@hominis/fireforge 0.16.0 → 0.16.2

package/CHANGELOG.md

@@ -2,6 +2,82 @@
 
 ## 0.16.0
 
+### Security — eval-driven hardening for 0.16.0
+
+- **Release workflow — shell injection via `${{ inputs.version }}` interpolation.** `.github/workflows/release.yml` previously interpolated `${{ inputs.version }}` directly into `npm version "${{ inputs.version }}" --no-git-tag-version`, so anyone with `actions:write` could trigger `workflow_dispatch` with a crafted version string (e.g. `1.0.0"; <command> #`) and execute arbitrary shell inside the job. The release job carries `contents: write`, `id-token: write`, and the `npm` trusted-publishing environment, so that shell would have had an open door to the publish credentials. The fix routes `${{ inputs.version }}` through an `env: INPUT_VERSION:` block on the `Bump version` step and references `"$INPUT_VERSION"` inside the `run:` script, so GitHub Actions substitutes the value into the process environment rather than into the shell source. The `Tag and push` step gets the same treatment for `${{ steps.version.outputs.version }}` — defense-in-depth, since `npm version`'s semver check already filters that interpolation, but the pattern is consistent and cheap.
+- **`fireforge config` — prototype pollution via sentinel key segments.** `mutateConfig` in `src/core/config-mutate.ts` walks a dot-separated key through `getOrCreateChildRecord(parent, segment)` with no filter on `__proto__`, `constructor`, or `prototype`. `fireforge config __proto__.polluted 1 --force` therefore reached `parent["__proto__"]` and wrote a plain property onto `Object.prototype`, polluting every object in the Node process for the rest of the run. `--force` was the motivating pathway (the strict path guard rejects unknown top-level keys for non-sentinels), but the raw sink was also publicly re-exported from `src/core/config.ts`, widening the blast radius to any future caller. The fix rejects sentinel segments up-front in `mutateConfig` with a `ConfigError` before any clone or mutation — a single guard at the entry point covers both the descent loop and the final leaf assignment, and surfaces to the CLI as a normal "invalid key" failure rather than a crash. `readJson`'s existing reviver already strips the sentinels from loads, so input configs can't arrive pre-polluted.
+- **`fireforge wire --dom` — asymmetric newline marker parser projection drift.** `parseHunksForFile` in `src/core/patch-parse.ts` tracked `` as a single `noNewlineAtEnd: boolean` — collapsing the old-side and new-side markers into one flag. Asymmetric trailing-newline changes (e.g. removing the newline from the old side while the new side keeps one, or vice versa) were indistinguishable from the symmetric case, so `applyPatchToContent` produced content that disagreed with `git apply` on whether to emit a trailing newline. The projection drift surfaced as phantom entries in `fireforge status` and wipe-safe reprojection work in `fireforge import` for patches that were otherwise clean. The fix splits the field into `noNewlineAtEndOld` / `noNewlineAtEndNew` and peeks the body line that the marker trails (`-` → old-only, `+` → new-only, ` ` context → both), and `applyPatchToContent` now reads `noNewlineAtEndNew` for the output-side newline decision because the content we emit corresponds to the new side. `extractNewFileContentFromDiff` is unchanged — new-file patches only contain `+` lines, so its separate `hasNoNewlineMarker` local is already correct by construction.
+- **`fireforge wire --dom` — engine-relative inputs probed against CWD.** `src/commands/wire.ts` passed the raw `stripEnginePrefix(options.dom)` result to `pathExists` without joining `paths.engine` first, so a relative `--dom browser/base/content/foo.inc.xhtml` was probed inside the operator's shell directory and failed "DOM fragment file not found" even when the file existed in the correct engine location. The follow-on `isPathInsideRoot` and `toRootRelativePath` calls worked by coincidence — they internally `resolve(paths.engine, candidate)`, which masked the bug past the existence probe but only because those calls never hit the filesystem. The fix mirrors the pattern already in use in `src/commands/register.ts`: when the candidate is absolute probe it as-is, otherwise `join(paths.engine, candidate)` first. The error message still echoes the original operator input (not the internal joined path) so it remains copy-pasteable back into the CLI.
+
+### Config — `--force`-written keys are now readable
+
+- `fireforge config <key>` (read mode) now consults the raw `fireforge.json` document instead of the validated, typed config that `loadConfig` produces. Before this change, `fireforge config totallyUnknown value --force` succeeded (the key was persisted to disk via `writeConfigDocument`), but the corresponding `fireforge config totallyUnknown` read threw `Unknown config key: totallyUnknown` because `validateConfig` rebuilds a clean object containing only the schema-known fields — the forced key survived on disk but was invisible to the typed read path. A new `loadRawConfigDocument` helper in `src/core/config.ts` returns the raw JSON record, and the command's read branch now traverses that document. Writes are unaffected: schema validation still enforces shape for known keys, and `--force` continues to be the escape hatch for unknown keys.
+- The set-mode `--force` branch also now seeds the mutation from `loadRawConfigDocument`, so writing a second forced key no longer drops previously-written forced keys. Before this, the sequence `config foo 1 --force && config bar 2 --force` silently lost `foo` because the intermediate `loadConfig` stripped it out of the in-memory config.
+
+### Download — Extracting phase spinner
+
+- `fireforge download` now switches its spinner message from `Downloading Firefox <ver>... 100%` to `Extracting Firefox <ver>... (decompressing ~600 MB of source; typically 30–90s)` when the byte transfer completes and `tar -xf` starts. Before this change, the download spinner stayed pinned at "Downloading… 100%" for the entire extraction window — on a 601 MB ESR archive that is ~30–90 seconds of silent tar decompression where the first-run setup looked network-stalled precisely when the payload was already on disk. The new `FirefoxSourcePhaseCallback` in `src/core/firefox.ts` fires `'extract'` right before `extractTarXz`, and the download command swaps spinners on that signal; downgrading the initial `const s = spinner(...)` to `let s` is the only mutation site in the command.
