@hominis/fireforge 0.17.0 → 0.18.1

package/dist/src/core/patch-lint.js

@@ -8,6 +8,7 @@ import { loadFurnaceConfig } from './furnace-config.js';
 import { containsUpstreamLicenseText, getLicenseHeader, hasAnyLicenseHeader, hasAnyLicenseHeaderAnyStyle, } from './license-headers.js';
 import { runCheckJs } from './patch-lint-checkjs.js';
 import { detectNewFilesInDiff, extractAddedLinesPerFile } from './patch-lint-diff.js';
+import { AGGREGATE_PATCH_FILE } from './patch-lint-diff-tag.js';
 import { validateExportJsDoc } from './patch-lint-jsdoc.js';
 import { resolvePatchOwnedSysMjs } from './patch-lint-ownership.js';
 // ---------------------------------------------------------------------------
@@ -74,13 +75,49 @@ const PATCH_LINE_THRESHOLDS = {
     branding: { notice: 3000, warning: 8000, error: 20000 },
 };
 /**
- * Returns true when every file in a patch lives under `browser/branding/`.
- * Used by `lintPatchSize` to pick the branding threshold tier.
+ * Fixed allowlist of non-branding sibling paths that real-world Firefox
+ * branding patches legitimately need to touch to register the new
+ * branding flavor with the top-level configure. The 2026-04-21
+ * external eval showed that a branding patch which also touches
+ * `browser/moz.configure` (the canonical registration point) fell
+ * through to the general lint tier because the original predicate
+ * required every file to live under `browser/branding/`. This
+ * allowlist stays intentionally narrow — additions require a real
+ * operator data point, not a speculative expansion. Add new entries
+ * only when a genuine branding patch cannot be expressed without a
+ * specific registration sibling.
+ *
+ * Pinned against ESR 140.x conventions at time of writing.
+ */
+const BRANDING_REGISTRATION_FILES = new Set([
+    'browser/moz.configure',
+    'browser/confvars.sh',
+]);
+/**
+ * Returns true when a patch qualifies for the branding threshold tier:
+ * every file lives either under `browser/branding/` or in the narrow
+ * registration allowlist, AND the patch contains at least one file
+ * under `browser/branding/` (guard against a config-only patch
+ * accidentally qualifying as branding).
+ *
+ * Used by `lintPatchSize` to pick the branding threshold tier. The
+ * explicit `tier: "branding"` field on `PatchMetadata` bypasses this
+ * heuristic and forces the branding tier directly.
  */
 function isBrandingOnlyPatch(files) {
     if (files.length === 0)
         return false;
-    return files.every((file) => file.startsWith('browser/branding/'));
+    let hasBrandingFile = false;
+    for (const file of files) {
+        if (file.startsWith('browser/branding/')) {
+            hasBrandingFile = true;
+            continue;
+        }
+        if (BRANDING_REGISTRATION_FILES.has(file))
+            continue;
+        return false;
+    }
+    return hasBrandingFile;
 }
 /**
  * Returns true if the filename looks like a JS/MJS/JSM file.
@@ -426,17 +463,48 @@ export function lintModificationComments(diffContent, config) {
     }
     return issues;
 }
-// ---------------------------------------------------------------------------
-// Patch size lint (moved from export-shared.ts warnLargePatch)
-// ---------------------------------------------------------------------------
+/**
+ * Decides which `large-patch-lines` threshold tier applies to a patch.
+ * Exported so `runPatchLint` and the per-patch `lint` command can
+ * surface the tier choice to the operator *without* depending on
+ * `lintPatchSize`'s internal return shape — the rule itself stays a
+ * pure issues-array API, and the decision is computed separately for
+ * the sole purpose of reporting.
+ *
+ * Precedence: test > branding (explicit) > branding (auto) > general.
+ * The test tier beats branding because a table-driven regression test
+ * is legitimately large independent of whether the patch also claims
+ * branding shape, and the test-tier thresholds are already more
+ * permissive than branding — so "tests beat branding" is the
+ * defensive-for-tests choice.
+ */
+export function resolvePatchSizeTier(filesAffected, patchTier) {
+    const allTests = filesAffected.length > 0 && filesAffected.every(isTestFile);
+    if (allTests)
+        return { tier: 'test' };
+    if (patchTier === 'branding')
+        return { tier: 'branding', source: 'explicit' };
+    if (isBrandingOnlyPatch(filesAffected))
+        return { tier: 'branding', source: 'auto' };
+    return { tier: 'general' };
+}
 /**
  * Checks patch size and emits advisory warnings.
+ *
+ * @param filesAffected - Files touched by the patch
+ * @param lineCount - Non-binary line count of the unified diff
+ * @param patchTier - Optional explicit tier override declared on
+ *   `PatchMetadata.tier`. When `"branding"`, forces the branding
+ *   thresholds regardless of `filesAffected`. Tests still win over
