@decocms/start 2.30.1 → 4.0.0

package/.github/workflows/preview.yml

@@ -1,142 +0,0 @@
-name: preview (central)
-
-# Reusable workflow that uploads a preview version (alias) for any storefront
-# repo registered under `deploy/sites/<repo-name>.jsonc`.
-#
-# Caller usage (in customer repo, `.github/workflows/preview.yml`):
-#
-#   on:
-#     repository_dispatch:
-#       types: [preview-deploy]
-#     pull_request:
-#       types: [opened, synchronize, reopened]
-#     push:
-#       branches: ['env/**']
-#   permissions:
-#     contents: read
-#     pull-requests: write
-#     statuses: write
-#   jobs:
-#     preview:
-#       uses: decocms/deco-start/.github/workflows/preview.yml@v2
-#       secrets: inherit
-#
-# Same secret model as deploy.yml: `CLOUDFLARE_*` resolve from this repo's
-# `production` environment, not from the caller. See deploy.yml for details.
-
-on:
-  workflow_call: {}
-
-permissions:
-  contents: read
-  pull-requests: write
-  statuses: write
-
-concurrency:
-  group: preview-${{ github.repository }}-${{ github.event.client_payload.ref || github.head_ref || github.ref_name }}
-  cancel-in-progress: true
-
-jobs:
-  preview:
-    runs-on: ubuntu-latest
-    environment: production
-    steps:
-      - name: Resolve ref
-        id: resolve
-        run: |
-          if [ "${{ github.event_name }}" = "repository_dispatch" ]; then
-            echo "ref=${{ github.event.client_payload.ref }}" >> "$GITHUB_OUTPUT"
-          else
-            echo "ref=${{ github.head_ref || github.ref_name }}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ steps.resolve.outputs.ref }}
-
-      - name: Resolve deco-start ref + site identity
-        id: meta
-        run: |
-          WF_REF="${{ github.workflow_ref }}"
-          REF="${WF_REF##*@}"
-          REF="${REF#refs/tags/}"
-          REF="${REF#refs/heads/}"
-          echo "deco_start_ref=$REF" >> "$GITHUB_OUTPUT"
-          echo "site_name=${GITHUB_REPOSITORY#*/}" >> "$GITHUB_OUTPUT"
-
-      - name: Checkout deco-start registry at the same ref
-        uses: actions/checkout@v4
-        with:
-          repository: decocms/deco-start
-          ref: ${{ steps.meta.outputs.deco_start_ref }}
-          path: .deco-start
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-
-      - name: Compute preview alias
-        id: alias
-        run: |
-          REF="${{ steps.resolve.outputs.ref }}"
-          if echo "$REF" | grep -q '^env/'; then
-            ALIAS=$(echo "$REF" | sed 's|^env/||')
-          elif [ "${{ github.event_name }}" = "pull_request" ]; then
-            ALIAS="pr-${{ github.event.pull_request.number }}"
-          else
-            ALIAS=$(echo "$REF" | sed 's|[^a-z0-9-]|-|g')
-          fi
-          echo "alias=$ALIAS" >> "$GITHUB_OUTPUT"
-
-      - name: Install dependencies
-        run: npm install
-
-      - name: Build
-        run: npm run build
-
-      - name: Resolve site manifest
-        id: site
-        run: node .deco-start/scripts/deploy/resolve-site.mjs
-        env:
-          DECO_START_PATH: .deco-start
-          SITE_NAME: ${{ steps.meta.outputs.site_name }}
-
-      - name: Generate wrangler.jsonc
-        run: node .deco-start/scripts/deploy/build-wrangler-config.mjs
-        env:
-          DECO_START_PATH: .deco-start
-          SITE_NAME: ${{ steps.meta.outputs.site_name }}
-          OUTPUT_PATH: ./wrangler.jsonc
-
-      - name: Upload preview version
-        id: deploy
-        run: |
-          set +e
-          OUTPUT=$(npx wrangler versions upload --preview-alias ${{ steps.alias.outputs.alias }} 2>&1)
-          EXIT_CODE=$?
-          set -e
-          echo "$OUTPUT"
-          if [ $EXIT_CODE -ne 0 ]; then
-            echo "::error::wrangler versions upload failed with exit code $EXIT_CODE"
-            exit $EXIT_CODE
-          fi
-          PREVIEW_URL=$(echo "$OUTPUT" | grep 'Version Preview URL:' | sed 's/.*Version Preview URL: //')
-          ALIAS_URL=$(echo "$OUTPUT" | grep 'Version Preview Alias URL:' | sed 's/.*Version Preview Alias URL: //')
-          echo "preview_url=${PREVIEW_URL}" >> "$GITHUB_OUTPUT"
-          echo "alias_url=${ALIAS_URL}" >> "$GITHUB_OUTPUT"
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-
-      - name: Comment preview URL on PR
-        if: github.event_name == 'pull_request'
-        uses: marocchino/sticky-pull-request-comment@v2
-        with:
-          header: preview-url
-          message: |
-            ### Preview deployed
-
-            | | URL |
-            |---|---|
-            | **Version** | ${{ steps.deploy.outputs.preview_url }} |
-            | **Alias** | ${{ steps.deploy.outputs.alias_url }} |

