@gjsify/cli 0.4.35 → 0.4.36

package/lib/commands/install.js

@@ -20,13 +20,21 @@
 // wins today).
 import { chmodSync, existsSync, lstatSync, mkdirSync, readFileSync, rmSync, symlinkSync, writeFileSync } from 'node:fs';
 import { dirname, join, relative } from 'node:path';
-import { spawn } from 'node:child_process';
+import { spawn, spawnSync } from 'node:child_process';
 import { discoverWorkspaces } from '@gjsify/workspace';
 import { buildInstallCommand, detectPackageManager, runMinimalChecks } from '../utils/check-system-deps.js';
 import { detectNativePackages } from '../utils/detect-native-packages.js';
-import { installPackages } from '../utils/install-backend.js';
+import { installPackages, makeProgressReporter } from '../utils/install-backend.js';
 import { binDirOnPath, defaultGlobalLayout, linkGlobalBins, specToPackageName } from '../utils/install-global.js';
 import { addDependencyEntry, defaultRangeFromVersion, parseSpec, projectSpecsFromPackageJson, readPackageJson, writePackageJson, } from '../utils/pkg-json-edit.js';
+// Default 30min wall-clock budget for the full install. Big workspaces
+// (212+ sub-packages × 600+ external deps in the gjsify monorepo itself)
+// can legitimately take 10-20 min on a fresh CI install when the npm CDN
+// is slow — a 5-min default would false-positive on those legitimate
+// flows. Per-fetch timeout (30s, retried) catches the truly stuck case
+// inside this budget. Set --timeout 0 to disable the wall-clock guard
+// entirely.
+const DEFAULT_INSTALL_TIMEOUT_MS = 1_800_000;
 export const installCommand = {
     command: 'install [packages..]',
     description: 'Install npm dependencies in the current project (or globally with -g), then run gjsify-aware post-checks.',
@@ -54,11 +62,26 @@ export const installCommand = {
         description: 'Verbose install logging.',
         type: 'boolean',
         default: false,
+    })
+        .option('quiet', {
+        description: 'Silence the progress bar.',
+        type: 'boolean',
+        default: false,
+    })
+        .option('progress', {
+        description: 'Show a TTY-aware progress bar for resolve / download / extract phases. Auto-enabled when stderr is a TTY (override with --no-progress). Implicitly off under --verbose (per-package log lines replace the bar) or --quiet.',
+        type: 'boolean',
+        default: true,
     })
         .option('backend', {
         description: 'Install backend. `native` (default) routes through `@gjsify/{semver,npm-registry,tar}` — no Node/npm at runtime. `npm` shells out to `npm install` as an escape hatch for cases the native backend does not yet model (Yarn PnP repos, lifecycle scripts). Overrides `GJSIFY_INSTALL_BACKEND` if both are set.',
         type: 'string',
         choices: ['native', 'npm'],
+    })
+        .option('timeout', {
+        description: 'Overall install wall-clock timeout in ms (default 1800000 = 30 min). On timeout, all in-flight registry fetches are aborted and the install exits non-zero with a clear "install timed out — likely a registry slowdown" message. Per-request timeouts in @gjsify/npm-registry (default 30s) still apply within this budget. Set to 0 to disable the overall budget.',
+        type: 'number',
+        default: DEFAULT_INSTALL_TIMEOUT_MS,
     }),
     handler: async (args) => {
         // --immutable is incompatible with explicit `<pkg>` adds and with
@@ -98,10 +121,58 @@ export const installCommand = {
             await runPostInstallChecks();
             return;
         }
-        await projectInstallNative(args);
-        await runPostInstallChecks();
+        // Overall wall-clock budget for the install (default 5 min). On
+        // timeout we abort every in-flight registry fetch via this controller
+        // so the process exits cleanly with an actionable message instead of
+        // a silent hang. Per-request timeouts inside @gjsify/npm-registry
+        // (default 30s, retried) still apply within this budget.
