@clue-ai/cli 0.0.5 → 0.0.6

package/src/setup-check.mjs

@@ -1,8 +1,8 @@
 import { access, readFile } from "node:fs/promises";
 import { join, relative, resolve } from "node:path";
 import {
-	findLifecycleCallApiNames,
-	findLifecycleGuardViolations,
+  findLifecycleCallApiNames,
+  findLifecycleGuardViolations,
 } from "./lifecycle-guard.mjs";
 import { listAllowedSourceFiles } from "./path-policy.mjs";
 import { runSemanticInventory } from "./semantic-ci.mjs";
@@ -10,426 +10,427 @@ import { runSemanticInventory } from "./semantic-ci.mjs";
 const DEFAULT_WORKFLOW_PATH = ".github/workflows/clue-semantic-snapshot.yml";
 
 const disallowedWorkflowMetadataPattern =
-	/github\.(actor|triggering_actor|repository_owner)|github\.event\.sender|github\.event\.repository\.name|"default_branch"\s*:/;
+  /github\.(actor|triggering_actor|repository_owner)|github\.event\.sender|github\.event\.repository\.name|"default_branch"\s*:/;
 const SETUP_SKILLS = [
-	"clue-setup-orchestrator",
-	"clue-route-semantic-snapshot",
-	"clue-semantic-ci",
-	"clue-sdk-instrumentation",
-	"clue-setup-audit",
-	"clue-local-verification",
-	"clue-setup-report",
+  "clue-setup-orchestrator",
+  "clue-route-semantic-snapshot",
+  "clue-semantic-ci",
+  "clue-sdk-instrumentation",
+  "clue-setup-audit",
+  "clue-local-verification",
+  "clue-setup-report",
 ];
 const TARGET_SKILL_ROOTS = {
-	codex: [".agents", "skills"],
-	claude_code: [".claude", "skills"],
+  codex: [".agents", "skills"],
+  claude_code: [".claude", "skills"],
 };
 const SOURCE_EXTENSIONS = [".py", ".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"];
 const REQUIRED_LIFECYCLE_APIS = [
-	"ClueInit",
-	"ClueIdentify",
-	"ClueSetAccount",
-	"ClueLogout",
+  "ClueInit",
+  "ClueIdentify",
+  "ClueSetAccount",
+  "ClueLogout",
 ];
 const BACKEND_SDK_MARKERS = [
-	"clue-fastapi-sdk",
-	"clue-django-sdk",
-	"clue-python-sdk-core",
-	"clue_fastapi_sdk",
-	"clue_django_sdk",
-	"clue_python_sdk_core",
+  "clue-fastapi-sdk",
+  "clue-django-sdk",
+  "clue-python-sdk-core",
+  "clue_fastapi_sdk",
+  "clue_django_sdk",
+  "clue_python_sdk_core",
 ];
 const DEPENDENCY_FILE_CANDIDATES = [
-	"package.json",
-	"pnpm-lock.yaml",
-	"package-lock.json",
-	"yarn.lock",
-	"requirements.txt",
-	"requirements-dev.txt",
-	"pyproject.toml",
-	"poetry.lock",
-	"Pipfile",
+  "package.json",
+  "pnpm-lock.yaml",
+  "package-lock.json",
+  "yarn.lock",
+  "requirements.txt",
+  "requirements-dev.txt",
+  "pyproject.toml",
+  "poetry.lock",
+  "Pipfile",
 ];
 const exists = async (path) => {
-	try {
-		await access(path);
-		return true;
-	} catch {
-		return false;
-	}
+  try {
+    await access(path);
+    return true;
+  } catch {
+    return false;
+  }
 };
 
 const normalizeTarget = (target) => {
-	if (typeof target !== "string" || target.trim() === "") return undefined;
-	const normalized = target
-		.trim()
-		.toLowerCase()
-		.replace(/[\s-]+/g, "_");
-	if (!TARGET_SKILL_ROOTS[normalized]) {
-		throw new Error("target must be codex or claude_code");
-	}
-	return normalized;
+  if (typeof target !== "string" || target.trim() === "") return undefined;
+  const normalized = target
+    .trim()
+    .toLowerCase()
+    .replace(/[\s-]+/g, "_");
+  if (!TARGET_SKILL_ROOTS[normalized]) {
+    throw new Error("target must be codex or claude_code");
+  }
+  return normalized;
 };
 
