@hominis/fireforge 0.16.2 → 0.16.5

package/dist/src/commands/furnace/status.js

@@ -196,7 +196,7 @@ export async function furnaceStatusCommand(projectRoot, name) {
             warn('Engine drift detected since last apply (reset/download/manual edit). Run `fireforge furnace apply` to re-deploy.');
         }
     }
-    info('Tip: run `furnace status <name>` for detailed component info, or `furnace --help` for all subcommands.');
+    info('Tip: run `fireforge furnace status <name>` for detailed component info, or `fireforge furnace --help` for all subcommands.');
     outro('Status complete');
 }
 //# sourceMappingURL=status.js.map

package/dist/src/commands/import.js

@@ -165,6 +165,32 @@ async function checkEngineDrift(engineDir, baseCommit, forceImport) {
     }
     return true;
 }
+/**
+ * Builds the set of patch filenames in scope when `--until <name>` is set.
+ * Accepts either the full filename (e.g. `001-foo.patch`) or the name
+ * without the `.patch` suffix (matching `applyPatchesWithContinue`'s
+ * `untilFilename` resolver).
+ *
+ * Returns an empty set when no match is found — the caller treats that as
+ * "no scope filter applies" so the import behaves identically to an
+ * unrecognised `--until` target (which `applyPatchesWithContinue` will
+ * later surface as a normal error).
+ */
+function buildUntilFilenameSet(patches, until) {
+    const set = new Set();
+    if (until === undefined)
+        return set;
+    const normalized = until.endsWith('.patch') ? until : `${until}.patch`;
+    const target = patches.find((p) => p.filename === until || p.filename === normalized);
+    if (!target)
+        return set;
+    for (const patch of patches) {
+        if (patch.order <= target.order) {
+            set.add(patch.filename);
+        }
+    }
+    return set;
+}
 /**
  * Runs the import command to apply patches.
  * @param projectRoot - Root directory of the project
@@ -200,20 +226,41 @@ export async function importCommand(projectRoot, options = {}) {
         outro('Import complete (no patches)');
         return;
     }
-    info(`Found ${patchCount} patch${patchCount === 1 ? '' : 'es'} to apply`);
+    // Load manifest early so we can scope the integrity / consistency checks to
+    // the `--until` subset. The manifest-consistency check stays global because
+    // structural manifest corruption (missing / duplicate rows) should block any
+    // import regardless of scope, but per-patch integrity and files-affected
+    // issues are legitimately skippable when the operator has asked to stop at
+    // an earlier patch.
+    const manifest = await loadPatchesManifest(paths.patches);
+    const untilFilenameSet = buildUntilFilenameSet(manifest?.patches ?? [], options.until);
+    const scopedPatchCount = options.until !== undefined ? untilFilenameSet.size : patchCount;
+    info(`Found ${scopedPatchCount} patch${scopedPatchCount === 1 ? '' : 'es'} to apply${options.until !== undefined ? ` (up to ${options.until})` : ''}`);
     const manifestConsistencyIssues = await validatePatchesManifestConsistency(paths.patches);
-    if (manifestConsistencyIssues.length > 0) {
-        const issueSummary = manifestConsistencyIssues.map((issue) => issue.message).join('\n  ');
+    const scopedManifestIssues = options.until !== undefined
+        ? manifestConsistencyIssues.filter((issue) => 
+        // Global (manifest-level) issues have no specific filename to scope
+        // against — a missing or unparseable patches.json blocks any
+        // import. Per-patch issues only block when the patch is in scope.
+        issue.code === 'manifest-missing' ||
+            issue.code === 'manifest-invalid' ||
+            untilFilenameSet.has(issue.filename))
+        : manifestConsistencyIssues;
+    if (scopedManifestIssues.length > 0) {
+        const issueSummary = scopedManifestIssues.map((issue) => issue.message).join('\n  ');
         throw new GeneralError('Patch manifest consistency check failed. Repair patches/patches.json before importing.\n' +
             `  ${issueSummary}\n\n` +
             'Run "fireforge doctor --repair-patches-manifest" to rebuild the manifest from on-disk patch files.');
     }
-    // Load manifest and check version compatibility
-    const manifest = await loadPatchesManifest(paths.patches);
+    // Version compatibility warnings (advisory only)
     if (manifest) {
         const config = await loadConfig(projectRoot);
         const currentVersion = config.firefox.version;
         for (const patch of manifest.patches) {
+            // Scope the advisory warnings too: an operator running with --until
+            // doesn't need to see version warnings for patches outside the range.
+            if (options.until !== undefined && !untilFilenameSet.has(patch.filename))
+                continue;
             const warning = checkVersionCompatibility(patch.sourceEsrVersion, currentVersion);
             if (warning) {
                 warn(`${patch.filename}: ${warning}`);
@@ -225,7 +272,15 @@ export async function importCommand(projectRoot, options = {}) {
     // warn-and-continue behaviour hid the real root cause because import
     // would later fail during patch application with a secondary, unrelated
     // error that made diagnosis harder.
-    const integrityIssues = await validatePatchIntegrity(paths.patches, paths.engine);
+    //
+    // Scope the surfaced issues to the `--until` range: a later patch with
+    // integrity problems should not block importing an earlier good subset,
+    // which is exactly what operators reach for when the tail of the queue
+    // is broken and they want to keep working against an earlier checkpoint.
+    const allIntegrityIssues = await validatePatchIntegrity(paths.patches, paths.engine);
+    const integrityIssues = options.until !== undefined
+        ? allIntegrityIssues.filter((issue) => untilFilenameSet.has(issue.filename))
+        : allIntegrityIssues;
     if (integrityIssues.length > 0) {
         warn('\nPatch integrity issues detected:');
         for (const issue of integrityIssues) {
@@ -253,11 +308,8 @@ export async function importCommand(projectRoot, options = {}) {
     // Dry-run: list patches that would be applied and exit
     if (isDryRun) {
         if (manifest) {
-            const patches = options.until
-                ? manifest.patches.filter((p) => {
-                    const untilPatch = manifest.patches.find((u) => u.filename === options.until || u.filename === `${options.until}.patch`);
-                    return untilPatch ? p.order <= untilPatch.order : true;
-                })
+            const patches = options.until !== undefined
+                ? manifest.patches.filter((p) => untilFilenameSet.has(p.filename))
                 : manifest.patches;
             info(`\n[dry-run] Would apply ${patches.length} patch(es) in order:`);
             for (const patch of patches) {

