Alex Newman cf450cec00 fix(build): enforce shipped dependency-closure boundary (plan-10, closes #2783) (#2800)
* plan-10 Phase 1: ship deterministic plugin runtime dependency closure

Approach A — commit & ship plugin/bun.lock so the plugin's runtime
node_modules install is deterministic, fixing the recurring
`Cannot find module 'zod/v3'` (#2730).

- align generated plugin zod range to root (^4.4.3) in build-hooks.js
- new scripts/gen-plugin-lockfile.cjs generates plugin/bun.lock as a
  build artifact after build-hooks.js writes plugin/package.json
- track & ship plugin/bun.lock (.gitignore negation, .npmignore, files allowlist)
- install with `bun install --frozen-lockfile --ignore-scripts` at runtime

Refs #2783, #2730

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* plan-10 Phase 2: fail loud at install time on a broken dependency closure

Strengthen verifyCriticalModules to assert each dependency is actually
importable via require.resolve (not merely a directory), and assert the
worker-required zod subpaths resolve: zod/v3, zod/v4, zod/v4-mini.
A partial/stale install now fails `npx claude-mem install` immediately
instead of surfacing later as a Stop-hook `Cannot find module 'zod/v3'`.

Bin-only packages (e.g. tree-sitter-cli, which has no bare-name entry
point) fall back to resolving <dep>/package.json so a healthy install
isn't falsely rejected.

Adds tests/cli/verify-critical-modules.test.ts covering a missing zod/v3
subpath (throws), a complete zod (passes), and a bin-only dep (passes).

Refs #2783, #2730

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* plan-10 Phase 3: clean-room install + import smoke test (#2730 backstop)

Add scripts/smoke-clean-room.cjs and a `smoke:clean-room` npm script.
Against fresh temp dirs (never the repo's node_modules) it:
- copies plugin/, runs `bun install --frozen-lockfile --ignore-scripts`,
  asserts zod, zod/v3, zod/v4, zod/v4-mini resolve, and boots the bundled
  worker asserting no `Cannot find module` — the direct #2730 regression guard;
- `npm pack`s, installs the tarball into a second temp dir, and load-tests
  the published bin entrypoint, warning loudly on any declared main/exports
  target missing from the tarball (latent #2537 gap).

Exits non-zero naming the missing module on any failure; cleans up all
temp dirs and the tarball in a finally.

Refs #2783, #2730

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* plan-10 Phase 4: gate CI and publish on the clean-room dependency closure

- ci.yml: new `clean-room-deps` job (between build and the docker e2e job)
  runs a frozen-lockfile drift check on the committed plugin lockfile, then
  `npm run build` + `npm run smoke:clean-room`. The drift step catches a
  contributor who changed plugin deps without regenerating plugin/bun.lock.
- npm-publish.yml: add setup-bun and run `npm run smoke:clean-room` between
  build and `npm publish`, so a broken runtime closure cannot be published
  on a tag push (ci.yml does not run on tags). Secrets block untouched.

Refs #2783, #2730

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* plan-10: doc recluster note + Phase 0 execution slice for #2730

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* plans: backlog recluster (2026-06-04) — cross-cluster execution order + plan-13 doc

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* plan-10: gen-plugin-lockfile degrades gracefully when bun is absent

The Windows build CI job has no bun on PATH; regenerating the lockfile there
threw and failed the build. The committed plugin/bun.lock is already the
deterministic closure, so skip regeneration (non-fatal) when bun is missing
and a lockfile exists; fail loud only when neither is available.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 20:27:34 -07:00

71 lines
1.5 KiB
Bash

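#!/usr/bin/env bash
# No -e: `read -d ''` returns non-zero at the end of the heredoc, and
# per-issue failures are counted in the loop below instead of aborting.
set -uo pipefail
# child master plan-label (one row per child)
read -r -d '' ROWS <<'EOF'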
2766 2778 plan-01
2765 2778 plan-01
2722 2778 plan-01
2709 2778 plan-01
2707 2778 plan-01
2721 2778 plan-01
2776 2779 plan-02
2762 2779 plan-02
2757 2779 plan-02
2755 2779 plan-02
2716 2779 plan-02
2715 2779 plan-02
2714 2779 plan-02
2708 2779 plan-02
2706 2779 plan-02
2754 2780 plan-03
2747 2780 plan-03
2740 2780 plan-03
2726 2780 plan-03
2720 2780 plan-03
2703 2780 plan-03
2723 2781 plan-04
2772 2782 plan-09
2769 2782 plan-09
2767 2782 plan-09
2729 2782 plan-09
2705 2782 plan-09
2730 2783 plan-10
2758 2784 plan-11
2749 2784 plan-11
2738 2784 plan-11
2736 2785 plan-12
2711 2785 plan-12
2704 2785 plan-12
2702 2785 plan-12
2690 2785 plan-12
2645 2785 plan-12
2566 2785 plan-12
2522 2785 plan-12
2513 2785 plan-12
2498 2785 plan-12
2467 2785 plan-12
2463 2785 plan-12
2423 2785 plan-12
2418 2785 plan-12
2773 2786 plan-13
2750 2786 plan-13
EOF
ok=0; fail=0
# For each row: comment on the child issue, then close it as "not planned".
while read -r child master plan; do
  # Skip blank lines in the table.
  [ -z "$child" ] && continue
  comment="Consolidating into #${master} (${plan}). The root cause and fix sequencing are tracked there alongside the rest of the cluster — please follow that issue for progress."
  # The close runs only if the comment succeeded; gh output is discarded.
  if gh issue comment "$child" --body "$comment" >/dev/null 2>&1 \
    && gh issue close "$child" --reason "not planned" >/dev/null 2>&1; then
    echo "OK #$child -> #$master ($plan)"
    ok=$((ok+1))
  else
    echo "FAIL #$child -> #$master ($plan)"
    fail=$((fail+1))
  fi
done <<< "$ROWS"
echo ""
# Summary of how many issues were closed and how many failed.
echo "Closed OK: $ok Failed: $fail"