+        const overallTimeoutMs = args.timeout > 0 ? args.timeout : 0;
+        const overallController = overallTimeoutMs > 0 ? new AbortController() : null;
+        const overallTimerId = overallController !== null
+            ? setTimeout(() => overallController.abort(new Error('install-overall-timeout')), overallTimeoutMs)
+            : null;
+        try {
+            await projectInstallNative(args, overallController?.signal);
+            await runPostInstallChecks();
+        }
+        catch (err) {
+            if (overallController !== null && overallController.signal.aborted && isAbortedFromOverallTimeout(err)) {
+                const secs = Math.round(overallTimeoutMs / 100) / 10;
+                console.error(`gjsify install: timed out after ${secs}s — likely a registry slowdown.\n` +
+                    `Re-run, or override with --timeout <ms> (set --timeout 0 to disable the overall budget).`);
+                process.exit(1);
+            }
+            throw err;
+        }
+        finally {
+            if (overallTimerId !== null)
+                clearTimeout(overallTimerId);
+        }
     },
 };
+/**
+ * Heuristic: was this error raised because the overall-install AbortSignal
+ * fired? The signal's `reason` is the sentinel `Error('install-overall-timeout')`
+ * we installed above; the abort surfaces either as that exact reason or as
+ * any AbortError thrown by a downstream fetch / setTimeout-on-abort path.
+ * We match permissively because intermediate layers (fetch, GJS Soup, our
+ * own delay()) re-wrap the reason in their own AbortError instances.
+ */
+function isAbortedFromOverallTimeout(err) {
+    if (!err || typeof err !== 'object')
+        return false;
+    const name = err.name;
+    if (name === 'AbortError')
+        return true;
+    const message = err.message;
+    if (typeof message === 'string' && message.includes('install-overall-timeout'))
+        return true;
+    // RegistryTimeoutError surfaces the per-request budget — distinct from
+    // the overall budget but typically the symptom the overall timer reports.
+    if (name === 'RegistryTimeoutError')
+        return true;
+    return false;
+}
 function isWorkspaceRoot(cwd) {
     const pkgPath = join(cwd, 'package.json');
     const pkg = readPackageJson(pkgPath);
@@ -118,7 +189,7 @@ function depKindFromArgs(args) {
         return 'optionalDependencies';
     return 'dependencies';
 }
-async function projectInstallNative(args) {
+async function projectInstallNative(args, signal) {
     const cwd = process.cwd();
     const pkgPath = join(cwd, 'package.json');
     // gjsify install is a node_modules-linker installer (like `npm install`
@@ -155,7 +226,7 @@ async function projectInstallNative(args) {
     // fires for the root no-args case, which is the `yarn install`
     // equivalent).
     if ((!args.packages || args.packages.length === 0) && isWorkspaceRoot(cwd)) {
-        await workspaceInstall(cwd, args);
+        await workspaceInstall(cwd, args, signal);
         return;
     }
     let specs;
@@ -181,6 +252,12 @@ async function projectInstallNative(args) {
         }
     }
     mkdirSync(cwd, { recursive: true });
+    // Progress bar is auto-enabled when stderr is a TTY (and `--verbose` /
+    // `--quiet` / `--no-progress` aren't set). When piped to a log file the
+    // reporter falls back to one line per phase begin/end.
+    const progress = makeProgressReporter({
+        enabled: !args.verbose && !args.quiet && args.progress !== false,
+    });
     const result = await installPackages({
         prefix: cwd,
         specs,
@@ -189,6 +266,8 @@ async function projectInstallNative(args) {
         // it (the whole point is byte-stability under CI).
         lockfile: !args.immutable,
         frozen: args.immutable,
+        signal,
+        progress,
     });
     // Update package.json only when the user passed explicit packages
     // (the `gjsify install <pkg>...` add-a-dep flow). The no-args refresh
@@ -248,7 +327,7 @@ function syncLockfileRequested(cwd, specs) {
  * nested `node_modules/` for version conflicts are tracked as a follow-up
  * in STATUS.md "Open TODOs".
  */
-async function workspaceInstall(cwd, args) {
+async function workspaceInstall(cwd, args, signal) {
     const workspaces = discoverWorkspaces(cwd, { includeRoot: true });
     if (workspaces.length === 0) {
         throw new Error(`gjsify install: ${cwd} has a "workspaces" field but no workspaces were discovered`);
@@ -308,12 +387,78 @@ async function workspaceInstall(cwd, args) {
     console.log(`gjsify install: ${workspaces.length} workspace(s), ${externalSpecs.size} external dep spec(s), ${symlinks.length} workspace symlink(s)`);
     // Read top-level package.json's `overrides` (npm-native) or `resolutions`
     // (yarn-native, kept as the existing field name in pre-Phase-D.8 repos).