package/dist/src/commands/patch/delete.js

@@ -114,7 +114,16 @@ export async function patchDeleteCommand(projectRoot, identifier, options = {})
     }
     const conflicts = dependents.length > 0
         ? {
-            reason: `${dependents.length} later patch(es) depend on files created by ${target.filename}`,
+            // Wording deliberately clarifies the *runtime* impact: `git apply`
+            // doesn't resolve imports and will succeed even when a later patch
+            // imports a file the target created (the eval observed this
+            // directly — forcing the delete and re-importing the remaining
+            // 20-patch queue was clean). The breakage surfaces at browser
+            // startup when `ChromeUtils.importESModule` can't locate the
+            // deleted module. Operators who deliberately plan to re-introduce
+            // the imported files (rename, refactor) need to know this is the
+            // impact model, not a patch-application failure.
+            reason: `${dependents.length} later patch(es) contain import statements that reference files created by ${target.filename}. Patch application itself will still succeed, but runtime imports will fail at browser startup until those files are re-introduced.`,
             details: dependents,
         }
         : null;

package/dist/src/commands/patch/index.js

@@ -20,7 +20,16 @@ export { patchReorderCommand } from './reorder.js';
 export function registerPatch(program, context) {
     const patch = program
         .command('patch')
-        .description('Manage individual patches in the queue (compact, delete, reorder)');
+        .description('Manage individual patches in the queue (compact, delete, reorder)')
+        // Match `fireforge furnace`'s no-args contract: print the group's help and
+        // exit 0. Without this default action, commander routes `fireforge patch`
+        // (no subcommand) through its own help-then-exit-1 path, so scripts that
+        // probe the CLI surface see a misleading non-zero exit for a purely
+        // informational invocation. The action prints the exact same help commander
+        // would otherwise print, but returns successfully.
+        .action(() => {
+        patch.outputHelp();
+    });
     registerPatchCompact(patch, context);
     registerPatchDelete(patch, context);
     registerPatchReorder(patch, context);

