@hominis/fireforge 0.17.0 → 0.18.0

package/dist/src/core/git-diff.js

@@ -9,7 +9,7 @@ import { verbose } from '../utils/logger.js';
 import { exec } from '../utils/process.js';
 import { ensureGit, git } from './git-base.js';
 import { fileExistsInHead } from './git-file-ops.js';
-import { getUntrackedFiles } from './git-status.js';
+import { getUntrackedFiles, getUntrackedFilesInDir } from './git-status.js';
 async function execGitWithAllowedExitCodes(repoDir, args, allowedExitCodes = [0]) {
     const result = await exec('git', args, { cwd: repoDir });
     if (allowedExitCodes.includes(result.exitCode)) {
@@ -183,7 +183,26 @@ export async function getAllDiff(repoDir) {
  */
 export async function getDiffForFilesAgainstHead(repoDir, files) {
     await ensureGit();
-    const uniqueFiles = [...new Set(files)].sort();
+    // Expand any directory entries (paths ending with `/`) into their
+    // individual untracked files before diffing. `git status --porcelain=v1`
+    // reports collapsed untracked directories as `?? dir/`, and every caller
+    // that feeds the aggregate working-tree state into this function must
+    // not trigger an EISDIR when the diff pass reads `dir/` as if it were a
+    // file. Belt-and-suspenders: the caller-side expansion in `lint.ts`
+    // and `export-all.ts` covers the common path, but a single bad call
+    // site re-introduced the bug in 0.17.0 — guarding here makes the
+    // regression impossible at this layer.
+    const expandedFiles = [];
+    for (const file of files) {
+        if (file.endsWith('/')) {
+            const inner = await getUntrackedFilesInDir(repoDir, file);
+            for (const entry of inner)
+                expandedFiles.push(entry);
+            continue;
+        }
+        expandedFiles.push(file);
+    }
+    const uniqueFiles = [...new Set(expandedFiles)].sort();
     const diffs = [];
     for (const file of uniqueFiles) {
         if (await fileExistsInHead(repoDir, file)) {

package/dist/src/core/mach.d.ts

@@ -60,19 +60,25 @@ export declare function bootstrapWithOutput(engineDir: string): Promise<MachComm
 /**
  * Runs a full mach build. On a non-zero exit, any matched error hints are
  * surfaced on top of the raw mach output so operators get an actionable
- * nudge alongside the cryptic mozbuild traceback.
+ * nudge alongside the cryptic mozbuild traceback. Returns the captured
+ * result so the caller (e.g. `fireforge build`) can inspect the tail
+ * for post-build diagnostics that mach prints AFTER "Your build was
+ * successful!" — notably the stale `config.status is out of date`
+ * notice that mach emits when a tool-managed edit landed on
+ * `moz.configure` before the build.
  * @param engineDir - Path to the engine directory
  * @param jobs - Number of parallel jobs (optional)
- * @returns Exit code
+ * @returns Captured mach result (stdout tail, stderr tail, exit code)
  */
-export declare function build(engineDir: string, jobs?: number): Promise<number>;
+export declare function build(engineDir: string, jobs?: number): Promise<MachCommandResult>;
 /**
  * Runs a fast UI-only build. On a non-zero exit, any matched error hints are
- * surfaced on top of the raw mach output.
+ * surfaced on top of the raw mach output. See {@link build} for why the
+ * full captured result is returned rather than just the exit code.
  * @param engineDir - Path to the engine directory
- * @returns Exit code
+ * @returns Captured mach result
  */
-export declare function buildUI(engineDir: string): Promise<number>;
+export declare function buildUI(engineDir: string): Promise<MachCommandResult>;
 /**
  * Runs an operation while holding a sidecar build lock keyed on the
  * project root. Concurrent `fireforge build` / `fireforge build --ui`