+
+### Status — `--json` returns `[]` on a clean tree
+
+- `fireforge status --json` now emits a valid JSON document (`[]\n`) when there are no modified files, instead of falling through to the human-readable `No modified files` / `Working tree clean` banner. Before this change, the clean-tree early-return ran before the `--json` branch and silently printed human text, so automation that piped the command through a JSON parser broke precisely on the most common clean-workspace invocation. The `--raw` mode gets the same guard: a clean tree writes nothing to stdout in raw mode, matching what native `git status --porcelain` does on a clean repo.
+
+### Furnace init — tokens CSS scaffold + raw-color allowlist
+
+- `fireforge furnace init` now scaffolds the Furnace-managed tokens CSS at `engine/browser/themes/shared/<binaryName>-tokens.css` whenever the engine directory exists, and registers that path in `fireforge.json`'s `patchLint.rawColorAllowlist`. Before this change, `furnace init` only wrote `furnace.json`, so every fresh project's first `fireforge token add` hit `Token CSS file not found: browser/themes/shared/<binaryName>-tokens.css`. The scaffold writes a `:root { … }` shell seeded with four default category headers (`Colors — General`, `Colors — Canvas`, `Colors — Experiment`, `Spacing`) plus a `@media (prefers-color-scheme: dark)` overrides block; all four are recognised by `assertTokenCategoryExists` so `token add --category 'Colors — General' …` works end-to-end on a fresh project. The allowlist registration is idempotent (no-op when the entry is already present) so a `furnace init --force` on an existing project doesn't duplicate it.
+- `fireforge token add`'s "Category not found" error now lists the categories actually present in the file, along with a copy-pasteable header template (`/* = My Category = */`) and pointer to `fireforge furnace init --force`. Before this, the error told operators that "categories are defined by comment headers" without showing what was available — `token add` failed silently on any typo in the category name.
+
+### README — `token add` syntax update
+
+- The `Additional workflow commands` block in `README.md` now reflects the `token add <token> <value>` subcommand shape shipped in 0.14+. The previous example used a `--name/--value` form that no longer exists on the CLI surface and led operators through a broken copy-paste on their first try. The updated example also points at the Furnace tokens-CSS prerequisite so first-time operators know why `fireforge furnace init` runs before `token add`.
+
+### Furnace create — prefix mismatch is a hard refusal
+
+- `fireforge furnace create <name>` now refuses before any filesystem writes when `furnace.json`'s `componentPrefix` is set and `<name>` does not start with it. Before this change, the prefix check was a `warn()` that let the flow continue, producing runs where the command reported success, scaffolded files under `components/custom/<name>/`, registered tests in `browser/base/moz.build`, but the result was a second-class citizen of the fork's convention — subsequent follow-ups (list, status, rename) behaved inconsistently because the name didn't match what `fireforge furnace scan` / override workflows expected to see. A new `--allow-prefix-mismatch` flag is the intentional escape hatch when the mismatch is deliberate (e.g. a throwaway experiment); without it, the command throws `InvalidArgumentError` up-front with specific guidance about prefixing the name or editing `componentPrefix` in `furnace.json`.
+
+### Wire — `--dom` engine-relative normalisation
+
+- `fireforge wire --dom <path>` now accepts repo-root-relative forms (`engine/browser/base/content/foo.inc.xhtml`) and engine-relative forms (`browser/base/content/foo.inc.xhtml`) interchangeably, matching `lint`/`export`/`register`/`test`. Before this, passing the `engine/`-prefixed form from the repo root sailed through `pathExists` but then double-rooted through `toRootRelativePath(engineDir, 'engine/…')` — `resolve(engineDir, 'engine/…')` landed at `engineDir/engine/…`, which passed `isPathInsideRoot` but produced a `safeDomFilePath` of `engine/browser/base/content/foo.inc.xhtml`. The computed `#include` then read `#include ../../../engine/browser/base/content/foo.inc.xhtml`, nonsense that would never preprocess correctly. `stripEnginePrefix` normalises the input before the path probe so both forms produce `#include foo.inc.xhtml` in `browser.xhtml`. The `--target` option gets the same normalisation for symmetry.
+
+### Lint — `token-prefix-violation` scoped to added lines
+
+- `lintPatchedCss` now scopes its `token-prefix-violation` scan to the added/modified lines when diff context is available, mirroring what the `raw-color-value` rule already does. Before this change, a small CSS-only override of a stock component (e.g. `moz-card`) was flagged for every stock `var(--moz-card-*)` reference in the unchanged portion of the applied file, because the scanner saw the full applied CSS and treated every inherited reference as if the fork had introduced it. The fix ingests `addedLinesByFile.get(file)` as the scan source when present (with CSS comments stripped), de-duplicates per-prop so the same introduced var consumed five times produces one issue instead of five, and falls back to whole-file scanning only when no diff is available (matching the pre-existing contract for callers that pass raw CSS with no diff). `localDeclarations` continues to be collected from the full file so a var declared in an unchanged line is still recognised as a same-file runtime channel.
+
+### Lint — aggregate multi-patch size rules are warnings, not errors
+
+- `fireforge lint` running against an aggregate diff on a multi-patch queue (the default mode, `ctx.entries.length > 1`, no file paths supplied) now emits the two size rules (`large-patch-lines`, `large-patch-files`) as warnings rather than errors. Before this, a freshly-imported patch stack of 20+ patches failed the default lint on aggregate counts that are mathematically impossible to satisfy without splitting patches that were already split — the actionable unit is the individual patch, and `--per-patch` is the right mode. Per-patch mode (`lintPerPatch`) keeps the rules as errors because the size is genuinely per-patch there. The "aggregate mode" hint line is updated to note the severity downgrade so operators see the full picture.
+
+### Furnace chrome-doc — locale jar.mn source path fix
+
+- `localeJarMnEntryForChromeDoc` now emits `(%browser/<name>.ftl)` as the source-path column instead of `(%<name>.ftl)`. Before this fix, the first `fireforge build` after `fireforge furnace chrome-doc create <name>` failed with `jar.mn: Cannot find <name>.ftl` during backend generation because the FTL file is scaffolded under `engine/browser/locales/en-US/browser/<name>.ftl`, and the `%`-rooted jar path resolves relative to the per-locale root (e.g. `en-US/`), not the locale bundle root. The missing `browser/` subdirectory in the source path made the entry point at `en-US/<name>.ftl`, which doesn't exist. The extended docstring on the helper calls out the path resolution rule so a future refactor can't re-introduce the drift.
