@hominis/fireforge 0.16.2 → 0.16.5

package/dist/src/core/marionette-preflight.js

@@ -110,6 +110,16 @@ export async function runMarionettePreflight(engineDir, options = {}) {
                 cwd: engineDir,
                 env: { ...process.env, MOZ_HEADLESS: '1' },
                 stdio: ['ignore', 'ignore', 'pipe'],
+                // `detached: true` puts the child in a new process group so we can
+                // signal it and every descendant (Firefox, its helpers) via
+                // `process.kill(-pid, …)` in the finally block. Without this, the
+                // child is Python running mach; a SIGTERM kills Python but the
+                // Firefox grandchild inherits the stderr pipe FD and keeps Node's
+                // event loop alive even after the preflight PASS log. The symptom
+                // is `fireforge test --doctor` printing `Marionette preflight:
+                // PASS` and then hanging indefinitely in `uv__io_poll` — see the
+                // eval finding.
+                detached: true,
             });
         }
         catch (error) {
@@ -154,24 +164,21 @@ export async function runMarionettePreflight(engineDir, options = {}) {
     }
     finally {
         if (child && !hasChildExited(child)) {
-            try {
-                child.kill('SIGTERM');
-            }
-            catch {
-                // Already exited — nothing to do.
-            }
+            killProcessGroup(child, 'SIGTERM');
             // Small escalation: if the child doesn't honour SIGTERM quickly, SIGKILL
             // so we don't leave a ghost mach process around after a failed probe.
             await delay(500);
             if (!hasChildExited(child)) {
-                try {
-                    child.kill('SIGKILL');
-                }
-                catch {
-                    // Already gone.
-                }
+                killProcessGroup(child, 'SIGKILL');
             }
         }
+        // Destroy the stderr pipe explicitly. Firefox (a grandchild of the Python
+        // mach wrapper we spawned) can inherit and hold the stderr FD even after
+        // its direct parent exits — until the pipe closes, Node's readable
+        // stream stays attached and `uv__io_poll` keeps the event loop alive.
+        // `destroy()` closes the local end regardless, so `fireforge test
+        // --doctor` exits cleanly after a passing preflight.
+        child?.stderr?.destroy();
         try {
             await rm(profileDir, { recursive: true, force: true });
         }
@@ -180,6 +187,30 @@ export async function runMarionettePreflight(engineDir, options = {}) {
         }
     }
 }
+/**
+ * Sends `signal` to the child's whole process group when possible, falling
+ * back to a direct `child.kill` for environments that don't support
+ * `detached: true` (Windows in particular: Node still returns a pid, but
+ * `kill(-pid, …)` is not a supported kernel primitive).
+ */
+function killProcessGroup(child, signal) {
+    if (child.pid !== undefined && process.platform !== 'win32') {
+        try {
+            process.kill(-child.pid, signal);
+            return;
+        }
+        catch {
+            // ESRCH / EPERM — fall through to the narrow kill below so we at
+            // least signal the direct child.
+        }
+    }
+    try {
+        child.kill(signal);
+    }
+    catch {
+        // Already exited — nothing to do.
+    }
+}
 function fail(layer, message, durationMs) {
     return {
         ok: false,

package/dist/src/core/patch-files.d.ts

@@ -7,5 +7,16 @@ export declare function countPatches(patchesDir: string): Promise<number>;
 export declare function isNewFilePatch(patchPath: string): Promise<boolean>;
 /** Returns the first target file path referenced by a patch, if any. */
 export declare function getTargetFileFromPatch(patchPath: string): Promise<string | null>;
-/** Returns all target file paths referenced by a multi-file patch. */
+/**
+ * Returns all target file paths referenced by a multi-file patch.
+ *
+ * Delegates to {@link extractAffectedFiles} so `GIT binary patch` sections
+ * (which have no `+++ b/…` line, only a `diff --git a/… b/…` header) are
+ * included alongside text hunks. Before this delegation the custom regex
+ * only matched `+++ b/…` lines, dropping every binary file from
+ * `filesAffected` — verify reported `files-affected-mismatch` against
+ * branding patches and `doctor --repair-patches-manifest` "repaired" the
+ * manifest by rewriting it to the text-only subset, hiding the true scope
+ * of the patch.
+ */
 export declare function getAllTargetFilesFromPatch(patchPath: string): Promise<string[]>;

