@hominis/fireforge 0.16.3 → 0.16.5

package/dist/src/commands/re-export.js

@@ -1,6 +1,6 @@
 // SPDX-License-Identifier: EUPL-1.2
 import { dirname, join } from 'node:path';
-import { multiselect } from '@clack/prompts';
+import { confirm, multiselect } from '@clack/prompts';
 import { getProjectPaths, loadConfig } from '../core/config.js';
 import { isGitRepository } from '../core/git.js';
 import { getDiffForFilesAgainstHead } from '../core/git-diff.js';
@@ -11,6 +11,14 @@ import { GeneralError, InvalidArgumentError } from '../errors/base.js';
 import { toError } from '../utils/errors.js';
 import { pathExists } from '../utils/fs.js';
 import { cancel, info, intro, isCancel, outro, spinner, success, warn } from '../utils/logger.js';
+/**
+ * Threshold above which `--scan` must be explicitly confirmed. Values were
+ * picked so the common "refresh after one-or-two-file tweak" case stays
+ * frictionless while catching the eval finding #13 scenario where `--scan`
+ * silently pulled in an entire sibling feature (xhtml + tests + theme CSS).
+ */
+const SCAN_ADD_COUNT_THRESHOLD = 3;
+const SCAN_DIR_COUNT_THRESHOLD = 2;
 import { pickDefined } from '../utils/options.js';
 import { runPatchLint } from './export-shared.js';
 import { reExportFilesInPlace } from './re-export-files.js';
@@ -39,25 +47,90 @@ async function scanPatchFiles(currentFilesAffected, engineDir, manifest, patchFi
             removed.push(f);
         }
     }
-    for (const f of added.sort()) {
+    const sortedAdded = [...added].sort();
+    const sortedRemoved = [...removed].sort();
+    for (const f of sortedAdded) {
         info(`  + ${f}`);
     }
-    for (const f of removed.sort()) {
+    for (const f of sortedRemoved) {
         info(`  - ${f}`);
     }
     if (added.length > 0 || removed.length > 0) {
         const removedSet = new Set(removed);
         const updated = [...currentFilesAffected.filter((f) => !removedSet.has(f)), ...added].sort();
         info(`  ${isDryRun ? 'Would update' : 'Updated'} ${patchFilename}: +${added.length} / -${removed.length} files`);
-        return updated;
+        return { updated, added: sortedAdded, removed: sortedRemoved };
     }
-    return currentFilesAffected;
+    return { updated: currentFilesAffected, added: [], removed: [] };
+}
+/**
+ * Returns true when the caller-confirmed threshold is exceeded for this
+ * scan's additions. The heuristic treats "small, same-directory" additions
+ * as friction-free (the common refresh case) and flags larger or
+ * multi-directory expansions so operators see them before they land.
+ *
+ * Pre-0.16.0 `--scan` silently broadened patches to include any modified or
+ * untracked file that shared a parent directory with the existing
+ * filesAffected — in practice, pulling adjacent feature code into a patch
+ * that had nothing to do with it. The gate below turns the broadening into
+ * an explicit opt-in.
+ */
+function scanAdditionsNeedConfirmation(added) {
+    if (added.length === 0)
+        return false;
+    if (added.length > SCAN_ADD_COUNT_THRESHOLD)
+        return true;
+    const dirs = new Set(added.map((f) => dirname(f)));
+    return dirs.size >= SCAN_DIR_COUNT_THRESHOLD;
+}
+/**
+ * Gate for broad `--scan` additions. Enforces explicit acknowledgement when
+ * the scan would pull in more files than a narrow refresh. Dry-run always
+ * proceeds (the preview is the whole point).
+ *
+ * @returns true if the caller should proceed; false if the user cancelled.
+ */
+async function confirmBroadScanAdditions(args) {
+    const { patchFilename, added, isDryRun, yes, isInteractive } = args;
+    if (isDryRun)
+        return true;
+    if (!scanAdditionsNeedConfirmation(added))
+        return true;
+    if (yes)
+        return true;
+    warn(`${patchFilename}: --scan would add ${String(added.length)} file(s) that span ${String(new Set(added.map((f) => dirname(f))).size)} director${new Set(added.map((f) => dirname(f))).size === 1 ? 'y' : 'ies'}. ` +
+        'Broad scans can silently pull adjacent features into a patch — review the diff before continuing.');
+    if (!isInteractive) {
+        throw new GeneralError(`Refusing to broaden "${patchFilename}" via --scan in non-interactive mode. ` +
+            'Pass --yes to acknowledge the expansion, or run with --dry-run first to review.');
+    }
+    const confirmed = await confirm({
+        message: `Proceed and broaden ${patchFilename} with ${String(added.length)} newly discovered file(s)?`,
+        initialValue: false,
+    });
+    if (isCancel(confirmed) || !confirmed) {
+        cancel(`Skipped ${patchFilename}`);
+        return false;
+    }
+    return true;
 }
 async function reExportSinglePatch(patch, paths, manifest, options, isDryRun, config) {
     let currentFilesAffected = [...patch.filesAffected];
     // --- Scan for new/removed files ---
     if (options.scan) {
-        currentFilesAffected = await scanPatchFiles(currentFilesAffected, paths.engine, manifest, patch.filename, isDryRun);
+        const scanResult = await scanPatchFiles(currentFilesAffected, paths.engine, manifest, patch.filename, isDryRun);
+        const isInteractive = process.stdin.isTTY && process.stdout.isTTY;
+        const proceed = await confirmBroadScanAdditions({
+            patchFilename: patch.filename,
+            added: scanResult.added,
+            isDryRun,
+            yes: options.yes === true,
+            isInteractive,
+        });
+        if (!proceed) {
+            return false;
+        }
+        currentFilesAffected = scanResult.updated;
     }
     else if (options.files === undefined) {
         // Finding #16: when neither `--scan` nor `--files` is set and some