package/.github/workflows/sync-secrets.yml

@@ -1,180 +0,0 @@
-name: sync-secrets (central)
-
-# Reusable workflow. Reconciles the caller's `SECRET_*` GitHub repo secrets
-# with the Cloudflare Worker's runtime secrets (with the prefix stripped).
-#
-# Examples:
-#   SECRET_STRIPE_KEY in GitHub  ->  STRIPE_KEY on the worker
-#
-# Defaults to dry-run; the caller must pass `mode: apply` to actually write.
-# Orphans on the worker (present on worker but not in GitHub as SECRET_*) are
-# warned about, never deleted.
-#
-# Caller usage (in customer repo, `.github/workflows/sync-secrets.yml`):
-#
-#   on:
-#     workflow_dispatch:
-#       inputs:
-#         mode:
-#           description: "dry-run | apply"
-#           required: true
-#           default: "dry-run"
-#           type: choice
-#           options: [dry-run, apply]
-#   jobs:
-#     sync:
-#       uses: decocms/deco-start/.github/workflows/sync-secrets.yml@v2
-#       with:
-#         mode: ${{ inputs.mode }}
-#       secrets: inherit
-#
-# Two distinct secret classes flow through this job:
-#   - `CLOUDFLARE_API_TOKEN` / `CLOUDFLARE_ACCOUNT_ID` -> resolved from this
-#     repo's `production` environment (via `environment:` below). NEVER from
-#     the caller storefront. Same model as deploy.yml / preview.yml.
-#   - `SECRET_*` -> inherited from the caller storefront via `secrets: inherit`
-#     in the caller stub. These ARE site-owned and get pushed to the worker
-#     as runtime secrets (with the `SECRET_` prefix stripped).
-# `secrets: inherit` is therefore REQUIRED on the caller side for this
-# workflow specifically (unlike deploy.yml / preview.yml where it's just
-# tolerated).
-
-on:
-  workflow_call:
-    inputs:
-      mode:
-        description: "dry-run = print diff only | apply = set secrets on worker"
-        required: false
-        type: string
-        default: "dry-run"
-
-permissions:
-  contents: read
-
-concurrency:
-  group: sync-secrets-${{ github.repository }}
-  cancel-in-progress: false
-
-jobs:
-  sync:
-    runs-on: ubuntu-latest
-    environment: production
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Resolve deco-start ref + site identity
-        id: meta
-        run: |
-          WF_REF="${{ github.workflow_ref }}"
-          REF="${WF_REF##*@}"
-          REF="${REF#refs/tags/}"
-          REF="${REF#refs/heads/}"
-          echo "deco_start_ref=$REF" >> "$GITHUB_OUTPUT"
-          echo "site_name=${GITHUB_REPOSITORY#*/}" >> "$GITHUB_OUTPUT"
-
-      - name: Checkout deco-start registry at the same ref
-        uses: actions/checkout@v4
-        with:
-          repository: decocms/deco-start
-          ref: ${{ steps.meta.outputs.deco_start_ref }}
-          path: .deco-start
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-
-      - name: Resolve site manifest
-        id: site
-        run: node .deco-start/scripts/deploy/resolve-site.mjs
-        env:
-          DECO_START_PATH: .deco-start
-          SITE_NAME: ${{ steps.meta.outputs.site_name }}
-
-      - name: Generate wrangler.jsonc
-        run: node .deco-start/scripts/deploy/build-wrangler-config.mjs
-        env:
-          DECO_START_PATH: .deco-start