+ *   branding (precedence `test > branding > general`) because the
+ *   test-tier thresholds are already more permissive and an all-tests
+ *   patch that is also branding-shaped is vanishingly rare.
  */
-export function lintPatchSize(filesAffected, lineCount) {
+export function lintPatchSize(filesAffected, lineCount, patchTier) {
     const issues = [];
     if (filesAffected.length > 5) {
         issues.push({
-            file: '(patch)',
+            file: AGGREGATE_PATCH_FILE,
             check: 'large-patch-files',
             message: `Patch affects ${filesAffected.length} files (recommended: ≤5). Consider splitting into smaller, focused patches.`,
             severity: 'warning',
@@ -447,17 +515,19 @@ export function lintPatchSize(filesAffected, lineCount) {
     // harnesses run into the thousands of lines). Branding patches get their
     // own tier so a first-export of setup-generated branding doesn't fire
     // the general hard limit — see `PATCH_LINE_THRESHOLDS.branding` above
-    // for the eval data motivating this tier.
-    const allTests = filesAffected.length > 0 && filesAffected.every(isTestFile);
-    const branding = !allTests && isBrandingOnlyPatch(filesAffected);
-    const thresholds = allTests
+    // for the eval data motivating this tier. An explicit `patchTier`
+    // opt-in forces branding even when `isBrandingOnlyPatch` cannot reach
+    // the patch's actual shape (a branding patch that also touches a
+    // non-allowlisted sibling like a vendor-specific icon resource).
+    const decision = resolvePatchSizeTier(filesAffected, patchTier);
+    const thresholds = decision.tier === 'test'
         ? PATCH_LINE_THRESHOLDS.test
-        : branding
+        : decision.tier === 'branding'
             ? PATCH_LINE_THRESHOLDS.branding
             : PATCH_LINE_THRESHOLDS.general;
     if (lineCount >= thresholds.error) {
         issues.push({
-            file: '(patch)',
+            file: AGGREGATE_PATCH_FILE,
             check: 'large-patch-lines',
             message: `Patch is ${lineCount} lines (hard limit: ${thresholds.error}). Consider splitting into smaller, focused patches.`,
             severity: 'error',
@@ -465,7 +535,7 @@ export function lintPatchSize(filesAffected, lineCount) {
     }
     else if (lineCount >= thresholds.warning) {
         issues.push({
-            file: '(patch)',
+            file: AGGREGATE_PATCH_FILE,
             check: 'large-patch-lines',
             message: `Patch is ${lineCount} lines (soft limit: ${thresholds.warning}, hard limit: ${thresholds.error}). Consider splitting into smaller, focused patches.`,
             severity: 'warning',
@@ -473,7 +543,7 @@ export function lintPatchSize(filesAffected, lineCount) {
     }
     else if (lineCount >= thresholds.notice) {
         issues.push({
-            file: '(patch)',
+            file: AGGREGATE_PATCH_FILE,
             check: 'large-patch-lines',
             message: `Patch is ${lineCount} lines (soft limit: ${thresholds.warning}, hard limit: ${thresholds.error}). Consider splitting into smaller, focused patches.`,
             severity: 'notice',
@@ -534,9 +604,15 @@ export async function lintModifiedFileHeaders(repoDir, affectedFiles, newFiles)
  *   is advisory-noisy by nature (a cohesive branding bundle, auto-generated
  *   manifest, etc.) can opt out of a specific rule without reaching for the
  *   blunt `--skip-lint` hammer. Not mutated by this function.
+ * @param patchTier - Optional explicit tier override, threaded from
+ *   `PatchMetadata.tier`. When `"branding"` forces the branding
+ *   thresholds on the `large-patch-lines` rule. Callers with a
+ *   per-patch manifest context (re-export, per-patch lint) should
+ *   pass this; aggregate-mode callers without a specific patch
+ *   context skip it and fall through to auto-detection.
  * @returns Array of all lint issues found
  */
-export async function lintExportedPatch(repoDir, affectedFiles, diffContent, config, patchQueueCtx, ignoreChecks) {
+export async function lintExportedPatch(repoDir, affectedFiles, diffContent, config, patchQueueCtx, ignoreChecks, patchTier) {
     const newFiles = detectNewFilesInDiff(diffContent);
     const { textLines: lineCount } = countNonBinaryDiffLines(diffContent);
     const patchOwnedFiles = resolvePatchOwnedSysMjs(newFiles, patchQueueCtx);
@@ -547,7 +623,7 @@ export async function lintExportedPatch(repoDir, affectedFiles, diffContent, con
         lintModifiedFileHeaders(repoDir, affectedFiles, newFiles),
     ]);
     const modCommentIssues = lintModificationComments(diffContent, config);
-    const sizeIssues = lintPatchSize(affectedFiles, lineCount);
+    const sizeIssues = lintPatchSize(affectedFiles, lineCount, patchTier);
     const issues = [
         ...sizeIssues,
         ...cssIssues,