-    // Both are flattened to a name → version map and passed to the install
-    // backend. Pattern keys like `typescript@*` are normalised to bare names —
-    // we don't yet support per-parent scoping (npm's nested overrides shape).
+    // Flat `name → range` entries become global overrides applied to every
+    // workspace; nested `<workspace> → {dep → range}` entries become
+    // workspace-local installs that place the overridden dep inside that
+    // workspace's own `node_modules/`. Lets a monorepo pin one workspace to
+    // an older `typescript` (e.g. a downstream integration test) without
+    // forcing the rest of the tree to the same version.
     const rootManifest = workspaces.find((w) => w.location === cwd)?.manifest;
-    const overrides = extractOverrides(rootManifest);
+    const extracted = extractOverrides(rootManifest);
+    const overrides = extracted?.global;
+    // Second pass: pluck specs that have a workspace-scoped override out of
+    // `externalSpecs` and re-collect them into a per-workspace map. Those
+    // specs will be installed into the workspace's own `node_modules/` after
+    // the root install completes, so the resolver in the root pass does NOT
+    // see the conflicting versions.
+    const wsLocalSpecs = new Map(); // wsLocation → name@range set
+    const droppedFromExternal = new Set();
+    if (extracted && extracted.scoped.size > 0) {
+        for (const ws of workspaces) {
+            const wsManifest = ws.manifest;
+            for (const kind of ['dependencies', 'devDependencies', 'optionalDependencies']) {
+                const deps = wsManifest[kind];
+                if (!deps)
+                    continue;
+                for (const [depName, spec] of Object.entries(deps)) {
+                    const override = scopedOverrideFor(ws, depName, extracted);
+                    if (!override)
+                        continue;
+                    // Re-route this dep to the workspace's own install
+                    const targetRange = override;
+                    const wsKey = ws.location;
+                    let bucket = wsLocalSpecs.get(wsKey);
+                    if (!bucket) {
+                        bucket = new Set();
+                        wsLocalSpecs.set(wsKey, bucket);
+                    }
+                    bucket.add(`${depName}@${targetRange}`);
+                    // Drop the un-overridden version from the root spec set:
+                    // the workspace will see its scoped version via parent-walk
+                    // resolution. Note we only drop the EXACT `name@spec` the
+                    // workspace declared; other workspaces' instances of the
+                    // same name+spec stay in the root set.
+                    droppedFromExternal.add(`${depName}@${spec}`);
+                }
+            }
+        }
+        // Apply the drops only when no OTHER workspace declared the same spec
+        // — otherwise it has legitimate root requesters and must stay.
+        const stillNeeded = new Set();
+        for (const ws of workspaces) {
+            for (const kind of ['dependencies', 'devDependencies', 'optionalDependencies']) {
+                const deps = ws.manifest[kind];
+                if (!deps)
+                    continue;
+                for (const [depName, spec] of Object.entries(deps)) {
+                    if (scopedOverrideFor(ws, depName, extracted))
+                        continue;
+                    stillNeeded.add(`${depName}@${spec}`);
+                }
+            }
+        }
+        for (const dropped of droppedFromExternal) {
+            if (!stillNeeded.has(dropped))
+                externalSpecs.delete(dropped);
+        }
+        if (wsLocalSpecs.size > 0) {
+            console.log(`gjsify install: ${wsLocalSpecs.size} workspace(s) have scoped overrides — they will install their overridden deps locally after the root install`);
+        }
+    }
     if (externalSpecs.size > 0) {
+        const progress = makeProgressReporter({
+            enabled: !args.verbose && !args.quiet && args.progress !== false,
+        });
         await installPackages({
             prefix: cwd,
             specs: [...externalSpecs],
@@ -321,40 +466,90 @@ async function workspaceInstall(cwd, args) {
             lockfile: !args.immutable,
             frozen: args.immutable,
             overrides,
+            signal,
+            progress,
         });
     }
     else if (args.verbose) {
         console.log('gjsify install: no external deps to fetch');
     }
-    for (const link of symlinks) {
-        const target = byName.get(link.fromWorkspaceName);
-        if (!target)
+    // Workspace-local installs for scoped overrides. Each runs as its own
+    // `installPackages` call inside the workspace location — the resulting
+    // `node_modules/<dep>` shadows the root-hoisted version via standard
+    // Node parent-walk resolution.