package/dist/src/commands/resolve.js

@@ -5,6 +5,7 @@ import { getProjectPaths, loadConfig, loadState, updateState } from '../core/con
 import { isGitRepository } from '../core/git.js';
 import { getStagedDiffForFiles } from '../core/git-diff.js';
 import { stageFiles, unstageFiles } from '../core/git-file-ops.js';
+import { extractAffectedFiles } from '../core/patch-apply.js';
 import { updatePatchAndMetadata } from '../core/patch-export.js';
 import { loadPatchesManifest } from '../core/patch-manifest.js';
 import { GeneralError, ResolutionError } from '../errors/base.js';
@@ -106,9 +107,22 @@ export async function resolveCommand(projectRoot) {
         // import / export / re-export / patch reorder / patch compact could
         // interleave with and leave the manifest disagreeing with the
         // freshly-written patch body.
+        //
+        // Always recompute `filesAffected` from the diff content itself. The
+        // eval finding #16 scenario: the user's manual fix removed every
+        // hunk for one file while the file still existed on disk, so the
+        // pre-0.16.0 gate of "update filesAffected only when files were
+        // deleted from disk" left the manifest claiming a file the patch
+        // body no longer targeted. The next `fireforge import` then failed
+        // the patch-manifest consistency check even though resolve reported
+        // success. `extractAffectedFiles` already owns the canonical
+        // "parse a diff, return its target paths" logic used by export and
+        // consistency — using it here keeps resolve in agreement with every
+        // other writer.
+        const diffFilesAffected = extractAffectedFiles(diffContent);
         const config = await loadConfig(projectRoot);
         await updatePatchAndMetadata(paths.patches, patchFilename, diffContent, {
-            ...(activeFiles.length < existingFiles.length ? { filesAffected: activeFiles } : {}),
+            filesAffected: diffFilesAffected,
             sourceEsrVersion: config.firefox.version,
         });
         // Cleanup: Clear pendingResolution from state.json transactionally so

