@crossplatformai/dependency-graph 0.9.3 → 0.9.4

package/src/cli/validate-workflows.ts

@@ -1,71 +1,13 @@
 #!/usr/bin/env node
 
-import { readFileSync, existsSync, readdirSync } from 'node:fs';
-import { resolve, join } from 'node:path';
+import { existsSync, readFileSync, readdirSync } from 'node:fs';
+import { join, resolve } from 'node:path';
 import { parse as parseYaml } from 'yaml';
-
-/**
- * Parse .gitmodules file and return a Set of submodule paths.
- * Example: plugins/auth, plugins/design-system
- */
-function parseGitmodules(rootDir: string): Set<string> {
-  const gitmodulesPath = join(rootDir, '.gitmodules');
-  if (!existsSync(gitmodulesPath)) {
-    return new Set();
-  }
-
-  const content = readFileSync(gitmodulesPath, 'utf-8');
-  const paths = new Set<string>();
-
-  // Match lines like: path = plugins/auth
-  const pathMatches = content.matchAll(/^\s*path\s*=\s*(.+)$/gm);
-  for (const match of pathMatches) {
-    const matchedPath = match[1];
-    if (matchedPath) {
-      paths.add(matchedPath.trim());
-    }
-  }
-
-  return paths;
-}
-
-/**
- * Check if a given path is a git submodule.
- */
-function isGitSubmodule(
-  pluginPath: string,
-  submodulePaths: Set<string>,
-): boolean {
-  return submodulePaths.has(pluginPath);
-}
-
-interface ValidationResult {
-  workflow: string;
-  app: string;
-  valid: boolean;
-  missing: string[];
-  unnecessary: string[];
-  issues: string[];
-}
-
-interface WorkflowConfig {
-  name: string;
-  on?: {
-    push?: {
-      paths?: string[];
-    };
-    pull_request?: {
-      paths?: string[];
-    };
-    workflow_dispatch?: unknown;
-  };
-}
+import { validateWorkflows } from '../workflow/validator';
+import type { WorkflowValidationResult } from '../workflow/types';
 
 interface PackageJson {
-  name: string;
   packageManager?: string;
-  dependencies?: Record<string, string>;
-  devDependencies?: Record<string, string>;
 }
 
 interface PnpmValidationResult {
@@ -74,74 +16,6 @@ interface PnpmValidationResult {
   dockerfileIssues: { dockerfile: string; issue: string }[];
 }
 
-/**
- * Build a mapping of package names to their directory paths.
- * Scans plugins/ and packages/ directories to discover actual package names.
- * This handles any naming convention clients may use.
- */
-function buildPackageMapping(rootDir: string): Map<string, string> {
-  const mapping = new Map<string, string>();
-
-  for (const dir of ['plugins', 'features', 'packages', 'apps']) {
-    const base = join(rootDir, dir);
-    if (!existsSync(base)) continue;
-
-    for (const entry of readdirSync(base, { withFileTypes: true })) {
-      if (!entry.isDirectory()) continue;
-      const pkgPath = join(base, entry.name, 'package.json');
-      if (existsSync(pkgPath)) {
-        try {
-          const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8')) as PackageJson;
-          if (pkg.name) {
-            mapping.set(pkg.name, `${dir}/${entry.name}`);
-          }
-        } catch {
-          // Skip malformed package.json files
-        }
-      }
-    }
-  }
-
-  return mapping;
-}
-
-/**
- * Dynamically discover workflow mappings from file system.
- * Looks for deploy-*.yml and release-*.yml patterns that match apps/ directories.
- */
-function discoverWorkflowMappings(rootDir: string): Record<string, string> {
-  const workflowsDir = join(rootDir, '.github/workflows');
-  const appsDir = join(rootDir, 'apps');
-
-  if (!existsSync(workflowsDir) || !existsSync(appsDir)) {
-    return {};
-  }
-
-  const apps = readdirSync(appsDir, { withFileTypes: true })
-    .filter((d) => d.isDirectory())
-    .map((d) => d.name);
-
-  const mapping: Record<string, string> = {};
-
-  // Pattern: deploy-<app>.yml or release-<app>.yml
-  for (const app of apps) {
-    const deployWorkflow = `deploy-${app}.yml`;
-    const releaseWorkflow = `release-${app}.yml`;
-
-    if (existsSync(join(workflowsDir, deployWorkflow))) {
-      mapping[deployWorkflow] = app;
-    }
-    if (existsSync(join(workflowsDir, releaseWorkflow))) {
-      mapping[releaseWorkflow] = app;
-    }
-  }
-
-  return mapping;
-}
-
-/**
- * Dynamically discover workflows that use pnpm/action-setup
- */
 function discoverPnpmWorkflows(rootDir: string): string[] {
   const workflowsDir = join(rootDir, '.github/workflows');
   if (!existsSync(workflowsDir)) {
@@ -149,7 +23,9 @@ function discoverPnpmWorkflows(rootDir: string): string[] {
   }
 