package/dist/src/core/patch-manifest-consistency.js

@@ -121,7 +121,15 @@ export async function rebuildPatchesManifest(patchesDir, fallbackSourceEsrVersio
             // human-written descriptions during a recovery run.
             recoveredFilenames.push(patch.filename);
         }
-        rebuiltPatches.push({
+        // Preserve optional fields the operator declared on the existing
+        // entry — `lintIgnore` (per-patch lint suppression) and `tier`
+        // (explicit branding-threshold override). Without this, a
+        // `doctor --repair-patches-manifest` run silently strips both
+        // fields from every entry that had them, and the next `lint`
+        // or `re-export` pass fires rules the operator had intentionally
+        // quieted. Mirrors how other descriptive fields fall back to
+        // existing values when the entry is known.
+        const rebuilt = {
             filename: patch.filename,
             order: recoveredOrder,
             category: existing?.category ?? inferred.category,
@@ -131,7 +139,12 @@ export async function rebuildPatchesManifest(patchesDir, fallbackSourceEsrVersio
             createdAt: existing?.createdAt ?? new Date(patchStats.mtimeMs).toISOString(),
             sourceEsrVersion: existing?.sourceEsrVersion ?? fallbackSourceEsrVersion,
             filesAffected,
-        });
+        };
+        if (existing?.lintIgnore !== undefined)
+            rebuilt.lintIgnore = [...existing.lintIgnore];
+        if (existing?.tier !== undefined)
+            rebuilt.tier = existing.tier;
+        rebuiltPatches.push(rebuilt);
     }
     rebuiltPatches.sort((left, right) => left.order - right.order || left.filename.localeCompare(right.filename));
     const rebuiltManifest = {

package/dist/src/core/patch-manifest-io.js

@@ -189,6 +189,16 @@ export async function renumberPatchesInManifest(patchesDir, renameMap) {
                 throw new Error(`Cannot renumber: target patch filename already exists on disk: ${toEntry.newFilename}`);
             }
             await rename(join(patchesDir, staged), targetPath);
+            // Postcondition assert: confirm the target actually exists on
+            // disk before we mark the rename complete. A silent rename
+            // failure would leave the manifest and the filesystem
+            // disagreeing — exactly what the eval 1 Finding #7 report
+            // described: manifest rewrote to new filenames while the old
+            // files stayed on disk. If the assert ever fires, the Phase 2
+            // rollback will undo prior moves before re-throwing.
+            if (!(await pathExists(targetPath))) {
+                throw new Error(`Rename postcondition failed: expected ${toEntry.newFilename} to exist after rename, but it was not found on disk.`);
+            }
             completedFinalRenames.push(stagedEntry);
         }
     }