 const addCheck = (checks, id, passed, summary, details = {}) => {
-	checks.push({ id, passed, summary, ...details });
+  checks.push({ id, passed, summary, ...details });
 };
 
 const readAllowedSourceText = async ({
-	repoRoot,
-	allowedSourcePaths,
-	excludedSourcePaths,
+  repoRoot,
+  allowedSourcePaths,
+  excludedSourcePaths,
 }) => {
-	const files = await listAllowedSourceFiles({
-		repoRoot,
-		allowedSourcePaths,
-		excludedSourcePaths,
-		extensions: SOURCE_EXTENSIONS,
-	});
-	const sources = [];
-	for (const absolutePath of files) {
-		sources.push({
-			file_path: relative(resolve(repoRoot), absolutePath),
-			text: await readFile(absolutePath, "utf8"),
-		});
-	}
-	return sources;
+  const files = await listAllowedSourceFiles({
+    repoRoot,
+    allowedSourcePaths,
+    excludedSourcePaths,
+    extensions: SOURCE_EXTENSIONS,
+  });
+  const sources = [];
+  for (const absolutePath of files) {
+    sources.push({
+      file_path: relative(resolve(repoRoot), absolutePath),
+      text: await readFile(absolutePath, "utf8"),
+    });
+  }
+  return sources;
 };
 
 const readDependencyText = async ({ repoRoot, roots }) => {
-	const candidatePaths = [
-		...DEPENDENCY_FILE_CANDIDATES,
-		...roots.flatMap((root) =>
-			DEPENDENCY_FILE_CANDIDATES.map((file) => join(root, file)),
-		),
-	];
-	const sources = [];
-	for (const path of [...new Set(candidatePaths)]) {
-		const absolutePath = join(repoRoot, path);
-		if (!(await exists(absolutePath))) continue;
-		sources.push({
-			file_path: path,
-			text: await readFile(absolutePath, "utf8"),
-		});
-	}
-	return sources;
+  const candidatePaths = [
+    ...DEPENDENCY_FILE_CANDIDATES,
+    ...roots.flatMap((root) =>
+      DEPENDENCY_FILE_CANDIDATES.map((file) => join(root, file)),
+    ),
+  ];
+  const sources = [];
+  for (const path of [...new Set(candidatePaths)]) {
+    const absolutePath = join(repoRoot, path);
+    if (!(await exists(absolutePath))) continue;
+    sources.push({
+      file_path: path,
+      text: await readFile(absolutePath, "utf8"),
+    });
+  }
+  return sources;
 };
 
 const setupSourcePaths = async ({ repoRoot, request, includeFrontend }) => {
-	const requested = request?.allowed_source_paths?.length
-		? request.allowed_source_paths
-		: ["."];
-	if (!includeFrontend) return requested;
-	const candidates = [
-		...requested,
-		"frontend/src",
-		"src",
-		"app",
-		"apps/web/src",
-		"packages/frontend",
-	];
-	const existing = [];
-	for (const candidate of [...new Set(candidates)]) {
-		if (await exists(join(repoRoot, candidate))) {
-			existing.push(candidate);
-		}
-	}
-	return existing.length ? existing : requested;
+  const requested = request?.allowed_source_paths?.length
+    ? request.allowed_source_paths
+    : ["."];
+  if (!includeFrontend) return requested;
+  const candidates = [
+    ...requested,
+    "frontend/src",
+    "src",
+    "app",
+    "apps/web/src",
+    "packages/frontend",
+  ];
+  const existing = [];
+  for (const candidate of [...new Set(candidates)]) {
+    if (await exists(join(repoRoot, candidate))) {
+      existing.push(candidate);
+    }
+  }
+  return existing.length ? existing : requested;
 };
 
 const secretLeakPatterns = [
-	/pk_(live|test)_[A-Za-z0-9_-]+/,
-	/sk_(live|test)_[A-Za-z0-9_-]+/,
-	/npm_[A-Za-z0-9]{20,}/,
-	/CLUE_API_KEY\s*[:=]\s*["'][^"']+["']/,
-	/AI_PROVIDER_API_KEY\s*[:=]\s*["'][^"']+["']/,
+  /pk_(live|test)_[A-Za-z0-9_-]+/,
+  /sk_(live|test)_[A-Za-z0-9_-]+/,
+  /npm_[A-Za-z0-9]{20,}/,
+  /CLUE_API_KEY\s*[:=]\s*["'][^"']+["']/,
+  /CLUE_AI_PROVIDER_API_KEY\s*[:=]\s*["'][^"']+["']/,
 ];
 
