@gjsify/cli 0.4.35 → 0.4.36

package/lib/utils/publish-diagnose.js

@@ -0,0 +1,99 @@
+// Dead-token vs new-package diagnostic for `gjsify publish`.
+//
+// When the publish PUT returns `404 Not Found` (body `"Not Found"` or empty)
+// it is ambiguous between two very different situations:
+//
+//   1. The `_authToken` in ~/.npmrc has been revoked / expired. The npm
+//      registry's 404 is its way of saying "we don't recognize this
+//      bearer". Easy to mistake for a missing-package error and send the
+//      user down the wrong path (Trusted-Publisher-bootstrap setup).
+//   2. The scoped `@gjsify/<pkg>` genuinely doesn't exist on npm yet —
+//      the first-publish bootstrap step from AGENTS.md.
+//
+// `GET /-/whoami` with the SAME Authorization header disambiguates: a live
+// token returns `{"username": "..."}`, a dead token returns `{}` (status 200
+// in both cases — the empty body is npm's signal).
+//
+// `npm publish` from npm-cli handles dead tokens with `401 EOTP` + a clear
+// "one-time-password or refresh the token" hint. The 404 path is npm's
+// PUT-specific shape and `gjsify publish` previously just printed the
+// opaque body. This helper closes the diagnostic gap.
+import { whoami } from '@gjsify/npm-registry';
+/**
+ * Probe `/-/whoami` to disambiguate the 404 cause. Best-effort: any thrown
+ * error / non-2xx falls through to `reason: 'unknown'` so the caller's
+ * generic error path runs untouched.
+ *
+ * Pure async I/O — no side effects, no process.exit, no console writes.
+ * The caller owns presentation (stderr vs stdout, plain vs JSON).
+ */
+export async function diagnose404(input) {
+    const { packageName, version, registry, npmrc } = input;
+    let probe = {};
+    try {
+        probe = await whoami(registry, npmrc);
+    }
+    catch {
+        return { reason: 'unknown', message: formatUnknown(packageName, version) };
+    }
+    if (probe.username && probe.username.length > 0) {
+        return {
+            reason: 'live-token-404',
+            username: probe.username,
+            message: formatLiveToken404(packageName, version, probe.username),
+        };
+    }
+    return { reason: 'dead-token', message: formatDeadToken(packageName, version) };
+}
+function formatDeadToken(name, version) {
+    return [
+        `gjsify publish: ${name}@${version} — 404 Not Found`,
+        '',
+        'The npm token in ~/.npmrc appears to be revoked or expired (the /-/whoami probe',
+        'returned {} instead of {"username": "..."}). The 404 is npm\'s response to a PUT',
+        'authenticated with an invalid bearer token.',
+        '',
+        'To refresh:',
+        '  npm login',
+        '  # or, future: gjsify login (tracked as project_gjsify_login_goal)',
+        '',
+        'Then verify before publishing:',
+        '  curl -s -H "Authorization: Bearer $(grep registry.npmjs.org ~/.npmrc | sed \'s|.*=||\')" \\',
+        '       https://registry.npmjs.org/-/whoami',
+        '  # Healthy: {"username":"<you>"}',
+        '  # Dead:    {}',
+    ].join('\n');
+}
+function formatLiveToken404(name, version, username) {
+    return [
+        `gjsify publish: ${name}@${version} — 404 Not Found`,
+        '',
+        `Authenticated as: ${username}`,
+        '',
+        `The package ${name} does not yet exist on npmjs.com. For a brand-new`,
+        'scoped package, this usually means the first-publish bootstrap step is needed',
+        '(see AGENTS.md > "New @gjsify/* package: first-publish + Trusted Publisher',
+        'bootstrap"). If you\'re sure you have write access to the scope, verify with:',
+        '  npm access ls-packages',
+    ].join('\n');
+}
+function formatUnknown(name, version) {
+    return `gjsify publish: ${name}@${version} — 404 Not Found`;
+}
+/**
+ * Heuristic: is the 404 body the "dead-token-or-missing-package" shape?
+ * npm's PUT returns plain text `Not Found` (sometimes empty body). We trigger
+ * the diagnostic for both, plus for the JSON `{"error":"Not Found"}` shape
+ * just in case. Other 404 bodies (e.g. with a structured npm error code)
+ * keep the generic error path.
+ */
+export function is404DiagnosticCandidate(body) {
+    const trimmed = body.trim();
+    if (trimmed.length === 0)
+        return true;
+    if (/^not found$/i.test(trimmed))
+        return true;
+    if (/"error"\s*:\s*"Not Found"/i.test(trimmed))
+        return true;
+    return false;
+}

