@gjsify/cli 0.4.20 → 0.4.21

package/lib/commands/install.js

@@ -276,17 +276,23 @@ async function workspaceInstall(cwd, args) {
             continue;
         const linkPath = join(target.location, 'node_modules', link.depName);
         mkdirSync(dirname(linkPath), { recursive: true });
-        // Remove any prior entry (regular dir, broken symlink, file).
+        // Remove any prior entry — regular dir, broken symlink, file, or
+        // a normal symlink left over from a previous install. Using
+        // `{ recursive: true, force: true }` handles every shape in one
+        // call: `rmSync` no-ops on missing paths under `force: true`, and
+        // `recursive: true` covers the directory case. Avoids the EEXIST
+        // race a previous lstat-then-branch version hit when the stat's
+        // type-discrimination missed an edge case (e.g. broken symlink
+        // whose `isSymbolicLink()` returned a non-truthy value through
+        // Gio's NOFOLLOW path, leaving a leftover entry that
+        // `symlinkSync` would then refuse to overwrite).
         try {
-            const stat = lstatSync(linkPath);
-            if (stat.isSymbolicLink() || stat.isFile()) {
-                rmSync(linkPath, { force: true });
-            }
-            else if (stat.isDirectory()) {
-                rmSync(linkPath, { recursive: true, force: true });
-            }
+            rmSync(linkPath, { recursive: true, force: true });
+        }
+        catch { /* unexpected — Gio failure on a path we just lstat'd to
+                     decide we wanted to remove. The subsequent symlinkSync
+                     will surface the real reason if there is one. */
         }
-        catch { /* ENOENT — fine, nothing to remove */ }
         // Relative symlink so the repo is portable across checkout paths.
         const relTarget = relative(dirname(linkPath), link.targetLocation);
         symlinkSync(relTarget, linkPath);

package/lib/commands/publish.d.ts

@@ -4,6 +4,7 @@ interface PublishOptions {
     tag?: string;
     access?: string;
     'tolerate-republish'?: boolean;
+    'tolerate-untrusted-new'?: boolean;
     provenance?: boolean;
     'dry-run'?: boolean;
     json?: boolean;

package/lib/commands/publish.js

@@ -57,6 +57,11 @@ export const publishCommand = {
         description: 'Treat "version already published" as success — covers both classic 409 Conflict and the npm OIDC-path 403 Forbidden + `"previously published"` body shape. Matches yarn `--tolerate-republish`.',
         type: 'boolean',
         default: false,
+    })
+        .option('tolerate-untrusted-new', {
+        description: 'Skip (exit 0) when OIDC token exchange returns `package not found` AND no fallback token is configured — i.e. a never-before-published `@scope/<name>` whose Trusted Publisher entry hasn\'t been set up on npmjs.com yet. Without this flag, one un-bootstrapped new package breaks the entire serialized `gjsify foreach publish` loop. Pair with `--tolerate-republish` in CI release workflows so a fresh-merged package gracefully skips its first CI publish, leaving the manual-bootstrap step to a maintainer (see AGENTS.md "New @gjsify/* package: first-publish + Trusted Publisher bootstrap").',
+        type: 'boolean',
+        default: false,
     })
         .option('provenance', {
         description: 'Pass-through flag — recorded in the payload but no signing happens (gjsify doesn\'t ship a sigstore signer yet).',
@@ -91,6 +96,7 @@ export const publishCommand = {
         const tag = args.tag ?? 'latest';
         const access = args.access;
         const tolerate = args['tolerate-republish'] === true;
+        const tolerateUntrustedNew = args['tolerate-untrusted-new'] === true;
         const provenance = args.provenance === true;
         const dryRun = args['dry-run'] === true;
         const checkTrustedOnly = args['check-trusted'] === true;
@@ -243,6 +249,34 @@ export const publishCommand = {
                 }
             }
             catch (err) {
+                // Detect the "never-before-published @scope/pkg" shape:
+                // npm's OIDC exchange returns 404 with body
+                //   {"message":"OIDC token exchange error - package not found"}
+                // for any package that has no Trusted Publisher entry (which
+                // includes every package that doesn't exist on npm yet —
+                // see AGENTS.md "New @gjsify/* package: first-publish +
+                // Trusted Publisher bootstrap"). Skip such a package when
+                // --tolerate-untrusted-new is set so one un-bootstrapped
+                // package doesn't break the entire serialized publish loop.
+                const isUntrustedNewPackage = err instanceof OidcExchangeError &&
+                    err.status === 404 &&
+                    /package not found/i.test(err.body);
+                if (isUntrustedNewPackage && tolerateUntrustedNew) {
+                    const headerMsg = `${packed.name}@${packed.version} (skipped — no Trusted Publisher on npm, see AGENTS.md "New @gjsify/* package: first-publish + Trusted Publisher bootstrap")`;
+                    if (args.json) {
+                        process.stdout.write(`${JSON.stringify({
+                            ok: true,
+                            action: 'skipped-untrusted-new',
+                            name: packed.name,
+                            version: packed.version,
+                            reason: 'no-trusted-publisher',
+                        }, null, 2)}\n`);
+                    }
+                    else {
+                        process.stdout.write(`~ ${headerMsg}\n`);
+                    }
+                    return;
+                }
                 if (trustedFlag === true) {
                     // Explicit --trusted: bail with a clear error.
                     handleOidcFailure(err, packed.name, args.json === true);