package/dist/src/core/mach.js

@@ -137,10 +137,15 @@ function surfaceMachErrorHints(result) {
 /**
  * Runs a full mach build. On a non-zero exit, any matched error hints are
  * surfaced on top of the raw mach output so operators get an actionable
- * nudge alongside the cryptic mozbuild traceback.
+ * nudge alongside the cryptic mozbuild traceback. Returns the captured
+ * result so the caller (e.g. `fireforge build`) can inspect the tail
+ * for post-build diagnostics that mach prints AFTER "Your build was
+ * successful!" — notably the stale `config.status is out of date`
+ * notice that mach emits when a tool-managed edit landed on
+ * `moz.configure` before the build.
  * @param engineDir - Path to the engine directory
  * @param jobs - Number of parallel jobs (optional)
- * @returns Exit code
+ * @returns Captured mach result (stdout tail, stderr tail, exit code)
  */
 export async function build(engineDir, jobs) {
     const args = ['build'];
@@ -151,20 +156,21 @@ export async function build(engineDir, jobs) {
     if (result.exitCode !== 0) {
         surfaceMachErrorHints(result);
     }
-    return result.exitCode;
+    return result;
 }
 /**
  * Runs a fast UI-only build. On a non-zero exit, any matched error hints are
- * surfaced on top of the raw mach output.
+ * surfaced on top of the raw mach output. See {@link build} for why the
+ * full captured result is returned rather than just the exit code.
  * @param engineDir - Path to the engine directory
- * @returns Exit code
+ * @returns Captured mach result
  */
 export async function buildUI(engineDir) {
     const result = await runMachInheritCapture(['build', 'faster'], engineDir);
     if (result.exitCode !== 0) {
         surfaceMachErrorHints(result);
     }
-    return result.exitCode;
+    return result;
 }
 /**
  * Runs an operation while holding a sidecar build lock keyed on the

package/dist/src/core/manifest-rules.js

@@ -24,7 +24,16 @@ export function getRules(binaryName) {
             // proposed a bogus jar.mn entry. The lookahead blocks the match so
             // `getUnregistrableAdvice` gets a chance to emit the correct
             // guidance for the `.inc.xhtml` case.
-            pattern: /^browser\/base\/content\/(?!.+\.inc\.xhtml$)(.+\.(?:js|mjs|xhtml|css))$/,
+            //
+            // Test implementation files under `browser/base/content/test/` are
+            // also excluded: they belong in the nearest `browser.toml` manifest,
+            // not in jar.mn. 2026-04-23 eval 2: `status --unmanaged` proposed
+            // `fireforge register browser/base/content/test/<dir>/browser_*.js`
+            // which would have clutter-registered a test file as browser
+            // chrome content. The negative lookahead routes those paths to
+            // `getUnregistrableAdvice`, which returns the correct
+            // browser.toml-centric guidance.
+            pattern: /^browser\/base\/content\/(?!.+\.inc\.xhtml$)(?!test\/)(.+\.(?:js|mjs|xhtml|css))$/,
             isRegistered: (engineDir, fileName) => isBrowserContentRegistered(engineDir, fileName),
             register: (engineDir, after, dryRun, fileName) => registerBrowserContent(engineDir, fileName, after, undefined, dryRun),
             extractArgs: (m) => [m[1] ?? ''],

package/dist/src/core/manifest-tokenizers.d.ts

@@ -26,6 +26,12 @@ export declare function tokenizeJarMn(lines: string[]): JarMnToken[];
 /**
  * Tokenizes a moz.build Python list block, returning the tokens and their
  * line range within the file.
+ *
+ * Supports both multi-line lists (the common shape) and single-line
+ * empty lists of the form `EXTRA_JS_MODULES += []` — the eval-2 finding
+ * case where a freshly-scaffolded module directory's `moz.build`
+ * started with an empty list and the tokenizer returned `null`,
+ * leaving `register` unable to add the first entry.
  */
 export declare function tokenizeMozBuildList(lines: string[], listPattern: RegExp): {
     tokens: MozBuildToken[];