package/dist/src/commands/re-export.js

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: EUPL-1.2
 import { dirname, join } from 'node:path';
-import { multiselect } from '@clack/prompts';
+import { confirm, multiselect } from '@clack/prompts';
 import { getProjectPaths, loadConfig } from '../core/config.js';
 import { isGitRepository } from '../core/git.js';
 import { getDiffForFilesAgainstHead } from '../core/git-diff.js';
@@ -11,6 +11,14 @@ import { GeneralError, InvalidArgumentError } from '../errors/base.js';
 import { toError } from '../utils/errors.js';
 import { pathExists } from '../utils/fs.js';
 import { cancel, info, intro, isCancel, outro, spinner, success, warn } from '../utils/logger.js';
+/**
+ * Threshold above which `--scan` must be explicitly confirmed. Values were
+ * picked so the common "refresh after one-or-two-file tweak" case stays
+ * frictionless while catching the eval finding #13 scenario where `--scan`
+ * silently pulled in an entire sibling feature (xhtml + tests + theme CSS).
+ */
+const SCAN_ADD_COUNT_THRESHOLD = 3;
+const SCAN_DIR_COUNT_THRESHOLD = 2;
 import { pickDefined } from '../utils/options.js';
 import { runPatchLint } from './export-shared.js';
 import { reExportFilesInPlace } from './re-export-files.js';
@@ -39,25 +47,90 @@ async function scanPatchFiles(currentFilesAffected, engineDir, manifest, patchFi
             removed.push(f);
         }
     }
-    for (const f of added.sort()) {
+    const sortedAdded = [...added].sort();
+    const sortedRemoved = [...removed].sort();
+    for (const f of sortedAdded) {
         info(`  + ${f}`);
     }
-    for (const f of removed.sort()) {
+    for (const f of sortedRemoved) {
         info(`  - ${f}`);
     }
     if (added.length > 0 || removed.length > 0) {
         const removedSet = new Set(removed);
         const updated = [...currentFilesAffected.filter((f) => !removedSet.has(f)), ...added].sort();
         info(`  ${isDryRun ? 'Would update' : 'Updated'} ${patchFilename}: +${added.length} / -${removed.length} files`);
-        return updated;
+        return { updated, added: sortedAdded, removed: sortedRemoved };
     }
-    return currentFilesAffected;
+    return { updated: currentFilesAffected, added: [], removed: [] };
+}
+/**
+ * Returns true when the caller-confirmed threshold is exceeded for this
+ * scan's additions. The heuristic treats "small, same-directory" additions
+ * as friction-free (the common refresh case) and flags larger or
+ * multi-directory expansions so operators see them before they land.
+ *
+ * Pre-0.16.0 `--scan` silently broadened patches to include any modified or
+ * untracked file that shared a parent directory with the existing
+ * filesAffected — in practice, pulling adjacent feature code into a patch
+ * that had nothing to do with it. The gate below turns the broadening into
+ * an explicit opt-in.
+ */
+function scanAdditionsNeedConfirmation(added) {
+    if (added.length === 0)
+        return false;
+    if (added.length > SCAN_ADD_COUNT_THRESHOLD)
+        return true;
+    const dirs = new Set(added.map((f) => dirname(f)));
+    return dirs.size >= SCAN_DIR_COUNT_THRESHOLD;
+}
+/**
+ * Gate for broad `--scan` additions. Enforces explicit acknowledgement when
+ * the scan would pull in more files than a narrow refresh. Dry-run always
+ * proceeds (the preview is the whole point).
+ *
+ * @returns true if the caller should proceed; false if the user cancelled.
+ */
+async function confirmBroadScanAdditions(args) {
+    const { patchFilename, added, isDryRun, yes, isInteractive } = args;
+    if (isDryRun)
+        return true;
+    if (!scanAdditionsNeedConfirmation(added))
+        return true;
+    if (yes)
+        return true;
+    warn(`${patchFilename}: --scan would add ${String(added.length)} file(s) that span ${String(new Set(added.map((f) => dirname(f))).size)} director${new Set(added.map((f) => dirname(f))).size === 1 ? 'y' : 'ies'}. ` +
+        'Broad scans can silently pull adjacent features into a patch — review the diff before continuing.');
+    if (!isInteractive) {
+        throw new GeneralError(`Refusing to broaden "${patchFilename}" via --scan in non-interactive mode. ` +
+            'Pass --yes to acknowledge the expansion, or run with --dry-run first to review.');
+    }
+    const confirmed = await confirm({
+        message: `Proceed and broaden ${patchFilename} with ${String(added.length)} newly discovered file(s)?`,
+        initialValue: false,
+    });
+    if (isCancel(confirmed) || !confirmed) {
+        cancel(`Skipped ${patchFilename}`);
+        return false;
+    }
+    return true;
 }
 async function reExportSinglePatch(patch, paths, manifest, options, isDryRun, config) {
     let currentFilesAffected = [...patch.filesAffected];
     // --- Scan for new/removed files ---
     if (options.scan) {
-        currentFilesAffected = await scanPatchFiles(currentFilesAffected, paths.engine, manifest, patch.filename, isDryRun);
+        const scanResult = await scanPatchFiles(currentFilesAffected, paths.engine, manifest, patch.filename, isDryRun);
+        const isInteractive = process.stdin.isTTY && process.stdout.isTTY;
+        const proceed = await confirmBroadScanAdditions({
+            patchFilename: patch.filename,
+            added: scanResult.added,
+            isDryRun,
+            yes: options.yes === true,
+            isInteractive,
+        });
+        if (!proceed) {
+            return false;
+        }
+        currentFilesAffected = scanResult.updated;
     }
     else if (options.files === undefined) {
         // Finding #16: when neither `--scan` nor `--files` is set and some