-          SITE_NAME: ${{ steps.meta.outputs.site_name }}
-          OUTPUT_PATH: ./wrangler.jsonc
-
-      - name: Install wrangler
-        run: npm install --no-save wrangler@4
-
-      - name: Plan and (optionally) apply
-        env:
-          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
-          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
-          ALL_SECRETS: ${{ toJSON(secrets) }}
-          MODE: ${{ inputs.mode }}
-        run: |
-          set -euo pipefail
-
-          # Build desired-state map from SECRET_* entries.
-          desired_json=$(printf '%s' "$ALL_SECRETS" | jq '
-            to_entries
-            | map(select(.key | startswith("SECRET_")))
-            | map({ key: (.key | sub("^SECRET_"; "")), value: .value })
-            | from_entries
-          ')
-
-          desired_names=$(printf '%s' "$desired_json" | jq -r 'keys[]' | sort)
-
-          # Validate names before any side effect.
-          while IFS= read -r name; do
-            [ -z "$name" ] && continue
-            if ! [[ "$name" =~ ^[A-Z][A-Z0-9_]{0,63}$ ]]; then
-              echo "::error::Invalid worker secret name derived from SECRET_${name}: must match ^[A-Z][A-Z0-9_]{0,63}$"
-              exit 1
-            fi
-          done <<< "$desired_names"
-
-          # Snapshot what's currently on the worker.
-          existing=$(npx wrangler secret list --format=json | jq -r '.[].name' | sort)
-
-          # Diff
-          to_set="$desired_names"
-          orphans=$(comm -23 <(printf '%s\n' "$existing") <(printf '%s\n' "$desired_names") || true)
-
-          {
-            echo "## Diff"
-            echo ""
-            echo "### Will set (from SECRET_* in GitHub):"
-            if [ -z "$to_set" ]; then
-              echo "  (none)"
-            else
-              echo "$to_set" | sed 's/^/  + /'
-            fi
-            echo ""
-            echo "### Orphans (on worker, not in GitHub as SECRET_*):"
-            if [ -z "$orphans" ]; then
-              echo "  (none)"
-            else
-              echo "$orphans" | sed 's/^/  ! /'
-              echo ""
-              echo "  These will NOT be deleted automatically. To remove manually:"
-              echo "$orphans" | sed 's|^|    npx wrangler secret delete "|; s|$|" --force|'
-            fi
-          } | tee -a "$GITHUB_STEP_SUMMARY"
-
-          if [ -n "$orphans" ]; then
-            echo "::warning::${orphans//$'\n'/, } exist on the worker but not in GitHub as SECRET_*. Not deleting."
-          fi
-
-          if [ "$MODE" = "dry-run" ]; then
-            echo "::notice::dry-run mode -- no changes applied"
-            exit 0
-          fi
-
-          # Apply
-          if [ -z "$to_set" ]; then
-            echo "Nothing to apply."
-            exit 0
-          fi
-
-          printf '%s' "$desired_json" | jq -r 'to_entries[] | "\(.key)\t\(.value)"' \
-            | while IFS=$'\t' read -r name value; do
-                echo "Setting $name..."
-                printf '%s' "$value" | npx wrangler secret put "$name"
-              done
-
-          echo "::notice::Applied $(echo "$to_set" | wc -l | tr -d ' ') secrets."