package/lib/index.js

@@ -1,8 +1,27 @@
 #!/usr/bin/env node
+import { readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 import { buildCommand as build, testCommand as test, runCommand as run, infoCommand as info, checkCommand as check, showcaseCommand as showcase, createCommand as create, gresourceCommand as gresource, gettextCommand as gettext, gsettingsCommand as gsettings, flatpakCommand as flatpak, dlxCommand as dlx, installCommand as install, foreachCommand as foreach, workspaceCommand as workspace, packCommand as pack, publishCommand as publish, selfUpdateCommand as selfUpdate, generateInstallerCommand as generateInstaller, uninstallCommand as uninstall, formatCommand as format, lintCommand as lint, fixCommand as fix, upgradeCommand as upgrade, barrelsCommand as barrels, } from './commands/index.js';
 import { APP_NAME } from './constants.js';
+// Read the version from package.json adjacent to the bundle. yargs's
+// auto-version-discovery (its `pkg-up`-driven default) doesn't reach
+// through the bundled `dist/cli.gjs.mjs` path on GJS — falls back to
+// "unknown". Both layouts are covered:
+//   - dev (tsx, `yarn workspace`):  src/index.ts → ../package.json
+//   - bundled (install -g):         dist/cli.gjs.mjs → ../package.json
+function readBundleVersion() {
+    try {
+        const here = dirname(fileURLToPath(import.meta.url));
+        const pkg = JSON.parse(readFileSync(join(here, '..', 'package.json'), 'utf8'));
+        return typeof pkg.version === 'string' ? pkg.version : 'unknown';
+    }
+    catch {
+        return 'unknown';
+    }
+}
 // `parseAsync()` instead of `.argv` so the top-level await keeps the
 // process alive until command handlers complete. Under Node this is
 // cosmetic — the event loop holds the process up — but under GJS the
@@ -11,6 +30,7 @@ import { APP_NAME } from './constants.js';
 const cli = yargs(hideBin(process.argv));
 await cli
     .scriptName(APP_NAME)
+    .version(readBundleVersion())
     .strict()
     // Use the full terminal width for help. yargs's default caps at 80
     // (`Math.min(80, process.stdout.columns)`); we explicitly opt into

package/lib/utils/install-backend-native.d.ts

@@ -1,6 +1,14 @@
+import { type Packument } from "@gjsify/npm-registry";
 import type { InstallOptions } from "./install-backend.ts";
+interface ParsedSpec {
+    name: string;
+    range: string;
+}
 export interface InstalledTopLevel {
     name: string;
     version: string;
 }
 export declare function installPackagesNative(opts: InstallOptions): Promise<InstalledTopLevel[]>;
+export declare function parseSpec(raw: string): ParsedSpec;
+export declare function pickVersion(packument: Packument, range: string): string | null;
+export {};