+    for (const [wsLocation, specSet] of wsLocalSpecs) {
+        if (specSet.size === 0)
             continue;
-        const linkPath = join(target.location, 'node_modules', link.depName);
-        mkdirSync(dirname(linkPath), { recursive: true });
-        // Remove any prior entry — regular dir, broken symlink, file, or
-        // a normal symlink left over from a previous install. Using
-        // `{ recursive: true, force: true }` handles every shape in one
-        // call: `rmSync` no-ops on missing paths under `force: true`, and
-        // `recursive: true` covers the directory case. Avoids the EEXIST
-        // race a previous lstat-then-branch version hit when the stat's
-        // type-discrimination missed an edge case (e.g. broken symlink
-        // whose `isSymbolicLink()` returned a non-truthy value through
-        // Gio's NOFOLLOW path, leaving a leftover entry that
-        // `symlinkSync` would then refuse to overwrite).
-        try {
-            rmSync(linkPath, { recursive: true, force: true });
+        const wsName = workspaces.find((w) => w.location === wsLocation)?.name ?? wsLocation;
+        if (args.verbose) {
+            console.log(`gjsify install: ${wsName} — installing ${specSet.size} scoped-override spec(s) into ${wsLocation}/node_modules/`);
         }
-        catch {
-            /* unexpected — Gio failure on a path we just lstat'd to
-                     decide we wanted to remove. The subsequent symlinkSync
-                     will surface the real reason if there is one. */
-        }
-        // Relative symlink so the repo is portable across checkout paths.
-        const relTarget = relative(dirname(linkPath), link.targetLocation);
-        symlinkSync(relTarget, linkPath);
+        await installPackages({
+            prefix: wsLocation,
+            specs: [...specSet],
+            verbose: args.verbose,
+            // Per-workspace installs get a thin lockfile next to the workspace
+            // package.json. Same `--immutable` semantics as the root install.
+            lockfile: !args.immutable,
+            frozen: args.immutable,
+            signal,
+        });
     }
+    // Workspace symlink wiring — pre-dedup the parent-dir mkdirs (every
+    // symlink for the same workspace shares a single `node_modules` parent),
+    // then run the per-link rm + symlink steps with bounded concurrency.
+    // Pure sync loops here used to dominate the tail of large installs
+    // (~793 symlinks × ~10ms each for mkdir+rm+symlink = ~24s of serial
+    // syscalls). With async + a 32-wide pool the same set lands in 1-2s.
     if (symlinks.length > 0) {
+        const fsp = await import('node:fs/promises');
+        const parentDirs = new Set();
+        const plans = [];
+        for (const link of symlinks) {
+            const target = byName.get(link.fromWorkspaceName);
+            if (!target)
+                continue;
+            const linkPath = join(target.location, 'node_modules', link.depName);
+            parentDirs.add(dirname(linkPath));
+            const relTarget = relative(dirname(linkPath), link.targetLocation);
+            plans.push({ linkPath, relTarget });
+        }
+        // Phase 1: one mkdir per unique parent (max ~213 instead of ~793).
+        await Promise.all([...parentDirs].map((dir) => fsp.mkdir(dir, { recursive: true })));
+        // Phase 2: per-link rm + symlink, pooled. A semaphore-style cursor
+        // keeps the concurrent in-flight count bounded so we don't blow up
+        // the file-descriptor table on huge monorepos.
+        const SYMLINK_CONCURRENCY = 32;
+        let cursor = 0;
+        const workers = [];
+        const wireOne = async (linkPath, relTarget) => {
+            // Remove any prior entry — regular dir, broken symlink, file, or
+            // a normal symlink left over from a previous install.
+            // `{ recursive: true, force: true }` handles every shape (rm
+            // no-ops on missing paths under force; recursive covers dirs).
