Modernize toolchain: pnpm 11, TypeScript 6, oxlint type-checking, dependency & security cleanup #117
venables wants to merge 28 commits into
- Bump oxlint 1.50→1.71, oxfmt 0.35→0.56, oxlint-tsgolint 0.14→0.23, knip 6.17→6.18, tsdown 0.15→0.22
- Enable type-aware linting in .oxlintrc.json (typeAware + typeCheck)
- Upgrade pnpm 10.20→11.8 and migrate workspace settings:
  - move save-exact from .npmrc to saveExact in pnpm-workspace.yaml
  - replace onlyBuiltDependencies/ignoredBuiltDependencies with allowBuilds
  - add blockExoticSubdeps, injectWorkspacePackages, enableGlobalVirtualStore, minimumReleaseAge
- Swap standard-parse → standard-matchers (test matchers import path)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
tsdown 0.22 defaults fixedExtension to true (platform === 'node'), emitting .mjs/.d.mts. The packages' exports maps point at ./dist/index.d.ts and .js, so tsc --noEmit could not resolve workspace types (TS2307), breaking check:types for every dependent. Setting fixedExtension: false restores .js/.d.ts to match the existing exports maps.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Both settings replace live workspace symlinks with hard-copied snapshots taken at install time (injectWorkspacePackages is meant for pnpm deploy bundling, not dev). Consumers then resolved a dist-less snapshot in the global store instead of freshly built source, breaking the build->consume cycle (TS2307 in demos). Removing them restores symlinks to packages/* and lets check:types pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The oxlint 1.71 bump promoted four vitest rules to errors across test files. Downgrade them to warn in a dedicated, commented overrides block so CI passes now; remove the block once the tests are cleaned up.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Move shared TypeScript config into the root tsconfig.json and have every sub-project extend it via a relative path, removing the @repo/typescript-config workspace package and the indirection of inheriting through a tools/ package.
- root tsconfig.json holds the shared options (base + noEmit, used by all)
- every sub-project extends ../../tsconfig.json; examples/* add allowJs/jsx
- drop @repo/typescript-config from every package.json and delete tools/typescript-config
- update AGENTS.md
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
typeAware/typeCheck are configured in .oxlintrc.json, so the CLI flag on the lint script is redundant.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Type the signed-payload helpers by the schema type itself (S extends GenericSchema) and derive the body via v.InferOutput<S>, instead of GenericSchema<unknown, T>. TypeScript 6's stricter inference could not recover T from the latter, leaving payload.body typed as unknown.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
oxlint's type-aware mode performs full TypeScript type checking (TS compiler
diagnostics) via oxlint-tsgolint, so the separate tsc pass is redundant.
- fix .oxlintrc.json: move typeAware/typeCheck from `settings` (plugin config,
silently ignored) to `options`, where they actually take effect. Without this
the flags were inert and `pnpm run lint` did no type-aware work at all.
- remove `check:types` ("tsc --noEmit") from every package.json and the root
`turbo check:types` script
- drop the `check:types` turbo task and its entry in `check`'s dependsOn; type
checking now runs inside `//#lint` (needs dist, so `check` builds first)
- document the no-tsc setup in AGENTS.md; also correct the stale .npmrc note
Verified: a deliberate type error now fails `pnpm run check` via oxlint (TS2322).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Clean up the 193 warnings surfaced once type-aware linting + type checking were correctly enabled. No rules were globally weakened.
Code fixes by rule:
- typescript/no-unsafe-type-assertion (74): removed `as` casts in favor of precise types, type guards, or valibot `v.parse(...)` runtime validation; test fixtures rebuilt as properly-typed values / `satisfies`
- vitest/require-mock-type-parameters (31): typed `vi.fn<...>()` to the real signatures
- vitest/no-conditional-expect (20): restructured tests to assert unconditionally (`.rejects.toThrow`, guard-then-assert)
- eslint/no-shadow (16): renamed shadowing locals/imports
- vitest/require-to-throw-message (12): added matchers to `.toThrow(...)`
- eslint/no-await-in-loop (11): `Promise.all` where independent; kept genuinely sequential interactive/polling loops with a scoped disable + reason
- eslint/no-underscore-dangle (8): `DidResolver` cache fields are now true private `#cache`/`#useCache` (collision-proof vs the base Resolver)
- typescript/restrict-template-expressions (5): explicit `String(...)`
- eslint/no-unused-vars (4): `_`-prefixed type-predicate params
- unicorn/consistent-function-scoping (2): hoisted pure inner functions
- vitest/valid-title (1): dropped duplicate title prefix
Config:
- disable import/no-unassigned-import for `*.d.ts` + `vitest.setup.ts` (their side-effect imports cannot be assigned)
- remove the temporary vitest-rule downgrade block; those rules are back at their default (error) level with zero violations
jwtStringSchema now validates via isJwtString (identical regex, single source of truth).
Full build + type check + tests + format pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
These were thin aliases for their replacements and had no internal callers. Removed while consolidating the larger tooling/type changes. Added a changeset (minor bump per the project's 0.x convention) documenting the migrations.
keys:
- bytesToJwk → publicKeyBytesToJwk
- jwkToBytes → publicKeyJwkToBytes
- getCompressedPublicKey → getPublicKeyFromPrivateKey
did:
- DidPkhChainId → Caip2ChainId
- isDidPkhChainId → isCaip2ChainId
- createBlockchainAccountId → createCaip10AccountId (arg order differs)
- didPkhChainIdSchema (valibot + zod v3/v4) → caip2ChainIdSchema
ack-pay:
- createPaymentRequestBody → createSignedPaymentRequest
Also drops the now-orphaned isCaip2ChainId / caip2ChainIdSchema imports left behind by the removed aliases. knip is clean; full check passes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add pnpm overrides forcing patched versions of vulnerable transitive dependencies, scoped by major where multiple lines coexist. Brings pnpm audit from 92 to 46 advisories.
Fixed via overrides: body-parser (1.x + 2.x), path-to-regexp, qs, picomatch (2.x + 4.x), js-yaml (3.x), uuid, ws, rollup, vite, postcss, esbuild, jsondiffpatch.
Not fixed (no safe option):
- js-yaml >=4.1.2 — advisory's patched version is unpublished
- ai / @ai-sdk/provider-utils — demo-only (demos/identity), low severity, fix only in a newer major of @ai-sdk/anthropic
- remaining advisories are mintlify docs-tooling, dev-only and never shipped; overriding them risks breaking the docs site
None of the affected deps ship in published package runtime (they reach the packages only via devDependencies / peerDependencies). Full build + check pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…ings)
The mintlify upgrade pulls in patched versions of its deep dependency tree, clearing the bulk of the docs-tooling advisories. Combined with the transitive overrides, pnpm audit is now down from 92 to 3.
- bump mintlify to 4.2.637
- add tar@7 override (>=7.5.16) for a mintlify transitive
- set keytar build to false (deny native build for the new optional mintlify credential-store dep; docs preview does not require it)
Remaining 3 advisories have no safe fix:
- ai (low) / @ai-sdk/provider-utils (low) — demo-only (demos/identity); fixes require major bumps of @ai-sdk/valibot and @ai-sdk/anthropic
- js-yaml (moderate) — advisory's patched version (>=4.1.2) is unpublished
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Migrate demos/identity from AI SDK v4 to v6 (ai 4.3.16 -> 6.0.209, providers
to their current majors). Clears the last two demo-only audit advisories
(ai, @ai-sdk/provider-utils); pnpm audit is now down to a single unfixable
moderate (js-yaml >=4.1.2, unpublished).
Dependency bumps:
- ai 4.3.16 -> 6.0.209
- @ai-sdk/anthropic 1.2.11 -> 3.0.85 (3.0.86 is younger than minimumReleaseAge)
- @ai-sdk/openai 1.3.22 -> 3.0.74
- @ai-sdk/valibot 0.1.28 -> 2.0.31
API migrations (per the v5/v6 migration guides):
- CoreMessage -> ModelMessage
- generateText maxSteps: 10 -> stopWhen: stepCountIs(10)
- tool({ parameters }) -> tool({ inputSchema })
Type-aware lint and full check pass. Runtime not exercised (requires a provider
API key).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Take the js-yaml advisory (<=4.1.1) off the changesets path:
- override js-yaml@4 to ^4.2.0 (the published fix; the advisory's >=4.1.2 was unpublished earlier but 4.2.0 satisfies it)
- override read-yaml-file@1 -> ^2.1.0 so @manypkg/get-packages pulls js-yaml 4.x instead of the 3.x line (read-yaml-file@1.1.0 used the removed safeLoad; 2.1.0 is the latest CommonJS line and uses js-yaml 4). Verified `changeset status` still works.
- drop the now-unnecessary js-yaml@3 override (only front-matter still needs 3.x, and it resolves to the latest 3.14.2 on its own)
The lone remaining audit advisory is js-yaml 3.x via mintlify's front-matter (docs-only, never shipped): front-matter's latest (4.0.2) still pins js-yaml ^3.13.1 and calls the removed safeLoad, so it cannot move to 4.x without breaking the docs preview.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Note: Reviews paused
It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review.
Walkthrough
The PR updates workspace tooling, removes deprecated aliases, and migrates demos, examples, and utilities to root TypeScript config inheritance, runtime validation, and updated agent and middleware contracts.
Changes
- Workspace and build policy
- Shared package API cleanup
- Utility validation helpers
- Demo and example migrations
Estimated code review effort: 🎯 5 (Critical) | ⏱️ ~120 minutes
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
Actionable comments posted: 10
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
demos/payments/src/index.ts (1)
439-446: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win
Check the receipt-service status before parsing the body.
Lines 446 and 599 parse whatever came back. If the service returns a 4xx/5xx or non-JSON error body, the demo throws a Valibot error and hides the actual receipt-service failure. Guard on `response.ok` first so the surfaced error still includes the upstream status.
Also applies to: 594-599
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@demos/payments/src/index.ts` around lines 439 - 446, The receipt-service response is being parsed without checking whether the HTTP request succeeded, which can hide upstream failures behind a Valibot parse error. Update the receipt handling in the affected fetch/parse paths around the receipt service call and the receipt parsing logic to first check response.ok, and if it is false, surface an error that includes the upstream status before calling v.parse on the JSON body. Keep the existing receiptResponseSchema parsing for successful responses only.
🧹 Nitpick comments (4)
examples/issuer/src/routes/receipts.ts (1)
36-36: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Register `issuerMiddleware()` only once for this route.
Line 36 already applies `issuerMiddleware()` to every route, so keeping it again on Line 91 makes `POST /credentials/receipts` execute the same middleware twice on each request.
Suggested change
app.post( "/", signedPayloadValidator("json", bodySchema), - issuerMiddleware(), async (c): Promise<ApiResponse<CredentialResponse>> => {
Also applies to: 91-91
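Review bot: with `issuerMiddleware()` removed from the `app.post("/", ...)` handler chain, this route depends entirely on the router-wide `app.use("*", issuerMiddleware())` registration staying in place and staying ahead of the route. The suggestion should come with a route test that fails if that registration is removed or moved, so the de-duplication cannot later turn into the middleware not running at all.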
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@examples/issuer/src/routes/receipts.ts` at line 36, The receipts route is registering issuerMiddleware() twice, which causes POST /credentials/receipts to run the same middleware more than once. Update the routing in receipts.ts so issuerMiddleware() is applied only once for this router, keeping the single shared registration around the app.use("*", issuerMiddleware()) setup and removing the duplicate per-route usage near POST /credentials/receipts.
packages/vc/src/verification/is-expired.test.ts (1)
41-50: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Rename the new `handles…` cases to assertive names.
Please switch these two titles to `returns…`/`throws…` phrasing so they match the repo's Vitest naming convention.
Suggested rename
- it("handles expiration date exactly at current time", () => { + it("returns false when expiration date equals the current time", () => { @@ - it("handles invalid date strings gracefully", () => { + it("returns false for invalid date strings", () => {
As per coding guidelines, `**/*.test.ts`: Vitest tests should use assertive names like `it("creates…")`, `it("throws…")`, `it("requires…")`, or `it("returns…")`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/vc/src/verification/is-expired.test.ts` around lines 41 - 50, The new Vitest cases in isExpired.test.ts use “handles…” titles, which do not match the repo’s assertive naming convention. Rename the two affected it(...) descriptions in the isExpired test block to use assertive phrasing such as “returns…” for the expiration-at-current-time case and “throws…” for the invalid-date-string case, keeping the test behavior unchanged.
Source: Coding guidelines
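Review bot: the second rename in the suggested diff, `it("returns false for invalid date strings", ...)`, does not match the accompanying prompt, which asks for "throws…" phrasing for the invalid-date-string case. The two describe different behaviour, so take the title from what the test body actually asserts (not shown in this hunk) and make the diff and the prompt agree.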
packages/keys/src/encoding/multibase.ts (1)
16-21: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Prevent `multibaseEncodings` from drifting from `MULTIBASE_PREFIX`.
`getMultibaseEncoding()` now depends on a manually maintained list. If a new key is added to `MULTIBASE_PREFIX` but not this tuple, detection silently breaks for that encoding. Consider deriving this list from the prefix map (or adding a compile-time exhaustiveness assertion).
Also applies to: 103-105
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/keys/src/encoding/multibase.ts` around lines 16 - 21, The manual multibaseEncodings tuple has drift risk relative to MULTIBASE_PREFIX, so detection in getMultibaseEncoding can silently miss newly added encodings. Update the logic in multibase.ts to derive multibaseEncodings from MULTIBASE_PREFIX or add a compile-time exhaustiveness check tied to MULTIBASE_PREFIX so the tuple cannot get out of sync. Make sure the fix is applied wherever the same list is duplicated, including the other referenced occurrence, and keep getMultibaseEncoding using the authoritative source.
packages/did/src/did-resolvers/web-did-resolver.test.ts (1)
7-13: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Keep `mockFetch` typed as `FetchLike`.
`MockFetch` widens the contract to `Promise<unknown>`, so this file can still stub values that `getResolver` would never accept at runtime. Reusing `FetchLike` here preserves the stricter fetch shape the rest of this change is adding.
Suggested diff
-import type { FetchLike } from "../types" +import type { FetchLike } from "../types" import { getResolver } from "./web-did-resolver" -type MockFetch = ( - input: string | URL | Request, - init?: RequestInit, -) => Promise<unknown> - describe("web-did-resolver", () => { - const mockFetch = vi.fn<MockFetch>() + const mockFetch = vi.fn<FetchLike>()
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/did/src/did-resolvers/web-did-resolver.test.ts` around lines 7 - 13, The test helper type for the web DID resolver is too loose because MockFetch returns Promise<unknown>, which weakens the fetch contract. Update the mock declaration in web-did-resolver.test.ts to use FetchLike instead of MockFetch so mockFetch matches the stricter shape expected by getResolver and cannot stub invalid runtime values.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@demos/payments/src/index.ts`:
- Around line 75-78: Update the receipt response validation so the receipt field
is validated with jwtStringSchema instead of v.string(), ensuring the credential
is checked as a JWT before it is used as a Bearer token. Make the same schema
change in both receiptResponseSchema definitions, in index and the duplicate in
payment-service, so the runtime contract stays consistent across call sites.
- Around line 466-468: The Solana secret key parsing in the `keyBytes` construction
path currently accepts non-byte numbers because `v.array(v.number())` is too
permissive and `Uint8Array` will coerce invalid values. Tighten the validation
in the `JSON.parse(clientSolKeys.secretKeyJson)` flow by using a schema in the
same `keyBytes` assignment that requires integers within the byte range before
constructing the `Uint8Array`, so invalid floats or out-of-range values are
rejected up front.
In `@demos/payments/src/receipt-service.ts`:
- Around line 288-297: The Solana token-balance parser in tokenBalanceSchema is
too strict because owner is required, but preTokenBalances and postTokenBalances
can omit it and valid transactions fail before recipient lookup. Update
tokenBalanceSchema in receipt-service to make owner optional while leaving the
recipient filtering logic at the use site in receipt creation/lookup so parsing
accepts all valid balances.
In `@package.json`:
- Around line 57-61: The pnpm engine constraint is too loose and can allow
versions that do not support the workspace settings used by this repo. Update
the package manifest’s engines.pnpm entry to require at least 10.26.0 so it
aligns with the packageManager pin and supports allowBuilds/blockExoticSubdeps,
or remove the pnpm engine entry entirely if packageManager should be the only
version gate.
In `@packages/caip/src/schemas/schemas.test.ts`:
- Around line 24-197: Several Vitest cases in schemas.test.ts use non-assertive
titles like “validates”, “rejects”, and “has correct type inference”; rename
each `it(...)` description to an assertive form that matches the test outcome.
Update the CAIP-2, CAIP-10, CAIP-19, and Type Inference cases in the `schemas`
test suite so they use required prefixes such as `creates`, `throws`,
`requires`, or `returns`, keeping the wording aligned with the actual assertion
in each block.
In `@packages/keys/src/encoding/multibase.test.ts`:
- Around line 27-29: The test case titles in multibase.test.ts use non-assertive
verbs like encodes, detects, validates, and roundtrips, which violates the
repo’s test naming rule for *.test.ts. Update the affected it.each descriptions
to use assertive verbs such as creates, throws, requires, or returns, and apply
the same naming style consistently across the affected test blocks identified
around the existing it.each calls in this spec.
In `@packages/keys/src/public-key.test.ts`:
- Line 33: Rename the new Vitest test cases in public-key.test.ts to use
assertive guideline-approved verbs instead of “encodes...”; update the affected
test titles in the public key test suite (including the one starting with
test("encodes public key to hex"... and the other matching cases) to names like
“returns...”, “throws...”, or “requires...” as appropriate, while keeping the
test behavior and assertions unchanged.
In `@packages/vc/src/verification/is-revoked.test.ts`:
- Around line 31-35: The helper getStatusListCredential currently treats
revokedIndex as a truthy check, so index 0 is skipped and the first status-list
entry is never marked revoked. Update the conditional in getStatusListCredential
to explicitly accept 0 as a valid value while still ignoring only
undefined/null, so tests can exercise the boundary case for the first bit.
In `@packages/vc/src/verification/parse-jwt-credential.ts`:
- Around line 23-45: The `isDecodedCredential` guard in
`parse-jwt-credential.ts` is only checking a subset of the `W3CCredential`
shape, so it can wrongly accept incomplete credentials; update this predicate to
validate the full contract before `parseJwtCredential()` returns. Use the
existing `isDecodedCredential`/`hasStringId` checks as the place to add required
fields like `@context`, `issuanceDate`, and any other mandatory W3C credential
properties, ensuring the returned value is truly a `Verifiable<W3CCredential>`.
In `@turbo.json`:
- Around line 16-17: The turbo check pipeline is missing a dependency on build,
so `//#lint` can run before `dist/` exists on a clean tree. Update the `check`
task in `turbo.json` to include `^build` alongside the existing `dependsOn`
entries, so both direct and filtered `turbo check` runs wait for upstream builds
before `//#lint` and `test` execute.
⛔ Files ignored due to path filters (1)
`pnpm-lock.yaml` is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (131)
💤 Files with no reviewable changes (26)
- packages/did/src/schemas/zod/v3.ts
- packages/did/src/schemas/zod/v4.ts
- packages/did/src/schemas/valibot.ts
- tools/typescript-config/README.md
- .npmrc
- tools/typescript-config/typescript-library.json
- packages/agentcommercekit/package.json
- demos/skyfire-kya/package.json
- demos/e2e/package.json
- packages/vc/package.json
- examples/verifier/package.json
- tools/typescript-config/package.json
- tools/typescript-config/base-app.json
- examples/issuer/package.json
- packages/keys/src/public-key.ts
- packages/jwt/package.json
- examples/local-did-host/package.json
- demos/identity-a2a/package.json
- packages/ack-pay/package.json
- packages/keys/package.json
- demos/payments/package.json
- packages/ack-id/package.json
- tools/cli-tools/package.json
- tools/typescript-config/base.json
- tools/api-utils/package.json
- packages/ack-pay/src/create-signed-payment-request.ts
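The byte-range point raised in the review above for the `keyBytes` path (a `v.array(v.number())` schema feeding `Uint8Array`), as an added TypeScript example that is not code from this PR or the project. `permissiveKeyBytes`, `parseSecretKeyBytes` and `SOLANA_SECRET_KEY_LENGTH` are hypothetical names, the 64-element length is an assumption about the key export format, and the check is written by hand rather than with valibot so it runs without dependencies.

```typescript
// Added example, not code from this PR. All helper names are hypothetical.

// Assumption: the exported Solana secret key is a JSON array of 64 byte values.
const SOLANA_SECRET_KEY_LENGTH = 64

type ParseResult =
  | { ok: true; bytes: Uint8Array }
  | { ok: false; reason: string }

function isNumberArray(value: unknown): value is number[] {
  return Array.isArray(value) && value.every((n) => typeof n === "number")
}

// The permissive shape the review comment describes: "array of numbers" is the
// only check, then Uint8Array does the rest. Typed-array conversion truncates
// toward zero and wraps modulo 256, so bad elements silently become other bytes.
function permissiveKeyBytes(json: string): Uint8Array {
  const parsed: unknown = JSON.parse(json)
  if (!isNumberArray(parsed)) {
    throw new TypeError("expected an array of numbers")
  }
  return Uint8Array.from(parsed)
}

function isByte(value: unknown): value is number {
  return (
    typeof value === "number" &&
    Number.isInteger(value) &&
    value >= 0 &&
    value <= 255
  )
}

// Strict variant: reject before any coercion can happen, and report only the
// index of the failing element so no key material ends up in the error.
function parseSecretKeyBytes(
  json: string,
  expectedLength: number = SOLANA_SECRET_KEY_LENGTH,
): ParseResult {
  let parsed: unknown
  try {
    parsed = JSON.parse(json)
  } catch {
    return { ok: false, reason: "not valid JSON" }
  }
  if (!Array.isArray(parsed)) {
    return { ok: false, reason: "not a JSON array" }
  }
  const items: unknown[] = parsed
  if (items.length !== expectedLength) {
    return {
      ok: false,
      reason: `expected ${expectedLength} elements, got ${items.length}`,
    }
  }
  const bad = items.findIndex((item) => !isByte(item))
  if (bad !== -1) {
    return { ok: false, reason: `element ${bad} is not an integer in 0..255` }
  }
  return { ok: true, bytes: Uint8Array.from(items as number[]) }
}

// Constructed inputs (not real key material): bytes 0..63, and a copy whose
// first three elements are out of range, negative, and fractional.
const validKeyJson = JSON.stringify(Array.from({ length: 64 }, (_, i) => i))
const malformedKeyJson = JSON.stringify(
  [256, -1, 1.9].concat(Array.from({ length: 61 }, (_, i) => i + 3)),
)

// Permissive path: no error, but the first three bytes are now 0, 255, 1.
console.log(Array.from(permissiveKeyBytes(malformedKeyJson).slice(0, 3)))
// Strict path: the same input is rejected at element 0.
console.log(parseSecretKeyBytes(malformedKeyJson))
console.log(parseSecretKeyBytes(validKeyJson).ok)
```

The permissive path yields a well-formed 64-byte array that is a different key from the one in the file, which is why the failure shows up later as a signing or address mismatch rather than at the parse boundary.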
From the panel review loop on #117:
- verify-parsed-credential: restore sequential claim-verifier execution so a multi-verifier failure throws deterministically (first verifier in order) and short-circuits, instead of the race-dependent error Promise.all surfaced. Matches the original behavior; scoped oxlint-disable for the intentional sequential await.
- changeset: document the two breaking @agentcommercekit/vc type changes the lint cleanup introduced (parseJwtCredential dropped its <T> generic; createCredential now returns W3CCredential instead of T), bumping vc to minor with migration notes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Catalog (pnpm-workspace.yaml):
- hono 4.12.26 -> 4.12.27, @hono/node-server 2.0.5 -> 2.0.6
- uuid 14.0.0 -> 14.0.1, viem 2.52.2 -> 2.53.1
- zod 3.25.4 -> 4.4.3 (schema files already target zod/v3 + zod/v4 subpaths, both of which ship in zod 4; package zod peers widened to "^3.25.0 || ^4.0.0", which is additive/non-breaking)
- @a2a-js/sdk 0.2.2 -> 0.3.13
Direct deps:
- @types/node 24.9.2 -> 25.9.4 (see note on 26 below)
- express 4.21.2 -> 5.2.1 (demos/identity-a2a)
- @solana/kit 4.0.0 -> 6.10.0, @solana-program/token 0.6.0 -> 0.14.0 (demos/payments)
@a2a-js/sdk 0.3 migration (demos/identity-a2a): entry points moved to server/client/express subpaths; A2AError is now a value; AgentCard requires protocolVersion. Updated imports and cards accordingly. ack-id/agentcommercekit a2a peer bumped ^0.2.2 -> ^0.3.0 (breaking — changeset added).
Held back (not safely upgradable right now):
- did-resolver 5.0.1: the did-jwt stack (did-jwt@8, did-jwt-vc@4) still requires did-resolver ^4.1.0, so bumping @agentcommercekit/did to 5 creates a two-copy `Resolvable` type skew. Stays on 4.1.0 until upstream supports 5.
- @types/node 26: its declarations break the TS 6.0.3 / oxlint-tsgolint type check (poisons module resolution -> spurious "cannot find module 'vitest'" across all test files). 25.9.4 is the newest usable.
All packages build; full check passes (build + lint/type-check + format + test).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
From the panel review loop on #117: - turbo.json: disable cache on //#lint. Type checking now runs via oxlint (tsgolint) inside //#lint, which depends on workspace dist/ that turbo does not track as inputs; a cached lint result could mask cross-package type errors. (dependsOn:["build"] isn't valid for a root task, so cache:false is the correct lever; the `turbo build && turbo check` script still guarantees build-first ordering.) - ack-pay README: update the example to createSignedPaymentRequest (the removed createPaymentRequestBody), use paymentRequestToken, and fix the Response init (headers, not the invalid contentType key). - did README: createDidPkhUri now documents Caip2ChainId (removed DidPkhChainId). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
publint flagged that `@agentcommercekit/keys` declares a `./secp256r1` subpath
export but never built `dist/curves/secp256r1.{js,d.ts}` — the module was
missing from the tsdown entry array, so importing the export failed at runtime.
Add it to the build. All packages/* now pass `publint`.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop `fixedExtension: false` from every package's tsdown.config.ts so the build uses tsdown's default extensions (.mjs / .d.mts) instead of forcing .js / .d.ts. Update each package.json `main`, `types`, and `exports` to point at the new extensions so module resolution still resolves. (This reverses the earlier fixedExtension workaround, which existed only to keep the old extensions and avoid touching the exports maps.) No public subpath changes — consumers resolving via the package name / exports are unaffected. All packages/* pass publint; full check passes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Both receiptResponseSchema definitions checked receipt with v.string(); the receipt is used as a Bearer credential, so validate it with jwtStringSchema at the runtime boundary. Addresses a PR review comment.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Solana pre/postTokenBalances can omit owner, so requiring it rejected valid transactions before the recipient filter ran. Addresses a PR review comment.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The workspace relies on pnpm 11-era settings (allowBuilds, blockExoticSubdeps); engines.pnpm >=10 allowed versions that ignore them. Match the packageManager pin. Addresses a PR review comment.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
getStatusListCredential(0) skipped the first bit because if (revokedIndex) is falsy for 0; guard on !== undefined. Addresses a PR review comment.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
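The falsy-zero guard from that commit message, reproduced as an added TypeScript example (not the repository's code): a status bitstring builder with the truthiness check next to the `!== undefined` form, plus a sweep that reports which indexes a builder fails to mark. The function names, the 16-entry list and the left-most-bit-first ordering are assumptions made for the illustration.

```typescript
// Added illustration; function names and the 16-entry list are constructed.
const LIST_SIZE = 16;

// Index 0 is taken to be the left-most bit of the first byte (assumed ordering).
function setBit(bits: Uint8Array, index: number): void {
  if (!Number.isInteger(index) || index < 0 || index >= bits.length * 8) {
    throw new RangeError(`status index out of range: ${index}`);
  }
  const byte = index >> 3;
  bits[byte] = (bits[byte] ?? 0) | (0x80 >> (index & 7));
}

function isRevoked(bits: Uint8Array, index: number): boolean {
  return ((bits[index >> 3] ?? 0) & (0x80 >> (index & 7))) !== 0;
}

// Before: a truthiness guard treats index 0 the same as "nothing revoked".
function buildStatusBitsTruthy(revokedIndex?: number): Uint8Array {
  const bits = new Uint8Array(LIST_SIZE / 8);
  if (revokedIndex) setBit(bits, revokedIndex);
  return bits;
}

// After: only an absent argument means "nothing revoked".
function buildStatusBits(revokedIndex?: number): Uint8Array {
  const bits = new Uint8Array(LIST_SIZE / 8);
  if (revokedIndex !== undefined) setBit(bits, revokedIndex);
  return bits;
}

// Indexes whose revocation the given builder silently drops.
function droppedRevocations(build: (i?: number) => Uint8Array): number[] {
  const dropped: number[] = [];
  for (let i = 0; i < LIST_SIZE; i++) {
    if (!isRevoked(build(i), i)) dropped.push(i);
  }
  return dropped;
}
```

Sweeping every index in a unit test, rather than spot-checking one mid-range value, is what exposes the dropped entry at 0.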
…-depenencies
#116 landed on main after this branch was cut, restructuring the schema layer (collapsed schemas/zod/{v3,v4}.ts into a single zod.ts, dropped zod v3, adopted web-identity-schemas). Resolved 16 conflicts by taking main's schema architecture and re-applying this branch's orthogonal work on top:
- schema files / package.json exports: main's single ./schemas/zod (+ a2a) and web-identity-schemas dep; re-applied our .mjs/.d.mts extensions
- zod peer: ^4.0.0 (main; our v3-widening is obsolete)
- re-applied our removals that main predates: @repo/typescript-config devDeps, per-package check:types scripts, standard-parse -> standard-matchers
- kept our @a2a-js/sdk ^0.3.0 peer, dep bumps, audit overrides, tooling
- honored our deprecated-API removal (dropped didPkhChainIdSchema from did valibot+zod, which main had kept)
- dropped our redundant secp256r1 changeset (main fixed it independently)
- regenerated pnpm-lock.yaml
Build + full check pass (29/29). 4 pre-existing warnings in main's new schema code (surfaced by this branch's type-aware lint) fixed in a follow-up.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- jwt/schemas/zod.ts: rename unused refine param val -> _val
- vc/schemas/{zod,valibot}.ts: scope-disable no-unsafe-type-assertion on the
transform's W3CCredential normalization (main's #116 code, surfaced by this
branch's type-aware lint)
- demos/skyfire-kya: drop a now-unnecessary `as JwtString`
- regenerate pnpm-lock.yaml from a clean store so the pnpm-audit overrides
fully apply (the in-merge incremental installs had left vite/ws/body-parser
on stale vulnerable versions); audit back to a single unfixable moderate
Full check passes (29/29); 0 lint warnings.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
A broad toolchain modernization and dependency/security cleanup pass. Highlights:
Tooling
- `.npmrc` → `saveExact`, `onlyBuiltDependencies` → `allowBuilds`)
- `.js`/`.d.ts` via `fixedExtension: false` (tsdown 0.22 changed the default ESM extension, which broke type resolution against the `exports` maps)
Type checking via oxlint (no more `tsc`)
- `options.typeAware`/`options.typeCheck`, backed by oxlint-tsgolint) — these were previously in the wrong config block (`settings`) and silently inert
- `check:types` (`tsc --noEmit`) scripts and the `check:types` turbo task; type checking now runs inside `lint`
Config consolidation
- `@repo/typescript-config` workspace package with a single root `tsconfig.json` that every sub-project extends (examples add `allowJs`/`jsx` inline)
Code quality
- `vi.fn` mocks, restructured conditional `expect`s, `#private` class fields, etc.
- `@repo/api-utils`: infer validator schema output via `v.InferOutput<S>` (required by TS 6's stricter inference)
- `keys`, `did`, `ack-pay` (see changeset for migrations)
Dependencies & security
- `pnpm audit`: 92 → 1 advisories
- `overrides` for vulnerable transitives (body-parser, path-to-regexp, qs, picomatch, uuid, ws, rollup, vite, postcss, esbuild, jsondiffpatch, js-yaml)
- read-yaml-file@1 → ^2.1.0
- `demos/identity` to AI SDK v6 (`ai` 4→6, providers to current majors; `CoreMessage`→`ModelMessage`, `maxSteps`→`stopWhen`, `parameters`→`inputSchema`)
- `js-yaml` 3.x via mintlify's `front-matter` (docs-only, never shipped; front-matter's latest still pins js-yaml 3.x and uses the removed `safeLoad`, so it can't move to 4.x)
Breaking changes
Removal of deprecated APIs in `keys`/`did`/`ack-pay` is covered by a changeset (minor bump, per the 0.x convention). Migrations are documented there.
Verification
- `pnpm run build` + `pnpm run check` pass (29/29: build, lint incl. type-check, format, tests)
- `pnpm audit` down to 1 (upstream-locked, docs-only)
AI usage disclosure
Per the repo AI Usage Policy: this branch was developed with Claude Code (Anthropic). AI assistance was extensive — it performed the dependency/version investigation, code migrations, oxlint warning fixes, and audit remediation, with human review and direction throughout. Library/version-migration details were verified against current docs (AI SDK, pnpm, oxlint) rather than model memory.
🤖 Generated with Claude Code