package/lib/utils/install-backend-native.js

@@ -384,22 +384,36 @@ function describeLockfileDrift(lockfile, specs) {
         lines.push(`  - ${removed.sort().join("\n  - ")}`);
     return lines.join("\n");
 }
-function parseSpec(raw) {
+// Exported for unit-testing — keep the function name + signature
+// stable, the install-backend itself still calls it via the local
+// binding below. Internal API.
+export function parseSpec(raw) {
+    // Bare names without an explicit `@version` resolve to the `latest`
+    // dist-tag. This matches npm CLI behaviour (`npm install foo` →
+    // foo@latest) and — crucially — picks up prereleases when the
+    // publisher has tagged them as `latest`. Using semver `*` here
+    // would silently exclude any version with a `-` (rc, beta, alpha,
+    // …) suffix per semver §9 ("Pre-release versions have a lower
+    // precedence than the associated normal version"); ts-for-gir
+    // shipped only prereleases (4.0.0-rc.17 is the `latest` tag, no
+    // stable 4.x yet) and `*` was selecting the abandoned 3.3.0
+    // instead.
     if (raw.startsWith("@")) {
         const slash = raw.indexOf("/");
         if (slash < 0)
             throw new Error(`Invalid spec (scoped name without slash): ${raw}`);
         const at = raw.indexOf("@", slash);
         if (at < 0)
-            return { name: raw, range: "*" };
-        return { name: raw.slice(0, at), range: raw.slice(at + 1) || "*" };
+            return { name: raw, range: "latest" };
+        return { name: raw.slice(0, at), range: raw.slice(at + 1) || "latest" };
     }
     const at = raw.indexOf("@");
     if (at < 0)
-        return { name: raw, range: "*" };
-    return { name: raw.slice(0, at), range: raw.slice(at + 1) || "*" };
+        return { name: raw, range: "latest" };
+    return { name: raw.slice(0, at), range: raw.slice(at + 1) || "latest" };
 }
-function pickVersion(packument, range) {
+// Exported for unit-testing. Internal API.
+export function pickVersion(packument, range) {
     // dist-tag fast path: `latest`, `next`, ...
     if (packument["dist-tags"][range])
         return packument["dist-tags"][range];

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@gjsify/cli",
-    "version": "0.4.20",
+    "version": "0.4.21",
     "description": "CLI for Gjsify",
     "type": "module",
     "main": "lib/index.js",
@@ -37,18 +37,18 @@
         "cli"
     ],
     "dependencies": {
-        "@gjsify/buffer": "^0.4.20",
-        "@gjsify/create-app": "^0.4.20",
-        "@gjsify/node-globals": "^0.4.20",
-        "@gjsify/node-polyfills": "^0.4.20",
-        "@gjsify/npm-registry": "^0.4.20",
-        "@gjsify/resolve-npm": "^0.4.20",
-        "@gjsify/rolldown-plugin-gjsify": "^0.4.20",
-        "@gjsify/rolldown-plugin-pnp": "^0.4.20",
-        "@gjsify/semver": "^0.4.20",
-        "@gjsify/tar": "^0.4.20",
-        "@gjsify/web-polyfills": "^0.4.20",
-        "@gjsify/workspace": "^0.4.20",
+        "@gjsify/buffer": "^0.4.21",
+        "@gjsify/create-app": "^0.4.21",
+        "@gjsify/node-globals": "^0.4.21",
+        "@gjsify/node-polyfills": "^0.4.21",
+        "@gjsify/npm-registry": "^0.4.21",
+        "@gjsify/resolve-npm": "^0.4.21",
+        "@gjsify/rolldown-plugin-gjsify": "^0.4.21",
+        "@gjsify/rolldown-plugin-pnp": "^0.4.21",
+        "@gjsify/semver": "^0.4.21",
+        "@gjsify/tar": "^0.4.21",
+        "@gjsify/web-polyfills": "^0.4.21",
+        "@gjsify/workspace": "^0.4.21",
         "cosmiconfig": "^9.0.1",
         "get-tsconfig": "^4.14.0",
         "pkg-types": "^2.3.1",
@@ -56,12 +56,12 @@
         "yargs": "^18.0.0"
     },
     "devDependencies": {
-        "@gjsify/unit": "^0.4.20",
+        "@gjsify/unit": "^0.4.21",
         "@types/yargs": "^17.0.35",
         "typescript": "^6.0.3"
     },
     "peerDependencies": {
-        "@gjsify/rolldown-native": "^0.4.20"
+        "@gjsify/rolldown-native": "^0.4.21"
     },
     "peerDependenciesMeta": {
         "@gjsify/rolldown-native": {