package/dist/src/commands/resolve.js

@@ -5,6 +5,7 @@ import { getProjectPaths, loadConfig, loadState, updateState } from '../core/con
 import { isGitRepository } from '../core/git.js';
 import { getStagedDiffForFiles } from '../core/git-diff.js';
 import { stageFiles, unstageFiles } from '../core/git-file-ops.js';
+import { extractAffectedFiles } from '../core/patch-apply.js';
 import { updatePatchAndMetadata } from '../core/patch-export.js';
 import { loadPatchesManifest } from '../core/patch-manifest.js';
 import { GeneralError, ResolutionError } from '../errors/base.js';
@@ -106,9 +107,22 @@ export async function resolveCommand(projectRoot) {
         // import / export / re-export / patch reorder / patch compact could
         // interleave with and leave the manifest disagreeing with the
         // freshly-written patch body.
+        //
+        // Always recompute `filesAffected` from the diff content itself. The
+        // eval finding #16 scenario: the user's manual fix removed every
+        // hunk for one file while the file still existed on disk, so the
+        // pre-0.16.0 gate of "update filesAffected only when files were
+        // deleted from disk" left the manifest claiming a file the patch
+        // body no longer targeted. The next `fireforge import` then failed
+        // the patch-manifest consistency check even though resolve reported
+        // success. `extractAffectedFiles` already owns the canonical
+        // "parse a diff, return its target paths" logic used by export and
+        // consistency — using it here keeps resolve in agreement with every
+        // other writer.
+        const diffFilesAffected = extractAffectedFiles(diffContent);
         const config = await loadConfig(projectRoot);
         await updatePatchAndMetadata(paths.patches, patchFilename, diffContent, {
-            ...(activeFiles.length < existingFiles.length ? { filesAffected: activeFiles } : {}),
+            filesAffected: diffFilesAffected,
             sourceEsrVersion: config.firefox.version,
         });
         // Cleanup: Clear pendingResolution from state.json transactionally so