package/dist/src/core/patch-files.js

@@ -2,7 +2,7 @@
 import { readdir } from 'node:fs/promises';
 import { extname, join } from 'node:path';
 import { pathExists, readText } from '../utils/fs.js';
-import { extractOrder } from './patch-parse.js';
+import { extractAffectedFiles, extractOrder } from './patch-parse.js';
 /** Discovers patch files in a directory and returns them in apply order. */
 export async function discoverPatches(patchesDir) {
     if (!(await pathExists(patchesDir))) {
@@ -35,17 +35,20 @@ export async function getTargetFileFromPatch(patchPath) {
     const match = /^\+\+\+ b\/(.+)$/m.exec(content);
     return match?.[1] ?? null;
 }
-/** Returns all target file paths referenced by a multi-file patch. */
+/**
+ * Returns all target file paths referenced by a multi-file patch.
+ *
+ * Delegates to {@link extractAffectedFiles} so `GIT binary patch` sections
+ * (which have no `+++ b/…` line, only a `diff --git a/… b/…` header) are
+ * included alongside text hunks. Before this delegation the custom regex
+ * only matched `+++ b/…` lines, dropping every binary file from
+ * `filesAffected` — verify reported `files-affected-mismatch` against
+ * branding patches and `doctor --repair-patches-manifest` "repaired" the
+ * manifest by rewriting it to the text-only subset, hiding the true scope
+ * of the patch.
+ */
 export async function getAllTargetFilesFromPatch(patchPath) {
     const content = await readText(patchPath);
-    const files = [];
-    const regex = /^\+\+\+ b\/(.+)$/gm;
-    let match;
-    while ((match = regex.exec(content)) !== null) {
-        if (match[1]) {
-            files.push(match[1]);
-        }
-    }
-    return files;
+    return extractAffectedFiles(content);
 }
 //# sourceMappingURL=patch-files.js.map

package/dist/src/core/patch-lint.js

@@ -60,7 +60,28 @@ export function countNonBinaryDiffLines(diffContent) {
 const PATCH_LINE_THRESHOLDS = {
     general: { notice: 800, warning: 1500, error: 3000 },
     test: { notice: 1500, warning: 3000, error: 6000 },
+    /**
+     * Branding patches have a legitimate reason to be large: they include
+     * every locale's `brand.ftl`, copied upstream CSS/PNG assets, and the
+     * fork-specific `configure.sh` / `brand.properties` under a single
+     * `browser/branding/<name>/` subtree. The general hard limit of 3000
+     * lines fires on even a first-export branding patch (the eval saw 15904
+     * lines for a freshly-setup fork), which is loud but not actionable —
+     * the patch already is the minimum branding diff. A dedicated tier keeps
+     * the size guidance while moving the hard limit to a threshold that
+     * corresponds to "something other than branding is bundled in here too".
+     */
+    branding: { notice: 3000, warning: 8000, error: 20000 },
 };
+/**
+ * Returns true when every file in a patch lives under `browser/branding/`.
+ * Used by `lintPatchSize` to pick the branding threshold tier.
+ */
+function isBrandingOnlyPatch(files) {
+    if (files.length === 0)
+        return false;
+    return files.every((file) => file.startsWith('browser/branding/'));
+}
 /**
  * Returns true if the filename looks like a JS/MJS/JSM file.
  * Handles `.sys.mjs` as well.
@@ -133,10 +154,18 @@ export async function lintPatchedCss(repoDir, affectedFiles, diffContent, config
         // Strip block comments before scanning
         const cssContent = rawCss.replace(/\/\*[\s\S]*?\*\//g, '');
         // Check only introduced raw color values when diff context is available.
-        // Skip files on the raw-color allowlist (exact path or basename match).
+        // Skip files on the raw-color allowlist (exact path or basename match) and
+        // auto-exempt files under `browser/branding/` — those are the fork's
+        // visual identity assets (app-about dialogs, installer pages, branded
+        // CSS copied from Firefox's `unofficial` template) and belong to the
+        // design-decision layer the design-token system does not govern.
+        // Without this auto-exemption, every first-time setup's copied CSS
+        // failed `raw-color-value` with no actionable fix other than manually
+        // listing each path in `rawColorAllowlist`.
         const allowlist = config?.patchLint?.rawColorAllowlist;
         const isAllowlisted = allowlist?.some((entry) => file === entry || file.endsWith('/' + entry));
-        if (!isAllowlisted) {
+        const isBranding = file.startsWith('browser/branding/');
+        if (!isAllowlisted && !isBranding) {
             // Strip lines with inline fireforge-ignore: raw-color-value suppression.
             // Check against rawCss (before comment stripping) so the CSS comment marker is still present.
             const sourceForSuppression = addedLinesByFile
@@ -239,14 +268,25 @@ export async function lintNewFileHeaders(repoDir, newFiles, config) {
             continue;
         const content = await readText(filePath);
         const expectedHeader = getLicenseHeader(license, style);
-        if (!content.startsWith(expectedHeader)) {
-            issues.push({
-                file,
-                check: 'missing-license-header',
-                message: `New file is missing the required ${license} license header.`,
-                severity: 'error',
-            });
-        }
+        // Auto-exempt `browser/branding/` when the file carries ANY recognised
+        // license header in the matching comment style. The setup-generated
+        // branding directory is copied from Firefox's `unofficial` template,
+        // which arrives with Mozilla MPL-2.0 headers — those are legitimate
+        // for copyright purposes (the assets are Mozilla's) even when the
+        // fork's own code is 0BSD / EUPL-1.2 / GPL-2.0-or-later. The narrower
+        // license-match rule would force operators to either rewrite the
+        // copied headers (misrepresenting authorship) or suppress the lint
+        // with `--skip-lint` (hiding real issues elsewhere).
+        if (content.startsWith(expectedHeader))
+            continue;
+        if (file.startsWith('browser/branding/') && hasAnyLicenseHeader(content, style))
+            continue;
+        issues.push({
+            file,
+            check: 'missing-license-header',
+            message: `New file is missing the required ${license} license header.`,
+            severity: 'error',
+        });
     }
     return issues;
 }
@@ -402,8 +442,19 @@ export function lintPatchSize(filesAffected, lineCount) {
             severity: 'warning',
         });
     }
+    // Tier selection: test > branding > general. Tests keep their elevated
+    // thresholds because a big regression test is legitimate (table-driven
+    // harnesses run into the thousands of lines). Branding patches get their
+    // own tier so a first-export of setup-generated branding doesn't fire
+    // the general hard limit — see `PATCH_LINE_THRESHOLDS.branding` above
+    // for the eval data motivating this tier.
     const allTests = filesAffected.length > 0 && filesAffected.every(isTestFile);
-    const thresholds = allTests ? PATCH_LINE_THRESHOLDS.test : PATCH_LINE_THRESHOLDS.general;
+    const branding = !allTests && isBrandingOnlyPatch(filesAffected);
+    const thresholds = allTests
+        ? PATCH_LINE_THRESHOLDS.test
+        : branding
+            ? PATCH_LINE_THRESHOLDS.branding
+            : PATCH_LINE_THRESHOLDS.general;
     if (lineCount >= thresholds.error) {
         issues.push({
             file: '(patch)',