 const findSecretLeaks = (sources) =>
-	sources.flatMap((source) =>
-		secretLeakPatterns.some((pattern) => pattern.test(source.text))
-			? [source.file_path]
-			: [],
-	);
+  sources.flatMap((source) =>
+    secretLeakPatterns.some((pattern) => pattern.test(source.text))
+      ? [source.file_path]
+      : [],
+  );
 
 const startsWithRoot = (filePath, root) =>
-	filePath === root || filePath.startsWith(`${root.replace(/\/+$/, "")}/`);
+  filePath === root || filePath.startsWith(`${root.replace(/\/+$/, "")}/`);
 
 const hasAnyMarker = (text, markers) =>
-	markers.some((marker) => text.includes(marker));
+  markers.some((marker) => text.includes(marker));
 
 const checkSdkLifecycle = ({
-	backendRootPaths = [],
-	dependencySources = [],
-	sources,
+  backendRootPaths = [],
+  dependencySources = [],
+  sources,
 }) => {
-	const combined = sources.map((source) => source.text).join("\n");
-	const backendSources = sources.filter((source) =>
-		backendRootPaths.some((root) => startsWithRoot(source.file_path, root)),
-	);
-	const backendCombined = backendSources
-		.map((source) => source.text)
-		.join("\n");
-	const dependencyCombined = dependencySources
-		.map((source) => source.text)
-		.join("\n");
-	const foundApiNames = findLifecycleCallApiNames(combined);
-	const backendFoundApiNames = findLifecycleCallApiNames(backendCombined);
-	const foundApis = REQUIRED_LIFECYCLE_APIS.filter((api) =>
-		foundApiNames.includes(api),
-	);
-	const missingApis = REQUIRED_LIFECYCLE_APIS.filter(
-		(api) => !foundApis.includes(api),
-	);
-	const noOpPattern =
-		/window\.Clue(?:Init|Identify|SetAccount|Logout)|(?:function|const|let|var)\s+Clue(?:Init|Identify|SetAccount|Logout)\b/;
-	const componentLifecycleInitFiles = sources
-		.filter((source) =>
-			/useEffect\s*\([\s\S]{0,1200}ClueInit/.test(source.text),
-		)
-		.map((source) => source.file_path);
-	const unguardedLifecycleCalls = sources.flatMap((source) =>
-		findLifecycleGuardViolations(source.text).map((violation) => ({
-			file_path: source.file_path,
-			...violation,
-		})),
-	);
-	const unguardedLifecycleFiles = [
-		...new Set(unguardedLifecycleCalls.map((violation) => violation.file_path)),
-	];
-	const backendPresent = backendSources.length > 0;
-	const backendSdkPresent =
-		!backendPresent ||
-		hasAnyMarker(
-			`${backendCombined}\n${dependencyCombined}`,
-			BACKEND_SDK_MARKERS,
-		);
-	const backendInitPresent =
-		!backendPresent ||
-		/clue_init_fastapi|clue_init_django|configure_settings|CluePythonBootstrapConfig/.test(
-			backendCombined,
-		);
-	const backendIdentityRequired =
-		backendPresent &&
-		/\b(login|signin|sign_in|auth|token|session)\b/i.test(backendCombined);
-	const backendLogoutRequired =
-		backendPresent && /\b(logout|signout|sign_out)\b/i.test(backendCombined);
-	const backendAccountRequired =
-		backendPresent &&
-		/\b(account|workspace|organization|tenant)\b/i.test(backendCombined);
-	const backendMissingApis = [
-		...(backendIdentityRequired &&
-		!backendFoundApiNames.includes("ClueIdentify")
-			? ["ClueIdentify"]
-			: []),
-		...(backendLogoutRequired && !backendFoundApiNames.includes("ClueLogout")
-			? ["ClueLogout"]
-			: []),
-		...(backendAccountRequired &&
-		!backendFoundApiNames.includes("ClueSetAccount")
-			? ["ClueSetAccount"]
-			: []),
-	];
-	return {
-		foundApis,
-		missingApis,
-		backend_lifecycle: {
-			backend_present: backendPresent,
-			backend_root_paths: backendRootPaths,
-			dependency_files: dependencySources.map((source) => source.file_path),
-			sdk_dependency_or_import_present: backendSdkPresent,
-			sdk_init_present: backendInitPresent,
-			required_apis: [
-				...(backendIdentityRequired ? ["ClueIdentify"] : []),
-				...(backendAccountRequired ? ["ClueSetAccount"] : []),
-				...(backendLogoutRequired ? ["ClueLogout"] : []),
-			],
-			missing_apis: backendMissingApis,
-		},
-		has_noop_wrapper: noOpPattern.test(combined),
-		component_lifecycle_init_files: componentLifecycleInitFiles,
-		unguarded_lifecycle_files: unguardedLifecycleFiles,