package/dist/src/commands/run.js

@@ -183,17 +183,31 @@ async function runSmokeExit(engineDir, options) {
         warn(`--capture-console stream error: ${err.message}`);
     });
     const findings = [];
-    let allowlistedHits = 0;
+    let allowlistedErrorHits = 0;
+    let allowlistedTotalHits = 0;
     const handleLine = (stream, line) => {
         // Mirror raw output to the terminal so operators watching the smoke
         // run still see what the browser is printing. Stream selection on the
         // mirror preserves stdout/stderr separation for downstream piping.
         const sink = stream === 'stdout' ? process.stdout : process.stderr;
         sink.write(`${line}\n`);
+        // Count allowlist hits up-front, regardless of error-pattern match.
+        // Pre-0.16.0 the counter only incremented when the line ALSO matched
+        // an error pattern — so an allowlist regex that visibly matched
+        // `console.warn: RSLoader:` still reported 0 hits because
+        // `console.warn:` is not a smoke error class, confusing operators
+        // who were tuning their allowlist. We now surface two numbers: the
+        // total set of allowlisted lines (what the operator sees in the
+        // console) and the subset that were error-class (what the smoke
+        // exit contract cares about). The exit contract itself is unchanged.
+        const isAllowlisted = allowlist.length > 0 && matchesAllowlist(line, allowlist);
+        if (isAllowlisted) {
+            allowlistedTotalHits += 1;
+        }
         if (!matchesSmokeError(line))
             return;
-        if (matchesAllowlist(line, allowlist)) {
-            allowlistedHits += 1;
+        if (isAllowlisted) {
+            allowlistedErrorHits += 1;
             return;
         }
         findings.push({ stream, line });
@@ -221,7 +235,8 @@ async function runSmokeExit(engineDir, options) {
         smokeTimeoutMs,
         elapsedMs,
         timedOut: result.timedOut,
-        allowlistedHits,
+        allowlistedErrorHits,
+        allowlistedTotalHits,
         findings,
         exitCode: result.exitCode,
     });
@@ -278,7 +293,14 @@ function reportSmokeSummary(args) {
     info('');
     info(`Smoke run complete: ${seconds}s elapsed of ${windowSeconds}s window${suffix}`);
     info(`  Unallowed errors: ${String(args.findings.length)}`);
-    info(`  Allowlisted hits: ${String(args.allowlistedHits)}`);
+    // The "suppressed errors" count is what the exit contract cares about —
+    // it is the subset of allowlisted hits that would otherwise have been
+    // tallied as findings. The "all allowlisted lines" count answers the
+    // operator's mental model ("my --console-allow pattern matched N
+    // console lines"), which pre-0.16.0 was missing and led to 0-hit
+    // reports on visibly matching regexes.
+    info(`  Allowlisted error hits (suppressed): ${String(args.allowlistedErrorHits)}`);
+    info(`  Allowlisted lines total: ${String(args.allowlistedTotalHits)}`);
     info(`  Child exit code:  ${String(args.exitCode)}`);
     if (args.findings.length === 0)
         return;

package/dist/src/commands/test.js

@@ -9,7 +9,7 @@ import { operatorAlreadySetAppPath, resolveXpcshellAppdirArg, } from '../core/xp
 import { GeneralError } from '../errors/base.js';
 import { AmbiguousBuildArtifactsError, BuildError } from '../errors/build.js';
 import { pathExists } from '../utils/fs.js';
-import { info, intro, spinner, warn } from '../utils/logger.js';
+import { info, intro, outro, spinner, warn } from '../utils/logger.js';
 import { pickDefined } from '../utils/options.js';
 import { stripEnginePrefix } from '../utils/paths.js';
 async function assertTestPathsExist(engineDir, testPaths) {
@@ -187,6 +187,13 @@ export async function testCommand(projectRoot, testPaths, options = {}) {
             if (!preflight.ok) {
                 throw new GeneralError('Marionette preflight reported FAIL — see output above.');
             }
+            // Close the intro frame explicitly. Without an outro, clack's
+            // grouped-output mode left the PASS line hanging inside an
+            // unclosed tree — in the eval's non-TTY capture the info line
+            // itself failed to render, so `test --doctor` looked like it had
+            // exited silently after the spinner start line. The outro also
+            // gives scripts a deterministic "done" marker to parse.
+            outro(`Marionette preflight: PASS (${preflight.durationMs}ms)`);
             return;
         }
         if (!preflight.ok) {