+
+### Build — gecko-profiler bindgen hint
+
+- The `MACH_ERROR_HINTS` table gains a pattern that matches the distinctive `cannot find type \`\_CharT\` in this scope`+`gecko-profiler-` co-occurrence emitted by upstream bindgen on some macOS libc++ SDK versions. The generated alias (`pub type basic_string**\_self_view = root::std::**1::basic_string_view<\_CharT>;`) references a type name that is not in scope at the landing site, so the Rust compile fails partway through the build. The new hint points operators at Hominis' `990-infra-bindgen-basic-string-workaround.patch` (which strips the offending line post-generation) and also prints the exact file to edit (`<objdir>/release/build/gecko-profiler-\*/out/gecko/bindings.rs`) for operators not on Hominis' patch queue. The hint lands via the existing `surfaceMachErrorHints`plumbing in`src/core/mach.ts`—`mach build`already captures stderr and feeds it through`explainMachError`, so no new wiring is needed.
+
+### Export-all — `--exclude-furnace`
+
+- `fireforge export-all --exclude-furnace` now filters Furnace-managed paths out of the aggregate diff instead of refusing the command when any are present. Before this, a mixed workspace (Furnace overrides + non-Furnace edits) could not use `export-all` at all — the operator had to fall back to `fireforge export <paths…>` with a hand-curated file list. The filter reuses the existing `collectFurnaceManagedPrefixes` helper to identify the Furnace-owned subset, rescopes the diff via `getDiffForFilesAgainstHead` over the remaining paths, and prints a one-line info (`Excluded N furnace-managed file(s) from export; exporting M remaining path(s).`). Without the flag, the existing refusal-with-guidance stays — the default still protects against accidentally capturing Furnace files as a regular patch.
+
+### Furnace preview — accepts `.cargo/config.toml.in`
+
+- `assertPreviewPrerequisites` now accepts either `engine/.cargo/config.toml` OR `engine/.cargo/config.toml.in` as proof that the Rust toolchain is registered. Before this, the preflight insisted on the plain file, but `fireforge bootstrap` alone produces only the `.in` template (the plain file is generated at `mach configure` time). Operators who followed the remediation instruction ("run bootstrap then rerun preview") hit the same refusal on the retry and had no in-surface recovery. The relaxed check still catches a completely un-bootstrapped engine (neither file exists), and the separate `hasBuildArtifacts` check above remains the authoritative "no dist" guard so this relaxation doesn't weaken the signal we care about.
+
+### Rebase — Furnace override baseVersion stamped alongside patches
+
+- After a successful rebase, `runPatchLoop` now calls `stampFurnaceOverrideBaseVersions` (new helper in `src/core/furnace-config.ts`) to update every override's `baseVersion` in `furnace.json` to `session.toVersion`, right after the existing `stampPatchVersions` call. Before this, a successful ESR bump from, say, `140.9.0esr` to `140.9.1esr` stamped every patch's `sourceEsrVersion` but left every override in `furnace.json` pointing at the old baseline, and the very next `fireforge doctor` failed `Furnace component validation` on every override until the operator hand-updated the file. The stamp emits a one-line info (`Stamped N Furnace override baseVersion(s) to <version>.`) and no-ops cleanly when there are zero overrides. Per-override content health is still the job of `fireforge furnace validate` / `doctor --repair-furnace`; the stamp only closes the version-drift reporting gap so a successful rebase doesn't leave the workspace in a doctor-failing state.
+
+### Build baseline — packageable fingerprints for `test --doctor`
+
+- `BuildBaseline` gains a `packageableFingerprints: Record<path, sha256>` field recorded at build completion for every packageable-dirty engine path. `checkStaleBuildForTest` re-hashes each current packageable-dirty file and flags only those whose live hash differs from the baseline entry (or paths new since the baseline). Before this change, the stale probe reported every workdir-dirty file as "changed since the last build" every time, because a project with imported patches + Furnace-applied components always has a persistent workdir diff against HEAD — the engine HEAD SHA doesn't move between builds even though the workdir does, so `git diff --name-only HEAD` always returned the full post-import / post-apply set. The result was a warning that fired immediately after a successful full + UI build with no edits in between. The fingerprint layer captures "these files had this content when the build ran", so the only paths that register as stale now are ones whose content actually changed.
+- Baselines written by older FireForge versions do not carry `packageableFingerprints`; the stale check falls through to the pre-0.16.0 path-only comparison in that case, so upgrading does not silently flip the semantics for already-built workspaces until the next `fireforge build` re-records the baseline.
+
+### Known limitations (unchanged in 0.16.0)
+
+- **`fireforge test` against a browser-test harness fails with `ERROR_SIGNEDSTATE_REQUIRED`.** Gecko's add-on manager rejects the Marionette harness add-on as unsigned when the fork build's release settings enforce signing. Pref injection at the `fireforge test` boundary needs to plumb `--setpref xpinstall.signatures.required=false` (and a matching dev-root pref) through every harness invocation type; that work is tracked for 0.17.0. Workaround: toggle `MOZ_AUTOMATION=1` / relax signing in the launched build profile out-of-band.
+- **`fireforge test --build` can loop on xpcshell tests that read packaged chrome resources.** The `--build` path drives `mach build faster`, which regenerates the fast-rebuild subset but not the chrome package xpcshell resolves through `chrome://branding/…` / `resource:///modules/…`. The stale-check then flags the same files on the retry even though the inline build ran. Workaround: run a full `fireforge build` (without `--ui`) before `fireforge test`; a proper test-type classifier + `--full-rebuild` flag is planned for 0.17.0.
+- **`fireforge watch` can fail with `FasterBuildException: timed out waiting for response` while a direct `watchman watch-project <engine>` succeeds.** The timeout originates entirely inside `mozbuild.faster_daemon`; FireForge has no hook to extend or recover from it. Workaround: `watchman watch-del <engineDir>` followed by `watchman watch-project <engineDir>` to reset the watcher's internal state before rerunning `fireforge watch`.