package/dist/src/core/manifest-tokenizers.js

@@ -44,6 +44,12 @@ export function tokenizeJarMn(lines) {
 /**
  * Tokenizes a moz.build Python list block, returning the tokens and their
  * line range within the file.
+ *
+ * Supports both multi-line lists (the common shape) and single-line
+ * empty lists of the form `EXTRA_JS_MODULES += []` — the eval-2 finding
+ * case where a freshly-scaffolded module directory's `moz.build`
+ * started with an empty list and the tokenizer returned `null`,
+ * leaving `register` unable to add the first entry.
  */
 export function tokenizeMozBuildList(lines, listPattern) {
     const tokens = [];
@@ -53,6 +59,28 @@ export function tokenizeMozBuildList(lines, listPattern) {
         const raw = lines[i] ?? '';
         if (startLine === -1) {
             if (listPattern.test(raw)) {
+                // Single-line empty-list handling: a fresh scaffold sometimes
+                // writes `EXTRA_JS_MODULES += []` on one line. The pre-fix
+                // tokenizer returned `null` because it never saw a line
+                // starting with `]`, which stranded `register` with a "Could
+                // not find module list section" error against the documented
+                // browser/modules/<fork>/ scaffold (eval 2).
+                //
+                // The in-place split rewrites the single-line form into the
+                // canonical multi-line shape so the caller's
+                // `lines.splice(insertIndex, 0, entry)` lands inside the list
+                // body. The tokens are emitted to mirror the new structure.
+                const singleLineMatch = /^([^[]*\[)\s*\]\s*$/.exec(raw);
+                if (singleLineMatch) {
+                    const openPart = singleLineMatch[1] ?? '';
+                    lines[i] = openPart;
+                    lines.splice(i + 1, 0, ']');
+                    startLine = i;
+                    endLine = i + 1;
+                    tokens.push({ type: 'list-open', raw: openPart, lineIndex: i });
+                    tokens.push({ type: 'list-close', raw: ']', lineIndex: i + 1 });
+                    break;
+                }
                 startLine = i;
                 tokens.push({ type: 'list-open', raw, lineIndex: i });
             }

package/dist/src/core/patch-lint.d.ts

@@ -67,10 +67,49 @@ export declare function lintPatchedJs(repoDir: string, affectedFiles: string[],
  * @returns Array of lint issues
  */
 export declare function lintModificationComments(diffContent: string, config: FireForgeConfig): PatchLintIssue[];
+/**
+ * Describes which tier `resolvePatchSizeTier` selected and why.
+ * Consumers that want to surface the tier choice to the operator
+ * (e.g. a one-line `info()` when branding thresholds kick in) read
+ * this alongside the issues array from `lintPatchSize`.
+ */
+export type PatchSizeTierDecision = {
+    tier: 'general';
+} | {
+    tier: 'test';
+} | {
+    tier: 'branding';
+    source: 'auto' | 'explicit';
+};
+/**
+ * Decides which `large-patch-lines` threshold tier applies to a patch.
+ * Exported so `runPatchLint` and the per-patch `lint` command can
+ * surface the tier choice to the operator *without* depending on
+ * `lintPatchSize`'s internal return shape — the rule itself stays a
+ * pure issues-array API, and the decision is computed separately for
+ * the sole purpose of reporting.
+ *
+ * Precedence: test > branding (explicit) > branding (auto) > general.
+ * The test tier beats branding because a table-driven regression test
+ * is legitimately large independent of whether the patch also claims
+ * branding shape, and the test-tier thresholds are already more
+ * permissive than branding — so "tests beat branding" is the
+ * defensive-for-tests choice.
+ */
+export declare function resolvePatchSizeTier(filesAffected: ReadonlyArray<string>, patchTier?: 'branding'): PatchSizeTierDecision;
 /**
  * Checks patch size and emits advisory warnings.
+ *
+ * @param filesAffected - Files touched by the patch
+ * @param lineCount - Non-binary line count of the unified diff
+ * @param patchTier - Optional explicit tier override declared on
+ *   `PatchMetadata.tier`. When `"branding"`, forces the branding
+ *   thresholds regardless of `filesAffected`. Tests still win over
+ *   branding (precedence `test > branding > general`) because the
+ *   test-tier thresholds are already more permissive and an all-tests
+ *   patch that is also branding-shaped is vanishingly rare.
  */
-export declare function lintPatchSize(filesAffected: string[], lineCount: number): PatchLintIssue[];
+export declare function lintPatchSize(filesAffected: string[], lineCount: number, patchTier?: 'branding'): PatchLintIssue[];
 /**
  * Checks that modified (non-new) files with a supported extension still
  * start with a recognized license header.
@@ -94,6 +133,12 @@ export declare function lintModifiedFileHeaders(repoDir: string, affectedFiles:
  *   is advisory-noisy by nature (a cohesive branding bundle, auto-generated
  *   manifest, etc.) can opt out of a specific rule without reaching for the
  *   blunt `--skip-lint` hammer. Not mutated by this function.
+ * @param patchTier - Optional explicit tier override, threaded from
+ *   `PatchMetadata.tier`. When `"branding"` forces the branding
+ *   thresholds on the `large-patch-lines` rule. Callers with a
+ *   per-patch manifest context (re-export, per-patch lint) should
+ *   pass this; aggregate-mode callers without a specific patch
+ *   context skip it and fall through to auto-detection.
  * @returns Array of all lint issues found
  */
-export declare function lintExportedPatch(repoDir: string, affectedFiles: string[], diffContent: string, config: FireForgeConfig, patchQueueCtx?: import('./patch-lint-cross.js').PatchQueueContext, ignoreChecks?: ReadonlySet<string>): Promise<PatchLintIssue[]>;
+export declare function lintExportedPatch(repoDir: string, affectedFiles: string[], diffContent: string, config: FireForgeConfig, patchQueueCtx?: import('./patch-lint-cross.js').PatchQueueContext, ignoreChecks?: ReadonlySet<string>, patchTier?: 'branding'): Promise<PatchLintIssue[]>;