package/dist/src/commands/run.js

@@ -183,17 +183,31 @@ async function runSmokeExit(engineDir, options) {
         warn(`--capture-console stream error: ${err.message}`);
     });
     const findings = [];
-    let allowlistedHits = 0;
+    let allowlistedErrorHits = 0;
+    let allowlistedTotalHits = 0;
     const handleLine = (stream, line) => {
         // Mirror raw output to the terminal so operators watching the smoke
         // run still see what the browser is printing. Stream selection on the
         // mirror preserves stdout/stderr separation for downstream piping.
         const sink = stream === 'stdout' ? process.stdout : process.stderr;
         sink.write(`${line}\n`);
+        // Count allowlist hits up-front, regardless of error-pattern match.
+        // Pre-0.16.0 the counter only incremented when the line ALSO matched
+        // an error pattern — so an allowlist regex that visibly matched
+        // `console.warn: RSLoader:` still reported 0 hits because
+        // `console.warn:` is not a smoke error class, confusing operators
+        // who were tuning their allowlist. We now surface two numbers: the
+        // total set of allowlisted lines (what the operator sees in the
+        // console) and the subset that were error-class (what the smoke
+        // exit contract cares about). The exit contract itself is unchanged.
+        const isAllowlisted = allowlist.length > 0 && matchesAllowlist(line, allowlist);
+        if (isAllowlisted) {
+            allowlistedTotalHits += 1;
+        }
         if (!matchesSmokeError(line))
             return;
-        if (matchesAllowlist(line, allowlist)) {
-            allowlistedHits += 1;
+        if (isAllowlisted) {
+            allowlistedErrorHits += 1;
             return;
         }
         findings.push({ stream, line });
@@ -221,7 +235,8 @@ async function runSmokeExit(engineDir, options) {
         smokeTimeoutMs,
         elapsedMs,
         timedOut: result.timedOut,
-        allowlistedHits,
+        allowlistedErrorHits,
+        allowlistedTotalHits,
         findings,
         exitCode: result.exitCode,
     });
@@ -278,7 +293,14 @@ function reportSmokeSummary(args) {
     info('');
     info(`Smoke run complete: ${seconds}s elapsed of ${windowSeconds}s window${suffix}`);
     info(`  Unallowed errors: ${String(args.findings.length)}`);
-    info(`  Allowlisted hits: ${String(args.allowlistedHits)}`);
+    // The "suppressed errors" count is what the exit contract cares about —
+    // it is the subset of allowlisted hits that would otherwise have been
+    // tallied as findings. The "all allowlisted lines" count answers the
+    // operator's mental model ("my --console-allow pattern matched N
+    // console lines"), which pre-0.16.0 was missing and led to 0-hit
+    // reports on visibly matching regexes.
+    info(`  Allowlisted error hits (suppressed): ${String(args.allowlistedErrorHits)}`);
+    info(`  Allowlisted lines total: ${String(args.allowlistedTotalHits)}`);
     info(`  Child exit code:  ${String(args.exitCode)}`);
     if (args.findings.length === 0)
         return;