package/dist/src/core/wire-destroy.js

@@ -10,7 +10,7 @@ import { pathExists, readText, writeText } from '../utils/fs.js';
 import { escapeRegex } from '../utils/regex.js';
 import { detectIndent, parseScript } from './ast-utils.js';
 import { withParserFallback } from './parser-fallback.js';
-import { assertBraceBalancePreserved, extractNameFromExpression, findMethodBody, findMethodBraceIndex, validateWireName, } from './wire-utils.js';
+import { assertBraceBalancePreserved, coerceToCall, extractNameFromExpression, findMethodBody, findMethodBraceIndex, validateWireName, } from './wire-utils.js';
 const BROWSER_INIT_JS = 'browser/base/content/browser-init.js';
 /**
  * AST-based implementation: finds onUnload()/uninit() method body and
@@ -18,6 +18,12 @@ const BROWSER_INIT_JS = 'browser/base/content/browser-init.js';
  */
 export function addDestroyAST(content, expression) {
     const name = extractNameFromExpression(expression);
+    // See wire-init.ts for the rationale: the template interpolates the
+    // expression verbatim, so a bare `Foo.bar` compiled to `Foo.bar;`
+    // (a property reference) instead of `Foo.bar();`. `coerceToCall`
+    // appends `()` when absent so the emitted block always invokes the
+    // teardown hook the operator asked for.
+    const callExpression = coerceToCall(expression);
     const ast = parseScript(content);
     const ms = new MagicString(content);
     const body = findMethodBody(ast, ['onUnload', 'uninit']);
@@ -41,7 +47,7 @@ export function addDestroyAST(content, expression) {
         `${indent}// ${name} destroy`,
         `${indent}try {`,
         `${indent}  if (typeof ${name} !== "undefined") {`,
-        `${indent}    ${expression};`,
+        `${indent}    ${callExpression};`,
         `${indent}  }`,
         `${indent}} catch (e) {`,
         `${indent}  console.error("${name} destroy failed:", e);`,
@@ -55,6 +61,9 @@ export function addDestroyAST(content, expression) {
  */
 export function legacyAddDestroy(content, expression) {
     const name = extractNameFromExpression(expression);
+    // Match the AST path on the call-coercion contract so fallback vs AST
+    // emits identical blocks (see wire-init.ts).
+    const callExpression = coerceToCall(expression);
     const lines = content.split('\n');
     const destroyRegex = /\b(?:async\s+)?(onUnload|uninit)\s*[(:]/;
     const found = findMethodBraceIndex(lines, destroyRegex, { requireBrace: true });
@@ -67,7 +76,7 @@ export function legacyAddDestroy(content, expression) {
         `    // ${name} destroy`,
         `    try {`,
         `      if (typeof ${name} !== "undefined") {`,
-        `        ${expression};`,
+        `        ${callExpression};`,
         `      }`,
         `    } catch (e) {`,
         `      console.error("${name} destroy failed:", e);`,
@@ -91,8 +100,12 @@ export async function addDestroyToBrowserInit(engineDir, expression) {
         throw new GeneralError(`${BROWSER_INIT_JS} not found in engine`);
     }
     const content = await readText(filePath);
-    // Idempotency check — use word-boundary regex to avoid substring false positives
-    const destroyPattern = new RegExp(`(?:^|\\W)${escapeRegex(expression)}\\s*;?\\s*$`, 'm');
+    // Idempotency check — look for the coerced (call) form because that is
+    // what the emitter writes. Matching against the raw input would miss a
+    // previous `EvalStartup.destroy` invocation that the 0.16.0 coercion
+    // already persisted as `EvalStartup.destroy()`.
+    const callExpression = coerceToCall(expression);
+    const destroyPattern = new RegExp(`(?:^|\\W)${escapeRegex(callExpression)}\\s*;?\\s*$`, 'm');
     if (destroyPattern.test(content)) {
         return false;
     }