   const workflows: string[] = [];
-  const files = readdirSync(workflowsDir).filter((f) => f.endsWith('.yml'));
+  const files = readdirSync(workflowsDir).filter((file) =>
+    file.endsWith('.yml'),
+  );
 
   for (const file of files) {
     const content = readFileSync(join(workflowsDir, file), 'utf-8');
@@ -161,363 +37,64 @@ function discoverPnpmWorkflows(rootDir: string): string[] {
   return workflows;
 }
 
-/**
- * Dynamically discover Dockerfiles that install pnpm
- * Scans both root directory and app directories
- */
 function discoverPnpmDockerfiles(rootDir: string): string[] {
   const dockerfiles: string[] = [];
 
-  // Check root-level Dockerfiles
-  const rootEntries = readdirSync(rootDir);
-  for (const entry of rootEntries) {
-    if (entry.startsWith('Dockerfile')) {
-      const content = readFileSync(join(rootDir, entry), 'utf-8');
-      if (content.includes('pnpm@')) {
-        dockerfiles.push(entry);
-      }
-    }
-  }
-
-  // Check app directories for Dockerfiles
-  const appsDir = join(rootDir, 'apps');
-  if (existsSync(appsDir)) {
-    const appEntries = readdirSync(appsDir, { withFileTypes: true });
-    for (const entry of appEntries) {
-      if (entry.isDirectory()) {
-        const dockerfilePath = join(appsDir, entry.name, 'Dockerfile');
-        if (existsSync(dockerfilePath)) {
-          const content = readFileSync(dockerfilePath, 'utf-8');
-          if (content.includes('pnpm@')) {
-            dockerfiles.push(`apps/${entry.name}/Dockerfile`);
-          }
-        }
-      }
-    }
-  }
-
-  return dockerfiles;
-}
-
-/**
- * Convert a dependency name to its folder path.
- * Uses package mapping for accurate lookup, with fallback to legacy heuristics.
- */
-function convertDependencyToFolder(
-  dep: string,
-  rootDir: string,
-  packageMapping?: Map<string, string>,
-): string {
-  // Try package mapping first (most accurate)
-  if (packageMapping) {
-    const relativePath = packageMapping.get(dep);
-    if (relativePath) {
-      return join(rootDir, relativePath);
-    }
-  }
-
-  // Fallback: Generic handling for @crossplatformai/ packages
-  if (dep.startsWith('@crossplatformai/')) {
-    const packageName = dep.replace('@crossplatformai/', '');
-
-    // Check plugins/ first (most common), then packages/
-    const pluginPath = join(rootDir, 'plugins', packageName);
-    if (existsSync(pluginPath)) {
-      return pluginPath;
-    }
-    return join(rootDir, 'packages', packageName);
-  }
-
-  // Fallback: Generic handling for @repo/ packages
-  if (dep.startsWith('@repo/')) {
-    const packageName = dep.replace('@repo/', '');
-
-    // Check apps/ first (e.g., @repo/shared → apps/shared)
-    const appsPath = join(rootDir, 'apps', packageName);
-    if (existsSync(appsPath)) {
-      return appsPath;
+  for (const entry of readdirSync(rootDir)) {
+    if (!entry.startsWith('Dockerfile')) {
+      continue;
     }
 