-		unguarded_lifecycle_calls: unguardedLifecycleCalls,
-		passed:
-			missingApis.length === 0 &&
-			backendSdkPresent &&
-			backendInitPresent &&
-			backendMissingApis.length === 0 &&
-			!noOpPattern.test(combined) &&
-			componentLifecycleInitFiles.length === 0 &&
-			unguardedLifecycleFiles.length === 0,
-	};
+  const combined = sources.map((source) => source.text).join("\n");
+  const backendSources = sources.filter((source) =>
+    backendRootPaths.some((root) => startsWithRoot(source.file_path, root)),
+  );
+  const backendCombined = backendSources
+    .map((source) => source.text)
+    .join("\n");
+  const dependencyCombined = dependencySources
+    .map((source) => source.text)
+    .join("\n");
+  const foundApiNames = findLifecycleCallApiNames(combined);
+  const backendFoundApiNames = findLifecycleCallApiNames(backendCombined);
+  const foundApis = REQUIRED_LIFECYCLE_APIS.filter((api) =>
+    foundApiNames.includes(api),
+  );
+  const missingApis = REQUIRED_LIFECYCLE_APIS.filter(
+    (api) => !foundApis.includes(api),
+  );
+  const noOpPattern =
+    /window\.Clue(?:Init|Identify|SetAccount|Logout)|(?:function|const|let|var)\s+Clue(?:Init|Identify|SetAccount|Logout)\b/;
+  const componentLifecycleInitFiles = sources
+    .filter((source) =>
+      /useEffect\s*\([\s\S]{0,1200}ClueInit/.test(source.text),
+    )
+    .map((source) => source.file_path);
+  const unguardedLifecycleCalls = sources.flatMap((source) =>
+    findLifecycleGuardViolations(source.text).map((violation) => ({
+      file_path: source.file_path,
+      ...violation,
+    })),
+  );
+  const unguardedLifecycleFiles = [
+    ...new Set(unguardedLifecycleCalls.map((violation) => violation.file_path)),
+  ];
+  const backendPresent = backendSources.length > 0;
+  const backendSdkPresent =
+    !backendPresent ||
+    hasAnyMarker(
+      `${backendCombined}\n${dependencyCombined}`,
+      BACKEND_SDK_MARKERS,
+    );
+  const backendInitPresent =
+    !backendPresent ||
+    /clue_init_fastapi|clue_init_django|configure_settings|CluePythonBootstrapConfig/.test(
+      backendCombined,
+    );
+  const backendIdentityRequired =
+    backendPresent &&
+    /\b(login|signin|sign_in|auth|token|session)\b/i.test(backendCombined);
+  const backendLogoutRequired =
+    backendPresent && /\b(logout|signout|sign_out)\b/i.test(backendCombined);
+  const backendAccountRequired =
+    backendPresent &&
+    /\b(account|workspace|organization|tenant)\b/i.test(backendCombined);
+  const backendMissingApis = [
+    ...(backendIdentityRequired &&
+    !backendFoundApiNames.includes("ClueIdentify")
+      ? ["ClueIdentify"]
+      : []),
+    ...(backendLogoutRequired && !backendFoundApiNames.includes("ClueLogout")
+      ? ["ClueLogout"]
+      : []),
+    ...(backendAccountRequired &&
+    !backendFoundApiNames.includes("ClueSetAccount")
+      ? ["ClueSetAccount"]
+      : []),
+  ];
+  return {
+    foundApis,
+    missingApis,
+    backend_lifecycle: {
+      backend_present: backendPresent,
+      backend_root_paths: backendRootPaths,
+      dependency_files: dependencySources.map((source) => source.file_path),
+      sdk_dependency_or_import_present: backendSdkPresent,
+      sdk_init_present: backendInitPresent,
+      required_apis: [
+        ...(backendIdentityRequired ? ["ClueIdentify"] : []),
+        ...(backendAccountRequired ? ["ClueSetAccount"] : []),
+        ...(backendLogoutRequired ? ["ClueLogout"] : []),
+      ],
+      missing_apis: backendMissingApis,
+    },
+    has_noop_wrapper: noOpPattern.test(combined),
+    component_lifecycle_init_files: componentLifecycleInitFiles,
+    unguarded_lifecycle_files: unguardedLifecycleFiles,
+    unguarded_lifecycle_calls: unguardedLifecycleCalls,
+    passed:
+      missingApis.length === 0 &&
+      backendSdkPresent &&
+      backendInitPresent &&
+      backendMissingApis.length === 0 &&
+      !noOpPattern.test(combined) &&
+      componentLifecycleInitFiles.length === 0 &&
+      unguardedLifecycleFiles.length === 0,
+  };
 };
 