package/dist/src/core/patch-manifest-resolve.d.ts

@@ -1,5 +1,24 @@
 import type { PatchMetadata } from '../types/commands/index.js';
 /**
- * Resolves a patch identifier (ordinal number or filename) to its manifest entry.
+ * Resolves a patch identifier to its manifest entry. Accepts:
+ *
+ *   1. An ordinal number (e.g. `2`) — matches `PatchMetadata.order`.
+ *   2. A full filename with `.patch` suffix (e.g. `002-ui-foo.patch`) —
+ *      matches `PatchMetadata.filename`.
+ *   3. A filename without the `.patch` suffix — the command appends it
+ *      before matching (e.g. `002-ui-foo`).
+ *   4. The manifest `name` field (e.g. `eval-furnace-token-override`) —
+ *      matches `PatchMetadata.name`. This is the short logical handle
+ *      the export workflow stamps onto the patch and the natural
+ *      identifier an operator keeps in their notes. 2026-04-21 eval
+ *      (Finding #6): `patch reorder`/`delete` rejected the `name`
+ *      even though the CLI help said `<name>`, forcing the operator
+ *      to copy the full filename from `patches.json` before every
+ *      queue mutation.
+ *
+ * Resolution order is strict: numeric ordinals first, then filename
+ * lookup (with + without `.patch` suffix), then name-field lookup.
+ * The filename lookup beats the name lookup when the two happen to
+ * collide so legacy scripts that pass filenames keep working.
  */
 export declare function resolvePatchIdentifier(identifier: string, patches: PatchMetadata[]): PatchMetadata | null;

package/dist/src/core/patch-manifest-resolve.js

@@ -1,12 +1,39 @@
 /**
- * Resolves a patch identifier (ordinal number or filename) to its manifest entry.
+ * Resolves a patch identifier to its manifest entry. Accepts:
+ *
+ *   1. An ordinal number (e.g. `2`) — matches `PatchMetadata.order`.
+ *   2. A full filename with `.patch` suffix (e.g. `002-ui-foo.patch`) —
+ *      matches `PatchMetadata.filename`.
+ *   3. A filename without the `.patch` suffix — the command appends it
+ *      before matching (e.g. `002-ui-foo`).
+ *   4. The manifest `name` field (e.g. `eval-furnace-token-override`) —
+ *      matches `PatchMetadata.name`. This is the short logical handle
+ *      the export workflow stamps onto the patch and the natural
+ *      identifier an operator keeps in their notes. 2026-04-21 eval
+ *      (Finding #6): `patch reorder`/`delete` rejected the `name`
+ *      even though the CLI help said `<name>`, forcing the operator
+ *      to copy the full filename from `patches.json` before every
+ *      queue mutation.
+ *
+ * Resolution order is strict: numeric ordinals first, then filename
+ * lookup (with + without `.patch` suffix), then name-field lookup.
+ * The filename lookup beats the name lookup when the two happen to
+ * collide so legacy scripts that pass filenames keep working.
  */
 export function resolvePatchIdentifier(identifier, patches) {
     if (/^\d+$/.test(identifier)) {
         const order = parseInt(identifier, 10);
         return patches.find((p) => p.order === order) ?? null;
     }
+    // Filename lookup — try the input as-is first (covers both the
+    // full `.patch` form and a bare name, because `endsWith` treats the
+    // bare form as a miss and falls through to the appended variant).
     const normalized = identifier.endsWith('.patch') ? identifier : `${identifier}.patch`;
-    return patches.find((p) => p.filename === normalized) ?? null;
+    const byFilename = patches.find((p) => p.filename === normalized || p.filename === identifier);
+    if (byFilename)
+        return byFilename;
+    // Name-field lookup — the short logical handle stamped into the
+    // manifest at export time. See function docstring.
+    return patches.find((p) => p.name === identifier) ?? null;
 }
 //# sourceMappingURL=patch-manifest-resolve.js.map