-    // Check plugins/ next
-    const pluginPath = join(rootDir, 'plugins', packageName);
-    if (existsSync(pluginPath)) {
-      return pluginPath;
+    const content = readFileSync(join(rootDir, entry), 'utf-8');
+    if (content.includes('pnpm@')) {
+      dockerfiles.push(entry);
     }
-
-    // Fall back to packages/
-    return join(rootDir, 'packages', packageName);
   }
 
-  // Unknown format, return as-is
-  return join(rootDir, dep);
-}
-
-/**
- * Collect transitive dependencies recursively.
- * @param packageJsonPath - Path to the package.json to analyze
- * @param rootDir - Root directory of the monorepo
- * @param visited - Set of already visited dependencies (prevents cycles)
- * @param packageMapping - Mapping of package names to directory paths
- * @param includeDevDeps - Whether to include devDependencies (true for root app, false for nested)
- */
-function collectTransitiveDependencies(
-  packageJsonPath: string,
-  rootDir: string,
-  visited: Set<string>,
-  packageMapping: Map<string, string>,
-  includeDevDeps: boolean = true,
-): Set<string> {
-  const allTransitiveDeps = new Set<string>();
-
-  if (!existsSync(packageJsonPath)) {
-    return allTransitiveDeps;
-  }
-
-  const packageJson = JSON.parse(
-    readFileSync(packageJsonPath, 'utf-8'),
-  ) as PackageJson;
-
-  const allDeps = { ...packageJson.dependencies };
-  if (includeDevDeps) {
-    Object.assign(allDeps, packageJson.devDependencies);
+  const appsDir = join(rootDir, 'apps');
+  if (!existsSync(appsDir)) {
+    return dockerfiles;
   }
 
-  // Detect workspace dependencies by their version specifier or presence in local workspace
-  // Supports:
-  // 1. workspace: protocol (e.g., workspace:*, workspace:^)
-  // 2. link: protocol (e.g., link:../../plugins/auth)
-  // 3. Legacy * syntax for @repo/ and @crossplatformai/ packages
-  // 4. Semver ranges that resolve to local packages in packageMapping
-  //    (pnpm workspace links local packages when they satisfy the version range)
-  const workspaceDeps = Object.entries(allDeps)
-    .filter(
-      ([name, version]) =>
-        version.startsWith('workspace:') ||
-        version.startsWith('link:') ||
-        (version === '*' &&
-          (name.startsWith('@repo/') ||
-            name.startsWith('@crossplatformai/'))) ||
-        packageMapping.has(name),
-    )
-    .map(([name]) => name);
-
-  for (const dep of workspaceDeps) {
-    if (visited.has(dep)) {
+  for (const entry of readdirSync(appsDir, { withFileTypes: true })) {
+    if (!entry.isDirectory()) {
       continue;
     }
 
-    visited.add(dep);
-    allTransitiveDeps.add(dep);
-
-    // Get the folder for this dependency
-    const depFolder = convertDependencyToFolder(dep, rootDir, packageMapping);
-    const depPackageJsonPath = join(depFolder, 'package.json');
-
-    // Never include devDependencies for transitive deps - they are local tooling
-    const nestedDeps = collectTransitiveDependencies(
-      depPackageJsonPath,
-      rootDir,
-      visited,
-      packageMapping,
-      false,
-    );
-    for (const nestedDep of nestedDeps) {
-      allTransitiveDeps.add(nestedDep);
+    const dockerfilePath = join(appsDir, entry.name, 'Dockerfile');
+    if (!existsSync(dockerfilePath)) {
+      continue;
     }
-  }
-
-  return allTransitiveDeps;
-}
-
-/**
- * Get all transitive workspace dependencies for an app
- */
-function getAppDependencies(
-  appName: string,
-  rootDir: string,
-  packageMapping: Map<string, string>,
-): string[] {
-  const packageJsonPath = join(rootDir, 'apps', appName, 'package.json');
-
-  if (!existsSync(packageJsonPath)) {
-    throw new Error(`Package.json not found for app: ${appName}`);
-  }
-
-  const visited = new Set<string>();
-  const deps = collectTransitiveDependencies(
-    packageJsonPath,
-    rootDir,
-    visited,
-    packageMapping,
-    true,
-  );
-  return Array.from(deps);
-}
-
-/**
- * Convert a dependency name to its workflow path patterns.
- * Uses package mapping for accurate lookup, with fallback to legacy heuristics.
- *
- * Returns an array of paths because git submodules need TWO entries:
- * - `plugins/auth` (catches submodule pointer changes in parent repo)
- * - `plugins/auth/**` (catches file changes within submodule)
- */
-function convertDependencyToPath(
-  dep: string,
-  rootDir: string,
-  packageMapping?: Map<string, string>,
-  submodulePaths?: Set<string>,
-): string[] {
-  let relativePath: string | undefined;
-
-  // Try package mapping first (most accurate)
-  if (packageMapping) {
-    relativePath = packageMapping.get(dep);
-  }
 