+
 ### Wire — transactional rollback
 
 - `fireforge wire` now snapshots every file the mutation sequence may touch (`browser/base/content/browser-main.js`, conditionally `browser/base/content/browser-init.js`, the chrome document the `#include` lands in, and `browser/base/jar.mn`) before any write, and restores them when any step fails. The evaluator hit the motivating case on `hominis/`: a `wire mock-wire --init … --destroy … --dom …` run threw `Could not find insertion point in chrome document` AFTER `browser-main.js`, `browser-init.js`, and `browser/base/jar.mn` had already been mutated — the operator had to hand-revert the partial mutation. The journal plumbing reuses `createRollbackJournal` / `snapshotFile` / `restoreRollbackJournal` from Furnace's rollback module; a rollback that itself fails surfaces both the original wire failure and the rollback diagnosis in a single `GeneralError` with `review "git status" under engine/` guidance so the operator knows the engine may need manual attention.

package/README.md

@@ -427,10 +427,12 @@ fireforge package
 # Watch for file changes and auto-rebuild
 fireforge watch
 
-# Add a CSS design token
-fireforge token --name "--my-color" --value "light-dark(#fff, #000)"
+# Add a CSS design token (requires `fireforge furnace init` first; see the Furnace/Tokens section below)
+fireforge token add --category 'Colors — General' -- --my-color 'light-dark(#fff, #000)'
 ```
 
+Tokens live in the Furnace-managed tokens CSS file (`engine/browser/themes/shared/<binaryName>-tokens.css`), scaffolded by `fireforge furnace init` alongside `furnace.json`. The scaffold seeds a default set of categories (`Colors — General`, `Colors — Canvas`, `Colors — Experiment`, `Spacing`); add a category by hand as a `/* = My Category = */` comment inside the `:root { … }` block if you need another. `fireforge furnace init` also registers the tokens CSS path in `patchLint.rawColorAllowlist` so raw color literals inside it are not flagged by `fireforge lint`.
+
 ### Diff-scoped lint (`lint --since`)
 
 `fireforge lint --since <git-rev>` tags each issue as `[introduced]` or `[cumulative]` based on whether its file changed since `<git-rev>`:

package/dist/src/commands/config.js

@@ -1,4 +1,4 @@
-import { configExists, loadConfig, mutateConfig, SUPPORTED_CONFIG_PATHS, SUPPORTED_CONFIG_ROOT_KEYS, writeConfig, writeConfigDocument, } from '../core/config.js';
+import { configExists, loadConfig, loadRawConfigDocument, mutateConfig, SUPPORTED_CONFIG_PATHS, SUPPORTED_CONFIG_ROOT_KEYS, writeConfig, writeConfigDocument, } from '../core/config.js';
 import { GeneralError, InvalidArgumentError } from '../errors/base.js';
 import { toError } from '../utils/errors.js';
 import { info, intro, outro, success, warn } from '../utils/logger.js';
@@ -83,10 +83,15 @@ export async function configCommand(projectRoot, key, value, options = {}) {
     if (!(await configExists(projectRoot))) {
         throw new GeneralError('No fireforge.json found. Run "fireforge setup" to create a project.');
     }
-    const config = await loadConfig(projectRoot);
     if (value === undefined) {
-        // Get mode
-        const currentValue = getNestedValue(config, key);
+        // Get mode — read the raw document rather than the validated config so
+        // keys persisted via `fireforge config <key> --force` remain readable.
+        // `validateConfig` builds a typed clone containing only the known
+        // schema fields; relying on it here would silently hide forced-write
+        // keys and surface "Unknown config key" on the read even though the
+        // key is sitting plainly inside fireforge.json.
+        const rawConfig = await loadRawConfigDocument(projectRoot);
+        const currentValue = getNestedValue(rawConfig, key);
         if (currentValue === undefined) {
             throw new InvalidArgumentError(`Unknown config key: ${key}`);
         }
@@ -113,10 +118,16 @@ export async function configCommand(projectRoot, key, value, options = {}) {
             // listed in SUPPORTED_CONFIG_PATHS, regardless of --force, and only
             // skip validation for genuinely unknown key paths.
             if (options.force && !keyIsKnown) {
-                const updatedConfig = mutateConfig(config, key, parsedValue, true);
+                // Seed mutation from the raw on-disk document so previously-forced
+                // keys (which `validateConfig` would strip) survive the round-trip.
+                // Without this, writing a second --force key would silently drop
+                // every earlier forced key from fireforge.json.
+                const rawConfig = await loadRawConfigDocument(projectRoot);
+                const updatedConfig = mutateConfig(rawConfig, key, parsedValue, true);
                 await writeConfigDocument(projectRoot, updatedConfig);
             }
             else {
+                const config = await loadConfig(projectRoot);
                 const updatedConfig = mutateConfig(config, key, parsedValue);
                 await writeConfig(projectRoot, updatedConfig);
             }

package/dist/src/commands/download.js

@@ -172,9 +172,16 @@ export async function downloadCommand(projectRoot, options) {
     // Ensure cache directory exists
     const cacheDir = join(paths.fireforgeDir, 'cache');
     await ensureDir(cacheDir);
-    // Download with progress
-    const s = spinner(`Downloading Firefox ${version}...`);
+    // Phase-switched spinners: the download phase runs with the byte-count
+    // progress callbacks below; the extract phase is blocking tar-xz and
+    // has no incremental progress, but it can take 30–90s on a ~600 MB
+    // Firefox tree, so it gets its own spinner message. Before the phase
+    // split, a single "Downloading Firefox … 100%" spinner covered both
+    // — the first-run setup looked hung precisely when the archive had
+    // already reached disk and `tar` was the long pole.