package/dist/src/core/patch-manifest-validate.js

@@ -23,7 +23,26 @@ export function validatePatchMetadata(data, index) {
         throw new Error(`patches[${index}].sourceEsrVersion must be a valid Firefox version string`);
     }
     const filesAffected = rec.stringArray('filesAffected');
-    return {
+    // Optional fields. These were silently stripped before the 0.17.0
+    // branding-tier work reached in and audited the loader — the 0.16.0
+    // `lintIgnore` escape hatch demonstrably round-tripped only through
+    // test fixtures that mocked `loadPatchesManifest` directly. Real
+    // operator edits to `patches.json` were dropped on every subsequent
+    // load, so any patch that relied on `lintIgnore` to suppress a
+    // specific lint rule was quietly re-tripped the next time the
+    // manifest validated. Preserve both the pre-existing `lintIgnore`
+    // and the new `tier` field here so future-added optional fields
+    // have a ready template to follow.
+    const lintIgnore = rec.optionalStringArray('lintIgnore');
+    const rawTier = rec.raw('tier');
+    let tier;
+    if (rawTier !== undefined) {
+        if (rawTier !== 'branding') {
+            throw new Error(`patches[${index}].tier must be "branding" when present (unknown tier values are rejected, not silently ignored).`);
+        }
+        tier = 'branding';
+    }
+    const result = {
         filename,
         order,
         category,
@@ -33,6 +52,11 @@ export function validatePatchMetadata(data, index) {
         sourceEsrVersion,
         filesAffected,
     };
+    if (lintIgnore !== undefined)
+        result.lintIgnore = lintIgnore;
+    if (tier !== undefined)
+        result.tier = tier;
+    return result;
 }
 /** Validates raw patches.json data and returns the typed manifest shape. */
 export function validatePatchesManifest(data) {

package/dist/src/core/patch-registration-refs.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Extracts furnace-shaped registration references from a patch body.
+ *
+ * 2026-04-24 eval Finding 1: `export-all --exclude-furnace` can land a
+ * patch that registers a furnace component (via edits to
+ * `toolkit/content/customElements.js`, `toolkit/content/jar.mn`, or
+ * `toolkit/locales/jar.mn`) without including the component's source
+ * files in the patch. `fireforge verify` then reports "Verify clean" for
+ * the broken queue. This module provides a pattern-scoped scan so
+ * `verify` can cross-check registrations against available file bodies.
+ *
+ * The scan is deliberately narrow: it only matches component-shaped
+ * references (widget tag names, locale fluent names). Unrelated jar.mn
+ * or customElements.js edits pass through without spurious warnings.
+ */
+/**
+ * A referenced engine path extracted from a registration hunk, together
+ * with where it came from. The `source` field lets `verify` point
+ * operators at the specific consequence file whose hunk introduced the
+ * reference.
+ */
+export interface PatchRegistrationReference {
+    /** Engine-relative path that the registration hunk adds a reference to. */
+    targetPath: string;
+    /** The registration file that contained the added hunk. */
+    source: string;
+    /** Raw hunk line that produced the reference, for diagnostic context. */
+    lineText: string;
+}
+/**
+ * Walks a unified-diff patch body and returns the set of
+ * component-shaped engine paths that the patch ADDS a registration for.
+ *
+ * Returns the empty array when no registration hunks are present OR
+ * when the registration hunks do not mention any component-shaped
+ * paths — that leaves the scan silent on the vast majority of patches
+ * (branding tweaks, behavioural fixes, module additions) so it only
+ * fires when a furnace-managed component is being newly registered.
+ *
+ * @param patchBody - Full unified-diff body of the patch file.
+ */
+export declare function collectPatchRegistrationReferences(patchBody: string): PatchRegistrationReference[];

