297ca5

📥 Commits

Reviewing files that changed from the base of the PR and between d3061ad and 3d0d969.

📒 Files selected for processing (1)

• scripts/check-npm-publish-prereqs.js