package/lib/utils/resolve-npm-package.d.ts

@@ -0,0 +1,21 @@
+export interface ResolveNpmPackageOptions {
+    /** Anchor directory to search from (typically the caller's cwd). */
+    cwd?: string;
+    /**
+     * Bundle path or module URL to anchor the bundle-side createRequire
+     * at. Pass `import.meta.url` from the call site so the bundle's
+     * own node_modules chain stays reachable even when the CLI is
+     * invoked from an unrelated cwd.
+     */
+    bundleUrl?: string;
+}
+/**
+ * Resolve a bare npm specifier through multiple createRequire anchors.
+ * Returns the absolute filesystem path of the resolved module, or null
+ * if no anchor succeeded.
+ *
+ * Each anchor is tried in priority order — `GJSIFY_NODE_PATH` (highest)
+ * → caller cwd → workspace root → bundle URL → parent-dir walk from
+ * cwd. The first anchor whose `require.resolve()` succeeds wins.
+ */
+export declare function resolveNpmPackage(specifier: string, opts?: ResolveNpmPackageOptions): string | null;

package/lib/utils/resolve-npm-package.js

@@ -0,0 +1,121 @@
+// Multi-anchor npm-package resolver for the GJS-bundled CLI.
+//
+// GJS's native ESM loader has no node_modules walker — a bare
+// `await import('rolldown')` from inside the bundle throws
+// `ImportError: Module not found: rolldown` even when the package is
+// physically present in a node_modules above the caller's cwd.
+//
+// `createRequire(import.meta.url)` works when invoked under Node, and
+// when invoked under GJS *with* `@gjsify/module`'s polyfill it walks the
+// node_modules chain from the URL it was anchored at. But it walks
+// only ONE chain — the one rooted at the anchor's parent. When the
+// bundle lives at `<install>/dist/cli.gjs.mjs` and the user runs
+// `gjs -m <install>/dist/cli.gjs.mjs build …` from a completely
+// unrelated cwd (`/tmp/sandbox/`) whose `node_modules` is the only
+// place rolldown is present, anchoring on the bundle URL misses it.
+//
+// This helper resolves a bare specifier against multiple anchors in
+// order — the first one that resolves wins:
+//
+//   1. `GJSIFY_NODE_PATH` env override (colon-separated dir list,
+//      matches Node's NODE_PATH semantics — each entry is treated as a
+//      synthetic `node_modules` parent).
+//   2. Caller-supplied anchor dir (typically process.cwd()).
+//   3. Workspace root from `findWorkspaceRoot(anchorDir)` — finds the
+//      monorepo top when invoked from a sub-package directory.
+//   4. Bundle path's parent chain (`import.meta.url` of THIS module).
+//   5. Parent dirs of the anchor (fallback for nested-without-workspace
+//      setups — matches `oxc-resolve.ts`'s walker).
+//
+// Returns the absolute path on success (the caller usually wraps it in
+// `pathToFileURL().href` before passing to dynamic `import(...)`).
+// Returns null when every anchor failed.
+//
+// Reference: `packages/infra/cli/src/commands/tsc.ts` (workspace-root +
+// cwd anchoring precedent) and `packages/infra/cli/src/utils/oxc-resolve.ts`
+// (parent-dir walker precedent).
+import { createRequire } from 'node:module';
+import { pathToFileURL } from 'node:url';
+import { join, resolve } from 'node:path';
+import { findWorkspaceRoot } from './workspace-root.js';
+/**
+ * Resolve a bare npm specifier through multiple createRequire anchors.
+ * Returns the absolute filesystem path of the resolved module, or null
+ * if no anchor succeeded.
+ *
+ * Each anchor is tried in priority order — `GJSIFY_NODE_PATH` (highest)
+ * → caller cwd → workspace root → bundle URL → parent-dir walk from
+ * cwd. The first anchor whose `require.resolve()` succeeds wins.
+ */
+export function resolveNpmPackage(specifier, opts = {}) {
+    const cwd = opts.cwd ?? process.cwd();
+    // 1. GJSIFY_NODE_PATH env override (NODE_PATH-like) — each entry is
+    //    treated as a directory whose own `node_modules` participates
+    //    in the lookup. Mirrors Node's NODE_PATH semantics.
+    const envPath = process.env['GJSIFY_NODE_PATH'];
+    if (envPath) {
+        for (const dir of envPath.split(':').filter(Boolean)) {
+            const hit = tryResolveFromDir(specifier, resolve(dir));
+            if (hit)
+                return hit;
+        }
+    }
+    // 2. Caller cwd → walk up for nearest node_modules/<pkg>.
+    const fromCwd = tryResolveFromDir(specifier, cwd);