+    let s = spinner(`Downloading Firefox ${version}...`);
     let lastPercent = 0;
+    const phaseState = { value: 'download' };
     try {
         await downloadFirefoxSource(version, config.firefox.product, paths.engine, cacheDir, (downloaded, total) => {
             if (total <= 0)
@@ -184,11 +191,22 @@ export async function downloadCommand(projectRoot, options) {
                 s.message(`Downloading Firefox ${version}... ${percent}% (${formatBytes(downloaded)} / ${formatBytes(total)})`);
                 lastPercent = percent;
             }
+        }, (phase) => {
+            if (phase === 'extract' && phaseState.value === 'download') {
+                s.stop(`Firefox ${version} downloaded`);
+                phaseState.value = 'extract';
+                s = spinner(`Extracting Firefox ${version}... (decompressing ~600 MB of source; typically 30–90s)`);
+            }
         });
-        s.stop(`Firefox ${version} downloaded`);
+        if (phaseState.value === 'extract') {
+            s.stop(`Firefox ${version} extracted`);
+        }
+        else {
+            s.stop(`Firefox ${version} downloaded`);
+        }
     }
     catch (error) {
-        s.error('Download failed');
+        s.error(phaseState.value === 'extract' ? 'Extraction failed' : 'Download failed');
         throw error;
     }
     // Finding #17: the git indexing phase of `download` can block for

package/dist/src/commands/export-all.js

@@ -4,7 +4,7 @@ import { isBrandingManagedPath } from '../core/branding.js';
 import { getProjectPaths, loadConfig } from '../core/config.js';
 import { collectFurnaceManagedPrefixes } from '../core/furnace-config.js';
 import { hasChanges, isGitRepository } from '../core/git.js';
-import { getAllDiff } from '../core/git-diff.js';
+import { getAllDiff, getDiffForFilesAgainstHead } from '../core/git-diff.js';
 import { getWorkingTreeStatus } from '../core/git-status.js';
 import { extractAffectedFiles } from '../core/patch-apply.js';
 import { commitExportedPatch } from '../core/patch-export.js';
@@ -25,18 +25,35 @@ async function checkBrandingManagedFiles(paths, config) {
             'Review these files with "fireforge status" first. If you intentionally want a branding patch, export the specific branding paths explicitly with "fireforge export ...".');
     }
 }
-async function checkFurnaceManagedFiles(paths, projectRoot) {
+/**
+ * Policy around Furnace-managed files in the aggregate diff.
+ *
+ * Default behavior refuses the export (Furnace paths belong to
+ * `furnace apply`). `--exclude-furnace` flips the policy from refusal to
+ * filtering: the command still runs, but the Furnace-managed paths are
+ * dropped from the diff and counted in an info line so operators in
+ * mixed workspaces can capture only the non-Furnace subset.
+ *
+ * Returns the set of Furnace-managed paths to exclude (empty when the
+ * policy is "refuse" and nothing is in the working tree).
+ */
+async function resolveFurnaceExclusionPolicy(paths, projectRoot, excludeFurnace) {
     const prefixes = await collectFurnaceManagedPrefixes(projectRoot);
     if (prefixes.size === 0)
-        return;
+        return new Set();
     const changedFiles = await getWorkingTreeStatus(paths.engine);
     const furnaceManagedFiles = changedFiles
         .flatMap((entry) => [entry.file, entry.originalPath].filter((value) => !!value))
         .filter((file) => [...prefixes].some((prefix) => file.startsWith(prefix)));
-    if (furnaceManagedFiles.length > 0) {
-        throw new GeneralError('Export-all refuses to capture Furnace-managed component changes.\n\n' +
-            'These files are deployed by "fireforge furnace apply" and should be managed through the Furnace workflow. Review them with "fireforge status" or "fireforge furnace status".');
+    if (furnaceManagedFiles.length === 0)
+        return new Set();
+    if (excludeFurnace) {
+        return new Set(furnaceManagedFiles);
     }
+    throw new GeneralError('Export-all refuses to capture Furnace-managed component changes.\n\n' +
+        'These files are deployed by "fireforge furnace apply" and should be managed through the Furnace workflow. ' +
+        'Review them with "fireforge status" or "fireforge furnace status", ' +
+        'or pass --exclude-furnace to export the non-Furnace subset of the diff.');
 }
 /**
  * Refuses the export when the aggregate diff would create (new-file-mode) a
@@ -103,9 +120,32 @@ export async function exportAllCommand(projectRoot, options = {}) {
     }
     const config = await loadConfig(projectRoot);
     await checkBrandingManagedFiles(paths, config);
-    await checkFurnaceManagedFiles(paths, projectRoot);
-    // Get the full diff
-    let diff = await getAllDiff(paths.engine);
+    const furnaceExcluded = await resolveFurnaceExclusionPolicy(paths, projectRoot, options.excludeFurnace);
+    // Get the full diff. When --exclude-furnace is set and furnaceExcluded
+    // is non-empty, rescope the diff to the non-Furnace path subset so the
+    // resulting patch does not contain any Furnace-managed hunks. We use
+    // `getDiffForFilesAgainstHead` over the filtered path list rather than
+    // post-hoc string surgery on the aggregate diff, which keeps the
+    // output shape aligned with the single-file `export` command.
+    let diff;
+    if (furnaceExcluded.size > 0) {
+        const allChanged = await getWorkingTreeStatus(paths.engine);
+        const nonFurnacePaths = [
+            ...new Set(allChanged
+                .flatMap((entry) => [entry.file, entry.originalPath].filter((value) => !!value))
+                .filter((file) => !furnaceExcluded.has(file))),
+        ].sort();
+        if (nonFurnacePaths.length === 0) {
+            info(`Excluded ${furnaceExcluded.size} furnace-managed file(s) from export; no non-Furnace changes remain.`);
+            outro('Nothing to export');
+            return;
+        }
+        diff = await getDiffForFilesAgainstHead(paths.engine, nonFurnacePaths);
+        info(`Excluded ${furnaceExcluded.size} furnace-managed file(s) from export; exporting ${nonFurnacePaths.length} remaining path(s).`);
+    }
+    else {
+        diff = await getAllDiff(paths.engine);
+    }
     if (!diff.trim()) {
         info('No diff content to export');
         outro('Nothing to export');
@@ -172,6 +212,7 @@ export function registerExportAll(program, { getProjectRoot, withErrorHandling }
         .option('-d, --description <desc>', 'Description of the patch')
         .option('--supersede', 'Allow superseding multiple existing patches')
         .option('--skip-lint', 'Skip patch lint checks (downgrade errors to warnings)')
+        .option('--exclude-furnace', 'Export the non-Furnace subset of the aggregate diff instead of refusing when Furnace-managed files are modified. Furnace-managed files are still deployed by "fireforge furnace apply"; this flag only changes whether export-all aborts or filters in their presence.')