-  // Fallback heuristics if not in package mapping
-  if (!relativePath) {
-    // Generic handling for @crossplatformai/ packages
-    if (dep.startsWith('@crossplatformai/')) {
-      const packageName = dep.replace('@crossplatformai/', '');
-
-      // Check plugins/ first (most common), then packages/
-      const pluginPath = join(rootDir, 'plugins', packageName);
-      if (existsSync(pluginPath)) {
-        relativePath = `plugins/${packageName}`;
-      } else {
-        relativePath = `packages/${packageName}`;
-      }
-    } else if (dep.startsWith('@repo/')) {
-      // Generic handling for @repo/ packages
-      const packageName = dep.replace('@repo/', '');
-
-      // Check apps/ first (e.g., @repo/shared → apps/shared)
-      const appsPath = join(rootDir, 'apps', packageName);
-      if (existsSync(appsPath)) {
-        relativePath = `apps/${packageName}`;
-      } else {
-        // Check plugins/ next
-        const pluginPath = join(rootDir, 'plugins', packageName);
-        if (existsSync(pluginPath)) {
-          relativePath = `plugins/${packageName}`;
-        } else {
-          // Check features/ next
-          const featuresPath = join(rootDir, 'features', packageName);
-          if (existsSync(featuresPath)) {
-            relativePath = `features/${packageName}`;
-          } else {
-            // Fall back to packages/
-            relativePath = `packages/${packageName}`;
-          }
-        }
-      }
-    } else {
-      // Unknown format, return as-is
-      return [dep];
+    const content = readFileSync(dockerfilePath, 'utf-8');
+    if (content.includes('pnpm@')) {
+      dockerfiles.push(`apps/${entry.name}/Dockerfile`);
     }
   }
 
-  // For submodules, return both the pointer path AND the glob path
-  // This catches both submodule pointer changes and file changes within the submodule
-  if (submodulePaths && isGitSubmodule(relativePath, submodulePaths)) {
-    return [relativePath, `${relativePath}/**`];
-  }
-
-  // For regular packages, just return the glob path
-  return [`${relativePath}/**`];
-}
-
-/**
- * Get expected workflow paths for an app based on its transitive dependencies
- */
-function getExpectedPaths(
-  appName: string,
-  rootDir: string,
-  workflowMapping: Record<string, string>,
-  packageMapping: Map<string, string>,
-  submodulePaths: Set<string>,
-): string[] {
-  const dependencies = getAppDependencies(appName, rootDir, packageMapping);
-  // Use flatMap because convertDependencyToPath now returns string[]
-  // (submodules return both pointer path and glob path)
-  const paths = dependencies.flatMap((dep) =>
-    convertDependencyToPath(dep, rootDir, packageMapping, submodulePaths),
-  );
-
-  paths.push(`apps/${appName}/**`);
-
-  const workflowFile = Object.entries(workflowMapping).find(
-    ([, app]) => app === appName,
-  )?.[0];
-  if (workflowFile) {
-    paths.push(`.github/workflows/${workflowFile}`);
-  }
-
-  // Auto-discover Dockerfiles for this app
-  // Support both root-level (legacy) and app-directory (new) locations
-  const rootDockerfile = `Dockerfile.${appName}`;
-  const appDockerfile = `apps/${appName}/Dockerfile`;
-
-  if (existsSync(join(rootDir, rootDockerfile))) {
-    paths.push(rootDockerfile);
-  }
-  if (existsSync(join(rootDir, appDockerfile))) {
-    paths.push(appDockerfile);
-  }
-
-  return paths.sort();
-}
-
-/**
- * Get actual paths from a workflow file
- */
-function getWorkflowPaths(workflowFile: string, rootDir: string): string[] {
-  const workflowPath = join(rootDir, '.github/workflows', workflowFile);
-
-  if (!existsSync(workflowPath)) {
-    throw new Error(`Workflow file not found: ${workflowFile}`);
-  }
-
-  const content = readFileSync(workflowPath, 'utf-8');
-  const workflow = parseYaml(content) as WorkflowConfig;
-
-  // Check both push and pull_request triggers for paths
-  const paths = workflow.on?.push?.paths ?? workflow.on?.pull_request?.paths;
-
-  if (!paths) {
-    return [];
-  }
-
-  return paths.sort();
+  return dockerfiles;
 }
 