package/dist/src/core/patch-lint.js

@@ -74,13 +74,49 @@ const PATCH_LINE_THRESHOLDS = {
     branding: { notice: 3000, warning: 8000, error: 20000 },
 };
 /**
- * Returns true when every file in a patch lives under `browser/branding/`.
- * Used by `lintPatchSize` to pick the branding threshold tier.
+ * Fixed allowlist of non-branding sibling paths that real-world Firefox
+ * branding patches legitimately need to touch to register the new
+ * branding flavor with the top-level configure. The 2026-04-21
+ * external eval showed that a branding patch which also touches
+ * `browser/moz.configure` (the canonical registration point) fell
+ * through to the general lint tier because the original predicate
+ * required every file to live under `browser/branding/`. This
+ * allowlist stays intentionally narrow — additions require a real
+ * operator data point, not a speculative expansion. Add new entries
+ * only when a genuine branding patch cannot be expressed without a
+ * specific registration sibling.
+ *
+ * Pinned against ESR 140.x conventions at time of writing.
+ */
+const BRANDING_REGISTRATION_FILES = new Set([
+    'browser/moz.configure',
+    'browser/confvars.sh',
+]);
+/**
+ * Returns true when a patch qualifies for the branding threshold tier:
+ * every file lives either under `browser/branding/` or in the narrow
+ * registration allowlist, AND the patch contains at least one file
+ * under `browser/branding/` (guard against a config-only patch
+ * accidentally qualifying as branding).
+ *
+ * Used by `lintPatchSize` to pick the branding threshold tier. The
+ * explicit `tier: "branding"` field on `PatchMetadata` bypasses this
+ * heuristic and forces the branding tier directly.
  */
 function isBrandingOnlyPatch(files) {
     if (files.length === 0)
         return false;
-    return files.every((file) => file.startsWith('browser/branding/'));
+    let hasBrandingFile = false;
+    for (const file of files) {
+        if (file.startsWith('browser/branding/')) {
+            hasBrandingFile = true;
+            continue;
+        }
+        if (BRANDING_REGISTRATION_FILES.has(file))
+            continue;
+        return false;
+    }
+    return hasBrandingFile;
 }
 /**
  * Returns true if the filename looks like a JS/MJS/JSM file.
@@ -426,13 +462,44 @@ export function lintModificationComments(diffContent, config) {
     }
     return issues;
 }
-// ---------------------------------------------------------------------------
-// Patch size lint (moved from export-shared.ts warnLargePatch)
-// ---------------------------------------------------------------------------
+/**
+ * Decides which `large-patch-lines` threshold tier applies to a patch.
+ * Exported so `runPatchLint` and the per-patch `lint` command can
+ * surface the tier choice to the operator *without* depending on
+ * `lintPatchSize`'s internal return shape — the rule itself stays a
+ * pure issues-array API, and the decision is computed separately for
+ * the sole purpose of reporting.
+ *
+ * Precedence: test > branding (explicit) > branding (auto) > general.
+ * The test tier beats branding because a table-driven regression test
+ * is legitimately large independent of whether the patch also claims
+ * branding shape, and the test-tier thresholds are already more
+ * permissive than branding — so "tests beat branding" is the
+ * defensive-for-tests choice.
+ */
+export function resolvePatchSizeTier(filesAffected, patchTier) {
+    const allTests = filesAffected.length > 0 && filesAffected.every(isTestFile);
+    if (allTests)
+        return { tier: 'test' };
+    if (patchTier === 'branding')
+        return { tier: 'branding', source: 'explicit' };
+    if (isBrandingOnlyPatch(filesAffected))