package/dist/src/commands/token-coverage.js

@@ -1,5 +1,7 @@
 // SPDX-License-Identifier: EUPL-1.2
+import { join } from 'node:path';
 import { getProjectPaths, loadConfig } from '../core/config.js';
+import { furnaceConfigExists, loadFurnaceConfig } from '../core/furnace-config.js';
 import { getStatusWithCodes, isGitRepository } from '../core/git.js';
 import { measureTokenCoverage } from '../core/token-coverage.js';
 import { getTokensCssPath } from '../core/token-manager.js';
@@ -22,9 +24,19 @@ export async function tokenCoverageCommand(projectRoot) {
     const config = await loadConfig(projectRoot);
     const tokensCssPath = getTokensCssPath(config.binaryName);
     const files = await getStatusWithCodes(paths.engine);
-    const cssFiles = files
+    const statusCssFiles = files
         .filter((f) => f.file.endsWith('.css') && f.file !== tokensCssPath)
         .map((f) => f.file);
+    // Also scan CSS files deployed by Furnace custom components. Deployed
+    // files can be committed (and therefore absent from `git status`) while
+    // still being the primary surface where token adoption matters. Before
+    // 0.16.0, coverage only looked at modified files, which silently
+    // undercounted projects where Furnace writes many component-CSS files
+    // into the engine and they are already tracked.
+    const furnaceCssFiles = await collectFurnaceCustomCssFiles(projectRoot, paths.engine, tokensCssPath);
+    // De-dupe so a file that is both a custom deploy target AND modified is
+    // scanned exactly once.
+    const cssFiles = [...new Set([...statusCssFiles, ...furnaceCssFiles])];
     if (cssFiles.length === 0) {
         info('No modified CSS files');
         outro('Nothing to measure');
@@ -54,4 +66,46 @@ export async function tokenCoverageCommand(projectRoot) {
     }
     outro(`${report.filesScanned} CSS file${report.filesScanned === 1 ? '' : 's'} scanned`);
 }
+/**
+ * Returns engine-relative `.css` paths deployed by every Furnace custom
+ * component registered in `furnace.json`. Only files that actually exist
+ * on disk are included — a component whose deploy target is missing (e.g.
+ * `furnace apply` has not run yet) is skipped silently so a fresh
+ * `furnace init` followed immediately by `token coverage` does not error.
+ *
+ * Returns an empty array when the project has no furnace.json, no custom
+ * components, or when loading the config fails (a warn is emitted in the
+ * last case so the user can diagnose a broken furnace.json without losing
+ * coverage results on the non-furnace CSS files).
+ */
+async function collectFurnaceCustomCssFiles(projectRoot, engineDir, tokensCssPath) {
+    if (!(await furnaceConfigExists(projectRoot))) {
+        return [];
+    }
+    let furnaceConfig;
+    try {
+        furnaceConfig = await loadFurnaceConfig(projectRoot);
+    }
+    catch (error) {
+        warn(`Could not load furnace.json for token coverage — scanning modified files only (${error.message})`);
+        return [];
+    }
+    const results = [];
+    for (const [componentName, customConfig] of Object.entries(furnaceConfig.custom)) {
+        // Upstream Firefox widget layout: every component lives at
+        // `toolkit/content/widgets/<tagName>/` and ships at least
+        // `<tagName>.css`. `targetPath` already resolves to that directory
+        // (the create command writes `toolkit/content/widgets/<name>` into
+        // furnace.json) so we can probe the default layout directly without
+        // walking the whole tree.
+        const candidate = `${customConfig.targetPath}/${componentName}.css`;
+        if (candidate === tokensCssPath)
+            continue;
+        const absolutePath = join(engineDir, candidate);
+        if (await pathExists(absolutePath)) {
+            results.push(candidate);
+        }
+    }
+    return results;
+}
 //# sourceMappingURL=token-coverage.js.map

package/dist/src/commands/token.js

@@ -106,7 +106,18 @@ export async function tokenAddCommand(projectRoot, tokenName, value, options) {
 }
 /** Registers token management commands on the CLI program. */
 export function registerToken(program, { getProjectRoot, withErrorHandling }) {
-    const token = program.command('token').description('Design token management');
+    const token = program
+        .command('token')
+        .description('Design token management')
+        // Match `fireforge furnace`'s no-args contract: print the group's help and
+        // exit 0. Without this default action, commander routes `fireforge token`
+        // (no subcommand) through its own help-then-exit-1 path, so scripts that
+        // probe the CLI surface see a misleading non-zero exit for a purely
+        // informational invocation. The action prints the exact same help commander
+        // would otherwise print, but returns successfully.
+        .action(() => {
+        token.outputHelp();
+    });
     token
         .command('add <token-name> <value>')
         .description('Add a design token to CSS and documentation')