-/**
- * Get pnpm version from package.json packageManager field
- */
 function getExpectedPnpmVersion(rootDir: string): string {
-  const packageJsonPath = join(rootDir, 'package.json');
   const packageJson = JSON.parse(
-    readFileSync(packageJsonPath, 'utf-8'),
+    readFileSync(join(rootDir, 'package.json'), 'utf-8'),
   ) as PackageJson;
   const packageManager = packageJson.packageManager;
+
   if (!packageManager?.startsWith('pnpm@')) {
     throw new Error('packageManager field must specify pnpm version');
   }
+
   return packageManager.replace('pnpm@', '');
 }
 
-/**
- * Check if workflow has hardcoded pnpm version
- */
 function checkWorkflowPnpmVersion(
   workflowFile: string,
   rootDir: string,
 ): { valid: boolean; issue?: string } {
   const workflowPath = join(rootDir, '.github/workflows', workflowFile);
-
   if (!existsSync(workflowPath)) {
-    return { valid: true }; // Skip non-existent workflows
+    return { valid: true };
   }
 
   const content = readFileSync(workflowPath, 'utf-8');
@@ -528,37 +105,33 @@ function checkWorkflowPnpmVersion(
     >;
   };
 
-  // Find all pnpm/action-setup steps
   for (const job of Object.values(workflow.jobs ?? {})) {
     for (const step of job.steps ?? []) {
-      if (step.uses?.startsWith('pnpm/action-setup')) {
-        const version = step.with?.version;
-        // Allow major-only versions like "10" (deploy-api-edge.yml uses this)
-        if (version !== undefined && !/^\d+$/.test(String(version))) {
-          return {
-            valid: false,
-            issue: `Hardcoded pnpm version '${version}' - remove 'version' key to auto-detect from packageManager`,
-          };
-        }
+      if (!step.uses?.startsWith('pnpm/action-setup')) {
+        continue;
+      }
+
+      const version = step.with?.version;
+      if (version !== undefined && !/^\d+$/.test(String(version))) {
+        return {
+          valid: false,
+          issue: `Hardcoded pnpm version '${version}' - remove 'version' key to auto-detect from packageManager`,
+        };
       }
     }
   }
+
   return { valid: true };
 }
 
-/**
- * Check all pnpm versions in Dockerfile match package.json
- * Finds ALL occurrences of `npm install -g pnpm@X.Y.Z` and validates each one
- */
 function checkDockerfilePnpmVersion(
   dockerfile: string,
   expectedVersion: string,
   rootDir: string,
 ): { valid: boolean; issue?: string } {
   const dockerfilePath = join(rootDir, dockerfile);
-
   if (!existsSync(dockerfilePath)) {
-    return { valid: true }; // Skip non-existent Dockerfiles
+    return { valid: true };
   }
 
   const content = readFileSync(dockerfilePath, 'utf-8');
@@ -572,12 +145,10 @@ function checkDockerfilePnpmVersion(
       };
     }
   }
+
   return { valid: true };
 }
 