+        return { tier: 'branding', source: 'auto' };
+    return { tier: 'general' };
+}
 /**
  * Checks patch size and emits advisory warnings.
+ *
+ * @param filesAffected - Files touched by the patch
+ * @param lineCount - Non-binary line count of the unified diff
+ * @param patchTier - Optional explicit tier override declared on
+ *   `PatchMetadata.tier`. When `"branding"`, forces the branding
+ *   thresholds regardless of `filesAffected`. Tests still win over
+ *   branding (precedence `test > branding > general`) because the
+ *   test-tier thresholds are already more permissive and an all-tests
+ *   patch that is also branding-shaped is vanishingly rare.
  */
-export function lintPatchSize(filesAffected, lineCount) {
+export function lintPatchSize(filesAffected, lineCount, patchTier) {
     const issues = [];
     if (filesAffected.length > 5) {
         issues.push({
@@ -447,12 +514,14 @@ export function lintPatchSize(filesAffected, lineCount) {
     // harnesses run into the thousands of lines). Branding patches get their
     // own tier so a first-export of setup-generated branding doesn't fire
     // the general hard limit — see `PATCH_LINE_THRESHOLDS.branding` above
-    // for the eval data motivating this tier.
-    const allTests = filesAffected.length > 0 && filesAffected.every(isTestFile);
-    const branding = !allTests && isBrandingOnlyPatch(filesAffected);
-    const thresholds = allTests
+    // for the eval data motivating this tier. An explicit `patchTier`
+    // opt-in forces branding even when `isBrandingOnlyPatch` cannot reach
+    // the patch's actual shape (a branding patch that also touches a
+    // non-allowlisted sibling like a vendor-specific icon resource).
+    const decision = resolvePatchSizeTier(filesAffected, patchTier);
+    const thresholds = decision.tier === 'test'
         ? PATCH_LINE_THRESHOLDS.test
-        : branding
+        : decision.tier === 'branding'
             ? PATCH_LINE_THRESHOLDS.branding
             : PATCH_LINE_THRESHOLDS.general;
     if (lineCount >= thresholds.error) {
@@ -534,9 +603,15 @@ export async function lintModifiedFileHeaders(repoDir, affectedFiles, newFiles)
  *   is advisory-noisy by nature (a cohesive branding bundle, auto-generated
  *   manifest, etc.) can opt out of a specific rule without reaching for the
  *   blunt `--skip-lint` hammer. Not mutated by this function.
+ * @param patchTier - Optional explicit tier override, threaded from
+ *   `PatchMetadata.tier`. When `"branding"` forces the branding
+ *   thresholds on the `large-patch-lines` rule. Callers with a
+ *   per-patch manifest context (re-export, per-patch lint) should
+ *   pass this; aggregate-mode callers without a specific patch
+ *   context skip it and fall through to auto-detection.
  * @returns Array of all lint issues found
  */
-export async function lintExportedPatch(repoDir, affectedFiles, diffContent, config, patchQueueCtx, ignoreChecks) {
+export async function lintExportedPatch(repoDir, affectedFiles, diffContent, config, patchQueueCtx, ignoreChecks, patchTier) {
     const newFiles = detectNewFilesInDiff(diffContent);
     const { textLines: lineCount } = countNonBinaryDiffLines(diffContent);
     const patchOwnedFiles = resolvePatchOwnedSysMjs(newFiles, patchQueueCtx);
@@ -547,7 +622,7 @@ export async function lintExportedPatch(repoDir, affectedFiles, diffContent, con
         lintModifiedFileHeaders(repoDir, affectedFiles, newFiles),
     ]);
     const modCommentIssues = lintModificationComments(diffContent, config);
-    const sizeIssues = lintPatchSize(affectedFiles, lineCount);
+    const sizeIssues = lintPatchSize(affectedFiles, lineCount, patchTier);
     const issues = [
         ...sizeIssues,
         ...cssIssues,

