@codyswann/lisa 2.171.0 → 2.171.1

package/plugins/src/base/hooks/install-pkgs.sh

@@ -8,18 +8,40 @@ if [ -d "node_modules" ]; then
   exit 0
 fi
 
-# Detect package manager based on lock file presence
-if [ -f "bun.lockb" ] || [ -f "bun.lock" ]; then
-  bun install
-elif [ -f "pnpm-lock.yaml" ]; then
-  pnpm install
-elif [ -f "yarn.lock" ]; then
-  yarn install
-elif [ -f "package-lock.json" ]; then
-  npm install
-else
-  npm install
-fi
+# Detect the package manager this project wants, honoring explicit opt-outs.
+# Precedence: packageManager field > engines "please-use-<pm>" sentinel >
+# lockfile presence (minus any PM the engines forbid) > npm default.
+#
+# This must NOT key on lockfile presence alone. An npm-only project
+# (engines.bun = "please-use-npm", CI runs `npm ci`) that picks up a stray
+# bun.lock would otherwise get `bun install`, re-create the bun.lock, and break
+# — the SE-5221 regression. The engines/packageManager signals are
+# authoritative; lockfiles are only a fallback and never override an opt-out.
+detect_package_manager() {
+  _field="" _forced="" _forbidden=""
+  if [ -f package.json ] && command -v jq >/dev/null 2>&1; then
+    _field=$(jq -r '(.packageManager // "") | sub("@.*$";"")' package.json 2>/dev/null)
+    _forced=$(jq -r 'first((.engines // {})[] | strings | capture("please-use-(?<pm>bun|npm|yarn|pnpm)")?.pm) // ""' package.json 2>/dev/null)
+    _forbidden=$(jq -r '[(.engines // {}) | to_entries[] | select(((.value|strings) // "") | test("please-use|do-not-use";"i")) | .key] | join(" ")' package.json 2>/dev/null)
+  fi
+  case "$_field" in bun | npm | yarn | pnpm) printf '%s\n' "$_field"; return 0 ;; esac
+  case "$_forced" in bun | npm | yarn | pnpm) printf '%s\n' "$_forced"; return 0 ;; esac
+  _pm_allowed() { case " $_forbidden " in *" $1 "*) return 1 ;; *) return 0 ;; esac; }
+  if { [ -f bun.lockb ] || [ -f bun.lock ]; } && _pm_allowed bun; then printf 'bun\n'; return 0; fi
+  if [ -f pnpm-lock.yaml ] && _pm_allowed pnpm; then printf 'pnpm\n'; return 0; fi
+  if [ -f yarn.lock ] && _pm_allowed yarn; then printf 'yarn\n'; return 0; fi
+  if [ -f package-lock.json ] && _pm_allowed npm; then printf 'npm\n'; return 0; fi
+  printf 'npm\n'
+}
+
+PACKAGE_MANAGER="$(detect_package_manager)"
+echo "Detected package manager: ${PACKAGE_MANAGER}"
+case "$PACKAGE_MANAGER" in
+  bun) bun install ;;
+  pnpm) pnpm install ;;
+  yarn) yarn install ;;
+  *) npm install ;;
+esac
 
 # The tools below use Linux-specific binaries and paths — skip on other platforms.
 if [ "$(uname -s)" != "Linux" ]; then

package/plugins/src/base/skills/generate-claude-remote-build-script/SKILL.md

@@ -101,12 +101,34 @@ need() { command -v "$1" >/dev/null 2>&1; }
 require() { need "$1" || { echo "FATAL: required tool '$1' missing and install failed" >&2; exit 1; }; }
 
 # --- package manager (REQUIRED) ---
-if ! need bun; then
+# Resolve the PM from packageManager/engines/lockfiles — emit the manager the
+# `packageManager` inventory field reported, NEVER a hardcoded bun. An npm-only
+# project (engines.bun = "please-use-npm") must install with npm; emitting
+# `bun install` would create a stray bun.lock and break it (the SE-5221
+# regression). Only install/PATH-export the manager actually selected below.
+detect_package_manager() {
+  _field="" _forced="" _forbidden=""
+  if [ -f package.json ] && command -v jq >/dev/null 2>&1; then
+    _field=$(jq -r '(.packageManager // "") | sub("@.*$";"")' package.json 2>/dev/null)
+    _forced=$(jq -r 'first((.engines // {})[] | strings | capture("please-use-(?<pm>bun|npm|yarn|pnpm)")?.pm) // ""' package.json 2>/dev/null)
+    _forbidden=$(jq -r '[(.engines // {}) | to_entries[] | select(((.value|strings) // "") | test("please-use|do-not-use";"i")) | .key] | join(" ")' package.json 2>/dev/null)
+  fi
+  case "$_field" in bun | npm | yarn | pnpm) printf '%s\n' "$_field"; return 0 ;; esac
+  case "$_forced" in bun | npm | yarn | pnpm) printf '%s\n' "$_forced"; return 0 ;; esac
+  _pm_allowed() { case " $_forbidden " in *" $1 "*) return 1 ;; *) return 0 ;; esac; }
+  { [ -f bun.lockb ] || [ -f bun.lock ]; } && _pm_allowed bun && { printf 'bun\n'; return 0; }
+  [ -f pnpm-lock.yaml ] && _pm_allowed pnpm && { printf 'pnpm\n'; return 0; }
+  [ -f yarn.lock ] && _pm_allowed yarn && { printf 'yarn\n'; return 0; }
+  [ -f package-lock.json ] && _pm_allowed npm && { printf 'npm\n'; return 0; }
+  printf 'npm\n'
+}
+PM="$(detect_package_manager)"
+if [ "$PM" = "bun" ] && ! need bun; then
   curl -fsSL https://bun.sh/install | bash
+  export PATH="$HOME/.bun/bin:$PATH"
 fi
-export PATH="$HOME/.bun/bin:$PATH"
 # NOTE: bun has known proxy package-fetch issues in cloud sessions; retry to survive transient proxy errors.
-for i in 1 2 3; do bun install && break || sleep 5; done
+for i in 1 2 3; do "$PM" install && break || sleep 5; done
 