package/dist/src/commands/wire.js

@@ -5,6 +5,7 @@ import { getProjectPaths, loadConfig } from '../core/config.js';
 import { furnaceConfigExists as checkFurnaceConfigExists, loadFurnaceConfig, } from '../core/furnace-config.js';
 import { consumeParserFallbackEvents } from '../core/parser-fallback.js';
 import { DEFAULT_DOM_TARGET } from '../core/wire-dom-fragment.js';
+import { coerceToCall, validateWireName as validateWireExpression } from '../core/wire-utils.js';
 import { InvalidArgumentError } from '../errors/base.js';
 import { toError } from '../utils/errors.js';
 import { pathExists } from '../utils/fs.js';
@@ -17,10 +18,14 @@ function printWireDryRun(engineDir, name, subscriptDir, domFilePath, domTargetPa
     info(`  source: ${subscriptDir}/${name}.js`);
     info(`  browser-main.js: loadSubScript("chrome://browser/content/${name}.js")`);
     if (options.init) {
-        info(`  browser-init.js: ${options.init}`);
+        // Show the coerced form so the preview matches the emitted block.
+        // Before 0.16.0 the preview echoed the raw input ("EvalStartup.init"),
+        // which did not reflect that the real run writes `EvalStartup.init();`
+        // to browser-init.js.
+        info(`  browser-init.js: ${coerceToCall(options.init)}`);
     }
     if (options.destroy) {
-        info(`  browser-init.js onUnload(): ${options.destroy}`);
+        info(`  browser-init.js onUnload(): ${coerceToCall(options.destroy)}`);
     }
     if (domFilePath) {
         const includePath = relative(join(engineDir, subscriptDir), join(engineDir, domFilePath)).replace(/\\/g, '/');
@@ -95,6 +100,21 @@ export async function wireCommand(projectRoot, name, options = {}) {
         // --after and have it forwarded unchanged to the lookup layer.
         validateWireName(options.after);
     }
+    // Validate init/destroy expressions BEFORE the dry-run/real fork so
+    // both paths enforce the same contract. Pre-0.16.0, validation only
+    // ran inside `addInitToBrowserInit`/`addDestroyToBrowserInit` (the
+    // real-execution path), so `--dry-run --init 'void 0'` succeeded and
+    // rendered a plausible-looking preview even though the real run would
+    // reject the same arguments. Dropping `void 0` into the template
+    // silently (or breaking out of the string literal) was already
+    // prevented downstream — this hoist just makes the failure surface
+    // identical in preview mode.
+    if (options.init !== undefined) {
+        validateWireExpression(options.init, 'init expression');
+    }
+    if (options.destroy !== undefined) {
+        validateWireExpression(options.destroy, 'destroy expression');
+    }
     consumeParserFallbackEvents();
     // Resolve subscript directory: CLI flag > fireforge.json > default
     let subscriptDir = DEFAULT_BROWSER_SUBSCRIPT_DIR;

package/dist/src/core/mach-error-hints.js

@@ -57,6 +57,22 @@ export const MACH_ERROR_HINTS = [
             'remove any `pub type basic_string___self_view = …<_CharT>;` line from ' +
             '`<objdir>/release/build/gecko-profiler-*/out/gecko/bindings.rs`.',
     },
+    {
+        // When `mach build` fails mid-compile, mach's own shutdown pipeline still
+        // runs its trailing "Config object not found by mach. / Configure
+        // complete! / Be sure to run |mach build|..." summary on the way out.
+        // Those three lines are plain upstream mach output, printed AFTER the
+        // non-zero exit code has already been established, and they look
+        // deceptively like a success banner — the eval's Darwin 25 log had
+        // operators double-checking whether `make` had actually failed. We do
+        // not own those lines, but we can give the operator a specific nudge
+        // that they are cosmetic post-failure output rather than a mixed
+        // success/failure signal.
+        pattern: /Config object not found by mach\.[\s\S]*?Configure complete!/,
+        hint: 'Ignore the trailing "Config object not found by mach. / Configure complete!" block — ' +
+            "that is mach's post-failure configure summary printed after the build already failed, " +
+            'not a sign the build succeeded. The real failure is the error above this block.',
+    },
 ];
 /**
  * Scans captured stderr for known mach errors and returns matching hints.