package/dist/src/core/patch-registration-refs.js

@@ -0,0 +1,117 @@
+// SPDX-License-Identifier: EUPL-1.2
+/**
+ * Extracts furnace-shaped registration references from a patch body.
+ *
+ * 2026-04-24 eval Finding 1: `export-all --exclude-furnace` can land a
+ * patch that registers a furnace component (via edits to
+ * `toolkit/content/customElements.js`, `toolkit/content/jar.mn`, or
+ * `toolkit/locales/jar.mn`) without including the component's source
+ * files in the patch. `fireforge verify` then reports "Verify clean" for
+ * the broken queue. This module provides a pattern-scoped scan so
+ * `verify` can cross-check registrations against available file bodies.
+ *
+ * The scan is deliberately narrow: it only matches component-shaped
+ * references (widget tag names, locale fluent names). Unrelated jar.mn
+ * or customElements.js edits pass through without spurious warnings.
+ */
+/** Canonical file paths that registration-shaped diffs touch. */
+const REGISTRATION_FILE_PATHS = new Set([
+    'toolkit/content/customElements.js',
+    'toolkit/content/jar.mn',
+    'toolkit/locales/jar.mn',
+]);
+/**
+ * Walks a unified-diff patch body and returns the set of
+ * component-shaped engine paths that the patch ADDS a registration for.
+ *
+ * Returns the empty array when no registration hunks are present OR
+ * when the registration hunks do not mention any component-shaped
+ * paths — that leaves the scan silent on the vast majority of patches
+ * (branding tweaks, behavioural fixes, module additions) so it only
+ * fires when a furnace-managed component is being newly registered.
+ *
+ * @param patchBody - Full unified-diff body of the patch file.
+ */
+export function collectPatchRegistrationReferences(patchBody) {
+    if (!patchBody)
+        return [];
+    const refs = [];
+    let currentFile;
+    // Walk line-by-line. The canonical unified-diff header line is
+    // `diff --git a/<path> b/<path>` — we key the file state off the `b/`
+    // path because that names the target side and is stable against
+    // renames. Additional diff metadata lines (index/---/+++/@@) are
+    // ignored for the purposes of tracking the current file.
+    const lines = patchBody.split(/\r?\n/);
+    for (const line of lines) {
+        const diffHeader = /^diff --git a\/(.+?) b\/(.+)$/.exec(line);
+        if (diffHeader?.[2]) {
+            currentFile = diffHeader[2];
+            continue;
+        }
+        if (!currentFile)
+            continue;
+        if (!REGISTRATION_FILE_PATHS.has(currentFile))
+            continue;
+        if (!line.startsWith('+'))
+            continue;
+        // Skip the `+++ b/<path>` header line — only real hunk adds count.
+        if (line.startsWith('+++'))
+            continue;
+        const added = line.slice(1);
+        const extracted = extractTargetPathsFromRegistrationLine(currentFile, added);
+        for (const target of extracted) {
+            refs.push({ targetPath: target, source: currentFile, lineText: added });
+        }
+    }
+    return refs;
+}
+/**
+ * Per-source extractor. Each registration file has a distinct syntactic
+ * shape; we scope the match to that file so a jar.mn regex does not
+ * accidentally match a customElements.js line.
+ */
+function extractTargetPathsFromRegistrationLine(sourceFile, added) {
+    if (sourceFile === 'toolkit/content/jar.mn') {
+        // Example (added line, leading `+` already stripped):
+        //   `   content/global/elements/moz-qa-panel.mjs  (widgets/moz-qa-panel/moz-qa-panel.mjs)`
+        // The parenthesised second half is the repo-relative path Firefox's
+        // packaging system reads. Widget registrations always live under
+        // `widgets/<tag>/<file>` — the enclosing tree is
+        // `toolkit/content/widgets/`. Reconstruct the engine-relative
+        // target path so callers can check it against patch bodies.
+        const widgetMatch = /\(\s*(widgets\/[^\s)]+)\s*\)/.exec(added);
+        if (widgetMatch?.[1]) {
+            return [`toolkit/content/${widgetMatch[1]}`];
+        }
+        return [];
+    }
+    if (sourceFile === 'toolkit/locales/jar.mn') {
+        // Example:
+        //   `  locale/@AB_CD@/toolkit/global/moz-qa-panel.ftl (%toolkit/global/moz-qa-panel.ftl)`
+        // The `%`-prefixed repo-relative reference points at
+        // `toolkit/locales/en-US/<rel>`, which is the canonical FTL path.
+        const localeMatch = /\(%\s*([^\s)]+\.ftl)\s*\)/.exec(added);
+        if (localeMatch?.[1]) {
+            return [`toolkit/locales/en-US/${localeMatch[1]}`];
+        }
+        return [];
+    }
+    if (sourceFile === 'toolkit/content/customElements.js') {
+        // Example:
+        //   `          ["moz-qa-panel", "chrome://global/content/elements/moz-qa-panel.mjs"],`
+        // The chrome URL maps back to
+        // `toolkit/content/widgets/<tag>/<tag>.mjs` by convention: the
+        // packager rewrites `chrome://global/content/elements/<file>` to the
+        // widget tree root. The tag name is the identifier we key off.
+        const elementMatch = /\[\s*"([a-z][a-z0-9-]*)"\s*,\s*"chrome:\/\/global\/content\/elements\/([a-zA-Z0-9_-]+)\.mjs"\s*\]/.exec(added);
+        if (elementMatch?.[1] && elementMatch[2]) {
+            const tag = elementMatch[1];
+            const fileStem = elementMatch[2];
+            return [`toolkit/content/widgets/${tag}/${fileStem}.mjs`];
+        }
+        return [];
+    }
+    return [];
+}
+//# sourceMappingURL=patch-registration-refs.js.map