 export const runSetupCheck = async ({
-	repoRoot,
-	target,
-	request,
-	requireSdkLifecycle = false,
+  repoRoot,
+  target,
+  request,
+  requireSdkLifecycle = false,
 }) => {
-	const resolvedRepoRoot = resolve(repoRoot ?? ".");
-	const checks = [];
-	const normalizedTarget = normalizeTarget(target);
+  const resolvedRepoRoot = resolve(repoRoot ?? ".");
+  const checks = [];
+  const normalizedTarget = normalizeTarget(target);
 
-	if (normalizedTarget) {
-		const skillRoot = join(
-			resolvedRepoRoot,
-			...TARGET_SKILL_ROOTS[normalizedTarget],
-		);
-		const missingSkills = [];
-		for (const skillName of SETUP_SKILLS) {
-			const skillPath = join(skillRoot, skillName, "SKILL.md");
-			if (!(await exists(skillPath))) {
-				missingSkills.push(
-					join(...TARGET_SKILL_ROOTS[normalizedTarget], skillName, "SKILL.md"),
-				);
-			}
-		}
-		addCheck(
-			checks,
-			"setup_skills",
-			missingSkills.length === 0,
-			missingSkills.length === 0
-				? "setup skills are installed"
-				: "setup skills are missing",
-			{ missing_files: missingSkills },
-		);
-	}
+  if (normalizedTarget) {
+    const skillRoot = join(
+      resolvedRepoRoot,
+      ...TARGET_SKILL_ROOTS[normalizedTarget],
+    );
+    const missingSkills = [];
+    for (const skillName of SETUP_SKILLS) {
+      const skillPath = join(skillRoot, skillName, "SKILL.md");
+      if (!(await exists(skillPath))) {
+        missingSkills.push(
+          join(...TARGET_SKILL_ROOTS[normalizedTarget], skillName, "SKILL.md"),
+        );
+      }
+    }
+    addCheck(
+      checks,
+      "setup_skills",
+      missingSkills.length === 0,
+      missingSkills.length === 0
+        ? "setup skills are installed"
+        : "setup skills are missing",
+      { missing_files: missingSkills },
+    );
+  }
 