+            try {
+                await fsp.rm(linkPath, { recursive: true, force: true });
+            }
+            catch {
+                /* unexpected; symlink call below will surface the real
+                   cause if it persists. */
+            }
+            await fsp.symlink(relTarget, linkPath);
+        };
+        for (let i = 0; i < Math.min(SYMLINK_CONCURRENCY, plans.length); i++) {
+            workers.push((async () => {
+                while (true) {
+                    const idx = cursor++;
+                    if (idx >= plans.length)
+                        return;
+                    const p = plans[idx];
+                    if (!p)
+                        return;
+                    await wireOne(p.linkPath, p.relTarget);
+                }
+            })());
+        }
+        await Promise.all(workers);
         console.log(`gjsify install: wired ${symlinks.length} workspace symlink(s)`);
     }
     // Hoist EVERY workspace package to the repo root's `node_modules/` so
@@ -461,62 +656,75 @@ async function workspaceInstall(cwd, args) {
         console.log(`gjsify install: linked ${wsBinsCreated} workspace bin(s) into node_modules/.bin/`);
     }
 }
-/**
- * Build a shell shim that prefers Node when its target file exists at
- * invocation time, falling back to GJS otherwise. The runtime check is
- * per-invocation (not at install time) so the same shim works both
- * before and after the workspace's `lib/` has been built — a fresh
- * checkout only has the committed `dist/cli.gjs.mjs`, while every
- * subsequent `npm run build` produces `lib/index.js`.
- *
- * Both targets are absolute paths so the shim is portable across the
- * different cwds that consumers (`yarn run`, `npm run`, direct PATH
- * invocation) call us from.
- */
-/**
- * Flatten npm `overrides` or yarn `resolutions` into a bare name → range map.
- *
- * Supports two input shapes:
- *
- *   "overrides": { "typescript": "~5.9.2" }                       (npm)
- *   "resolutions": { "typescript@*": "~5.9.2" }                   (yarn pattern)
- *
- * Pattern keys with a version glob (`name@*`, `name@^x`) are normalised to the
- * bare name — gjsify's resolver doesn't yet support per-incoming-range
- * scoping. Object-valued nested overrides (npm's per-parent shape, e.g.
- * `"foo": { ".": "1.0", "bar": "2.0" }`) are intentionally ignored; they would
- * silently misbehave without per-parent support, so we surface a warning
- * instead of half-applying them.
- *
- * Keys beginning with `_` are skipped (convention for documentation entries
- * like `"_comment_typescript"` used in the wild).
- */
 function extractOverrides(rootManifest) {
     if (!rootManifest)
         return undefined;
-    const out = {};
+    const global = {};
+    const scoped = new Map();
     const merge = (source, fieldName) => {
         if (!source)
             return;
         for (const [key, value] of Object.entries(source)) {
             if (key.startsWith('_'))
                 continue;
-            if (typeof value !== 'string') {
-                console.warn(`gjsify install: ${fieldName}["${key}"] is not a string — nested override shape isn't supported yet, skipping`);
+            if (typeof value === 'string') {
+                // Flat `name → range` entry. Normalise pattern keys (`name@*`,
+                // `name@^range`) → bare name. For scoped packages preserve the
+                // leading `@`.
+                let name = key;
+                const atIdx = key.startsWith('@') ? key.indexOf('@', 1) : key.indexOf('@');
+                if (atIdx > 0)
+                    name = key.slice(0, atIdx);
+                global[name] = value;
+                continue;
+            }
+            if (value && typeof value === 'object' && !Array.isArray(value)) {
+                // Scoped entry — `<workspace> → {dep → range}`. This is the
+                // npm-overrides nested shape and yarn's resolutions
+                // selectors collapsed to per-workspace level.
+                const sub = {};
+                for (const [depKey, depValue] of Object.entries(value)) {
+                    if (depKey.startsWith('_'))
+                        continue;
+                    if (typeof depValue !== 'string') {
+                        console.warn(`gjsify install: ${fieldName}["${key}"]["${depKey}"] is not a string — only one level of nesting is supported, skipping`);
+                        continue;
+                    }
+                    let depName = depKey;
+                    const atIdx = depKey.startsWith('@') ? depKey.indexOf('@', 1) : depKey.indexOf('@');
+                    if (atIdx > 0)
+                        depName = depKey.slice(0, atIdx);
+                    sub[depName] = depValue;
+                }
+                if (Object.keys(sub).length > 0) {
+                    const existing = scoped.get(key) ?? {};
+                    scoped.set(key, { ...existing, ...sub });
+                }
                 continue;
             }
-            // Normalise pattern keys (`name@*`, `name@^range`) → bare name.
-            // For scoped packages preserve the leading `@`.