         .action(withErrorHandling(async (options) => {
         const { category, ...rest } = options;
         await exportAllCommand(getProjectRoot(), {

package/dist/src/commands/furnace/chrome-doc-templates.d.ts

@@ -62,5 +62,15 @@ export declare function generateChromeDocFtl(name: string, licenseHeader: string
 export declare function jarMnEntriesForChromeDoc(name: string): string[];
 /** jar.inc.mn entry that registers the scoped CSS under `content/browser/`. */
 export declare function jarIncMnEntryForChromeDoc(name: string): string;
-/** locales/jar.mn entry that registers the `.ftl` under the browser locale bundle. */
+/**
+ * locales/jar.mn entry that registers the `.ftl` under the browser locale
+ * bundle. The source path is resolved by mach-locale-jar relative to the
+ * per-locale root (e.g. `engine/browser/locales/en-US/`), and the FTL
+ * file is scaffolded at `browser/${name}.ftl` under that root — the `%`
+ * prefix means "per-locale content" and the `browser/` subdirectory
+ * matches the subdir the scaffolder writes into. Before this fix the
+ * entry emitted `(%${name}.ftl)`, which pointed at `en-US/${name}.ftl`
+ * and broke the first post-scaffold `fireforge build` with
+ * "jar.mn: Cannot find ${name}.ftl".
+ */
 export declare function localeJarMnEntryForChromeDoc(name: string): string;

package/dist/src/commands/furnace/chrome-doc-templates.js

@@ -162,8 +162,18 @@ export function jarMnEntriesForChromeDoc(name) {
 export function jarIncMnEntryForChromeDoc(name) {
     return `    content/browser/${name}-chrome.css           (shared/${name}-chrome.css)`;
 }
-/** locales/jar.mn entry that registers the `.ftl` under the browser locale bundle. */
+/**
+ * locales/jar.mn entry that registers the `.ftl` under the browser locale
+ * bundle. The source path is resolved by mach-locale-jar relative to the
+ * per-locale root (e.g. `engine/browser/locales/en-US/`), and the FTL
+ * file is scaffolded at `browser/${name}.ftl` under that root — the `%`
+ * prefix means "per-locale content" and the `browser/` subdirectory
+ * matches the subdir the scaffolder writes into. Before this fix the
+ * entry emitted `(%${name}.ftl)`, which pointed at `en-US/${name}.ftl`
+ * and broke the first post-scaffold `fireforge build` with
+ * "jar.mn: Cannot find ${name}.ftl".
+ */
 export function localeJarMnEntryForChromeDoc(name) {
-    return `    locale/browser/${name}.ftl                    (%${name}.ftl)`;
+    return `    locale/browser/${name}.ftl                    (%browser/${name}.ftl)`;
 }
 //# sourceMappingURL=chrome-doc-templates.js.map

package/dist/src/commands/furnace/create.js

@@ -400,9 +400,27 @@ export async function furnaceCreateCommand(projectRoot, name, options = {}) {
             throw new FurnaceError(`"${componentName}" already exists in the engine source tree. Use "fireforge furnace override" instead.`, componentName);
         }
     }
-    // Warn if name doesn't match componentPrefix
-    if (config.componentPrefix && !componentName.startsWith(config.componentPrefix)) {
-        warn(`Name "${componentName}" does not start with the configured prefix "${config.componentPrefix}".`);
+    // Refuse if name doesn't match componentPrefix, unless
+    // --allow-prefix-mismatch was explicitly passed.
+    //
+    // Pre-0.16.0 this was a bare `warn()` and the create flow continued,
+    // which produced a class of validation runs where the command reported
+    // success, scaffolded files under components/custom/<name>/, and
+    // registered tests in browser/base/moz.build, but the component
+    // wasn't a good citizen of the fork's convention — subsequent
+    // follow-up commands (list, status, rename) behaved inconsistently.
+    // Refusing up-front leaves the workspace untouched on a bad name and
+    // forces an intentional `--allow-prefix-mismatch` for the rare case
+    // where the mismatch is deliberate.
+    if (config.componentPrefix &&
+        !componentName.startsWith(config.componentPrefix) &&
+        !options.allowPrefixMismatch) {
+        throw new InvalidArgumentError(`Name "${componentName}" does not start with the configured prefix "${config.componentPrefix}". ` +
+            'Use a prefixed name (e.g. "' +
+            config.componentPrefix +
+            componentName +
+            '"), update `componentPrefix` in furnace.json, ' +
+            'or pass --allow-prefix-mismatch to create the component anyway.', 'name');
     }
     // --- Resolve description ---
     const description = await resolveDescription(isInteractive, options);

package/dist/src/commands/furnace/index.js

@@ -83,6 +83,7 @@ function registerFurnaceInfoCommands(furnace, context) {
         .option('--compose <tags>', 'Record stock tags composed internally (metadata only, comma-separated)', (val) => val.split(',').map((s) => s.trim()))
         .option('--shared-ftl <path>', 'Participate in an existing feature-scoped .ftl at this path (e.g. "browser/hominis-dock.ftl"); skips the per-component .ftl scaffold (implies --localized)')
         .option('--dry-run', 'Show the planned file set and furnace.json changes without writing')
+        .option('--allow-prefix-mismatch', 'Create the component even when its name does not start with the configured `componentPrefix` in furnace.json. Without this flag the command refuses to write anything on a prefix mismatch.')