 # --- required CLIs ---
 need gh || (sudo apt-get update -y && sudo apt-get install -y gh)

package/scripts/claude-remote-setup.sh

@@ -80,12 +80,40 @@ fi
 require gitleaks
 
 # --- project dependencies ---
+# Resolve the package manager from packageManager/engines/lockfiles rather than
+# hardcoding bun: an npm-only project (engines.bun = "please-use-npm", CI runs
+# `npm ci`) must install with npm, never `bun install` — which would create a
+# stray bun.lock and break the project (the SE-5221 regression). jq is required
+# above, so the package.json signals are always available here.
 # bun has known proxy package-fetch issues in cloud sessions; retry transient failures.
+detect_package_manager() {
+  _field="" _forced="" _forbidden=""
+  if [ -f package.json ]; then
+    _field=$(jq -r '(.packageManager // "") | sub("@.*$";"")' package.json 2>/dev/null)
+    _forced=$(jq -r 'first((.engines // {})[] | strings | capture("please-use-(?<pm>bun|npm|yarn|pnpm)")?.pm) // ""' package.json 2>/dev/null)
+    _forbidden=$(jq -r '[(.engines // {}) | to_entries[] | select(((.value|strings) // "") | test("please-use|do-not-use";"i")) | .key] | join(" ")' package.json 2>/dev/null)
+  fi
+  case "$_field" in bun | npm | yarn | pnpm) printf '%s\n' "$_field"; return 0 ;; esac
+  case "$_forced" in bun | npm | yarn | pnpm) printf '%s\n' "$_forced"; return 0 ;; esac
+  _pm_allowed() { case " $_forbidden " in *" $1 "*) return 1 ;; *) return 0 ;; esac; }
+  if { [ -f bun.lockb ] || [ -f bun.lock ]; } && _pm_allowed bun; then printf 'bun\n'; return 0; fi
+  if [ -f pnpm-lock.yaml ] && _pm_allowed pnpm; then printf 'pnpm\n'; return 0; fi
+  if [ -f yarn.lock ] && _pm_allowed yarn; then printf 'yarn\n'; return 0; fi
+  if [ -f package-lock.json ] && _pm_allowed npm; then printf 'npm\n'; return 0; fi
+  printf 'npm\n'
+}
+PM="$(detect_package_manager)"
+case "$PM" in
+  bun) PM_INSTALL="bun install" ;;
+  pnpm) PM_INSTALL="pnpm install" ;;
+  yarn) PM_INSTALL="yarn install" ;;
+  *) PM_INSTALL="npm install" ;;
+esac
 if [ ! -d node_modules ]; then
-  echo "Installing project dependencies (bun install)..."
-  for i in 1 2 3; do bun install && break || { echo "bun install attempt $i failed; retrying..."; sleep 5; }; done
+  echo "Installing project dependencies (${PM_INSTALL})..."
+  for i in 1 2 3; do $PM_INSTALL && break || { echo "${PM_INSTALL} attempt $i failed; retrying..."; sleep 5; }; done
 fi
-[ -d node_modules ] || { echo "FATAL: bun install failed after retries" >&2; exit 1; }
+[ -d node_modules ] || { echo "FATAL: ${PM_INSTALL} failed after retries" >&2; exit 1; }
 
 # --- OPTIONAL (only with --include-optional; dormant stacks/integrations) ---
 if [ "$INCLUDE_OPTIONAL" = "1" ]; then

package/typescript/copy-contents/.husky/pre-push

@@ -150,7 +150,14 @@ else
     # `bun audit --audit-level=high --ignore ...`, parse `bun audit --json` and
     # apply the exclusion list ourselves with jq — same approach as the npm/yarn
     # paths above.
-    AUDIT_JSON=$(bun audit --json 2>/dev/null || true)
+    #
+    # `--production` scopes the audit to production dependencies, matching the
+    # npm branch (`npm audit --production`) and the yarn branch
+    # (`yarn audit --groups dependencies`). Without it, bun audits
+    # devDependencies too and the gate fails on dev-only CVEs that never ship —
+    # the SE-5221 false positive. bun honours `--production` even though
+    # `bun audit --help` omits it from the flag list.
+    AUDIT_JSON=$(bun audit --production --json 2>/dev/null || true)
     UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq -r --arg ids "$AUDIT_EXCLUSIONS" '
       ($ids | split(" ") | map(select(length > 0))) as $ex
       | [ .[]? | .[]?