package/dist/src/core/mach.js

@@ -111,13 +111,22 @@ export async function bootstrapWithOutput(engineDir) {
     return runMachInheritCapture(['bootstrap', '--application-choice', 'browser'], engineDir);
 }
 /**
- * Prints any matched {@link MachErrorHint} hints for the captured stderr.
+ * Prints any matched {@link MachErrorHint} hints for the captured mach output.
  * No-op when nothing matches. Always called before a non-zero exit propagates
  * so the hint sits immediately below the raw mach error in the operator's
  * terminal.
- */
-function surfaceMachErrorHints(stderr) {
-    const hints = explainMachError(stderr);
+ *
+ * The scanner is passed the concatenation of stderr AND stdout because mach
+ * streams its subcommand output through a timestamp-prefixing wrapper that
+ * writes both streams to whatever FD the subprocess chose — in practice,
+ * `rustc` errors from `mach build` can land on stdout rather than stderr,
+ * and the eval run's Darwin 25 `_CharT` hint pattern matched the captured
+ * text but our pre-0.16 code only fed `result.stderr` into the scanner, so
+ * the hint never fired.
+ */
+function surfaceMachErrorHints(result) {
+    const combined = `${result.stderr}\n${result.stdout}`;
+    const hints = explainMachError(combined);
     if (hints.length === 0)
         return;
     for (const hint of hints) {
@@ -139,7 +148,7 @@ export async function build(engineDir, jobs) {
     }
     const result = await runMachInheritCapture(args, engineDir);
     if (result.exitCode !== 0) {
-        surfaceMachErrorHints(result.stderr);
+        surfaceMachErrorHints(result);
     }
     return result.exitCode;
 }
@@ -152,7 +161,7 @@ export async function build(engineDir, jobs) {
 export async function buildUI(engineDir) {
     const result = await runMachInheritCapture(['build', 'faster'], engineDir);
     if (result.exitCode !== 0) {
-        surfaceMachErrorHints(result.stderr);
+        surfaceMachErrorHints(result);
     }
     return result.exitCode;
 }

package/dist/src/core/wire-destroy.js

@@ -10,7 +10,7 @@ import { pathExists, readText, writeText } from '../utils/fs.js';
 import { escapeRegex } from '../utils/regex.js';
 import { detectIndent, parseScript } from './ast-utils.js';
 import { withParserFallback } from './parser-fallback.js';
-import { assertBraceBalancePreserved, extractNameFromExpression, findMethodBody, findMethodBraceIndex, validateWireName, } from './wire-utils.js';
+import { assertBraceBalancePreserved, coerceToCall, extractNameFromExpression, findMethodBody, findMethodBraceIndex, validateWireName, } from './wire-utils.js';
 const BROWSER_INIT_JS = 'browser/base/content/browser-init.js';
 /**
  * AST-based implementation: finds onUnload()/uninit() method body and
@@ -18,6 +18,12 @@ const BROWSER_INIT_JS = 'browser/base/content/browser-init.js';
  */
 export function addDestroyAST(content, expression) {
     const name = extractNameFromExpression(expression);
+    // See wire-init.ts for the rationale: the template interpolates the
+    // expression verbatim, so a bare `Foo.bar` compiled to `Foo.bar;`
+    // (a property reference) instead of `Foo.bar();`. `coerceToCall`
+    // appends `()` when absent so the emitted block always invokes the
+    // teardown hook the operator asked for.
+    const callExpression = coerceToCall(expression);
     const ast = parseScript(content);
     const ms = new MagicString(content);
     const body = findMethodBody(ast, ['onUnload', 'uninit']);
@@ -41,7 +47,7 @@ export function addDestroyAST(content, expression) {
         `${indent}// ${name} destroy`,
         `${indent}try {`,
         `${indent}  if (typeof ${name} !== "undefined") {`,
-        `${indent}    ${expression};`,
+        `${indent}    ${callExpression};`,
         `${indent}  }`,
         `${indent}} catch (e) {`,
         `${indent}  console.error("${name} destroy failed:", e);`,
@@ -55,6 +61,9 @@ export function addDestroyAST(content, expression) {
  */
 export function legacyAddDestroy(content, expression) {
     const name = extractNameFromExpression(expression);
+    // Match the AST path on the call-coercion contract so fallback vs AST
+    // emits identical blocks (see wire-init.ts).
+    const callExpression = coerceToCall(expression);
     const lines = content.split('\n');
     const destroyRegex = /\b(?:async\s+)?(onUnload|uninit)\s*[(:]/;
     const found = findMethodBraceIndex(lines, destroyRegex, { requireBrace: true });
@@ -67,7 +76,7 @@ export function legacyAddDestroy(content, expression) {
         `    // ${name} destroy`,
         `    try {`,
         `      if (typeof ${name} !== "undefined") {`,
-        `        ${expression};`,
+        `        ${callExpression};`,
         `      }`,
         `    } catch (e) {`,
         `      console.error("${name} destroy failed:", e);`,
@@ -91,8 +100,12 @@ export async function addDestroyToBrowserInit(engineDir, expression) {
         throw new GeneralError(`${BROWSER_INIT_JS} not found in engine`);
     }
     const content = await readText(filePath);
-    // Idempotency check — use word-boundary regex to avoid substring false positives
-    const destroyPattern = new RegExp(`(?:^|\\W)${escapeRegex(expression)}\\s*;?\\s*$`, 'm');
+    // Idempotency check — look for the coerced (call) form because that is
+    // what the emitter writes. Matching against the raw input would miss a
+    // previous `EvalStartup.destroy` invocation that the 0.16.0 coercion
+    // already persisted as `EvalStartup.destroy()`.
+    const callExpression = coerceToCall(expression);
+    const destroyPattern = new RegExp(`(?:^|\\W)${escapeRegex(callExpression)}\\s*;?\\s*$`, 'm');
     if (destroyPattern.test(content)) {
         return false;
     }