+    if (fromCwd)
+        return fromCwd;
+    // 3. Workspace root (monorepo top, if any).
+    const wsRoot = findWorkspaceRoot(cwd);
+    if (wsRoot && wsRoot !== cwd) {
+        const fromWsRoot = tryResolveFromDir(specifier, wsRoot);
+        if (fromWsRoot)
+            return fromWsRoot;
+    }
+    // 4. Bundle path's own parent chain — anchored at the bundle URL
+    //    so the install-time node_modules layout (e.g.
+    //    `<install>/node_modules/rolldown` next to the CLI bundle)
+    //    is reachable even when the user runs the bundle directly from
+    //    an unrelated cwd.
+    if (opts.bundleUrl) {
+        try {
+            const req = createRequire(opts.bundleUrl);
+            return req.resolve(specifier);
+        }
+        catch {
+            // Fall through.
+        }
+    }
+    // 5. Parent-dir walk from cwd as a last resort (nested
+    //    package layouts without a workspace marker). Capped at 8
+    //    levels to avoid runaway filesystem walks on pathological
+    //    layouts. Matches the depth `oxc-resolve.ts` uses for its
+    //    equivalent walker.
+    let dir = resolve(cwd, '..');
+    for (let i = 0; i < 8; i++) {
+        const hit = tryResolveFromDir(specifier, dir);
+        if (hit)
+            return hit;
+        const parent = resolve(dir, '..');
+        if (parent === dir)
+            break;
+        dir = parent;
+    }
+    return null;
+}
+/**
+ * Attempt to resolve `specifier` as if a fictional source file at
+ * `<dir>/__gjsify_resolve__.js` were doing the lookup. createRequire's
+ * algorithm walks up from the anchor's parent for `node_modules/<pkg>`
+ * so seeding it inside `<dir>` makes `<dir>/node_modules/<pkg>` the
+ * first hit.
+ */
+function tryResolveFromDir(specifier, dir) {
+    try {
+        const sentinel = pathToFileURL(join(dir, '__gjsify_resolve__.js')).href;
+        const req = createRequire(sentinel);
+        return req.resolve(specifier);
+    }
+    catch {
+        return null;
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@gjsify/cli",
-    "version": "0.4.35",
+    "version": "0.4.36",
     "description": "CLI for Gjsify",
     "type": "module",
     "main": "lib/index.js",
@@ -120,35 +120,46 @@
         "cli"
     ],
     "dependencies": {
-        "@gjsify/buffer": "^0.4.35",
-        "@gjsify/create-app": "^0.4.35",
-        "@gjsify/node-globals": "^0.4.35",
-        "@gjsify/node-polyfills": "^0.4.35",
-        "@gjsify/npm-registry": "^0.4.35",
-        "@gjsify/resolve-npm": "^0.4.35",
-        "@gjsify/rolldown-plugin-gjsify": "^0.4.35",
-        "@gjsify/rolldown-plugin-pnp": "^0.4.35",
-        "@gjsify/semver": "^0.4.35",
-        "@gjsify/tar": "^0.4.35",
-        "@gjsify/web-polyfills": "^0.4.35",
-        "@gjsify/workspace": "^0.4.35",
+        "@gjsify/buffer": "^0.4.36",
+        "@gjsify/create-app": "^0.4.36",
+        "@gjsify/node-globals": "^0.4.36",
+        "@gjsify/node-polyfills": "^0.4.36",
+        "@gjsify/npm-registry": "^0.4.36",
+        "@gjsify/resolve-npm": "^0.4.36",
+        "@gjsify/rolldown-plugin-gjsify": "^0.4.36",
+        "@gjsify/rolldown-plugin-pnp": "^0.4.36",
+        "@gjsify/semver": "^0.4.36",
+        "@gjsify/tar": "^0.4.36",
+        "@gjsify/tsc": "^0.4.36",
+        "@gjsify/web-polyfills": "^0.4.36",
+        "@gjsify/workspace": "^0.4.36",
         "cosmiconfig": "^9.0.1",
         "get-tsconfig": "^4.14.0",
         "pkg-types": "^2.3.1",
-        "rolldown": "^1.0.0",
+        "rolldown": "^1.0.3",
         "yargs": "^18.0.0"
     },
     "devDependencies": {
-        "@gjsify/unit": "^0.4.35",
+        "@gjsify/unit": "^0.4.36",
         "@types/yargs": "^17.0.35",
-        "typescript": "^6.0.3"
+        "typescript": "^5.9.3"
     },
     "peerDependencies": {
-        "@gjsify/rolldown-native": "^0.4.35"
+        "@gjsify/rolldown-native": "^0.4.36"
     },
     "peerDependenciesMeta": {
         "@gjsify/rolldown-native": {
             "optional": true
         }
-    }
+    },
+    "license": "MIT",
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/gjsify/gjsify.git",
+        "directory": "packages/infra/cli"
+    },
+    "bugs": {
+        "url": "https://github.com/gjsify/gjsify/issues"
+    },
+    "homepage": "https://github.com/gjsify/gjsify/tree/main/packages/infra/cli#readme"
 }