         .action(withErrorHandling(async (name, options) => {
         await furnaceCreateCommand(getProjectRoot(), name, options);
     }));

package/dist/src/commands/furnace/init.js

@@ -1,9 +1,15 @@
 // SPDX-License-Identifier: EUPL-1.2
-import { isAbsolute, normalize } from 'node:path';
+import { dirname, isAbsolute, join, normalize } from 'node:path';
 import { text } from '@clack/prompts';
+import { getProjectPaths, loadConfig, mutateConfig, writeConfig } from '../../core/config.js';
 import { createDefaultFurnaceConfig, furnaceConfigExists, writeFurnaceConfig, } from '../../core/furnace-config.js';
+import { DEFAULT_LICENSE } from '../../core/license-headers.js';
+import { getTokensCssPath } from '../../core/token-manager.js';
+import { generateDefaultTokensCss } from '../../core/token-scaffold.js';
 import { FurnaceError } from '../../errors/furnace.js';
-import { cancel, info, intro, isCancel, note, outro, success } from '../../utils/logger.js';
+import { toError } from '../../utils/errors.js';
+import { ensureDir, pathExists, writeText } from '../../utils/fs.js';
+import { cancel, info, intro, isCancel, note, outro, success, warn } from '../../utils/logger.js';
 /**
  * Validates an FTL base path before writing it to furnace.json. Rejects
  * absolute paths, null bytes, and any normalised segment starting with
@@ -80,10 +86,14 @@ export async function furnaceInitCommand(projectRoot, options = {}) {
     }
     await writeFurnaceConfig(projectRoot, config);
     success('Created furnace.json');
+    const scaffoldResult = await scaffoldTokensCss(projectRoot);
     const lines = [`Component prefix: ${config.componentPrefix}`];
     if (config.ftlBasePath) {
         lines.push(`FTL base path: ${config.ftlBasePath}`);
     }
+    if (scaffoldResult.tokensCssPath) {
+        lines.push(`Tokens CSS:       ${scaffoldResult.tokensCssPath}`);
+    }
     note(lines.join('\n'), 'Configuration');
     info('Next steps:\n' +
         '  fireforge furnace scan        — discover engine components\n' +
@@ -91,4 +101,68 @@ export async function furnaceInitCommand(projectRoot, options = {}) {
         '  fireforge furnace override     — fork an existing component');
     outro('Init complete');
 }
+/**
+ * Scaffolds the default tokens CSS file under the engine and registers
+ * its path in `fireforge.json`'s `patchLint.rawColorAllowlist`. Both
+ * operations are skipped silently when the engine directory does not
+ * yet exist (a fresh project that hasn't `fireforge download`ed yet);
+ * the scaffold is re-driven on the next `furnace init --force`.
+ *
+ * Returns the scaffolded path when the file was actually created, so
+ * the init command can surface it in the summary note.
+ */
+async function scaffoldTokensCss(projectRoot) {
+    const paths = getProjectPaths(projectRoot);
+    if (!(await pathExists(paths.engine))) {
+        info('Skipping tokens CSS scaffold: engine/ not found. Run "fireforge download" followed by "fireforge furnace init --force" to scaffold it.');
+        return {};
+    }
+    let forgeConfig;
+    try {
+        forgeConfig = await loadConfig(projectRoot);
+    }
+    catch (error) {
+        warn(`Skipping tokens CSS scaffold: fireforge.json could not be loaded (${toError(error).message}). Re-run "fireforge furnace init --force" after fixing the config.`);
+        return {};
+    }
+    const tokensCssPath = getTokensCssPath(forgeConfig.binaryName);
+    const tokensCssAbsPath = join(paths.engine, tokensCssPath);
+    if (!(await pathExists(tokensCssAbsPath))) {
+        try {
+            await ensureDir(dirname(tokensCssAbsPath));
+            await writeText(tokensCssAbsPath, generateDefaultTokensCss(forgeConfig.binaryName, forgeConfig.license ?? DEFAULT_LICENSE));
+            success(`Scaffolded tokens CSS at engine/${tokensCssPath}`);
+        }
+        catch (error) {
+            warn(`Could not scaffold tokens CSS at engine/${tokensCssPath}: ${toError(error).message}. Create the file manually before running "fireforge token add".`);
+            return {};
+        }
+    }
+    else {
+        info(`Tokens CSS already present at engine/${tokensCssPath}; leaving it untouched.`);
+    }
+    // Registering the tokens file in `patchLint.rawColorAllowlist` is the
+    // complement to the scaffold itself: the file exists specifically to
+    // carry raw color literals, and without the allowlist entry the very
+    // first `fireforge lint` run against a post-`token add` workspace
+    // fails on raw-color-value issues for tokens the operator just
+    // created. The add is idempotent, so re-running `furnace init --force`
+    // does not duplicate the entry.
+    try {
+        const existingAllowlist = forgeConfig.patchLint?.rawColorAllowlist ?? [];
+        if (!existingAllowlist.includes(tokensCssPath)) {
+            const updatedConfig = mutateConfig(forgeConfig, 'patchLint.rawColorAllowlist', [
+                ...existingAllowlist,
+                tokensCssPath,
+            ]);
+            await writeConfig(projectRoot, updatedConfig);
+            info(`Added ${tokensCssPath} to patchLint.rawColorAllowlist`);
+        }
+    }
+    catch (error) {
+        warn(`Could not register tokens CSS in patchLint.rawColorAllowlist: ${toError(error).message}. ` +
+            `Add "${tokensCssPath}" manually under patchLint.rawColorAllowlist in fireforge.json if lint flags its contents.`);
+    }
+    return { tokensCssPath };
+}
 //# sourceMappingURL=init.js.map

package/dist/src/commands/furnace/preview.js

@@ -111,10 +111,23 @@ async function assertPreviewPrerequisites(engineDir) {
             'Run "fireforge build" and wait for it to finish, then rerun "fireforge furnace preview". ' +
             'This preflight avoids a multi-minute `mach storybook upgrade` npm install on an engine that cannot start Storybook anyway.');
     }
+    // Accept either `.cargo/config.toml` (post-configure) or
+    // `.cargo/config.toml.in` (post-bootstrap template, consumed at
+    // `mach configure` time). Pre-0.16.0 the preflight insisted on the
+    // plain file, but `fireforge bootstrap` alone produces only `.in` —
+    // operators who followed the remediation instruction ("run bootstrap
+    // then rerun preview") hit the same refusal on the retry. Either name
+    // is sufficient to prove the Rust toolchain is registered; the stronger
+    // `hasBuildArtifacts` check above already guards against a completely
+    // un-configured tree, so relaxing this to an OR-check does not weaken
+    // the signal we care about.