package/deploy/README.md

@@ -1,111 +0,0 @@
-# `deploy/` — central deploy registry
-
-This directory is the single source of truth for **what gets deployed where**
-across every storefront on the platform. It is consumed by the reusable GitHub
-workflows under [`.github/workflows/`](../.github/workflows/) (`deploy.yml`,
-`preview.yml`, `sync-secrets.yml`) and by the local `deco-wrangler` CLI.
-
-## Files
-
-| File | Purpose |
-|------|---------|
-| `wrangler-template.jsonc` | Canonical wrangler config that every site inherits. Compatibility flags, worker-entry path, observability — everything that is the same for every site. |
-| `sites/<repo-name>.jsonc` | Per-site overrides. Only the keys that genuinely vary per-site live here (`worker_name` always; `routes`, `kv_namespaces`, `analytics_engine_datasets`, `version_metadata` when used). |
-
-The repository name (the part of `${{ github.repository }}` after the `/`) is
-the lookup key. `als-tanstack` deploys via `sites/als-tanstack.jsonc`. There is
-no other way to identify a site.
-
-## Trust model
-
-- Customer caller workflows pass **no inputs** to the central reusable workflow.
-- The central workflow derives the site name from `${{ github.repository }}`
-  (set by GitHub, untamperable by user code) and looks up
-  `sites/<repo-name>.jsonc` from this registry.
-- A customer cannot misroute a deploy onto another customer's worker because
-  they can't write to `decocms/deco-start`.
-
-`deploy/**` is CODEOWNERS-protected. Only the platform team can change site
-manifests or the template.
-
-### Where Cloudflare credentials live
-
-`CLOUDFLARE_API_TOKEN` and `CLOUDFLARE_ACCOUNT_ID` live in **this repo's
-`production` GitHub Environment**, never in any storefront repo. The reusable
-workflows declare `environment: production` on the deploy / preview /
-sync-secrets jobs, which is what GitHub uses to resolve `secrets.CLOUDFLARE_*`
-against the called repo (deco-start) instead of the caller (the storefront).
-
-This is the second half of the trust property: even if a storefront repo were
-fully compromised, the attacker has no path to the Cloudflare token. The
-storefront repo only holds its own `SECRET_*` runtime secrets, which are
-inherited by `sync-secrets.yml` and pushed to its own worker as runtime
-secrets — never reaching another site's worker because the central workflow
-resolves `worker_name` from this registry, not from caller input.
-
-| Secret class | Lives in | Reaches worker via |
-|---|---|---|
-| `CLOUDFLARE_API_TOKEN` / `CLOUDFLARE_ACCOUNT_ID` | this repo's `production` environment | central workflow's `environment:` binding (no caller passthrough) |
-| `SECRET_*` runtime secrets (per site) | each storefront repo | `sync-secrets.yml` inherits via `secrets: inherit` and pushes via `wrangler secret put` |
-
-To rotate the Cloudflare credentials, edit the environment in this repo only.
-No storefront PR needed.
-
-## How wrangler.jsonc is generated
-
-At deploy time, the central workflow runs
-[`scripts/deploy/build-wrangler-config.mjs`](../scripts/deploy/build-wrangler-config.mjs),
-which:
-
-1. Loads `deploy/wrangler-template.jsonc` (canonical defaults).
-2. Loads `deploy/sites/<site>.jsonc` (per-site overrides).
-3. Deep-merges: site overrides win. `worker_name` becomes wrangler's `name`.
-   Arrays are replaced, not concatenated.
-4. Writes the result to `./wrangler.jsonc` in the caller checkout.
-
-`account_id` is never written to JSON — wrangler reads it from
-`CLOUDFLARE_ACCOUNT_ID` (env var in CI; `wrangler login` locally).
-
-## Adding a new site
-
-1. Open a PR to this repo adding `deploy/sites/<new-repo>.jsonc`:
-   ```jsonc
-   {
-     "worker_name": "<new-repo>"   // can differ from repo name if needed
-   }
-   ```
-2. After merge, the next `v2.x.y` semantic-release publish auto-moves the
-   `@v2` major tag (the major-tag advance step lives inline in
-   [`.github/workflows/release.yml`](../.github/workflows/release.yml)).
-3. In the new repo, add the four caller workflows from
-   [`.github/workflows/`](../.github/workflows/). **Do not** add
-   `CLOUDFLARE_*` to the storefront — those live in this repo's `production`
-   environment and reach the runner via the central workflow's `environment:`
-   binding. The storefront only needs `SECRET_*` entries for its own worker
-   runtime secrets.
-4. Push to `main` and verify the deploy lands on the right worker.
-
-## Per-site override schema
-
-```jsonc
-{
-  "worker_name": "string (required, immutable)",
-  "routes": [                          // optional
-    { "pattern": "www.example.com/*", "zone_name": "decocdn.com" }
-  ],
-  "kv_namespaces": [                   // optional
-    { "binding": "SITES_KV", "id": "<cf-kv-id>" }
-  ],
-  "analytics_engine_datasets": [       // optional
-    { "binding": "DECO_METRICS", "dataset": "deco_metrics_<site>" }
-  ],
-  "version_metadata": {                // optional
-    "binding": "CF_VERSION_METADATA"
-  }
-}
-```
-
-All other wrangler keys (compatibility flags, `main`, observability, etc.) come
-from the template — do not duplicate them per-site. If a per-site override is
-genuinely needed for one of those keys, add it to the schema and document the
-reason here.