package/dist/src/core/wire-init.js

@@ -10,7 +10,7 @@ import { pathExists, readText, writeText } from '../utils/fs.js';
 import { escapeRegex } from '../utils/regex.js';
 import { detectIndent, getNodeSource, parseScript } from './ast-utils.js';
 import { withParserFallback } from './parser-fallback.js';
-import { assertBraceBalancePreserved, extractNameFromExpression, findInsertionAfterFireforgeBlocks, findMethodBody, findMethodBraceIndex, validateWireName, walkToTryBlockEnd, } from './wire-utils.js';
+import { assertBraceBalancePreserved, coerceToCall, extractNameFromExpression, findInsertionAfterFireforgeBlocks, findMethodBody, findMethodBraceIndex, validateWireName, walkToTryBlockEnd, } from './wire-utils.js';
 const BROWSER_INIT_JS = 'browser/base/content/browser-init.js';
 /**
  * AST-based implementation: finds onLoad() method body, locates existing
@@ -19,6 +19,12 @@ const BROWSER_INIT_JS = 'browser/base/content/browser-init.js';
  */
 export function addInitAST(content, expression, after) {
     const name = extractNameFromExpression(expression);
+    // `validateWireName` accepts both `Foo.bar` and `Foo.bar()` shapes. The
+    // template below interpolates the value verbatim, so a bare property
+    // path compiles to `Foo.bar;` — a silent no-op, not a lifecycle
+    // invocation. `coerceToCall` normalises to the function-call form so
+    // the emitted block always invokes the hook the operator asked for.
+    const callExpression = coerceToCall(expression);
     const ast = parseScript(content);
     const ms = new MagicString(content);
     const body = findMethodBody(ast, 'onLoad');
@@ -97,7 +103,7 @@ export function addInitAST(content, expression, after) {
         `${indent}// inits that reference native UI elements we hide.`,
         `${indent}try {`,
         `${indent}  if (typeof ${name} !== "undefined") {`,
-        `${indent}    ${expression};`,
+        `${indent}    ${callExpression};`,
         `${indent}  }`,
         `${indent}} catch (e) {`,
         `${indent}  console.error("${name} init failed:", e);`,
@@ -111,6 +117,11 @@ export function addInitAST(content, expression, after) {
  */
 export function legacyAddInit(content, expression, after) {
     const name = extractNameFromExpression(expression);
+    // See `addInitAST` for the rationale — the AST and fallback paths must
+    // agree on whether the emitted block is a function call, otherwise
+    // operators would see different behaviour depending on which parser
+    // happened to handle their browser-init.js layout.
+    const callExpression = coerceToCall(expression);
     const lines = content.split('\n');
     const onLoadRegex = /\b(?:async\s+)?onLoad\s*[(:]/;
     const found = findMethodBraceIndex(lines, onLoadRegex, { requireBrace: true });
@@ -167,7 +178,7 @@ export function legacyAddInit(content, expression, after) {
         `${baseIndent}// inits that reference native UI elements we hide.`,
         `${baseIndent}try {`,
         `${inner}if (typeof ${name} !== "undefined") {`,
-        `${inner2}${expression};`,
+        `${inner2}${callExpression};`,
         `${inner}}`,
         `${baseIndent}} catch (e) {`,
         `${inner}console.error("${name} init failed:", e);`,
@@ -192,8 +203,12 @@ export async function addInitToBrowserInit(engineDir, expression, after) {
         throw new GeneralError(`${BROWSER_INIT_JS} not found in engine`);
     }
     const content = await readText(filePath);
-    // Idempotency check — use word-boundary regex to avoid substring false positives
-    const initPattern = new RegExp(`(?:^|\\W)${escapeRegex(expression)}\\s*;?\\s*$`, 'm');
+    // Idempotency check — look for the coerced (call) form because that is
+    // what the emitter writes. Matching against the raw input would miss a
+    // previous `EvalStartup.init` invocation that the 0.16.0 coercion
+    // already persisted as `EvalStartup.init()`.
+    const callExpression = coerceToCall(expression);
+    const initPattern = new RegExp(`(?:^|\\W)${escapeRegex(callExpression)}\\s*;?\\s*$`, 'm');
     if (initPattern.test(content)) {
         return false;
     }