package/dist/src/commands/setup-support.js

@@ -263,6 +263,59 @@ export function buildSetupConfig(inputs) {
         },
     };
 }
+/**
+ * Creates or updates the root `package.json` so its `license` field matches
+ * the project license selected during setup. When the file already exists we
+ * ONLY touch the `license` field — preserving `name`, `description`,
+ * `dependencies`, `scripts`, and every other author-editorial field the
+ * operator may have added. Without this sync, a `fireforge setup --force`
+ * that picked a new license left the old license in `package.json`, which
+ * then disagreed with `fireforge.json` (the motivating eval finding:
+ * setup rewrote fireforge.json but left the original package.json
+ * untouched, so the two files described different projects).
+ *
+ * Preserves the file's trailing newline state so a hand-edited
+ * `package.json` with a specific EOL convention is not silently
+ * re-normalised.
+ */
+async function syncRootPackageJson(projectRoot, license) {
+    const rootPackageJsonPath = join(projectRoot, 'package.json');
+    if (!(await pathExists(rootPackageJsonPath))) {
+        const rootPackageJson = {
+            private: true,
+            license,
+        };
+        await writeText(rootPackageJsonPath, JSON.stringify(rootPackageJson, null, 2) + '\n');
+        return;
+    }
+    const raw = await readText(rootPackageJsonPath);
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        // Malformed package.json is the operator's editorial responsibility to
+        // repair; rewriting it would risk clobbering hand-authored content that
+        // the parser happens to reject. Leave the file alone and rely on the
+        // doctor / lint paths that already surface invalid JSON.
+        return;
+    }
+    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
+        return;
+    }
+    // Treat the object as a typed shape with only the one field we modify.
+    // Keeping it narrowly typed rather than `Record<string, unknown>` avoids
+    // eslint's `dot-notation` / `noPropertyAccessFromIndexSignature`
+    // friction, and the rest of the package.json body is preserved via
+    // object spread at the write site so we don't lose author-editorial
+    // fields.
+    const packageJson = parsed;
+    if (packageJson.license === license) {
+        return;
+    }
+    const trailingNewline = raw.endsWith('\n') ? '\n' : '';
+    await writeText(rootPackageJsonPath, JSON.stringify({ ...packageJson, license }, null, 2) + trailingNewline);
+}
 /** Writes the initial project files produced by the setup workflow. */
 export async function writeSetupProjectFiles(projectRoot, config) {
     const paths = getProjectPaths(projectRoot);
@@ -291,13 +344,13 @@ export async function writeSetupProjectFiles(projectRoot, config) {
     else {
         await writeText(gitignorePath, requiredIgnores.join('\n') + '\n');
     }
-    const rootPackageJsonPath = join(projectRoot, 'package.json');
-    if (!(await pathExists(rootPackageJsonPath))) {
-        const rootPackageJson = {
-            private: true,
-            license: config.license,
-        };
-        await writeText(rootPackageJsonPath, JSON.stringify(rootPackageJson, null, 2) + '\n');
+    // FireForgeConfig types license as optional, but `buildSetupConfig` always
+    // fills it from the resolved setup inputs (which default to `EUPL-1.2`).
+    // Narrow explicitly so the helper takes a concrete license rather than
+    // widening its own signature for a field that is always set at this call
+    // site.
+    if (config.license !== undefined) {
+        await syncRootPackageJson(projectRoot, config.license);
     }
     const templatesDir = getTemplatesDir();
     if (config.license !== undefined) {

package/dist/src/commands/status.js

@@ -3,7 +3,7 @@ import { join } from 'node:path';
 import { isBrandingManagedPath } from '../core/branding.js';
 import { getProjectPaths, loadConfig } from '../core/config.js';
 import { collectFurnaceManagedPrefixes } from '../core/furnace-config.js';
-import { getStatusWithCodes, isGitRepository } from '../core/git.js';
+import { getHead, getStatusWithCodes, isGitRepository, isMissingHeadError } from '../core/git.js';
 import { getUntrackedFilesInDir } from '../core/git-status.js';
 import { isFileRegistered, matchesRegistrablePattern } from '../core/manifest-rules.js';
 import { buildOwnershipTable, renderOwnershipTable } from '../core/ownership-table.js';
@@ -262,6 +262,32 @@ async function renderJsonStatus(files, paths, projectRoot, binaryName) {
     }));
     process.stdout.write(JSON.stringify(output, null, 2) + '\n');
 }
+/**
+ * Detects the "unborn HEAD" aftermath of an interrupted `fireforge download`
+ * — git init succeeded but the initial Firefox source commit was never
+ * created, so every file in engine/ reads as untracked. On a ~600 MB
+ * Firefox tree this would flood the output with hundreds of thousands of
+ * entries and a truncation warning, which is technically correct but not
+ * actionable. Throws a `GeneralError` with a single recovery banner
+ * pointing at `fireforge download --force`. `raw` / `json` modes skip the
+ * banner so their consumers see the structural failure in error form
+ * only.
+ */
+async function assertEngineHasBaselineCommit(engineDir, options) {
+    try {
+        await getHead(engineDir);
+    }
+    catch (err) {
+        if (!isMissingHeadError(err))
+            throw err;
+        const guidance = 'Engine repository has no baseline commit yet — a previous "fireforge download" was interrupted before git created the initial Firefox source commit. Re-run "fireforge download --force" to recreate the baseline repository cleanly.';
+        if (!options.raw && !options.json) {
+            warn(guidance);
+            outro('Engine baseline missing — re-run download --force');
+        }
+        throw new GeneralError(guidance);
+    }
+}
 /**
  * Runs the status command to show modified files.
  * @param projectRoot - Root directory of the project
@@ -331,6 +357,7 @@ export async function statusCommand(projectRoot, options = {}) {
     if (!(await isGitRepository(paths.engine))) {
         throw new GeneralError('Engine directory is not a git repository. Run "fireforge download" to initialize.');
     }
+    await assertEngineHasBaselineCommit(paths.engine, options);
     const rawFiles = await getStatusWithCodes(paths.engine);
     const { entries: expanded, truncations } = await expandDirectoryEntries(rawFiles, paths.engine);
     // Strip atomic-write temp files (Finding #18) before every mode