     const cargoConfigPath = join(engineDir, '.cargo', 'config.toml');
-    if (!(await pathExists(cargoConfigPath))) {
+    const cargoConfigInPath = join(engineDir, '.cargo', 'config.toml.in');
+    const cargoConfigPresent = (await pathExists(cargoConfigPath)) || (await pathExists(cargoConfigInPath));
+    if (!cargoConfigPresent) {
         throw new FurnaceError("Furnace preview requires the engine's Rust toolchain to be bootstrapped. " +
-            '`.cargo/config.toml` is missing under the engine directory — `mach storybook` fails deep inside the Storybook backend compile without it.\n\n' +
+            'Neither `.cargo/config.toml` nor `.cargo/config.toml.in` exists under the engine directory — ' +
+            '`mach storybook` fails deep inside the Storybook backend compile without either of them.\n\n' +
             'Run "fireforge bootstrap" (or the underlying `mach bootstrap` in the engine) to populate the toolchain config, then rerun "fireforge furnace preview".');
     }
 }

package/dist/src/commands/lint.js

@@ -154,10 +154,25 @@ export async function lintCommand(projectRoot, files, options = {}) {
     // really an artefact of aggregation. Surface a one-line note pointing at
     // `--per-patch` so the operator knows the per-patch scope exists before
     // they read the error message as "my queue is broken".
+    //
+    // In aggregate mode over a multi-patch queue we also downgrade the two
+    // size rules from `error` to `warning`. Before this downgrade, a
+    // fresh-imported patch stack of 20+ patches hard-failed `fireforge lint`
+    // on lines-per-aggregate counts that are mathematically impossible to
+    // satisfy without splitting patches that were already split — the
+    // actionable unit is the individual patch, and `--per-patch` is the
+    // mode that matches. Per-patch mode keeps errors as errors (see
+    // `lintPerPatch` below).
     const aggregateHintApplicable = files.length === 0 && ctx !== undefined && ctx.entries.length > 1;
     if (aggregateHintApplicable &&
         issues.some((i) => i.check === 'large-patch-lines' || i.check === 'large-patch-files')) {
-        info('NOTE: aggregate diff across all applied patches. Use `fireforge lint --per-patch` to lint each patch individually; patch-size rules fire against the sum in aggregate mode.');
+        info('NOTE: aggregate diff across all applied patches. Use `fireforge lint --per-patch` to lint each patch individually; patch-size rules fire against the sum in aggregate mode and are reported as warnings rather than errors here.');
+        for (const issue of issues) {
+            if ((issue.check === 'large-patch-lines' || issue.check === 'large-patch-files') &&
+                issue.severity === 'error') {
+                issue.severity = 'warning';
+            }
+        }
     }
     if (issues.length === 0) {
         success('No lint issues found.');

package/dist/src/commands/rebase/patch-loop.js

@@ -4,6 +4,7 @@
  */
 import { join } from 'node:path';
 import { updateState } from '../../core/config.js';
+import { stampFurnaceOverrideBaseVersions } from '../../core/furnace-config.js';
 import { getDiffForFilesAgainstHead } from '../../core/git-diff.js';
 import { applyPatchWithFuzz } from '../../core/patch-apply-fuzz.js';
 import { updatePatch } from '../../core/patch-export.js';
@@ -126,6 +127,24 @@ export async function runPatchLoop(projectRoot, session, paths, maxFuzz) {
     if (appliedFilenames.length > 0) {
         await stampPatchVersions(paths.patches, appliedFilenames, session.toVersion);
     }
+    // Stamp every Furnace override's `baseVersion` to match the rebased
+    // Firefox version. Before this stamp, a successful ESR bump left
+    // overrides in a doctor-failing drift state (each override still
+    // claimed the pre-rebase ESR as its baseline) and every subsequent
+    // `fireforge doctor` failed `Furnace component validation`. The
+    // stamp is unconditional per the helper's contract: rebase already
+    // succeeded on the patch side, so the operator is committing to the
+    // new ESR baseline; per-component health checking stays with
+    // `fireforge furnace validate` / `doctor --repair-furnace`.
+    try {
+        const overridesStamped = await stampFurnaceOverrideBaseVersions(projectRoot, session.toVersion);
+        if (overridesStamped > 0) {
+            info(`Stamped ${overridesStamped} Furnace override baseVersion(s) to ${session.toVersion}.`);
+        }
+    }
+    catch (furnaceStampError) {
+        warn(`Could not stamp Furnace override baseVersion(s) to ${session.toVersion}: ${toError(furnaceStampError).message}. Update baseVersion in furnace.json by hand or run "fireforge furnace refresh" if validate reports drift.`);
+    }
     // Print summary and clean up
     printSummary(session);
     await clearRebaseSession(projectRoot);

package/dist/src/commands/status.js

@@ -337,6 +337,23 @@ export async function statusCommand(projectRoot, options = {}) {
     // branch so raw / unmanaged / default / json all agree.
     const files = filterFireForgeTempFiles(expanded);
     renderTruncationBanner(truncations);
+    // `--json` callers expect machine-parseable output on every invocation,
+    // including the clean-tree case. Before this ordering fix a clean tree
+    // printed "No modified files" / "Working tree clean" via the human
+    // branch below and `--json` was silently ignored, so scripts that piped
+    // the output through a JSON parser broke precisely when there was
+    // nothing to report. Emit `[]` here and return before the human fallback.
+    if (options.json) {
+        await renderJsonStatus(files, paths, projectRoot, config.binaryName);
+        return;
+    }
+    // `--raw` consumers parse the native `git status --porcelain` output
+    // directly. On a clean tree the raw mode should produce nothing on
+    // stdout — the human "Working tree clean" banner would contaminate the
+    // pipe. Short-circuit before the human clean-tree branch below.
+    if (options.raw && files.length === 0) {
+        return;
+    }
     if (files.length === 0) {
         info('No modified files');
         outro('Working tree clean');
@@ -347,11 +364,6 @@ export async function statusCommand(projectRoot, options = {}) {
         renderRawStatus(files);
         return;
     }
-    // JSON mode and default mode both need classification
-    if (options.json) {
-        await renderJsonStatus(files, paths, projectRoot, config.binaryName);
-        return;
-    }
     // Patch-aware classification
     const furnacePrefixes = await collectFurnaceManagedPrefixes(projectRoot);
     const classified = await classifyFiles(files, paths.engine, paths.patches, config.binaryName, furnacePrefixes);