-/**
- * Validate pnpm version consistency across workflows and Dockerfiles
- */
 function validatePnpmVersions(rootDir: string): PnpmValidationResult {
   const result: PnpmValidationResult = {
     valid: true,
@@ -585,9 +156,7 @@ function validatePnpmVersions(rootDir: string): PnpmValidationResult {
     dockerfileIssues: [],
   };
 
-  // Dynamically discover and check workflows for hardcoded pnpm versions
-  const pnpmWorkflows = discoverPnpmWorkflows(rootDir);
-  for (const workflowFile of pnpmWorkflows) {
+  for (const workflowFile of discoverPnpmWorkflows(rootDir)) {
     const check = checkWorkflowPnpmVersion(workflowFile, rootDir);
     if (!check.valid && check.issue) {
       result.valid = false;
@@ -598,10 +167,8 @@ function validatePnpmVersions(rootDir: string): PnpmValidationResult {
     }
   }
 
-  // Dynamically discover and check Dockerfiles match package.json pnpm version
   const expectedVersion = getExpectedPnpmVersion(rootDir);
-  const dockerfiles = discoverPnpmDockerfiles(rootDir);
-  for (const dockerfile of dockerfiles) {
+  for (const dockerfile of discoverPnpmDockerfiles(rootDir)) {
     const check = checkDockerfilePnpmVersion(
       dockerfile,
       expectedVersion,
@@ -616,125 +183,23 @@ function validatePnpmVersions(rootDir: string): PnpmValidationResult {
   return result;
 }
 
-/**
- * Validate a single workflow against its app's dependencies
- */
-function validateWorkflow(
-  workflowFile: string,
-  appName: string,
-  rootDir: string,
-  workflowMapping: Record<string, string>,
-  packageMapping: Map<string, string>,
-  submodulePaths: Set<string>,
-): ValidationResult {
-  const result: ValidationResult = {
-    workflow: workflowFile,
-    app: appName,
-    valid: true,
-    missing: [],
-    unnecessary: [],
-    issues: [],
-  };
-
-  try {
-    const expectedPaths = getExpectedPaths(
-      appName,
-      rootDir,
-      workflowMapping,
-      packageMapping,
-      submodulePaths,
-    );
-    const actualPaths = getWorkflowPaths(workflowFile, rootDir);
-
-    if (actualPaths.includes('plugins/**')) {
-      result.issues.push(
-        "Uses wildcard 'plugins/**' which triggers on ALL plugin changes",
-      );
-      result.valid = false;
-    }
-
-    if (actualPaths.includes('packages/**')) {
-      result.issues.push(
-        "Uses wildcard 'packages/**' which triggers on ALL package changes",
-      );
-      result.valid = false;
-    }
-
-    const expectedPluginPaths = expectedPaths.filter((p) =>
-      p.startsWith('plugins/'),
-    );
-    const actualPluginPaths = actualPaths.filter(
-      (p) => p.startsWith('plugins/') && !p.includes('**/**'),
-    );
-
-    const expectedPackagePaths = expectedPaths.filter((p) =>
-      p.startsWith('packages/'),
-    );
-    const actualPackagePaths = actualPaths.filter(
-      (p) => p.startsWith('packages/') && !p.includes('**/**'),
-    );
-
-    // Also include apps/ paths in validation (e.g., apps/shared/**)
-    const expectedAppPaths = expectedPaths.filter((p) => p.startsWith('apps/'));
-    const actualAppPaths = actualPaths.filter(
-      (p) => p.startsWith('apps/') && !p.includes('**/**'),
-    );
-
-    for (const expectedPath of expectedPluginPaths) {
-      if (!actualPaths.includes(expectedPath)) {
-        result.missing.push(expectedPath);
-        result.valid = false;
-      }
-    }
-
-    for (const expectedPath of expectedPackagePaths) {
-      if (!actualPaths.includes(expectedPath)) {
-        result.missing.push(expectedPath);
-        result.valid = false;
-      }
-    }
-
-    for (const expectedPath of expectedAppPaths) {
-      if (!actualPaths.includes(expectedPath)) {
-        result.missing.push(expectedPath);
-        result.valid = false;
-      }
-    }
-
-    for (const actualPath of [
-      ...actualPluginPaths,
-      ...actualPackagePaths,
-      ...actualAppPaths,
-    ]) {
-      if (!expectedPaths.includes(actualPath)) {
-        result.unnecessary.push(actualPath);
-        result.valid = false;
-      }
-    }
-  } catch (error) {
-    result.valid = false;
-    result.issues.push(error instanceof Error ? error.message : String(error));
-  }
-
-  return result;
-}
-
-/**
- * Print validation result to console
- */
-function printResult(result: ValidationResult): void {
+function printResult(result: WorkflowValidationResult): void {
   const icon = result.valid ? '✅' : '❌';
-  console.log(`\n${icon} ${result.workflow} (${result.app})`);
+  console.log(`\n${icon} ${result.workflow} (${result.targetPackage})`);
 