package/deploy/sites/als-tanstack.jsonc

@@ -1,7 +0,0 @@
-// Per-site overrides for `als-tanstack` (immutable repo->worker binding).
-// Renaming `worker_name` is a breaking change: it points the next deploy at a
-// different Cloudflare worker. Only the platform team can change this file
-// (CODEOWNERS-protected).
-{
-  "worker_name": "als-tanstack"
-}

package/deploy/sites/americanas-tanstack.jsonc

@@ -1,4 +0,0 @@
-// Per-site overrides for `americanas-tanstack`.
-{
-  "worker_name": "americanas-tanstack"
-}

package/deploy/sites/baggagio-tanstack.jsonc

@@ -1,4 +0,0 @@
-// Per-site overrides for `baggagio-tanstack`.
-{
-  "worker_name": "baggagio-tanstack"
-}

package/deploy/sites/casaevideo-storefront.jsonc

@@ -1,11 +0,0 @@
-// Per-site overrides for `casaevideo-storefront`.
-//
-// NOTE: `kv_namespaces[].id` is shared with `lebiscuit-tanstack`. Verify this
-// is intentional before promoting this registry to v1. R4 in the central-deploy
-// plan adds a CI check that flags shared KV ids as a copy-paste smell.
-{
-  "worker_name": "casaevideo-tanstack",
-  "kv_namespaces": [
-    { "binding": "SITES_KV", "id": "ad0b74fc4d9341c9af9149c4ab85132f" }
-  ]
-}

package/deploy/sites/lebiscuit-tanstack.jsonc

@@ -1,19 +0,0 @@
-// Per-site overrides for `lebiscuit-tanstack`.
-//
-// NOTE: `kv_namespaces[].id` is shared with `casaevideo-storefront`. See the
-// note in casaevideo's site file. R4 will add CI validation for this.
-//
-// `version_metadata` and `analytics_engine_datasets` are consumed by
-// @decocms/start's `instrumentWorker`:
-//   - version_metadata populates `service.version` on the OTel resource.
-//   - analytics_engine_datasets is the dual-emit metrics target.
-{
-  "worker_name": "lebiscuit-tanstack",
-  "kv_namespaces": [
-    { "binding": "SITES_KV", "id": "ad0b74fc4d9341c9af9149c4ab85132f" }
-  ],
-  "version_metadata": { "binding": "CF_VERSION_METADATA" },
-  "analytics_engine_datasets": [
-    { "binding": "DECO_METRICS", "dataset": "deco_metrics_lebiscuit" }
-  ]
-}

package/deploy/sites/miess-01-tanstack.jsonc

@@ -1,8 +0,0 @@
-// Per-site overrides for `miess-01-tanstack`.
-//
-// Worker name keeps the historical `miess-tanstack` (no "-01") so the deploy
-// continues to land on the existing Cloudflare worker. The repo name has the
-// `-01-` suffix; the worker name does not.
-{
-  "worker_name": "miess-tanstack"
-}

package/deploy/wrangler-template.jsonc

@@ -1,28 +0,0 @@
-// Canonical wrangler.jsonc template for every storefront on the platform.
-//
-// Per-site overrides live in `deploy/sites/<repo-name>.jsonc`. The deploy
-// workflow deep-merges site overrides on top of this template at runtime and
-// writes the result to `wrangler.jsonc` in the caller checkout. Site overrides
-// always win. Arrays are replaced (not concatenated).
-//
-// Notes on what is INTENTIONALLY missing here:
-//   - "name" -- always derived from the per-site `worker_name`.
-//   - "account_id" -- never lives in the JSON. Wrangler reads it from the
-//     CLOUDFLARE_ACCOUNT_ID env var in CI and from local config otherwise.
-//     This way, a typo in JSON cannot misroute a deploy.
-//
-// To upgrade compatibility flags, observability, or worker-entry path across
-// every site at once, change this file and tag a new deco-start release.
-{
-  "compatibility_date": "2026-02-14",
-  "compatibility_flags": ["nodejs_compat", "no_handle_cross_request_promise_resolution"],
-  "main": "./src/worker-entry.ts",
-  "workers_dev": true,
-  "preview_urls": true,
-  "observability": {
-    "logs": {
-      "enabled": true,
-      "invocation_logs": true
-    }
-  }
-}