package/dist/src/core/wire-init.js

@@ -10,7 +10,7 @@ import { pathExists, readText, writeText } from '../utils/fs.js';
 import { escapeRegex } from '../utils/regex.js';
 import { detectIndent, getNodeSource, parseScript } from './ast-utils.js';
 import { withParserFallback } from './parser-fallback.js';
-import { assertBraceBalancePreserved, extractNameFromExpression, findInsertionAfterFireforgeBlocks, findMethodBody, findMethodBraceIndex, validateWireName, walkToTryBlockEnd, } from './wire-utils.js';
+import { assertBraceBalancePreserved, coerceToCall, extractNameFromExpression, findInsertionAfterFireforgeBlocks, findMethodBody, findMethodBraceIndex, validateWireName, walkToTryBlockEnd, } from './wire-utils.js';
 const BROWSER_INIT_JS = 'browser/base/content/browser-init.js';
 /**
  * AST-based implementation: finds onLoad() method body, locates existing
@@ -19,6 +19,12 @@ const BROWSER_INIT_JS = 'browser/base/content/browser-init.js';
  */
 export function addInitAST(content, expression, after) {
     const name = extractNameFromExpression(expression);
+    // `validateWireName` accepts both `Foo.bar` and `Foo.bar()` shapes. The
+    // template below interpolates the value verbatim, so a bare property
+    // path compiles to `Foo.bar;` — a silent no-op, not a lifecycle
+    // invocation. `coerceToCall` normalises to the function-call form so
+    // the emitted block always invokes the hook the operator asked for.
+    const callExpression = coerceToCall(expression);
     const ast = parseScript(content);
     const ms = new MagicString(content);
     const body = findMethodBody(ast, 'onLoad');
@@ -97,7 +103,7 @@ export function addInitAST(content, expression, after) {
         `${indent}// inits that reference native UI elements we hide.`,
         `${indent}try {`,
         `${indent}  if (typeof ${name} !== "undefined") {`,
-        `${indent}    ${expression};`,
+        `${indent}    ${callExpression};`,
         `${indent}  }`,
         `${indent}} catch (e) {`,
         `${indent}  console.error("${name} init failed:", e);`,
@@ -111,6 +117,11 @@ export function addInitAST(content, expression, after) {
  */
 export function legacyAddInit(content, expression, after) {
     const name = extractNameFromExpression(expression);
+    // See `addInitAST` for the rationale — the AST and fallback paths must
+    // agree on whether the emitted block is a function call, otherwise
+    // operators would see different behaviour depending on which parser
+    // happened to handle their browser-init.js layout.
+    const callExpression = coerceToCall(expression);
     const lines = content.split('\n');
     const onLoadRegex = /\b(?:async\s+)?onLoad\s*[(:]/;
     const found = findMethodBraceIndex(lines, onLoadRegex, { requireBrace: true });
@@ -167,7 +178,7 @@ export function legacyAddInit(content, expression, after) {
         `${baseIndent}// inits that reference native UI elements we hide.`,
         `${baseIndent}try {`,
         `${inner}if (typeof ${name} !== "undefined") {`,
-        `${inner2}${expression};`,
+        `${inner2}${callExpression};`,
         `${inner}}`,
         `${baseIndent}} catch (e) {`,
         `${inner}console.error("${name} init failed:", e);`,
@@ -192,8 +203,12 @@ export async function addInitToBrowserInit(engineDir, expression, after) {
         throw new GeneralError(`${BROWSER_INIT_JS} not found in engine`);
     }
     const content = await readText(filePath);
-    // Idempotency check — use word-boundary regex to avoid substring false positives
-    const initPattern = new RegExp(`(?:^|\\W)${escapeRegex(expression)}\\s*;?\\s*$`, 'm');
+    // Idempotency check — look for the coerced (call) form because that is
+    // what the emitter writes. Matching against the raw input would miss a
+    // previous `EvalStartup.init` invocation that the 0.16.0 coercion
+    // already persisted as `EvalStartup.init()`.
+    const callExpression = coerceToCall(expression);
+    const initPattern = new RegExp(`(?:^|\\W)${escapeRegex(callExpression)}\\s*;?\\s*$`, 'm');
     if (initPattern.test(content)) {
         return false;
     }