package/dist/src/core/patch-manifest-consistency.js

@@ -121,7 +121,15 @@ export async function rebuildPatchesManifest(patchesDir, fallbackSourceEsrVersio
             // human-written descriptions during a recovery run.
             recoveredFilenames.push(patch.filename);
         }
-        rebuiltPatches.push({
+        // Preserve optional fields the operator declared on the existing
+        // entry — `lintIgnore` (per-patch lint suppression) and `tier`
+        // (explicit branding-threshold override). Without this, a
+        // `doctor --repair-patches-manifest` run silently strips both
+        // fields from every entry that had them, and the next `lint`
+        // or `re-export` pass fires rules the operator had intentionally
+        // quieted. Mirrors how other descriptive fields fall back to
+        // existing values when the entry is known.
+        const rebuilt = {
             filename: patch.filename,
             order: recoveredOrder,
             category: existing?.category ?? inferred.category,
@@ -131,7 +139,12 @@ export async function rebuildPatchesManifest(patchesDir, fallbackSourceEsrVersio
             createdAt: existing?.createdAt ?? new Date(patchStats.mtimeMs).toISOString(),
             sourceEsrVersion: existing?.sourceEsrVersion ?? fallbackSourceEsrVersion,
             filesAffected,
-        });
+        };
+        if (existing?.lintIgnore !== undefined)
+            rebuilt.lintIgnore = [...existing.lintIgnore];
+        if (existing?.tier !== undefined)
+            rebuilt.tier = existing.tier;
+        rebuiltPatches.push(rebuilt);
     }
     rebuiltPatches.sort((left, right) => left.order - right.order || left.filename.localeCompare(right.filename));
     const rebuiltManifest = {

package/dist/src/core/patch-manifest-io.js

@@ -189,6 +189,16 @@ export async function renumberPatchesInManifest(patchesDir, renameMap) {
                 throw new Error(`Cannot renumber: target patch filename already exists on disk: ${toEntry.newFilename}`);
             }
             await rename(join(patchesDir, staged), targetPath);
+            // Postcondition assert: confirm the target actually exists on
+            // disk before we mark the rename complete. A silent rename
+            // failure would leave the manifest and the filesystem
+            // disagreeing — exactly what the eval 1 Finding #7 report
+            // described: manifest rewrote to new filenames while the old
+            // files stayed on disk. If the assert ever fires, the Phase 2
+            // rollback will undo prior moves before re-throwing.
+            if (!(await pathExists(targetPath))) {
+                throw new Error(`Rename postcondition failed: expected ${toEntry.newFilename} to exist after rename, but it was not found on disk.`);
+            }
             completedFinalRenames.push(stagedEntry);
         }
     }

package/dist/src/core/patch-manifest-resolve.d.ts

@@ -1,5 +1,24 @@
 import type { PatchMetadata } from '../types/commands/index.js';
 /**
- * Resolves a patch identifier (ordinal number or filename) to its manifest entry.
+ * Resolves a patch identifier to its manifest entry. Accepts:
+ *
+ *   1. An ordinal number (e.g. `2`) — matches `PatchMetadata.order`.
+ *   2. A full filename with `.patch` suffix (e.g. `002-ui-foo.patch`) —
+ *      matches `PatchMetadata.filename`.
+ *   3. A filename without the `.patch` suffix — the command appends it
+ *      before matching (e.g. `002-ui-foo`).
+ *   4. The manifest `name` field (e.g. `eval-furnace-token-override`) —
+ *      matches `PatchMetadata.name`. This is the short logical handle
+ *      the export workflow stamps onto the patch and the natural
+ *      identifier an operator keeps in their notes. 2026-04-21 eval
+ *      (Finding #6): `patch reorder`/`delete` rejected the `name`
+ *      even though the CLI help said `<name>`, forcing the operator
+ *      to copy the full filename from `patches.json` before every
+ *      queue mutation.
+ *
+ * Resolution order is strict: numeric ordinals first, then filename
+ * lookup (with + without `.patch` suffix), then name-field lookup.
+ * The filename lookup beats the name lookup when the two happen to
+ * collide so legacy scripts that pass filenames keep working.
  */
 export declare function resolvePatchIdentifier(identifier: string, patches: PatchMetadata[]): PatchMetadata | null;