package/dist/src/core/wire-utils.d.ts

@@ -5,6 +5,21 @@ import { type AcornESTreeNode } from './ast-utils.js';
  * Rejects strings containing characters that could break out of JS strings or inject code.
  */
 export declare function validateWireName(value: string, label: string): void;
+/**
+ * Coerces an init/destroy expression into a function call by appending `()`
+ * when the caller passed a bare property chain. Idempotent: an expression
+ * already ending in `()` is returned unchanged, so operators can pass either
+ * `EvalStartup.init` or `EvalStartup.init()` and get the same wired output.
+ *
+ * Motivation (eval finding 8): `validateWireName` accepts both shapes, but
+ * the generated block interpolated the expression verbatim inside
+ * `${expression};`. When a caller passed `EvalStartup.init`, the emitted
+ * code was `EvalStartup.init;` — a plain property reference that never
+ * invoked the lifecycle hook. The symptom was silent: `wire` reported
+ * success and the browser-init block looked plausible, but the hook
+ * never fired at runtime. Coercion at the template site closes that gap.
+ */
+export declare function coerceToCall(expression: string): string;
 /**
  * Counts net brace depth change in a single line, ignoring braces inside
  * string literals (single, double, template), line comments (`//`), and

package/dist/src/core/wire-utils.js

@@ -17,6 +17,23 @@ export function validateWireName(value, label) {
         }
     }
 }
+/**
+ * Coerces an init/destroy expression into a function call by appending `()`
+ * when the caller passed a bare property chain. Idempotent: an expression
+ * already ending in `()` is returned unchanged, so operators can pass either
+ * `EvalStartup.init` or `EvalStartup.init()` and get the same wired output.
+ *
+ * Motivation (eval finding 8): `validateWireName` accepts both shapes, but
+ * the generated block interpolated the expression verbatim inside
+ * `${expression};`. When a caller passed `EvalStartup.init`, the emitted
+ * code was `EvalStartup.init;` — a plain property reference that never
+ * invoked the lifecycle hook. The symptom was silent: `wire` reported
+ * success and the browser-init block looked plausible, but the hook
+ * never fired at runtime. Coercion at the template site closes that gap.
+ */
+export function coerceToCall(expression) {
+    return expression.endsWith('()') ? expression : `${expression}()`;
+}
 /**
  * Counts net brace depth change in a single line, ignoring braces inside
  * string literals (single, double, template), line comments (`//`), and

package/dist/src/types/commands/options.d.ts

@@ -86,6 +86,13 @@ export interface ExportOptions {
     forceUnsafe?: boolean;
     /** Exclude furnace-managed file paths from the export. */
     excludeFurnace?: boolean;
+    /**
+     * Acknowledge that the export will create cross-patch ownership overlap
+     * with existing non-superseded patches. Without this flag, `export`
+     * refuses when one or more `filesAffected` are already claimed by
+     * another patch, because the resulting queue fails `verify` immediately.
+     */
+    allowOverlap?: boolean;
 }
 /**
  * Options for the reset command.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hominis/fireforge",
-  "version": "0.16.3",
+  "version": "0.16.5",
   "description": "FireForge — a build tool for customizing Firefox",
   "type": "module",
   "main": "./dist/src/index.js",