package/dist/src/core/token-coverage.js

@@ -5,6 +5,21 @@ import { pathExists, readText } from '../utils/fs.js';
 import { verbose } from '../utils/logger.js';
 import { countRawCssColors } from '../utils/regex.js';
 import { loadFurnaceConfig } from './furnace-config.js';
+/**
+ * Default platform prefixes treated as allowlisted upstream vars. Any
+ * `var(--moz-*)` usage in a fork's CSS is a Firefox platform variable
+ * that the fork does not own and should not be counted as an unknown.
+ * 2026-04-21 eval (Finding #5): a `furnace override moz-button -t
+ * css-only` + one fork token produced 1% coverage because the 84
+ * upstream `--moz-*` vars in the copied baseline counted as unknown.
+ *
+ * Forks that want to opt out can override this via
+ * `furnace.json.platformPrefixes = []`; forks that want more can
+ * extend it (e.g. `['--moz-', '--in-content-']`). The config is
+ * additive — nothing is removed from the defaults unless the operator
+ * explicitly writes a shorter list.
+ */
+const DEFAULT_PLATFORM_PREFIXES = ['--moz-'];
 /**
  * Measures design token coverage across CSS files.
  *
@@ -19,6 +34,7 @@ export async function measureTokenCoverage(repoDir, cssFiles, projectRoot) {
     // Load furnace config gracefully
     let tokenPrefix;
     let tokenAllowlist;
+    let platformPrefixes = DEFAULT_PLATFORM_PREFIXES;
     try {
         const root = projectRoot ?? join(repoDir, '..');
         const config = await loadFurnaceConfig(root);
@@ -26,6 +42,9 @@ export async function measureTokenCoverage(repoDir, cssFiles, projectRoot) {
             tokenPrefix = config.tokenPrefix;
             tokenAllowlist = new Set(config.tokenAllowlist ?? []);
         }
+        if (config.platformPrefixes !== undefined) {
+            platformPrefixes = config.platformPrefixes;
+        }
     }
     catch (error) {
         verbose(`Proceeding without furnace token metadata because furnace.json could not be loaded: ${toError(error).message}`);
@@ -56,6 +75,11 @@ export async function measureTokenCoverage(repoDir, cssFiles, projectRoot) {
             else if (tokenAllowlist?.has(prop)) {
                 allowlisted++;
             }
+            else if (platformPrefixes.some((prefix) => prop.startsWith(prefix))) {
+                // Platform vars (upstream `--moz-*`) are counted as allowlisted
+                // so they don't drag the fork-owned coverage percentage down.
+                allowlisted++;
+            }
             else {
                 unknownVars++;
             }

package/dist/src/core/wire-destroy.d.ts

@@ -4,12 +4,16 @@
 /**
  * AST-based implementation: finds onUnload()/uninit() method body and
  * inserts the destroy block at the top (LIFO ordering).
+ *
+ * `marker` is prefixed to the generated comment so wire-generated
+ * edits carry the patch-lint `// <MARKER>:` signature
+ * `lintModificationComments` looks for (eval 1 Finding #9).
  */
-export declare function addDestroyAST(content: string, expression: string): string;
+export declare function addDestroyAST(content: string, expression: string, marker?: string): string;
 /**
  * Legacy regex/line-based implementation preserved as fallback.
  */
-export declare function legacyAddDestroy(content: string, expression: string): string;
+export declare function legacyAddDestroy(content: string, expression: string, marker?: string): string;
 /**
  * Adds a destroy expression to the top of onUnload() or uninit() in
  * browser-init.js (LIFO ordering — newest first).
@@ -18,4 +22,4 @@ export declare function legacyAddDestroy(content: string, expression: string): s
  * @param expression - The destroy expression (e.g., "MyComponent.destroy()")
  * @returns true if added, false if already present
  */
-export declare function addDestroyToBrowserInit(engineDir: string, expression: string): Promise<boolean>;
+export declare function addDestroyToBrowserInit(engineDir: string, expression: string, marker?: string): Promise<boolean>;