-            let name = key;
-            const atIdx = key.startsWith('@') ? key.indexOf('@', 1) : key.indexOf('@');
-            if (atIdx > 0)
-                name = key.slice(0, atIdx);
-            out[name] = value;
+            console.warn(`gjsify install: ${fieldName}["${key}"] is not a string or object — skipping`);
         }
     };
     merge(rootManifest.overrides, 'overrides');
     merge(rootManifest.resolutions, 'resolutions');
-    return Object.keys(out).length > 0 ? out : undefined;
+    if (Object.keys(global).length === 0 && scoped.size === 0)
+        return undefined;
+    return { global, scoped };
+}
+/**
+ * Look up the scoped override for a given workspace + dep. Matches by
+ * workspace name OR relative location (both accepted for readability).
+ */
+function scopedOverrideFor(ws, depName, extracted) {
+    if (!extracted || extracted.scoped.size === 0)
+        return undefined;
+    const candidates = [ws.name, ws.relativeLocation];
+    for (const key of candidates) {
+        const entry = extracted.scoped.get(key);
+        if (entry?.[depName])
+            return entry[depName];
+    }
+    return undefined;
 }
 function buildBinShim(wsLocation, nodeTarget, gjsTarget, nativePrebuildDirs = []) {
     const nodeAbs = nodeTarget ? join(wsLocation, nodeTarget) : null;
@@ -668,4 +876,43 @@ async function runPostInstallChecks() {
         }
         console.log('\nUse `gjsify run <bundle>` to launch with LD_LIBRARY_PATH/GI_TYPELIB_PATH set.');
     }
+    // 3. Install workspace git hooks (only fires inside the gjsify monorepo
+    //    itself, NOT in consumer projects that depend on @gjsify/cli — gated
+    //    by the presence of `scripts/install-git-hooks.mjs` + a `.git`
+    //    checkout). Idempotent; safe to re-run on every install.
+    maybeInstallGitHooks();
+}
+/**
+ * Wire `core.hooksPath = .githooks` when running `gjsify install` inside a
+ * git checkout that ships `scripts/install-git-hooks.mjs` (i.e. the gjsify
+ * monorepo). Consumer projects that don't ship the script are skipped
+ * silently — they wouldn't have hooks to install.
+ *
+ * The script itself handles its own no-op cases (extracted tarball, already
+ * configured, SKIP_GJSIFY_HOOKS=1).
+ */
+function maybeInstallGitHooks() {
+    const cwd = process.cwd();
+    const scriptPath = join(cwd, 'scripts', 'install-git-hooks.mjs');
+    if (!existsSync(scriptPath))
+        return;
+    // Need a git checkout — the script also checks, but skipping here
+    // avoids spawning a process when we know the answer.
+    if (!existsSync(join(cwd, '.git')))
+        return;
+    try {
+        const result = spawnSync(process.execPath, [scriptPath, '--quiet'], {
+            cwd,
+            stdio: 'inherit',
+            env: process.env,
+        });
+        if (result.status !== 0) {
+            console.warn(`[gjsify install] scripts/install-git-hooks.mjs exited ${result.status} — git hooks may not be active.`);
+        }
+    }
+    catch (err) {
+        // Hook installation is a quality-of-life touchup, not a hard install
+        // requirement. Never let it abort the surrounding install.
+        console.warn(`[gjsify install] git hook installation skipped: ${err instanceof Error ? err.message : String(err)}`);
+    }
 }

package/lib/commands/publish.js

@@ -33,12 +33,13 @@
 // Source: documented in https://docs.npmjs.com/cli/v10/commands/npm-publish
 // and npm's @npmcli/registry-fetch internals — verified against npm's
 // in-the-wild publish payloads.