-	const workflowPath = request?.ci_workflow_path ?? DEFAULT_WORKFLOW_PATH;
-	const absoluteWorkflowPath = join(resolvedRepoRoot, workflowPath);
-	if (await exists(absoluteWorkflowPath)) {
-		const workflow = await readFile(absoluteWorkflowPath, "utf8");
-		addCheck(
-			checks,
-			"semantic_workflow",
-			workflow.includes(
-				"npx @clue-ai/cli semantic-ci --request-env CLUE_SEMANTIC_REQUEST_JSON --repo .",
-			) &&
-				workflow.includes("CLUE_SEMANTIC_REQUEST_JSON: |") &&
-				workflow.includes("CLUE_API_KEY: ${{ secrets.CLUE_API_KEY }}") &&
-				workflow.includes(
-					"AI_PROVIDER_API_KEY: ${{ secrets.AI_PROVIDER_API_KEY }}",
-				) &&
-				workflow.includes("permissions:\n  contents: read") &&
-				workflow.includes("persist-credentials: false") &&
-				!disallowedWorkflowMetadataPattern.test(workflow),
-			"semantic workflow uses the canonical env runtime request, least-privilege checkout, and privacy-minimized GitHub metadata",
-			{ workflow_path: workflowPath },
-		);
-	} else {
-		addCheck(
-			checks,
-			"semantic_workflow",
-			false,
-			"semantic workflow is missing",
-			{
-				workflow_path: workflowPath,
-			},
-		);
-	}
+  const workflowPath = request?.ci_workflow_path ?? DEFAULT_WORKFLOW_PATH;
+  const absoluteWorkflowPath = join(resolvedRepoRoot, workflowPath);
+  if (await exists(absoluteWorkflowPath)) {
+    const workflow = await readFile(absoluteWorkflowPath, "utf8");
+    addCheck(
+      checks,
+      "semantic_workflow",
+      workflow.includes(
+        "npx @clue-ai/cli semantic-ci --request-env CLUE_SEMANTIC_REQUEST_JSON --repo .",
+      ) &&
+        workflow.includes("CLUE_SEMANTIC_REQUEST_JSON: |") &&
+        workflow.includes("CLUE_API_KEY: ${{ secrets.CLUE_API_KEY }}") &&
+        workflow.includes(
+          "CLUE_AI_PROVIDER_API_KEY: ${{ secrets.CLUE_AI_PROVIDER_API_KEY }}",
+        ) &&
+        workflow.includes("CLUE_AI_PROVIDER: ${{ vars.CLUE_AI_PROVIDER }}") &&
+        workflow.includes("permissions:\n  contents: read") &&
+        workflow.includes("persist-credentials: false") &&
+        !disallowedWorkflowMetadataPattern.test(workflow),
+      "semantic workflow uses the canonical env runtime request, least-privilege checkout, and privacy-minimized GitHub metadata",
+      { workflow_path: workflowPath },
+    );
+  } else {
+    addCheck(
+      checks,
+      "semantic_workflow",
+      false,
+      "semantic workflow is missing",
+      {
+        workflow_path: workflowPath,
+      },
+    );
+  }
 
-	addCheck(
-		checks,
-		"runtime_request_not_committed",
-		!(await exists(
-			join(resolvedRepoRoot, ".clue", "semantic-request.runtime.json"),
-		)),
-		".clue/semantic-request.runtime.json is not present in the repository",
-	);
+  addCheck(
+    checks,
+    "runtime_request_not_committed",
+    !(await exists(
+      join(resolvedRepoRoot, ".clue", "semantic-request.runtime.json"),
+    )),
+    ".clue/semantic-request.runtime.json is not present in the repository",
+  );
 
-	if (request) {
-		try {
-			const inventory = await runSemanticInventory({
-				repoRoot: resolvedRepoRoot,
-				request,
-			});
-			addCheck(
-				checks,
-				"semantic_inventory",
-				true,
-				"semantic inventory discovers routes",
-				{
-					route_count: inventory.route_count,
-				},
-			);
-		} catch (error) {
-			addCheck(
-				checks,
-				"semantic_inventory",
-				false,
-				"semantic inventory failed",
-				{
-					error: error instanceof Error ? error.message : String(error),
-				},
-			);
-		}
-	}
+  if (request) {
+    try {
+      const inventory = await runSemanticInventory({
+        repoRoot: resolvedRepoRoot,
+        request,
+      });
+      addCheck(
+        checks,
+        "semantic_inventory",
+        true,
+        "semantic inventory discovers routes",
+        {
+          route_count: inventory.route_count,
+        },
+      );
+    } catch (error) {
+      addCheck(
+        checks,
+        "semantic_inventory",
+        false,
+        "semantic inventory failed",
+        {
+          error: error instanceof Error ? error.message : String(error),
+        },
+      );
+    }
+  }
 