   if (result.valid) {
     console.log('   All paths match dependencies');
     return;
   }
 
-  if (result.issues.length > 0) {
+  const extraIssues = result.issues.filter(
+    (issue) => issue.kind !== 'missing' && issue.kind !== 'unnecessary',
+  );
+
+  if (extraIssues.length > 0) {
     console.log('   Issues:');
-    for (const issue of result.issues) {
-      console.log(`     ⚠️  ${issue}`);
+    for (const issue of extraIssues) {
+      console.log(`     ⚠️  ${issue.message}`);
     }
   }
 
@@ -753,47 +218,26 @@ function printResult(result: ValidationResult): void {
   }
 }
 
-function main(): void {
+async function main(): Promise<void> {
   const rootDir = resolve(process.cwd());
   let hasErrors = false;
 
-  // Build package mapping once at startup for efficient lookups
-  const packageMapping = buildPackageMapping(rootDir);
-
-  // Parse .gitmodules once to detect submodule plugins
-  const submodulePaths = parseGitmodules(rootDir);
-
-  // Auto-discover workflow mappings from file system
-  const workflowMapping = discoverWorkflowMappings(rootDir);
-  const workflowCount = Object.keys(workflowMapping).length;
-
-  // Part 1: Validate workflow path filters match dependencies
   console.log(
     '🔍 Validating GitHub Actions workflows against dependencies...\n',
   );
-  console.log(`Found ${workflowCount} workflow(s) to validate\n`);
+  const results = await validateWorkflows(rootDir);
+  console.log(`Found ${results.length} workflow(s) to validate\n`);
 
-  if (workflowCount === 0) {
+  if (results.length === 0) {
     console.log('No deploy-*.yml or release-*.yml workflows found.\n');
   }
 
-  const results: ValidationResult[] = [];
-
-  for (const [workflowFile, appName] of Object.entries(workflowMapping)) {
-    const result = validateWorkflow(
-      workflowFile,
-      appName,
-      rootDir,
-      workflowMapping,
-      packageMapping,
-      submodulePaths,
-    );
-    results.push(result);
+  for (const result of results) {
     printResult(result);
   }
 
-  const validCount = results.filter((r) => r.valid).length;
-  const invalidCount = results.filter((r) => !r.valid).length;
+  const validCount = results.filter((result) => result.valid).length;
+  const invalidCount = results.length - validCount;
 
   console.log('\n' + '='.repeat(60));
   console.log(
@@ -805,20 +249,16 @@ function main(): void {
     console.log('\nTo fix:');
     console.log('1. Update workflow path filters to match missing paths');
     console.log('2. Remove unnecessary paths');
-    console.log(
-      '3. Replace wildcards (plugins/**, packages/**) with specific paths\n',
-    );
+    console.log('3. Replace broad workspace wildcards with specific paths\n');
     hasErrors = true;
-  } else if (workflowCount > 0) {
+  } else if (results.length > 0) {
     console.log('✅ All workflows match their dependencies!\n');
   }
 
-  // Part 2: Validate pnpm version consistency
   console.log('='.repeat(60));
   console.log('\n🔍 Validating pnpm version consistency...\n');
 
   const pnpmResult = validatePnpmVersions(rootDir);
-
   if (!pnpmResult.valid) {
     console.log('❌ PNPM version issues found:\n');
     for (const { workflow, issue } of pnpmResult.workflowIssues) {
@@ -844,4 +284,4 @@ function main(): void {
   }
 }
 
-main();
+void main();