package/dist/src/commands/test.js

@@ -9,7 +9,7 @@ import { operatorAlreadySetAppPath, resolveXpcshellAppdirArg, } from '../core/xp
 import { GeneralError } from '../errors/base.js';
 import { AmbiguousBuildArtifactsError, BuildError } from '../errors/build.js';
 import { pathExists } from '../utils/fs.js';
-import { info, intro, spinner, warn } from '../utils/logger.js';
+import { info, intro, outro, spinner, warn } from '../utils/logger.js';
 import { pickDefined } from '../utils/options.js';
 import { stripEnginePrefix } from '../utils/paths.js';
 async function assertTestPathsExist(engineDir, testPaths) {
@@ -36,8 +36,14 @@ function buildStaleBuildMessage() {
         'Re-run "fireforge build --ui" or "fireforge test --build" and then retry.');
 }
 function hasStaleBuildArtifactsSignal(output) {
+    // Deliberately narrow: only fire on branding-specific resource paths
+    // that are always a stale-artifact symptom. The earlier pattern also
+    // matched `resource:///modules/distribution.sys.mjs`, which surfaced on
+    // real packaging / module-resolution failures too (e.g. a fork's
+    // `HominisStore.sys.mjs` missing from the installed app dir after a
+    // successful build). That false-positive pushed operators toward
+    // "rebuild" advice for what was actually a module-registration issue.
     return (/chrome:\/\/branding\/locale\/brand\.properties/i.test(output) ||
-        /resource:\/\/\/modules\/distribution\.sys\.mjs/i.test(output) ||
         /browser\/branding\/[^/\s]+\/moz\.build/i.test(output));
 }
 // Detects the broader xpcshell symptom where every `resource:///modules/...`
@@ -87,15 +93,25 @@ function handleNonZeroTestExit(result, normalizedPaths, appdirInjectionAttempted
     if (/UNKNOWN TEST\b/i.test(combinedOutput)) {
         throw new GeneralError(buildUnknownTestMessage(normalizedPaths));
     }
+    // Branding-specific stale-build signals keep priority over the broader
+    // xpcshell-appdir hint: when `chrome://branding/locale/brand.properties`
+    // fails to resolve, the fix really is "rebuild", not "pass --app-path".
+    // But the stale-build check is now narrower — it no longer matches
+    // `resource:///modules/distribution.sys.mjs` alone, which was producing
+    // false-positive rebuild advice on fork-custom module-load failures
+    // (the eval saw this for `HominisStore.sys.mjs`). Cases that once
+    // landed on `distribution.sys.mjs` fall through to xpcshell-appdir,
+    // which is the more useful diagnosis in practice for `Failed to load
+    // resource:///modules/…`.
     if (hasStaleBuildArtifactsSignal(combinedOutput)) {
         throw new GeneralError(buildStaleBuildMessage());
     }
-    if (hasMochitestHttp3ServerSignal(combinedOutput)) {
-        throw new GeneralError(buildMochitestHttp3ServerMessage());
-    }
     if (hasXpcshellAppdirSignal(combinedOutput)) {
         throw new GeneralError(buildXpcshellAppdirMessage(appdirInjectionAttempted));
     }
+    if (hasMochitestHttp3ServerSignal(combinedOutput)) {
+        throw new GeneralError(buildMochitestHttp3ServerMessage());
+    }
     if (/invalid filename/i.test(combinedOutput) ||
         /chrome:\/\/mochitests.*not found/i.test(combinedOutput)) {
         info('Hint: The test file may not be registered in browser.toml or jar.mn.');
@@ -171,6 +187,13 @@ export async function testCommand(projectRoot, testPaths, options = {}) {
             if (!preflight.ok) {
                 throw new GeneralError('Marionette preflight reported FAIL — see output above.');
             }
+            // Close the intro frame explicitly. Without an outro, clack's
+            // grouped-output mode left the PASS line hanging inside an
+            // unclosed tree — in the eval's non-TTY capture the info line
+            // itself failed to render, so `test --doctor` looked like it had
+            // exited silently after the spinner start line. The outro also
+            // gives scripts a deterministic "done" marker to parse.
+            outro(`Marionette preflight: PASS (${preflight.durationMs}ms)`);
             return;
         }
         if (!preflight.ok) {