package/dist/src/core/patch-manifest-resolve.js

@@ -1,12 +1,39 @@
 /**
- * Resolves a patch identifier (ordinal number or filename) to its manifest entry.
+ * Resolves a patch identifier to its manifest entry. Accepts:
+ *
+ *   1. An ordinal number (e.g. `2`) — matches `PatchMetadata.order`.
+ *   2. A full filename with `.patch` suffix (e.g. `002-ui-foo.patch`) —
+ *      matches `PatchMetadata.filename`.
+ *   3. A filename without the `.patch` suffix — the command appends it
+ *      before matching (e.g. `002-ui-foo`).
+ *   4. The manifest `name` field (e.g. `eval-furnace-token-override`) —
+ *      matches `PatchMetadata.name`. This is the short logical handle
+ *      the export workflow stamps onto the patch and the natural
+ *      identifier an operator keeps in their notes. 2026-04-21 eval
+ *      (Finding #6): `patch reorder`/`delete` rejected the `name`
+ *      even though the CLI help said `<name>`, forcing the operator
+ *      to copy the full filename from `patches.json` before every
+ *      queue mutation.
+ *
+ * Resolution order is strict: numeric ordinals first, then filename
+ * lookup (with + without `.patch` suffix), then name-field lookup.
+ * The filename lookup beats the name lookup when the two happen to
+ * collide so legacy scripts that pass filenames keep working.
  */
 export function resolvePatchIdentifier(identifier, patches) {
     if (/^\d+$/.test(identifier)) {
         const order = parseInt(identifier, 10);
         return patches.find((p) => p.order === order) ?? null;
     }
+    // Filename lookup — try the input as-is first (covers both the
+    // full `.patch` form and a bare name, because `endsWith` treats the
+    // bare form as a miss and falls through to the appended variant).
     const normalized = identifier.endsWith('.patch') ? identifier : `${identifier}.patch`;
-    return patches.find((p) => p.filename === normalized) ?? null;
+    const byFilename = patches.find((p) => p.filename === normalized || p.filename === identifier);
+    if (byFilename)
+        return byFilename;
+    // Name-field lookup — the short logical handle stamped into the
+    // manifest at export time. See function docstring.
+    return patches.find((p) => p.name === identifier) ?? null;
 }
 //# sourceMappingURL=patch-manifest-resolve.js.map

package/dist/src/core/patch-manifest-validate.js

@@ -23,7 +23,26 @@ export function validatePatchMetadata(data, index) {
         throw new Error(`patches[${index}].sourceEsrVersion must be a valid Firefox version string`);
     }
     const filesAffected = rec.stringArray('filesAffected');
-    return {
+    // Optional fields. These were silently stripped before the 0.17.0
+    // branding-tier work reached in and audited the loader — the 0.16.0
+    // `lintIgnore` escape hatch demonstrably round-tripped only through
+    // test fixtures that mocked `loadPatchesManifest` directly. Real
+    // operator edits to `patches.json` were dropped on every subsequent
+    // load, so any patch that relied on `lintIgnore` to suppress a
+    // specific lint rule was quietly re-tripped the next time the
+    // manifest validated. Preserve both the pre-existing `lintIgnore`
+    // and the new `tier` field here so future-added optional fields
+    // have a ready template to follow.
+    const lintIgnore = rec.optionalStringArray('lintIgnore');
+    const rawTier = rec.raw('tier');
+    let tier;
+    if (rawTier !== undefined) {
+        if (rawTier !== 'branding') {
+            throw new Error(`patches[${index}].tier must be "branding" when present (unknown tier values are rejected, not silently ignored).`);
+        }
+        tier = 'branding';
+    }
+    const result = {
         filename,
         order,
         category,
@@ -33,6 +52,11 @@ export function validatePatchMetadata(data, index) {
         sourceEsrVersion,
         filesAffected,
     };
+    if (lintIgnore !== undefined)
+        result.lintIgnore = lintIgnore;
+    if (tier !== undefined)
+        result.tier = tier;
+    return result;
 }
 /** Validates raw patches.json data and returns the typed manifest shape. */
 export function validatePatchesManifest(data) {