package/scripts/deploy/build-wrangler-config.mjs

@@ -1,49 +0,0 @@
-#!/usr/bin/env node
-// build-wrangler-config.mjs
-//
-// Materializes a `wrangler.jsonc` from the canonical template + the site's
-// per-site overrides. The output file is what `wrangler deploy` /
-// `wrangler versions upload` / `wrangler secret put` will read.
-//
-// Required env:
-//   DECO_START_PATH  - path to a checked-out deco-start (e.g. ".deco-start")
-//   SITE_NAME        - the registry key (== caller repo name)
-//   OUTPUT_PATH      - where to write the merged wrangler.jsonc
-//                      (e.g. "./wrangler.jsonc" in the caller checkout)
-
-import { writeFileSync } from "node:fs";
-import { resolve } from "node:path";
-import { loadSiteManifest, loadTemplate, mergeWithTemplate } from "./site-registry.mjs";
-
-function fail(message) {
-  console.error(`::error::${message}`);
-  process.exit(1);
-}
-
-const decoStartPath = process.env.DECO_START_PATH;
-const siteName = process.env.SITE_NAME;
-const outputPath = process.env.OUTPUT_PATH;
-
-if (!decoStartPath) fail("DECO_START_PATH env var is required");
-if (!siteName) fail("SITE_NAME env var is required");
-if (!outputPath) fail("OUTPUT_PATH env var is required");
-
-let merged;
-try {
-  const template = loadTemplate(decoStartPath);
-  const manifest = loadSiteManifest(decoStartPath, siteName);
-  merged = mergeWithTemplate(template, manifest);
-} catch (err) {
-  fail(err instanceof Error ? err.message : String(err));
-}
-
-const header = `// AUTOGENERATED by @decocms/start at deploy time.
-// Do not edit -- changes will be overwritten on the next deploy.
-// Source: decocms/deco-start deploy/sites/${siteName}.jsonc
-//         + decocms/deco-start deploy/wrangler-template.jsonc
-`;
-
-const body = JSON.stringify(merged, null, 2);
-writeFileSync(resolve(outputPath), `${header}${body}\n`);
-
-console.log(`Wrote ${outputPath} for site "${siteName}" (worker "${merged.name}")`);

package/scripts/deploy/jsonc.mjs

@@ -1,76 +0,0 @@
-// Minimal JSONC -> JSON parser used by the deploy scripts.
-//
-// Strips // line comments and /* block comments */ outside of string literals
-// and tolerates trailing commas in objects/arrays. Dependency-free so the
-// deploy scripts can run with vanilla `node` in CI.
-
-import { readFileSync } from "node:fs";
-
-/**
- * @param {string} input
- * @returns {string}
- */
-function stripComments(input) {
-  let out = "";
-  let i = 0;
-  let inStr = false;
-  let strChar = "";
-  while (i < input.length) {
-    const c = input[i];
-    const n = input[i + 1];
-    if (inStr) {
-      out += c;
-      if (c === "\\" && i + 1 < input.length) {
-        out += input[i + 1];
-        i += 2;
-        continue;
-      }
-      if (c === strChar) inStr = false;
-      i++;
-      continue;
-    }
-    if (c === '"') {
-      inStr = true;
-      strChar = c;
-      out += c;
-      i++;
-      continue;
-    }
-    if (c === "/" && n === "/") {
-      while (i < input.length && input[i] !== "\n") i++;
-      continue;
-    }
-    if (c === "/" && n === "*") {
-      i += 2;
-      while (i < input.length && !(input[i] === "*" && input[i + 1] === "/")) i++;
-      i += 2;
-      continue;
-    }
-    out += c;
-    i++;
-  }
-  return out;
-}
-
-/**
- * @param {string} text
- * @returns {unknown}
- */
-export function parseJsonc(text) {
-  const stripped = stripComments(text).replace(/,\s*([}\]])/g, "$1");
-  return JSON.parse(stripped);
-}
-
-/**
- * @param {string} path
- * @returns {unknown}
- */
-export function readJsoncFile(path) {
-  const raw = readFileSync(path, "utf8");
-  try {
-    return parseJsonc(raw);
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    throw new Error(`Failed to parse JSONC at ${path}: ${message}`);
-  }
-}