package/dist/src/commands/token-coverage.js

@@ -1,5 +1,7 @@
 // SPDX-License-Identifier: EUPL-1.2
+import { join } from 'node:path';
 import { getProjectPaths, loadConfig } from '../core/config.js';
+import { furnaceConfigExists, loadFurnaceConfig } from '../core/furnace-config.js';
 import { getStatusWithCodes, isGitRepository } from '../core/git.js';
 import { measureTokenCoverage } from '../core/token-coverage.js';
 import { getTokensCssPath } from '../core/token-manager.js';
@@ -22,9 +24,19 @@ export async function tokenCoverageCommand(projectRoot) {
     const config = await loadConfig(projectRoot);
     const tokensCssPath = getTokensCssPath(config.binaryName);
     const files = await getStatusWithCodes(paths.engine);
-    const cssFiles = files
+    const statusCssFiles = files
         .filter((f) => f.file.endsWith('.css') && f.file !== tokensCssPath)
         .map((f) => f.file);
+    // Also scan CSS files deployed by Furnace custom components. Deployed
+    // files can be committed (and therefore absent from `git status`) while
+    // still being the primary surface where token adoption matters. Before
+    // 0.16.0, coverage only looked at modified files, which silently
+    // undercounted projects where Furnace writes many component-CSS files
+    // into the engine and they are already tracked.
+    const furnaceCssFiles = await collectFurnaceCustomCssFiles(projectRoot, paths.engine, tokensCssPath);
+    // De-dupe so a file that is both a custom deploy target AND modified is
+    // scanned exactly once.
+    const cssFiles = [...new Set([...statusCssFiles, ...furnaceCssFiles])];
     if (cssFiles.length === 0) {
         info('No modified CSS files');
         outro('Nothing to measure');
@@ -54,4 +66,46 @@ export async function tokenCoverageCommand(projectRoot) {
     }
     outro(`${report.filesScanned} CSS file${report.filesScanned === 1 ? '' : 's'} scanned`);
 }
+/**
+ * Returns engine-relative `.css` paths deployed by every Furnace custom
+ * component registered in `furnace.json`. Only files that actually exist
+ * on disk are included — a component whose deploy target is missing (e.g.
+ * `furnace apply` has not run yet) is skipped silently so a fresh
+ * `furnace init` followed immediately by `token coverage` does not error.
+ *
+ * Returns an empty array when the project has no furnace.json, no custom
+ * components, or when loading the config fails (a warn is emitted in the
+ * last case so the user can diagnose a broken furnace.json without losing
+ * coverage results on the non-furnace CSS files).
+ */
+async function collectFurnaceCustomCssFiles(projectRoot, engineDir, tokensCssPath) {
+    if (!(await furnaceConfigExists(projectRoot))) {
+        return [];
+    }
+    let furnaceConfig;
+    try {
+        furnaceConfig = await loadFurnaceConfig(projectRoot);
+    }
+    catch (error) {
+        warn(`Could not load furnace.json for token coverage — scanning modified files only (${error.message})`);
+        return [];
+    }
+    const results = [];
+    for (const [componentName, customConfig] of Object.entries(furnaceConfig.custom)) {
+        // Upstream Firefox widget layout: every component lives at
+        // `toolkit/content/widgets/<tagName>/` and ships at least
+        // `<tagName>.css`. `targetPath` already resolves to that directory
+        // (the create command writes `toolkit/content/widgets/<name>` into
+        // furnace.json) so we can probe the default layout directly without
+        // walking the whole tree.
+        const candidate = `${customConfig.targetPath}/${componentName}.css`;
+        if (candidate === tokensCssPath)
+            continue;
+        const absolutePath = join(engineDir, candidate);
+        if (await pathExists(absolutePath)) {
+            results.push(candidate);
+        }
+    }
+    return results;
+}
 //# sourceMappingURL=token-coverage.js.map