package/dist/src/core/wire-utils.d.ts

@@ -5,6 +5,21 @@ import { type AcornESTreeNode } from './ast-utils.js';
  * Rejects strings containing characters that could break out of JS strings or inject code.
  */
 export declare function validateWireName(value: string, label: string): void;
+/**
+ * Coerces an init/destroy expression into a function call by appending `()`
+ * when the caller passed a bare property chain. Idempotent: an expression
+ * already ending in `()` is returned unchanged, so operators can pass either
+ * `EvalStartup.init` or `EvalStartup.init()` and get the same wired output.
+ *
+ * Motivation (eval finding 8): `validateWireName` accepts both shapes, but
+ * the generated block interpolated the expression verbatim inside
+ * `${expression};`. When a caller passed `EvalStartup.init`, the emitted
+ * code was `EvalStartup.init;` — a plain property reference that never
+ * invoked the lifecycle hook. The symptom was silent: `wire` reported
+ * success and the browser-init block looked plausible, but the hook
+ * never fired at runtime. Coercion at the template site closes that gap.
+ */
+export declare function coerceToCall(expression: string): string;
 /**
  * Counts net brace depth change in a single line, ignoring braces inside
  * string literals (single, double, template), line comments (`//`), and

package/dist/src/core/wire-utils.js

@@ -17,6 +17,23 @@ export function validateWireName(value, label) {
         }
     }
 }
+/**
+ * Coerces an init/destroy expression into a function call by appending `()`
+ * when the caller passed a bare property chain. Idempotent: an expression
+ * already ending in `()` is returned unchanged, so operators can pass either
+ * `EvalStartup.init` or `EvalStartup.init()` and get the same wired output.
+ *
+ * Motivation (eval finding 8): `validateWireName` accepts both shapes, but
+ * the generated block interpolated the expression verbatim inside
+ * `${expression};`. When a caller passed `EvalStartup.init`, the emitted
+ * code was `EvalStartup.init;` — a plain property reference that never
+ * invoked the lifecycle hook. The symptom was silent: `wire` reported
+ * success and the browser-init block looked plausible, but the hook
+ * never fired at runtime. Coercion at the template site closes that gap.
+ */
+export function coerceToCall(expression) {
+    return expression.endsWith('()') ? expression : `${expression}()`;
+}
 /**
  * Counts net brace depth change in a single line, ignoring braces inside
  * string literals (single, double, template), line comments (`//`), and

package/dist/src/types/commands/options.d.ts

@@ -86,6 +86,13 @@ export interface ExportOptions {
     forceUnsafe?: boolean;
     /** Exclude furnace-managed file paths from the export. */
     excludeFurnace?: boolean;
+    /**
+     * Acknowledge that the export will create cross-patch ownership overlap
+     * with existing non-superseded patches. Without this flag, `export`
+     * refuses when one or more `filesAffected` are already claimed by
+     * another patch, because the resulting queue fails `verify` immediately.
+     */
+    allowOverlap?: boolean;
 }
 /**
  * Options for the reset command.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hominis/fireforge",
-  "version": "0.16.2",
+  "version": "0.16.5",
   "description": "FireForge — a build tool for customizing Firefox",
   "type": "module",
   "main": "./dist/src/index.js",