-import { existsSync, readFileSync } from 'node:fs';
-import { homedir } from 'node:os';
+import { readFileSync } from 'node:fs';
 import { join, resolve } from 'node:path';
-import { DEFAULT_REGISTRY, parseNpmrc, registryFor, buildHeaders } from '@gjsify/npm-registry';
+import { DEFAULT_REGISTRY, registryFor, buildHeaders } from '@gjsify/npm-registry';
 import { packWorkspace } from './pack.js';
 import { getNpmTrustedToken, hasGithubOidcEnv, OidcExchangeError, OidcUnavailableError } from '../utils/npm-oidc.js';
+import { diagnose404, is404DiagnosticCandidate } from '../utils/publish-diagnose.js';
+import { loadNpmrc } from '../utils/load-npmrc.js';
 export const publishCommand = {
     command: 'publish [path]',
     description: 'Pack + upload the workspace at <path> (default: cwd) to its npm registry. Drop-in for `npm publish` with workspace:^ rewrite handled automatically.',
@@ -403,6 +404,38 @@ export const publishCommand = {
                 process.stdout.write(`= ${packed.name}@${packed.version} (already published, tolerated)\n`);
             return;
         }
+        // 404 diagnostic — token-auth only. npm returns 404 for both a
+        // dead `_authToken` and a genuinely-missing package; `/-/whoami`
+        // disambiguates. OIDC has its own clear error surfaces (handled in
+        // the OIDC catch block above) and `--otp` flows take a different
+        // 401 path, so the diagnostic only kicks in for the plain
+        // token-auth PUT signature.
+        if (res.status === 404 && authMode === 'token' && !otp) {
+            if (is404DiagnosticCandidate(text)) {
+                const diag = await diagnose404({
+                    packageName: packed.name,
+                    version: packed.version,
+                    registry: registryClean,
+                    npmrc,
+                });
+                if (diag.reason !== 'unknown') {
+                    if (args.json) {
+                        process.stdout.write(`${JSON.stringify({
+                            ok: false,
+                            name: packed.name,
+                            version: packed.version,
+                            status: 404,
+                            diagnostic: diag.reason,
+                            username: diag.username,
+                        }, null, 2)}\n`);
+                    }
+                    else {
+                        process.stderr.write(`${diag.message}\n`);
+                    }
+                    process.exit(1);
+                }
+            }
+        }
         console.error(`gjsify publish: ${packed.name}@${packed.version} — ${res.status} ${res.statusText}`);
         console.error(text);
         process.exit(1);
@@ -460,38 +493,6 @@ async function loadRewrittenManifest(wsDir, pkg) {
     }
     return pkg;
 }
-async function loadNpmrc(cwd) {
-    // npm CLI's npmrc resolution order (lowest → highest precedence):
-    //   1. globalconfig:  /etc/npmrc  (system)
-    //   2. userconfig:    $NPM_CONFIG_USERCONFIG  (overrides ~/.npmrc)
-    //                     or ~/.npmrc  (default)
-    //   3. projectconfig: ./.npmrc  (closest)
-    //
-    // actions/setup-node writes the auth-token npmrc to $RUNNER_TEMP/.npmrc
-    // and exports NPM_CONFIG_USERCONFIG pointing at it — it does NOT touch
-    // ~/.npmrc. Honor the env var so CI authentication works end-to-end.
-    const sources = [];
-    const projectNpmrc = join(cwd, '.npmrc');
-    if (existsSync(projectNpmrc))
-        sources.push(readFileSync(projectNpmrc, 'utf-8'));
-    const userConfig = process.env.NPM_CONFIG_USERCONFIG;
-    if (userConfig && existsSync(userConfig)) {
-        sources.push(readFileSync(userConfig, 'utf-8'));
-    }
-    else {
-        const homeNpmrc = join(homedir(), '.npmrc');
-        if (existsSync(homeNpmrc))
-            sources.push(readFileSync(homeNpmrc, 'utf-8'));
-    }
-    // Inline `${VAR}` placeholders (npm CLI's expand-on-read behavior).
-    // The auth-token npmrc from actions/setup-node ships
-    // `_authToken=${NODE_AUTH_TOKEN}` as a literal placeholder; the env var
-    // is set on the publish step.
-    const merged = sources
-        .join('\n')
-        .replace(/\$\{([A-Z_][A-Z0-9_]*)\}/gi, (_, name) => process.env[name] ?? '');
-    return parseNpmrc(merged);
-}
 function buildPublishPayload(opts) {
     const { pkg, tag, access, tarballBytes, tarballUrl, packed, provenance } = opts;
     const versionEntry = {

package/lib/commands/tsc.d.ts

@@ -0,0 +1,6 @@
+import type { Command } from '../types/index.js';
+interface TscOptions {
+    tscArgs: string[];
+}
+export declare const tscCommand: Command<unknown, TscOptions>;
+export {};