-	const sourcePaths = await setupSourcePaths({
-		repoRoot: resolvedRepoRoot,
-		request,
-		includeFrontend: requireSdkLifecycle,
-	});
-	const excludedPaths = request?.excluded_source_paths ?? [];
-	const sources = await readAllowedSourceText({
-		repoRoot: resolvedRepoRoot,
-		allowedSourcePaths: sourcePaths,
-		excludedSourcePaths: excludedPaths,
-	});
-	const dependencySources = await readDependencyText({
-		repoRoot: resolvedRepoRoot,
-		roots: request?.allowed_source_paths ?? [],
-	});
-	const secretLeaks = findSecretLeaks([
-		...sources,
-		...dependencySources,
-		...((await exists(absoluteWorkflowPath))
-			? [
-					{
-						file_path: workflowPath,
-						text: await readFile(absoluteWorkflowPath, "utf8"),
-					},
-				]
-			: []),
-	]);
-	addCheck(
-		checks,
-		"no_secret_values",
-		secretLeaks.length === 0,
-		"no obvious secret values found",
-		{
-			files: secretLeaks,
-		},
-	);
+  const sourcePaths = await setupSourcePaths({
+    repoRoot: resolvedRepoRoot,
+    request,
+    includeFrontend: requireSdkLifecycle,
+  });
+  const excludedPaths = request?.excluded_source_paths ?? [];
+  const sources = await readAllowedSourceText({
+    repoRoot: resolvedRepoRoot,
+    allowedSourcePaths: sourcePaths,
+    excludedSourcePaths: excludedPaths,
+  });
+  const dependencySources = await readDependencyText({
+    repoRoot: resolvedRepoRoot,
+    roots: request?.allowed_source_paths ?? [],
+  });
+  const secretLeaks = findSecretLeaks([
+    ...sources,
+    ...dependencySources,
+    ...((await exists(absoluteWorkflowPath))
+      ? [
+          {
+            file_path: workflowPath,
+            text: await readFile(absoluteWorkflowPath, "utf8"),
+          },
+        ]
+      : []),
+  ]);
+  addCheck(
+    checks,
+    "no_secret_values",
+    secretLeaks.length === 0,
+    "no obvious secret values found",
+    {
+      files: secretLeaks,
+    },
+  );
 
-	if (requireSdkLifecycle) {
-		const sdkLifecycle = checkSdkLifecycle({
-			backendRootPaths: request?.allowed_source_paths ?? [],
-			dependencySources,
-			sources,
-		});
-		addCheck(
-			checks,
-			"sdk_lifecycle",
-			sdkLifecycle.passed,
-			"SDK lifecycle calls resolve to real source code instead of no-op globals",
-			{
-				found_apis: sdkLifecycle.foundApis,
-				missing_apis: sdkLifecycle.missingApis,
-				backend_lifecycle: sdkLifecycle.backend_lifecycle,
-				has_noop_wrapper: sdkLifecycle.has_noop_wrapper,
-				component_lifecycle_init_files:
-					sdkLifecycle.component_lifecycle_init_files,
-				unguarded_lifecycle_files: sdkLifecycle.unguarded_lifecycle_files,
-				unguarded_lifecycle_calls: sdkLifecycle.unguarded_lifecycle_calls,
-			},
-		);
-	}
+  if (requireSdkLifecycle) {
+    const sdkLifecycle = checkSdkLifecycle({
+      backendRootPaths: request?.allowed_source_paths ?? [],
+      dependencySources,
+      sources,
+    });
+    addCheck(
+      checks,
+      "sdk_lifecycle",
+      sdkLifecycle.passed,
+      "SDK lifecycle calls resolve to real source code instead of no-op globals",
+      {
+        found_apis: sdkLifecycle.foundApis,
+        missing_apis: sdkLifecycle.missingApis,
+        backend_lifecycle: sdkLifecycle.backend_lifecycle,
+        has_noop_wrapper: sdkLifecycle.has_noop_wrapper,
+        component_lifecycle_init_files:
+          sdkLifecycle.component_lifecycle_init_files,
+        unguarded_lifecycle_files: sdkLifecycle.unguarded_lifecycle_files,
+        unguarded_lifecycle_calls: sdkLifecycle.unguarded_lifecycle_calls,
+      },
+    );
+  }
 
-	const passed = checks.every((check) => check.passed);
-	return {
-		passed,
-		checks,
-	};
+  const passed = checks.every((check) => check.passed);
+  return {
+    passed,
+    checks,
+  };
 };