package/dist/src/core/token-coverage.js

@@ -5,6 +5,21 @@ import { pathExists, readText } from '../utils/fs.js';
 import { verbose } from '../utils/logger.js';
 import { countRawCssColors } from '../utils/regex.js';
 import { loadFurnaceConfig } from './furnace-config.js';
+/**
+ * Default platform prefixes treated as allowlisted upstream vars. Any
+ * `var(--moz-*)` usage in a fork's CSS is a Firefox platform variable
+ * that the fork does not own and should not be counted as an unknown.
+ * 2026-04-21 eval (Finding #5): a `furnace override moz-button -t
+ * css-only` + one fork token produced 1% coverage because the 84
+ * upstream `--moz-*` vars in the copied baseline counted as unknown.
+ *
+ * Forks that want to opt out can override this via
+ * `furnace.json.platformPrefixes = []`; forks that want more can
+ * extend it (e.g. `['--moz-', '--in-content-']`). The config is
+ * additive — nothing is removed from the defaults unless the operator
+ * explicitly writes a shorter list.
+ */
+const DEFAULT_PLATFORM_PREFIXES = ['--moz-'];
 /**
  * Measures design token coverage across CSS files.
  *
@@ -19,6 +34,7 @@ export async function measureTokenCoverage(repoDir, cssFiles, projectRoot) {
     // Load furnace config gracefully
     let tokenPrefix;
     let tokenAllowlist;
+    let platformPrefixes = DEFAULT_PLATFORM_PREFIXES;
     try {
         const root = projectRoot ?? join(repoDir, '..');
         const config = await loadFurnaceConfig(root);
@@ -26,6 +42,9 @@ export async function measureTokenCoverage(repoDir, cssFiles, projectRoot) {
             tokenPrefix = config.tokenPrefix;
             tokenAllowlist = new Set(config.tokenAllowlist ?? []);
         }
+        if (config.platformPrefixes !== undefined) {
+            platformPrefixes = config.platformPrefixes;
+        }
     }
     catch (error) {
         verbose(`Proceeding without furnace token metadata because furnace.json could not be loaded: ${toError(error).message}`);
@@ -56,6 +75,11 @@ export async function measureTokenCoverage(repoDir, cssFiles, projectRoot) {
             else if (tokenAllowlist?.has(prop)) {
                 allowlisted++;
             }
+            else if (platformPrefixes.some((prefix) => prop.startsWith(prefix))) {
+                // Platform vars (upstream `--moz-*`) are counted as allowlisted
+                // so they don't drag the fork-owned coverage percentage down.
+                allowlisted++;
+            }
             else {
                 unknownVars++;
             }

package/dist/src/core/wire-destroy.d.ts

@@ -4,12 +4,16 @@
 /**
  * AST-based implementation: finds onUnload()/uninit() method body and
  * inserts the destroy block at the top (LIFO ordering).
+ *
+ * `marker` is prefixed to the generated comment so wire-generated
+ * edits carry the patch-lint `// <MARKER>:` signature
+ * `lintModificationComments` looks for (eval 1 Finding #9).
  */
-export declare function addDestroyAST(content: string, expression: string): string;
+export declare function addDestroyAST(content: string, expression: string, marker?: string): string;
 /**
  * Legacy regex/line-based implementation preserved as fallback.
  */
-export declare function legacyAddDestroy(content: string, expression: string): string;
+export declare function legacyAddDestroy(content: string, expression: string, marker?: string): string;
 /**
  * Adds a destroy expression to the top of onUnload() or uninit() in
  * browser-init.js (LIFO ordering — newest first).
@@ -18,4 +22,4 @@ export declare function legacyAddDestroy(content: string, expression: string): s
  * @param expression - The destroy expression (e.g., "MyComponent.destroy()")
  * @returns true if added, false if already present
  */
-export declare function addDestroyToBrowserInit(engineDir: string, expression: string): Promise<boolean>;
+export declare function addDestroyToBrowserInit(engineDir: string, expression: string, marker?: string): Promise<boolean>;