package/dist/src/core/wire-destroy.js

@@ -12,11 +12,16 @@ import { detectIndent, parseScript } from './ast-utils.js';
 import { withParserFallback } from './parser-fallback.js';
 import { assertBraceBalancePreserved, coerceToCall, extractNameFromExpression, findMethodBody, findMethodBraceIndex, validateWireName, } from './wire-utils.js';
 const BROWSER_INIT_JS = 'browser/base/content/browser-init.js';
+const DEFAULT_MARKER = 'FIREFORGE:';
 /**
  * AST-based implementation: finds onUnload()/uninit() method body and
  * inserts the destroy block at the top (LIFO ordering).
+ *
+ * `marker` is prefixed to the generated comment so wire-generated
+ * edits carry the patch-lint `// <MARKER>:` signature
+ * `lintModificationComments` looks for (eval 1 Finding #9).
  */
-export function addDestroyAST(content, expression) {
+export function addDestroyAST(content, expression, marker = DEFAULT_MARKER) {
     const name = extractNameFromExpression(expression);
     // See wire-init.ts for the rationale: the template interpolates the
     // expression verbatim, so a bare `Foo.bar` compiled to `Foo.bar;`
@@ -44,7 +49,7 @@ export function addDestroyAST(content, expression) {
         indent = '    ';
     }
     const block = [
-        `${indent}// ${name} destroy`,
+        `${indent}// ${marker} wire-destroy ${name}`,
         `${indent}try {`,
         `${indent}  if (typeof ${name} !== "undefined") {`,
         `${indent}    ${callExpression};`,
@@ -59,7 +64,7 @@ export function addDestroyAST(content, expression) {
 /**
  * Legacy regex/line-based implementation preserved as fallback.
  */
-export function legacyAddDestroy(content, expression) {
+export function legacyAddDestroy(content, expression, marker = DEFAULT_MARKER) {
     const name = extractNameFromExpression(expression);
     // Match the AST path on the call-coercion contract so fallback vs AST
     // emits identical blocks (see wire-init.ts).
@@ -73,7 +78,7 @@ export function legacyAddDestroy(content, expression) {
     }
     const insertIndex = found.braceIndex + 1;
     const block = [
-        `    // ${name} destroy`,
+        `    // ${marker} wire-destroy ${name}`,
         `    try {`,
         `      if (typeof ${name} !== "undefined") {`,
         `        ${callExpression};`,
@@ -93,7 +98,7 @@ export function legacyAddDestroy(content, expression) {
  * @param expression - The destroy expression (e.g., "MyComponent.destroy()")
  * @returns true if added, false if already present
  */
-export async function addDestroyToBrowserInit(engineDir, expression) {
+export async function addDestroyToBrowserInit(engineDir, expression, marker = DEFAULT_MARKER) {
     validateWireName(expression, 'destroy expression');
     const filePath = join(engineDir, BROWSER_INIT_JS);
     if (!(await pathExists(filePath))) {
@@ -109,7 +114,7 @@ export async function addDestroyToBrowserInit(engineDir, expression) {
     if (destroyPattern.test(content)) {
         return false;
     }
-    const { value, usedFallback } = withParserFallback(() => addDestroyAST(content, expression), () => legacyAddDestroy(content, expression), BROWSER_INIT_JS);
+    const { value, usedFallback } = withParserFallback(() => addDestroyAST(content, expression, marker), () => legacyAddDestroy(content, expression, marker), BROWSER_INIT_JS);
     if (usedFallback) {
         assertBraceBalancePreserved(content, value, BROWSER_INIT_JS);
     }